From firewalls-owner Wed May 1 01:42:43 1996
Message-ID: <3187AEB8.38D2@BLL.CO.il>
Date: Wed, 01 May 1996 11:34:32 -0700
From: Avishai Gindes
Organization: Bank Leumi
To: naftali@netvision.net.il
CC: firewalls@greatcircle.com
Subject: Firewall license - urgent.

Please send me the updated firewall license, including installation instructions.

From firewalls-owner Wed May 1 03:26:25 1996
Message-Id: <9605011009.AA15323@spibm02>
From: Rolf Weber
Subject: Re: location of public hosts
To: smith@sctc.com (Rick Smith)
Date: Wed, 1 May 1996 12:09:02 +0200 (MESZ)
Cc: peter@baileynm.com, firewalls@greatcircle.com (firewalls)
In-Reply-To: from "Rick Smith" at Apr 30, 96 10:24:18 am

> You have to assume the software you're running is buggy. There *will*
> be bugs. You counter this threat with layered defenses, in particular,
> a strong OS with mandatory protections.

yes, there will be bugs. but you suggested MLS systems would protect from
*each* bug. that's not true.

> > therefore: place these untrustable monster servers outside, no matter
> > which OS they are running on.
>
> This assessment is reasonable only if you do not need to access
> services inside your site in order to handle Internet requests.
> If the service you provide needs to generate orders, access inventory
> records, etc., then you need to take a different approach to security.

ok, i should have said "try to place it outside" (and i'm really sure it's
possible in most cases). i agree that the OS should be as strong as possible.
(BTW, what is strong? it can be a stripped down kernel, small and therefore
easier to examine for bugs. or it can be a system such as MLS, with better
protection but obviously more complex. you can't say generally what's the
better choice.) but if you're running a WWW server with CGI scripts and
server side includes on it, then *this* server is your main problem. again,
the firewall has to protect the internal net, not only itself.

> If the people responsible for the information protected by this linux
> box are willing to trust it, based on an informed assessment of risks,
> then that's what matters.

that's it, really! what you described is that these people analyzed their
situation and took measures. and that's the most important.

> > sure, the next sendmail bug will come, and then it's not secure
> > anymore, but it will get corrected and is secure again.
> > at least now, the time we discuss, it's secure.
>
> The purpose of layered defenses built with mandatory protection is to
> provide protection even when the next bug is found.

that's the purpose of firewalls at all, isn't it?

> Firewalls aren't a silver bullet: they don't do everything. They don't
> replace all security measures with a single one. Some of our customers
> use perimeter security measures to reduce the risk of such attacks, but
> these measures are always backed up with internal security measures.

absolutely agreed.

rolf
--
-----------------------------------------
Rolf Weber               | All I ask is a chance
IEZ AG D-64625 Bensheim  | to prove that money
++49-6251-1309-113       | can't make me happy.

From firewalls-owner Wed May 1 04:27:44 1996
From: watchman@molhub.mol.net.my
Date: Wed, 1 May 1996 19:17:29 +0800 (SGT)
To: firewalls@greatcircle.com
Subject: Firewall-1 / Borderware + "Static multicast"

Greetings respected ones,

Came across a hypothetical scenario :

        A ( "multicast host" )                 NET A ( 193.193.200.x )
   |-------------------------------------------------|
   |                    ---------                    |
   |                    |  FW   |  Firewall Gateway  |
                        |-------|
   |-------------------------------------------------|
        B ( "client host" )                    NET B ( 193.196.300.x )

We have the above net topo.

Host A is a Unix host which "multicasts" data ( dest : 224.5.5.5, UDP port=4000 ),
over NET A. Host B has the necessary apps to receive the "multicast data" which
host A sends out. FW is the firewall host ( running FW-1 or Borderware ).

The "multicast app" involved is not a true multicast app - it's something like a
static multicast. Instead of broadcasting the data to every host on the network,
the data is "multicast" out from host A. Any host with the above app on NET A can
receive the "multicast" data stream from host A.

Questions :
---------

1. How does one "relay" the multicast data stream thru the FW, from net A to
   net B ? Is it possible using FW-1 or Borderware ? And if it's possible, how
   does one do it ? What rules does one need to set ? Do we need additional
   software on the FW host to relay the multicast data stream ?

2. If (1) is possible, what are the dangers to the internal net B ? If possible,
   what are the steps to take to reduce the threats by opening up the FW and the
   internal net, NET B, to this "multicast" data stream ?

3. What does one need to do on the FW host in order for internal hosts ( net B )
   to access true multicast "channels", eg the MBONE ?

4. What considerations and config on the FW host does one need to do in order
   to offer multicast-type services ? Does one place the multicast-service's
   host on the internal net or on the outer net ( net A ) ?

PS : if possible, please state your opinions relating to FW-1 or Borderware as
the FW host. General opinions are also highly welcomed.

Thanks very much in advance.
Peace to all.

jeffrey.
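One way to answer questions 1 and 2 together, as an added example that is not part of jeffrey's post and does not describe anything FW-1 or Borderware do natively: instead of routing the group 224.5.5.5 across the firewall, a small application-level relay on the dual-homed FW host joins the group on the NET A side and re-sends each datagram as ordinary unicast UDP to the one client on NET B. The firewall then only needs a rule for one unicast flow, and the relay can enforce the controls question 2 is after: accept only host A as a source, drop oversized datagrams, and cap the rate so a flood on NET A cannot be pushed inside. Host A's address (193.193.200.10), the FW's NET A interface (193.193.200.1) and the client B address are assumptions; the post's "193.196.300.x" is not a valid IPv4 range, so the client uses RFC 5737 documentation space as a stand-in. The group and port come from the post.

```python
import socket
import struct
import time
from dataclasses import dataclass, field

# Values taken from the post: the group and port host A sends to.
MCAST_GROUP = "224.5.5.5"
MCAST_PORT = 4000

# Assumptions (not in the post): host A's address on NET A, the firewall's
# NET A interface, and the single NET B client that should get the stream.
# 192.0.2.0/24 is RFC 5737 documentation space, used as a stand-in because
# the post's "193.196.300.x" is not a valid IPv4 range.
HOST_A = "193.193.200.10"
FW_NET_A_IFACE = "193.193.200.1"
CLIENT_B = ("192.0.2.20", 4000)


@dataclass
class RelayPolicy:
    """What the relay is willing to forward into NET B."""
    allowed_sources: frozenset      # only these hosts may feed the stream
    max_payload: int = 1400         # drop anything larger than one frame
    max_per_second: int = 500       # crude flood ceiling per one-second window


@dataclass
class RelayState:
    window_start: float = 0.0
    window_count: int = 0
    forwarded: int = 0
    dropped: dict = field(default_factory=dict)


def decide(policy, state, src_ip, payload, now):
    """Return None to forward, or a short reason string for dropping.

    The checks mirror the risks the post asks about: the inside host should
    only ever see bytes that came from host A, never oversized or flood-rate
    traffic, and the multicast group itself never crosses the firewall.
    """
    if src_ip not in policy.allowed_sources:
        return "source-not-allowed"
    if len(payload) > policy.max_payload:
        return "payload-too-large"
    if now - state.window_start >= 1.0:      # start a new one-second window
        state.window_start = now
        state.window_count = 0
    if state.window_count >= policy.max_per_second:
        return "rate-exceeded"
    state.window_count += 1
    return None


def relay_datagram(policy, state, src_ip, payload, now, send):
    """Apply the policy and, if it passes, hand the payload to `send`."""
    reason = decide(policy, state, src_ip, payload, now)
    if reason is None:
        send(payload)
        state.forwarded += 1
    else:
        state.dropped[reason] = state.dropped.get(reason, 0) + 1
    return reason


def open_multicast_receiver(group, port, iface_ip):
    """Join `group` on the NET A interface so the FW host hears host A."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface_ip))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


def run_relay():
    """Blocking loop: receive on NET A, forward accepted datagrams to client B."""
    policy = RelayPolicy(allowed_sources=frozenset({HOST_A}))
    state = RelayState()
    rx = open_multicast_receiver(MCAST_GROUP, MCAST_PORT, FW_NET_A_IFACE)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        payload, (src_ip, _src_port) = rx.recvfrom(65535)
        relay_datagram(policy, state, src_ip, payload, time.monotonic(),
                       lambda data: tx.sendto(data, CLIENT_B))


if __name__ == "__main__":
    run_relay()
```

The source check is on the IP header only, which a host on NET A can forge; it limits who can feed the stream but is not authentication, so the real control on question 2 is that the client on NET B receives a plain unicast flow from the FW and nothing from NET A directly, and the FW rule base allows exactly that one flow. For true multicast (question 3) this approach does not scale; that needs a multicast router or a proxy built for it, not a per-group relay.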
From firewalls-owner Wed May 1 06:41:28 1996
Date: Wed, 1 May 1996 09:34:33 -0400
To: FireWalls@GreatCircle.com
From: randy.witlicki@valley.net (Randy Witlicki)
Subject: re: "Back door" via Modems

> Understand that modems connected to networked PC's are a
> possible "back door" threat to a firewall protected... ( snip )
> Am sure there are packaged hardware/software solutions
> to control; including the following:
> 1. Access control...... ( snip )

When remote access happens within your control, it is no longer a "backdoor".
When an employee puts a modem on their PC and installs a program such as
pcAnywhere to access their desktop from home, AND doesn't tell you, it is a
"backdoor". So, you don't get rid of "backdoors" by just buying equipment.
You have to do a physical security audit to look for them.

If you are in a Netware environment, systems such as Netware Connect from
Novell and WanderLink from Funk allow centralized remote access. Unix folks
have Xylogics Annexes, Livingston Portmasters, the Cisco serial ports (as on
2511/2514), and so on. You can increase security with S/Key, SecureID, etc.
These boxes also do IPX so Netware sites can use them.

Two key things to do:

- Don't make your centralized remote access a pain in the butt to use - this
  will cause employees to install their personal backdoors. Work hard to make
  your security policy work with remote access needs. Be a friend, not a hated
  fascist security officer.

- Make physical inventories part of your regular security audit. This is when
  you do your checking for backdoor personal modems.

- Randy
  randy.witlicki@valley.net

P.S. There is another definition of "backdoor" as in a way for systems people
to get access in an emergency. This might be a separate modem from the modem
pool in case you are on the road and the entire modem rack breaks. You still
need strong security on this "backdoor".

From firewalls-owner Wed May 1 07:17:20 1996
Message-ID: <31876EA3.76E8@escape.ca>
Date: Wed, 01 May 1996 09:01:07 -0500
From: Jason Manaigre
Organization: Classified
To: Richard Ruda
CC: FireWalls
Subject: Re: "Back door" via Modems
References: <01BB36A6.C16344C0@rruda>

Richard Ruda wrote:
>
> Understand that modems connected to networked PC's are a possible "back door" threat to a firewall protected network and need to be addressed as part of the ov
> Am sure there are packaged hardware/software solutions to control; including the following:
> 1. Access control; dial in calls with password authentication (without and with 3rd party security devices).
> 2. Ability to auto call back after call in.
> 3. Must be able to dial out from desktop (modem pool) also.
> 4. Perhaps call logging for audit purposes.
> 5. Other?
> I'm sure this is pretty standard stuff so perhaps someone can suggest a vendor with a range of solutions.
>
> RR

Hey Richard...

You have a good point, how do we protect our systems from WarDialers? They
are everywhere... In the wrong hands they can be somewhat of a pain to say
the least...

Later
Jay

From firewalls-owner Wed May 1 07:26:40 1996
Date: Wed, 1 May 1996 09:58:52 -0400 (EDT)
From: "Amy M. Cremer"
To: Richard Ruda
Cc: "'GreatCircles firewall message host'"
Subject: Re: "Back door" via Modems
In-Reply-To: <01BB36A6.C16344C0@rruda>

Shiva makes a product called a LanRover/E which meets all of the criteria
you have listed below and more. It supports IPX, Appletalk, IP, NetBeui,
and LLC (Lan to Lan Connections). We have had one for about 4 years now
and love it. Easy to use, setup and administer.

Amy

***********************************************************************
* Amy M. Cremer             Microcomputer Support Specialist          *
* Library of Michigan       EMail: amyc@libofmich.lib.mi.us           *
* PO Box 30007              Phone: (517) 373-5022                     *
* 717 W. Allegan St.        Fax:   (517) 373-5865                     *
* Lansing, MI 48909                                                   *
***********************************************************************
*Life would be so much easier if we could just look at the source code*
***********************************************************************

On Tue, 30 Apr 1996, Richard Ruda wrote:

> Understand that modems connected to networked PC's are a possible "back door" threat to a firewall protected network and need to be addressed as part of the overall network "firewall".
> Am sure there are packaged hardware/software solutions to control; including the following:
> 1. Access control; dial in calls with password authentication (without and with 3rd party security devices).
> 2. Ability to auto call back after call in.
> 3. Must be able to dial out from desktop (modem pool) also.
> 4. Perhaps call logging for audit purposes.
> 5. Other?
> I'm sure this is pretty standard stuff so perhaps someone can suggest a vendor with a range of solutions.
>
> RR
>
>
>

From firewalls-owner Wed May 1 07:58:00 1996
Date: Wed, 1 May 1996 10:39:21 -0400
From: rodney@subasic.sciatl.com (Rodney Garner X5991)
Message-Id: <199605011439.KAA01251@ss1.sciatl.com>
To: firewalls@GreatCircle.COM
Subject: "Back door" via Modems

Jason Manaigre wrote:
> You have a good point, how do we protect our systems from WarDialers?
> They are everywhere...

Where can I get a WarDialer to look for modems on my system?
Finding the modems on our PBX is a big part of finding "back door" threats
to our internal network.

Rodney Garner
Systems Admin

From firewalls-owner Wed May 1 08:15:17 1996
From: John Mizzi
Message-Id: <199605011441.AA14678@sunstorm.corp.cirrus.com>
Subject: Re: Getting started with firewall.
To: Mark.Moore@kp.ORG (Moore, Mark)
Date: Wed, 1 May 1996 07:41:54 -0700 (PDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Moore, Mark" at Apr 30, 96 12:22:30 pm

Moore, Mark writes
>
> Does anyone know what documentation I can purchase so that I can
> better understand firewall technology ??
>

May I suggest

    Building Internet Firewalls
    by Brent Chapman and Elizabeth Zwicky
    ISBN 1-56592-124-0

    Firewalls and Internet Security
    by William Cheswick and Steve Bellovin
    ISBN 0-201-63357-4

John

>
> Firewall Beginner/Novice
> Mark.Moore@kp.org
>

From firewalls-owner Wed May 1 08:26:28 1996
Date: Wed, 1 May 1996 10:59:38 -0400
From: mjs@tiaa-cref.org (marty shannon)
Message-Id: <199605011459.KAA11467@sys001.tiaa.org>
To: rruda@osti.com, amyc@libofmich.lib.mi.us
Subject: Re: "Back door" via Modems
Cc: firewalls@GreatCircle.com

] Date: Wed, 1 May 1996 09:58:52 -0400 (EDT)
] From: "Amy M. Cremer"
] To: Richard Ruda
]
] Shiva makes a product called a LanRover/E which meets all of the criteria
] you have listed below and more. It supports IPX, Appletalk, IP, NetBeui,
] and LLC(Lan to Lan Connections). We have had one for about 4 years now
] and love it. Easy to use, setup and administer.
]
] Amy

Yeah, except that it offers *no* industry standard authentication.
Shiva has their own proprietary nonsense that prevents standards-compliant
platforms from connecting to it. When we asked about using PAP/CHAP, they
basically told us that those were uninteresting (to them). Anyone want
a doorstop?

        Marty
--
Marty Shannon           | SunOS System Administrator   | Bill Gates can't
TIAA-CREF 3rd Floor     | SVR3 System Administrator    | borrow enough to
730 3rd Avenue          | UUCP Guru (Don't Tell!)      | make me do Windows!
New York City, NY 10017 | Solaris System Administrator | Sigh.
If you think I speak for anyone but myself, you very much need a psychiatrist.

From firewalls-owner Wed May 1 08:41:29 1996
Date: Wed, 1 May 1996 08:13:53 -0700 (PDT)
From: Blast
To: "Amy M. Cremer"
cc: Richard Ruda, "'GreatCircles firewall message host'"
Subject: Re: "Back door" via Modems

On Wed, 1 May 1996, Amy M. Cremer wrote:

> Shiva makes a product called a LanRover/E which meets all of the criteria
> you have listed below and more. It supports IPX, Appletalk, IP, NetBeui,
> and LLC(Lan to Lan Connections). We have had one for about 4 years now
> and love it. Easy to use, setup and administer.

The first thing one should do when setting up a LanRover is to make
sure that you put a password on it. Many times, administrators just
leave it blank (the way it ships) and figure that the only way to
admin the box is to hit it with the AdminGUI. Well, it is not documented
in the manual but I managed one day to find an account called 'root'
on LanRovers that gets you to a commandline equiv of the AdminGUI.
Ugly stuff. Just wanted to point this out to the list because
there are still many LanRovers out there with dialup access
that don't have a passwd put into the Admin account.

--blast

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\  Tim Keanini     |   "The limits of my language,                   /
/  aka blast       |    are the limits of my world."                 \
\                  |             --Ludwig Wittgenstein               /
/                  |                                                 \
\                  +================================================/
/  PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html      \
\                                                                    /
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

From firewalls-owner Wed May 1 08:56:41 1996
Date: Wed, 01 May 1996 11:39:44 -0400
To: "Amy M. Cremer", Richard Ruda
From: Mark Teicher
Subject: Re: "Back door" via Modems
Cc: "'GreatCircles firewall message host'"
Message-ID: <9605011140.aa15621@nic.near.net>

Livingston Enterprises makes a product called the Portmaster, which also
meets all the criteria. Very easy to use, lifetime technical support, also
RADIUS.. Much better logging over the Shiva product...

At 09:58 5/1/96 -0400, Amy M. Cremer wrote:
>Shiva makes a product called a LanRover/E which meets all of the criteria
>you have listed below and more. It supports IPX, Appletalk, IP, NetBeui,
>and LLC(Lan to Lan Connections). We have had one for about 4 years now
>and love it. Easy to use, setup and administer.
>
>Amy
>
>
>***********************************************************************
>* Amy M. Cremer             Microcomputer Support Specialist          *
>* Library of Michigan       EMail: amyc@libofmich.lib.mi.us           *
>* PO Box 30007              Phone: (517) 373-5022                     *
>* 717 W. Allegan St.        Fax:   (517) 373-5865                     *
>* Lansing, MI 48909                                                   *
>***********************************************************************
>*Life would be so much easier if we could just look at the source code*
>***********************************************************************
>
>On Tue, 30 Apr 1996, Richard Ruda wrote:
>
>> Understand that modems connected to networked PC's are a possible "back door" threat to a firewall protected network and need to be addressed as part of the overall network "firewall".
>> Am sure there are packaged hardware/software solutions to control; including the following:
>> 1. Access control; dial in calls with password authentication (without and with 3rd party security devices).
>> 2. Ability to auto call back after call in.
>> 3. Must be able to dial out from desktop (modem pool) also.
>> 4. Perhaps call logging for audit purposes.
>> 5. Other?
>> I'm sure this is pretty standard stuff so perhaps someone can suggest a vendor with a range of solutions.
>>
>> RR
>>
>>
>>
>>
>

From firewalls-owner Wed May 1 09:19:17 1996
Date: Wed, 1 May 1996 10:57:47 -0500 (CDT)
From: Bruce Marshall
To: firewalls@GreatCircle.COM
Subject: Re: "Back door" via Modems
In-Reply-To: <199605011439.KAA01251@ss1.sciatl.com>

On Wed, 1 May 1996, Rodney Garner X5991 wrote:

> Jason Manaigre wrote:
> > You have a good point, how do we protect our systems from WarDialers?
> > They are everywhere...
>
> Where can I get a WarDialer to look for modems on my system?
> Finding the modems on our PBX is a big part of finding "back door" threats
> to our internal network.

Are you talking about finding modems that you know about or that you don't
know about? I assume that you mean the latter since it wouldn't make much
sense to scan for modems you know about. As a matter of procedure you should
assume that any modems you have are known to hackers. Then work off that
assumption to protect yourself.

If you just want to check on employees' use of modems, why not just stroll
around one night after everyone else has gone home and check out computers
still powered up (or just ask if you trust your fellow employees). Of course,
if people have locked offices or you work for a big company this probably
isn't practical.

Using Alta Vista, I found a copy of ToneLoc (supposedly the best war dialer)
at:

http://www.paranoia.com/~coldfire/ftp.html

However, I have been using an actual hacker BBS for getting 'hacker' tools
and texts. The sysop seems to be okay about letting security types on and he
even has the CERT, RISK, C4I, etc. bulletins on there along with the
classical hacking magazines like Phrack. If anyone is interested you can call
it at 316-946-9507.

Bruce Marshall

From firewalls-owner Wed May 1 09:30:06 1996
Date: Wed, 1 May 1996 11:50:56 -0400 (EDT)
From: "Amy M. Cremer"
To: Blast
Cc: Richard Ruda, "'GreatCircles firewall message host'"
Subject: Re: "Back door" via Modems

Yes, you do have to password protect the Admin account (and yes ours is and
has been since it was installed).

***********************************************************************
* Amy M. Cremer             Microcomputer Support Specialist          *
* Library of Michigan       EMail: amyc@libofmich.lib.mi.us           *
* PO Box 30007              Phone: (517) 373-5022                     *
* 717 W. Allegan St.        Fax:   (517) 373-5865                     *
* Lansing, MI 48909                                                   *
***********************************************************************
*Life would be so much easier if we could just look at the source code*
***********************************************************************

On Wed, 1 May 1996, Blast wrote:

> On Wed, 1 May 1996, Amy M. Cremer wrote:
>
> > Shiva makes a product called a LanRover/E which meets all of the criteria
> > you have listed below and more. It supports IPX, Appletalk, IP, NetBeui,
> > and LLC(Lan to Lan Connections). We have had one for about 4 years now
> > and love it. Easy to use, setup and administer.
>
> The first thing one should do when setting up a LanRover is to make
> sure that you put a password on it. Many times, administrators just
> leave it blank (the way it ships) and figure that the only way to
> admin the box is to hit it with the AdminGUI. Well, it is not documented
> in the manual but I managed one day to find an account called 'root'
> on LanRovers that gets you to a commandline equiv of the AdminGUI.
> Ugly stuff. Just wanted to point this out to the list because
> there are still many LanRovers out there with dialup access
> that don't have a passwd put into the Admin account.
>
> --blast
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> \  Tim Keanini     |   "The limits of my language,                   /
> /  aka blast       |    are the limits of my world."                 \
> \                  |             --Ludwig Wittgenstein               /
> /                  |                                                 \
> \                  +================================================/
> /  PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html      \
> \                                                                    /
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
>

From firewalls-owner Wed May 1 09:31:55 1996
Message-Id: <9605011612.AA7275@notes2.compuserve.com>
To: firewalls
From: "thomas.pavek"
Date: 1 May 96 11:02:06
Subject: Re: Q on using "netpipes" for firewall maintanance

"Andrew V. Stesin" asked about "net pipes"...

Have you heard of / taken a look at the "netcat" software? It is an
extremely versatile (and potentially dangerous) piece of software. I've used
it as part of my toolkit for intrusion testing. I can't say I'd advocate it
to bypass good security practices, but if you can justify rsh-like activity,
then you'll find it useful.
It's available at ftp://ftp.avian.org/src/hacks/nc100.tgz Tom From firewalls-owner Wed May 1 09:41:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08230 for firewalls-outgoing; Wed, 1 May 1996 09:28:15 -0700 (PDT) Received: from nic.near.net (nic.near.net [192.52.71.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA08205 for ; Wed, 1 May 1996 09:28:09 -0700 (PDT) Received: from teicher.bbnplanet.com by nic.near.net id aa18543; 1 May 96 12:25 EDT X-Sender: mteicher@poblano.bbnplanet.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 01 May 1996 12:25:35 -0400 To: marty shannon , rruda@osti.com, amyc@libofmich.lib.mi.us From: Mark Teicher Subject: Re: "Back door" via Modems Cc: firewalls@greatcircle.com Message-ID: <9605011225.aa18543@nic.near.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marty, Can you try my suggestion. Livingston Portmaster, supports PAP/CHAP and supports industry standards.. /m At 10:59 5/1/96 -0400, marty shannon wrote: > >] Date: Wed, 1 May 1996 09:58:52 -0400 (EDT) >] From: "Amy M. Cremer" >] To: Richard Ruda >] >] Shiva makes a product called a LanRover/E which meets all of the criteria >] you have listed below and more. It supports IPX, Appletalk, IP, NetBeui, >] and LLC(Lan to Lan Connections). We have had one for about 4 years now >] and love it. Easy to use, setup and administer. >] >] Amy > >Yeah, except that it offers *no* industry standard authentication. >Shiva has their own proprietary nonsense that prevents standards-compliant >platforms from connecting to it. When we asked about using PAP/CHAP, they >basically told us that those were uninteresting (to them). Anyone want >a doorstop? > > Marty >-- >Marty Shannon | SunOS System Administrator | Bill Gates can't >TIAA-CREF 3rd Floor | SVR3 System Administrator | borrow enough to >730 3rd Avenue | UUCP Guru (Don't Tell!) 
| make me do Windows! >New York City, NY 10017 | Solaris System Administrator | Sigh. >If you think I speak for anyone but myself, you very much need a psychiatrist. > From firewalls-owner Wed May 1 10:00:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA11021 for firewalls-outgoing; Wed, 1 May 1996 09:52:03 -0700 (PDT) Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA11014 for ; Wed, 1 May 1996 09:51:55 -0700 (PDT) Received: from baileynm.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id LAA20051; Wed, 1 May 1996 11:21:07 -0500 (CDT) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA26821; Wed, 1 May 1996 09:21:05 -0500 Received: by sonic.nmti.com; id AA03881; Wed, 1 May 1996 09:21:04 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9605011421.AA03881@sonic.nmti.com.nmti.com> Subject: Re: Seeking tcpdump Information To: CWSTAFFORD@deserthosp.org Date: Wed, 1 May 1996 09:21:04 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "CWSTAFFORD@deserthosp.org" at Apr 30, 96 04:48:07 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I am looking for more documentation on tcpdump. I have read > through the man page. I am interested in anything else that might be > available. Can someone direct me to such an item? Look at the documentation on the Berkeley Packet Filter. You really need that info to get any use out of it. 
From firewalls-owner Wed May 1 10:41:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15160 for firewalls-outgoing; Wed, 1 May 1996 10:26:03 -0700 (PDT)
Received: from scifi.maid.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA15142 for ; Wed, 1 May 1996 10:25:57 -0700 (PDT)
Received: (from njs@localhost) by scifi.maid.com (8.6.11/8.6.9) id NAA12134; Wed, 1 May 1996 13:06:34 -0400
Date: Wed, 1 May 1996 13:06:33 -0400 (EDT)
From: Nick Simicich
To: Rodney Garner X5991
cc: firewalls@GreatCircle.COM
Subject: Re: "Back door" via Modems
In-Reply-To: <199605011439.KAA01251@ss1.sciatl.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 May 1996, Rodney Garner X5991 wrote:

> Date: Wed, 1 May 1996 10:39:21 -0400
> From: Rodney Garner X5991
> To: firewalls@GreatCircle.COM
> Subject: "Back door" via Modems
>
> Jason Manaigre wrote:
> > You have a good point, how do we protect our systems from WarDialers?
> > They are everywhere...
>
> Where can I get a WarDialer to look for modems on my system?
> Finding the modems on our PBX is a big part of finding "back door" threats
> to our internal network.

Just tell me how many rings you are going to try. My back door modem will answer only on the second call of two more rings than that. Or I'll answer the phone like a fax, and even accept faxes.

This stuff needs to be controlled by policy and security awareness, not by war dialing around to find answer tones.

Nick Simicich - njs@scifi.emi.net - (last choice) njs@bcrvm1.vnet.ibm.com
http://scifi.emi.net/njs.html -- Stop by and Light Up The World!
From firewalls-owner Wed May 1 11:41:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA19871 for firewalls-outgoing; Wed, 1 May 1996 11:40:04 -0700 (PDT)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.108]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA19865 for ; Wed, 1 May 1996 11:39:58 -0700 (PDT)
Received: by relay-4.mail.demon.net id aa24100; 1 May 96 17:23 GMT
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net id ar16126; 1 May 96 16:51 GMT
Received: from browns.demon.co.uk ([158.152.46.59]) by relay-3.mail.demon.net id ab21683; 1 May 96 17:26 +0100
Received: from colin.browns.co.uk by post.browns.co.uk id aa12583; 1 May 96 17:27 GMT
Message-ID: <318790D9.1C08@browns.co.uk>
Date: Wed, 01 May 1996 17:27:05 +0100
From: Colin Childes
Organization: Brown's Operating System Services Ltd
X-Mailer: Mozilla 2.01 (Win16; I)
MIME-Version: 1.0
To: Richard Ruda
CC: firewalls@greatcircle.com
Subject: Re: "Back door" via Modems
References: <01BB36A6.C16344C0@rruda>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Richard Ruda wrote:
>
> Understand that modems connected to networked PC's are a possible "back door" threat to a firewall protected network and need to be addressed as part of the ov...???
> Am sure there are packaged hardware/software solutions to control; including the following:
> 1. Access control; dial in calls with password authentication (without and with 3rd party security devices).
> 2. Ability to auto call back after call in.
> 3. Must be able to dial out from desktop (modem pool) also.
> 4. Perhaps call logging for audit purposes.
> 5. Other?
> I'm sure this is pretty standard stuff so perhaps someone can suggest a vendor with a range of solutions.

Having looked at Compsoft's web pages, I believe you might find Brown's interesting. As a company specializing in secure communications we meet all your requirements and more. Brown's provide a range of boundary gateway/routers for dial-up users with the emphasis firmly on security.

If you would like further info or a brochure on how Brown's can help please call me or Geoff Foden on the number below. Alternatively eMail one of the following addresses:

Geoff Foden gbf@browns.co.uk
Beverley Davies beverley@browns.co.uk
Andrew Brown andyb@browns.co.uk
General Enquiry enquiry@browns.co.uk

----------------------------------------------------------------------------
I will support laws and technology which limit what you are allowed to hear, if you will oppose laws and technology limiting what I am allowed to say.
Standard Disclaimer: The above statements and opinions are strictly mine, and do not represent any company or organization's position.
----------------------------------------------------------------------------
Brown's Operating System Services Ltd. Greenwich, London, UK
Tel: 44 (0)181 297-9797 Fax: 44 (0)181 318-3939
Secure Communications for Distributed Users
----------------------------------------------------------------------------

From firewalls-owner Wed May 1 12:11:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA21124 for firewalls-outgoing; Wed, 1 May 1996 11:59:09 -0700 (PDT)
Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA21117 for ; Wed, 1 May 1996 11:59:04 -0700 (PDT)
Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA01400 for ; Wed, 1 May 96 14:45:24 -0400
Date: Wed, 1 May 96 14:07:35 EDT
From: gcl@nikko.com (George Lee)
Received: from tamago.nikko (tamago.ARPA) by nikko.com (4.1/3.2.083191-The Nikko Securities Company) id AA21576; Wed, 1 May 96 14:07:35 EDT
Message-Id: <9605011807.AA21576@nikko.com>
To: firewalls@greatcircle.com
Subject: Gauntlet vs. Firewall-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All,

I need your options... We are deciding on purchasing a firewall and our choices are between Firewall-1 and Gauntlet. I know the price and hardware differences, but what about the performance, front end, administration, maintenance, and upgrade differences? Does anyone have this information, or where can I look? (especially on Gauntlet - what's good and bad... personal point of view)

Also, is there anything else I should be concerned about?

Thank you
G:-)

From firewalls-owner Wed May 1 12:56:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA25959 for firewalls-outgoing; Wed, 1 May 1996 12:53:56 -0700 (PDT)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA25943 for ; Wed, 1 May 1996 12:53:51 -0700 (PDT)
Received: by relay.ashton.csc.com; id PAA20044; Wed, 1 May 1996 15:55:46 -0400
Received: from unknown(20.2.2.46) by relay.ashton.csc.com via smap (g3.0.1) id sma020042; Wed, 1 May 96 15:55:19 -0400
Received: by batman.ashton.csc.com with Microsoft Mail id <01BB3776.353428E0@batman.ashton.csc.com>; Wed, 1 May 1996 15:52:32 -0400
Message-ID: <01BB3776.353428E0@batman.ashton.csc.com>
From: Chris Kostick
To: "'firewalls@greatcircle.com'"
Subject: Conclusions on management
Date: Wed, 1 May 1996 15:52:28 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From the underwhelming response I received (thanks Darren) on the topic of firewall management, I can conclude that no one really gives a flying rat's butt.

That said, I still have concerns about it. Maybe not today, maybe not tomorrow, but someday soon I think others will have concerns too. Managing multiple firewalls, especially from different vendors, is going to hit someone's to do list and hopefully they'll have enough clout and money to have something done about it.
Unfortunately for me, I fall into neither the 'enough clout' nor 'enough money' categories.

--
Chris
CSC

From firewalls-owner Wed May 1 13:44:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA28813 for firewalls-outgoing; Wed, 1 May 1996 13:32:39 -0700 (PDT)
Received: from ufrmsa1.olivetti.za (ufrmsa1.Olivetti.za [160.124.2.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA28796 for ; Wed, 1 May 1996 13:32:32 -0700 (PDT)
Received: from andy.UUCP by ufrmsa1.olivetti.za with UUCP (Smail3.1.29.1 #3) id m0uEiUP-000CadC; Wed, 1 May 96 22:27 GMT+0200
Date: Wed, 1 May 1996 22:25:35 +0200 (GMT+0200)
From: Andrew Cameron
To: Firewalls@Greatcircle.com
Subject: Raptor Firewall
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to know what people's experiences with the Raptor firewall have been, both good and bad.

Thanks in anticipation.

-----------------------------------------------------------------------------
Andrew Cameron
Internet : andrew@andy.alt.za
X.400 : C=ZA G=Andrew S=Cameron Admd=TELKOM400
----------------------------------------------------------------------------

From firewalls-owner Wed May 1 13:57:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA28925 for firewalls-outgoing; Wed, 1 May 1996 13:35:36 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA28919 for ; Wed, 1 May 1996 13:35:22 -0700 (PDT)
Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) by mail.RC.Toronto.on.ca (post.office MTA v1.9.3 evaluation license) with SMTP id AAA316; Wed, 1 May 1996 16:32:21 -0400
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail id <01BB377B.D37CD7E0@rwcooper.rc.toronto.on.ca>; Wed, 1 May 1996 16:32:45 -0700
Message-ID: <01BB377B.D37CD7E0@rwcooper.rc.toronto.on.ca>
From: Russ
To: "rruda@osti.com" , "amyc@libofmich.lib.mi.us" , "'marty shannon'"
Cc: "firewalls@GreatCircle.com"
Subject: RE: "Back door" via Modems
Date: Wed, 1 May 1996 16:32:43 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marty said...

"Yeah, except that it offers *no* industry standard authentication. Shiva has their own proprietary nonsense that prevents standards-compliant platforms from connecting to it. When we asked about using PAP/CHAP, they basically told us that those were uninteresting (to them). Anyone want a doorstop?"

Sorry bud, but I'm afraid you must have been looking at one very old LanRover, and the people you spoke to at Shiva must work for Livingston...

LanRovers, today, support PAP and CHAP; they also support TACACS+, Radius, Security Dynamics ACE Server and Digital Pathways Defender Server software. Being a seamless solution for PPP/SLIP/MLPPP (with support for BACP coming), they are my dial-in/dial-out device of choice.

Whatever it was that you were looking at, throw it back at the vendor who brought it to you and tell them to show you a real Shiva LanRover/E with ShivOS 4.0 (released beginning of March).

Cheers,
Russ

From firewalls-owner Wed May 1 14:11:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA00123 for firewalls-outgoing; Wed, 1 May 1996 13:53:47 -0700 (PDT)
Received: from knuth.mtsu.edu (knuth.mtsu.edu [161.45.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA00116 for ; Wed, 1 May 1996 13:53:38 -0700 (PDT)
Received: from raider by knuth.mtsu.edu with uucp (Smail3.1.29.1 #15) id m0uEirq-000D3CC; Wed, 1 May 96 16:51 EDT
Received: from jobsoft.com by raider.raider.net with esmtp (Smail3.1.29.1 #8) id m0uEhaa-000CoCC; Wed, 1 May 96 14:29 CDT
Received: (from klf@localhost) by jobsoft.com (8.7.1/8.7.1) id OAA00916; Wed, 1 May 1996 14:31:18 -0500
Date: Wed, 1 May 1996 14:31:17 -0500 (CDT)
From: "Kelly L. Fulks"
To: Dave Stagner
cc: firewalls@greatcircle.com
Subject: Re: Intel firewalls: more than just performance
In-Reply-To: <3184D8FA.41C6@ncs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 29 Apr 1996, Dave Stagner wrote:

> The reason for this isn't software, it's hardware. The power supplies
> are designed to protect not only the hardware, but also the filesystems.
> When a power failure happens, the power supply notifies the operating
> system kernel, which immediately initiates a clean shutdown. The power
> supply has enough onboard capacitance to run the machine for the several
> seconds needed to at least sync the drives.
>
> PC hardware doesn't have this sort of support. Remember, it was
> designed with the DOS FAT filesystem in mind, which isn't sensitive to
> system states the way UNIX filesystems are. So whenever power is lost,
> the system loses state and the filesystems get horked.
> --
> * David Stagner david_stagner@ncs.com *
> * National Computer Systems vox 319 354 9200 *
> * Operations - Iowa City, IA fax 319 339 6555 *
> * Unix programmer Internet administrator *
> * I do not speak for NCS, of course. *
>

This is why you use a UPS on your PC Unix machines. Yes, you still might get hit occasionally, but not nearly so often. A good UPS can run even a major server class machine for quite a few minutes, more than enough time to shut it down properly. And Linux even has support for this built into its SysVInit system.

--
Kelly L. Fulks klf@jobsoft.com
Jobsoft Design & Development, Inc klf@raider.raider.net
118 S Maple St., Murfreesboro, TN 37130
VOICE (615) 904-9559 (615) 904-9562 -- FAX (615) 890-0021

From firewalls-owner Wed May 1 14:42:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04558 for firewalls-outgoing; Wed, 1 May 1996 14:37:35 -0700 (PDT)
Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA04549 for ; Wed, 1 May 1996 14:37:30 -0700 (PDT)
Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA18640 (5.65c/IDA-1.4.4-910725 for ); Wed, 1 May 1996 14:34:56 -0700
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA09189; Wed, 1 May 96 14:34:33 PDT
Date: Wed, 1 May 96 14:34:33 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9605012134.AA09189@manzanita.DEV.3Com.COM.noname>
To: firewalls@GreatCircle.COM, rodney@subasic.sciatl.com
Subject: war/demon dialers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I found one on ftp.paranoia.com. It's called ToneLoc (for Tone Locator).

The product is pretty clearly written by and for hackers, but then it will raise your awareness level. It certainly raised mine.

BobK

From firewalls-owner Wed May 1 14:56:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04179 for firewalls-outgoing; Wed, 1 May 1996 14:34:39 -0700 (PDT)
Received: from marvin.cdf.toronto.edu (marvin.cdf.toronto.edu [128.100.31.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA04163 for ; Wed, 1 May 1996 14:34:33 -0700 (PDT)
Received: from localhost by marvin.cdf.toronto.edu with SMTP id <9266>; Wed, 1 May 1996 17:32:15 -0400
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #284
In-reply-to: Your message of "Wed, 01 May 1996 04:00:30 EDT." <199605010800.BAA12567@miles.greatcircle.com>
Date: Wed, 1 May 1996 17:32:12 -0400
From: John DiMarco
Message-Id: <96May1.173215edt.9266@marvin.cdf.toronto.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <199605010800.BAA12567@miles.greatcircle.com> todd@momentum.com.au (Todd Hooper) writes:

me@tartufo.muc.ditec.de (Michael Elbel) writes:
>>I don't know too much about how the software scales (OS, Firewall SW
>>itself) for Borderware, but it looks like reasonably modern PC-based
>>hardware can compete pretty well in the internet server business,
>>shoving data around at speeds faster than Ethernet. Take Walnut Creek
>>CDROM's ftp and www server:

>That's a good example of a high performance Intel machine (Pentium Pro,
>stacks of memory, PCI, 3 high speed SCSI cards, Fast Ethernet) as a
>generic Internet server.
>
>However they aren't using it as a firewall. In the case of BorderWare,
>version 3.1 of the BorderWare firewall only supports ISA (not PCI),
>10 mbps ethernet, 486 & Pentium (not Pro) CPU's and a single SCSI
>controller from either Adaptec or BusLogic.
>
>(This is from memory. Unfortunately I can't get the relevant file off
>their Web server (http://www.border.com/product_overview.html)
>as it stops half way through for some unknown reason)
>
>An Intel system such as this is very unlikely to match the performance of a
>RS/6000, Sun, HP, DEC etc which leads one to the conclusion that some
>serious capacity planning would be in order before deciding which system
>to deploy.

Any decent ISA 10 Mb/sec ethernet card is more than capable of saturating a 10 Mb/sec ethernet, and a T1 is an order of magnitude slower than that. Unless you're dealing with a connection of T3 magnitude, a 486 or Pentium with an ISA-based ethernet card and a SCSI controller should be more than adequate for most purposes. It only takes a few seconds of "capacity planning" to figure this out.
In any case, a high-end Pentium system (even with an ISA ethernet card) can be configured as a perfectly adequate low to mid-range workstation-class machine, a machine that can significantly exceed the performance of many of the current offerings from the mainline workstation vendors. Don't believe me? Measure it yourself.

Regards,
John
--
John DiMarco Office: EA201B
Computing Disciplines Facility Systems Manager Phone: 416-978-1928
University of Toronto Fax: 416-978-1931
http://www.cdf.toronto.edu/~jdd

From firewalls-owner Wed May 1 15:11:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA06783 for firewalls-outgoing; Wed, 1 May 1996 15:09:10 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.41]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA06777 for ; Wed, 1 May 1996 15:09:05 -0700 (PDT)
Received: (from scanner@localhost) by orion.webspan.net (8.6.12/8.6.12) id SAA12936; Wed, 1 May 1996 18:06:28 -0400
Date: Wed, 1 May 1996 18:06:28 -0400 (EDT)
From: Scanner SOD
To: Bob Konigsberg
cc: firewalls@GreatCircle.COM, rodney@subasic.sciatl.com
Subject: Re: war/demon dialers
In-Reply-To: <9605012134.AA09189@manzanita.DEV.3Com.COM.noname>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 1 May 1996, Bob Konigsberg wrote:

> I found one on ftp.paranoia.com. It's called ToneLoc (For Tone Locator).
>
> The product is pretty clearly written by and for hackers, but then it
> will raise your awareness level. It certainly raised mine.

Not to dampen the importance of being aware, but that program is older than I am :) so don't get the illusion that that program is by any means a standard tool used today :)

--
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
===================================| SysAdmin / Network Engineer / Consultant

From firewalls-owner Wed May 1 15:56:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA10786 for firewalls-outgoing; Wed, 1 May 1996 15:48:00 -0700 (PDT)
Received: from area1n176.residence.gatech.edu (area1n176.residence.gatech.edu [199.77.174.79]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA10780 for ; Wed, 1 May 1996 15:47:56 -0700 (PDT)
Received: (from xnor@localhost) by area1n176.residence.gatech.edu (8.6.12/8.6.9) id SAA00118; Wed, 1 May 1996 18:43:10 -0500
From: r00t
Message-Id: <199605012343.SAA00118@area1n176.residence.gatech.edu>
Subject: Re: war/demon dialers
To: scanner@webspan.net (Scanner SOD)
Date: Wed, 1 May 1996 18:43:10 -0500 (GMT-0500)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Scanner SOD" at May 1, 96 06:06:28 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I found one on ftp.paranoia.com. It's called ToneLoc (For Tone Locator).
> >
> > The product is pretty clearly written by and for hackers, but then it
> > will raise your awareness level. It certainly raised mine.
> Not to dampen the importance of being aware but that program is older than
> I am :) so don't get the illusion that that program is by any means a
> standard tool used today :)

OK... the program WAS written for and by hackers. And its use has been dampened by Caller ID and the like. To say that it is not a standard tool is grossly incorrect. It is used, and to ignore it is a mistake.

Chris Carpenter

From firewalls-owner Wed May 1 17:11:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14868 for firewalls-outgoing; Wed, 1 May 1996 17:05:25 -0700 (PDT)
Received: from emout16.mail.aol.com (emout16.mx.aol.com [198.81.11.42]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA14854 for ; Wed, 1 May 1996 17:05:21 -0700 (PDT)
From: OoICE9oO@aol.com
Received: by emout16.mail.aol.com (8.6.12/8.6.12) id UAA14977; Wed, 1 May 1996 20:03:10 -0400
Date: Wed, 1 May 1996 20:03:10 -0400
Message-ID: <960501200309_388107427@emout16.mail.aol.com>
To: bobk@manzanita.dev.3com.com
cc: firewalls@greatcircle.com
Subject: Re: war/demon dialers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Believe me, there are a lot more than just Tone Loc. Trust me, I've seen em all. Probably the oldest one that I know of is Code Thief, which was not only a war dialer but a utility for hacking 950 extender codes. If you want to see a REALLY hopped up program, you should check out Blue Beep. This one has all the fixins. These programs are readily available on elite web sights everywhere. You don't even have to be a hacker to get them....its really quite sad.

ICE 9

From firewalls-owner Wed May 1 17:26:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14826 for firewalls-outgoing; Wed, 1 May 1996 17:03:53 -0700 (PDT)
Received: from wpg-01.escape.ca (wpg-01.escape.ca [198.163.232.254]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA14812 for ; Wed, 1 May 1996 17:03:46 -0700 (PDT)
Received: from wpg-01.escape.ca (ts4dl47.escape.ca [198.163.235.83]) by wpg-01.escape.ca (8.6.11/8.6.11) with SMTP id TAA02136; Wed, 1 May 1996 19:05:11 -0500
Message-Id: <199605020005.TAA02136@wpg-01.escape.ca>
Comments: Authenticated sender is
From: "Classified"
Organization: Classified
To: r00t
Date: Wed, 1 May 1996 18:56:25 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: war/demon dialers
CC: firewalls@GreatCircle.COM
X-mailer: Pegasus Mail for Win32 (v2.31)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> OK... the program WAS written for and by hackers. And its use has been
> dampened by Caller ID and the like. To say that it is not a standard
> tool is grossly incorrect. It is used, and to ignore it is a mistake.
>
> Chris Carpenter
>
>

Well put....

Ratak
Secret Agents, where?
From firewalls-owner Wed May 1 17:36:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14876 for firewalls-outgoing; Wed, 1 May 1996 17:05:38 -0700 (PDT)
Received: from wpg-01.escape.ca (wpg-01.escape.ca [198.163.232.254]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA14870 for ; Wed, 1 May 1996 17:05:31 -0700 (PDT)
Received: from wpg-01.escape.ca (ts4dl47.escape.ca [198.163.235.83]) by wpg-01.escape.ca (8.6.11/8.6.11) with SMTP id TAA02229; Wed, 1 May 1996 19:07:04 -0500
Message-Id: <199605020007.TAA02229@wpg-01.escape.ca>
Comments: Authenticated sender is
From: "Classified"
Organization: Classified
To: Scanner SOD
Date: Wed, 1 May 1996 18:58:18 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: war/demon dialers
CC: firewalls@GreatCircle.COM, rodney@subasic.sciatl.com
X-mailer: Pegasus Mail for Win32 (v2.31)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> D
> Not to dampen the importance of being aware but that program is older than
> I am :) so don't get the illusion that that program is by any means a
> standard tool used today :)
>
>

It might be old, but it is a trusted war horse so to speak... And there are others.... I think it's a serious problem...

Ratak
Secret Agents, where?
From firewalls-owner Wed May 1 17:41:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA16241 for firewalls-outgoing; Wed, 1 May 1996 17:38:07 -0700 (PDT)
Received: from mark.allyn.com (mark.allyn.com [206.114.135.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA16235 for ; Wed, 1 May 1996 17:38:01 -0700 (PDT)
Received: (from allyn@localhost) by mark.allyn.com (8.7.5/8.7) id RAA23554; Wed, 1 May 1996 17:40:52 -0700 (PDT)
From: Mark Allyn 206-860-9454
Message-Id: <199605020040.RAA23554@mark.allyn.com>
Subject: Re: war/demon dialers
To: OoICE9oO@aol.com
Date: Wed, 1 May 1996 17:40:51 -0700 (PDT)
Cc: bobk@manzanita.dev.3com.com, firewalls@GreatCircle.COM
In-Reply-To: <960501200309_388107427@emout16.mail.aol.com> from "OoICE9oO@aol.com" at May 1, 96 08:03:10 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello:

I read with interest the following statement:

-> all the fixins. These programs are readily available on elite web sights
                                                                     ^^^^^
-> everywhere. You don't even have to be a hacker to get them....its really
-> quite sad.

Yet; when I try:

mark.allyn.com% lynx http://www.elite.com

lynx: Can't access start file http://www.elite.com

and . . . .

RWhois Server at rwhois.internic.net version V-1.0

Elite Data Processing, Inc. (ELITE-DOM)
3415 S. Sepulveda Blvd. Suite 500
Los Angeles, CA 90034

Domain Name: ELITE.COM

Administrative Contact:
Mendes, Jerry (JM85) jmendes@ELITE.COM
(310) 398-4900
Technical Contact:
D'ambrosio, Louis (LD19) lou@ELITE.COM
(310) 398-4900

Record Last Updated on 931018.

Domain servers in listed order:

NS.UU.NET 137.39.1.3
UUCP-GW-1.PA.DEC.COM 204.123.2.18 16.1.0.18
UUCP-GW-2.PA.DEC.COM 16.1.0.19
NS.EU.NET 192.16.202.11
NS1.RUTGERS.EDU 128.6.21.6

mark.allyn.com% nslookup
Default Server: mark.allyn.com
Address: 206.114.135.2

> set querytype=mx
> elite.com
Server: mark.allyn.com
Address: 206.114.135.2

elite.com preference = 100, mail exchanger = mail.uu.net

mark.allyn.com% nslookup elite.com
Server: mark.allyn.com
Address: 206.114.135.2

*** No address information is available for elite.com

mark.allyn.com% nslookup www.elite.com
Server: mark.allyn.com
Address: 206.114.135.2

*** No address information is available for www.elite.com

mark.allyn.com% nslookup www1.elite.com
Server: mark.allyn.com
Address: 206.114.135.2

*** No address information is available for www1.elite.com

___________________________________________--

What gives here? It looks like elite has only an MX record with uunet and nothing else. Where are these so called elite web sites??

Thank you very much

Mark Allyn
allyn@allyn.com

From firewalls-owner Wed May 1 17:57:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA15541 for firewalls-outgoing; Wed, 1 May 1996 17:23:57 -0700 (PDT)
Received: from neon.ingenia.com (newneon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA15534 for ; Wed, 1 May 1996 17:23:52 -0700 (PDT)
Received: (from shaver@localhost) by neon.ingenia.com (8.6.12/8.6.9) id UAA01661; Wed, 1 May 1996 20:21:37 -0400
From: Mike Shaver
Message-Id: <199605020021.UAA01661@neon.ingenia.com>
Subject: Re: Conclusions on management
To: ckostick@csc.com (Chris Kostick)
Date: Wed, 1 May 1996 20:21:36 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01BB3776.353428E0@batman.ashton.csc.com> from "Chris Kostick" at May 1, 96 03:52:28 pm
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake Chris Kostick:
> >From the underwhelming response I received (thanks Darren) on the
> topic of firewall management, I can conclude that no one really
> gives a flying rat's butt.

ObExcuse: didn't see the original message.

> That said, I still have concerns about it. Maybe not today, maybe not
> tomorrow, but someday soon I think others will have concerns too.
> Managing multiple firewalls, especially from different vendors, is going
> to hit someone's to do list and hopefully they'll have enough clout
> and money to have something done about it. Unfortunately for me, I fall
> into neither the 'enough clout' nor 'enough money' categories.

I wouldn't think that likely, given that a _lot_ of firewalls are being championed (and, sadly, sold) based on the sex appeal of the management interface. When you standardize that, you get a 3rd-party market opened up, and then the firewalls have to compete on the bases of functionality, security and reliability.

With very few exceptions (Sidewinder comes to mind), I don't think any firewall vendor is seriously trying to distinguish themselves based on security. Neither "all the king's Hackers and all the king's Toolz couldn't break in" nor "someone broke into Other Product X" are distinguishing one's product on the basis of security. They're distinguishing one's product on the basis of ignorance (yours and the customer's).

I asked for a document (from a firewall reseller that was courting us) describing the design analysis that went into the product. (They kept using phrases like "designed to be secure", which, while heartening, need a touch of salt.) I was more than a little surprised when they agreed, but I understood again when I got a fax entitled "Penetration testing of XXXX". Didn't even describe the testing methodology.

Anyway, I don't think standardizing management makes sense from a marketing point of view, at least not right now, and I fear that's enough to keep it from happening.

Mike
--
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap! <#
#> <#
#> When the going gets tough, the tough give cryptic error messages. <#
#> "We believe in rough consensus and running code." <#

From firewalls-owner Wed May 1 18:31:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA20901 for firewalls-outgoing; Wed, 1 May 1996 18:22:42 -0700 (PDT)
Received: from bliss.stetson.edu (bliss.stetson.edu [147.253.70.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA20884 for ; Wed, 1 May 1996 18:22:36 -0700 (PDT)
Received: from localhost (fay@localhost) by bliss.stetson.edu (8.6.10/8.6.10) with SMTP id VAA07719; Wed, 1 May 1996 21:19:11 GMT
Date: Wed, 1 May 1996 21:19:10 +0000 (GMT)
From: Jeff Fay
To: Mark Allyn 206-860-9454
cc: OoICE9oO@aol.com, bobk@manzanita.dev.3com.com, firewalls@GreatCircle.COM
Subject: Re: war/demon dialers
In-Reply-To: <199605020040.RAA23554@mark.allyn.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ummm, to the person who was doing all of the search for these "elite" web sites... hehehe... just do a search on Yahoo or your favorite search engine for "phreak". This will proceed to give you numerous pages that will list many different types of wardialers... you will find bluebeep... whose main purpose is not that of wardialing... but to generate DTMF tones and 2600 tones and other tones that are quite useful to the phreaker.

And in the defense of TONELOC, the students here use it to find all of the hidden PPP lines that our lovely Academic Computer Services puts up but then tries to keep for themselves.
Yes it can be used to find all sorts of things that people don't want to be found. The main reason TONELOC and lots of similar programs were originally used for was to find the local phone switches and loops. But yes they can be used to find modem lines and whatever...I know that there are the *xx commands to disable callerID. When people do use these wardialers, you can bet that they use the callerID disabler. I don't know how well it works in all areas but in my local area it completely hides who I am.

my $.02
Jeff Fay
fay@bliss.stetson.edu

From firewalls-owner Wed May 1 18:43:38 1996
From: "John D. Smith"
Date: Wed, 1 May 96 21:36:54 EDT
To: Firewalls@GreatCircle.COM
Subject: Switched Ethernet and Vlans with a Firewall

A standard configuration for a firewall is to have two ethernets, one connected to the public network and one to the secure net. We are considering upgrading our internal network.
It has been suggested that we should use switched technology and Vlans. With Vlans there would be no physical separation of the public and secure networks. The separation is done by the vlan software in the switches.

The switch manufacturers think that this technology should be used and it would save money in our situation. We can buy one larger switch for our wiring closets rather than separate switches for the secure and public networks. I hesitate to trust the switch configuration completely, especially since someone will have to login to the switch to change configurations.

What is the thinking with regard to the use of vlans and switches to separate networks? Is anyone doing it?

john
jsmith@bnl.gov

From firewalls-owner Wed May 1 21:56:27 1996
From: OoICE9oO@aol.com
Date: Thu, 2 May 1996 00:47:24 -0400
To: fay@bliss.stetson.edu
cc: firewalls@greatcircle.com
Subject: Re: war/demon dialers

In a message dated 96-05-01 21:20:13 EDT, you write:

> But yes they can be used to find modem
> lines and whatever...I know that there is the *xx commands to disable
> callerID. When people do use these wardialers, you can bet that they use
> the callerID disabler. I don't know how well it works in all areas but in
> my local area it completely hides who I am.
> my $.02

actually, thatz not completely true...it is true that you can block your number from all business and fax machine lines by using *76 (at least thatz what it iz in my area on my service). There is however a problem...800 and 900 calls are still able to log the caller ID number whether you have blocking on or not.

my $.02

From firewalls-owner Thu May 2 00:26:34 1996
From: zarquon@popalex1.linknet.net
Date: Thu, 2 May 1996 02:10:47 -0500 (CDT)
To: firewalls@greatcircle.com
Subject: Re: war/demon dialers

>> But yes they can be used to find modem lines and whatever...I know that
>> there is the *xx commands to disable callerID. When people do use these
>> wardialers, you can bet that they use the callerID disabler. I don't know
>> how well it works in all areas but in my local area it completely hides who
>> I am. my $.02

> actually, thatz not completely true...it is true that you can block your
> number from all business and fax machine lines by using *76 (at least thatz
> what it iz in my area on my service).
> There is however a problem...800 and
> 900 calls are still able to log the caller ID number whether you have
> blocking on or not.

On my BellSouth residential line, *69 invokes a so-called `privacy switch', preventing my Caller ID info from being forwarded from the switch to the person I am calling, effectively hiding my identity to *them*. At least that is what the phone companies (Germans?) would like us to believe. I have heard rumors that in some areas, it is in fact possible to extract the caller ID information even when this trick is used, but I have never had the opportunity nor felt the need to verify this.

Under normal circumstances, a person using BellSouth's Call Return service would be informed that whoever called them did in fact utilize the privacy feature, and will still be offered the option of returning the call, although the actual number will not be available to them. Placing a simple Call Forwarding request before calling is a trick commonly used to circumvent this.

The bottom line is that your phone company will still have saved your Caller ID information, regardless of what you press before you dial, and should you happen to do something that would be considered illegal, or perhaps just against *their* regulations, they will most definitely make use of their records and supply them to whatever law enforcement agency happens to come along.

Of course, there are also various methods of `diverting' your call, the purpose of which is to stop the Caller ID information from being forwarded as early as possible in the chain of switches, PBXs, or other services you (ab)use. Still, this was not part of the original thread, and has basically *nothing* to do with firewalls at all...
:)

.../zarq

From firewalls-owner Thu May 2 04:56:57 1996
From: rodney@subasic.sciatl.com (Rodney Garner X5991)
Date: Thu, 2 May 1996 07:42:49 -0400
To: njs@scifi.maid.com
Cc: firewalls@GreatCircle.COM
Subject: Re: "Back door" via Modems

> > Jason Manaigre wrote:
> > You have a good point, how do we protect our systems from WarDialers?
> > They are everywhere...
> > Where can I get a WarDialer to look for modems on my system?
> Finding the modems on our PBX is a big part of finding "back door" threats
> to our internal network.
>
> Just tell me how many rings you are going to try. My back door modem
> will answer only on the second call of two more rings than that.
>
> Or I'll answer the phone like a fax, and even accept faxes.
>
> This stuff needs to be controlled by policy and security awareness, not
> by war dialing around to find answer tones.

Yes. I agree that policy and awareness is the way to go. But there is always someone or a group of someones that think they have to find a way to bend the rules.
I use SecureID and have firewalls on all of my gateways, but there is always someone who wants to have their own little connection to themselves.

Thanks to all who responded to my request.

Rodney Garner

From firewalls-owner Thu May 2 06:26:36 1996
From: "R. G. Resino"
Date: Thu, 02 May 96 09:06:54 -0400
To: firewalls@GreatCircle.COM
CC: zarquon@popalex1.linknet.net
Subject: RE: war/demon dialers

Not quite. The phone company provides CLID to the customer only. Internally, the Signaling System #7 SSN7 initial address message is saved as part of the Call Accounting database. Most of the Class Functions provided to users are subsets of information available at the digital central office.

There have been several messages to this list about ANI (automatic number ID) and ALI (Location ID). These services are available over Primary Rate ISDN trunks. The SSN7 IMA and MTP messages are only available to Digital Central Offices using CNI turning.

CLID is received by a subscriber as a series of modem tones between the 1st and 2nd ring. They are sent by the LEC's DCO. It requires a DCO command to prevent the modem from sending the number. That is what your *69 is doing. The TELCO's call accounting is unrelated to Caller ID.
Bob Resino
Head, MID/Data-telecommunications
MCLO, HSO, Norfolk, VA

> The bottom line is that your phone company will still have saved your Caller ID information, regardless of what you press before you dial, and should you happen to do something that would be considered illegal, or perhaps just against *their* regulations, they will most definitely make use of their records and supply them to whatever law enforcement agency happens to come along.
>
> Of course, there are also various methods of `diverting' your call, the purpose of which is to stop the Caller ID information from being forwarded as early as possible in the chain of switches, PBXs, or other services you (ab)use. Still, this was not part of the original thread, and has basically *nothing* to do with firewalls at all... :)
>
> .../zarq

From firewalls-owner Thu May 2 07:05:12 1996
From: barnett@grymoire.crd.ge.com (Bruce Barnett)
Date: Thu, 2 May 1996 09:42:54 -0400
To: Firewalls@GreatCircle.COM
Subject: Re: war/demon dialers

> The product is pretty clearly written by and for hackers, but then it
> will raise your awareness level.

It certainly raised mine. I purchased a Best of Shareware CD-ROM several years ago for my home computer from a major mail-order software house. It was loaded with games, utilities, etc.
I was surprised at the time to see that a daemon-dialer was one of the "standard utilities" included on the CD-ROM.

From firewalls-owner Thu May 2 07:16:04 1996
From: "Jonathan M. Bresler"
Date: Thu, 02 May 96 09:45:47 -0400
To: jeromie@garrison.com (Jeromie Jackson)
Cc: Firewalls@GreatCircle.COM, todd@momentum.com.au, me@tartufo.muc.ditec.de
Subject: lmbench [Was: Re: Most popular firewall implementation?]

Jeromie Jackson wrote:

> I would refer you to the 'lmbench' that was done by an SGI engineer.
> http://reality.sgi.com/employees/lm_engr
>
> The benchmarks are based on IO throughput. It shows quite clearly that
> the 'larger scale' computers do not necessarily provide a benefit.
> The larger the boxes the poorer they looked in the benchmarks for things such
> as simple system call timings, process creation times, pipe latency, TCP
> latency, TCP connect latency.
>
> Also, in relation to cost, it's obviously much more cost-effective to
> upgrade a PC based platform in comparison to other machines.

one concern regarding lmbench as a networking benchmark: lmbench uses only one host; the server and the client are different processes on the same host.
the data never "hits the wire", but rather passes from the client to the kernel to the server. the networking code (device drivers and the network adapter) is not tested. larry mcvoy and carl staelin discuss this in their paper (the doc/PS file in lmbench sect 5.2). for a firewall, or network server, this is a CRITICAL omission. frequently, the adapter's programming interface will be the hot-spot or bottleneck in network activity.

jmb
--
Jonathan M. Bresler 202-452-2831 breslerj@frb.gov
MS-169, Federal Reserve Board of Governors, Washington DC 20551
I am speaking for myself only, not the Federal Reserve Board of Governors

From firewalls-owner Thu May 2 07:58:41 1996
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Thu, 2 May 96 07:40:34 PDT
To: Firewalls@GreatCircle.COM, jsmith@bnlls1.nsls.bnl.gov
Subject: Re: Switched Ethernet and Vlans with a Firewall

I'd be very cautious using virtual LANs in a secure environment. We've had some virtual lans on our network (not even secure) do some strange things because the operation thereof was not completely understood.

Understand that I'm not knocking the concept. I'd just be very careful with new technology in an area that requires high security.
For security, I'd feel better with tried and true systems, and do the experimenting on systems where the price of failure is lower.

BobK

From firewalls-owner Thu May 2 08:50:56 1996
From: Elton Chan
Date: Thu, 02 May 96 23:23:00 PDT
To: "'Firewalls lists'"
Subject: disaster plan for WAN/LAN

Hi all,

Could anybody tell me what is the most common disaster plan currently adopted for a WAN (such as in case a T1 link is down) as well as for a LAN? Are there any documents related to this topic on the Internet?
Thanks,
Elton

From firewalls-owner Thu May 2 09:26:37 1996
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Thu, 2 May 96 09:18:34 PDT
To: Firewalls@GreatCircle.COM, elton@msmail.hkg.ingr.com
Subject: Re: disaster plan for WAN/LAN

This is somewhat off the topic of firewalls, but since this material may refer to Internet connections as well, here goes....

If you've really got mission critical WAN connections, what you can do is to set up redundant and diverse WAN connections to begin with. That is, have two T-1s (or fraction thereof). If possible, have them leave your premises by different physical routes to avoid backhoes. The T-1's should then go to different POPS (Points Of Presence) for your WAN carrier (who said this was cheap?). In some cases, you may even want to use different carriers (AT&T, Sprint, MCI, LCI, WilTel, whoever).

Consider whether or not the high latency of Satellite connections will work with your set of applications. Typical latency within the US ranges from 30 ms to 300 ms. Satellite latency starts at about 700 ms and goes up from there.

Use different routers to connect to each WAN connection.
If you have a large or widely spread campus or interconnected sites, you may even want the routers and connections in different buildings. Size each pipe capable of carrying all your traffic with some overhead allowed for. Then set the routing costs to make one preferred for IP traffic, and the other for IPX/AT/XNS/OSI/DECNET or whatever protocol mix you run.

Hope this helps,
BobK

From firewalls-owner Thu May 2 09:41:41 1996
From: David Loysen
Date: Thu, 2 May 1996 09:35:25 -0700
To: Jeff Fay
Cc: firewalls@greatcircle.com
Subject: Re: war/demon dialers

> ..I know that there is the *xx commands to disable
> callerID. When people do use these wardialers, you can bet that they use
> the callerID disabler.
> I don't know how well it works in all areas but in
> my local area it completely hides who I am.
> my $.02
> Jeff Fay
> fay@bliss.stetson.edu

Except when you call an 800 number.

Firewalls relevance: not much, but if you have an 800 number on your PBX, and modems, maybe you want to log incoming numbers.

dwl@hnc.com
David Loysen
619-546-8877 x245

From firewalls-owner Thu May 2 10:00:03 1996
From: Rabid Wombat
Date: Thu, 2 May 1996 12:04:16 -0400 (EDT)
To: "John D. Smith"
cc: Firewalls@GreatCircle.COM
Subject: Re: Switched Ethernet and Vlans with a Firewall

A site that I'm working on is implementing switching (Cisco Catalyst 5000 switches) and is planning on using VLANs to separate departments. We're using multiple 10T collision domains for user segments within each department, and dedicated 100T for server connections. As Cisco doesn't have layer 3 support on the Catalyst as of yet (3rd quarter, Paul ??), we're using a router to get between VLANs as a short term solution. When the switch can pass traffic between VLANs, the router will stay in place to pass traffic from the internal VLANs to the firewall. The firewall has a second ethernet connection which goes to the screening router ("bastion" segment), which in turn connects to the big bad internet (tm).
I don't see any reason why you can't implement something similar. Are you using something like the DEC Gigaswitch (which has layer 3 support) to implement VLANS and also provide connection to the outside via shared FDDI or something, rather than connecting to the outside via a point-to-point circuit? There are plenty of ethernet-to-ethernet speed firewalls out there, if the "untrusted" net is local.

----------------------------------------
Rabid Wombat
wombat@mcfeely.bsfs.org
----------------------------------------

On Wed, 1 May 1996, John D. Smith wrote:

> A standard configuration for a firewall is to have two
> ethernets, one connected to the public network and one to the
> secure net.
> We are considering upgrading our internal network. It
> has been suggested that we should use switched technology and
> Vlans. With Vlans there would be no physical separation of the
> public and secure networks. The separation is done by the
> vlan software in the switches.
> The switch manufacturers think that this technology
> should be used and it would save money in our situation.
> We can buy one larger switch for our wiring closets rather
> than separate switches for the secure and public networks.
> I hesitate to trust the switch configuration completely
> especially since someone will have to login to the switch
> to change configurations.
>
> What is the thinking with regard to the use
> of vlans and switches to separate networks. Is anyone
> doing it.
>
> john
> jsmith@bnl.gov

From firewalls-owner Thu May 2 11:26:44 1996
From: schoettl@cadvision.com
Date: Thu, 2 May 1996 12:17:01 -0600
To: firewalls@greatcircle.com
Subject: Borderware, performance limitations

I am currently doing an evaluation project on a number of firewall products, including Cyberguard, FW-1 and BorderWare. I have performed some throughput tests by ftping files, etc. through the firewalls, Ethernet to Ethernet. Since my FTP server is not the fastest machine in the world, I cannot get more than about 20% utilization on the Ethernet, firewall or no firewall. Thus far, the Borderware product has performed as well as the others.

My question is this: Has anyone performed any throughput tests on Borderware to the point of failure (or at least hit the ceiling)? If so, I would be very interested in seeing the results.

Thanks in advance.
Peter Schoettle
Telecomm Consultant
Calgary, AB
schoettl@cadvision.com

From firewalls-owner Thu May 2 11:41:47 1996
From: "Gaetan J. BLENET"
Date: Thu, 2 May 1996 20:21:30 +0200 (MET DST)
To: jsmith@bnlls1.nsls.bnl.gov
Cc: gblenet@ort.fr, Firewalls@GreatCircle.COM
Subject: Re: Switched Ethernet and Vlans with a Firewall

> From jsmith@bnlls1.nsls.bnl.gov Thu May 2 16:19 MET 1996
> From: "John D. Smith"
> Subject: Re: Switched Ethernet and Vlans with a Firewall
> To: gblenet@adminfw.ort.fr
> Date: Thu, 2 May 96 10:18:11 EDT
>
> Thanks for the reply. I don't see a problem using a switch
> and a Vlan within a secure or public network. My question concerns
> using a switch to define the two networks. I would have to
> install a Firewall where one port on the firewall goes to a
> port on the switch and the other port of the firewall goes to
> another port on the switch. I rely on the switch and vlans
> software to distinguish secure and public network.
> Are you doing something like this or do you have all the
> connections to the switch going to the internal network.
> john

Hello,

I understand what you want to do, but my english isn't very fluent. I hope you will understand the following.

We have no connection to the switch going to the public network.
However we have a gateway where one port on the gateway goes to a port on the switch and another one on the gateway to a port on the same switch. Both ports on the switch are on two Vlans. No packet can cross the switch between these two ports by the switch. Packets can only be routed by the gateway. Two Vlans on this switch are "physically separated". Our two Vlans may be our public network and one of our internal networks.

BobK is right. We preferred to buy another piece of equipment for our public network.

Thanks a lot for your reply, you're the first professional contact I have using mail.

Gaetan
--
Gaetan J. BLENET
O.R TELEMATIQUE
7, chemin de Sens, 37210 ROCHECORBON, FRANCE
e-mail: gblenet@ort.fr
+33 47.62.63.66 / +33 47.62.62.62

From firewalls-owner Thu May 2 12:26:46 1996
From: sauroth@prodigy.com (MR ELDON B JENKINS)
Date: Thu, 02 May 1996 15:05:55 EDT
To: firewalls@greatcircle.com
Subject: Re: war/demon dialers

> lines and whatever...I know that there is the *xx commands to disable
> callerID. When people do use these wardialers, you can bet that they use
> the callerID disabler.
> I don't know how well it works in all areas but in
> my local area it completely hides who I am.

I know that *69 works in my area for that...An even easier way though is to call the phone co and tell them that you want a caller ID block put on your line. This will do the same as pushing *69 before every call except that you don't have to press it at all, the block is always on. People can do a last call return with *67 but they don't get your number anyway. Just don't answer when they call back.

Eldon Jenkins

From firewalls-owner Thu May 2 12:41:45 1996
From: les@zeuros.co.uk
Date: Thu, 02 May 1996 18:48:04 GMT
To: firewalls@greatcircle.com, abays@cellnet.co.uk, kfullbro@cellnet.co.uk
Newsgroups: comp.security.firewalls,comp.infosystems.www.announce,uk.announce,comp.security.announce
Organization: The Rotherwick Firewall Resource
Reply-To: les@zeuros.co.uk
Subject: FIREWALLS/WWW: The Rotherwick Firewall Resource

Announcing the Rotherwick Firewall Resource - BETA
http://www.zeuros.co.uk/firewall

The resource is designed to give a common index point to information on Internet and Intranet firewalls. We have listings of Firewall Products and Vendors as well as many links to other security and firewall related sites.
Not a new idea, I know, however we want to make the resource a permanent feature of the firewall scene, hence we'll be making very regular updates and changes as the community demands. Our aim is to be as comprehensive as is possible, however we can't do it alone, hence the beta period. We need assistance from the Internet community in order to provide a better service to the community. There are already a couple of hundred links on the site, however we know that this is only a fraction of the information out there. If you want to contribute a link or a paper or are a vendor or consultant please drop me a mail at les@zeuros.co.uk. We're also looking for documents and authors who are looking for a place on the Internet to place their firewally documents or want to provide a place for people outside the USA to come and look at the documents. If any security library sites are looking for a UK or european mirror site, then we'd like to hear from them too! The resource isn't trying to be another Yahoo! We're going to focus exclusively on Internet Security and try to make the information more useful and assessible to people interested in security. One thing which we are doing from scratch is to build up a _new_ index of consultants and services companies (specialising in firewalls) which will be geographically indexed. I would encourage consultancies to come and get their names on the list, there is no charge and hopefully it will give customers a better route to finding local consultants than the current trial and error method! I hope many of you will come and visit us, the whole thing is free and maybe we can help some folks! Thanks ...Les... +-----------------------------------------------+ | Les Carleton Firewalling Consultant / "The Software Lifeguard" | These are my views ... not my employer's / les@tracker.demon.co.uk | / +-------------------------------------------+ "Open Standards ... Free Software ... Live Free or Fry!" 
From firewalls-owner Thu May 2 13:56:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22448 for firewalls-outgoing; Thu, 2 May 1996 13:46:06 -0700 (PDT)
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA22442 for ; Thu, 2 May 1996 13:46:01 -0700 (PDT)
Received: from argus.intel.com by hermes.intel.com (8.7.4/10.0i); Thu, 2 May 1996 13:43:42 -0700
Received: by argus.intel.com (8.7.4/10.0i); Thu, 2 May 1996 13:43:41 -0700
From: sedayao@argus.intel.com (Jeffrey C. Sedayao)
Message-Id: <199605022043.NAA06123@argus.intel.com>
Subject: Re: Switched Ethernet and Vlans with a Firewall
To: jsmith@bnlls1.nsls.bnl.gov (John D. Smith)
Date: Thu, 2 May 96 13:43:40 PDT
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199605020136.AA267601015@ls7354.nsls.bnl.gov.nsls.bnl.gov> from "John D. Smith" at May 1, 96 09:36:54 pm
X-Mailer: ELM [version 2.4dev PL66]
MIME-Version: 1.0
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> A standard configuration for a firewall is to have two
> ethernets, one connected to the public network and one to the
> secure net.
> We are considering upgrading our internal network. It
> has been suggested that we should use switched technology and
> Vlans. With Vlans there would be no physical separation of the
> public and secure networks. The separation is done by the
> vlan software in the switches.
> The switch manufacturers think that this technology
> should be used and it would save money in our situation.
> We can buy one larger switch for our wiring closets rather
> than separate switches for the secure and public networks.
> I hesitate to trust the switch configuration completely
> especially since someone will have to login to the switch
> to change configurations.
> What is the thinking with regard to the use
> of vlans and switches to separate networks. Is anyone
> doing it.

Yes. I was forced into doing this (not really my choice) and it seems to be working okay (so far, at the moment, etc.). Some caveats that come to mind:

1. Be careful about allowing access to the switch. The switch I have been working with is configured by telnetting in, and certainly you don't want the whole Internet doing that. You certainly don't want everyone doing SNMP requests or uploading configurations via TFTP. Once you have enable access on the switch, you can set up holes and routing through various ports and wreak some real havoc.

2. Don't put everything on one switch. It can be tempting, but you don't want it to be a single point of failure/bottleneck. Get more than one, and spread segments across them.

> john
> jsmith@bnl.gov

--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Thu May 2 14:57:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA26782 for firewalls-outgoing; Thu, 2 May 1996 14:46:49 -0700 (PDT)
Received: from carshp.carsinfo.com (carshp.carsinfo.com [192.148.241.111]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA26776 for ; Thu, 2 May 1996 14:46:44 -0700 (PDT)
Received: by carshp.carsinfo.com (1.38.193.5/16.2) id AA08881; Thu, 2 May 1996 17:40:32 -0400
Date: Thu, 2 May 1996 17:40:29 -0400 (EDT)
From: Richard Reno
Subject: Re: Linux Internet Server & firewall
To: Joseph Seanor
Cc: firewalls@GreatCircle.COM
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Joseph asked for info on firewalls but his subject line also included info on internet servers. I just picked up a new book entitled Building a Linux Internet Server from New Riders which only has a small section on firewalls but has a lot on internet server services. It appears to be written for a beginner.
Richard

From firewalls-owner Thu May 2 15:17:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA27431 for firewalls-outgoing; Thu, 2 May 1996 15:03:24 -0700 (PDT)
Received: from mdi.meridian-data.com (mdi.meridian-data.com [204.94.131.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA27423 for ; Thu, 2 May 1996 15:03:20 -0700 (PDT)
Received: from smtpgate.meridian-data.com (smtpgate.meridian-data.com [204.94.132.12]) by mdi.meridian-data.com (8.6.11/8.6.9) with SMTP id OAA19860 for ; Thu, 2 May 1996 14:49:55 -0700
Received: from ccMail by smtpgate.meridian-data.com (SMTPLINK V2.10.08) id AA831074419; Thu, 02 May 96 14:58:51 PST
Date: Thu, 02 May 96 14:58:51 PST
From: "Eric Wedel"
Message-Id: <9604028310.AA831074419@smtpgate.meridian-data.com>
To: firewalls@greatcircle.com
Subject: snews: through SSL proxy?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi.. we're using the TIS FWTK with Jean-Christophe Touvet's nice SSL proxy. All works fine for https, but not for snews. Instead, Netscape (2.01 gold) returns the following "error" in a message box:

A News (NNTP) error occurred: secnews.netscape.com InterNetNews NNRP server Netscape 1.2 PR.030496 ready (posting ok).

Of course, this doesn't look too much like an error. :-) But, the browser thinks it is and gives up.

No one on the FWTK list knows about this.. does anybody here? In particular, is snews known to work through *any* SSL proxies?

thanks in advance,

Eric Wedel

From firewalls-owner Thu May 2 15:31:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA26680 for firewalls-outgoing; Thu, 2 May 1996 14:43:39 -0700 (PDT)
Received: from wichita.fn.net (wichita.fn.net [204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA26673 for ; Thu, 2 May 1996 14:43:33 -0700 (PDT)
Received: (from brucem@localhost) by wichita.fn.net (8.7.4/8.6.9) id QAA22788; Thu, 2 May 1996 16:41:23 -0500 (CDT)
Date: Thu, 2 May 1996 16:41:22 -0500 (CDT)
From: "Bruce M."
To: firewalls@GreatCircle.COM
Subject: Re: war/demon dialers
In-Reply-To: <960502004723_104847690@emout16.mail.aol.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 May 1996 OoICE9oO@aol.com wrote:

> actually, thatz not completely true...it is true that you can block your
> number from all business and fax machine lines by using *76 (at least thatz
> what it iz in my area on my service). There is however a problem...800 and
> 900 calls are still able to log the caller ID number whether you have blocking
> on or not.

800 and 900 numbers have what is called ANI (Automatic Number Identification) which you are correct in saying cannot be easily blocked. All CID Blocking (your *76) does is tell the switch not to transmit the CID information to the customer. They can still use Call Return and several other methods of either refusing your call or calling you back.
Bruce Marshall

From firewalls-owner Thu May 2 15:56:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA01110 for firewalls-outgoing; Thu, 2 May 1996 15:54:15 -0700 (PDT)
Received: from fciencias.ens.uabc.mx (fciencias.ens.uabc.mx [148.231.191.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA01081 for ; Thu, 2 May 1996 15:54:07 -0700 (PDT)
Received: (from llanero@localhost) by fciencias.ens.uabc.mx (8.6.12/8.6.12) id PAA09389; Thu, 2 May 1996 15:47:22 GMT
Date: Thu, 2 May 1996 15:47:20 +0000 ()
From: Urivan Alyasid Saaib
To: Bob Konigsberg
cc: Firewalls@GreatCircle.COM, elton@msmail.hkg.ingr.com
Subject: Re: disaster plan for WAN/LAN
In-Reply-To: <9605021618.AA09494@manzanita.DEV.3Com.COM.noname>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there you all again..

My Anonymous FTP server has been visited by people that upload and download Software Piracy (you know, distribution of stolen software, and whatever...). I already erased this data from the FTP site, and I changed all the attributes and owners of the site...

Do you know a software or a different way to protect my machine against these guys??...

Urivan Alyasid Flores Saaib
Facultad de Ciencias, U. A. B. C.
Ensenada, Baja California, Mexico.
E-mail addresses: uflores@bahia.ens.uabc.mx, fcs00922@faro.ens.uabc.mx, llanero@fciencias.ens.uabc.mx, guess@cicese.mx, uflores@orca.ens.cetys.mx, usaaib@envirolink.org, root@fciencias.ens.uabc.mx
http://fciencias.ens.uabc.mx/~llanero
http://www.cicese.mx/~guess

From firewalls-owner Thu May 2 16:14:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA00385 for firewalls-outgoing; Thu, 2 May 1996 15:46:27 -0700 (PDT)
Received: from gaia.internex.net (gaia.internex.net [198.67.38.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA00268 for ; Thu, 2 May 1996 15:46:04 -0700 (PDT)
Received: from hidata.com by gaia.internex.net (8.6.9/InterNex-SM8.6.9) id PAA11601; Thu, 2 May 1996 15:43:43 -0700
Received: by hidata.com (SMI-8.6/SMI-SVR4) id PAA13019; Thu, 2 May 1996 15:43:42 -0700
Received: from osc(205.158.62.10) by hds-gw via smap (V1.3) id sma013017; Thu May 2 15:43:34 1996
Received: from enterprise by osc.hidata.com (SMI-8.6/SMI-SVR4) id PAA07699; Thu, 2 May 1996 15:43:33 -0700
Date: Thu, 2 May 1996 15:43:33 -0700
Message-Id: <199605022243.PAA07699@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: Switched Ethernet and Vlans with a Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A similar config is to use Cisco's 'policy routing', where the Firewall can reside by itself on one segment, and potentially traffic from all questionable ports is routed to the firewall's IP address. (IOS > 10.0(7)?).

I believe Livingston(?) also recommends the below configuration so that only one router is needed for a firewall config:

    Internet----Router----Internal_net
                  |
               Firewall

Of course you can combine vlan routing/switching with standard DMZ configurations.
Bill Stout

At 12:04 PM 5/2/96 -0400, you wrote:
>
>A site that I'm working on is implementing switching (Cisco Catalyst 5000
>switches) and is planning on using VLANs to separate departments. We're
>using multiple 10T collision domains for user segments within each
>department, and dedicated 100T for server connections. As Cisco doesn't
>have a layer 3 support on the Catalyst as of yet (3rd quarter, Paul ??),
>we're using a router to get between VLANs as a short term solution. When
>the switch can pass traffic between VLANs, the router will stay in place to
>pass traffic from the internal VLANs to the firewall. The firewall has a
>second ethernet connection which goes to the screening router ("bastion"
>segment), which in turn connects to the big bad internet (tm).
>
>I don't see any reason why you can't implement something similar. Are you
>using something like the DEC Gigaswitch (which has layer 3 support) to
>implement VLANS and also provide connection to the outside via shared FDDI
>or something, rather than connecting to the outside via a point-to-point
>circuit?
>
>There are plenty of ethernet-to-ethernet speed firewalls out there, if
>the "untrusted" net is local.
>
>----------------------------------------
>Rabid Wombat
>wombat@mcfeely.bsfs.org
>----------------------------------------
>
>
>On Wed, 1 May 1996, John D. Smith wrote:
>
>>
>> A standard configuration for a firewall is to have two
>> ethernets, one connected to the public network and one to the
>> secure net.
>> We are considering upgrading our internal network. It
>> has been suggested that we should use switched technology and
>> Vlans. With Vlans there would be no physical separation of the
>> public and secure networks. The separation is done by the
>> vlan software in the switches.
>> The switch manufacturers think that this technology
>> should be used and it would save money in our situation.
>> We can buy one larger switch for our wiring closets rather
>> than separate switches for the secure and public networks.
>> I hesitate to trust the switch configuration completely
>> especially since someone will have to login to the switch
>> to change configurations.
>>
>> What is the thinking with regard to the use
>> of vlans and switches to separate networks. Is anyone
>> doing it.
>>
>> john
>> jsmith@bnl.gov
>>
>>
>
>

From firewalls-owner Thu May 2 16:41:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA04673 for firewalls-outgoing; Thu, 2 May 1996 16:30:50 -0700 (PDT)
Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA04646 for ; Thu, 2 May 1996 16:30:42 -0700 (PDT)
Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA25462 (5.65c/IDA-1.4.4-910725 for ); Thu, 2 May 1996 16:28:25 -0700
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA09697; Thu, 2 May 96 16:28:00 PDT
Date: Thu, 2 May 96 16:28:00 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9605022328.AA09697@manzanita.DEV.3Com.COM.noname>
To: bobk@manzanita.DEV.3Com.COM, llanero@fciencias.ens.uabc.mx
Subject: Re: disaster plan for WAN/LAN
Cc: Firewalls@GreatCircle.COM, elton@msmail.hkg.ingr.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Security on an FTP server is best organized the following way: (Assuming a Unix, anonymous FTP server)

You set up two directories; incoming, and outgoing

Inside addresses (your people) have rx permission on the incoming directory.

Inside addresses have wx or rwx permission on the outgoing directory.

Outside (others) addresses have rx permission on the outgoing directory

Outside (others) addresses have wx permission on the incoming directory.
This way, outsiders can drop off files in the incoming directory, but they can't see what is there. Likewise they can pick up files from the outgoing directory, but they can't see what is there either. They have to know the name in advance.

Good luck,

BobK

From firewalls-owner Thu May 2 16:46:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA02764 for firewalls-outgoing; Thu, 2 May 1996 16:10:00 -0700 (PDT)
Received: from garrison.com. ([199.1.78.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA02731 for ; Thu, 2 May 1996 16:09:51 -0700 (PDT)
Received: by garrison.com. (4.1/Nutered Mailer) id AA02037; Thu, 2 May 96 18:03:57 CDT
Date: Thu, 2 May 96 18:03:57 CDT
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9605022303.AA02037@garrison.com.>
To: firewalls@greatcircle.com
Subject: Re: lmbench [Was: Re: Most popular firewall implementation?] (fwd);Comments?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From lm@neteng.engr.sgi.com Thu May 2 17:58:51 1996
> To: fisher@sgi.com
> From: lm@gate1-neteng.engr.sgi.com (Larry McVoy)
> Cc: jeromie@garrison.com, todd@momentum.com.au, me@tartufo.muc.ditec.de
> Subject: Re: lmbench [Was: Re: Most popular firewall implementation?] (fwd);Comments?
> Date: Thu, 02 May 1996 15:11:22 -0700
> Sender: lm@neteng.engr.sgi.com
> Content-Length: 4253
>
> : Jeromie Jackson wrote:
> : > I would refer you to the 'lmbench' that was done by an SGI engineer.
> : >http://reality.sgi.com/employees/lm_engr
> : >
> : > The benchmarks are based on IO throughput. It shows quite clearly that
> : >the 'larger scale' computers do not necessarily provide a benefit.
> : >The larger the boxes the poorer they looked in the benchmarks for things such
> : >as simple system call timings, process creation times, pipe latency, TCP
> : >latency, TCP connect latency.
> : >
> : > Also, in relation to cost, it's obviously much more cost-effective to
> : >upgrade a PC based platform in comparison to other machines.
> :
> : one concern regarding lmbench as a networking benchmark,
> : lmbench uses only one host; the server and the client are
> : different processes on the same host.
> :
> : the data never "hits the wire", but rather passes from the
> : client to the kernel to the server. the networking code
> : (device drivers and the network adapter) is not tested.
>
> Hi folks,
> lmbench is cool but it has some problems that you should be aware
> of - these "problems" are by design, not by mistake, BTW.
>
> ----------
>
> The I/O throughput comment is only sort of correct. lmbench will
> measure how fast your VM/file system can _re_read a file, i.e., the
> file is already in the cache. This was intentional, because this is a
> software & hardware problem that is tuneable by vendors. I don't measure
> disk performance because it can vary widely and consequently the results
> don't tell you much.
>
> You can, and I & others do, use a tool included in lmbench to measure
> disk & file system sequential and/or random performance. Check out
> lmdd, it works like
>
>     lmdd if=linux-1.3.94.tar.gz bs=1m move=4m
>     4.00 MB in 2.18 secs, 1882.16 KB/sec
>
> full syntax, including random & async i/o is documented in the man page.
> It's modeled on dd.
>
> ----------
>
> I/O throughput in general is not measured by lmbench. Different systems
> have dramatically different I/O capabilities, and benchmarking those is
> problematic. I was measuring the set of operations that go into an
> I/O (or some other task); it is up to you to extrapolate.
>
> Furthermore, lmbench presents sort of "guaranteed to be obtainable by an
> idiot" numbers. I used only -O, I disallowed any other optimizations, I
> used the most common & portable interfaces I could find (and disallowed
> optimizations - for example, you must use the socket interface, not
> STREAMS - not that that would be an optimization :-), etc.
>
> On SGI hardware, at least, we can do dramatically more I/O than lmbench
> shows. SGI Challenge XLs can do up to 500MB/sec file system I/O by
> using an SGI extension to the open(2) interface. Given that that
> interface is not portable, I don't measure it in lmbench - that's by
> design.
>
> The point is that the numbers you see in lmbench are trivially
> reproducible. In many cases, you can do better. You'll never do worse
> unless you are actively trying to do so. This is upside down thinking
> compared to Spec. Those numbers are maybe reproducible on a clear
> day with a tailwind, but you have to wade through zillions of compiler
> options, install special libraries, etc., etc. In other words, those
> numbers are complete and utter bullshit - nobody gets them in real life.
> On the other hand, if lmbench says it takes 500 usecs to send a message
> via TCP to another process, then your application should - and typically
> will - be able to get exactly those numbers with no tweaking on your part.
>
> ----------
>
> The large box comment: larger boxes tend to be SMPs, and have lotso
> locking scattered throughout the kernel. Since lmbench is measuring
> uniprocessor performance, the SMPs will of course look worse, they are
> being used in a uniprocessor fashion but are carrying all the SMP baggage.
> This was also by design, I don't like SMP machines with fine grain
> locking and more than 2-4 CPUs. You pay too much and gain too little.
>
>
> ----------
>
> The data on the wire comment: if you run lmbench, it asks you if you want to
> do remote tests. It's all set up, people either aren't doing it or aren't
> sending me results. I'm going to be putting a new release out in the
> next month or so, I'll emphasize the desire for this. But if you want
> to know the numbers, you can get 'em.
>
> Later,
>
> --lm
>

From firewalls-owner Thu May 2 18:26:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA13273 for firewalls-outgoing; Thu, 2 May 1996 18:23:42 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA13265 for ; Thu, 2 May 1996 18:23:34 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id VAA09333; Thu, 2 May 1996 21:15:39 -0400
Date: Thu, 2 May 1996 21:15:36 -0400 (EDT)
From: Rabid Wombat
To: Bob Konigsberg
cc: bobk@manzanita.DEV.3Com.COM, llanero@fciencias.ens.uabc.mx, Firewalls@GreatCircle.COM, elton@msmail.hkg.ingr.com
Subject: Re: disaster plan for WAN/LAN
In-Reply-To: <9605022328.AA09697@manzanita.DEV.3Com.COM.noname>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Inside addresses (your people) have rx permission on the incoming directory.
>
> Inside addresses have wx or rwx permission on the outgoing directory.
>
> Outside (others) addresses have rx permission on the outgoing directory
>
> Outside (others) addresses have wx permission on the incoming directory.
>
> This way, outsiders can drop off files in the incoming directory, but they
> can't see what is there. Likewise they can pick up files from the outgoing
> directory, but they can't see what is there either. They have to know the
> name in advance.
>
> Good luck,
>
> BobK
>
>

This also keeps outsiders from using your server for storage, since outsiders can't drop off and pick up from the same place. It is VERY important to do this, unless you want to become an unwitting WAREZ and/or porn distributor.

- r.w.
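BobK's incoming/outgoing layout and r.w.'s point about shared read+write space, as an added example that is not from either post: a POSIX shell script that builds the two directories under a given FTP root and a check that flags any directory outsiders could both write to and read from. The root path is a placeholder; owner and group are taken to be the "inside" users and everyone else (including the account the anonymous FTP daemon runs as) the "outside" users, and ownership changes are left to the admin. Outsiders get execute-only on outgoing, which is what "they have to know the name in advance" requires; with read permission as well they could list it.

```shell
#!/bin/sh
# Added example, not from the list posts. Builds BobK's incoming/outgoing
# layout under the anonymous FTP root given as $1 (placeholder path).
# Assumed mapping: directory owner/group = "inside" users; everyone else,
# including the account the anonymous FTP daemon runs as, = "outside".
# chown/chgrp to the real FTP-admin account need root and are left out.

setup_ftp_dropbox() {
    root="$1"
    mkdir -p "$root/incoming" "$root/outgoing"

    # incoming: owner rwx, group r-x (insiders can list and fetch what
    # arrived), others -wx (outsiders can create a file by name but cannot
    # list the directory). The sticky bit stops one uploader from deleting
    # or renaming another uploader's file.
    chmod 1753 "$root/incoming"

    # outgoing: owner and group rwx (insiders drop files off), others --x
    # only, so outsiders can fetch a file whose name they already know but
    # cannot list the directory. Use 0775 instead if listing is acceptable.
    chmod 0771 "$root/outgoing"
}

# Prints the symbolic mode (e.g. drwxr-x-wt) of a directory via ls, which
# is portable where stat's option syntax is not.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Lists directories under $1 that are both readable and writable by
# "other". Such a directory lets anonymous users drop files and list or
# fetch them again, i.e. use the server as free storage (r.w.'s scenario).
world_rw_dirs() {
    find "$1" -type d -perm -006
}

# Returns 0 when the tree is clean, 1 when any world read+write dir exists.
check_ftp_tree() {
    [ -z "$(world_rw_dirs "$1")" ]
}

# Stand-alone use: ./ftp_dropbox.sh /path/to/ftp/root (placeholder path).
if [ -n "$1" ]; then
    setup_ftp_dropbox "$1"
    dir_mode "$1/incoming"
    dir_mode "$1/outgoing"
    check_ftp_tree "$1" && echo "no world read+write directories under $1"
fi
```

The FTP daemon's own settings (upload umask, chroot, whether uploads are allowed at all) apply on top of these directory modes, so check them as well.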
From firewalls-owner Thu May 2 18:41:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA13335 for firewalls-outgoing; Thu, 2 May 1996 18:25:46 -0700 (PDT)
Received: from aurora.cdev.com (aurorax.cdev.com [160.207.114.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA13323 for ; Thu, 2 May 1996 18:25:41 -0700 (PDT)
Message-Id: <199605030125.SAA13323@miles.greatcircle.com>
Received: from cdicisco11.cdev.com by aurora.cdev.com id SMTP-0013189607a011645; Thu, 2 May 96 20:25:15 -0500
X-Sender: djs3wn39@aurora.cdev.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 May 1996 17:07:24 -0700
To: firewalls@GreatCircle.com
From: Donald.J.Smith@cdev.com (Donald J Smith)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer believes chris kostick said:
>
>>From the underwhelming response I received (thanks Darren) on the
>topic of firewall management, I can conclude that no one really
>gives a flying rat's butt.

I missed the earlier posting but, IMHO the problem is that most gatekeepers have gotten to be, or are required to be, paranoid. If you have a scheme for remote management (over lan) or really remote management (over wan) it is probably one of the most sensitive facts about your firewalls.

Also when you say management what do you mean. (Full reconfig over the WAN would be one extreme) (not being able to read any status information over a lan would probably be the other extreme.) Ok the real other extreme is what I use the most. Console only admin requiring physical access controls to get to the console is implied.

>That said, I still have concerns about it. Maybe not today, maybe not
>tomorrow, but someday soon I think others will have concerns too.
>Managing multiple firewalls, especially from different vendors, is going
>to hit someone's to do list and hopefully they'll have enough clout
>and money to have something done about it.

Yes like develop a method that covers their specific problem. The only way this gets done on a grand scale is if we demand it now from products. Having said that I got to add that IMHO a firewall is not a product. It should be an implementation that balances costs of added security vs value of the data being protected. It usually includes filtering routers, and/or bastion hosts/dhgs and if you offer any services then a dmz.

>Unfortunately for me, I fall
>into neither the 'enough clout' nor 'enough money' categories.
>
>- --
>Chris
>CSC
>

Donald J Smith
Network Security Engineer @ Computing Devices International
design in security @ the beginning & ease_of_use != A*(1/Data_Security)
(my opinions are mine and so are the spelling errors ;-)

From firewalls-owner Thu May 2 18:57:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA14735 for firewalls-outgoing; Thu, 2 May 1996 18:51:46 -0700 (PDT)
Received: from bnn.com (centurina.231.127.203.in-addr.arpa [203.127.231.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA14720 for ; Thu, 2 May 1996 18:51:40 -0700 (PDT)
Received: from hobbits.brel.com (hobbits [203.127.231.61]) by bnn.com (8.6.12/8.6.12) with SMTP id JAA13615 for ; Fri, 3 May 1996 09:49:04 +0800
Date: Fri, 3 May 96 09:36:39 GMT
From: HangDog
Subject: RE: Firewalls-Digest V5 #285
To: Firewalls@GreatCircle.COM
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon NFS95_44, TCP/IP for Windows, NetManage Inc.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>From: John Mizzi
>X-To: calvinng
>Date: Wed, 1 May 1996 07:41:54 -0700 (PDT)
>Subject: Re: Getting started with firewall.
>
>Moore, Mark writes
>>
>> Does anyone know what documentation I can purchase so that I can
>> better understand firewall technology ??
>>
>
>May I suggest
>Building Internet Firewalls by Brent Chapman and Elizabeth Zwicky
>ISBN 1-56592-124-0
>
>Firewalls and Internet Security by William Cheswick and Steve Bellovin
>ISBN 0-201-63357-4
>

Just curious, would attending a seminar like Network Security '96 (by CSI) help too?? What are the experiences people have with such seminars???

Calvin Ng
email:

From firewalls-owner Thu May 2 22:56:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24093 for firewalls-outgoing; Thu, 2 May 1996 22:50:21 -0700 (PDT)
Received: from mhaaf.inhouse.compuserve.com (mhaaf.inhouse.compuserve.com [149.174.64.79]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA24087 for ; Thu, 2 May 1996 22:50:16 -0700 (PDT)
Received: from notes2.compuserve.com ([149.174.221.56]) by mhaaf.inhouse.compuserve.com (8.6.9/8.6.12) with SMTP id CAA28140.; Fri, 3 May 1996 02:24:22 -0400
Received: by notes2.compuserve.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.0) id AA7435; Fri, 03 May 96 01:42:55 -0400
Message-Id: <9605030542.AA7435@notes2.compuserve.com>
Received: by External Gateway (Lotus Notes Mail Gateway for SMTP V1.1) id 33EB2F0BAACF00004125631F001EB96A; Fri, 3 May 96 01:42:54
To: urivan alyasid saaib
Cc: firewalls , elton
From: "marc.vael"
Date: 3 May 96 6:39:38
Subject: Re: disaster plan for WAN/LAN
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote,

> My Anonymous FTP server has been visited for people that upload
>and download Software Piracy (you know , distribution of stolen
>software, and whatever...), I already erase this data from the FTP
>site, and i change all the atributes and owners of the site...
>
> Do you know a software or a diferent way to protect my machine
>against this guys ??...

You might consider using Dr. Solomon's AUDIT TOOL (pretty new on the market), which verifies the software installed on your server against a predefined list. This can prevent the unauthorized uploads of Software Piracy.

Marc (also reachable via marc.vael@ping.be)

From firewalls-owner Thu May 2 23:56:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA28020 for firewalls-outgoing; Thu, 2 May 1996 23:42:22 -0700 (PDT)
Received: from emh.ramstein.af.mil (emh.ramstein.af.mil [132.25.130.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA27757 for ; Thu, 2 May 1996 23:41:09 -0700 (PDT)
Received: from ingate.ramstein.af.mil by emh.ramstein.af.mil with SMTP (1.37.109.16/16.2) id AA016005429; Fri, 3 May 1996 08:37:09 +0200
Received: by ingate.ramstein.af.mil with Microsoft Mail id <318A2841@ingate.ramstein.af.mil>; Fri, 03 May 96 08:37:37 PDT
From: Crocker Sean SrA 786CS/SCNBN
To: "'Firewalls@GreatCircle.COM'"
Subject: TACACS+ info
Date: Fri, 03 May 96 08:32:00 PDT
Message-Id: <318A2841@ingate.ramstein.af.mil>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello!

I'm new on this list, so if this has been asked before, my apologies.

We're looking into using tac_plus for some level of dial-up security. Anyone have some good sources of information for TACACS+?

Is there anything, free or commercial, that enhances it or eases routine administration (adding user accounts, permission or denial of services)? Otherwise, I was going to whip up something in Perl for our helpdesk folks.

Any news of TACACS+ on an NT box? Is there a better forum for this stuff?

Please, reply to my e-mail address unless you think that it's pertinent to this forum.

Thanx in advance!
Sean Crocker crockers@86aw4.ramstein.af.mil

From firewalls-owner Fri May 3 01:26:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA01702 for firewalls-outgoing; Fri, 3 May 1996 00:59:05 -0700 (PDT) Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA01688 for ; Fri, 3 May 1996 00:58:59 -0700 (PDT) Received: from butthead.SmallWorks.COM by hosaka.smallworks.com (5.x/SMI-SVR4) id AA16187; Fri, 3 May 1996 02:56:47 -0500 Received: by butthead.SmallWorks.COM (4.1/SPARCbook_POP1.3) id AA05911; Fri, 3 May 96 02:53:38 CDT Date: Fri, 3 May 96 02:53:38 CDT Message-Id: <9605030753.AA05911@butthead.SmallWorks.COM> From: Jim Thompson To: crockers@86aw4.ramstein.af.mil Cc: Firewalls@GreatCircle.COM In-Reply-To: <318A2841@ingate.ramstein.af.mil> (message from Crocker Sean SrA 786CS/SCNBN on Fri, 03 May 96 08:32:00 PDT) Subject: Re: TACACS+ info Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Hello!
>
> I'm new on this list, so if this has been asked before, my apologies.

It was discussed a couple months back. You might check the archives.

> We're looking into using tac_plus for some level of dial-up security.
> Anyone have some good sources of information for TACACS+?

Well, the engineers at Smallworks authored Cisco's 'supported' T+ server, 'CiscoSecure'. http://www.cisco.com/warp/public/728/Secure/index.html. We're also quite active in the firewall community. You could just ask us.

Other than that, from the TACACS+ 3.1 'PD' server 'user_guide':

There are two mailing lists which may be of interest to users of Tacacs+. The first is a mailing list run by spot.Colorado.EDU which discusses many things pertaining to Cisco products. It is not run by Cisco Systems, Inc. and is not part of Cisco's formal service request channels; however, many knowledgeable people, including staff members of Cisco Systems, Inc., voluntarily read and respond on the list. Requests to be added to or deleted from the list at spot.Colorado.EDU, along with other administrative issues concerning it, can be sent to: cisco-request@spot.Colorado.EDU

There is also a relatively new list called TACPLUS-L, run by disaster.com, created for the purpose of information exchange between TACACS+ Users. It is intended as a supplement to the list at spot.Colorado.EDU, aiding TACACS+ users and prospective users in many issues including but not limited to technical support, bug reports and workarounds, configuration information, recommendations for future versions of TACACS+, and general talk about TACACS+ development, implementation, administration, etc. Please note that neither of these lists is in fact connected with Cisco Systems, Inc. or any of its subsidiaries. Standard etiquette rules apply.

To subscribe to the TACPLUS-L list, send a message to tacplus-l-request@disaster.com. In the body of the letter, enter SUBSCRIBE TACPLUS-L your Name to be automatically added.

> Is there anything, free or commercial, that enhances it or eases routine
> administration (adding user accounts, permission or denial of services).

CiscoSecure comes with a GUI. It's been rumored that the folks at disaster.com have an HTML 'gui' interface to the PD server's config files. Also, the 'Universal Networks' server (see below) is supposed to come with a GUI.

> Any news of TACACS+ on an NT box?

Universal Networks of Hong Kong claim to sell a server for NT. See http://www.hkstar.com/~unet. I've not tried it.

> Is there a better forum for this stuff?

See above.

--
Music for the mind, pizza for the body
Jim Thompson / Smallworks, Inc. / jim@smallworks.com
512 338 0619 phone / 512 338 0625 fax
The Internet is Microsoft's Vietnam...
From firewalls-owner Fri May 3 04:41:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA10824 for firewalls-outgoing; Fri, 3 May 1996 04:36:36 -0700 (PDT) Received: from carnival.com (NS.CARNIVAL.COM [151.124.250.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA10818 for ; Fri, 3 May 1996 04:36:31 -0700 (PDT) Received: from carnival-pdc.carnival.com by carnival.com (5.65/1.35) id AA08770; Fri, 3 May 96 07:36:01 -0400 Received: from fiji ([151.124.5.236]) by carnival-pdc.carnival.com (Netscape Mail Server v1.1) with SMTP id AAA97 for ; Fri, 3 May 1996 07:45:44 -0400 Message-Id: <3189F0EB.5B54@carnival.com> Date: Fri, 03 May 1996 07:41:31 -0400 From: bowman@carnival.com (Bowman N. Hall) X-Mailer: Mozilla 3.0b3 (WinNT; I) Mime-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #288 References: <199605030800.BAA01889@miles.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> From: Crocker Sean SrA 786CS/SCNBN
> Date: Fri, 03 May 96 08:32:00 PDT
> Subject: TACACS+ info
>
> Hello!
>
> I'm new on this list, so if this has been asked before, my apologies.
> We're looking into using tac_plus for some level of dial-up security.
> Anyone have some good sources of information for TACACS+?

Security Dynamics Corporation. They're in the Boston Area.

> Is there anything, free or commercial, that enhances it or eases routine
> administration (adding user accounts, permission or denial of services).

Sure. They've got a decent Motif GUI.

> Otherwise, I was going to whip up something in Perl for our helpdesk
> folks.
> Any news of TACACS+ on an NT box? Is there a better forum for this
> stuff?

They have an NT RAS Server tacacs+ module I understand.

> Please, reply to my e-mail address unless you think that it's pertinent
> to this forum.
>

I think it is.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bowman Hall   Systems Analyst   bowman@carnival.com   Carnival Cruise Lines
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri May 3 05:26:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA12632 for firewalls-outgoing; Fri, 3 May 1996 05:14:42 -0700 (PDT) Received: from netcom23.netcom.com (netcom23.netcom.com [192.100.81.137]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA12626 for ; Fri, 3 May 1996 05:14:37 -0700 (PDT) Received: (from madmax@localhost) by netcom23.netcom.com (8.6.13/Netcom) id FAA19409; Fri, 3 May 1996 05:12:28 -0700 Date: Fri, 3 May 1996 05:12:27 -0700 (PDT) From: HeatWave Subject: singoff To: firewalls-digest@greatcircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

signoff firewalls madmax@netcom.com

From firewalls-owner Fri May 3 05:56:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA14277 for firewalls-outgoing; Fri, 3 May 1996 05:45:20 -0700 (PDT) Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA14270 for ; Fri, 3 May 1996 05:45:14 -0700 (PDT) Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id IAA18499 for ; Fri, 3 May 1996 08:42:48 -0401 Received: by shlep.sware.com (5.65/2.0) from localhost id AA01353; Fri, 3 May 96 08:40:45 -0400 Message-Id: <9605031240.AA01353@shlep.sware.com> From: Renee Landers X-Mailer: SecureMail [2.3.2] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: disabling IP forwarding on HP-UX To: firewalls@GreatCircle.COM Date: Fri, 03 May 96 08:40:44 EDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Has anyone ever tried to disable ip forwarding on HP-UX 10.0x? I need to do that, and I've tried modifying vmunix using adb, rebuilding the kernel with IP_FORWARDING undefined -- no luck. Also, I couldn't find any mention of it in the documentation -- but that doesn't mean it's not there, just not indexed or in a likely place.

Any ideas? What about on HP-UX 9.0x?

Thanks
Renee
rlanders@sware.com

From firewalls-owner Fri May 3 06:11:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA14189 for firewalls-outgoing; Fri, 3 May 1996 05:44:24 -0700 (PDT) Received: from kpgwy.kpscal.org (kpgwy.kpscal.org [167.117.0.140]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA14183 for ; Fri, 3 May 1996 05:44:19 -0700 (PDT) Received: from mailhub.kp.org ([206.18.242.135]) by kpgwy.kpscal.org (8.6.9/8.6.9) with SMTP id FAA20694 for ; Fri, 3 May 1996 05:43:01 -0700 X400-Received: by /c=us/admd=/prmd=kp/; converted ( IA5-Text); Relayed; 03 May 1996 05:40:53 -0700 X400-Received: by mta KPMTA in /c=us/admd=/prmd=kp/; converted ( IA5-Text); Relayed; 03 May 1996 05:40:53 -0700 X400-MTS-Identifier: [/c=us/admd=/prmd=kp/; 318A0D5B.CCC8.0123.000] Content-Identifier: 04E103189FED5004 Content-Return: Allowed X400-Content-Type: P2-1988 ( 22 ) Conversion: Allowed Original-Encoded-Information-Types: IA5-Text Disclose-Recipients: Prohibited Alternate-Recipient: Allowed X400-Originator: Mark.Moore@kp.org X400-Recipients: non-disclosure; Message-Id: <"318A0D5B.CCC8.0123.000*/c=us/admd= /prmd=kp/o=ga/ou=gwise/s=Moore/g=Mark/"@MHS> Expiry-Date: 18 May 1996 00:00: Z Date: 03 May 1996 05:40:53 -0700 From: "Moore, Mark" To: firewalls@GreatCircle.COM (Return requested) (Receipt notification requested) (Reply requested) Subject: AIX Solution MIME-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone know of any good firewall technology for AIX-based solutions ??
Regards,
Mark

From firewalls-owner Fri May 3 06:59:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA18463 for firewalls-outgoing; Fri, 3 May 1996 06:47:59 -0700 (PDT) Received: from wrginet.corp.wrgrace.com (wrgrace.com [199.98.198.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA18445 for ; Fri, 3 May 1996 06:47:53 -0700 (PDT) From: Juan.Gomez-Sanchez@corp.wrgrace.com Received: (from mail@localhost) by wrginet.corp.wrgrace.com (8.6.12/8.6.9) id JAA14926 for ; Fri, 3 May 1996 09:42:00 -0400 Received: from s1boca.corp.wrgrace.com(159.97.11.20) by wrginet.corp.wrgrace.com via smap (V1.3) id sma014924; Fri May 3 09:41:57 1996 Received: from by s1boca.corp.wrgrace.com with SMTP (1.37.109.4/16.2) id AA14104; Fri, 3 May 96 09:44:53 -0400 X-Openmail-Hops: 1 Date: Fri, 3 May 96 09:44:13 -0400 Message-Id: <906719E1@MHS> Subject: Second Firewall implementation To: firewalls@greatcircle.com Cc: Les.Pickersgill/OU=MIS/OU=BocaRaton@s1boca.corp.wrgrace.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi there,

I am basically new here and my apologies if this issue has been discussed here before. Here is the situation:

We are a large corporation with a robust and reliable world-wide backbone network. We have established a firewall that has been running satisfactorily for some time, providing internal users access to the Internet (Web, FTP, Telnet, etc.). Now, another division of the corporation (which is already connected to the network backbone) has expressed interest in implementing its own firewall rather than using the one already implemented. I have to make a case to my management as to why this is not a good thing.
Taking into consideration that some of the disadvantages of implementing a second firewall are a perfect example of duplication of efforts, bad resource allocation, and lack of communication between the divisions (just to name a few), I would be more interested in knowing what the real security implications are. It is obvious (to me) that guarding two doors is more difficult than guarding just one, but I am looking for a little more specific information and / or references.

Thanks in advance for your input,

Juan Gomez-Sanchez
Global Internet Coordinator
Global Electronic Messaging (GEM) Team
W. R. Grace & Co. - Corporate Headquarters

PS - Currently there are no bandwidth or performance issues with the original firewall; therefore this is not the reason why a second firewall is needed.

From firewalls-owner Fri May 3 07:15:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19180 for firewalls-outgoing; Fri, 3 May 1996 07:04:32 -0700 (PDT) Received: from reachit.com ([199.126.187.102]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19171 for ; Fri, 3 May 1996 07:04:25 -0700 (PDT) Received: Smail 3.1.29.1 running on reachit.com - router: match_mx_hosts - transport: smtp) Message size: 1887 Mesage-ID: m0uFLOB-000zN0C Processed at: Fri, 3 May 96 09:59 EDT Date: Fri, 3 May 1996 09:59:18 -0400 (EDT) From: N D Ghaznavi To: Firewalls@GreatCircle.COM Subject: Re: Switched Ethernet and Vlans with a Firewall In-Reply-To: <199605022043.NAA06123@argus.intel.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 2 May 1996, Jeffrey C. Sedayao wrote:

> > We are considering upgrading our internal network. It
> > has been suggested that we should use switched technology and
> > Vlans. With Vlans there would be no physical separation of the
> > public and secure networks. The separation is done by the
> > vlan software in the switches.

We're also in the process of upgrading our network topology. My understanding of `Intelligent Ethernet Switches' is that they `remember' what machine is on which segment (they keep track of MAC addresses). So there is *no* configuration. Essentially the switch is used to reduce network traffic, not as a `security box'.

Can anyone comment on this? Specifically: Switch type, and level of configurability.

> 1. Be careful about allowing access to the switch. The switch I have
> been working with is configured by telnetting in, and certainly you
> don't want the whole Internet doing that. You certainly don't want
> everyone doing SNMP requests or uploading configurations via TFTP. Once
> you have enable access on the switch, you can set up holes and routing
> through various ports and wreak some real havoc.

What kind of a switch was it? Can it do packet filtering?

Cheers,
Nadim

--N D Ghaznavi-----------------------------------------------------------
Unix System Administrator ndg@CADlink.com
--CADlink.com--------Reachit.com--------Ghaznavi.com--------Apparel.org--

From firewalls-owner Fri May 3 07:26:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19603 for firewalls-outgoing; Fri, 3 May 1996 07:15:34 -0700 (PDT) Received: from iez.com (mail.iez.com [194.218.38.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19597 for ; Fri, 3 May 1996 07:15:27 -0700 (PDT) Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA08237; Fri, 3 May 1996 15:58:22 +0200 Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) id sma011558; Fri May 3 15:54:59 1996 Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) id AA11603; Fri, 3 May 1996 15:49:59 +0200 Message-Id: <9605031349.AA11603@spibm02> Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA12631; Fri, 3 May 96 15:49:58 +0200 Received: by inhps-a (1.38.193.3/16.2) id AA24111;
Fri, 3 May 96 15:49:57 +0200 From: Rolf Weber Subject: Re: disabling IP forwarding on HP-UX To: rlanders@sware.com (Renee Landers) Date: Fri, 3 May 1996 15:49:57 +0200 (MESZ) Cc: firewalls@greatcircle.com (firewalls) In-Reply-To: <9605031240.AA01353@shlep.sware.com> from "Renee Landers" at May 3, 96 08:40:44 am X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Has anyone ever tried to disable ip forwarding on HP-UX 10.0x? I need to do
> that, and I've tried modifying vmunix using adb, rebuilding the kernel with
> IP_FORWARDING undefined -- no luck. Also, I couldn't find any mention of it
> in the documentation -- but that doesn't mean it's not there, just not indexed
> or in a likely place.
>
> Any ideas? What about on HP-UX 9.0x?
>

i called the HP hotline for this, they told me to do:

    $ adb -w /hp-ux /dev/kmem
    > ipforwarding?/ W 0        <-- kernel
    > ipforwarding/ W 0         <-- memory
    > ^D

but then we chose to take AIX as firewall OS. later, i tried it just for fun, but it didn't work. please let me know if you get it to work, i don't need it anymore, but i'm still interested.

rolf
--
-----------------------------------------
Rolf Weber                  | All I ask is a chance
IEZ AG D-64625 Bensheim     | to prove that money
++49-6251-1309-113          | can't make me happy.
From firewalls-owner Fri May 3 07:41:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19042 for firewalls-outgoing; Fri, 3 May 1996 07:00:13 -0700 (PDT) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA18976 for ; Fri, 3 May 1996 07:00:02 -0700 (PDT) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.4/8.6.4) with ESMTP id IAA17011 for ; Fri, 3 May 1996 08:57:33 -0500 (CDT) From: Doug Hughes Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id IAA10083; Fri, 3 May 1996 08:57:31 -0500 Date: Fri, 3 May 1996 08:57:31 -0500 Subject: Re: disaster plan for WAN/LAN To: Firewalls@GreatCircle.COM Message-Id: In-Reply-To: <9605022328.AA09697@manzanita.DEV.3Com.COM.noname> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Security on an FTP server is best organized the following way:
> (Assuming a Unix, anonymous FTP server)
>
> You set up two directories; incoming, and outgoing
>
> Inside addresses (your people) have rx permission on the incoming directory.
> Inside addresses have wx or rwx permission on the outgoing directory.
> Outside (others) addresses have rx permission on the outgoing directory
> Outside (others) addresses have wx permission on the incoming directory.
>
> This way, outsiders can drop off files in the incoming directory, but they
> can't see what is there. Likewise they can pick up files from the outgoing
> directory, but they can't see what is there either. They have to know the
> name in advance.

Sad as it seems, this won't stop warez pirates from using your site as a staging area for copyright infringement. We use the ftpd that is part of logdaemon for this portion. It actually changes the permissions on the file after putting it so that user ftp/anonymous does not have permission to 'get' the files after a put. It works handily, and includes S/Key one time passwords as an added bonus. Another fine tool by Wietse Venema.

[ This message has been posted to firewalls. Replies to this message should be directed to the firewalls list. Please do not Cc me on replies to the list]

--
____________________________________________________________________________
Doug Hughes                                   Engineering Network Services
System/Net Admin                              Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Fri May 3 07:56:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA22214 for firewalls-outgoing; Fri, 3 May 1996 07:50:28 -0700 (PDT) Received: from jaring.my (jaring.my [192.228.128.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA22208 for ; Fri, 3 May 1996 07:50:20 -0700 (PDT) Received: from extol.extol.my (j4.ptl5.jaring.my [161.142.1.20]) by jaring.my (8.7.5/8.7.1) with SMTP id WAA14300; Fri, 3 May 1996 22:47:47 +0800 (MYT) Message-ID: <318A2C17.3EFB@pc.jaring.my> Date: Fri, 03 May 1996 22:53:59 +0700 From: peng-chiew low X-Mailer: Mozilla 2.01 (Win95; I) MIME-Version: 1.0 To: "Moore, Mark" CC: firewalls@GreatCircle.COM Subject: Re: AIX Solution References: <"318A0D5B.CCC8.0123.000*/c=us/admd= /prmd=kp/o=ga/ou=gwise/s=Moore/g=Mark/"@MHS> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Moore, Mark wrote:
>
> Does anyone know of any good firewall technology for AIX base
> solutions ??

1. NetSP from IBM
2. NetWall from Bull

Hope that helps.
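The incoming/outgoing drop-box scheme quoted in Doug Hughes's message above, together with the gap he points out and the logdaemon-style fix, as an added shell example. This is not code from the list or from logdaemon: it models the directory owner as the FTP administrator, the group as the "inside" users and the "other" class as the anonymous ftp user, works entirely in a scratch directory, and involves no real ftpd.

```shell
#!/bin/sh
# Added example (not from the list): build the incoming/outgoing drop box,
# show that a world-readable upload can be fetched by anyone who knows its
# name, and apply the post-upload permission change that closes that gap.
# Assumptions: owner = FTP admin, group = insiders, other = anonymous ftp.

# mode_of PATH: the ten-character type/permission string for PATH
# (cut to 10 so ACL or label markers some systems append are ignored).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# setup_dropbox ROOT: create the two directories with the quoted scheme.
#   incoming  insiders r-x, anonymous -wx  -> can drop off, cannot list
#   outgoing  insiders rwx, anonymous r-x  -> can pick up, cannot write
setup_dropbox() {
    mkdir -p "$1/incoming" "$1/outgoing"
    chmod 0753 "$1/incoming"
    chmod 0775 "$1/outgoing"
}

# other_can_read FILE: true when the "other" class (anonymous) may read it.
other_can_read() {
    case "$(mode_of "$1")" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# simulate_upload FILE: what a plain ftpd leaves behind after a "put"
# under the usual umask 022 -- a world-readable file.
simulate_upload() {
    : > "$1"
    chmod 0644 "$1"
}

# quarantine_upload FILE: the logdaemon-style step, applied right after the
# put, so the anonymous user can no longer "get" the file by name.
quarantine_upload() {
    chmod 0600 "$1"
}

# demo: walk through the scheme in a scratch directory and report each check.
demo() {
    root=$(mktemp -d)
    setup_dropbox "$root"
    echo "incoming: $(mode_of "$root/incoming")"
    echo "outgoing: $(mode_of "$root/outgoing")"
    simulate_upload "$root/incoming/dropped.tar"
    if other_can_read "$root/incoming/dropped.tar"; then
        echo "after put: anyone who knows the name can fetch it (the staging problem)"
    fi
    quarantine_upload "$root/incoming/dropped.tar"
    if ! other_can_read "$root/incoming/dropped.tar"; then
        echo "after quarantine: anonymous can no longer read it"
    fi
    rm -rf "$root"
}
```

Run `demo` to see the two permission strings and the before/after check. The point the demo makes is the one Doug makes: the directory modes only hide the listing, so the file itself must lose its other-read bit (or change owner) immediately after the upload, which is what a server has to do for you, because the uploader controls the name.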
From firewalls-owner Fri May 3 08:13:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA22275 for firewalls-outgoing; Fri, 3 May 1996 07:51:35 -0700 (PDT) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA22250; Fri, 3 May 1996 07:51:27 -0700 (PDT) Message-Id: <199605031451.HAA22250@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA240754954; Fri, 3 May 1996 10:49:14 -0400 Date: Fri, 3 May 1996 10:49:14 -0400 From: gary flynn To: Firewalls@GreatCircle.COM, firewalls-owner@GreatCircle.COM Subject: Re: Switched Ethernet and Vlans with a Firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> From: N D Ghaznavi
> On Thu, 2 May 1996, Jeffrey C. Sedayao wrote:
>
> > > We are considering upgrading our internal network. It
> > > has been suggested that we should use switched technology and
> > > Vlans. With Vlans there would be no physical separation of the
> > > public and secure networks. The separation is done by the
> > > vlan software in the switches.
>
> We're also in the process of upgrading our network topology. My
> understanding of `Intelligent Ethernet Switches' is that they `remember'
> what machine is on which segment (keeps track of the MAC) addresses. So
> there is *no* configuration. Essentially the switch is used to reduce
> network traffic, not as a `security box'.

Ethernet switches are multiport bridges. Some have features to group ports or IP addresses into "VLANS". With the newness and constantly changing status of VLAN technology, I wouldn't rely on it for security purposes.

> Can anyone comment on this? Specifically: Switch type, and level of
> configurability.
>
> > 1. Be careful about allowing access to the switch. The switch I have
> > been working with is configured by telnetting in, and certainly you
> > don't want the whole Internet doing that. You certainly don't want
> > everyone doing SNMP requests or uploading configurations via TFTP. Once
> > you have enable access on the switch, you can set up holes and routing
> > through various ports and wreak some real havoc.
>
> What kind of a switch was it? Can it do packet filtering?

The switches that I am familiar with can only do MAC layer filtering or blocking of entire protocol suites. I believe Alantec makes switches with routing capabilities that may also be able to filter layer three protocol ports.

From firewalls-owner Fri May 3 09:11:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28923 for firewalls-outgoing; Fri, 3 May 1996 09:06:22 -0700 (PDT) Received: from sky.net (solar.sky.net [198.70.175.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA28902 for ; Fri, 3 May 1996 09:06:17 -0700 (PDT) Received: (from shellyn@localhost) by sky.net (8.7.3/8.7.3) id LAA07981 for Firewalls@GreatCircle.COM; Fri, 3 May 1996 11:04:02 -0500 (CDT) From: Shelly Nuessle Message-Id: <199605031604.LAA07981@sky.net> Subject: "Re-dialers" To: Firewalls@GreatCircle.COM Date: Fri, 3 May 1996 11:04:02 -0500 (CDT) In-Reply-To: <199605022316.QAA03323@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at May 2, 96 04:16:34 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are looking for a product that could run on our firewall and, as initiated by a specific incident, send a text/numeric page to someone or fire off email to our help desk, etc... any suggestions are appreciated.
Shelly

From firewalls-owner Fri May 3 09:31:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29630 for firewalls-outgoing; Fri, 3 May 1996 09:21:32 -0700 (PDT) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA29620 for ; Fri, 3 May 1996 09:21:20 -0700 (PDT) Received: from beach.sctc.com (daemon@localhost) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA25510; Fri, 3 May 1996 11:19:45 -0500 (CDT) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.2/8.7.2) with ESMTP id LAA25506; Fri, 3 May 1996 11:19:45 -0500 (CDT) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.1/8.6.10) with SMTP id LAA25987; Fri, 3 May 1996 11:20:22 -0500 (CDT) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id LAA00913; Fri, 3 May 1996 11:20:23 -0500 Date: Fri, 3 May 1996 11:20:23 -0500 From: Rick Smith Message-Id: <199605031620.LAA00913@shade.sctc.com> To: Juan.Gomez-Sanchez@corp.wrgrace.com Cc: smith@sctc.com, firewalls@greatcircle.com Subject: Re: Second Firewall implementation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Juan.Gomez-Sanchez@corp.wrgrace.com asks:

>... We have established a firewall that
>has been running satisfactorily for some time, providing Internal
>users access to the Internet (Web, FTP, Telnet, etc.). Now, another
>division of the corporation (which is already connected to the
>network backbone) has demonstrated the interest on implementing
>it's own firewall rather than using the one already implemented.
>I have to make a case to my management as to why this is not a
>good thing. Taking into consideration that some of the disadvantages
>of implementing a second firewall are a perfect example of duplication
>of efforts, bad resource allocation, and lack of communication between
>the divisions (just to name a few), I would be more interested in
>knowing what the real security implications are. It is obvious (to me) that
>guarding two doors is more difficult than guarding just one, but I am
>looking for a little more specific information and / or references.

First, we need to figure out what the other organization's objectives are, and here are some possibilities:

1) The separate organization is concerned about performance, service access reliability, and so on, and wants direct control over their own firewall in order to ensure reliable service. Furthermore, there is an explicit corporate wide policy regarding Internet access, your existing firewall implements it correctly, and the new firewall is going to implement exactly the same security controls.

This is a strong argument in their favor -- if they plan to follow corporate security policies, they can pay for it and they need the control for legitimate business objectives, then you can't unilaterally prevent them. However, it *will* cost more to guarantee that they implement exactly the same protections you do. The right way to do that is to install a twin of the "main" corporate firewall. That makes it easier to ensure that identical protections are applied by both. Corporations typically want to enforce a consistent Internet access policy so that the internal net is subjected to a uniform threat level. If they *must* have their own firewall, make it easy to ensure that they do it consistently.

2) The separate organization needs different, more permissive, access protections. If so, you may need to install an internal firewall in case their more permissive access admits an attack that you'd like to block.

3) The separate organization needs different, less permissive, access protections. If so, they may need to install an internal firewall to protect themselves from attacks your site failed to block.

Both 2) and 3) require a close look to decide if it's in the corporation's interest to have different access protections on a division wide basis. If this is really necessary, the other division should probably identify what set of their users really, really need special access (or special protection) re the Internet, and give them a separately firewalled network.

Rick.
smith@sctc.com   secure computing corporation

From firewalls-owner Fri May 3 09:41:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01180 for firewalls-outgoing; Fri, 3 May 1996 09:39:43 -0700 (PDT) Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01156 for ; Fri, 3 May 1996 09:39:36 -0700 (PDT) Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA15124 (5.65c/IDA-1.4.4-910725 for ); Fri, 3 May 1996 09:36:50 -0700 Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA09895; Fri, 3 May 96 09:36:24 PDT Date: Fri, 3 May 96 09:36:24 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9605031636.AA09895@manzanita.DEV.3Com.COM.noname> To: firewalls@greatcircle.com, Juan.Gomez-Sanchez@corp.wrgrace.com Subject: Re: Second Firewall implementation Cc: Les.Pickersgill/OU=MIS/OU=BocaRaton@s1boca.corp.wrgrace.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Two issues come to mind with more than one Internet connection.

1) If there is a WAN between the two sites (as opposed to being on the same campus), then you are loading the WAN with Internet traffic, and that, particularly web stuff, can put a strain on your core business operations.
2) If you are NOT doing proxy connections or Address translation (or anything else that hides the actual origin IP address), AND you have the same class B or class C address, then you run the risk of doing asynchronous routing through the Internet, which is not a good idea.

For sites with their own network, and the support staff to deal with it, assuming that items 1 and 2 don't present a problem to you, then I'd actually recommend separate connections, but with control and logging for the firewall to come back to your central location.

Hope that helps,
BobK

From firewalls-owner Fri May 3 09:56:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29754 for firewalls-outgoing; Fri, 3 May 1996 09:23:05 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA29748 for ; Fri, 3 May 1996 09:22:56 -0700 (PDT) Received: from explorer2.clark.net (explorer2.clark.net [168.143.0.5]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id MAA20761; Fri, 3 May 1996 12:20:47 -0400 (EDT) Received: from localhost (proberts@localhost) by explorer2.clark.net (8.7.1/8.7.1) with SMTP id MAA29251; Fri, 3 May 1996 12:20:46 -0400 (EDT) X-Authentication-Warning: explorer2.clark.net: proberts owned process doing -bs Date: Fri, 3 May 1996 12:20:46 -0400 (EDT) From: "Paul D. Robertson" X-Sender: proberts@explorer2 To: Juan.Gomez-Sanchez@corp.wrgrace.com cc: firewalls@GreatCircle.COM, Les.Pickersgill/OU=MIS/OU=BocaRaton@s1boca.corp.wrgrace.com Subject: Re: Second Firewall implementation In-Reply-To: <906719E1@MHS> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 3 May 1996 Juan.Gomez-Sanchez@corp.wrgrace.com wrote:

[snip]

> I have to make a case to my management as to why this is not a
> good thing.
> Taking into consideration that some of the disadvantages
> of implementing a second firewall are a perfect example of duplication
> of efforts, bad resource allocation, and lack of communication between
> the divisions (just to name a few), I would be more interested in
> knowing what the real security implications are. It is obvious (to me) that
> guarding two doors is more difficult than guarding just one, but I am
> looking for a little more specific information and / or references.
>

So long as you don't have to rely on their network for any trust issues, you shouldn't feel the need to not let them do what they want. If you have to rely on them for unfirewalled traffic, be it SNA, IPX, or IP, then you will be open to attack from their network if it is mismanaged, or if they allow something that fits their security model, but not yours.

In general, I'd rather firewall *all* my business units separately, and let them make their own security decisions about what goes into and out of their network. Once they see how much work it is, or someone points out the gaping holes, they generally don't want to do it. If they are going to manage their own network, then my zone of trust ends at their boundary, and if they want to pass *any* traffic to my core network, then it is treated as if it came from the Internet, and requires packet filters, proxies, case-by-case analysis, etc.

The alternative is that they find someone else to manage the core network, as I wouldn't be put in that position without a letter from *very* upper management that holds me harmless for their problems, and that kind of letter tends not to get written. Draft up enough lawyer bait for them to sign for exposing the network, and they will think *very* hard about it; otherwise, treat them as an untrusted segment, like a business partner.

Most of these folks tend to want to do things like RealAudio without understanding why I don't just let UDP in unhindered.
They also tend to make these decisions based on management "guidance", not security policy. This is a good time to ensure that you have proceduralized how you accept protocols, applications, etc. for inclusion into your gateways, and make sure that they understand the work and formal procedures that must be followed, and also that you, or some central authority, have to sign off on changes, have audit ability, etc.

Hope this helps,
Paul.

> Thanks in advance for your input,
>
> Juan Gomez-Sanchez
> Global Internet Coordinator
> Global Electronic Messaging (GEM) Team
> W. R. Grace & Co. - Corporate Headquarters
>
> PS - Currently there are no band-width or performance issues with the
> the original firewall, therefore this not the reason why a second firewall
> is needed.
>
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Fri May 3 10:12:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA02901 for firewalls-outgoing; Fri, 3 May 1996 10:03:40 -0700 (PDT) Received: from pozarica.pr.uv.mx (pozarica.pr.uv.mx [148.226.210.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA02841 for ; Fri, 3 May 1996 10:03:18 -0700 (PDT) Received: by pozarica.pr.uv.mx (5.0/SMI-SVR4) id AA09341; Fri, 3 May 1996 12:05:31 +0600 Date: Fri, 3 May 1996 12:05:31 +0600 From: higueron@pozarica.pr.uv.mx (Ing. Marco A. Higueron Hernandez) Message-Id: <9605031805.AA09341@pozarica.pr.uv.mx > Content-Type: text Apparently-To: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi friends

Does anybody know how many Mbytes of RAM and Hard disk I need for setting up a firewall ?
We want to install Firewall-1 from Checkpoint Tech., we have 600 users in our private network (nodes) and we want to use the address translation to have Internet access. We decided to buy a hardware platform with 128 Mb of RAM and 4 Gb in hard disk. Is it enough, or do we need more? I've seen the specifications for Firewall-1 but I haven't found what is the maximum number of users with those specifications.

Sorry for giving you just a few details, and thanks in advance.

From firewalls-owner Fri May 3 10:26:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA04420 for firewalls-outgoing; Fri, 3 May 1996 10:18:56 -0700 (PDT)
Received: from buttercup.cybernex.net (buttercup.cybernex.net [204.141.116.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA04411 for ; Fri, 3 May 1996 10:18:51 -0700 (PDT)
Received: from cnj1-144.cybernex.net (cnj1-144.cybernex.net [204.141.117.144]) by buttercup.cybernex.net (8.6.13/8.6.12) with SMTP id NAA17078 for ; Fri, 3 May 1996 13:17:12 -0400
Received: by cnj1-144.cybernex.net with Microsoft Mail id <01BB38F2.55EF2E40@cnj1-144.cybernex.net>; Fri, 3 May 1996 13:13:35 -0400
Message-ID: <01BB38F2.55EF2E40@cnj1-144.cybernex.net>
From: Gopakumar Chirukandath
To: "'Firewall Discussion Group'"
Subject: Firewall Setup
Date: Fri, 3 May 1996 13:13:34 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are setting up an Internet Server and an Intranet server. These are Windows NT Based. Could someone suggest a good firewall product. We have about 50 users on the LAN.
gopa@bc.cybernex.net
Gopakumar Chirukandath

From firewalls-owner Fri May 3 10:34:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03366 for firewalls-outgoing; Fri, 3 May 1996 10:07:56 -0700 (PDT)
Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA03350 for ; Fri, 3 May 1996 10:07:47 -0700 (PDT)
Received: (from steve@localhost) by ford.gbnet.org (8.7.1/8.6.12) id SAA22380; Fri, 3 May 1996 18:05:48 +0100 (BST)
From: Steve Kennedy
Message-Id: <199605031705.SAA22380@ford.gbnet.org>
Subject: Re: "Re-dialers"
To: shellyn@sky.net (Shelly Nuessle)
Date: Fri, 3 May 1996 18:05:48 +0100 (BST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199605031604.LAA07981@sky.net> from "Shelly Nuessle" at May 3, 96 11:04:02 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Shelly Nuessle
> WE are looking for a product that could run on our firewall and, as
> initiated by a specific incident, send a text/numeric page to someone or
> fire off email to our help desk, etc...
> any suggestions are appreciated.

Have a look at sendpage; this talks TAP/IXO/PET (the protocol used by most paging companies to send pages via modem). It's available from ftp://ftp.net.ohio-state.edu/pub/paging also mirrored at ftp://ftp.gbnet.net/pub/paging/ (UK)

Sendpage runs as a daemon, is relatively easy to integrate into sendmail, Remedy ARS and can be called directly.
Steve

--
home steve@gbnet.org  * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net  * tel +44-(0)171 483 1169  FAX +44-(0)181 444 6103
www http://www.gbnet.net/  * bits steve@gbnet.net  * Orange mobile +44-(0)973 600050
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Fri May 3 10:56:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA04625 for firewalls-outgoing; Fri, 3 May 1996 10:21:10 -0700 (PDT)
Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA04597 for ; Fri, 3 May 1996 10:21:02 -0700 (PDT)
Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA16554 (5.65c/IDA-1.4.4-910725 for ); Fri, 3 May 1996 10:18:51 -0700
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA09925; Fri, 3 May 96 10:18:26 PDT
Date: Fri, 3 May 96 10:18:26 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9605031718.AA09925@manzanita.DEV.3Com.COM.noname>
To: shellyn@sky.net, firewalls@greatcircle.com
Subject: Re: "Re-dialers"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Firewall-1 (and possibly others) can trigger SNMP traps as a result of the violation of particular rules. We then have our HP OpenView machine do all the actual paging, since we can then exercise more precise control of who gets paged, for what, and when.
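The "Re-dialers" thread asks for something that watches the firewall for a specific incident and then pages someone or mails the help desk. The replies point at a log watcher (sendpage, SNMP traps into a management station); the block below is an added example of the core of such a tool, not code from sendpage, Firewall-1, OpenView or any product in the thread. It matches syslog-style lines against a small rule set, routes hits to a "page" or "mail" channel by severity, and throttles repeats per (rule, source) so a port sweep produces one page rather than one per packet. The log format, the rules and the log lines are constructed for illustration; the notifier is a stub that only collects what a real one would hand to the pager or mailer.

```python
"""
Minimal swatch-style log watcher with per-source throttling.
Added example; the log format, rules and sample lines are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed sample firewall log (hypothetical syslog-like format).
SAMPLE_LOG = """\
May  3 13:12:01 fw kernel: DENY tcp 203.0.113.5:4411 -> 192.0.2.10:23
May  3 13:12:02 fw kernel: DENY tcp 203.0.113.5:4412 -> 192.0.2.10:23
May  3 13:12:02 fw kernel: DENY tcp 203.0.113.5:4413 -> 192.0.2.10:23
May  3 13:12:05 fw login: ROOT LOGIN REFUSED FROM 203.0.113.5
May  3 13:12:09 fw kernel: ACCEPT tcp 198.51.100.7:2200 -> 192.0.2.20:25
May  3 13:15:30 fw kernel: DENY tcp 203.0.113.5:4420 -> 192.0.2.10:23
"""

# A rule is (name, pattern with an optional <src> group, channel).
Rule = Tuple[str, re.Pattern, str]
RULES: List[Rule] = [
    ("root-login", re.compile(r"ROOT LOGIN REFUSED FROM (?P<src>\S+)"), "page"),
    ("telnet-deny", re.compile(r"DENY tcp (?P<src>[\d.]+):\d+ -> [\d.]+:23\b"), "mail"),
]

TS_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d)")


def parse_ts(line: str, year: int = 1996) -> datetime:
    """Parse the syslog timestamp; syslog omits the year, so it is supplied."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no timestamp: {line!r}")
    return datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}",
                             "%b %d %Y %H:%M:%S")


class Throttle:
    """Suppress repeat alerts for the same (rule, source) inside a window."""

    def __init__(self, window: timedelta):
        self.window = window
        self.last_sent: Dict[Tuple[str, str], datetime] = {}

    def allow(self, key: Tuple[str, str], when: datetime) -> bool:
        prev = self.last_sent.get(key)
        if prev is not None and when - prev < self.window:
            return False
        self.last_sent[key] = when
        return True


def watch(log_text: str, rules: List[Rule],
          notify: Callable[[str, str], None],
          window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str, str]]:
    """Scan lines; for each unsuppressed rule hit call notify(channel, message)
    and return the list of (rule, source, channel) that were delivered."""
    throttle = Throttle(window)
    delivered = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when = parse_ts(line)
        for name, pattern, channel in rules:
            m = pattern.search(line)
            if not m:
                continue
            src = m.groupdict().get("src", "-")
            if throttle.allow((name, src), when):
                notify(channel, f"{name}: {line.strip()}")
                delivered.append((name, src, channel))
    return delivered


def demo() -> List[Tuple[str, str, str]]:
    """Run the watcher over the constructed log with a collecting notifier."""
    deliveries = []

    def collect(channel: str, message: str) -> None:
        # A real notifier would call the pager daemon or mail(1) here.
        deliveries.append((channel, message))

    return watch(SAMPLE_LOG, RULES, collect)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On the sample log this delivers three notifications: one mail for the first telnet deny, one page for the refused root login, and a second mail for the deny at 13:15:30, which falls outside the two-minute window; the two denies in between are suppressed. Keying the throttle on source rather than on rule alone keeps a second attacker from being hidden behind the first.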
BobK

From firewalls-owner Fri May 3 10:57:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA05226 for firewalls-outgoing; Fri, 3 May 1996 10:25:08 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA05128 for ; Fri, 3 May 1996 10:24:52 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id KAA28571; Fri, 3 May 1996 10:17:09 -0700
Received: from athens.bitwise.net(204.97.222.2) by mycroft via smap (V1.3mjr) id sma028569; Fri May 3 10:16:48 1996
Received: from berlin.bitwise.net by athens.bitwise.net (AIX 3.2/UCB 5.64/4.03j) id AA20810; Fri, 3 May 1996 13:23:49 -0400
Message-Id: <9605031723.AA20810@athens.bitwise.net>
X-Sender: admin@bitwise.net
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 03 May 1996 13:23:52 -0400
To: "Moore, Mark"
From: admin@bitwise.net (Bitwise Internet Technologies)
Subject: Re: AIX Solution
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>peng-chiew low wrote:
>
>Moore, Mark wrote:
>>
>> Does anyone know of any good firewall technology for AIX base
>> solutions ??
>
>1. NetSP from IBM
>2. NetWall from Bull
>3. PORTUS from LSLI
>
>Hope that helps.
>
=====================================================================
Bitwise Internet Technologies, Inc.
email: support@bitwise.net
22 Drydock Avenue          tel: (617) 261-4700
Boston, MA 02210           fax: (617) 261-7788
=====================================================================

From firewalls-owner Fri May 3 11:11:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08695 for firewalls-outgoing; Fri, 3 May 1996 10:54:06 -0700 (PDT)
Received: from fredin.co.frederick.md.us ([199.248.201.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08538 for ; Fri, 3 May 1996 10:53:01 -0700 (PDT)
Received: from xl1.co.frederick.md.us by fredin.co.frederick.md.us with SMTP (1.38.193.4/16.2) id AA11566; Fri, 3 May 1996 13:47:00 -0400
Received: from XL1.CO.FREDERICK.MD.US by XL1.CO.FREDERICK.MD.US with HPDesk-FSC id 00220H; Fri, 3 May 1996 13:47:45 -0500
Message-Id: <00220H@XL1.CO.FREDERICK.MD.US>
X-Mailer: DeskLink [Version B.03 95/12/18]
Mime-Version: 1.0
Date: 3 May 96 13:47 +0500
To: firewalls@greatcircle.com, shellyn@sky.net
Subject: "Re-dialers"
X-Hpdesk-Ack: 17568255 0 0 5 "
X-Hpdesk-Priority: 3
X-Hpdesk-System: 13
From: Alan_AMBERS@CO.FREDERICK.MD.US (Alan AMBERS)
X-Hpdesk-To: "INTERNET"@[firewalls@greatcircle.com], "SHELLY-NUESSLE"@[shellyn@sky.net]
Content-Type: text/plain; Name="/HPOFFICE/NETMAIL/C2449665.txt"
Content-Disposition: inline; Filename="/HPOFFICE/NETMAIL/C2449665.txt"
X-Hpdesk-Subject: Message text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Raptor's Eagle product supports this feature. I have not used it, but it is documented.

/alan
alan_ambers@co.frederick.md.us
Frederick County Government

> From: Shelly Nuessle
> To: Firewalls@GreatCircle.COM
> Sender: firewalls-owner@GreatCircle.COM
>
> WE are looking for a product that could run on our firewall and, as
> initiated by a specific incident, send a text/numeric page to someone or
> fire off email to our help desk, etc...
>
> any suggestions are appreciated.
>
> Shelly
>

From firewalls-owner Fri May 3 11:32:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA11655 for firewalls-outgoing; Fri, 3 May 1996 11:18:48 -0700 (PDT)
Received: from leo.uacj.mx ([148.210.20.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA11647 for ; Fri, 3 May 1996 11:18:43 -0700 (PDT)
Received: from [148.210.29.51] by leo.uacj.mx (AIX 3.2/UCB 5.64/4.03) id AA15055; Fri, 3 May 1996 13:17:34 -0500
Date: Fri, 3 May 1996 13:17:34 -0500
Message-Id: <9605031817.AA15055@leo.uacj.mx>
X-Sender: rgonzale@leo.uacj.mx
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: "Ing. Rosa Isela Gonzalez Alvarez."
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Could somebody tell me what's the difference between bootp and dhcp server?

Thanks in advance, any responses are appreciated.

Ing. Rosa Isela Gonzalez Alvarez
Universidad Autonoma de Ciudad Juarez
Av. Adolfo Lopez Mateos # 20
C.P. 32310
Tel. 11-08-86
e-mail address rgonzale@uacj.mx

From firewalls-owner Fri May 3 11:47:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12439 for firewalls-outgoing; Fri, 3 May 1996 11:25:42 -0700 (PDT)
Received: from justice.usdoj.gov (justice.usdoj.gov [149.101.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA12425 for ; Fri, 3 May 1996 11:25:37 -0700 (PDT)
Received: by justice.usdoj.gov id aa17656; 3 May 96 14:07 EDT
From:
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #289
X-Mailer: SCO Portfolio 2.0
Date: Fri, 3 May 1996 14:03:09 -0400 (EDT)
Message-ID: <9605031403.aa16958@justice.usdoj.gov>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for a list of all the Internet Service Providers world-wide. Can anyone point me in the right direction?

Thanks in advance,

Mary L.
Casey, Program Analyst
Information Management & Security Staff
Information Resources Management
Justice Management Division
U.S. Dept of Justice

From firewalls-owner Fri May 3 12:02:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA14827 for firewalls-outgoing; Fri, 3 May 1996 11:44:48 -0700 (PDT)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA14801 for ; Fri, 3 May 1996 11:44:38 -0700 (PDT)
Received: by gauntlet-1.trusted.com; id OAA02286; Fri, 3 May 1996 14:54:32 -0400
Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1) id xma002273; Fri, 3 May 96 14:54:02 -0400
Received: from metro.trusted.com by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA25532; Fri, 3 May 96 14:43:43 -0400
Message-Id: <318A5325.42877E5C@trusted.com>
Date: Fri, 03 May 1996 14:40:37 -0400
From: John J McMahon
Organization: Trusted Information Systems - Rockville, MD
X-Mailer: Mozilla 2.01 (X11; I; BSD/OS 2.0 i386)
Mime-Version: 1.0
To: Eric Wedel
Cc: firewalls@greatcircle.com
Subject: Re: snews: through SSL proxy?
References: <22502.6304.1996May02@tis.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Of course, this doesn't look too much like an error. :-)
> But, the browser thinks it is and gives up.
>
> No one on the FWTK list knows about this.. does anybody here?
> In particular, is snews known to work through *any* SSL proxies?

Try installing an inside-to-outside plug-gw on port 563. That should work.
--
John "FuzzFace" McMahon
Gauntlet Internet Firewall Technical Support
Trusted Information Systems - Rockville, MD USA (39 05 02 N 77 09 11 W)
Support: gauntlet-support@trusted.com, 301-527-9555, 301-527-0482 (fax)

From firewalls-owner Fri May 3 12:09:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA10838 for firewalls-outgoing; Fri, 3 May 1996 11:09:56 -0700 (PDT)
Received: from chaos.ngdc.noaa.gov (chaos.ngdc.noaa.gov.148.149.192.in-addr.arpa [192.149.148.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA10818 for ; Fri, 3 May 1996 11:09:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by chaos.ngdc.noaa.gov (8.6.12/8.6.12) with SMTP id KAA05261; Fri, 3 May 1996 10:58:41 -0600
Message-Id: <199605031658.KAA05261@chaos.ngdc.noaa.gov>
X-Authentication-Warning: chaos.ngdc.noaa.gov: Host localhost didn't use HELO protocol
To: "marc.vael"
Cc: firewalls@GreatCircle.COM
Subject: Re: disaster plan for WAN/LAN
In-reply-to: Your message of "03 May 1996 06:39:38." <9605030542.AA7435@notes2.compuserve.com>
Date: Fri, 03 May 1996 10:58:40 -0600
From: Bruce Welker
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

InRef:
>>software, and whatever...), I already erase this data from the FTP
>>site, and i change all the attributes and owners of the site...
>>
> > Do you know a software or a different way to protect my machine
>>against these guys ??...
>
>You might consider using Dr. Solomon's AUDIT TOOL (pretty new on the market
>which verifies the software installed on your server with a predefined list.
>This can
>prevent the unauthorized uploads of Software Piracy.
>
>Marc
>(also reachable via marc.vael@ping.be)

We've found that regular (as in weekly) purging of files over 7 days old helps to keep it clean. Also following the recommendations in Garfinkel & Spafford's "Practical Unix Security" about FTP security.
The book is published by O'Reilly and Associates (most of you probably know this), who have a web site at www.oreilly.com.

Bruce

=============================================================================
Bruce Welker                 email: bdw@ngdc.noaa.gov
ISD System Administration    audio: 303-497-7079
NGDC/NOAA                    fax:   303-497-6513
Mailstop E/GC4               Discl: Whatever I say is a personal opinion,
325 Broadway                        unsupported by any authority or fact.
Boulder, Co 80303 USA
=============================================================================

From firewalls-owner Fri May 3 12:27:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA17652 for firewalls-outgoing; Fri, 3 May 1996 12:05:31 -0700 (PDT)
Received: from server1.deltanet.com (mail.deltanet.com [199.171.190.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA17585 for ; Fri, 3 May 1996 12:05:12 -0700 (PDT)
Received: from [204.254.69.115] by server1.deltanet.com (5.65/SCA-6.6) with SMTP id AA05184 for firewalls@greatcircle.com; Fri, 3 May 96 12:02:59 -0700
Message-Id: <318A5837.1B01@mvi-net.com>
Date: Fri, 03 May 1996 12:02:15 -0700
From: MVI
Organization: MVI
X-Mailer: Mozilla 2.0 (Win95; U; 16bit)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: "Re-dialers"
References: <199605031604.LAA07981@sky.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Shelly Nuessle wrote:
>
> WE are looking for a product that could run on our firewall and, as
> initiated by a specific incident, send a text/numeric page to someone or
> fire off email to our help desk, etc...
>
> any suggestions are appreciated.
>
> Shelly

I'm not too sure about add-ons for an existing firewall, but I know that Raptor Systems' Eagle firewall provides paging, e-mail, fax, or even an audio message.
Matt Holway
Marvel Internet Works
Long Beach, CA

From firewalls-owner Fri May 3 12:47:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA18706 for firewalls-outgoing; Fri, 3 May 1996 12:11:24 -0700 (PDT)
Received: from server1.deltanet.com (mail.deltanet.com [199.171.190.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA18664 for ; Fri, 3 May 1996 12:10:53 -0700 (PDT)
Received: from [204.254.69.115] by server1.deltanet.com (5.65/SCA-6.6) with SMTP id AA05840 for firewalls@greatcircle.com; Fri, 3 May 96 12:08:40 -0700
Message-Id: <318A598C.52E2@mvi-net.com>
Date: Fri, 03 May 1996 12:07:56 -0700
From: MVI
Organization: MVI
X-Mailer: Mozilla 2.0 (Win95; U; 16bit)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: Firewall Setup
References: <01BB38F2.55EF2E40@cnj1-144.cybernex.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gopakumar Chirukandath wrote:
>
> We are setting up an Internet Server and an Intranet server. These are Windows NT Based. Could someone
> suggest a good firewall product. We have about 50 users on the LAN.
>
> gopa@bc.cybernex.net
> Gopakumar Chirukandath

I replied to another email that the Raptor Systems' Eagle has the ability to fax, page, or email notifications of problems on the system. The Eagle is also a fully integrated firewall for Windows NT. In fact, if my memory serves correctly, they were the first fully integrated firewall for Windows NT.
Matthew Holway
Marvel Internetworks (MVI)
Long Beach, CA
http://www.mvi-net.com

From firewalls-owner Fri May 3 12:56:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16869 for firewalls-outgoing; Fri, 3 May 1996 11:59:25 -0700 (PDT)
Received: from fciencias.ens.uabc.mx (fciencias.ens.uabc.mx [148.231.191.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16860 for ; Fri, 3 May 1996 11:59:20 -0700 (PDT)
Received: (from llanero@localhost) by fciencias.ens.uabc.mx (8.6.12/8.6.12) id LAA14441; Fri, 3 May 1996 11:54:05 GMT
Date: Fri, 3 May 1996 11:54:05 +0000 ()
From: Urivan Alyasid Saaib
To: firewall
Subject: Re: disaster plan for WAN/LAN
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thank you all for your answers...

I prefer to put the site only in Read mode, so if someone wants to put something in the site, they need to tell me, and then I move the file... This is the better idea, because the server where I work is being used by Computer Science students... and they want to put their projects where other students or people can get them...

About the software for protection, does somebody know where I can find one of these?..

P.S.: ammhh.. and sorry for my English..:P

_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_
*                                                                       *
*  Urivan Alyasid Flores Saaib        E-mail addresses:                 *
*  Facultad de Ciencias               uflores@bahia.ens.uabc.mx         *
*  U. A. B. C.                        fcs00922@faro.ens.uabc.mx         *
*  Ensenada, Baja California          llanero@fciencias.ens.uabc.mx     *
*  Mexico.
                                      guess@cicese.mx                   *
*                                     uflores@orca.ens.cetys.mx         *
*                                     usaaib@envirolink.org             *
*                                     root@fciencias.ens.uabc.mx        *
*  http://fciencias.ens.uabc.mx/~llanero                                *
*  http://www.cicese.mx/~guess                                          *
~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~-+-_-+-~

From firewalls-owner Fri May 3 13:18:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA25158 for firewalls-outgoing; Fri, 3 May 1996 12:59:02 -0700 (PDT)
Received: from madge.dhss.state.wi.us (madge.dhss.state.wi.us [165.189.41.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA24933 for ; Fri, 3 May 1996 12:58:23 -0700 (PDT)
Received: by madge.dhss.state.wi.us; id AA08667; Fri, 3 May 96 14:54:25 CDT
Received: from tomodachi.dhss.state.wi.us(159.158.53.9) by madge.dhss.state.wi.us via smap (g3.0.3) id xma008642; Fri, 3 May 96 14:53:56 -0500
Received: from DHSS.STATE.WI.US by tomodachi.dhss.state.wi.us (SMI-8.6/SMI-SVR4) id OAA13621; Fri, 3 May 1996 14:54:12 -0500
Received: from DHSS1-Message_Server by DHSS.STATE.WI.US with Novell_GroupWise; Fri, 03 May 1996 14:56:46 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Fri, 03 May 1996 14:56:28 -0500
From: Kevin Cherek
To: firewalls@greatcircle.com
Cc: shellyn@sky.net
Subject: re: "Re-dialers"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

You may want to check out swatch (Simple WATCHer), available from:

ftp://ftp.stanford.edu/general/security-tools/swatch

- kev -

=========================================================
Shelly Nuessle writes:

WE are looking for a product that could run on our firewall and, as initiated by a specific incident, send a text/numeric page to someone or fire off email to our help desk, etc...

any suggestions are appreciated.
Shelly

From firewalls-owner Fri May 3 13:23:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA22953 for firewalls-outgoing; Fri, 3 May 1996 12:43:41 -0700 (PDT)
Received: from kcpgw.kcp.com (kcpgw.kcp.com [198.62.69.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA22916 for ; Fri, 3 May 1996 12:43:33 -0700 (PDT)
Received: by kcpgw.kcp.com id AA20001 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Fri, 3 May 1996 14:41:18 -0500
Message-Id: <199605031941.AA20001@kcpgw.kcp.com>
Received: by kcpgw.kcp.com (Protected-side Proxy Mail Agent-2); Fri, 3 May 1996 14:41:18 -0500
Received: by kcpgw.kcp.com (Protected-side Proxy Mail Agent-1); Fri, 3 May 1996 14:41:18 -0500
Mime-Version: 1.0
Date: Fri, 3 May 1996 14:27:47 -0500
From: dharris@kcp.com (Delmer Harris)
Subject: Re:
To: firewalls@GreatCircle.COM, "Ing. Rosa Isela Gonzalez Alvarez."
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Simple response from a simple person:

bootp server: Client (probably Win3.1 or DOS) sends request to server. Packet(s) sent include MAC (Ethernet?) address. Server looks up MAC address in internal table and returns information such as IP address, DNS server address, default router address, and maybe one or two other items. See bootptab man pages for more details.

DHCP server: Client (Win95 or WinNT) does approximately the same as above, only more options. Server does approximately the same as above, only more options. Also, IP address assigned may be dynamic rather than static (assigned from defined pool of addresses rather than from lookup table) and will have a defined lifetime after which it expires.

DHCP is a superset of bootp.

Now all the experts can chip in with the details, like the RFC which defines each (bootp & DHCP).

Delmer D.
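Delmer's summary above, that DHCP is a superset of bootp, is visible on the wire: a DHCP message is a BOOTP packet (RFC 951 fixed header) whose 64-byte vendor area starts with the magic cookie 99.130.83.99 and then carries type-length-value options (RFC 2132), among them the message type (option 53) and the lease lifetime (option 51) he mentions. The parser below is an added example, not code from any server or product named in the thread; it builds one plain BOOTP reply and one DHCP OFFER by hand (constructed packets, with a made-up client MAC and 192.0.2.0/24 documentation addresses) and decodes both with the same header routine, branching to option parsing only when the cookie is present. The option walker checks every length against the buffer so a truncated or malformed option cannot read past the packet.

```python
"""
Decode the BOOTP fixed header and, if present, the DHCP options after it.
Added example; the two packets are constructed by hand.
"""
import struct
from typing import Dict, List, Tuple

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128): 236 bytes, then the vendor/options area.
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_HDR_LEN = struct.calcsize(BOOTP_HDR)          # 236
DHCP_COOKIE = bytes([99, 130, 83, 99])
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_MESSAGE_TYPE, OPT_LEASE_TIME, OPT_END, OPT_PAD = 53, 51, 255, 0


def build_packet(op: int, xid: int, chaddr: bytes, yiaddr: bytes = b"\0" * 4,
                 options: List[Tuple[int, bytes]] = None) -> bytes:
    """Build a BOOTP packet; with options, the vendor area becomes DHCP."""
    hdr = struct.pack(BOOTP_HDR, op, 1, len(chaddr), 0, xid, 0, 0,
                      b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                      chaddr, b"\0" * 64, b"\0" * 128)
    if options is None:
        vend = b"\0" * 64                            # plain BOOTP: empty vendor area
    else:
        vend = DHCP_COOKIE + b"".join(bytes([code, len(val)]) + val
                                      for code, val in options) + bytes([OPT_END])
        vend = vend.ljust(64, b"\0")                 # BOOTP minimum; DHCP may be longer
    return hdr + vend


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk TLV options with bounds checks; stop at END, skip PAD."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        val = data[i + 2:i + 2 + length]
        if len(val) != length:                       # length runs past the packet
            raise ValueError(f"option {code} truncated")
        opts[code] = val
        i += 2 + length
    return opts


def parse(pkt: bytes) -> Dict:
    """Decode the header fields a server or sniffer cares about."""
    if len(pkt) < BOOTP_HDR_LEN + 64:
        raise ValueError("packet shorter than a BOOTP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     _giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_HDR, pkt[:BOOTP_HDR_LEN])
    vend = pkt[BOOTP_HDR_LEN:]
    info = {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "yiaddr": ".".join(str(b) for b in yiaddr),
        "dhcp": vend[:4] == DHCP_COOKIE,
        "options": {},
    }
    if info["dhcp"]:
        info["options"] = parse_options(vend[4:])
        mt = info["options"].get(OPT_MESSAGE_TYPE)
        if mt:
            info["message_type"] = MSG_TYPES.get(mt[0], f"type {mt[0]}")
        lease = info["options"].get(OPT_LEASE_TIME)
        if lease and len(lease) == 4:
            info["lease_seconds"] = struct.unpack("!I", lease)[0]
    return info


MAC = bytes.fromhex("00a0c9112233")                  # constructed client address


def bootp_reply() -> Dict:
    """A static BOOTP reply: address comes from the server's table, no lease."""
    return parse(build_packet(2, 0x1234, MAC, yiaddr=bytes([192, 0, 2, 50])))


def dhcp_offer() -> Dict:
    """A DHCP OFFER: same header plus cookie and options, including a lease."""
    opts = [(OPT_MESSAGE_TYPE, b"\x02"), (1, bytes([255, 255, 255, 0])),
            (3, bytes([192, 0, 2, 1])), (OPT_LEASE_TIME, struct.pack("!I", 86400)),
            (54, bytes([192, 0, 2, 1]))]
    return parse(build_packet(2, 0x1234, MAC, yiaddr=bytes([192, 0, 2, 50]), options=opts))


if __name__ == "__main__":
    print(bootp_reply())
    print(dhcp_offer())
```

Both packets decode to the same client MAC and offered address; only the DHCP one reports `message_type` "OFFER" and a one-day lease, which is exactly the extra information a DHCP server adds on top of the BOOTP lookup.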
Harris

______________________________ Reply Separator _________________________________
Subject:
Author: "Ing. Rosa Isela Gonzalez Alvarez." at INTERNET-MAIL
Date: 5/3/96 1:17 PM

Hello,

Could somebody tell me what's the difference between bootp and dhcp server?

Thanks in advance, any responses are appreciated.

Ing. Rosa Isela Gonzalez Alvarez
Universidad Autonoma de Ciudad Juarez
Av. Adolfo Lopez Mateos # 20
C.P. 32310
Tel. 11-08-86
e-mail address rgonzale@uacj.mx

From firewalls-owner Fri May 3 13:26:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA25857 for firewalls-outgoing; Fri, 3 May 1996 13:04:20 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA25851 for ; Fri, 3 May 1996 13:04:15 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c2robo13.cisco.com [171.68.13.45]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id NAA00513; Fri, 3 May 1996 13:00:58 -0700
Message-Id: <199605032000.NAA00513@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 03 May 1996 16:01:59 -0400
To:
From: Paul Ferguson
Subject: Re: Firewalls-Digest V5 #289
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try: http://www.thelist.com

- paul

At 02:03 PM 5/3/96 -0400, casey@justice.usdoj.gov wrote:
>I am looking for a list of all the Internet
>Service Providers world-wide. Can anyone point me
>in the right direction?
>
>Thanks in advance,
>
>Mary L. Casey, Program Analyst
>Information Management &
> Security Staff
>Information Resources Management
>Justice Management Division
>U.S. Dept of Justice
>

--
Paul Ferguson                      ||        ||
Consulting Engineering             ||        ||
Reston, Virginia USA              ||||      ||||
tel: +1.703.716.9538          ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com     c i s c o  S y s t e m s

From firewalls-owner Fri May 3 14:11:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA02387 for firewalls-outgoing; Fri, 3 May 1996 13:58:22 -0700 (PDT)
Received: from 198.68.45.121 (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA02320 for ; Fri, 3 May 1996 13:58:10 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.80) with SMTP id ; Fri, 03 May 1996 15:00:07 -0600
Received: by juneau.steldyn.com with Microsoft Exchange (IMC 4.12.736) id <01BB3900.CB024F10@juneau.steldyn.com>; Fri, 3 May 1996 14:57:05 -0600
Message-ID:
From: Chris Pugrud
To: Firewalls Mailing list
Subject: RE: Firewall Setup
Date: Fri, 3 May 1996 14:57:03 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The current release of Raptor's EagleNT product (3.02) does not yet support the fax or page notifications; I am unsure about the email. Raptor says these features are "coming soon".

Chris

>----------
>From: MVI[SMTP:mholway@mvi-net.com]
>Sent: Friday, May 03, 1996 1:07 PM
>To: Firewalls Mailing list
>Subject: Re: Firewall Setup
>
>Gopakumar Chirukandath wrote:
>>
>> We are setting up an Internet Server and an Intranet server. These are Windows
>NT Based. Could someone
>> suggest a good firewall product. We have about 50 users on the LAN.
>>
>> gopa@bc.cybernex.net
>> Gopakumar Chirukandath
>
>I replied to another email that the Raptor Systems'
>Eagle has the ability
>to fax, page, or email notifications of problems on the system. The
>Eagle is also a fully integrated firewall for Windows NT. In fact, if my
>memory serves correctly, they were the first fully integrated firewall for
>Windows NT.
>
> Matthew Holway
> Marvel Internetworks (MVI)
> Long Beach, CA
> http://www.mvi-net.com
>

From firewalls-owner Fri May 3 14:41:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA05670 for firewalls-outgoing; Fri, 3 May 1996 14:32:31 -0700 (PDT)
Received: from hades.wvs.com (hades.wvs.com [204.247.81.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA05664 for ; Fri, 3 May 1996 14:32:27 -0700 (PDT)
Received: from sol.wvs.com (sol.wvs.com [204.247.80.10]) by hades.wvs.com (8.7.4/8.7.3) with ESMTP id OAA22445 for ; Fri, 3 May 1996 14:30:10 -0700 (PDT)
Received: from zorch.sf-bay.org (Uzorch@localhost) by sol.wvs.com (8.7.4/8.7.3) with UUCP id OAA15410 for firewalls@greatcircle.com; Fri, 3 May 1996 14:30:09 -0700 (PDT)
X-Authentication-Warning: sol.wvs.com: Uzorch set sender to zorch.sf-bay.org!news using -f
Received: (from news@localhost) by zorch.sf-bay.org (8.6.11/8.6.9) id OAA03855 for firewalls@greatcircle.com; Fri, 3 May 1996 14:27:44 -0700
Newsgroups: zorch.lists.firewalls
Path: zorch.sf-bay.org!scott
From: scott@zorch.sf-bay.org (Scott Hazen Mueller)
Subject: SSL versions of rsh, rdist?
Reply-To: scott@zorch.sf-bay.org
Organization: At Home; Salida, CA
Message-ID:
X-Nntp-Posting-Host: localhost.sf-bay.org
Date: Fri, 3 May 1996 21:27:40 GMT
Apparently-To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm pretty sure that there are some SSL-ified versions of rsh and rdist kicking around somewhere. I even have a paper from Netscape that says they exist, but the support people are clueless (I think it's a job requirement :-) [I did support for 2 years, no flames please]). Anyone have pointers to these beasties?
Thanks,

--
Scott Hazen Mueller | scott@zorch.SF-Bay.ORG or tandem!zorch!scott

From firewalls-owner Fri May 3 15:56:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA07972 for firewalls-outgoing; Fri, 3 May 1996 15:54:55 -0700 (PDT)
Received: from jaring.my (jaring.my [192.228.128.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA07966 for ; Fri, 3 May 1996 15:54:50 -0700 (PDT)
Received: from extol.extol.my (j4.ptl5.jaring.my [161.142.1.20]) by jaring.my (8.7.5/8.7.1) with SMTP id GAA24360; Sat, 4 May 1996 06:52:35 +0800 (MYT)
Message-ID: <318A9DB8.ED5@pc.jaring.my>
Date: Sat, 04 May 1996 06:58:48 +0700
From: peng-chiew low
X-Mailer: Mozilla 2.01 (Win95; I)
MIME-Version: 1.0
To: casey@justice.usdoj.gov
CC: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #289
References: <9605031403.aa16958@justice.usdoj.gov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

casey@justice.usdoj.gov wrote:
> I am looking for a list of all the Internet
> Service Providers world-wide. Can anyone point me
> in the right direction?

Now, what would the US Dept of Justice be doing with the list, I wonder???? Hmmm.. Perhaps this question would be better off in the cypherpunks list.
From firewalls-owner Fri May 3 16:26:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA08376 for firewalls-outgoing; Fri, 3 May 1996 16:12:11 -0700 (PDT)
Received: from paloalto.access.hp.com (paloalto.access.hp.com [15.254.56.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA08370 for ; Fri, 3 May 1996 16:12:04 -0700 (PDT)
Received: from hpwcsvp.mayfield.hp.com by paloalto.access.hp.com with SMTP (1.37.109.16/15.5+ECS 3.3) id AA174134992; Fri, 3 May 1996 16:09:52 -0700
Received: from a2426kjs.nsr.hp.com by hpwcsvp.mayfield.hp.com with SMTP (1.36.108.10/15.5+ECS 3.3) id AA05425; Fri, 3 May 1996 16:09:49 -0700
Date: Fri, 3 May 1996 16:09:48 -0700 (PDT)
From: Kevin Steves
To: Renee Landers
Cc: firewalls@GreatCircle.COM
Subject: Re: disabling IP forwarding on HP-UX
In-Reply-To: <9605031240.AA01353@shlep.sware.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 May 1996, Renee Landers wrote:
> Has anyone ever tried to disable ip forwarding on HP-UX 10.0x? I need to do
> that, and I've tried modifying vmunix using adb, rebuilding the kernel with
> IP_FORWARDING undefined -- no luck. Also, I couldn't find any mention of it
> in the documentation -- but that doesn't mean it's not there, just not indexed
> or in a likely place.

On 10.X see nettune(1).

> Any ideas? What about on HP-UX 9.0x?

On 9.X you need to poke the ipforwarding symbol with adb.
Kevin

From firewalls-owner Fri May 3 17:26:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA09506 for firewalls-outgoing; Fri, 3 May 1996 17:17:03 -0700 (PDT)
Received: from info.kreonet.re.kr (info.kreonet.re.kr [134.75.30.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA09500 for ; Fri, 3 May 1996 17:16:57 -0700 (PDT)
Received: (from jhkim@localhost) by info.kreonet.re.kr (8.6.12h2/8.6.9) id JAA12557 for firewalls-digest@GreatCircle.COM; Sat, 4 May 1996 09:15:42 +0900
From: Jonghun Kim
Message-Id: <199605040015.JAA12557@info.kreonet.re.kr>
Subject: singoff
To: firewalls-digest@GreatCircle.COM
Date: Sat, 4 May 1996 09:15:42 +0900 (KST)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-2022-kr
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff firewalls jhkim@info.kreonet.re.kr

From firewalls-owner Fri May 3 17:41:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA09916 for firewalls-outgoing; Fri, 3 May 1996 17:36:55 -0700 (PDT)
Received: from gaia.internex.net (gaia.internex.net [198.67.38.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA09910 for ; Fri, 3 May 1996 17:36:50 -0700 (PDT)
Received: from hidata.com by gaia.internex.net (8.6.9/InterNex-SM8.6.9) id RAA01498; Fri, 3 May 1996 17:34:38 -0700
Received: by hidata.com (SMI-8.6/SMI-SVR4) id RAA17625; Fri, 3 May 1996 17:34:38 -0700
Received: from osc(205.158.62.10) by hds-gw via smap (V1.3) id sma017622; Fri May 3 17:34:32 1996
Received: from enterprise by osc.hidata.com (SMI-8.6/SMI-SVR4) id RAA12150; Fri, 3 May 1996 17:34:31 -0700
Date: Fri, 3 May 1996 17:34:31 -0700
Message-Id: <199605040034.RAA12150@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Ethernet MAC
address to Firewall Q? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have an interesting problem. Users from a device can't reach the firewall (I'm stretching this as a firewall question). Someone changed the MAC address of a device on my network (don't ask), and suddenly users from that device can't connect to the firewall. The MAC address is now 11-22-33-44-55-66. None of my NT 3.51 systems, or my UNIX boxes can ping or be ping'd from that system. However, NT4.0, W95, and Japanese NT3.51 can ping/reply to the device. Any ethernet MAC rules being broken with the new MAC address? Any clues? <=======10========20====Ruler for Eudora users==50========60========70========80 William B. Stout | "Official student of 'the internet school of fire'." Senior Systems Admin | Hitachi Data Systems | "If it's in a textbook, it's obsolete." Open Systems Center | Santa Clara, California | "My opinions are my own." 408-970-4822 | #include <=======10========20========30========40========50========60========70========80 From firewalls-owner Fri May 3 23:59:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA17090 for firewalls-outgoing; Fri, 3 May 1996 23:52:06 -0700 (PDT) Received: from popalex1.linknet.net (popalex1.linknet.net [206.103.79.89]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA17084 for ; Fri, 3 May 1996 23:52:01 -0700 (PDT) From: zarquon@popalex1.linknet.net Received: from dsrvlaf1-24.linknet.net by popalex1.linknet.net; (5.65v3.2/1.1.8.2/06Mar96-1224PM) id AA26051; Sat, 4 May 1996 01:55:12 -0500 Received: (from zarq@localhost) by dsrvlaf1-24.linknet.net (8.6.12/8.6.9) id BAA01768 for firewalls@GreatCircle.COM; Sat, 4 May 1996 01:49:15 -0500 Message-Id: <199605040649.BAA01768@dsrvlaf1-24.linknet.net> Subject: Linux network monitoring To: firewalls@GreatCircle.COM (Firewalls) Date: Sat, 4 May 1996 01:49:08 -0500 (CDT) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; 
charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I connect my Linux box to the Internet through a dynamic PPP link, and I never really thought anyone would take interest in trying to gain any kind of access to it. I only recently started paying attention to my system logs, and it turns out that I *do* have the occasional login attempt, strange sendmail connections etc. The only problem is that I usually notice this days after it happened, and since I don't run any kind of network monitoring tools, all I can rely on is what syslogd and kerneld have been informed of, which usually doesn't amount to a whole lot.

I have been looking around for some network monitoring tool that would suit my needs, specifically one that would not be too big and intended for a large network, but still have functionality and preferably some way of informing and, should it be necessary, alerting me of any strange activities. So far I have recompiled my kernel (1.3.97) with all firewall and ip accounting options enabled, and tried them out to a certain extent, and I have also had a look at various network monitoring tools that I could find around the net.

What I would really like is a tool like one I saw in use a while back, but have been unable to locate. It could detect attempted connections on any ports, giving it the ability to effectively detect port scans in any port range, while *not* accepting any connections. In other words, whoever attempted to connect would *not* have the connection accepted, but it would still be logged as a connection attempt. This can clearly not be done with any kind of inetd extension, and with my limited knowledge of how all of this works, I can imagine two ways of accomplishing this:

- Keeping an eye on all incoming packets (sniffing?) to determine if someone is attempting to connect, while the kernel-based firewall takes care of rejecting unwanted connections
- Having the kernel firewall and/or ip accounting functions record any attempt at establishing a connection, then using some external program to parse them somehow to log and determine if the sysadmin should be informed

What I would like to know is if either of these options would be practical, or even possible, to perform, and if any such applications exist already.

.../zarq
Runar Jensen [zarquon@popalex1.linknet.net]

From firewalls-owner Sat May 4 01:41:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA19158 for firewalls-outgoing; Sat, 4 May 1996 01:33:29 -0700 (PDT)
Received: from relay.ioffe.rssi.ru (relay.ioffe.rssi.ru [194.85.224.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA19150 for ; Sat, 4 May 1996 01:33:06 -0700 (PDT)
Received: from ssrouter.ioffe.rssi.ru by relay.ioffe.rssi.ru with SMTP (8.7.5/Serv-2.12-AS-eef) id MAA13792; Sat, 4 May 1996 12:28:48 +0400 (MSD)
Date: Sat, 4 May 1996 12:29:50 +0400 (MSD)
From: Kirill Bolshakov
To: "Ing. Rosa Isela Gonzalez Alvarez."
cc: firewalls@GreatCircle.COM
Subject: Re: your mail
In-Reply-To: <9605031817.AA15055@leo.uacj.mx>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 May 1996, Ing. Rosa Isela Gonzalez Alvarez. wrote:

> Hello,
>
> Could somebody tell me what's the difference between bootp and dhcp
> server?
>
> Thanks in advance, any responses are appreciated.
>
> Ing. Rosa Isela Gonzalez Alvarez
> Universidad Autonoma de Ciudad Juarez
> Av. Adolfo Lopez Mateos # 20
> C.P. 32310
> Tel. 11-08-86
> e-mail address rgonzale@uacj.mx
>

DHCP allows automated IP address distribution in, for example, a MicrosoftNet environment. BOOTP allows remote booting.
------------------------------------------------------------------------- | Research Systems Software Laboratory | Kirill Bolshakov | | Ioffe Institute | raven@ssrouter.ioffe.rssi.ru | ------------------------------------------------------------------------- From firewalls-owner Sat May 4 11:26:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA29070 for firewalls-outgoing; Sat, 4 May 1996 11:22:07 -0700 (PDT) Received: from SantaClara01.pop.internex.net (SantaClara01.POP.InterNex.Net [205.158.3.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA29064 for ; Sat, 4 May 1996 11:22:02 -0700 (PDT) Received: from SYSMKT.hdshq.com ([206.215.16.130]) by SantaClara01.pop.internex.net (post.office MTA v1.9.3 ID# 0-11030) with ESMTP id AAA26986 for ; Sat, 4 May 1996 11:19:55 -0700 Received: from courtney.hdshq.com (relay.hdshq.com [198.92.130.3]) by SYSMKT.hdshq.com (1/HDS MAIL SYSTEM) with SMTP id LAA10974 for ; Sat, 4 May 1996 11:19:30 -0700 (PDT) Message-Id: <1.5.4.32.19960504181934.00674db0@192.168.80.60> X-Sender: carl@192.168.80.60 X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 04 May 1996 11:19:34 -0700 To: firewalls@greatcircle.com From: Carl V Claunch Subject: Improved JavaScript and Java screening function Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks to the feedback of several users of the patch I had previously developed against the http-gw component of TIS's fwtk, I have developed version 2, which improves the screening protection further. The complete patch kit, including documentation and a test-bed useful for passing sample or collected HTML thru the screener offline, can be found at http://www.hdshq.com/fixes/fwtk/welcome.html Users of the original (version 1) patch can simply apply the following context diff using patch, and be brought up to version 2 level. 
If you do not have version 1 installed please fetch the compressed tar archive javablok.tar.Z from the URL above. *** http-gw.c.orig Fri May 3 15:47:16 1996 --- http-gw.c Fri May 3 15:42:52 1996 *************** *** 12,17 * * 22-Aug-1994 Started to add the Gopher+ stuff. (pjc) * 15-Mar-1996 Added screening for Java, JavaScript. (carl@hdshq.com) */ static char RcsId[] = "$Header: http-gw.c,v 1.8 94/10/11 11:04:34 pjc Exp $"; --- 12,18 ----- * * 22-Aug-1994 Started to add the Gopher+ stuff. (pjc) * 15-Mar-1996 Added screening for Java, JavaScript. (carl@hdshq.com) + * 3-May-1996 Improved screening for Java, JavaScript. (carl@hdshq.com) */ static char RcsId[] = "$Header: http-gw.c,v 1.8 94/10/11 11:04:34 pjc Exp $"; *************** *** 21,26 extern int nojava; extern int nojavascript; static void do_logging() { char *proto = "GOPHER"; --- 22,28 ----- extern int nojava; extern int nojavascript; + void seek_and_destroy(); static void do_logging() { char *proto = "GOPHER"; *************** *** 1186,1191 syslog(LLEV,"content-type=%s", &go_request[13]); } }else if( !strncasecmp(go_request, "location:", 9) ){ if( (rem_type&TYPE_PROXYCLIENT)==0){ p = strchr(go_request, ':'); p++; --- 1188,1194 ----- syslog(LLEV,"content-type=%s", &go_request[13]); } }else if( !strncasecmp(go_request, "location:", 9) ){ + if (nojavascript) seek_and_destroy(go_request); if( (rem_type&TYPE_PROXYCLIENT)==0){ p = strchr(go_request, ':'); p++; *************** *** 1907,1912 IN_TAG, /* inside <....> */ IN_BEGIN_COMMENT, /* inside */ IN_COMMENTS, /* inside */ IN_ELEMENT, /* inside first word of tag */ IN_WS_1, /* whitespace before attribute name */ IN_ATTRIBUTE, /* inside <.. xxx [= yyy] > */ --- 1910,1916 ----- IN_TAG, /* inside <....> */ IN_BEGIN_COMMENT, /* inside */ IN_COMMENTS, /* inside */ + IN_END_COMMENT, /* looking for closing > */ IN_ELEMENT, /* inside first word of tag */ IN_WS_1, /* whitespace before attribute name */ IN_ATTRIBUTE, /* inside <.. 
xxx [= yyy] > */ *************** *** 2232,2237 !strcasecmp(attribute,"action")) trans_anchor(attribute,value,protocol); /* Quote at end removed to avoid double write*/ p = value + strlen(value) - 1; if ((*p == '"') || (*p == '\'')) *p = 0; --- 2236,2250 ----- !strcasecmp(attribute,"action")) trans_anchor(attribute,value,protocol); + /* we look for the ': + state = IN_BODY; + break; + + case ' ': + case '\n': + case '\t': + case '\r': + case '-': + ch = 0; + break; + + default: + state = IN_COMMENTS; + ch = 0; + break; + } + break; + default: break; } *************** *** 2513,2518 /* if handled by plug-gw, prefix p to URL */ oldurl = maybe_plug_it(value); /* match and remove URLs we are restricting */ if( filter_anchor(attribute, oldurl)){ sprintf(newurl,"filtered://-removed-"); --- 2547,2556 ----- /* if handled by plug-gw, prefix p to URL */ oldurl = maybe_plug_it(value); + /* remove javascript: URLs if we are screening */ + if ( nojavascript && !strncasecmp(oldurl,"javascript:",11)) { + sprintf(newurl,"filtered://-removed-"); + /* match and remove URLs we are restricting */ } else if( filter_anchor(attribute, oldurl)){ sprintf(newurl,"filtered://-removed-"); *************** *** 2514,2520 oldurl = maybe_plug_it(value); /* match and remove URLs we are restricting */ ! if( filter_anchor(attribute, oldurl)){ sprintf(newurl,"filtered://-removed-"); /* internal use URLs should not be modified */ --- 2552,2558 ----- sprintf(newurl,"filtered://-removed-"); /* match and remove URLs we are restricting */ ! } else if( filter_anchor(attribute, oldurl)){ sprintf(newurl,"filtered://-removed-"); /* internal use URLs should not be modified */ *************** *** 2702,2705 forward_file(sockfd, rem_path, rem_server); } return 0; } --- 2740,2767 ----- forward_file(sockfd, rem_path, rem_server); } return 0; + } + + /* This routine will seek through a string looking for a javascript: + substring. It will replace that with filterfwtk: so it becomes + non-functional. 
This is only called when screening for javascript */ + void + seek_and_destroy(jScan) + char *jScan; + { + char jTest[12]; + char jChar; + char *jEnd; + + jEnd = jScan + strlen(jScan); + while(jChar = *(jScan++)) { + if (((jChar == 'j') || (jChar == 'J')) && ((jEnd-jScan)>9)) { + strncpy(jTest,jScan-1,11); + *(jTest+11) = 0; + if (!strncasecmp(jTest,"javascript:",11)) { + memmove(jScan-1,"filterfwtk:",11); + break; + } + } + } } From firewalls-owner Sat May 4 17:44:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA24104 for firewalls-outgoing; Sat, 4 May 1996 17:11:11 -0700 (PDT) Received: from uustar.starnet.net (uustar.starnet.net [199.217.253.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA24179 for ; Thu, 2 May 1996 06:47:16 -0700 (PDT) Received: from hq.UUCP by uustar.starnet.net with UUCP id AA18759 (5.67b/IDA-1.5 for greatcircle.com!firewalls); Thu, 2 May 1996 08:33:02 -0500 Received: (from daemon@localhost) by hq.agedwards.com (8.6.9/8.6.9) id IAA05138 for firewalls@greatcircle.com.outbound; Thu, 2 May 1996 08:20:59 -0500 Received: from igate.agedwards.com (igate.agedwards.com [159.45.56.11]) by hq. (8.6.9/8.6.9) with ESMTP id IAA05134 for ; Thu, 2 May 1996 08:20:58 -0500 Received: from Microsoft Mail (PU Serial #1093) by igate.agedwards.com (PostalUnion/SMTP(tm) v2.1.8c for Windows NT(tm)) id AA-1996May02.081900.1093.46279; Thu, 02 May 1996 08:20:45 -0500 From: nicholscs@agedwards.com (Nichols,Christopher) To: firewalls@greatcircle.com ('smtp: firewalls@greatcircle.com') Message-Id: <1996May02.081900.1093.46279@igate.agedwards.com> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: A.G. Edwards & Sons Inc. St. 
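Review bot: the declaration added in the hunk at line 21, `void seek_and_destroy();`, has an empty parameter list, so the call added at line 1191 (`seek_and_destroy(go_request)`) gets no argument checking from the compiler; declare it as `void seek_and_destroy(char *);` (or move the definition above its first use) so a wrong argument type is caught at compile time.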
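Review bot: the hunk at line 2232 has lost its first added lines in transit (the comment reads `/* we look for the ': ` and the `case` label before `state = IN_BODY;` is missing), so it cannot be applied as posted; resend it or point readers at the tar archive for a clean copy. Of what is visible, the new IN_END_COMMENT handling consumes whitespace and `-` (`ch = 0;`), returns to IN_BODY on the closing character, and falls back to IN_COMMENTS on anything else; that last transition deserves a comment, since it is what makes `--` followed by other text stay inside the comment instead of ending it.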
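Review bot: in the hunk at line 2513 the comment `/* match and remove URLs we are restricting */` now sits inside the new `javascript:` block, right before the `} else if`, so it no longer describes the branch it belongs to; move it below the `}`. The new test also hardcodes the scheme name (`strncasecmp(oldurl,"javascript:",11)`); the follow-up note on this page adds `livescript:` as a synonym, so a small table of screened scheme names walked in one loop would keep this check and seek_and_destroy() in step without another copy of the `sprintf(newurl,"filtered://-removed-")` line.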
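Review bot: the hunk at line 2514 overlaps the one at line 2513 and describes the same edit (`if( filter_anchor(attribute, oldurl)){` becoming `} else if( filter_anchor(attribute, oldurl)){`); a context diff with two hunks over the same lines will make patch reject the second or apply the change twice. Regenerate the diff from the final file so each region appears once.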
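Review bot: in seek_and_destroy() the loop condition `while(jChar = *(jScan++))` is an assignment used as a condition; write `while ((jChar = *(jScan++)) != 0)` so it reads as intended and compiles without warnings. The `strncpy` into `jTest` is unnecessary: the `(jEnd-jScan)>9` guard already guarantees eleven readable bytes (the `j` plus ten more), so `strncasecmp(jScan-1,"javascript:",11)` can be applied to the string directly, and a comment saying that the guard counts the bytes after the `j` would help the next reader. Also document that the routine `break`s after the first match and so rewrites only the first `javascript:` it finds; if a header could carry the scheme more than once, drop the `break`. Finally, the in-place `memmove` relies on `filterfwtk:` being exactly as long as `javascript:` (eleven bytes); a comment or a `sizeof` check would guard against someone changing one string and not the other.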
Louis Date: Thu, 02 May 1996 08:20:45 -0500 Subject: IP Tools Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to test hurling IP frags, ICMP Dest Unreachables, redirects, and the like at various communications boxes on my net, maybe even try a little IP spoofing. Where is a good place to find some of the more well-known toolz such as IP-watcher, etc.? Chris From firewalls-owner Sat May 4 19:00:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA03591 for firewalls-outgoing; Sat, 4 May 1996 18:47:33 -0700 (PDT) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA03574 for ; Sat, 4 May 1996 18:47:25 -0700 (PDT) Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA12833; Sat, 4 May 96 20:49:50 CDT Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA10885; Sat, 4 May 96 20:47:41 CDT Date: Sat, 4 May 96 20:47:40 CDT From: amolitor@anubis.network.com (Andrew Molitor) Message-Id: <9605050147.AA10885@anubis.network.com> To: Firewalls@greatcircle.com Subject: Re: Ethernet MAC address to Firewall Q? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yeah. The low-order bit of the first octet of an ethernet address is the multicast bit (or RII -- Routing Information Present bit) in a source address. 
Anything that does talk to your firewall is busted, since that's an ethernet multicast group address of some kind ;) Andrew From firewalls-owner Sat May 4 19:11:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA04649 for firewalls-outgoing; Sat, 4 May 1996 19:00:44 -0700 (PDT) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA04643 for ; Sat, 4 May 1996 19:00:39 -0700 (PDT) Received: from nexus.eng.auburn.edu.eng.auburn.edu (nexus.eng.auburn.edu [131.204.12.98]) by dns.eng.auburn.edu (8.7.4/8.6.4) with SMTP id UAA15878; Sat, 4 May 1996 20:58:10 -0500 (CDT) Date: Sat, 4 May 1996 20:58:10 -0500 (CDT) From: Doug Hughes Message-Id: <199605050158.UAA15878@dns.eng.auburn.edu> To: firewalls@GreatCircle.COM, zarquon@popalex1.linknet.net Subject: Re: Linux network monitoring Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I wrote a tool that does what you want (an inetd service that you put in place of any UDP or TCP based service that logs the attempt but does not accept the connection). It's called klaxon and is available at either ftp.eng.auburn.edu:pub/doug or http://www.eng.auburn.edu/users/ doug/second.html. There's another tool on the www page that I use to watch the logs and inform me when critical security or other system events occur. It's called tklogger. 
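Andrew Molitor's point about the first octet, as an added example that is not code from any message on this page: the function below decodes a MAC address in the usual notations and reports the two flag bits of the first octet, the I/G (individual/group) bit, which is the least significant bit of that octet in Ethernet's canonical bit order, and the U/L (universally/locally administered) bit next to it. The address 11-22-33-44-55-66 from Bill Stout's question has the I/G bit set, which is why a correctly behaving station will not treat it as another host's unicast address. The other sample addresses are constructed for the example.

```python
"""Decode the flag bits of an Ethernet MAC address.  Added example; the
sample addresses are constructed, apart from 11-22-33-44-55-66 from the
question above."""
import re


def parse_mac(text):
    """Accept 11-22-33-44-55-66, 11:22:33:44:55:66, 1122.3344.5566 or
    112233445566 and return the six octets as integers."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]


def classify_mac(text):
    """Report the two flag bits that live in the first octet.  In Ethernet's
    canonical (least-significant-bit-first) order the I/G bit is bit 0 and
    the U/L bit is bit 1 of that octet."""
    octets = parse_mac(text)
    first = octets[0]
    return {
        "group": bool(first & 0x01),      # I/G: 1 = multicast/group address
        "local": bool(first & 0x02),      # U/L: 1 = locally administered
        "broadcast": all(o == 0xFF for o in octets),
    }


def usable_as_unicast_source(text):
    """A station's own (source) address must be an individual address, i.e.
    the I/G bit must be clear; group addresses only make sense as destinations."""
    return not classify_mac(text)["group"]


if __name__ == "__main__":
    addr = "11-22-33-44-55-66"
    flags = classify_mac(addr)
    print(addr,
          "group" if flags["group"] else "individual",
          "locally-administered" if flags["local"] else "universal",
          "-> usable as a host address:", usable_as_unicast_source(addr))
```

Running the block prints the verdict for the address from the thread: it is a group address, so it fails the host-address check, matching the behaviour of the hosts that refuse to talk to it.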
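The second approach in Runar Jensen's list (let the kernel firewall record every attempt and have an external program decide when the admin should be told), together with the klaxon idea of logging attempts rather than serving them, as an added example that is not code from any message on this page: a small Python parser for firewall accept/deny log lines, followed by a per-source sliding-window counter that flags a host touching many distinct ports in a short time. The log layout and every address in it are constructed for the example (they do not reproduce the 1.3.97 ipfw log format), and the window and port thresholds are assumptions to tune for a real link.

```python
"""Port-scan detection over firewall log lines: parse each 'connection
attempt' record, then flag sources that hit many distinct ports within a
short window.  Added example; log format and addresses are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real kernel output).  The layout is an assumption:
# syslog prefix, then action, interface, protocol, src:port and dst:port.
SAMPLE_LOG = """\
May  4 01:40:01 dsrvlaf1 kernel: IP fw-in deny eth0 TCP 192.0.2.10:2001 198.51.100.5:21
May  4 01:40:02 dsrvlaf1 kernel: IP fw-in deny eth0 TCP 192.0.2.10:2002 198.51.100.5:23
May  4 01:40:02 dsrvlaf1 sendmail[211]: NOQUEUE: connection from [203.0.113.7]
May  4 01:40:03 dsrvlaf1 kernel: IP fw-in accept eth0 TCP 203.0.113.7:1044 198.51.100.5:25
May  4 01:40:04 dsrvlaf1 kernel: IP fw-in deny eth0 TCP 192.0.2.10:2003 198.51.100.5:25
May  4 01:40:05 dsrvlaf1 kernel: IP fw-in deny eth0 TCP 192.0.2.10:2004 198.51.100.5:79
May  4 01:40:06 dsrvlaf1 kernel: IP fw-in deny eth0 TCP 192.0.2.10:2005 198.51.100.5:110
May  4 01:40:07 dsrvlaf1 kernel: IP fw-in deny eth0 UDP 192.0.2.10:2006 198.51.100.5:111
May  4 01:52:30 dsrvlaf1 kernel: IP fw-in accept eth0 TCP 203.0.113.7:1045 198.51.100.5:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: IP fw-in "
    r"(?P<action>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line, year=1996):
    """Return one attempt record, or None for lines that are not firewall
    records.  Syslog stamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": when,
        "action": m["action"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_scanners(events, window=timedelta(seconds=60), min_ports=5):
    """Map source address -> sorted list of probed ports, for every source
    that reached at least `min_ports` distinct destination ports inside
    `window`.  Accepted and denied attempts both count: a scan is about
    breadth, not outcome."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        in_window = Counter()   # dport -> attempts currently inside the window
        left = 0
        for ev in evs:
            in_window[ev["dport"]] += 1
            # slide the left edge forward until the window fits again
            while ev["time"] - evs[left]["time"] > window:
                old = evs[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                scanners[src] = sorted({e["dport"] for e in evs})
                break
    return scanners


def scan_report(log_text, **kwargs):
    """Parse a whole log text and return the scanner map."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return find_scanners(events, **kwargs)


if __name__ == "__main__":
    for src, ports in scan_report(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

On the sample log only 192.0.2.10 is reported (six distinct ports in six seconds); 203.0.113.7 touches port 25 twice, which is ordinary mail traffic and stays below the threshold. The sliding window is what keeps a slow trickle of legitimate connections from accumulating into a false alarm over a whole day.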
Doug Hughes Engineering Network Services doug@eng.auburn.edu Auburn University From firewalls-owner Sat May 4 19:41:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA08357 for firewalls-outgoing; Sat, 4 May 1996 19:39:46 -0700 (PDT) Received: from ns1.ptd.net (ns1.ptd.net [198.80.46.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA08332 for ; Sat, 4 May 1996 19:39:39 -0700 (PDT) Received: from anaconda (cable005011.cable.tv13.ptd.net [204.186.5.11]) by ns1.ptd.net (8.7.3/8.7.3) with SMTP id WAA25518; Sat, 4 May 1996 22:36:49 -0400 (EDT) Message-ID: <318C1595.517A@prolog.net> Date: Sat, 04 May 1996 22:42:29 -0400 From: Stefan Gal Organization: segco.com X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.4 sun4c) MIME-Version: 1.0 To: postmaster@montclair.edu CC: Randy Marchany , firewalls@GreatCircle.COM Subject: Re: Fakemail References: <199604261950.RAA21538@untraceable.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk John Doe wrote: > > >I've been following the fakemail thread for some time and nobody has mentioned > >that it is quite trivial to trace the note back to the originating machine. > >"Trivial" if you have logs at your 'access' points into your net. > > trivial, eh? trace this one... 
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by ns1.ptd.net (8.7.3/8.7.3) with ESMTP id RAA03374 for ; Fri, 26 Apr 1996 17:21:59 -0400 (EDT)
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP id QQandt13375; Fri, 26 Apr 1996 17:19:38 -0400 (EDT)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05632 for firewalls-outgoing; Fri, 26 Apr 1996 12:57:31 -0700 (PDT)
Received: from apollo.montclair.edu (apollo.montclair.edu [130.68.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA05624 for ; Fri, 26 Apr 1996 12:57:21 -0700 (PDT)
Received: from mail.untraceable.net by apollo.montclair.edu with SMTP ; Fri, 26 Apr 96 15:52:02 EST
Received: (from devnull@localhost) by mail.untraceable.net (8.6.12/8.6.6) id RAA21538 for marchany@vtserf.cc.vt.edu; Fri, 26 Apr 1996 17:50:24 -0200

good enough for ya...I particularly like the devnull@localhost by mail.untraceable.net bit, so are you a Montclair student, wannabe hacker or just think you're slick? pretty cute trick, though.

--
Stefan Gal voice: 610-760-0747
c/o S.E.G. Co. email: sgaul@prolog.net
NOTE: standard disclaimer applies and send all flames > /dev/null

From firewalls-owner Sat May 4 20:41:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA12380 for firewalls-outgoing; Sat, 4 May 1996 20:29:21 -0700 (PDT)
Received: from bridge.coy.com (bridge.coy.com [206.224.78.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA12374 for ; Sat, 4 May 1996 20:29:16 -0700 (PDT)
Received: (from coy@localhost) by bridge.coy.com (8.7.1/8.7.1) id VAA15767; Sat, 4 May 1996 21:30:02 -0500
Date: Sat, 4 May 1996 21:30:00 -0500 (CDT)
From: Chip Coy
To: zarquon@popalex1.linknet.net
cc: Firewalls
Subject: Re: Linux network monitoring
In-Reply-To: <199605040649.BAA01768@dsrvlaf1-24.linknet.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(Personally, I use Doug Hughes' klaxon, but that's not the tool you described)

Sounds like you're looking for Argus, (to quote the announce) "a generic IP network transaction auditing tool. Argus runs as an application level daemon, promiscuously reading network datagrams from a specified interface, and generates network traffic status records for the network activity that it encounters". It's from CMU, it's built on top of libpcap (the low-level library used by tcpdump). Argus is a bit of a cpu hog on linux at the moment (all packets come up to the application, rather than being filtered in the kernel as on UNIX systems with the Berkeley Packet Filter in the kernel). See ftp://ftp.sei.cmu.edu/pub/argus-1.5 for more information.

Chip.

On Sat, 4 May 1996 zarquon@popalex1.linknet.net wrote:
> What I would really like is a tool like one I saw in use a
> while back, but have been unable to locate. It could detect attempted
> connections on any ports, giving it the ability to effectively detect port
> scans in any port range, while *not* accepting any connections.
> In other words, whoever attempted to connect would *not* have the connection accepted,
> but it would still be logged as a connection attempt.

Chip Coy coy@coy.com http://bridge.coy.com/~coy/
"Do not mistake composure for ease." - Tuvok

From firewalls-owner Sat May 4 21:26:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA15387 for firewalls-outgoing; Sat, 4 May 1996 21:12:50 -0700 (PDT)
Received: from i-2000.com (i-2000.com [204.97.92.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA15381 for ; Sat, 4 May 1996 21:12:46 -0700 (PDT)
From: edpaudit@i-2000.com
Received: from [204.97.93.218] (edpaudit.dh.i-2000.com [204.97.93.218]) by i-2000.com (8.7.5/8.7) with SMTP id AAA26036 for ; Sun, 5 May 1996 00:10:57 -0400 (EDT)
Date: Sun, 5 May 1996 00:10:57 -0400 (EDT)
Message-Id: <199605050410.AAA26036@i-2000.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Subject: Internet Providers
To: Firewalls@GreatCircle.COM
In-Reply-To: <199605040800.BAA18262@miles.greatcircle.com>
X-Mailer: SPRY Mail Version: 04.10.06.22
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All of the internet providers that someone has given an opinion on in this country can be found at www.thelist.com

Jeffrey Loewenstein
edpaudit@i-2000.com

From firewalls-owner Sun May 5 07:11:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA08764 for firewalls-outgoing; Sun, 5 May 1996 06:58:52 -0700 (PDT)
Received: from iez.com (mail.iez.com [194.218.38.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA08748 for ; Sun, 5 May 1996 06:58:39 -0700 (PDT)
Received: by iez.com (AIX 3.2/UCB 5.64/4.03) id AA10328; Sun, 5 May 1996 15:53:31 +0200
Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) id sma011606; Sun May 5 15:53:20 1996
Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) id AA15587; Sun, 5 May 1996 15:52:47 +0200
Message-Id: <9605051352.AA15587@spibm02>
Received: from inhps-a by iez.com with SMTP (1.37.109.4/16.2) id AA19845; Sun, 5 May 96 15:52:46 +0200
Received: by inhps-a (1.38.193.3/16.2) id AA08481; Sun, 5 May 96 15:52:44 +0200
From: Rolf Weber
Subject: Re: disabling IP forwarding on HP-UX
To: firewalls@greatcircle.com (firewalls)
Date: Sun, 5 May 1996 15:52:44 +0200 (MESZ)
Cc: haddad@flamejr.hpl.hp.com
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

did i really write this???

>
> >
> > Has anyone ever tried to disable ip forwarding on HP-UX 10.0x? I need to do
> > that, and I've tried modifying vmunix using adb, rebuilding the kernel with
> > IP_FORWARDING undefined -- no luck. Also, I couldn't find any mention of it
> > in the documentation -- but that doesn't mean it's not there, just not indexed
> > or in a likely place.
> >
> > Any ideas? What about on HP-UX 9.0x?
> >
> i called the HP hotline for this, they told me to do:
>
no offense intended against the HP hotline. i'm *really* content with them, i surely misunderstood something...

> > $ adb -w /hp-ux /dev/kmem
> > ipforwarding?/ W 0 <--kernel
> > ipforwarding/ W 0 <--memory
> > ^D
> > but then we chose to take AIX as firewall OS.
> later, i tried it just for fun, but it didn't work.
> please let me know if you get it to work, i don't need it anymore,
> but i'm still interested.
>
sorry, this mail was not intended to go to the list...

thanx to peter haddad who told me the right way.

# adb -k -w /hp-ux /dev/kmem (or /vmunix for 10.0)
ipforwarding?W0 <--kernel
ipforwarding/W0 <--memory

works (the real paranoid, however, should test if the forwarding is really disabled).

sorry again, my fault.

rolf
--
-----------------------------------------
Rolf Weber | All I ask is a chance
IEZ AG D-64625 Bensheim | to prove that money
++49-6251-1309-113 | can't make me happy.
From firewalls-owner Sun May 5 09:56:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA14238 for firewalls-outgoing; Sun, 5 May 1996 09:47:46 -0700 (PDT) Received: from scratchy.mi.net (scratchy.mi.net [198.164.253.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA14225 for ; Sun, 5 May 1996 09:47:39 -0700 (PDT) Received: (from node2001@localhost) by scratchy.mi.net (8.6.9/8.6.12) id NAA12836 for firewalls@greatcircle.com; Sun, 5 May 1996 13:45:29 -0300 >Received: by node2001.com (1.65/waf) via UUCP; Sun, 05 May 96 13:38:22 EDT for firewalls@greatcircle.com To: firewalls@greatcircle.com Subject: disconnect From: lskywalk@node2001.com (Barry Harris) Message-ID: Date: Sun, 05 May 96 13:38:16 EDT Organization: Node2001 Waffle BBS, Saint John, NB, Canada (506) 652-9662 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk disconnect lskywalk@node2001.com (Barry Harris) Node2001 UUCP and Mail Site -- +1 506 652 9662 From firewalls-owner Sun May 5 12:41:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA20225 for firewalls-outgoing; Sun, 5 May 1996 12:27:00 -0700 (PDT) Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.108]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA20218 for ; Sun, 5 May 1996 12:26:53 -0700 (PDT) Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net id ac22872; 5 May 96 19:24 GMT Received: from ipsiss.demon.co.uk ([158.152.81.68]) by relay-3.mail.demon.net id aa16813; 5 May 96 20:23 +0100 Received: (from cyber@localhost) by ipsiss.demon.co.uk (8.6.12/v3.0) id RAA00606; Sun, 5 May 1996 17:40:06 GMT Date: Sun, 5 May 1996 17:40:03 +0000 (GMT) From: CyberJunkie To: Fin cc: Firewalls@greatcircle.com Subject: Re: VNPs and things -- In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM 
Precedence: bulk

On Thu, 25 Apr 1996, Fin wrote:

> This is my first posting, so please be gentle :)

Well this is my first too so.......

> To elaborate on this, Bad Guys simply hang round places where people use
> mobile phones lots, such as motorway service stations, sit with a laptop
> and scan analogue (V. difficult with digital phones) usage....they can

Not usually, one of the most common methods is once you have built your snarfer (ddi), you drive through the nearest big city, or go wait at an airport for a bit. To build a snarfer all you require is a scanner that can scan the mobile frequencies, some electronics experience and the plans for the ddi mod. As far as digital phones go, it is impossible to 'clone' them AT THE MOMENT. It won't be long, and you can, with the right equipment, already listen to GSM digital phones.

As far as preventative steps go, most analogue providers are appallingly lax. Vodafone claims that cloned esns usually die within a day or two. Wrong. The shortest i have had an esn for was 3 days, the longest 3 weeks and 2 days. The only safe esns at the moment are the ones with PIN numbers attached to them. Yet due to the high cost of replacing ALL old analogue phones with more modern PIN compatible ones, the providers haven't made them universal (hehe well actually about 3 in 400 esns i snarf at the moment have pins).

> then simply (all you need is the right software and the right cables)
> program a decommissioned phone (also relatively easy to get hold of) et

Software which can be obtained from most bbs's, and cable which are usually built from hands free adapters for the phone concerned. If you have a pinout for a phone (analogue) it can be cloned. The only protection currently, are phones that will only allow one or two changes of the esn, before the phone has to be sent to a registered reseller who can reset it.

> voila! More worrying is the advent of the so-called magic
> phone, which can store many (well, about 10 at the moment I think)

Unfortunately the so called 'tumbler' chip doesn't exist. It's a bit like the holy grail of cellular fraud. Nor do the chips that allow phones to scan esns off of the airwaves (in fact these will NEVER exist). Most of these 'superchips' have been invented by the media. There is a tumbler chip in production (when it will come out is a matter of discussion). Remember, don't believe most of the garbage that the media spouts, especially in areas like cellular fraud, as at the moment they are very misinformed.

> authorisation codes, and randomly chooses one each time the phone is
> used...these can only be picked up by scrutinising your phone bill. Or,
> you could just buy a digital phone :)

Cellular fraud can be picked up through many ways. The most common is the presence of two (or more) phones with the same electronic identities, on the same network. Other things that 'kill' the esn are, Two (or more) people answering a call at the same time; calling the operator and saying "hi, I'm on a cloned phone" and supposedly the esn will die if a call is made in one place, and then shortly after in another place miles away. although i have yet to find evidence for this (other than what the cellphone companies say).

yeah buy a digital phone. Oranges are pretty good, but remember they won't be safe for ever. Nothing is safe for ever. My advice is only use a mobile phone if you really have to, and don't use an analogue phone for anything confidential. Besides no one knows for sure, what the effect of prolonged exposure to mobile phones will have ......yet.

>
> Fin
>

Cyberjunkie

From firewalls-owner Sun May 5 14:26:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA24729 for firewalls-outgoing; Sun, 5 May 1996 14:21:22 -0700 (PDT)
Received: from nova.unix.portal.com (nova.unix.portal.com [156.151.1.101]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA24715 for ; Sun, 5 May 1996 14:21:18 -0700 (PDT)
Received: from jobe.shell.portal.com (jobe.shell.portal.com [156.151.3.4]) by nova.unix.portal.com (8.6.11/8.6.5) with ESMTP id OAA06626 for ; Sun, 5 May 1996 14:17:48 -0700
Received: (hfinney@localhost) by jobe.shell.portal.com (8.6.11/8.6.5) id OAA02662 for firewalls@GreatCircle.COM; Sun, 5 May 1996 14:17:47 -0700
Date: Sun, 5 May 1996 14:17:47 -0700
Message-Id: <199605052117.OAA02662@jobe.shell.portal.com>
To: firewalls@GreatCircle.COM
From: anonymous-remailer@shell.portal.com
Comments: This message is NOT from the person listed in the From line. It is from an automated software remailing service operating at that address. THE PORTAL SYSTEM DOES NOT CONDONE OR APPROVE OF THE CONTENTS OF THIS POSTING. Please report problem mail to .
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have a complete developer workstation from Interactive Systems Corp, Santa Monica, California. Is there any way I can install this package to the Internet through my ISP or standalone PC? It comes with Interactive TCP/IP also?
From firewalls-owner Sun May 5 15:11:48 1996
From: Matthew Keenan
Subject: Re: Firewalls-Digest V5 #289
To: pclow@pc.jaring.my (peng-chiew low)
Cc: casey@justice.usdoj.gov, Firewalls@GreatCircle.COM
Date: Mon, 6 May 1996 07:59:57 +1000 (EST)
In-Reply-To: <318A9DB8.ED5@pc.jaring.my> from "peng-chiew low" at May 4, 96 06:58:48 am

casey@justice.usdoj.gov wrote:
> I am looking for a list of all the Internet Service Providers
> world-wide. Can anyone point me in the right direction?

You are kidding, right? How long is a piece of string? What is the name of every person living in the US? I think you'll find this is a much bigger task than you think.. Try going to see a census bureau of some kind; they would probably be better at getting you this kind of information.. Then go and do the same for every country in the world.

Matt
--
Matthew Keenan, Network Administrator
First Pacific Stockbrokers, Sydney, Australia
+61 2 394 4320 / 0412 100 262

From firewalls-owner Sun May 5 21:56:43 1996
Date: Sun, 05 May 1996 21:51:08 -0700
To: firewalls@greatcircle.com
From: Carl V Claunch
Subject: Java/JavaScript screening patch update

A minor enhancement to my version 2 patch against the TIS firewall toolkit http-gw component is available now on http://www.hdshq.com/fixes/fwtk/welcome.html. The enhancement adds recognition of livescript: as a synonym for javascript: in the protocol field of a URL when screening JavaScript. This patch is only usable with the Trusted Information Systems firewall toolkit.
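The screening rule the patch announcement describes, as an added example that is not Carl Claunch's patch nor TIS fwtk code: a stand-alone Python check that treats livescript: and javascript: as the same scheme. It goes a little beyond the message by comparing the scheme case-insensitively and ignoring whitespace or control characters before it; that browsers tolerated such leading characters is an assumption of this example, not a statement from the message. The sample attribute values and the "#" replacement text are constructed here.

```python
"""Screening script URLs by scheme, as the http-gw patch above does.

Added example, not part of the original message or of TIS fwtk.  The scheme is
compared case-insensitively and leading whitespace/control characters are
skipped (assumed browser leniency), so "  LiveScript:..." is caught as well.
"""
import re
from typing import Optional

# Schemes that make the browser execute script; both spellings are screened.
SCRIPT_SCHEMES = frozenset({"javascript", "livescript"})

# Characters a lenient browser skips before the scheme: everything up to and
# including ASCII space.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))

# RFC 1738 scheme: a letter, then letters, digits, "+", "-" or ".", then ":".
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def url_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme of *url*, or None when it has none.

    Relative references ("images/a.gif") and values whose first word is not a
    well-formed scheme yield None and are left alone by the screen.
    """
    match = _SCHEME_RE.match(url.lstrip(_LEADING_JUNK))
    return match.group(0)[:-1].lower() if match else None


def is_script_url(url: str) -> bool:
    """True when the URL's protocol field names a script scheme."""
    return url_scheme(url) in SCRIPT_SCHEMES


def screen_attribute(value: str) -> str:
    """Return an href/src value unchanged, or an inert "#" if it is a script URL.

    The replacement text is this example's choice; the message does not say
    what http-gw substitutes.
    """
    return "#" if is_script_url(value) else value


if __name__ == "__main__":
    # Constructed attribute values; none are taken from the original message.
    for value in [
        "http://www.hdshq.com/fixes/fwtk/welcome.html",
        "javascript:history.back()",
        "LiveScript:history.back()",
        "\t javascript:history.back()",
        "mailto:firewalls@greatcircle.com",
        "images/a.gif",
    ]:
        verdict = "screened" if is_script_url(value) else "passed"
        print(f"{value!r:45} {verdict}")
```

Matching on the normalised scheme rather than on the literal string "javascript:" is what makes a synonym like livescript: a one-line addition to the set instead of a second code path.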
From firewalls-owner Mon May 6 00:26:49 1996
Date: Mon, 06 May 1996 09:18:43 +0200
From: Compusec
To: firewalls-digest@greatcircle.com
Subject: (no subject)

signoff firewalls jblas@lander.es

From firewalls-owner Mon May 6 01:26:50 1996
Date: Mon, 6 May 1996 07:56:14 GMT
From: mchurchi@esoc.esa.de (Martin Churchill)
To: firewalls-digest@GreatCircle.COM

signoff firewalls mchurchi@esoc.esa.de

Martin Churchill
Unix Systems Administrator
European Space Operations Centre, European Space Agency
Robert-Bosch Strasse 5, 64293 Darmstadt, Germany
mchurchi@esoc.esa.de

From firewalls-owner Mon May 6 02:26:51 1996
Date: Mon, 6 May 1996 11:15:31 +0100
To: Firewalls@GreatCircle.COM
From: security@crpht.lu (Bruno MAMER)
Subject: FTP thru DIGITAL FW

Hello all,

I have a question for those of you who use the DIGITAL firewall. I am trying to connect through the firewall from the outside to the inside with FTP clients on PCs and Macintosh, but it doesn't work.

I have defined a user in the firewall user database. The user should be able to connect out-->in after authenticating with S/Key on the firewall. But the normal procedure is to connect to the proxy server and indicate in the user field something like "user@host.domain.lu". So when the user tries to authenticate, the proxy server apparently takes "user@host.domain.lu" as his ID for checking the S/Key password instead of just "user", and it answers that it doesn't know this user.

I could of course define users with IDs "user@host.domain.lu", but that would mean one ID per host.... :-(

If someone has a solution, I'd be glad to hear it.

TIA
Bruno
_________________________________________________________________________
Bruno MAMER                                      bruno.mamer@crpht.lu
Centre de Recherche Public Henri Tudor
Computing and Network Services
Our local archive on security: http://www.crpht.lu/CNS/html/PubServ/Security/security-home.html
-------------------------------------------------------------------------

From firewalls-owner Mon May 6 04:11:54 1996
Date: Mon, 06 May 1996 12:52:40 +0200
From: Alain BERGUERAND
Organization: SNCF Recherche
To: firewalls-digest@GreatCircle.COM
Subject: singoff

signoff firewalls Berguerand@dr.sncf.fr

From firewalls-owner Mon May 6 06:41:49 1996
Date: Mon, 06 May 96 09:21:03 EDT
From: "Bob Fallon"
To: firewalls-digest@GreatCircle.COM
Subject: Re: singoff

signoff firewalls fallonb@corp.macom.com

From firewalls-owner Mon May 6 06:57:15 1996
From: Phillippe Welsh
Subject: Re: Linux network monitoring
To: zarquon@popalex1.linknet.net
Date: Mon, 06 May 1996 8:45:56 CDT
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199605040649.BAA01768@dsrvlaf1-24.linknet.net>; from "zarquon@popalex1.linknet.net" at May 4, 96 1:49 am

> ...
> What I would really like is a tool like one I saw in use a
> while back, but have been unable to locate. It could detect attempted
> connections on any ports, giving it the ability to effectively detect port
> scans in any port range, while *not* accepting any connections. In other
> words, whoever attempted to connect would *not* have the connection accepted,
> but it would still be logged as a connection attempt.

I use a modification of rexec by Doug Hughes (email Doug.Hughes@eng.auburn.edu) called klaxon. Works very well. Give it a try. Hope this helps.

His home page:
http://www.eng.auburn.edu/users/doug/second.html

The program itself:
ftp://ftp.eng.auburn.edu/pub/doug/klaxon.tar.gz

--
Phillippe J. Welsh          Internet: welshpj@cassens.com
Cassens Transport           Voice:
145 N. Kansas Str.          Std disclaimers apply.
Edwardsville, IL 62025      (But you knew that!)

From firewalls-owner Mon May 6 09:26:54 1996
From: casey@justice.usdoj.gov
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #289
Date: Mon, 6 May 1996 12:25:29 -0400 (EDT)

Dear All:

I recently posted to the list asking for assistance in locating a list of ISPs worldwide. In addition to working, I am a graduate student trying :-( to get some background info on who is in the field. In an effort to be helpful, I included my full name and office address. Some of you have been very helpful and indeed "point(ed) me in the right direction" of thelist.com. Thank you. Others were less polite. I don't really understand why people feel comfortable typing things that they would never say in person. But that's a subject for a different grad student perhaps.

Sincerely,

Mary Casey

From firewalls-owner Mon May 6 09:56:47 1996
Date: Mon, 6 May 1996 12:47:46 +0000 (GMT)
From: Jeff Fay
To: Phillippe Welsh
cc: zarquon@popalex1.linknet.net, firewalls@GreatCircle.COM
Subject: Re: Linux network monitoring
In-Reply-To: <199605061345.IAA00256@zot.cassens.com>

On Mon, 6 May 1996, Phillippe Welsh wrote:

> > ... What I would really like is a tool like one I saw in use a
> > while back, but have been unable to locate. It could detect attempted
> > connections on any ports, giving it the ability to effectively detect port
> > scans in any port range, while *not* accepting any connections. In other
> > words, whoever attempted to connect would *not* have the connection accepted,
> > but it would still be logged as a connection attempt.
>
> I use a modification of rexec by Doug Hughes (email Doug.Hughes@eng.auburn.edu)
> called klaxon. Works very well. Give it a try. Hope this helps.
>
> His home page:
> http://www.eng.auburn.edu/users/doug/second.html
>
> The program itself:
> ftp://ftp.eng.auburn.edu/pub/doug/klaxon.tar.gz
>

Would this detect against stealth port scanning? I once read an article about stealth port scanning where you send TCP packets with FIN. Supposedly this type of port scanning can work through most firewalls... Sorry, I don't have all of the details about stealth port scanning... once I find that article again I will post it to those that are interested.

-Jeff Fay
fay@bliss.stetson.edu

From firewalls-owner Mon May 6 10:11:59 1996
From: cert-it@dsi.unimi.it
Date: Mon, 6 May 1996 19:00:02 +0200 (MET DST)
To: stel-channels@idea.sec.dsi.unimi.it
Cc: cert-it@dsi.unimi.it
Subject: STEL b5 released

-----BEGIN PGP SIGNED MESSAGE-----

STEL beta5 has been released.

1. WHAT IS STEL?

STEL is a free telnet surrogate which provides strong mutual authentication, encryption, secure file transfer, automatic S/Key password generation, centralization and management of S/Key passwords and more.

2. WHERE IS STEL AVAILABLE?

STEL is available as:
ftp://idea.sec.dsi.unimi.it/cert-it/stel.tar.gz

Please note that ftp.dsi.unimi.it is not supporting security stuff anymore. All the security archive has been moved to idea.sec.dsi.unimi.it.

3. WHAT IS THE STATUS OF STEL?

The latest version of STEL is beta 5. It has been (quite) extensively tested on the following systems:
hpux sunos4 solaris24 solaris25 irix linux aix

It has been reported to work (but no testing) on:
ultrix freebsd bsdi

Bug reports, comments and suggestions should be sent to:
stel-authors@idea.sec.dsi.unimi.it

- --
********************************************************
******** Computer Emergency Response Team ITALY ********
********************************************************
E-mail: cert-it@idea.dsi.unimi.it
Mailing list: unix-security-request@idea.sec.dsi.unimi.it
Ftp: ftp://idea.sec.dsi.unimi.it
WWW: http://idea.sec.dsi.unimi.it

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3

mQBNAi1eowgAAAECAOTEMFRZHfBb+ndAmdk3vl20EpynEWwB3ZJo/ocZUXgSjBKS
op11p19WyyTV9eW2Sosu9GoC4i7VLDiuFRfmKZUABRG0HkNFUlQtSVQgPGNlcnQt
aXRAZHNpLnVuaW1pLml0PokAVQIFEC1epVbakBlHrAS41wEBnskB/iXnREAs044y
ngOa8uJtYwFaDKc15GUKx9VV2klikcoWKPgaD6WjFs82HmdY86IQL2bFTi8FTKS2
2auGllxW2zaJAJUCBRAtXqV3kbMTtv2Q670BAccAA/sFW+OVkfr8FnClSAlD7fQc
/PL0y8qDF4hYx3tIw1utM5zRGlti+KIOpuUIkQpIX4j8f9lIe/cihL5rlusQFsX4
d7cEJWW8GUM3+/mv89jM0ds6IX9KjfJAQPvPFr5rlRgmHdVm9K4ugCTkOzGsv1E4
o5+ZCN5dJW0+EbmjoghwoA==
=WPYC
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQBVAwUBMY4wESw4rhUX5imVAQFs1gIAuYqr5IAWRoFQzm71sWdBJCOKTCq/G4ti
eucdKJ+5FlmyeQUavWseepozKF019KXElfoHkDVdjl8bnyhFIm7u1w==
=nQd0
-----END PGP SIGNATURE-----

From firewalls-owner Mon May 6 10:26:59 1996
From: "Norton, Dave"
To: Firewalls-post, "'gonzales'"
Subject: Re: DHCP and BOOTP
Date: Mon, 06 May 96 11:07:00 PDT

On Fri, 3 May 1996, Ing. Rosa Isela Gonzalez Alvarez. wrote:
> Hello,
>
> Could somebody tell me what's the difference between bootp and dhcp
> server?
>
> Thanks in advance, any responses are appreciated.
>
> Ing. Rosa Isela Gonzalez Alvarez
> Universidad Autonoma de Ciudad Juarez
> Av. Adolfo Lopez Mateos # 20
> C.P. 32310
> Tel. 11-08-86
> e-mail address rgonzale@uacj.mx
>

Rosa,

You might want to review the following RFCs concerning the relationship and interoperability of these two methodologies. You can obtain the text from NIC.DDN.MIL, using "anonymous/guest" (uid/pw) FTP, under the (UNIX) directory path /rfc/rfc####... Also note that RFCs 1541 and 1542 are current references for these protocols individually.

1534 Droms, R. Interoperation Between DHCP and BOOTP. 1993 October; 4 p. (Format: TXT=6967 bytes)

1533 Alexander, S.; Droms, R. DHCP Options and BOOTP Vendor Extensions. 1993 October; 30 p. (Format: TXT=50920 bytes) (Obsoletes RFC 1497)

For whatever it's worth, both of these methods make me a bit nervous from the perspective of *accountable* secure systems...

Dave Norton
Trane
dnorton@trane.com

From firewalls-owner Mon May 6 12:45:12 1996
Date: Mon, 6 May 1996 14:26:44 -0500
To: firewalls@GreatCircle.COM
From: "Ing. Rosa Isela Gonzalez Alvarez."
Subject: Tape question ...

Hello,

I don't know if this is the correct place to ask this question: I want to connect an EXABYTE EXB-2501T tape unit (it's a SCSI device) to a DEC 3000 (Digital) Alpha OSF/1. I'm having some problems making it readable. Any suggestions are appreciated.

Ing. Rosa Isela Gonzalez Alvarez
Universidad Autonoma de Ciudad Juarez
Av. Adolfo Lopez Mateos # 20
C.P. 32310
Tel. 11-08-86
e-mail address rgonzale@uacj.mx

From firewalls-owner Mon May 6 15:12:01 1996
From: Doug Hughes
Date: Mon, 6 May 1996 16:14:07 -0500
Subject: Re: Linux network monitoring
To: firewalls@GreatCircle.COM

No, klaxon does not detect stealth port scanning. I've often thought about writing a program that does, using DLPI/NIT, but haven't actually done it. It wouldn't be terribly difficult to do.. Courtney purportedly does detect stealth scanning attacks. But then, it's a lot more functional (and bigger) all around.

[ Replies to this posting should be directed to the firewalls list and not to the author of the post, unless it is personal. Thanks ]

--
____________________________________________________________________________
Doug Hughes                                 Engineering Network Services
System/Net Admin                            Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Mon May 6 15:41:58 1996
From: Brian Beebe
To: "'Firewalls@greatcircle.com'"
Subject: Cisco Access-lists
Date: Mon, 6 May 1996 17:25:53 -0600

I have set up a router as access to an Internet provider. Everything works fine until I add the following access-list.

    access-list 101 permit tcp any any established
    access-list 101 permit tcp any any eq 53
    access-list 101 permit udp any any eq 53
    access-list 101 permit tcp any host A.B.C.70 eq 21
    access-list 101 permit tcp any host A.B.C.70 eq 20
    access-list 101 permit tcp any host A.B.C.70 eq 25
    access-list 101 permit icmp any any
    access-list 101 permit tcp any host A.B.C.70 eq 80

    int e 0
    ip access-group 101 out

This ethernet is the internal network.

            Internet
               |
               |
         ------S0--------
         |              |
         ------E0--------
               |
      -----------------------
               |
           |---------|
           |  WIN95  |
           |---------|

The FTP, HTTP, and SMTP server is at A.B.C.70. I can access all of these functions from the Internet fine.
The DNS server is external to the router. When a Windows 95 client tries to do anything that requires a name lookup, it does not make it. Going to an IP address works fine. Something is preventing DNS queries. When I type the command "show ip access-list", only the first access-list shows any counts.

DNS should be using UDP to 53, right? And the external DNS server should respond to the client's port 53, right? So what am I doing wrong?

Brian Beebe

From firewalls-owner Mon May 6 15:57:05 1996
Date: Tue, 7 May 1996 08:46:25 +0100
To: firewalls-digest@GreatCircle.COM
From: MiFoong.Hall@admin.utas.edu.au (Tiny Hall)

signoff firewalls mhall@postoffice.newnham.utas.edu.au

From firewalls-owner Mon May 6 16:41:51 1996
Date: Mon, 6 May 1996 19:26:20 -0400
From: johns@oxygen.house.gov (John Schnizlein)
To: Firewalls@greatcircle.com, beebe@burgoyne.com
Subject: Re: Cisco Access-lists

> I have set up a router as access to an Internet provider. Everything
> works fine until I add the following access-list.
>
> access-list 101 permit tcp any any established
> access-list 101 permit tcp any any eq 53
> access-list 101 permit udp any any eq 53
> access-list 101 permit tcp any host A.B.C.70 eq 21
> access-list 101 permit tcp any host A.B.C.70 eq 20
> access-list 101 permit tcp any host A.B.C.70 eq 25
> access-list 101 permit icmp any any
> access-list 101 permit tcp any host A.B.C.70 eq 80
>
> int e 0
> ip access-group 101 out
>
> This ethernet is the internal network.

The Internet connection is on the serial 0 of this router.

> The FTP, HTTP, and SMTP server is at A.B.C.70. I can access all of these
> functions from the Internet fine. The DNS server is external to the
> router. When a Windows 95 client tries to do anything that requires a
> name lookup it does not make it. Going to an IP address works fine.
> Something is preventing DNS queries. When I type the command
> show ip access-list only the first access-list shows any counts.
>
> DNS should be using UDP to 53, right? And the external DNS server should
> respond to the client's port 53, right? So what am I doing wrong?

The wrong assumption is that the name resolver (client) is at UDP port 53. Many DNS resolver "sessions" could be active at the same time, so many resolvers use dynamic UDP ports. To make this work, you would need to "permit udp any", which is not very safe against attacks including address spoofs if you have NFS. Many organizations avoid this risk by configuring a DNS server inside the packet screen to forward queries out over the Internet for local resolvers. Many DNS servers make the forwarded query from (their own) UDP port 53, so you might not have to expose this server to unrestricted UDP ports either.
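The behaviour described in this exchange, worked through as an added example that is neither Cisco code nor part of the thread: a small Python model of extended access-list 101 as Brian posted it, evaluated the way IOS does (first match wins, implicit deny at the end). It parses only the forms the posted list uses, and runs constructed packets through it: the DNS reply to the Windows 95 client, the reply to an internal forwarder that queries from its own port 53, and what the "permit udp any any" shortcut would additionally let in. A.B.C.70 is from the message; every other address and port number is constructed for the example.

```python
"""Model of the posted access-list 101: why the Win95 client's DNS replies die.

Added example, not Cisco code and not from the thread.  Only the forms the posted
list uses are modelled ("any" / "host X" addresses, "eq N" ports, "established");
wildcard masks, port ranges and "log" are not.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) set, i.e. part of an existing session


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: Optional[str] = None    # None stands for "any"
    dst: Optional[str] = None
    sport: Optional[int] = None  # "eq N" written after the source address
    dport: Optional[int] = None  # "eq N" written after the destination address
    established: bool = False    # only TCP segments with ACK or RST set

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in (None, p.src)
                and self.dst in (None, p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))


def _parse_endpoint(t: List[str], i: int):
    """Consume "any" or "host X" and an optional "eq N"; return (addr, port, next index)."""
    if t[i] == "any":
        addr, i = None, i + 1
    elif t[i] == "host":
        addr, i = t[i + 1], i + 2
    else:
        raise ValueError("only 'any' and 'host X' are modelled, got " + t[i])
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return addr, port, i


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny proto src [eq N] dst [eq N] [established]' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                     # blank line or an unrelated statement
        src, sport, i = _parse_endpoint(t, 4)
        dst, dport, i = _parse_endpoint(t, i)
        established = i < len(t) and t[i] == "established"
        rules.append(Rule(t[2], t[3], src, dst, sport, dport, established))
    return rules


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule decides; an IOS access list ends with an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# The list exactly as posted; it is applied outbound on E0, so the packets
# below are the ones leaving the router toward the internal LAN.
ACL_101 = parse_acl("""
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 53
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any host A.B.C.70 eq 21
access-list 101 permit tcp any host A.B.C.70 eq 20
access-list 101 permit tcp any host A.B.C.70 eq 25
access-list 101 permit icmp any any
access-list 101 permit tcp any host A.B.C.70 eq 80
""")
# The blunt fix the reply warns against: the same list plus "permit udp any any".
ACL_101_OPEN_UDP = ACL_101 + [Rule("permit", "udp")]

# Constructed addresses (not from the thread): outside DNS and web servers, the
# Win95 client, and an internal caching DNS server that queries from UDP port 53.
EXT_DNS, EXT_WEB = "198.51.100.53", "203.0.113.9"
WIN95, FORWARDER, SERVER = "A.B.C.101", "A.B.C.5", "A.B.C.70"

SAMPLES: Dict[str, Packet] = {
    # The client's resolver queried from a dynamic port, so the reply is addressed
    # to that port and "permit udp any any eq 53" never matches it.
    "dns reply to win95 client": Packet("udp", EXT_DNS, WIN95, sport=53, dport=1034),
    # A reply to the forwarder is addressed to port 53 and gets through.
    "dns reply to forwarder": Packet("udp", EXT_DNS, FORWARDER, sport=53, dport=53),
    "http request to server": Packet("tcp", EXT_WEB, SERVER, sport=40000, dport=80),
    # Return traffic of a session the client opened: ACK set, "established" matches.
    "web reply to win95 client": Packet("tcp", EXT_WEB, WIN95, sport=80, dport=1035, ack=True),
    # An unsolicited datagram at the NFS port: the exposure "permit udp any any" adds.
    "udp to nfs port on client": Packet("udp", EXT_WEB, WIN95, sport=40001, dport=2049),
}


def verdicts(acl: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against *acl*."""
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}
```

Run `verdicts(ACL_101)` and `verdicts(ACL_101_OPEN_UDP)` side by side: the posted list drops the client's DNS reply but passes the forwarder's, which is the whole of the fix the reply recommends, while the "permit udp any any" shortcut passes the client's reply only at the price of also passing the unsolicited datagram to the NFS port.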
-- John From firewalls-owner Mon May 6 16:57:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09713 for firewalls-outgoing; Mon, 6 May 1996 16:45:47 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA09696 for ; Mon, 6 May 1996 16:45:35 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id TAA17989; Mon, 6 May 1996 19:38:24 -0400 Date: Mon, 6 May 1996 19:38:19 -0400 (EDT) From: Rabid Wombat To: firewalls@greatcircle.com Subject: RFI - re: Identifier assignments in Sun OS Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know how ICMP echo identifier and sequence fields are assigned in Sun OS? Checked rfc 792 & 950, doesn't appear to be mandated by RFC. TIA ---------------------------------------- Rabid Wombat wombat@mcfeely.bsfs.org ---------------------------------------- From firewalls-owner Mon May 6 17:57:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA13932 for firewalls-outgoing; Mon, 6 May 1996 17:42:58 -0700 (PDT) Received: from revenge.net (revenge.net [206.181.184.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA13926 for ; Mon, 6 May 1996 17:42:53 -0700 (PDT) Received: (from security@localhost) by revenge.net (8.6.12/8.6.12) id TAA03762; Mon, 6 May 1996 19:43:33 GMT Date: Mon, 6 May 1996 19:43:33 +0000 () From: Security To: casey@justice.usdoj.gov cc: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #289 In-Reply-To: <9605061225.aa20825@justice.usdoj.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 6 May 1996 casey@justice.usdoj.gov wrote: > Others were less polite. 
I don't really understand > why people feel comfortable typing things that > they would never say in person. But that's a > subject for a different grad student perhaps. > > Sincerely, > > Mary Casey > simple.. because those people have some feeling of power and control while sitting in front of a computer.. something they can't acquire away from their desks.. sadly, living vicariously off of the 'net, is the only way they know how to validate their existence. don't let it discourage you.. good luck.. btw.. while thelist.com is a great resource for many ISPs.. you may just want to do a net search on altavista.digital.com or any other search engine. another option would be to check with the Internic,. since most domain names must be listed with a purpose (ie. Internet Service Provider) or just do a mass search on .net,. keep in mind, that the internic is supposed to only allow Internet Service Providers the .net ,. but you will also find many that are not.. =) security@revenge.net From firewalls-owner Mon May 6 20:11:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA19636 for firewalls-outgoing; Mon, 6 May 1996 19:56:06 -0700 (PDT) Received: from idea.sec.dsi.unimi.it (idea.sec.dsi.unimi.it [149.132.121.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA19627 for ; Mon, 6 May 1996 19:55:58 -0700 (PDT) Received: (from smap@localhost) by idea.sec.dsi.unimi.it (8.7.5/8.7.3) id EAA27326 for ; Tue, 7 May 1996 04:52:30 +0200 (MET DST) Received: from h153-64-253-5.ncr.com(153.64.253.5) by idea via smap (V1.3) id sma027324; Tue May 7 04:52:08 1996 Received: by npg-sd.SanDiegoCA.ATTGIS.COM; 6 May 96 19:52:22 PDT Message-Id: <2.2.32.19960506235221.006606b4@opus.SanDiegoCA.ATTGIS.com> X-Sender: claborne@opus.SanDiegoCA.ATTGIS.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 06 May 1996 19:52:21 -0400 To: 
stel-channels@idea.sec.dsi.unimi.it From: Chris Claborne Subject: STEL b5 released Cc: cert-it@dsi.unimi.it Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just an FYI :) From: cert-it@dsi.unimi.it -----BEGIN PGP SIGNED MESSAGE----- STEL beta5 has been released. 1. WHAT IS STEL? STEL is a free telnet surrogate which provides strong mutual authentication, encryption, secure file transfer, automatic s/Key password generation, centralization and management of s/Key passwords and more. 2. WHERE IS STEL AVAILABLE? STEL is available as: ftp://idea.sec.dsi.unimi.it/cert-it/stel.tar.gz Please note that ftp.dsi.unimi.it is not supporting security stuff anymore. The whole security archive has been moved to idea.sec.dsi.unimi.it. 3. WHAT IS THE STATUS OF STEL? The latest version of STEL is beta 5. It has been (quite) extensively tested on the following systems: hpux sunos4 solaris24 solaris25 irix linux aix It has been reported to work (but not tested) on: ultrix freebsd bsdi Bug reports, comments and suggestions should be sent to: stel-authors@idea.sec.dsi.unimi.it - -- ******************************************************** ******** Computer Emergency Response Team ITALY ******** ******************************************************** E-mail: cert-it@idea.dsi.unimi.it Mailing list: unix-security-request@idea.sec.dsi.unimi.it Ftp: ftp://idea.sec.dsi.unimi.it WWW: http://idea.sec.dsi.unimi.it ... __o .. -\<, Chris.Claborne@SanDiegoCA.ATTGIS.Com ...(*)/(*). CI$: 76340.2422 http://bordeaux.sandiegoca.attgis.com/ PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA Avail on Pub Key server. Dreams. They're just screen savers for the brain. From firewalls-owner Mon May 6 21:02:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA21256 for firewalls-outgoing; Mon, 6 May 1996 20:44:35 -0700 (PDT) Received: from ucsu.Colorado.EDU (ucsu.Colorado.EDU [128.138.129.83]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA21243 for ; Mon, 6 May 1996 20:44:30 -0700 (PDT) Received: (from sieber@localhost) by ucsu.Colorado.EDU (8.7.5/8.7.3/CNS-4.0p) id VAA04786; Mon, 6 May 1996 21:42:27 -0600 (MDT) Date: Mon, 6 May 1996 21:42:27 -0600 (MDT) From: chris sieber To: firewalls@greatcircle.com Subject: Firewall-1 Newbie Question Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings- I am currently establishing filter rules on a sparc 5 using firewall-1. Everything is pretty straightforward but I have two questions: 1) Is there a way I can define access to certain services for an entire network? (i.e. give standard telnet service to an entire subnet without defining access for each host.) I tried defining access for a network object using the subnetwork address but that didn't seem to work. 2) Is there a way I can "define" my own services and allow/disallow services not covered in the menu selection? I would like to be able to allow Netscape commerce server but am not sure how to go about it.
Thanks for your time, Chris Sieber From firewalls-owner Mon May 6 21:11:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA21445 for firewalls-outgoing; Mon, 6 May 1996 20:50:20 -0700 (PDT) Received: from gaia.internex.net (gaia.internex.net [198.67.38.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA21438 for ; Mon, 6 May 1996 20:50:15 -0700 (PDT) Received: from hidata.com by gaia.internex.net (8.6.9/InterNex-SM8.6.9) id UAA18678; Mon, 6 May 1996 20:48:12 -0700 Received: by hidata.com (SMI-8.6/SMI-SVR4) id UAA01427; Mon, 6 May 1996 20:48:11 -0700 Received: from osc(205.158.62.10) by hds-gw via smap (V1.3) id sma001425; Mon May 6 20:47:46 1996 Received: from enterprise by osc.hidata.com (SMI-8.6/SMI-SVR4) id UAA20058; Mon, 6 May 1996 20:47:45 -0700 Date: Mon, 6 May 1996 20:47:45 -0700 Message-Id: <199605070347.UAA20058@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: Ethernet MAC address to Firewall Q? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With some reply help and RTF(textbooks), I discovered my problem. An odd byte 0 of the six byte ethernet address marks the packet as a multicast packet(bit 47). Bytes are sent bitwise backwards on the wire, so byte 0 bit 0 hits the wire first. The second bit to hit the wire (bit 46) marks the packet as IEEE assigned (0) or locally assigned (1). The first three bytes usually identify the manufacturer of the adapter. All F's(h) or binary 1's mark the packet as ethernet broadcast. I vaguely remember 4 or 5 reiterative old lectures about this now. Bill At 05:34 PM 5/3/96 -0700, you wrote: >I have an interesting problem. Users from a device can't reach the >firewall (I'm stretching this as a firewall question). 
> >Someone changed the MAC address of a device on my network (don't ask), >and suddenly users from that device can't connect to the firewall. > >The MAC address is now 11-22-33-44-55-66. None of my NT 3.51 systems, >or my UNIX boxes can ping or be ping'd from that system. However, >NT4.0, W95, and Japanese NT3.51 can ping/reply to the device. > >Any ethernet MAC rules being broken with the new MAC address? > >Any clues? > > ><=======10========20====Ruler for Eudora users==50========60========70========80 >William B. Stout | "Official student of 'the internet school of fire'." >Senior Systems Admin | >Hitachi Data Systems | "If it's in a textbook, it's obsolete." >Open Systems Center | >Santa Clara, California | "My opinions are my own." >408-970-4822 | #include ><=======10========20========30========40========50========60========70===== ===80 > > > <=======10========20====Ruler for Eudora users==50========60========70========80 William B. Stout | "Official student of 'the internet school of fire'." Senior Systems Admin | Hitachi Data Systems | "If it's in a textbook, it's obsolete." Open Systems Center | Santa Clara, California | "My opinions are my own." 
408-970-4822 | #include <=======10========20========30========40========50========60========70========80 From firewalls-owner Mon May 6 22:56:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA27468 for firewalls-outgoing; Mon, 6 May 1996 22:46:18 -0700 (PDT) Received: from popalex1.linknet.net (popalex1.linknet.net [206.103.79.89]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA27462 for ; Mon, 6 May 1996 22:46:13 -0700 (PDT) From: zarquon@popalex1.linknet.net Received: from dsrvlaf1-10.linknet.net by popalex1.linknet.net; (5.65v3.2/1.1.8.2/06Mar96-1224PM) id AA32584; Tue, 7 May 1996 00:49:57 -0500 Received: (from zarq@localhost) by dsrvlaf1-10.linknet.net (8.6.12/8.6.9) id AAA00353 for firewalls@GreatCircle.COM; Tue, 7 May 1996 00:44:00 -0500 Message-Id: <199605070544.AAA00353@dsrvlaf1-10.linknet.net> Subject: Re: Linux network monitoring To: firewalls@GreatCircle.COM (Firewalls) Date: Tue, 7 May 1996 00:43:53 -0500 (CDT) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks to everyone who gave me feedback on what monitoring software I could use on Linux. I'm currently debating whether I should install argus or klaxon, and I will probably give both a try to see what works best. Argus has the ability to record connection attempts without ever accepting the connection, since it operates on the packet level, which is something I wanted. Still, I might have to sacrifice that if it eats too much of my cpu time (which isn't a whole lot! :) in the process. Before I get started installing all this, I thought I'd throw out a few more questions... Will Argus receive *all* packets, or just the packets that weren't filtered out by the kernel-based firewall in Linux? How would a stealth port scan appear in logs? Is Argus even able to log it?
Does anyone have a pointer to more information on how these scans work, and what can be done to prevent them? ...oh well, this has nothing to do with any of this, *or* firewalls, but since I'm already sending this message, I thought I'd ask all you sendmail wizards out there a quick question too... :) If you look at my "From" line, you'll notice that it has just my address in it, not my name. This is because I made a quick little sendmail wrapper to do a sendmail -f on all outgoing mail to force it to show my pop address. Now, I can't figure out how to put a name in there to go with the address! I tried all kinds of combinations with "" and '', name in <>, name in (), before address, after address, quoting spaces -- everything! Can someone *please* tell me how to do it? :) .../zarq Runar Jensen [zarquon@popalex1.linknet.net] From firewalls-owner Mon May 6 23:58:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA02220 for firewalls-outgoing; Mon, 6 May 1996 23:50:24 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA02214 for ; Mon, 6 May 1996 23:50:20 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id XAA31636; Mon, 6 May 1996 23:02:30 -0700 Date: Mon, 6 May 1996 23:45:46 -0700 (PDT) From: Michael Dillon To: casey@justice.usdoj.gov cc: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #289 In-Reply-To: <9605061225.aa20825@justice.usdoj.gov> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 6 May 1996 casey@justice.usdoj.gov wrote: > Some of you have been very helpful and indeed > "point(ed) me in the right direction" of > thelist.com. Thank you. Only that's not the right direction. 
thelist.com doesn't have anywhere near a complete list of ISP's in the world let alone the over 3,000 ISP's estimated to be operational in the USA. There are too many of them and too many new ones start up every day. Michael Dillon Voice: +1-604-546-8022 Memra Software Inc. Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Tue May 7 02:56:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA09148 for firewalls-outgoing; Tue, 7 May 1996 02:43:38 -0700 (PDT) Received: from ppgw.pp.nsw.gov.au (ppgw.pp.nsw.gov.au [143.119.99.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA09133 for ; Tue, 7 May 1996 02:42:41 -0700 (PDT) Received: (from smtp@localhost) by ppgw.pp.nsw.gov.au id TAA10542 (8.7.4/IDA-1.6); Tue, 7 May 1996 19:42:53 +1000 (EST) X-Authentication-Warning: ppgw.pp.nsw.gov.au: smtp set sender to using -f Received: from netman.pp.nsw.gov.au(143.119.1.25) by ppgw.pp.nsw.gov.au via smap (V1.3) id sma010548; Tue May 7 19:42:46 1996 Received: from spike.pp.nsw.gov.au (spike [143.119.1.100]) by netman.pp.nsw.gov.au with ESMTP id TAA31372 (8.7.4/IDA-1.6); Tue, 7 May 1996 19:37:23 +1000 (EST) Received: (from garry@localhost) by spike.pp.nsw.gov.au id TAA19815 (8.7.4/IDA-1.6); Tue, 7 May 1996 19:37:19 +1000 (EST) Date: Tue, 7 May 1996 19:37:18 +1000 (EST) From: Garry Optland To: "Ing. Rosa Isela Gonzalez Alvarez." cc: Firewalls@GreatCircle.com Subject: Re: Tape question ... In-Reply-To: <9605061926.AA17927@leo.uacj.mx> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 6 May 1996, Ing. Rosa Isela Gonzalez Alvarez. wrote: > Hello, > > I don't know if this is the correct place to make this question: I > want to connect an EXABYTE EXB-2501T tape unit (it's an SCSI device) to a > DEC 3000 (Digital) Alpha OSF/1. I'm having some problems to make it > readable. 
Any suggestions are appreciated. > Hi Rosa, The correct place for OSF/1 questions is the Alpha-OSF-Managers mailing list. If you give enough detail about your problem, and show that you have read the manual pages, then people on that list are very willing to help. I have attached information describing the charter and rules of the Alpha-OSF-Managers list so you (or anyone else) can subscribe to it if you want to. The attached information was written by the list maintainer, Dave Sill. Regards, Garry. -------------------------------------------------------------------- Garry Optland - Unix Specialist Email: garry@pp.nsw.gov.au Pacific Power phone: +61 2 268 6160 Park & Elizabeth Streets Sydney NSW 2001 Australia -------------------------------------------------------------------- SUBJECT: Alpha-OSF-Managers Information and Rules I've updated the info file for this list and put an HTML-ized version in the list archive area. The URL is: http://www.ornl.gov/cts/archives/mailing-lists/alpha-osf-managers.html ---- This message is a summary of the Alpha-OSF-managers charter and rules. Failure to adhere to these guidelines may result in severe chastisement by the list maintainer and other list participants. Retain a copy of this statement and refer to it before submitting messages to the list or the list administrator. 0: Send DEC Alpha AXP management queries and summaries to alpha-osf-managers@ornl.gov. 1: This list is NOT moderated! Every message that is sent to the list will be passed on to every member of the list (with a few small exceptions). 2: This mailing list is managed by a utility called Majordomo. You can subscribe to the list by sending a message like: subscribe alpha-osf-managers to Majordomo@ornl.gov. Likewise, if you want to remove yourself from the list, send the message: unsubscribe alpha-osf-managers to the same address.
For a complete list of Majordomo commands, use the command: help 3: This list is intended to be a quick-turnaround troubleshooting aid for those who administer and manage Alpha AXP systems running Digital UNIX (formerly OSF/1). Its primary purpose is to provide the Alpha manager with a quick source of information for time-critical system management problems. 4: Answers to questions are to be mailed back to the questioner and are NOT to be sent to the entire list. The person who originally asked the question has the responsibility of summarizing the answers and sending the entire summary back to the list. When a summary is sent back to the list, it should contain the word "SUMMARY" as the first word of the "Subject" line. 5: Discussions on ANY topic are very strongly discouraged and will not normally be tolerated. 6: If it is not specifically related to Alpha AXP/Digital UNIX management, then it does NOT belong on this list. Requests for vendor recommendations are tolerated, provided that the hardware in question is something that system managers normally purchase. 7: Requests for software (free or otherwise) should be limited to software that is directly related to Alpha/OSF management. 8: PLEASE PLEASE PLEASE... Think before you send a message! Ask yourself "is this really appropriate?" There are enough other newsgroups and mailing lists around to cover the marginal topics. Perhaps there is another forum that is more appropriate. 9: Alpha-OSF-Managers messages are archived and available via the World Wide Web (WWW) and anonymous FTP. The official Web archives are available at http://www.ornl.gov/cts/archives/mailing-lists/. The FTP archives are in ftp://ftp.ornl.gov/pub/archives/mailing_lists/alpha-osf-managers/. Unofficial Web archives are available at http://www-archive.stanford.edu/mail-archs.html.
10: Similar lists for non-Alpha/UNIX platforms are:

Vendor  List Name            How to Subscribe
======  ===================  ================
DEC     decstation-managers  send "subscribe decstation-managers" to majordomo@ornl.gov
IBM     AIX-L                send "subscribe aix-l your name" to listserv@pucc.princeton.edu
SGI     info-iris-admin      ask info-iris-maintainer@brl.mil
Sun     sun-managers         ask sun-managers-request@ra.mcs.anl.gov

11: Other forums that relate to DEC Alpha systems:

Newsgroups:
comp.sys.dec        includes all DEC hardware and software
comp.unix.osf.osf1  OSF/1 on Alpha and other platforms

Dave Sill Alpha-OSF-managers maintainer Workstation Support Oak Ridge National Laboratory From firewalls-owner Tue May 7 04:05:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA10913 for firewalls-outgoing; Tue, 7 May 1996 03:44:00 -0700 (PDT) Received: from relay.ioffe.rssi.ru (relay.ioffe.rssi.ru [194.85.224.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA10887 for ; Tue, 7 May 1996 03:43:26 -0700 (PDT) Received: from ssrouter.ioffe.rssi.ru by relay.ioffe.rssi.ru with SMTP (8.7.5/Serv-2.12-AS-eef) id OAA25579; Tue, 7 May 1996 14:41:01 +0400 (MSD) Date: Tue, 7 May 1996 14:42:08 +0400 (MSD) From: Kirill Bolshakov To: firewalls@greatcircle.com Subject: FreeBSD network monitoring Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi All! Could anyone suggest a package for FreeBSD network monitoring? Thanks in advance.
------------------------------------------------------------------------- | Research Systems Software Laboratory | Kirill Bolshakov | | Ioffe Institute | raven@ssrouter.ioffe.rssi.ru | ------------------------------------------------------------------------- From firewalls-owner Tue May 7 05:27:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA13118 for firewalls-outgoing; Tue, 7 May 1996 05:18:51 -0700 (PDT) Received: from ns2.trytel.com (ns2.trytel.com [204.191.54.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA13112 for ; Tue, 7 May 1996 05:18:43 -0700 (PDT) Received: from tryc.on.ca (master.tryc.on.ca [204.191.54.8]) by ns2.trytel.com (8.7.3/8.6.12) with SMTP id IAA23040; Tue, 7 May 1996 08:15:11 -0400 (EDT) Received: by tryc.on.ca (SMI-8.6/SMI-SVR4) id IAA22826; Tue, 7 May 1996 08:15:26 -0400 Date: Tue, 7 May 1996 08:15:26 -0400 From: wojtek@solaris.tryc.on.ca (Wojciech Tryc) Message-Id: <199605071215.IAA22826@tryc.on.ca> To: firewalls@greatcircle.com, sieber@Colorado.EDU Subject: Re: Firewall-1 Newbie Question Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: bf0d5405v+nxfxnKzGf3KQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You may want to create a network object and then create a rule using this object as a destination. You can add a generic TCP service on port 443, which is being assigned for SSL-httpd. Sincerely, Wojciech Tryc > From sieber@Colorado.EDU Tue May 7 00:51:13 1996 > Date: Mon, 6 May 1996 21:42:27 -0600 (MDT) > From: chris sieber > To: firewalls@greatcircle.com > Subject: Firewall-1 Newbie Question > MIME-Version: 1.0 > > Greetings- > > I am currently establishing filter rules on a sparc 5 using firewall-1. > Everything is pretty straightforward but I have two questions: > > 1) Is there a way I can define access to certain services for an entire > network? (i.e.
give standard telnet service to an entire subnet without > defining access for each host.) I tried defining access for a network > object using the subnetwork address but that didn't seem to work. > > 2) Is there a way I can "define" my own services and allow/disallow services > not covered in the menu selection? I would like to be able to allow Netscape > commerce server but am not sure how to go about it. > > Thanks for your time, > > Chris Sieber ********************************************************************** * Wojciech M. Tryc * * http://www.tryc.on.ca/ * * Pager: http://www.tryc.on.ca/cgi-bin/pager.cgi or pager@tryc.on.ca * * * ********************************************************************** From firewalls-owner Tue May 7 05:57:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA14103 for firewalls-outgoing; Tue, 7 May 1996 05:43:05 -0700 (PDT) Received: from ultra1.dreamscape.com (ultra1.dreamscape.com [206.64.128.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA14097 for ; Tue, 7 May 1996 05:42:59 -0700 (PDT) Received: from bertha (sa7.dreamscape.com [206.64.128.57]) by ultra1.dreamscape.com (8.7.4/8.7.3) with SMTP id IAA03118; Tue, 7 May 1996 08:40:56 -0400 (EDT) Message-ID: <318F4577.4480@dreamscape.com> Date: Tue, 07 May 1996 08:43:35 -0400 From: "Steven E. Matkoski" X-Mailer: Mozilla 2.0 (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM CC: matkoski@dreamscape.com Subject: gauntlet - TN3270 proxy?
References: <199605070800.BAA04531@miles.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to know how the tn3270 proxy works on the Gauntlet firewall? Does it use a true tn3270 proxy or do users telnet as vtxxx's and then telnet out as 3270 terminals? We are trying to configure the latter on the IBM NetSP and are getting nowhere. I am thinking of changing to Gauntlet on Solaris if it allows connections from tn3270 clients. -- Thanks! -steve. matkoski@dreamscape.com From firewalls-owner Tue May 7 06:12:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15570 for firewalls-outgoing; Tue, 7 May 1996 06:06:16 -0700 (PDT) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA15554 for ; Tue, 7 May 1996 06:06:10 -0700 (PDT) From: dabasing@interramp.com Received: from dabasing by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id JAA02646; Tue, 7 May 1996 09:04:07 -0400 Date: Tue, 7 May 96 09:03:07 Subject: Firewall/Internet Security Policies To: firewalls@greatcircle.com X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 5.0.1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have the names of any company that specializes in developing security policies for business, specifically for Firewall/Internet implementation? Would prefer companies in mid-west, Ohio or even better, Columbus, Ohio. Thanx loads ------------------------------------- Name: David A. Basinger E-mail: dabasing@pop3.interramp.com (David A. 
Basinger) Date: 5/7/96 Time: 9:03:07 AM ------------------------------------- From firewalls-owner Tue May 7 06:27:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15447 for firewalls-outgoing; Tue, 7 May 1996 06:04:18 -0700 (PDT) Received: from ns1.ptd.net (ns1.ptd.net [198.80.46.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA15441 for ; Tue, 7 May 1996 06:04:13 -0700 (PDT) Received: from anaconda (cable005011.cable.tv13.ptd.net [204.186.5.11]) by ns1.ptd.net (8.7.3/8.7.3) with SMTP id JAA05000; Tue, 7 May 1996 09:01:49 -0400 (EDT) Message-ID: <318F4B14.632A@prolog.net> Date: Tue, 07 May 1996 09:07:32 -0400 From: Stefan Gal Organization: segco.com X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.4 sun4c) MIME-Version: 1.0 To: Michael Baumann CC: firewalls@greatcircle.com Subject: Re: Fakemail (again) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michael Baumann wrote: > > On Sat, 4 May 1996, Stefan Gal wrote: > > > 15:52:02 EST > > Received: > > (from devnull@localhost) by mail.untraceable.net (8.6.12/8.6.6) id RAA21538 > > for > > marchany@vtserf.cc.vt.edu; Fri, 26 Apr 1996 17:50:24 -0200 > > > > good enough for ya...I particularly like the devnull@localhost by > > mail.untraceable.net bit, so are you a Montclair student, wannabe > > hacker or just think you're slick? > > > > pretty cute trick, though. > Minor point: he still made his point. What machine in the lab did he send > the mail from? Can you tell? Yes, now it is just a matter of getting in touch with the sys. admin. for the site, finding out what machines had users logged into them on that particular day/time and then checking syslog for which ones sent mail, match that with the users on the system and I have enough evidence to take the matter to court, if so desired... -- Stefan Gal voice: 610-760-0747 c/o S.E.G. Co.
email: sgaul@prolog.net NOTE: standard disclaimer applies and send all flames > /dev/null From firewalls-owner Tue May 7 06:47:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA17018 for firewalls-outgoing; Tue, 7 May 1996 06:32:39 -0700 (PDT) Received: from uu5.psi.com (uu5.psi.com [38.145.226.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA17012 for ; Tue, 7 May 1996 06:32:34 -0700 (PDT) Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA05926 for ; Tue, 7 May 96 09:15:27 -0400 Date: Tue, 7 May 96 09:04:10 EDT From: gcl@nikko.com (George Lee) Received: from tamago.nikko (tamago.ARPA) by nikko.com (4.1/3.2.083191-The Nikko Securities Company) id AA02974; Tue, 7 May 96 09:04:10 EDT Message-Id: <9605071304.AA02974@nikko.com> To: dolphin@interramp.com Subject: Re: Gauntlet vs. Firewall-1 Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, The reason that I made Gauntlet one of the selections was that both UUNET and PSI (ISP) support and sell it. And for Firewall-1, it is on UNIX and it is powerful and it is well supported. (Can be installed on a SUN.) Actually, the very first firewall product that I was exposed to was Boarderware. I am not too crazy about Intel-ware (PC-BSDI's). However, I am open to all suggestions and options. Thank You George:-) > From dolphin@interramp.com Mon May 6 15:16:12 1996 > X-Sender: cd000565@pop3.interramp.com > Mime-Version: 1.0 > Content-Type: text/plain; charset="us-ascii" > Date: Mon, 6 May 1996 15:48:54 +0900 > To: gcl@nikko.com (George Lee) > From: dolphin@interramp.com (Tidewater Cyberfish) > Subject: Re: Gauntlet vs. Firewall-1 > Content-Length: 431 > > >Hi All, > > > > I need your options... > > > > We are deciding in purchasing a firewall and our choices are > >between Firewall-1 and Gauntlet.
> > Just curious...of all of the firewall's that you could have chosen...why > did it come down to these? > > _____________________________________ > Bob McKisson > Cypress Systems Corporation > Virginia Beach, VA 23451 > (804) 436-1780 Voice > (804) 436-4136 FAX > (804) 442-0888 STU-III > dolphin@interramp.com > > > From firewalls-owner Tue May 7 07:26:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20495 for firewalls-outgoing; Tue, 7 May 1996 07:20:15 -0700 (PDT) Received: from kpgwy.kpscal.org (kpgwy.kpscal.org [167.117.0.140]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA20486 for ; Tue, 7 May 1996 07:20:09 -0700 (PDT) Received: from mailhub.kp.org ([206.18.242.135]) by kpgwy.kpscal.org (8.6.9/8.6.9) with SMTP id HAA00467 for ; Tue, 7 May 1996 07:18:56 -0700 X400-Received: by /c=us/admd=/prmd=kp/; converted ( IA5-Text); Relayed; 07 May 1996 07:17:12 -0700 X400-Received: by mta KPMTA in /c=us/admd=/prmd=kp/; converted ( IA5-Text); Relayed; 07 May 1996 07:17:12 -0700 X400-MTS-Identifier: [/c=us/admd=/prmd=kp/; 318F69E9.CCC8.1969.000] Content-Identifier: 00908318F5B68014 Content-Return: Allowed X400-Content-Type: P2-1988 ( 22 ) Conversion: Allowed Original-Encoded-Information-Types: IA5-Text Disclose-Recipients: Prohibited Alternate-Recipient: Allowed X400-Originator: Mark.Moore@kp.org X400-Recipients: non-disclosure; Message-Id: <"318F69E9.CCC8.1969.000*/c=us/admd= /prmd=kp/o=ga/ou=gwise/s=Moore/g=Mark/"@MHS> Expiry-Date: 22 May 1996 00:00: Z Date: 07 May 1996 07:17:12 -0700 From: "Moore, Mark" To: firewalls@GreatCircle.COM (Return requested) (Receipt notification requested) Subject: NT MIME-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Off the subject of firewalls for a moment. Does anyone know the address to a NT list ?? Thanks in-advance. 
Regards, Mark.Moore@kp.org From firewalls-owner Tue May 7 07:42:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA21012 for firewalls-outgoing; Tue, 7 May 1996 07:27:25 -0700 (PDT) Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA20994 for ; Tue, 7 May 1996 07:27:18 -0700 (PDT) Received: from argus.intel.com by hermes.intel.com (8.7.4/10.0i); Tue, 7 May 1996 07:25:15 -0700 Received: by argus.intel.com (8.7.4/10.0i); Tue, 7 May 1996 07:25:13 -0700 From: sedayao@argus.intel.com (Jeffrey C. Sedayao) Message-Id: <199605071425.HAA03681@argus.intel.com> Subject: Re: Switched Ethernet and Vlans with a Firewall To: ndg@reachit.com (N D Ghaznavi) Date: Tue, 7 May 96 7:25:12 PDT Cc: Firewalls@GreatCircle.COM In-Reply-To: from "N D Ghaznavi" at May 3, 96 09:59:18 am X-Mailer: ELM [version 2.4dev PL66] MIME-Version: 1.0 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > We're also in the process of upgrading our network topology. My > understanding of `Intelligent Ethernet Switches' is that they `remember' > what machine is on which segment (keeps track of the MAC addresses). So > there is *no* configuration. Essentially the switch is used to reduce > network traffic, not as a `security box'. > Can anyone comment on this? Specifically: Switch type, and level of > configurability. On a switch on which you are configuring VLANs, you need to configure which ports will go on which VLAN. While you don't have to worry about MAC addresses, you do have to configure the segments. A switch doing VLANs is different from a regular ethernet switch. > > 1. Be careful about allowing access to the switch. The switch I have > > been working with is configured by telnetting in, and certainly you > > don't want the whole Internet doing that. You certainly don't want > > everyone doing SNMP requests or uploading configurations via TFTP.
> > Once you have enable access on the switch, you can set up holes and routing
> > through various ports and wreak some real havoc.
>
> What kind of a switch was it? Can it do packet filtering?

Hmm. Actually, I am not so sure about routing through other ports. You can set up static routes though. It is a Cisco Catalyst 5000, and I don't think that it can packet filter.

> Cheers,
> Nadim
>
> --N D Ghaznavi-----------------------------------------------------------
> Unix System Administrator ndg@CADlink.com
> --CADlink.com--------Reachit.com--------Ghaznavi.com--------Apparel.org--

--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com

From firewalls-owner Tue May 7 08:11:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22662 for firewalls-outgoing; Tue, 7 May 1996 08:02:40 -0700 (PDT)
Received: from rodan.UU.NET (rodan.UU.NET [153.39.130.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA22654 for ; Tue, 7 May 1996 08:02:34 -0700 (PDT)
Received: from woobie.uu.net by rodan.UU.NET with SMTP id QQaork29381; Tue, 7 May 1996 11:00:28 -0400 (EDT)
Message-ID: <318F658B.7991A45@uu.net>
Date: Tue, 07 May 1996 11:00:27 -0400
From: Norm Laudermilch
Organization: Uunet Technologies
X-Mailer: Mozilla 2.01 (X11; I; SunOS 4.1.3_U1 sun4c)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Java problemites
References: <199605071445.KAA28166@clark.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In light of the recent discussions on Java security, I think we should all be *very* interested in the following URL:

http://www.math.gatech.edu/~mladue/HostileApplets.html

Norm

Norm Laudermilch
Manager, Information Security
Uunet Technologies, Inc.
From firewalls-owner Tue May 7 08:31:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23457 for firewalls-outgoing; Tue, 7 May 1996 08:16:56 -0700 (PDT)
Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA23451 for ; Tue, 7 May 1996 08:16:52 -0700 (PDT)
Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA10908 (5.65c/IDA-1.4.4-910725 for ); Tue, 7 May 1996 08:14:06 -0700
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) id AA10972; Tue, 7 May 96 08:13:36 PDT
Date: Tue, 7 May 96 08:13:36 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9605071513.AA10972@manzanita.DEV.3Com.COM.noname>
To: firewalls@greatcircle.com, sieber@Colorado.EDU
Subject: Re: Firewall-1 Newbie Question
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Define each network (subnet or the whole class B or C) as an object unto itself, and then grant access From that object to All for Service. In fact, I've set up a group called "Common Services" which includes Telnet, FTP, HTTP (in various flavors), HTTPS, Gopher etc. This group is made up of ONLY those services that can go to the outside with no further restrictions. Just make sure that the internal nets are defined as Internal with respect to Firewall-1.
Good luck,

BobK

From firewalls-owner Tue May 7 08:42:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA24043 for firewalls-outgoing; Tue, 7 May 1996 08:26:04 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA24028 for ; Tue, 7 May 1996 08:26:00 -0700 (PDT)
Received: from @explorer.csc.com by csc.com with smtp (Smail3.1.29.1 #1) id m0uGobU-001AeuC; Tue, 7 May 96 11:23 EDT
Message-Id:
Date: Tue, 7 May 96 11:23 EDT
X-Sender: asafier@explorer.csc.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: dabasing@interramp.com
From: Adam Safier
Subject: Re: Firewall/Internet Security Policies
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:03 AM 5/7/96, dabasing@interramp.com wrote:
>Does anyone have the names of any company that specializes in developing
>security policies for business, specifically for Firewall/Internet implementation?
>
>Would prefer companies in mid-west, Ohio or even better, Columbus, Ohio.
>

Not in Ohio, but CSC-SED-Infosec has a group specializing in security policies.

Mr. Virgil Gibson
Manager - Policy and Risk Analysis
CSC-SED-InfoSec
Hanover Md
410-684-6325

Adam Safier
CSC-SED-Infosec
asafier@csc.com
"Oh No! You did exactly what I told you to do!" - Cartoon caption, author unknown (but I'm looking. :)
Expressed opinions are my own and do not reflect the views and opinions of my employer.
From firewalls-owner Tue May 7 08:42:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22776 for firewalls-outgoing; Tue, 7 May 1996 08:05:10 -0700 (PDT)
Received: from vampire.org (vampire.org [199.125.161.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA22737 for ; Tue, 7 May 1996 08:04:40 -0700 (PDT)
Received: (from discodan@localhost) by vampire.org (8.6.12/8.6.12) id LAA07463; Tue, 7 May 1996 11:01:15 -0400
Date: Tue, 7 May 1996 11:01:14 -0400 (EDT)
From: Squawk
To: George Lee
cc: dolphin@interramp.com, Firewalls@GreatCircle.COM
Subject: Re: Gauntlet vs. Firewall-1
In-Reply-To: <9605071304.AA02974@nikko.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 May 1996, George Lee wrote:

> Hi,
> The reason that I made Gauntlet one of the selection
> was that both UUNET and PSI (ISP) supports and sales it.
>
> And for Firewall-1, it on UNIX and it is powerful and it is well
> supported. ( Can be installed on a SUN ).
>
> Actually, the very first firewall product that I was exported to
> was Boarderware. I am not to crazy about Intel-ware( PC-BSDI's ).
>
> However, I am open to all suggestions and options.

Many firewall products are intel based.. I have a bias against intel as well, their hardware is usually a big mess.. I much prefer the standards of sun's or sgi.. however I would never buy a firewall based entirely on the hardware.. while intel is usually a mess, BSD based OSes blow the doors off of solaris with their networking code.. it handles much more of my type of load, which is good or i'd have to redesign my entire network.. Therefore BSD has me hooked.. its very stable, it's a little more secure out of the box (at least as far as we know), and its an excellent little firewall. usually from these big vendors of firewalls you don't get bad intel based hardware either..

as for the software, well...
thats all a matter of personal preference

-Dan

From firewalls-owner Tue May 7 09:00:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25997 for firewalls-outgoing; Tue, 7 May 1996 08:47:03 -0700 (PDT)
Received: from bridge.coy.com (bridge.coy.com [206.224.78.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA25991 for ; Tue, 7 May 1996 08:46:58 -0700 (PDT)
Received: (from coy@localhost) by bridge.coy.com (8.7.1/8.7.1) id KAA14264; Tue, 7 May 1996 10:46:39 -0500
Date: Tue, 7 May 1996 10:46:38 -0500 (CDT)
From: Chip Coy
To: dabasing@interramp.com
cc: firewalls@GreatCircle.COM
Subject: Re: Firewall/Internet Security Policies
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

IBM. Manager of the I/T and Internet Security Consulting Practice is Al Decker at (919) 301-4598.

On Tue, 7 May 1996 dabasing@interramp.com wrote:

> Does anyone have the names of any company that specializes in developing
> security policies for business, specifically for Firewall/Internet implementation?
>
> Would prefer companies in mid-west, Ohio or even better, Columbus, Ohio.
>
> Thanx loads

Chip Coy
coy@coy.com
http://bridge.coy.com/~coy/
"Do not mistake composure for ease."
- Tuvok

From firewalls-owner Tue May 7 09:14:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA24986 for firewalls-outgoing; Tue, 7 May 1996 08:35:21 -0700 (PDT)
Received: from emory.mathcs.emory.edu (emory.mathcs.emory.edu [199.76.28.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA24980 for ; Tue, 7 May 1996 08:35:16 -0700 (PDT)
Received: from wittsend.wittsend.com by emory.mathcs.emory.edu (5.65/Emory_mathcs.4.0.18) via SMTP id AA28458 ; Tue, 7 May 96 11:32:06 -0400
Received: by wittsend (/\==/\ Smail3.1.28.1 #28.1) for id ; Tue, 7 May 96 11:32 EDT
Message-Id:
Subject: Re: NT
To: Mark.Moore@kp.ORG (Moore, Mark)
Date: Tue, 7 May 1996 11:32:00 -0400 (EDT)
From: "Michael H. Warfield"
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Moore, Mark" at May 7, 96 07:17:12 am
X-Mailer: ELM [version 2.4 PL20]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Moore, Mark enscribed thusly:

> Off the subject of firewalls for a moment. Does anyone know the
> address to a NT list ?? Thanks in-advance.

Sort of off topic but maybe on topic would be the NT Security list.

ntsecurity@iss.net

Subscribe by sending a message to majordomo@iss.net with a "Subscribe ntsecurity" in the body.

> Regards,
> Mark.Moore@kp.org

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
From firewalls-owner Tue May 7 09:42:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00261 for firewalls-outgoing; Tue, 7 May 1996 09:29:15 -0700 (PDT)
Received: from gaia.internex.net (gaia.internex.net [198.67.38.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00255 for ; Tue, 7 May 1996 09:29:11 -0700 (PDT)
Received: from hidata.com by gaia.internex.net (8.6.9/InterNex-SM8.6.9) id JAA26252; Tue, 7 May 1996 09:27:00 -0700
Received: by hidata.com (SMI-8.6/SMI-SVR4) id JAA02872; Tue, 7 May 1996 09:26:59 -0700
Received: from osc(205.158.62.10) by hds-gw via smap (V1.3) id sma002870; Tue May 7 09:26:40 1996
Received: from enterprise by osc.hidata.com (SMI-8.6/SMI-SVR4) id JAA21602; Tue, 7 May 1996 09:26:38 -0700
Date: Tue, 7 May 1996 09:26:38 -0700
Message-Id: <199605071626.JAA21602@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "Moore, Mark"
From: Bill Stout
Subject: Re: NT
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NT Security problems: majordomo@ntsecurity@iss.net

At 07:17 AM 5/7/96 -0700, you wrote:
>
>Off the subject of firewalls for a moment. Does anyone know the
>address to a NT list ?? Thanks in-advance.
>
>Regards,
>
>
>Mark.Moore@kp.org
>
>

<=======10========20====Ruler for Eudora users==50========60========70========80
William B. Stout | "Official student of 'the internet school of fire'."
Senior Systems Admin |
Hitachi Data Systems | "If it's in a textbook, it's obsolete."
Open Systems Center |
Santa Clara, California | "My opinions are my own."
408-970-4822 | #include
<=======10========20========30========40========50========60========70========80

From firewalls-owner Tue May 7 09:58:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00456 for firewalls-outgoing; Tue, 7 May 1996 09:30:50 -0700 (PDT)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA00426; Tue, 7 May 1996 09:30:40 -0700 (PDT)
Message-Id: <199605071630.JAA00426@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA205276517; Tue, 7 May 1996 12:28:37 -0400
Date: Tue, 7 May 1996 12:28:37 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, gcl@nikko.com
Subject: Re: Gauntlet vs. Firewall-1
Cc: Firewalls@GreatCircle.COM, dolphin@interramp.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Squawk
> To: George Lee
>
> On Tue, 7 May 1996, George Lee wrote:
>
> > Hi,
> > The reason that I made Gauntlet one of the selection
> > was that both UUNET and PSI (ISP) supports and sales it.
> >
> > And for Firewall-1, it on UNIX and it is powerful and it is well
> > supported. ( Can be installed on a SUN ).
> >
> > Actually, the very first firewall product that I was exported to
> > was Boarderware. I am not to crazy about Intel-ware( PC-BSDI's ).
> >
> > However, I am open to all suggestions and options.
>
> Many firewall products are intel based.. I have a bias against intel as
> well, there hardware uis usually a big mess.. I much prefer the standards
> of sun's or sgi.. however I would never buy a firewall based entirely on
> the hardware.. while intel is usually a mess, BSD based OSes blow the
> doors off of solaris with their networking code.. it handles much more of
> my type of load, which is good or i'd have to redesign my entire
> network.. Therefore BSD has me hooked..
> its very stable, it's a little
> more secure out of the box (at least as far as we know), and its an
> excellent little firewall. usually from these big vendors of firewalls
> you don't get bad intel based hardware either..
>
> as for the software, well... thats all a matter of personal preferance

I think the issue here is that on a Sun or SGI based platform a single vendor controls the hardware and OS development. Hence, I believe, the overall platform should be more stable as there are fewer variables introduced by other vendors' software or hardware. Think about the number of times you've had to download this or that patch for this or that hardware/software product so it would run properly with this or that other hardware/software product.

Multivendor solutions are wonderful for price competition and providing choices. However, in my opinion, on a super critical piece of equipment they add a significant number of unknown interoperability problems.

Gary Flynn
James Madison University

From firewalls-owner Tue May 7 10:12:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03900 for firewalls-outgoing; Tue, 7 May 1996 10:01:49 -0700 (PDT)
Received: from livedgar.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03885 for ; Tue, 7 May 1996 10:01:44 -0700 (PDT)
Received: from GEORGE by livedgar.gsionline.com (NTMail 3.01.01) id ra014551; Tue, 7 May 1996 16:59:05 +0000
X-Sender: nbk@livedgar
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Stefan Gal
From: nkeenan@gsionline.com (Nick Keenan)
Subject: Re: Fakemail (again)
Cc: firewalls@greatcircle.com
Date: Tue, 7 May 1996 16:59:05 +0000
Message-Id: 16590578501482@gsionline.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Minor point: he still made his point. What machine in the lab did he send
>> the mail from? Can you tell?
>
>yes, now it is just a matter of getting in touch with the sys. admin.
>for the site, finding out what machines had users logged into them on
>that particular day/time and then checking syslog for which ones sent
>mail, match that with the users on the system and I have enough evidence
>to take the matter to court , if so desired...

What if he runs a network (like mine) where such information is not even kept? What if the user came in over a dialup account, or a guest account? And what if the sysadmin is uncooperative?

A big assumption here is that sysadmins will subscribe to the "we're all on the same side" doctrine. That may have been true a while ago, when the 'net was smaller, and access was more tightly controlled. Now anyone can be a sysadmin. There are lots out there who value privacy over security, and deliberately disable tracking software. Anonymity is a valuable commodity, and a service that customers will pay for. If a sysadmin is going to sell anonymity, the only way he can avoid legal trouble is to keep no records. If the information does not exist, it cannot be subpoenaed, and you cannot be held in contempt for not providing it.

Finally, I have to contest your assumption that a computer log would hold a lot of weight in court. In reality, the opposite is true: unless you set up your logging system with the intention of someday using the logs as evidence, any lawyer worth his salt should be able to get them excluded on a number of grounds.
Just my .02

From firewalls-owner Tue May 7 10:45:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03993 for firewalls-outgoing; Tue, 7 May 1996 10:03:00 -0700 (PDT)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA03977 for ; Tue, 7 May 1996 10:02:52 -0700 (PDT)
Received: from nic.dn.se by relay4.UU.NET with SMTP (peer crosschecked as: nic.dn.se [193.180.36.70]) id QQaors09727; Tue, 7 May 1996 13:00:48 -0400 (EDT)
Received: by nic.dn.se; id AA26359; Tue, 7 May 96 18:57:53 +0200
Date: Tue, 7 May 96 18:57:53 +0200
Message-Id: <9605071657.AA26359@nic.dn.se>
Received: from simba.dn.se(151.177.67.90) by nic.dn.se via smap (V3.1) id xma026357; Tue, 7 May 96 18:57:51 +0200
X-Sender: viding@rafiki.dn.se
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: gcl@nikko.com (George Lee)
From: Lars Viding
Subject: Re: Gauntlet vs. Firewall-1
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

There is a very good lab test done by Data Communications.

http://www.data.com/Lab_Tests/Firewalls.html

I recommend reading it if you don't know which one to choose. One thing you have to decide is which technique you trust/believe in: packet-filter firewall (Firewall-1) or proxy firewall (Gauntlet) or both (Cybergard).

/Lars

>Hi,
> The reason that I made Gauntlet one of the selection
>was that both UUNET and PSI (ISP) supports and sales it.
>
>And for Firewall-1, it on UNIX and it is powerful and it is well
>supported. ( Can be installed on a SUN ).
>
>Actually, the very first firewall product that I was exported to
>was Boarderware. I am not to crazy about Intel-ware( PC-BSDI's ).
>
>However, I am open to all suggestions and options.
>
>
>Thank You
>George:-)
>
>> From dolphin@interramp.com Mon May 6 15:16:12 1996
>> X-Sender: cd000565@pop3.interramp.com
>> Mime-Version: 1.0
>> Content-Type: text/plain; charset="us-ascii"
>> Date: Mon, 6 May 1996 15:48:54 +0900
>> To: gcl@nikko.com (George Lee)
>> From: dolphin@interramp.com (Tidewater Cyberfish)
>> Subject: Re: Gauntlet vs. Firewall-1
>> Content-Length: 431
>>
>> >Hi All,
>> >
>> > I need your options...
>> >
>> > We are deciding in purchasing a firewall and our choices are
>> >between Firewall-1 and Gauntlet.
>>
>> Just curious...of all of the firewall's that you could have chosen...why
>> did it come down to these?
>>
>> _____________________________________
>> Bob McKisson
>> Cypress Systems Corporation
>> Virginia Beach, VA 23451
>> (804) 436-1780 Voice
>> (804) 436-4136 FAX
>> (804) 442-0888 STU-III
>> dolphin@interramp.com
>>
>>
>>
>
>

From firewalls-owner Tue May 7 10:57:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06093 for firewalls-outgoing; Tue, 7 May 1996 10:32:57 -0700 (PDT)
Received: from igate.hibbertco.com (hibbertco.com [204.240.226.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06082 for ; Tue, 7 May 1996 10:32:49 -0700 (PDT)
Received: by igate.hibbertco.com (5.x/) id AA10233; Tue, 7 May 1996 11:31:14 -0600
Received: from imailgw(204.240.226.72) by igate via smap (V1.3) id sma010230; Tue May 7 11:30:59 1996
Message-Id:
Date: 7 May 1996 11:30:00 -0700
From: "Anton Rager"
Subject: http hacking??
To: "firewall-digest"
X-Mailer: Mail*Link SMTP-MS 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All,

I was reviewing my logs and noticed some problems with my HTTP rules with FWTK and HTTP-GW -- someone was able to get to the proxy who wasn't supposed to. I have found the typo in my rules table, but have some questions now that I have reviewed my logs.
I have been getting pretty regular hits from sparc.berkeley.edu and puck.berkeley.edu on HTTP only (there is not a HTTP server inside the firewall.....only outside the firewall). The odd thing is that the duration and bytes-in values seem high (on one of the entries I have 24008 bytes in for a duration of 93). Am I dealing with someone trying to interactively hack thru my firewall via HTTP? Could I have been compromised via FTP or Telnet from the HTTP-GW Proxy? How can I get more info from the http-gw process?

Here's the syslog entries (they are probably out of date/time order)

# grep berkeley /var/adm/messages
May 4 16:26:19 igate http-gw[5457]: permit host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
May 4 16:26:20 igate http-gw[5457]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=0 out=0 user=unauth duration=2
May 4 16:26:22 igate http-gw[5458]: permit host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
May 4 16:26:26 igate http-gw[5458]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=13668 out=0 user=unauth duration=5
May 7 00:50:41 igate http-gw[6931]: deny host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
May 7 00:50:41 igate http-gw[6931]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=0 out=0 user=unauth duration=1

# grep berkeley /var/adm/messages.*
/var/adm/messages.0:May 2 19:13:11 igate http-gw[25141]: permit host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.0:May 2 19:13:13 igate http-gw[25141]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=0 out=0 user=unauth duration=2
/var/adm/messages.0:May 2 19:13:39 igate http-gw[25142]: permit host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.0:May 2 19:13:42 igate http-gw[25142]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=13668 out=0 user=unauth duration=4
/var/adm/messages.0:May 3 00:59:01 igate http-gw[26079]: permit host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.0:May 3 00:59:03 igate http-gw[26079]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=0 out=0 user=unauth duration=3
/var/adm/messages.0:May 3 00:59:04 igate http-gw[26080]: permit host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.0:May 3 00:59:09 igate http-gw[26080]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=13668 out=0 user=unauth duration=5
/var/adm/messages.1:Apr 25 13:40:54 igate http-gw[8801]: permit host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 25 13:42:26 igate http-gw[8801]: exit host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=24008 out=0 user=unauth duration=93
/var/adm/messages.1:Apr 25 13:42:34 igate http-gw[8806]: permit host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 25 13:42:45 igate http-gw[8806]: exit host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=1016 out=0 user=unauth duration=15
/var/adm/messages.1:Apr 26 16:02:00 igate http-gw[18051]: permit host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 26 16:02:07 igate http-gw[18051]: exit host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=24008 out=0 user=unauth duration=8
/var/adm/messages.1:Apr 26 16:02:10 igate http-gw[18052]: permit host=sparc.berkeley.edu/128.32.92.121 use of gateway (Ver 1.0 / 49)
/var/adm/messages.1:Apr 26 16:02:12 igate http-gw[18052]: exit host=sparc.berkeley.edu/128.32.92.121 cmds=1 in=1008 out=0 user=unauth duration=3
/var/adm/messages.3:Apr 10 20:20:50 igate http-gw[15102]: permit host=puck.berkeley.edu/128.32.92.12 use of gateway (Ver 1.0 / 49)
/var/adm/messages.3:Apr 10 20:20:57 igate http-gw[15102]: exit host=puck.berkeley.edu/128.32.92.12 cmds=1 in=9214 out=0 user=unauth duration=7

Any Ideas?
Anton Rager
arager@hibbertco.com

From firewalls-owner Tue May 7 11:58:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12553 for firewalls-outgoing; Tue, 7 May 1996 11:33:18 -0700 (PDT)
Received: from gateway.tpp.com (gateway.TPP.com [198.81.246.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA12527 for ; Tue, 7 May 1996 11:33:12 -0700 (PDT)
From: egreen@tpp.com
Received: from mail.tpp.com by gateway.tpp.com with SMTP id AA08776 (InterLock SMTP Gateway 3.0 for ); Tue, 7 May 1996 14:30:01 -0400
Received: from ccMail by mail.tpp.com (IMA Internet Exchange v1.04) id 18f96ad1; Tue, 7 May 96 14:30:05 -0400
Mime-Version: 1.0
Date: Tue, 7 May 1996 14:22:11 -0400
Message-Id: <18f96ad1@mail.tpp.com>
Subject: ANS InterLock Support Issues
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have been an ANS InterLock customer for several years and have up to this point been generally pleased with the InterLock support team. Recently, however, it seems problems I report go on for weeks into months. The only status of the problems I get is when I call and 'dog' them. Even my e-mails often are not responded to. Given this kind of service we are strongly leaning towards replacing the InterLock with the Gauntlet. In fact, soon we will be managing two internet connections (in sep states), so probably two Gauntlets.

My questions,

1) are there any other ANS customers experiencing the same things?

2) How about Gauntlet users, are you pleased with the support and responsiveness?
Ed

From firewalls-owner Tue May 7 12:12:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12714 for firewalls-outgoing; Tue, 7 May 1996 11:35:30 -0700 (PDT)
Received: from lafvax (lafvax.lafayette.edu [139.147.8.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA12701 for ; Tue, 7 May 1996 11:35:24 -0700 (PDT)
Received: from farber21.farber.lafayette.edu by lafvax.lafayette.edu (PMDF V5.0-4 #6834) id <01I4FEQKB80W00B1SX@lafvax.lafayette.edu> for firewalls@greatcircle.com; Tue, 07 May 1996 14:36:09 -0400 (EDT)
Date: Tue, 07 May 1996 14:32:34 -0400
From: john mulligan
Subject: RE: Fakemail (contacting sysadmins)
X-Sender: mulligaj@lafayette.edu
To: firewalls@greatcircle.com
Message-id: <2.2.32.19960507183234.8693c8fc@lafvax.lafayette.edu>
MIME-version: 1.0
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:01 PM 05/07/96, you wrote:
>>yes, now it is just a matter of getting in touch with the sys. admin.
>>for the site, finding out what machines had users logged into them on
>>that particular day/time and then checking syslog for which ones sent
>>mail, match that with the users on the system and I have enough evidence
>>to take the matter to court , if so desired...
>
>What if he runs a network (like mine) where such information is not even
>kept? What if the user came in over a dialup account, or a guest account?
>

I agree. The person obviously came from an .edu domain, which tend to be very tricky to trace. No doubt they have lab computers. If they are set up like most campuses they have public access lab site computers. Sure they all have assigned IPs so you can tell which machine it came from, but a 100 users a day use the same machine with no record of who was using it when.
Perhaps ISP fake mail can be traced with cooperation of a sysadmin, but educational sites are far beyond that.

---------------------------------------------------------------------------------
John P. Mulligan
PGP Public key at http://www.lafayette.edu/~mulligaj
I believe Uebercracker is german for 'lame copy-cat that can get root with 3 year old bugs.' --Christopher Klaus
---------------------------------------------------------------------------------

From firewalls-owner Tue May 7 12:27:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA14866 for firewalls-outgoing; Tue, 7 May 1996 11:52:43 -0700 (PDT)
Received: from SantaClara01.pop.internex.net (SantaClara01.POP.InterNex.Net [205.158.3.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA14859 for ; Tue, 7 May 1996 11:52:39 -0700 (PDT)
From: carl@hdshq.com
Received: from SYSMKT.hdshq.com ([206.215.16.130]) by SantaClara01.pop.internex.net (post.office MTA v1.9.3 ID# 0-11030) with ESMTP id AAA19157; Tue, 7 May 1996 11:50:34 -0700
Received: from [198.92.130.5] (lan.hdshq.com [198.92.130.5]) by SYSMKT.hdshq.com (1/HDS MAIL SYSTEM) with SMTP id LAA19359; Tue, 7 May 1996 11:50:22 -0700 (PDT)
Message-Id: <199605071850.LAA19359@SYSMKT.hdshq.com>
X-Sender: carl@lan.hdshq.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 7 May 1996 11:50:26 -0800
To: fwtk-users@tis.com, firewalls@greatcircle.com
Subject: Error in JavaScript/Java version 2 patch file
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks to an alert reader I recognize an oversight in my version 2 patch kit for http-gw, that provides screening for Java and JavaScript. This only affects someone applying the patch file V0diffV2. The file did not include the patches needed against hmain.c, only updates to http-gw.c. It is now fixed.
I have updated the tar archive, but I also provide the updated patch file at http://www.hdshq.com/fixes/fwtk/V0diffV2 to minimize the inconvenience for those of you who may have fetched this already.

Sorry for the foul-up.

Carl V Claunch
Hitachi Data Systems

From firewalls-owner Tue May 7 12:27:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA15074 for firewalls-outgoing; Tue, 7 May 1996 11:54:45 -0700 (PDT)
Received: from ccci.com (fridge.ccci.com [192.101.187.204]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA15050 for ; Tue, 7 May 1996 11:54:24 -0700 (PDT)
Received: (from urban@localhost) by ccci.com (8.7.3/8.7.3) id OAA26868; Tue, 7 May 1996 14:48:30 -0400 (EDT)
Date: Tue, 7 May 1996 14:48:30 -0400 (EDT)
From: Greg Urban
To: Firewalls@GreatCircle.COM
Subject: Re: Fakemail (again)
In-Reply-To: <199605071713.KAA04618@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You write:

  yes, now it is just a matter of getting in touch with the sys. admin.
  for the site, finding out what machines had users logged into them on
  that particular day/time and then checking syslog for which ones sent
  mail, match that with the users on the system and I have enough evidence
  to take the matter to court , if so desired...

I reply:

What do you do when you find out this account was hacked? What do you do when you find out the connection was initiated by a PC on the local LAN? Or better yet, a Mac with dynamic IP allocation. You by no means have caught anyone, yet.
Greg U

From firewalls-owner Tue May 7 12:42:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA13142 for firewalls-outgoing; Tue, 7 May 1996 11:40:19 -0700 (PDT)
Received: from europa.com ([199.2.194.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA13085 for ; Tue, 7 May 1996 11:40:06 -0700 (PDT)
Received: by europa.com (/\==/\ Smail3.1.28.1 #28.13) id ; Tue, 7 May 96 11:37 PDT
Received: from pcmail by NMHG.com (4.1/SMI-4.1) id AA20820; Fri, 3 May 96 16:35:45 PDT
Received: by pcmail with Microsoft Mail id <318A9835@pcmail>; Fri, 03 May 96 16:35:17 PDT
From: "Mathes, Jeff"
To: "'Firewalls Digest'"
Subject: FW: FW: Linux Internet Server & firewall
Date: Fri, 03 May 96 16:34:00 PDT
Message-Id: <318A9835@pcmail>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paper based (magazine). It can be found in technical or well stocked bookstores.

Good Luck!

----------
From: John Armstrong
To: jeff
Cc: john
Subject: RE: FW: Linux Internet Server & firewall
Date: Monday, April 29, 1996 4:52PM

Jeff,

>The last two editions of the "Linux Journal" have good articles on this

Pardon my ignorance - is this a paper-based journal or online?
John
---------------------------------------------------------------------------
John Armstrong LRF Centre at Leeds University john@leva.leeds.ac.uk
17 Springfield Mount Leeds LS2 9NG
0113 233 3912 (phone) 0113 242 6065 (fax)

From firewalls-owner Tue May 7 12:49:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA15243 for firewalls-outgoing; Tue, 7 May 1996 11:59:50 -0700 (PDT)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA15231 for ; Tue, 7 May 1996 11:59:46 -0700 (PDT)
Received: from archimedes.vislab.navy.mil by relay7.UU.NET with ESMTP (peer crosschecked as: archimedes.chinalake.navy.mil [129.131.31.8]) id QQaorz12422; Tue, 7 May 1996 14:57:41 -0400 (EDT)
Received: from archimedes.vislab.navy.mil (parcival [129.131.31.12]) by archimedes.vislab.navy.mil (8.7.3/akira1-CL) with ESMTP id LAA12580 for ; Tue, 7 May 1996 11:52:04 -0700 (PDT)
Posted-Date: Tue, 7 May 1996 11:52:04 -0700 (PDT)
Message-Id: <199605071852.LAA12580@archimedes.vislab.navy.mil>
To: firewalls@greatcircle.com
Date: Tue, 07 May 1996 11:52:01 -0700
From: Benjamin Allan Smith
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message you wrote:
> another option would be to check with the Internic, since most
> domain names must be listed with a purpose (ie. Internet Service
> Provider) or just do a mass search on .net. keep in mind, that the
> internic is supposed to only allow Internet Service Providers the .net,
> but you will also find many that are not.. =)

Many IAPs don't have .net addresses. For example the one that I work on is ridgecrest.ca.us (for the City of Ridgecrest, California). They got the domain name by promising that they would give DNS support for anyone in Ridgecrest that wanted to use the ridgecrest.ca.us domain.
Ben ------------------------------------------------------------------------------- Benjamin Smith------------bens@vislab.navy.mil---------1972 Land Rover SIII 88 Science Applications International Corporation Naval Air Warfare Center, Weapons Division, China Lake From firewalls-owner Tue May 7 12:57:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA13597 for firewalls-outgoing; Tue, 7 May 1996 11:42:13 -0700 (PDT) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA13507 for ; Tue, 7 May 1996 11:41:52 -0700 (PDT) Received: from lexicon.ins.com by relay6.UU.NET with ESMTP (peer crosschecked as: lexicon.ins.com [199.0.193.11]) id QQaory15335; Tue, 7 May 1996 14:39:48 -0400 (EDT) Received: from chrpc (mtv-dynamic234.ins.com [199.0.193.234]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id LAA27998; Tue, 7 May 1996 11:27:34 -0700 (PDT) Message-Id: <2.2.32.19960507182652.00a3bfb4@lexicon.ins.com> X-Sender: ragan@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 07 May 1996 13:26:52 -0500 To: sedayao@argus.intel.com (Jeffrey C. Sedayao) From: Charles Ragan Subject: Re: Switched Ethernet and Vlans with a Firewall Cc: ndg@reachit.com (N D Ghaznavi), Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you have a cco account, you can check out the following url for different switching/vlan technologies. http://www.cisco.com/univercd/data/doc/cintrnet/idg3/idglans.htm Charles At 07:25 AM 5/7/96 PDT, Jeffrey C. Sedayao wrote: >> We're also in the process of upgrading our network topology. My >> understanding of `Intelligent Ethernet Switches' is that they `remember' >> what machine is on which segment (keeps track of the MAC) addresses. So >> there is *no* configuration. 
>> Essentially the switch is used to reduce
>> network traffic, not as a `security box'.
>
>> Can anyone comment on this? Specifically: Switch type, and level of
>> configurability.
>
>On a switch that you are configuring VLANs, you need to configure
>which ports will go on which VLAN. While you don't have to worry about MAC
>addresses, you do have to configure the segments. A switch doing VLANs
>is different from a regular ethernet switch.
>
>> > 1. Be careful about allowing access to the switch. The switch I have
>> > been working with is configured by telnetting in, and certainly you
>> > don't want the whole Internet doing that. You certainly don't want
>> > everyone doing SNMP requests or uploading configurations via TFTP. Once
>> > you have enable access on the switch, you can set up holes and routing
>> > through various ports and wreak some real havoc.
>
>> What kind of a switch was it? Can it do packet filtering?
>
>Hmm. Actually, I am not so sure about routing through other ports. You
>can set up static routes though. It is a Cisco Catalyst 5000, and I
>don't think that it can packet filter.
> >> Cheers, > >> Nadim >> >> --N D Ghaznavi----------------------------------------------------------- >> Unix System Administrator ndg@CADlink.com >> --CADlink.com--------Reachit.com--------Ghaznavi.com--------Apparel.org-- >> >> > > >-- >Jeff Sedayao >Intel Corporation >sedayao@argus.intel.com > > ====================================================================== = Charles Ragan International Network Services = = Network Systems Engineer Dallas, TX = = CCIE, CBE, MCSE, MCNE Pager: 1-800-INS-1-INS Text = = Voice: 214-774-3620 = ====================================================================== From firewalls-owner Tue May 7 13:12:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA21821 for firewalls-outgoing; Tue, 7 May 1996 13:10:12 -0700 (PDT) Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA21783 for ; Tue, 7 May 1996 13:10:03 -0700 (PDT) Received: from gaia.internex.net by relay3.UU.NET with SMTP (peer crosschecked as: gaia.internex.net [198.67.38.22]) id QQaose26855; Tue, 7 May 1996 16:08:00 -0400 (EDT) Received: from hidata.com by gaia.internex.net (8.6.9/InterNex-SM8.6.9) id NAA29651; Tue, 7 May 1996 13:01:07 -0700 Received: by hidata.com (SMI-8.6/SMI-SVR4) id NAA04235; Tue, 7 May 1996 13:01:05 -0700 Received: from osc(205.158.62.10) by hds-gw via smap (V1.3) id sma004233; Tue May 7 13:00:36 1996 Received: from enterprise by osc.hidata.com (SMI-8.6/SMI-SVR4) id NAA22249; Tue, 7 May 1996 13:00:35 -0700 Date: Tue, 7 May 1996 13:00:35 -0700 Message-Id: <199605072000.NAA22249@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: NT Cc: Mark.Moore@kp.ORG Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ooops, typo, obviously. 
Send to: majordomo@iss.net
Body type: subscribe 'v' your_e-mail_address
'v' is one of: alert inforeq internal nsa nsa-digest ntsecurity ntsecurity-digest scanner test test-digest

Bill

At 09:26 AM 5/7/96 -0700, you wrote:
>NT Security problems:
>majordomo@ntsecurity@iss.net
>
>At 07:17 AM 5/7/96 -0700, you wrote:
>>
>>Off the subject of firewalls for a moment. Does anyone know the
>>address to a NT list ?? Thanks in-advance.
>>
>>Regards,
>>
>>
>>Mark.Moore@kp.org
>>
>>
><=======10========20====Ruler for Eudora users==50========60========70========80
>William B. Stout | "Official student of 'the internet school of fire'."
>Senior Systems Admin |
>Hitachi Data Systems | "If it's in a textbook, it's obsolete."
>Open Systems Center |
>Santa Clara, California | "My opinions are my own."
>408-970-4822 | #include
><=======10========20========30========40========50========60========70========80
>
>
>

From firewalls-owner Tue May 7 13:27:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22802 for firewalls-outgoing; Tue, 7 May 1996 13:23:19 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA22796 for ; Tue, 7 May 1996 13:23:12 -0700 (PDT)
Received: from gaia.internex.net by relay2.UU.NET with SMTP (peer crosschecked as: gaia.internex.net [198.67.38.22]) id QQaosf19919; Tue, 7 May 1996 16:21:05 -0400 (EDT)
Received: from hidata.com by gaia.internex.net (8.6.9/InterNex-SM8.6.9) id NAA29904; Tue, 7 May 1996 13:14:11 -0700
Received: by hidata.com (SMI-8.6/SMI-SVR4) id NAA04267; Tue, 7 May 1996 13:14:06 -0700
Received: from osc(205.158.62.10) by hds-gw via smap (V1.3) id sma004259; Tue May 7 13:13:59 1996
Received: from enterprise by osc.hidata.com (SMI-8.6/SMI-SVR4) id NAA22299; Tue, 7 May 1996 13:13:58 -0700
Date: Tue, 7 May 1996 13:13:58 -0700
Message-Id: <199605072013.NAA22299@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Firewall location
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Question: If placing a firewall at the internet only addresses 20% of the security breaches, why not address part of the 80% internal breaches by moving (the) firewall towards the servers? Has anyone done this?

| Internet---Router---Desktops---Firewall----Servers/Multiuser systems |

I realize the desktop systems can't have 'services', but hopefully all critical data will reside on servers only.

BTW - This is for Corporate use, not NSA, not CIA, not Military. Unless we use Ranum's V-One smartgate software which encrypts all traffic between desktops and the firewall anyway.

Bill

<=======10========20====Ruler for Eudora users==50========60========70========80
William B. Stout | "Stop socialism in America"
Senior Systems Admin |
Hitachi Data Systems | "Will you just stand idle as the constitution gets
Open Systems Center | hacked for the 'New World Order'?"
Santa Clara, California | 408-970-4822 | #include <=======10========20========30========40========50========60========70========80 From firewalls-owner Tue May 7 13:43:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA24566 for firewalls-outgoing; Tue, 7 May 1996 13:34:10 -0700 (PDT) Received: from tweety.bhp.com.au (tweety.bhp.com.au [192.83.224.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA24550 for ; Tue, 7 May 1996 13:33:57 -0700 (PDT) Received: from gossamer (gossamer.itmel.bhp.com.au [134.18.115.254]) by tweety.bhp.com.au (8.7.5/8.7.5) with ESMTP id HAA08513; Wed, 8 May 1996 07:31:48 +1100 (EST) Received: from stimpy.itmel.bhp.com.au (stimpy.itmel.bhp.com.au [134.18.153.212]) by gossamer (8.7.1/8.7.1) with ESMTP id GAA17768; Wed, 8 May 1996 06:32:01 +1000 (EST) Received: (from ianh@localhost) by stimpy.itmel.bhp.com.au (8.7.1/8.7.1) id GAA14947; Wed, 8 May 1996 06:22:00 +1000 (EST) Date: Wed, 8 May 1996 06:21:59 +1000 (EST) From: Ian Hoyle To: Norm Laudermilch cc: firewalls@GreatCircle.COM Subject: Re: Java problemites In-Reply-To: <318F658B.7991A45@uu.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 7 May 1996, Norm Laudermilch wrote: > In light of the recent discussions on Java security, I think we should > all be *very* interested in the following URL: > > http://www.math.gatech.edu/~mladue/HostileApplets.html Netscape 2.02 has just been released and purports (I'm running it now) to have fixed the security problems found to date (see the release notes ..) Ian Ian Hoyle, Senior Consultant |"Now I've got the bead on you with MY BHP Information Technology | disintegrating gun. And when it disintegrates, 600 Bourke St | brother it disintegrates. (pulls trigger) Melbourne VIC 3000, AUSTRALIA | Well, what do you know, it disintegrated." 
Phone : +61-3-9609-3375 | -- Duck Dodgers in the 24 1/2 century
E-mail: ianh@itmel.bhp.com.au |

From firewalls-owner Tue May 7 13:46:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA17278 for firewalls-outgoing; Tue, 7 May 1996 12:29:08 -0700 (PDT)
Received: from sparc14.cs.uiuc.edu (sparc14.cs.uiuc.edu [128.174.244.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA17270 for ; Tue, 7 May 1996 12:29:02 -0700 (PDT)
Received: (from jwthomp@localhost) by sparc14.cs.uiuc.edu (8.7.5/8.7.3) id OAA08318; Tue, 7 May 1996 14:26:52 -0500 (CDT)
Date: Tue, 7 May 1996 14:26:51 -0500 (CDT)
From: thompson jeffrey w
To: zarquon@popalex1.linknet.net
cc: Firewalls
Subject: Re: Linux network monitoring
In-Reply-To: <199605070544.AAA00353@dsrvlaf1-10.linknet.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 May 1996 zarquon@popalex1.linknet.net wrote:

> Thanks to everyone who gave me feedback on what monitoring software I could
> use on Linux. I'm currently debating whether I should install argus or klaxon,
> and I will probably give both a try to see what works best. Argus has the
> ability to record connection attempts without ever accepting the connection,
> since it operates on the packet level, which is something I wanted. Still, I
> might have to sacrifice that if it eats too much of my cpu time (which isn't
> a whole lot! :) in the process.
>
> Before I get started installing all this, I thought I'd throw out a few more
> questions...
>
> Will Argus receive *all* packets, or just the packets that weren't filtered
> out by the kernel based firewall in Linux?
>
> How would a stealth port scan appear in logs? Is Argus even able to log it?
> Does anyone have a pointer to more information on how these scans work, and
> what can be done to prevent them?

A "stealth" scan is another name for what is termed a SYN scanner.

In TCP, a connection is initiated with a SYN packet. The recipient then acknowledges the SYN, and finally the original sender acknowledges the acknowledgement. So, if you build a scanner which sends out SYNs to every port on a machine you can watch for all of the ACKs. If you see one then you know that the port is active. However, in order to keep simple port monitoring programs from logging this you must not allow the connection to complete. This is done by simply sending a RST (reset) after you see the ACK. This will cause the connection to not be established, thus keeping it from being seen by most port loggers.

However, it is trivial to write a program that watches for SYNs and logs them. I did it in about 5 minutes after seeing a post on this. I'm cleaning it up, and writing a SYN scanner as well. I'll post when the code is available.

As far as stopping these types of scans, it is not possible to stop them directly as they are inherent in the TCP/IP protocol. Good references are the RFCs and any of Comer's or Stevens's books.
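An added example, not code from Jeff's post (he says his own watcher and scanner will follow separately): a small Python model of the exchange he describes. It builds a constructed packet trace containing one ordinary connection and one half-open scan, then runs two observers over it: an accept()-style logger that only records completed handshakes, and a packet-level SYN watcher. The addresses, port list and threshold are made up for the example.

```python
"""Added example, not code from the post: a packet-level SYN watcher
beside an accept()-style connection logger, both run over a constructed
trace holding one ordinary connection and one half-open SYN scan."""
from collections import defaultdict

# Constructed trace records: (time, src, dst, dst_port, flags)
SYN, ACK, RST = "S", "A", "R"
SYNACK = SYN + ACK

def scanner_exchange(attacker, target, ports, open_ports, t0=0.0):
    """Packets of a half-open scan: a SYN to each port; an open port answers
    SYN/ACK and the scanner replies with RST instead of the final ACK, so
    no handshake ever completes; a closed port just answers RST."""
    pkts, t = [], t0
    for p in ports:
        pkts.append((t, attacker, target, p, SYN))
        if p in open_ports:
            pkts.append((t + 0.001, target, attacker, p, SYNACK))
            pkts.append((t + 0.002, attacker, target, p, RST))
        else:
            pkts.append((t + 0.001, target, attacker, p, RST))
        t += 0.01
    return pkts

def full_connection(client, server, port, t0=0.0):
    """A normal three-way handshake."""
    return [(t0, client, server, port, SYN),
            (t0 + 0.001, server, client, port, SYNACK),
            (t0 + 0.002, client, server, port, ACK)]

def accept_logger(pkts):
    """What an application-level monitor (a wrapper, a daemon's own log)
    sees: only handshakes that reach the third packet.  Returns the set of
    (client, server, port) connections that completed."""
    state, completed = {}, set()
    for _, src, dst, port, flags in pkts:
        fwd, rev = (src, dst, port), (dst, src, port)
        if flags == SYN:
            state[fwd] = "syn"
        elif flags == SYNACK and state.get(rev) == "syn":
            state[rev] = "synack"
        elif flags == ACK and state.get(fwd) == "synack":
            completed.add(fwd)
        elif flags == RST:
            state.pop(fwd, None)
            state.pop(rev, None)
    return completed

def syn_watcher(pkts, threshold=5):
    """Packet-level watcher: record every initial SYN per (src, dst), and
    flag a source that probes more than `threshold` distinct ports on a
    host without completing a single handshake there."""
    syns = defaultdict(set)
    for _, src, dst, port, flags in pkts:
        if flags == SYN:
            syns[(src, dst)].add(port)
    completed = accept_logger(pkts)
    flagged = {}
    for (src, dst), ports in syns.items():
        done = {p for s, d, p in completed if (s, d) == (src, dst)}
        if len(ports) > threshold and not done:
            flagged[(src, dst)] = sorted(ports)
    return dict(syns), flagged

def demo():
    """One legitimate SMTP connection, then a 20-port half-open scan."""
    trace = full_connection("10.0.0.5", "10.0.0.1", 25, t0=0.0)
    trace += scanner_exchange("192.0.2.9", "10.0.0.1", range(1, 21), {22, 25, 80}, t0=1.0)
    trace.sort(key=lambda p: p[0])
    syns, flagged = syn_watcher(trace)
    return accept_logger(trace), syns, flagged

if __name__ == "__main__":
    completed, syns, flagged = demo()
    print("connections the accept() logger saw:", completed)
    print("sources flagged by the SYN watcher:", flagged)
```

The accept()-style logger sees only the legitimate SMTP connection; the scanner never appears in it, which is exactly why it is called "stealth". The SYN watcher sees twenty SYNs from one source with no completed handshake and flags it. On a real wire the records come from a packet capture rather than a constructed list, but the logic is the same: the SYN has to be sent, so it can always be logged.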
Jeff Thompson Jeff Thompson(jwthomp@uiuc.edu) Argus Systems Group http://www.uiuc.edu/ph/www/jwthomp - Trusted Network Kernel Developer ACM at UIUC Vice Chair / SigNET Chair Member *The Guild From firewalls-owner Tue May 7 14:03:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22551 for firewalls-outgoing; Tue, 7 May 1996 13:19:33 -0700 (PDT) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA22544 for ; Tue, 7 May 1996 13:19:27 -0700 (PDT) From: marchany@vtserf.cc.vt.edu Received: from vtserf.cc.vt.edu by relay4.UU.NET with SMTP (peer crosschecked as: vtserf.CC.VT.EDU [128.173.4.6]) id QQaosf20127; Tue, 7 May 1996 16:17:17 -0400 (EDT) Received: by vtserf.cc.vt.edu (5.65/DEC-Ultrix/4.3) id AA01039; Tue, 7 May 1996 16:16:48 -0400 Message-Id: <9605072016.AA01039@vtserf.cc.vt.edu> To: john mulligan Cc: firewalls@greatcircle.com, marchany@vtserf.cc.vt.edu Subject: Re: Fakemail (contacting sysadmins) In-Reply-To: Your message of "Tue, 07 May 96 14:32:34 EDT." <2.2.32.19960507183234.8693c8fc@lafvax.lafayette.edu> Date: Tue, 07 May 96 16:16:42 -0400 X-Mts: smtp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >What if he runs a network (like mine) where such information is not even >kept? What if the user came in over a dialup account, or a guest account? Hopefully, your policy will dictate how people access your network. If you don't have that in place, you're asking for trouble. I am making the assumption that you live in the 1 person/1 acct world (I know, I know....:-)). Again, it doesn't matter whether the access is via dialup or guest or whatever, the access information can and should be logged. You don't have to keep the logs online, you just have to save them. >Perhaps ISP fake mail can be traced with cooperation of a sysadmin, but >educational sites are far beyond that. 
We're an edu site with 45,000 mail users and we average about 7 email related complaints (forged mail, abusive mail, etc.) a week. Yes, we have public labs and yes, we've had to modify our signup procedures in order to help us track who signed on the machine (yeah, student X uses machine Y and when done, they sign out). We started out with no access controls and then had to tighten up. It's a pain but we were forced to do that. Nothing like having a faculty member or university admin being victimized to get the ol' ball rolling. Actually, we've had better luck tracking thru other edu sites because they're in the same boat. Most ISP's usually don't have as much experience in that type of management. I've traced stuff back to an ISP only to have them tell me that they don't keep logs and the trail ends there. Sometimes the abuser knows that and continues to go thru that channel. My point in my earlier post (the one that triggered that 'track this' message) is that if all the components in the net (and that does include remote sites...we are in this together) such as tacacs, sendmail, last, tcp wrapper, usenet and syslog logs are kept, it's possible to trace an event back to a machine. Yes, it's a pain and how much effort is spent depends on the severity of the event. Yes, it's hard to prove WHO was actually at the machine/acct but that's another matter. The only thing I can add is that once it happens to you, you realize what needs to be in place. 
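As an added example, not code from Randy's post or from anyone on the list: the correlation he describes, carried through in Python on constructed logs. It takes the Received header that your own mail hub wrote, pulls out the relaying host and the hub's timestamp, finds the matching sendmail syslog entry for that relay in a short time window, and then lists the login sessions (from `last`-style records kept on that machine) that span the moment of injection. Hostnames, addresses, queue ids, user names and all log lines are made up for the example.

```python
"""Added example, not from the post: correlate a forged message's
Received header with sendmail syslog and `last` login records to
narrow the source to a machine and a login session.  All log lines
are constructed for this example."""
import re
from datetime import datetime, timedelta

YEAR = 1996  # syslog lines carry no year; assumed from the incident date

# Only the Received header written by YOUR hub is trustworthy; anything
# the forger typed below it in the message can be invented.
RECEIVED = ("Received: from lab23.example.edu (lab23.example.edu [192.0.2.23]) "
            "by mailhub.example.edu (8.7.5/8.7.3) with SMTP id OAA04618; "
            "Tue, 7 May 1996 14:32:11 -0400 (EDT)")

SENDMAIL_LOG = """\
May  7 14:31:58 mailhub sendmail[4618]: OAA04618: from=<dean@example.edu>, size=611, class=0, pri=30611, nrcpts=1, msgid=<199605071831.OAA04618@mailhub.example.edu>, proto=SMTP, relay=lab23.example.edu [192.0.2.23]
May  7 14:32:11 mailhub sendmail[4620]: OAA04618: to=<victim@example.edu>, delay=00:00:13, mailer=local, stat=Sent
May  7 14:40:02 mailhub sendmail[4701]: OAA04701: from=<alice@example.edu>, size=120, class=0, pri=30120, nrcpts=1, msgid=<x@lab09.example.edu>, proto=SMTP, relay=lab09.example.edu [192.0.2.9]
"""

# `last` output from lab23 itself: user, tty, origin (empty for console), login - logout
LAST_LOG = """\
stu4471  console                       Tue May  7 14:10 - 14:45  (00:35)
stu1190  console                       Tue May  7 12:50 - 13:55  (01:05)
stu2208  ttyp0    dialup17.example.edu Tue May  7 14:20 - 14:38  (00:18)
"""

RECEIVED_RE = re.compile(
    r"from (\S+) \(\S+ \[(\d+\.\d+\.\d+\.\d+)\]\).*?;\s*\w{3}, (\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d)")
SENDMAIL_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\w+): (.*)$")
LAST_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S*?)\s*(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(\w{3})\s+(\d+)\s+(\d\d:\d\d) - (\d\d:\d\d)")

def parse_received(header):
    """Relay host, relay IP and the hub's own timestamp from a Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received header")
    when = datetime.strptime(m.group(3), "%d %b %Y %H:%M:%S")
    return {"relay_host": m.group(1), "relay_ip": m.group(2), "when": when}

def syslog_time(month, day, hms):
    return datetime.strptime(f"{YEAR} {month} {day} {hms}", "%Y %b %d %H:%M:%S")

def sendmail_entries(log, relay_ip, when, window=timedelta(minutes=5)):
    """Sendmail 'from=' lines that name the relay IP within the time window."""
    hits = []
    for line in log.splitlines():
        m = SENDMAIL_RE.match(line)
        if not m:
            continue
        month, day, hms, qid, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split(", ") if "=" in kv)
        if "from" not in fields or relay_ip not in fields.get("relay", ""):
            continue
        t = syslog_time(month, day, hms)
        if abs(t - when) <= window:
            hits.append({"queue_id": qid, "from": fields["from"], "time": t})
    return hits

def sessions_covering(last_log, when):
    """Logins on the relaying machine whose [login, logout] spans the time."""
    found = []
    for line in last_log.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue
        user, tty, origin, month, day, start, end = m.groups()
        t_in = datetime.strptime(f"{YEAR} {month} {day} {start}", "%Y %b %d %H:%M")
        t_out = datetime.strptime(f"{YEAR} {month} {day} {end}", "%Y %b %d %H:%M")
        if t_in <= when <= t_out:
            found.append({"user": user, "tty": tty, "origin": origin})
    return found

def trace(received=RECEIVED, sendmail_log=SENDMAIL_LOG, last_log=LAST_LOG):
    """Header -> relaying machine -> queue id -> candidate login sessions."""
    r = parse_received(received)
    entries = sendmail_entries(sendmail_log, r["relay_ip"], r["when"])
    # Query the machine's logins at the moment of injection, not of delivery.
    at = entries[0]["time"] if entries else r["when"]
    return {"machine": r["relay_host"], "entries": entries,
            "sessions": sessions_covering(last_log, at)}

if __name__ == "__main__":
    print(trace())
```

On the constructed data the trail ends at lab23 with two sessions open at 14:31 (one on the console, one dialled in), which is Randy's point: the logs get you to a machine and a short list of accounts, and proving who was actually sitting there is a separate matter. The window and the trust in the hub's own Received line are the two assumptions that make this work; a Received header the forger wrote himself proves nothing.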
"A conservative is a liberal who's been mugged" "A liberal is a conservative who's been arrested" -Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 From firewalls-owner Tue May 7 14:12:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA19234 for firewalls-outgoing; Tue, 7 May 1996 12:46:18 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA19164 for ; Tue, 7 May 1996 12:45:58 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id MAA18743; Tue, 7 May 1996 12:38:12 -0700 Received: from unknown(199.2.194.14) by mycroft via smap (V1.3mjr) id sma018741; Tue May 7 12:37:24 1996 Received: by europa.com (/\==/\ Smail3.1.28.1 #28.13) id ; Tue, 7 May 96 12:40 PDT Received: from pcmail by NMHG.com (4.1/SMI-4.1) id AA09273; Tue, 7 May 96 12:30:17 PDT Received: by pcmail with Microsoft Mail id <318FA4A7@pcmail>; Tue, 07 May 96 12:29:43 PDT From: "Mathes, Jeff" To: "'Firewalls Digest'" Subject: RE: Firewall Setup Date: Tue, 07 May 96 12:27:00 PDT Message-Id: <318FA4A7@pcmail> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Look into Instant Internet ($3,000) from Performance Technologies (a Bay company). It does IP to IPX routing as well as application proxies. ---------- From: Gopakumar Chirukandath To: 'Firewall Discussion Group' Subject: Firewall Setup Date: Friday, May 03, 1996 1:13PM We are setting Internet Server and an Intranet server. These are Windows NT Based. Could someone suggest a good firewall product. We have about 50 users on the LAN. 
gopa@bc.cybernex.net Gopakumar Chirukandath From firewalls-owner Tue May 7 14:29:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA29265 for firewalls-outgoing; Tue, 7 May 1996 14:21:47 -0700 (PDT) Received: from madge.dhss.state.wi.us (madge.dhss.state.wi.us [165.189.41.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA29259 for ; Tue, 7 May 1996 14:21:41 -0700 (PDT) Received: by madge.dhss.state.wi.us; id AA06877; Tue, 7 May 96 16:17:43 CDT Received: from tomodachi.dhss.state.wi.us(159.158.53.9) by madge.dhss.state.wi.us via smap (g3.0.3) id xma006859; Tue, 7 May 96 16:17:33 -0500 Received: from DHSS.STATE.WI.US by tomodachi.dhss.state.wi.us (SMI-8.6/SMI-SVR4) id QAA01447; Tue, 7 May 1996 16:17:45 -0500 Received: from DHSS1-Message_Server by DHSS.STATE.WI.US with Novell_GroupWise; Tue, 07 May 1996 16:21:20 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 07 May 1996 16:20:55 -0500 From: Kevin Cherek To: firewalls@greatcircle.com Subject: Gauntlet and tn3270 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, We're running Gauntlet v 3.0 as supplied by Mergent International. They claim that the tn3270 proxy is part of the telnet proxy and operates on port 23. Thus it can supposedly be configured for transparent operation if desired with connections initiated from inside the firewall to hosts on the outside. If your tn3270 is running on a non-standard port then you must implement a plug-gw for it. Since our tn3270 is operating on a non-standard port (connections are initiated from behind the firewall with hosts outside) I was never able to verify Mergent's position. However, I find it interesting that the keyword 'tn3270' is absent from their documentation. 
I haven't tried this but I believe this is how it's supposed to work: To initiate a tn3270 session from the outside with a host on the inside you'd (presumably) specify the external interface of the firewall as your tn3270 host from within your tn3270 terminal emulator. Once connected to the firewall, you'd use the 'connect' option to establish a session with the real 3270 host (after verifying who you are). The firewall proxy makes no distinction between telnet and tn3270 traffic.

Later...

Kevin Cherek
Wisconsin Dept. of Health and Social Services

-------------------------------------------------------------------------------------
Steve writes...

From: "Steven E. Matkoski"
Date: Tue, 07 May 1996 08:43:35 -0400
Subject: gauntlet - TN3270 proxy?

I would like to know how the tn3270 proxy works on the Gauntlet firewall? Does it use a true tn3270 proxy or do users telnet as vtxxx's and then telnet out as 3270 terminals? We are trying to configure the latter on the IBM NetSP and are getting nowhere. I am thinking of changing to Gauntlet on Solaris if it allows connections from tn3270 clients.

--
Thanks!
-steve.
matkoski@dreamscape.com From firewalls-owner Tue May 7 14:39:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA18876 for firewalls-outgoing; Tue, 7 May 1996 12:44:00 -0700 (PDT) Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA18838; Tue, 7 May 1996 12:43:43 -0700 (PDT) Received: from dasmts.imc.das.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id PAA12478; Tue, 7 May 1996 15:17:17 -0400 (EDT) Received: from mts.dec.com by dasmts.imc.das.dec.com (PMDF V5.0-7 #16470) id <01I4FG39N4OG007QH5@dasmts.imc.das.dec.com>; Tue, 07 May 1996 15:14:52 -0400 (EDT) Received: with PMDF-MR; Tue, 07 May 1996 19:13:56 +0000 (GMT) MR-Received: by mta MSDOA2; Relayed; Tue, 07 May 1996 19:13:56 +0000 MR-Received: by mta SOAREA; Relayed; Tue, 07 May 1996 19:12:43 +0000 MR-Received: by mta DASMTS; Relayed; Tue, 07 May 1996 19:14:34 +0000 Alternate-recipient: prohibited Date: Tue, 07 May 1996 19:11:11 +0000 (GMT) From: "WENDY HEDGPETH @CEO 704-827-7687" Subject: Re: Firewall/Internet Security Policies 1 In-reply-to: To: firewalls-owner Cc: dabasing , firewalls Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Posting-date: Tue, 07 May 1996 19:13:00 +0000 (GMT) Importance: normal UA-content-id: E1593ZWHFLR66Z X400-MTS-identifier: [;65319170506991/3285716@MSDOA] A1-type: MAIL Hop-count: 3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Saundra Anderson Digital Equipment Corporation telephone #301-918-5859 Digital offers Security Reviews of various systems and assist with creation of security policies. 
From firewalls-owner Tue May 7 14:43:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA20645 for firewalls-outgoing; Tue, 7 May 1996 12:59:12 -0700 (PDT)
Received: from europa.com ([199.2.194.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA20601 for ; Tue, 7 May 1996 12:58:59 -0700 (PDT)
Received: by europa.com (/\==/\ Smail3.1.28.1 #28.13) id ; Tue, 7 May 96 12:55 PDT
Received: from pcmail by NMHG.com (4.1/SMI-4.1) id AA09313; Tue, 7 May 96 12:44:16 PDT
Received: by pcmail with Microsoft Mail id <318FA7EE@pcmail>; Tue, 07 May 96 12:43:42 PDT
From: "Mathes, Jeff"
To: "'Firewalls Digest'"
Subject: Re: Firewalls-Digest V5 #289
Date: Tue, 07 May 96 12:42:00 PDT
Message-Id: <318FA7EE@pcmail>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

BoardWatch Magazine is coming out with just such a book in the near future.

----------
From: Paul Ferguson
To: casey
Cc: Firewalls
Subject: Re: Firewalls-Digest V5 #289
Date: Friday, May 03, 1996 4:01PM

Try: http://www.thelist.com

- paul

At 02:03 PM 5/3/96 -0400, casey@justice.usdoj.gov wrote:
>I am looking for a list of all the Internet
>Service Providers world-wide. Can anyone point me
>in the right direction?
>
>Thanks in advance,
>
>Mary L. Casey, Program Analyst
>Information Management &
> Security Staff
>Information Resources Management
>Justice Management Division
>U.S. Dept of Justice
>

--
Paul Ferguson || ||
Consulting Engineering || ||
Reston, Virginia USA |||| ||||
tel: +1.703.716.9538 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Tue May 7 14:57:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA00194 for firewalls-outgoing; Tue, 7 May 1996 14:33:15 -0700 (PDT) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA00167 for ; Tue, 7 May 1996 14:33:05 -0700 (PDT) Received: from netaccess.leg.wa.gov by relay5.UU.NET with SMTP (peer crosschecked as: netaccess.leg.wa.gov [198.238.209.5]) id QQaosk12941; Tue, 7 May 1996 17:31:01 -0400 (EDT) Received: by netaccess.leg.wa.gov; id OAA01768; Tue, 7 May 1996 14:28:25 -0700 Received: from unknown(161.240.15.232) by netaccess.leg.wa.gov via smap (V3.1) id xma001731; Tue, 7 May 96 14:28:05 -0700 Received: from legmail.leg.wa.gov by leg.wa.gov (PMDF V5.0-7 #11571) id <01I4FEGJSDC090QIRD@leg.wa.gov> for Firewalls@GreatCircle.COM; Tue, 07 May 1996 14:28:03 -0700 (PDT) Received: by legmail.leg.wa.gov with Microsoft Exchange (IMC 4.0.837.3) id <01BB3C21.66056EC0@legmail.leg.wa.gov>; Tue, 07 May 1996 14:28:02 -0700 Date: Tue, 07 May 1996 14:28:01 -0700 From: "Fry, Jason" Subject: RE: gauntlet - TN3270 proxy? To: "'Firewalls@GreatCircle.COM'" Message-id: MIME-version: 1.0 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't know of a separate TN3270 proxy. TN3270 should just be using the telnet protocol and should use the basic telnet proxy on the firewall. When I install TN3270 on Windows clients, I don't have to touch the telnet proxy at all. Jason Fry Washington State Legislative Service Center fry_ja@leg.wa.gov >---------- >From: Steven E. 
Matkoski[SMTP:matkoski@dreamscape.com] >Sent: Tuesday, May 07, 1996 5:43 AM >To: Firewalls@GreatCircle.COM >Cc: matkoski@dreamscape.com >Subject: gauntlet - TN3270 proxy? > >I would like to know how the tn3270 proxy works on the Gauntlet >firewall? Does it use a true tn3270 proxy or do users telnet as >vtxxx's and then telnet out as 3270 terminals? We are trying to >configure the latter on the IBM NetSP and are getting nowhere. I >am thinking of changing to Gauntlet on Solaris if it allows >connections from tn3270 clients. > >-- >Thanks! >-steve. >matkoski@dreamscape.com > From firewalls-owner Tue May 7 14:59:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA18511 for firewalls-outgoing; Tue, 7 May 1996 12:41:48 -0700 (PDT) Received: from pegasus.mobil.com (pegasus.mobil.com [131.126.220.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA18503 for ; Tue, 7 May 1996 12:41:43 -0700 (PDT) Received: (from daemon@localhost) by pegasus.mobil.com (Mobil-3/pegasus-4) id OAA16165; Tue, 7 May 1996 14:41:52 -0500 Received: from dlsn30.dal.mobil.com(131.126.10.77) by pegasus via smap (V1.3) id sma016154; Tue May 7 14:41:40 1996 Received: from dalsn092.rtd.mobil.com (dalsn092.dal.mobil.com) by dal.mobil.com (4.1/SMI-4.1-R) id AA04472; Tue, 7 May 96 14:39:38 CDT Received: from DALPC39D (dalpc39d.dal.mobil.com) by dalsn092.rtd.mobil.com (5.x/SMI-SVR4) id AA00157; Tue, 7 May 1996 14:42:32 -0500 Date: Tue, 7 May 1996 14:42:32 -0500 Message-Id: <9605071942.AA00157@dalsn092.rtd.mobil.com> X-Sender: oemaster@dalsn092.dal.mobil.com X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: oemaster@dal.mobil.com (oscar masters) Subject: Re: gauntlet - TN3270 proxy? Cc: matkoski@dreamscape.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I would like to know how the tn3270 proxy works on the Gauntlet >firewall? 
>Does it use a true tn3270 proxy or do users telnet as
>vtxxx's and then telnet out as 3270 terminals? We are trying to
>configure the latter on the IBM NetSP and are getting nowhere. I
>am thinking of changing to Gauntlet on Solaris if it allows
>connections from tn3270 clients.
>

Gauntlet does not use a true tn3270 proxy. We must first telnet to the firewall and then telnet to the TN3270 application. However the first Telnet is performed under a TN3270 client and the second telnet is the standard tn-gw.

We found that standard Winsock TN3270 clients required no special customization but using X-based TN3270 clients required additional parameterization to support Binary & EOR Modes. This was not an issue for Winsock based clients but it was an issue for Xterm based clients. Most X-Based Clients have an option that allows the Xterm to emulate an X.64 terminal until the host puts it into 3270 mode. For example the logon string for X3270 is as follows:

X3270 -model 2 -efont 3270-12 a:

>--
>Thanks!
>-steve.
>matkoski@dreamscape.com > > From firewalls-owner Tue May 7 15:27:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04824 for firewalls-outgoing; Tue, 7 May 1996 15:12:43 -0700 (PDT) Received: from service.britgas.co.uk (gate.britgas.co.uk [193.133.101.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA04777 for ; Tue, 7 May 1996 15:12:32 -0700 (PDT) Received: (from daemon@localhost) by service.britgas.co.uk (8.6.12/8.6.9) id XAA15125; Tue, 7 May 1996 23:14:00 +0100 To: firewalls@greatcircle.com Path: not-for-mail From: "WENDY HEDGPETH @CEO 704-827-7687"" -a"@service.britgas.co.uk Newsgroups: britgas.maillist.firewalls Subject: Re: Firewall/Internet Security Policies 1 Date: 7 May 1996 23:13:59 +0100 Organization: British Gas Service Lines: 6 Message-ID: <4mohv7$eoi@gate.service.britgas.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Saundra Anderson Digital Equipment Corporation telephone #301-918-5859 Digital offers Security Reviews of various systems and assist with creation of security policies. 
From firewalls-owner Tue May 7 15:41:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA06442 for firewalls-outgoing; Tue, 7 May 1996 15:26:06 -0700 (PDT)
Received: from issfw.palomar.edu (issfw.palomar.edu [192.30.115.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA06407 for ; Tue, 7 May 1996 15:25:54 -0700 (PDT)
Received: from issfw.palomar.edu (daemon@localhost) by issfw.palomar.edu (8.7.2/8.7.2) with ESMTP id PAA26139 for ; Tue, 7 May 1996 15:24:57 -0700 (PDT)
Received: from hal.palomar.edu (hal.palomar.edu [191.30.115.11]) by issfw.palomar.edu (8.7.2/8.7.2) with SMTP id PAA26135 for ; Tue, 7 May 1996 15:24:57 -0700 (PDT)
Received: from [191.30.115.237] by hal.palomar.edu with SMTP (16.7/16.2) id AA03652; Tue, 7 May 96 15:25:05 -0700
X-Sender: mark@hal.palomar.edu
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 7 May 1996 15:30:39 -0800
To: firewalls@GreatCircle.COM
From: mark@issfw.palomar.edu (Mark Hopkins)
Subject: DMZ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for info on setting up a DMZ; anybody know where a FAQ or other info on the subject resides?

Mark Hopkins (mark@palomar.edu)
Palomar College
Information Systems & Services

From firewalls-owner Tue May 7 16:00:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA07649 for firewalls-outgoing; Tue, 7 May 1996 15:37:26 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA07609 for ; Tue, 7 May 1996 15:37:16 -0700 (PDT)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id SAA22748; Tue, 7 May 1996 18:35:11 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id SAA03424; Tue, 7 May 1996 18:35:05 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Tue, 7 May 1996 18:35:03 -0400 (EDT)
From: "Paul D. Robertson"
To: "Steven E. Matkoski"
cc: Firewalls@GreatCircle.COM
Subject: Re: gauntlet - TN3270 proxy?
In-Reply-To: <318F4577.4480@dreamscape.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 7 May 1996, Steven E. Matkoski wrote:

> I would like to know how the tn3270 proxy works on the Gauntlet
> firewall? Does it use a true tn3270 proxy or do users telnet as
> vtxxx's and then telnet out as 3270 terminals? We are trying to
> configure the latter on the IBM NetSP and are getting nowhere. I
> am thinking of changing to Gauntlet on Solaris if it allows
> connections from tn3270 clients.
>

Since tn3270 is a pseudo protocol, I think that part of the answer lies in how it is implemented. I know that out of the two main IP stack vendors for mainframes, one of them does all the session negotiation in EBCDIC, and the other will negotiate its way into EBCDIC mode starting with ASCII. Some tn3270 clients also have trouble with this. You may want to log the data at both ends, and see if this is what is happening.

I'd guess that most proxies don't handle this very well, and you may indeed end up running plug-gw to handle this, assuming that fits your policy. You can run plug-gw on your SNG box so long as you make the appropriate filter changes.

Hope this helps some,

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Tue May 7 18:17:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA18558 for firewalls-outgoing; Tue, 7 May 1996 18:04:17 -0700 (PDT)
Received: from igate.hibbertco.com (hibbertco.com [204.240.226.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA18543 for ; Tue, 7 May 1996 18:04:09 -0700 (PDT)
Received: by igate.hibbertco.com (5.x/) id AA14247; Tue, 7 May 1996 19:02:39 -0600
Received: from imailgw(204.240.226.72) by igate via smap (V1.3) id sma014245; Tue May 7 19:02:13 1996
Message-Id:
Date: 7 May 1996 19:01:57 -0700
From: "Anton Rager"
Subject: More HTTP-GW Hacking.......
To: "firewall-digest"
X-Mailer: Mail*Link SMTP-MS 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello again all,

Here are the beginnings of an exploit for HTTP-GW 1.0 on FWTK... I don't know if it works for other versions of firewalls and the proxy. Looks like something to think about to me!!

Try this from a workstation that has HTTP proxy access to your firewall.

1 - telnet to proxy server on port 80
2 - type -- gopher://anyhost:anyport/0commands

This should return things like SMTP greetings, FTP greetings, etc....... depending on service accessed. This allows a user who may not have Telnet, SMTP, FTP, NFS access to access them via the http-gw (can bypass firewall rules for Telnet, FTP....).
I haven't figured out how to embed hard returns in the gopher string, but I have been able to pass things like 'user root' to ftp -- just can't quite figure out how to get ftp to recognize the password.

I found this after investigating the big hole I had with some rules in my http-gw [earlier post today about sparc.berkeley.edu -- I found out that sparc.berkeley.edu is some sort of www robot]. I assume that this could also be accomplished via a http:// or ftp:// url also with a little creativity.

This definitely is one of the many good reasons why a WWW server should be outside the firewall... Then you only have to worry about internal users hacking the http proxy!!

Anyone else have comments, thoughts, or experiences with this??

Anton Rager
arager@hibbertco.com

From firewalls-owner Tue May 7 19:28:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA22374 for firewalls-outgoing; Tue, 7 May 1996 19:14:03 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA22359 for ; Tue, 7 May 1996 19:13:40 -0700 (PDT)
Message-Id: <199605080213.TAA22359@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA069871487; Wed, 8 May 1996 12:11:27 +1000
From: Darren Reed
Subject: Normal Firewall, anyone ?
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Wed, 8 May 1996 12:11:27 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(This is regarding "The Age", Tuesday 7 May, 1996, a newspaper local to Melbourne, Australia)

In one article titled "Firewall makes intruders hot under the collar", an ex-US Army Signals Intelligence officer (current army reserve major) Jay Nispel had a few interesting things to say about current firewalls and hackers.

The article goes on to say 'Nispel says approximately two-thirds of the firewalls in the market have been built on top of routers and they are essentially filters based on IP addresses. The other one-third are built on classical secure computers, certified systems. "These higher-end products are pretty much all dual-home proxy servers. That means there are two network cards: one to the wider, unsecure network and the other to the secure, or local area network; and the magic firewall performs is between those two network cards. You don't ever let them talk directly to each other." Nispel said his product came out of the US Government's Department of Defence need to secure a network that contained classified data yet is able to communicate out to the Internet, as well as to other wide-area network environments.'

Nispel is, according to the article, the president of Internet Security Inc. for which Norman Data defence systems is a parent company. Their firewall is known as the "Norman Firewall" - does anyone have a URL for them ?

Another article, from the same paper, same day, about an Australian Army Major, Nic Chandler, was titled "Study finds hackers can be handy". The most annoying statement is:

'Most sites that have been "hacked" are based on the UNIX operating system, and the study concludes that all sites that use UNIX are basically insecure.'

The rest of the article goes on to explain the difference between hackers who do it for malicious reasons and those who do it to `learn'. Read the wrong way, it is almost encouraging hacking (or supportive of hackers).

Darren

From firewalls-owner Tue May 7 20:12:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA24237 for firewalls-outgoing; Tue, 7 May 1996 20:04:15 -0700 (PDT)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA24231 for ; Tue, 7 May 1996 20:04:11 -0700 (PDT)
Received: by gauntlet-1.trusted.com; id XAA00338; Tue, 7 May 1996 23:14:29 -0400
Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1) id xma000334; Tue, 7 May 96 23:14:13 -0400
Received: from localhost by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA00149; Tue, 7 May 96 23:03:40 -0400
Message-Id: <9605080303.AA00149@hilo.trusted.com>
To: "Anton Rager"
Cc: firewalls@greatcircle.com
Subject: Re: More HTTP-GW Hacking.......
In-Reply-To: Your message of "07 May 1996 19:01:57 EDT."
Date: Tue, 07 May 1996 23:03:39 EDT
From: "Rick Murphy"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Here are the beginnings of an exploit for HTTP-GW 1.0 on FWTK...I don't know
>if it works for other versions of firewalls and the proxy. Looks like
>something to think about to me!!

An interesting idea, however it's only that - you can't use the http proxy from the untrusted side of the firewall unless things are very badly misconfigured (if a random hacker on the internet can use your http-gw to look at inside machines, you're wide open.)

>I haven't figured out how to embed hard returns in the gopher string ...

The 2.0 http-gw explicitly removes hard returns from URLs. Now you know why.
-Rick

From firewalls-owner Tue May 7 22:26:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA27734 for firewalls-outgoing; Tue, 7 May 1996 22:13:37 -0700 (PDT)
Received: from po-external.FCNBD.COM (po-external.FCNBD.COM [147.113.146.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA27726 for ; Tue, 7 May 1996 22:13:32 -0700 (PDT)
Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.112.122]) by po-external.FCNBD.COM (8.7.2/fcnbd/domain/1.5) with ESMTP id AAA06892; Wed, 8 May 1996 00:13:43 -0500 (CDT)
Received: from abacab.cmg.FCNBD.COM (abacab.cmg.FCNBD.COM [147.113.112.11]) by po-internal.FCNBD.COM (8.7.2/fcnbd/internal-domain/1.4) with ESMTP id AAA00955; Wed, 8 May 1996 00:12:06 -0500 (CDT)
Received: from abernathy.fnbc.com (pmarc@abernathy.FNBC.COM [147.113.112.83]) by abacab.cmg.FCNBD.COM (8.7.2/fcnbd/server-subdomain/2.1) with ESMTP id AAA27487; Wed, 8 May 1996 00:10:13 -0500 (CDT)
Received: (from pmarc@localhost) by abernathy.fnbc.com (8.7.3/8.7.1) id AAA00279; Wed, 8 May 1996 00:11:13 -0500 (CDT)
Message-Id: <199605080511.AAA00279@abernathy.fnbc.com>
MIME-Version: 1.0 (NeXT Mail 3.3risc v118.3)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <199605072013.NAA22299@osc.hidata.com>
X-Nextstep-Mailer: Mail 3.3 (Enhance X)
Received: by NeXT.Mailer (1.118.3)
From: "Paul M. Cardon"
Date: Wed, 8 May 96 00:11:00 -0500
To: Bill Stout
Subject: Re: Firewall location
cc: Firewalls@GreatCircle.COM
Reply-To: pmarc@fnbc.com
References: <199605072013.NAA22299@osc.hidata.com>
X-Warners: Yakko, Wakko, and Dot
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My MUA insists that Bill Stout wrote:
> If placing a firewall at the internet only addresses 20% of the
> security breaches, why not address part of the 80% internal
> breaches by moving (the) firewall towards the servers?
>
> Has anyone done this?
>
> Internet---Router---Desktops---Firewall----Servers/Multiuser systems
>
> I realize the desktop systems can't have 'services', but hopefully
> all critical data will reside on servers only.

The issue I have with this is the trust that is necessary between the servers and desktop systems. I see firewalls primarily sitting at the interface between networks (Internet or, as much as I hate to use a new buzzword, Intranet). I agree that it could be useful to have some of the same functionality of a firewall where you suggest in certain environments, but not likely a full-blown firewall.

However, simply shifting or expanding the location of the firewall(s) misses the entire point of this 75-80% that has become so hip to mention lately. While critical data may 'reside' only on the servers, people need to see it for it to be useful. It will reach the desktop and the network the desktop uses in some form. To cover this part, security at the host, network, and social levels needs to be examined as well.

---
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
pmarc@cmg.fcnbd.com - (312) 732-7392

I never give them hell. I just tell the truth and they think it's hell. - H. Truman

MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e

From firewalls-owner Tue May 7 23:56:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA02659 for firewalls-outgoing; Tue, 7 May 1996 23:51:50 -0700 (PDT)
Received: from relay.datev.de (relay.datev.de [193.27.48.40]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA02653 for ; Tue, 7 May 1996 23:51:37 -0700 (PDT)
Received: from p07948t0.datev.de ([172.16.201.108]) by relay.datev.de with SMTP (1.37.109.16/16.2) id AA218968698; Wed, 8 May 1996 08:58:18 +0200
Date: Wed, 8 May 96 08:28:26 PDT
From: Juergen Mueller
Subject: RE: Normal Firewall, anyone ?
To: Darren Reed
Cc: firewalls@greatcircle.com
X-Priority: 3 (Normal)
X-Mailer: Chameleon 4.6, TCP/IP for Windows, NetManage Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Wed, 8 May 1996 12:11:27 +1000 (EST) Darren Reed wrote:

>(This is regarding "The Age", Tuesday 7 May, 1996, a newspaper local to
> Melbourne, Australia)
[..deleted...]
>
>Nispel is, according to the article, the president of Internet Security
>Inc. for which Norman Data defence systems is a parent company. Their
>firewall is known as the "Norman Firewall" - does anyone have a URL for
>them ?
>
[...deleted...]
>
>Darren
>
-----------------End of Original Message-----------------

Hello!

Here is the URL for Norman Data Defense: http://www.norman.com

Some people from Norman visited our company for a presentation of their Firewall last week. IMHO, the main goal of the product is to have security mechanisms similar to those of IBM RACF or CA-Unicenter. That means you can e.g. define classes of users with defined access rights to network resources. You have very sophisticated capabilities for auditing and logging. The product was developed for military purposes and is B1-certified. But it seems to me that they integrated the Internet-Firewall mechanisms "on top" of the system. So I'm not sure if this product can handle the challenges of a real Internet Firewall, for that's not the aim it was first developed for. But this is only my personal opinion (and the opinion of some co-employees here ;-) ). Just take a look at the product and see...

Hope that helps.

greetinx
Juergen

----------------------------+---------------------------------------
Dipl. Ing. Juergen Mueller | "Eaten any good books lately?"
Datev e.G. | -- Q to Worf in TNG --
Abt. P1521, Online-Systeme +---------------------------------------
Paumgartnerstr. 6-14 Fon:+49-911-2763189 Fax:+49-911-2765559
D-90329 Nuernberg Email: Juergen.Mueller@post.datev.de
--------------------------------------------------------------------

From firewalls-owner Wed May 8 00:56:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA04992 for firewalls-outgoing; Wed, 8 May 1996 00:50:53 -0700 (PDT)
Received: from info.clever.be (info.clever.be [194.7.107.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA04985 for ; Wed, 8 May 1996 00:50:47 -0700 (PDT)
Received: from lucvm.clever.be (lucvm.clever.be [194.7.107.10]) by info.clever.be (8.6.9/8.6.9) with SMTP id KAA21315; Wed, 8 May 1996 10:01:48 +0200
Received: by lucvm.clever.be with Microsoft Mail id <01BB3CC3.C0D51560@lucvm.clever.be>; Wed, 8 May 1996 09:50:13 +-200
Message-ID: <01BB3CC3.C0D51560@lucvm.clever.be>
From: luc Van Maldeghem
To: "firewalls@GreatCircle.COM" , "'Mark Hopkins'"
Subject: RE: DMZ
Date: Wed, 8 May 1996 09:50:05 +-200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Look at "Firewalls and Internet Security" from Cheswick and Bellovin

----------
From: Mark Hopkins[SMTP:mark@issfw.palomar.edu]
Sent: Wednesday, May 08, 1996 1:30 AM
To: firewalls@GreatCircle.COM
Subject: DMZ

I'm looking for info on setting up a DMZ; anybody know where a FAQ or other info on the subject resides?
Mark Hopkins (mark@palomar.edu)
Palomar College
Information Systems & Services

From firewalls-owner Wed May 8 01:26:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA06479 for firewalls-outgoing; Wed, 8 May 1996 01:16:30 -0700 (PDT)
Received: from gmap-gw.gmap.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA06450 for ; Wed, 8 May 1996 01:16:13 -0700 (PDT)
Received: (from root@localhost) by gmap-gw.gmap.leeds.ac.uk (8.7.3/8.6.9) id IAA08718 for ; Wed, 8 May 1996 08:19:30 +0100 (BST)
Received: from gmap3.gmap.leeds.ac.uk(129.11.200.3) by gmap-gw via smap (V1.3) id sma008711; Wed May 8 08:19:15 1996
Received: from gmap.leeds.ac.uk (gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA09349; Wed, 8 May 1996 09:14:39 +0100
From: Danny Cox
Date: Wed, 8 May 1996 09:14:11 +0100
Message-Id: <13065.9605080814@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: firewalls@greatcircle.com
Subject: Multiple IP addresses on one ethernet card?
Cc: dannyc@gmap-mailhub.gmap.leeds.ac.uk
X-Sun-Charset: US-ASCII
X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt

; Wed, 8 May 1996 02:18:18 -0700 (PDT)
From: dehtpnmk@ibmmail.com
Message-Id: <199605080918.CAA11129@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 6701; Wed, 08 May 96 05:16:11 EDT
Date: Wed, 08 May 1996 05:16:04 EDT
To: FIREWALLS@GREATCIRCLE.COM
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Amadeus Forums AT MUCVM1
Organization: AMADEUS Global travel - Erding - DE
Subject: Firewall-1 reporting

Amadeus FORUMS for DAVID BLACK : private replies to:

Can Firewall-1 log statistics about usage, i.e. where I can produce reports that show the following:

Source IP address
Target IP address
MBs transferred
Timestamps
Authenticated userid (important for UNIX boxes using our gateway)

If not, can the CERN HTTP proxy do this, as we are running this behind the Firewall-1 proxy for its caching functions.

Thanks,
Dave Black
System Programmer, Amadeus Global Travel, Munich, Germany
osg023@mucvm1, dehtpz79@ibmmail.com, (49) 8122-43-5795 fax(3260)

From firewalls-owner Wed May 8 02:41:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA11388 for firewalls-outgoing; Wed, 8 May 1996 02:25:48 -0700 (PDT)
Received: from stella.quantum.si (stella.quantum.si [193.138.6.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA11375 for ; Wed, 8 May 1996 02:25:29 -0700 (PDT)
Message-Id: <199605080925.CAA11375@miles.greatcircle.com>
Received: from ([194.152.15.196]) by stella.quantum.si with SMTP (1.37.109.14/16.2) id AA104257263; Wed, 8 May 1996 11:21:04 +0200
X-Sender: lojze@stella.quantum.si
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 08 May 1996 11:30:49 -0100
To: sedayao@argus.intel.com (Jeffrey C. Sedayao), ndg@reachit.com (N D Ghaznavi)
From: alojz.zadravec@quantum.si (Alojz Zadravec)
Subject: Re: Switched Ethernet and Vlans with a Firewall
Cc: Firewalls@GreatCircle.COM
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Would you please help us define which ethernet switch is the right one for implementing VLANs. Please consider especially Bay Networks, Cisco and Alantec, but give us other names also.

Best regards
Alojz

At 07:25 AM 5/7/96 PDT, Jeffrey C. Sedayao wrote:
>> We're also in the process of upgrading our network topology. My
>> understanding of `Intelligent Ethernet Switches' is that they `remember'
>> what machine is on which segment (keeps track of the MAC) addresses. So
>> there is *no* configuration. Essentially the switch is used to reduce
>> network traffic, not as a `security box'.
>
>> Can anyone comment on this? Specifically: Switch type, and level of
>> configurability.
>
>On a switch that you are configuring VLANs, you need to configure
>which ports will go on which VLAN. While you don't have to worry about MAC
>addresses, you do have to configure the segments. A switch doing VLANS
>is different from a regular ethernet switch.
>
>> > 1. Be careful about allowing access to the switch. The switch I have
>> > been working with is configured by telnetting in, and certainly you
>> > don't want the whole Internet doing that. You certainly don't want
>> > everyone doing SNMP requests or uploading configurations via TFTP. Once
>> > you have enable access on the switch, you can set up holes and routing
>> > through various ports and wreak some real havoc.
>
>> What kind of a switch was it? Can it do packet filtering?
>
>Hmm. Actually, I am not so sure about routing through other ports. You
>can set up static routes though. It is a Cisco catalyst 5000, and I
>don't think that it can packet filter.
>
>> Cheers,
>
>> Nadim
>>
>> --N D Ghaznavi-----------------------------------------------------------
>> Unix System Administrator ndg@CADlink.com
>> --CADlink.com--------Reachit.com--------Ghaznavi.com--------Apparel.org--
>>
>>
>
>
>--
>Jeff Sedayao
>Intel Corporation
>sedayao@argus.intel.com
>
>

---------------------------------------------------------
Alojz Zadravec Quantum d.o.o.
Stegne 21d tel: +386 61 159-7256
61000 Ljubljana fax: +386 61 159-7192
Slovenija e-mail: alojz.zadravec@quantum.si
----------------------------------------------------------

From firewalls-owner Wed May 8 02:57:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA12216 for firewalls-outgoing; Wed, 8 May 1996 02:52:20 -0700 (PDT)
Received: from tucker.guardian.co.uk (tucker.guardian.co.uk [194.200.80.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA12206 for ; Wed, 8 May 1996 02:52:12 -0700 (PDT)
Received: (from uwolfie@localhost) by tucker.guardian.co.uk (8.7.5/1.01) with UUCP id KAA04574 for firewalls@GreatCircle.COM; Wed, 8 May 1996 10:50:10 +0100
Received: from [191.191.4.46] (marc1 [191.191.4.46]) by wolfie.guardian.co.uk (8.7.5/1.01) with SMTP id KAA26661 for ; Wed, 8 May 1996 10:49:30 +0100
X-Sender: marc@popserver.guardian.co.uk
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 8 May 1996 10:49:28 +0100
To: firewalls@GreatCircle.COM
From: marc@guardian.co.uk (Marc Lueck)
Subject: Synopsis of proxying firewall requested
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been reading quite a bit about firewalls, and have been asked to give a talk to a group of non-technical people on the subject. Here, I have to reveal my bias. I purchased and installed and do indeed like Firewall-1, a packet-filtering firewall component.
However, I want to give the group a wide range of choices, and though I know what a proxying firewall DOES, I don't exactly see why it would be a substitute for a packet filter. I CAN see it in a firewall using both proxying AND packet filtering, but then only as a supplemental device that protects an organization against mistakes by users making outgoing connections. Please tell me otherwise. I know there are hundreds of people out there who use them and for I am sure very good reasons. I just don't know them!

Thanks in advance,

Marc Lueck
The Guardian Newspaper
marc@guardian.co.uk

From firewalls-owner Wed May 8 04:41:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA16488 for firewalls-outgoing; Wed, 8 May 1996 04:33:38 -0700 (PDT)
Received: from ns1.ptd.net (ns1.ptd.net [198.80.46.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA16482 for ; Wed, 8 May 1996 04:33:34 -0700 (PDT)
Received: from anaconda (cable005011.cable.tv13.ptd.net [204.186.5.11]) by ns1.ptd.net (8.7.3/8.7.3) with SMTP id HAA16922; Wed, 8 May 1996 07:31:06 -0400 (EDT)
Message-ID: <31908750.6E45@prolog.net>
Date: Wed, 08 May 1996 07:36:48 -0400
From: Stefan Gal
Organization: segco.com
X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.4 sun4c)
MIME-Version: 1.0
To: Nick Keenan
CC: firewalls@GreatCircle.COM
Subject: Re: Fakemail (again)
References: 16590578501482@gsionline.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nick Keenan wrote:
[snip]

I think all the points made were extremely valid. However, having been involved with a few people that have testified as expert witnesses for "high technology" court cases, I am able to say that the lawyers and judges I've seen DO NOT know enough about or even understand the technology they are bringing to trial.

This presents a BIG problem that this and other countries are going to have to face in the near future regarding ELECTRONIC LAWS and COMPUTER CRIMES.

I would like to find out what individuals' comments are concerning the following statement:

>
> Finally, I have to contest your assumption that a computer log would hold a
> lot of weight in court. In reality, the opposite is true: unless you set up
> your logging system with the intention of someday using them as evidence,
> any lawyer worth his salt should be able to get them excluded on a number of
> grounds.
>

Given the fact that lawyers are particularly good at getting evidence "thrown out" (regardless of whether or not they understand it), is it possible to set up a system where the "logs" could be used or proven as valid evidence?

Before this thread gets out of hand, I would like to say that I am glad to see the interest and comments regarding this Fakemail thread and the prior one that sparked my initial reply.

One last point: E-mail has been the "weakest" security link on the net since the inception of both the net and SMTP. Can anyone come up with a solution to the problem that is practical to implement and would address everyone's security concerns? And I'm NOT looking to start the ENCRYPTION thread again. I'm after a REAL practical solution to the problem. Telnetting to port 25 and faking a mail session will usually break most everyone's security. Can this problem ever be fixed?

--
Stefan Gal voice: 610-760-0747
c/o S.E.G. Co. email: sgaul@prolog.net

NOTE: standard disclaimer applies and send all flames > /dev/null

From firewalls-owner Wed May 8 05:57:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA18243 for firewalls-outgoing; Wed, 8 May 1996 05:46:45 -0700 (PDT)
Received: from calima (CALIMA.CIAT.CGIAR.ORG [198.93.225.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA18199 for ; Wed, 8 May 1996 05:44:31 -0700 (PDT)
Received: from calima.ciat.cgiar.org by calima with smtp (Smail3.1.29.1 #1) id m0uH7eO-00035cC; Wed, 8 May 96 07:43 WST
Message-ID: <31909737.2786@ciat.cgiar.org>
Date: Wed, 08 May 1996 07:44:39 -0500
From: "Juan Carlos Machado Z."
Reply-To: juank@ciat.cgiar.org
Organization: CIAT
X-Mailer: Mozilla 3.0B2 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Denying Telnet sessions from some sites
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All,

I'm new in this security world, and I want some help in this matter: I want to deny some telnet sessions from some sites, and we don't have the necessary budget to buy a firewall machine. Could someone tell me how to do this?

Thanks a lot for your help and excuse my poor English.

Juank

--
_________________________________________________________
=========================================================
Juan Carlos Machado Z.
Information Management & Network Services
Network Support
C I A T
Centro Internacional de Agricultura Tropical
International Center for Tropical Agriculture
Phone: (57-2) 4450-000 Ext. 3691 [Colombia] (1) (415) 833-6625 [USA/Direct]
Fax: (57-2) 4450-073 [Colombia] (1) (415) 833-6626 [USA/Direct]
E-mail: juank@ciat.cgiar.org j.machado@cgnet.com
Mailing Address: CIAT, A.A 6713, Cali, Colombia
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Juank:= NOT(reflect(opinions' self,opinions' employer))
_________________________________________________________

From firewalls-owner Wed May 8 06:51:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA19763 for firewalls-outgoing; Wed, 8 May 1996 06:37:27 -0700 (PDT)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA19750 for ; Wed, 8 May 1996 06:37:23 -0700 (PDT)
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.4/8.6.4) with ESMTP id IAA19475 for ; Wed, 8 May 1996 08:35:01 -0500 (CDT)
From: Doug Hughes
Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id IAA03404; Wed, 8 May 1996 08:35:00 -0500
Date: Wed, 8 May 1996 08:35:00 -0500
Subject: RE: Fakemail (contacting sysadmins)
To: firewalls@GreatCircle.COM
Message-Id:
In-Reply-To: <2.2.32.19960507183234.8693c8fc@lafvax.lafayette.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>At 02:01 PM 05/07/96, somebody wrote:
>>>yes, now it is just a matter of getting in touch with the sys. admin.
>>>for the site, finding out what machines had users logged into them on
>>>that particular day/time and then checking syslog for which ones sent
>>>mail, match that with the users on the system and I have enough evidence
>>>to take the matter to court , if so desired...
>> >>What if he runs a network (like mine) where such information is not even >>kept? What if the user came in over a dialup account, or a guest account? >> > >I agree. The person obviously came from an .edu domain which tend to be >very tricky to trace. No doubt they have lab computers. If they are set up >like most campuses they have public access lab site computers. Sure they >all have assigned IPs so you can tell which machine it came from, but a 100 >users a day use the same machine with no record of who was using it when. > >Perhaps ISP fake mail can be traced with cooperation of a sysadmin, but >educational sites are far beyond that. > > Oh, not all of them, to be sure. We have process accounting and ident turned on on all our lab machines. Several other universities do similar things. If we are contacted with a problem of this nature we take it very seriously. You should try contacting them before dismissing them as an 'edu' site out of hand. I know quite a few 'edu' sites that take more and better security measures than ISP's. Some of the ISP's could care less. (Check your logs recently on hack attempts by netcom? I know that's where most of mine come from. I've sent several messages, but hadn't gotten any response. Not to say that they don't care about security. I don't know since they don't answer. 
;)

--
____________________________________________________________________________
Doug Hughes                          Engineering Network Services
System/Net Admin                     Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Wed May 8 06:59:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20011 for firewalls-outgoing; Wed, 8 May 1996 06:45:08 -0700 (PDT)
Received: from gw1.att.com (gw1.att.com [192.20.239.133]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20005 for ; Wed, 8 May 1996 06:45:03 -0700 (PDT)
Received: from vodka.sse.att.com (vodka.gc.att.com) by ig1.att.att.com id AA18749; Wed, 8 May 96 09:38:11 EDT
Message-Id: <9605081338.AA18749@ig1.att.att.com>
From: mdr@vodka.sse.att.com
Subject: Re: Fakemail (again)
To: sgaul@prolog.net (Stefan Gal)
Date: Wed, 8 May 1996 09:37:01 -0400 (EDT)
Cc: firewalls@greatcircle.com, baumann@proton.llumc.edu
In-Reply-To: <318F4B14.632A@prolog.net> from "Stefan Gal" at May 7, 96 09:07:32 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stefan Gal wrote:
> mail, match that with the users on the system and I have enough evidence
> to take the matter to court , if so desired...

Not really. All that you can prove is that someone/someprocess operated under that account. The thesis falls apart unless the host uses strong authentication and has sufficient auditing to trace the creation of processes and generation of mail.

Needed:
1) assurance that the individual in question was the one who logged on
2) assurance that the operations were performed by the individual.
3) assurance that the operations performed by the individual were of his own volition. Perhaps he ran joe's utility program (the one that also sends mail) ...
I've seen some hostile web pages that actually forge email from your site while you sit at the console/Xterm/pc just by virtue that you browsed the site.

Someone who claims to be a lawyer should answer this. The scary part is that you might be right anyway.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Wed May 8 07:13:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20837 for firewalls-outgoing; Wed, 8 May 1996 07:03:28 -0700 (PDT)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA20793 for ; Wed, 8 May 1996 07:03:15 -0700 (PDT)
Received: from gatekeeper.Bridge.COM by relay6.UU.NET with SMTP (peer crosschecked as: gatekeeper.bridge.com [167.76.159.11]) id QQaouy22710; Wed, 8 May 1996 10:01:13 -0400 (EDT)
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id IAA26265; Wed, 8 May 1996 08:53:56 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma026259; Wed May 8 08:53:47 1996
Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA19584 (5.67b/IDA-1.5); Wed, 8 May 1996 09:03:05 -0500
Date: Wed, 8 May 1996 09:03:05 -0500 (CDT)
From: Ken Hardy
X-Sender: ken@ignatz
To: Darren Reed
Cc: Firewalls Mailing List
Subject: Re: Normal Firewall, anyone ?
In-Reply-To: <199605080213.TAA22359@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 May 1996, Darren Reed wrote:

>Their firewall is known as the "Norman Firewall" - does anyone have a
>URL for them ?

To all who periodically ask for URLs for this or that, there's a host of dandy tools on the Web known as search engines. Entering "norman firewall" as the query at www.altavista.digital.com, e.g., gives quite satisfactory results. Try it; you'll like it.
From firewalls-owner Wed May 8 07:29:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA21722 for firewalls-outgoing; Wed, 8 May 1996 07:17:59 -0700 (PDT)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA21716 for ; Wed, 8 May 1996 07:17:52 -0700 (PDT)
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id JAA27424; Wed, 8 May 1996 09:14:57 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) id sma027422; Wed May 8 09:14:53 1996
Received: from ignatz (ignatz.bridge.com) by ignatz.bridge.com with SMTP id AA20030 (5.67b/IDA-1.5); Wed, 8 May 1996 09:24:11 -0500
Date: Wed, 8 May 1996 09:24:08 -0500 (CDT)
From: Ken Hardy
X-Sender: ken@ignatz
To: Stefan Gal
Cc: Nick Keenan , firewalls@GreatCircle.COM
Subject: Re: Fakemail (again)
In-Reply-To: <31908750.6E45@prolog.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 May 1996, Stefan Gal wrote:

[snip]

> Given the fact that lawyers are particularly good at getting evidence "thrown out"
> (regardless of whether or not they understand it), is it possible to set up a system
> where the "logs" could be used or proven as valid evidence?
>
> Before this thread gets out of hand, I would like to say that I am glad to
> see the interest and comments regarding this Fakemail thread and the prior one
> that sparked my initial reply.

[snip]

I am afraid of it getting out of hand, especially as it's not really related to firewalls at all, except for the fact that those, like every *other* system I have, generate logs. This list has been too noisy recently, IMHO. Not that this isn't an interesting topic.
I humbly suggest that those interested in such subjects consider joining the LACC (Legal Aspects of Computer Crime) list hosted by Julian Assange at suburbia.net. I think Julian hangs around this list too; perhaps he could comment on whether this discussion is welcome there (or has already occurred.)

To subscribe, send mail to lacc-request@suburbia.net with the body of:

subscribe lacc

--
KH

From firewalls-owner Wed May 8 07:42:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA21850 for firewalls-outgoing; Wed, 8 May 1996 07:20:13 -0700 (PDT)
Received: from pegasus.mobil.com (pegasus.mobil.com [131.126.220.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA21834 for ; Wed, 8 May 1996 07:20:07 -0700 (PDT)
Received: (from daemon@localhost) by pegasus.mobil.com (Mobil-3/pegasus-4) id JAA29801 for ; Wed, 8 May 1996 09:20:23 -0500
Received: from dlsn30.dal.mobil.com(131.126.10.77) by pegasus via smap (V1.3) id sma029793; Wed May 8 09:20:21 1996
Received: from dalsn092.rtd.mobil.com (dalsn092.dal.mobil.com) by dal.mobil.com (4.1/SMI-4.1-R) id AA09510; Wed, 8 May 96 09:18:19 CDT
Received: from DALPC39D (dalpc39d.dal.mobil.com) by dalsn092.rtd.mobil.com (5.x/SMI-SVR4) id AA07554; Wed, 8 May 1996 09:21:14 -0500
Date: Wed, 8 May 1996 09:21:14 -0500
Message-Id: <9605081421.AA07554@dalsn092.rtd.mobil.com>
X-Sender: oemaster@dalsn092.dal.mobil.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: oemaster@dal.mobil.com (oscar masters)
Subject: Re: gauntlet - TN3270 proxy?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Based on some questions I received my response was not as clear as I had hoped for. One can tn3270 through a gauntlet firewall to a tn3270 host without any special proxies, filters, or access lists. This process uses only the tn-gw proxy provided by gauntlet.
Here is the process from an X-Terminal:

1) Invoke the tn3270 client to the gauntlet firewall:

   X3270 -model 2 -efont 3270-12 a:<gauntlet.firewall>

   Note: the "a:" parm on the X3270 statement sets the mode to disable true TN3270 until the host enables. This is not required for winsock based tn3270 clients.

2) Authenticate at the firewall

3) Connect to the internal tn3270 server (Mainframe TCPIP) from gauntlet:

   connect mainframe.tcpip.com

I have tested the X3270 (X-based) client in Linux Slackware and the tn3270 client of FTP Software with no problems.

hope this helps.

oem

>
>>>I would like to know how the tn3270 proxy works on the Gauntlet
>>>firewall? Does it use a true tn3270 proxy or do users telnet as
>>>vtxxx's and then telnet out as 3270 terminals? We are trying to
>>>configure the latter on the IBM NetSP and are getting nowhere. I
>>>am thinking of changing to Gauntlet on Solaris if it allows
>>>connections from tn3270 clients.
>>>
>Gauntlet does not use a true tn3270 proxy. We must first telnet to the
>firewall and then telnet to the TN3270 application. However the first
>Telnet is performed under a TN3270 client and the second telnet is the
>standard tn-gw. We found that standard Winsock TN3270 clients required
>no special customization but using Xbased TN3270 clients required additional
>parameterization to support Binary & EOR Modes. This was not an issue for
>Winsock based clients but it was an issue for Xterm based clients.
>Most X-Based Clients have an option that allows the Xterm to
>emulate an X.64 terminal until the host puts it into 3270 mode.
>For example the logon string for X3270 is as follows :
>
> X3270 -model 2 -efont 3270-12 a:
>
> oem.
>
>
>
>>>--
>>>Thanks!
>>>-steve.
>>>matkoski@dreamscape.com
>>>
>>>
>>
>>
>>
>

From firewalls-owner Wed May 8 08:09:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23715 for firewalls-outgoing; Wed, 8 May 1996 07:47:00 -0700 (PDT)
Received: from artemis.rus.uni-stuttgart.de (artemis.rus.uni-stuttgart.de [129.69.18.28]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA23668 for ; Wed, 8 May 1996 07:46:46 -0700 (PDT)
Received: from visbl.rus.uni-stuttgart.de (visbl.rus.uni-stuttgart.de [129.69.50.72]) by artemis.rus.uni-stuttgart.de with ESMTP id QAA09830 (8.6.13/IDA-1.6); Wed, 8 May 1996 16:44:10 +0200
Received: by visbl.rus.uni-stuttgart.de (950511.SGI.8.6.12.PATCH526/930416.SGI/BelWue-1.1) id QAA19214; Wed, 8 May 1996 16:42:37 +0200
From: Bernd.Lehle@RUS.Uni-Stuttgart.DE (Bernd Lehle)
Message-Id: <199605081442.QAA19214@visbl.rus.uni-stuttgart.de>
Subject: Re: Fakemail (again)
To: sgaul@prolog.net (Stefan Gal)
Date: Wed, 8 May 1996 16:42:37 +0200 (DST)
Cc: nkeenan@gsionline.com, firewalls@GreatCircle.COM
In-Reply-To: <31908750.6E45@prolog.net> from "Stefan Gal" at May 8, 96 07:36:48 am
X-Scapegoat: Blame any mailing Problems on this header entry.
X-pgp-fingerprint: 3E B0 35 8D 59 D5 AE AA 5A F9 60 80 9E E0 55 48
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> One last point: E-mail has been the "weakest" security link on the net since
> the inception of both the net and SMTP. Can anyone come up with a solution to
> the problem, that is practical to implement and would address everyone's
> security
> concerns and I'm NOT looking to start the ENCRYPTION thread again. I'm after
> a REAL practical solution to the problem.
> Telnetting to port 25 and faking a mail session, will usually break most
> everyone's
> security. Can this problem ever be fixed?

That's one thing that's been going around my mind for a while, too.
I did not get a satisfying response on my question regarding protection against mail bombing, which is much more dangerous than fake mail. How about getting a few clever people together and try to work out a tool that provides at least some protection against unwanted mail. Maybe open up a mailing list or a developers group. I'm thinking about a little thingie like the TCP-Wrapper or the Sendmail Restricted Shell.

Any comments, ideas, interest ?

--
> Bernd Lehle - Stuttgart University Computer Center     * A supercomputer <
> Visualization / Security / Astrophysics                * is a machine    <
> lehle@rus.uni-stuttgart.de   Tel:+49-711-685-5531      * that runs an    <
> http://www.tat.physik.uni-tuebingen.de/~lehle          * endless loop    <
> pgp? -> finger bernd@visbl.rus.uni-stuttgart.de        * in 2 seconds    <

From firewalls-owner Wed May 8 08:12:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25486 for firewalls-outgoing; Wed, 8 May 1996 08:07:16 -0700 (PDT)
Received: from vampire.org (vampire.org [199.125.161.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25476 for ; Wed, 8 May 1996 08:07:06 -0700 (PDT)
Received: (from discodan@localhost) by vampire.org (8.6.12/8.6.12) id LAA08669; Wed, 8 May 1996 11:03:00 -0400
Date: Wed, 8 May 1996 11:02:59 -0400 (EDT)
From: Squawk
To: "Moore, Mark"
cc: Return requested
Subject: Re: Getting started with firewall.
In-Reply-To: <"318676F0.CCC8.02A3.000*/c=us/admd= /prmd=kp/o=ga/ou=gwise/s=Moore/g=Mark/"@MHS>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 30 Apr 1996, Moore, Mark wrote:

> Does anyone know what documentation I can purchase so that I can
> better understand firewall technology ??

O'Reilly offers a book on firewalls... I'm not sure how comprehensive it is but O'Reilly books rock in general.. and you can find them at almost any bookstore.
-Dan

From firewalls-owner Wed May 8 08:28:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25209 for firewalls-outgoing; Wed, 8 May 1996 08:04:25 -0700 (PDT)
Received: from aspen3.aspensys.com (ns.aspensys.com [198.77.70.84]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25190 for ; Wed, 8 May 1996 08:04:16 -0700 (PDT)
Received: from smtpinet.aspensys.com by aspen3.aspensys.com (SMI-8.6/SMI-SVR4) id LAA11802; Wed, 8 May 1996 11:02:13 -0400
Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08) id AA831578809; Wed, 08 May 96 11:05:43 EST
Date: Wed, 08 May 96 11:05:43 EST
From: "Jim Meritt"
Message-Id: <9604088315.AA831578809@smtpinet.aspensys.com>
To: firewalls@greatcircle.com, juank@ciat.cgiar.org
Subject: Re: Denying Telnet sessions from some sites
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

No problem. Put a tcp wrapper into your /etc/inetd.conf and put the sites into the hosts.deny.

Jim Meritt

______________________________ Reply Separator _________________________________
Subject: Denying Telnet sessions from some sites
Author: juank@ciat.cgiar.org at SMTPINET
Date: 5/8/96 10:53 AM

Hello All,

I'm new in this security world, and I want some help in this matter:

I want to deny some telnet sessions from some sites, and we don't have the necessary budget to buy a firewall machine.

Could someone tell me how to do this ?

Thanks a lot for your help and excuse my poor English.

Juank

From firewalls-owner Wed May 8 08:43:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27261 for firewalls-outgoing; Wed, 8 May 1996 08:26:28 -0700 (PDT)
Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27248 for ; Wed, 8 May 1996 08:26:22 -0700 (PDT)
Received: by h01.scientia.com with SMTP id QAA00847 for ; Wed, 8 May 1996 16:24:37 +0100
Message-Id: <199605081524.QAA00847@h01.scientia.com>
X-Sender: firewall@pop-server
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 08 May 1996 15:24:40 +0100
To: firewalls@greatcircle.com
From: Ian Miller
Subject: Re: Fakemail (again)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:07 07/05/96 -0400, you wrote:
>> > good enough for ya...I particularly like the devnull@localhost by
>> > mail.untraceable.net bit, so are you a Montclair student, wannabe
>> > hacker or just think your slick?
>> >
>> > pretty cute trick, though.
>> Minor point: he still made his point. What machine in the lab did he send
>> the mail from? Can you tell?

You don't even know if the guy was at Montclair. Try telneting port 25 to apollo.montclair.edu. If you can put what you like after the HELO and it gets put in the header as "Received: from by apollo....".
You can do this from _any_ Internet connected machine _anywhere_. I could have sent the John Doe message. (I didn't as it happens but I can't prove that.)

>
>yes, now it is just a matter of getting in touch with the sys. admin.
>for the site,

You might be lucky. The faker might be at Montclair and they might have sufficiently comprehensive log files. I think the latter is very unlikely. If not you are at a dead-end. Of course, you only know it is a dead-end because it was a demo bit of fake-mail. There is nothing to stop a faker putting in some fake "received: from" headers to point the finger at someone else.

Ian

From firewalls-owner Wed May 8 09:03:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25249 for firewalls-outgoing; Wed, 8 May 1996 08:04:55 -0700 (PDT)
Received: from vampire.org (vampire.org [199.125.161.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25242 for ; Wed, 8 May 1996 08:04:48 -0700 (PDT)
Received: (from discodan@localhost) by vampire.org (8.6.12/8.6.12) id LAA08658; Wed, 8 May 1996 11:00:54 -0400
Date: Wed, 8 May 1996 11:00:53 -0400 (EDT)
From: Squawk
To: Rachel Rosencrantz
cc: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #281
In-Reply-To: <31863AFC.6CA1@pobox.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 30 Apr 1996, Rachel Rosencrantz wrote:

> Besides Penn's points on this, the PC architecture was not designed with
> DOS or NT in mind. Unless NT/Win95 has changed its structure
> considerably from earlier Win products these Operating systems don't use
> the full facilities of the x86/Pentium architecture in terms of access
> control. If the operating system is robust it will come back. If this
> is the case then we aren't talking a hardware problem. I have a SCO 5.0
> system at home on a "built" box rather than a Dell or Compaq or HP type
> PC.
> If I switch off the power and then power back up Unix comes up very
> nicely in about 3 minutes time. No fsck necessary. This is a lot better
> than the performance I have heard of on some workstation class machines.
>

You're measuring a workstation's performance by how fast it boots?? Booting should have nothing to do with a workstation's performance.. a low end sparc will beat a pentium's i/o anyday for the same or even less cost. even if it boots in 10 minutes.. if you want power protection, spend a little bit of money for a ups.. no computer is worth it if you don't have some protection for your data.

>
> >
> > Why would you buy a server from "Best Buy"? Get a Compaq or Dell. You
> > are using the worst case examples in your argument. I work for a retailer
> > that has over 6,500 Intel Unix systems in the field. EVERY one has a UPS.
> > Why would you pay $5,000 - $20,000 for a server, entrust it with your data
> > and NOT spend $300 on a UPS.
>
> And if my $2500 box can do this, then certainly you can buy a much less
> expensive intel machine and with a robust operating system you will be
> fine. Who knows, maybe Linux will have some of these more robust
> filesystems in the near future.

It's quite possible.. Linux is one of the fastest developing operating systems.. and as a server it functions well.. however, it's definitely not suited for all applications.. It's not an ideal NFS server. It doesn't run very many commercial apps.. etc.
But it makes a nice xterm with a 20 inch monitor

-Dan

From firewalls-owner Wed May 8 09:07:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28684 for firewalls-outgoing; Wed, 8 May 1996 08:42:27 -0700 (PDT)
Received: from jaring.my (jaring.my [192.228.128.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA28667 for ; Wed, 8 May 1996 08:42:19 -0700 (PDT)
Received: from extol.extol.my (j9.ptl5.jaring.my [161.142.1.25]) by jaring.my (8.7.5/8.7.1) with SMTP id XAA05180; Wed, 8 May 1996 23:39:54 +0800 (MYT)
Message-ID: <3190CFD1.D8B@pc.jaring.my>
Date: Wed, 08 May 1996 23:46:09 +0700
From: peng-chiew low
X-Mailer: Mozilla 2.01 (Win95; I)
MIME-Version: 1.0
To: Ken Hardy
CC: Darren Reed , Firewalls Mailing List
Subject: Re: Normal Firewall, anyone ?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 8 May 1996, Darren Reed wrote:
>
> >Their firewall is known as the "Norman Firewall" - does anyone have a
> >URL for them ?

Try www.norman.com

Hope that helps.
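Jim Meritt's tcp wrapper suggestion in the "Denying Telnet sessions" thread, worked through as an added example (not code from the list or from tcp_wrappers itself): a small model of the order in which tcpd evaluates hosts.allow and hosts.deny, run over a deny-list-only configuration of the kind the question asks for and over a default-deny one. The daemon names, site names and addresses are constructed.

```python
"""Model of tcpd's hosts.allow / hosts.deny evaluation (hosts_access(5)).

Added example; not tcp_wrappers code. It covers the subset of the pattern
language used below (ALL, LOCAL, leading-dot domain, trailing-dot address
prefix, net/mask, exact host or address, EXCEPT). The real tcpd also knows
KNOWN, UNKNOWN, PARANOID and per-rule shell commands. The inetd.conf line
that puts telnet under the wrapper is the classic
    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
"""
import ipaddress
import re


def _match_client(pattern: str, host: str, ip: str) -> bool:
    """One client token against the connecting host name and address."""
    p = pattern.lower()
    if p == "all":
        return True
    if p == "local":                      # any name without a dot
        return "." not in host
    if p.startswith("."):                 # domain suffix
        return host.endswith(p)
    if p.endswith("."):                   # dotted-quad prefix
        return ip.startswith(p)
    if "/" in p:                          # net/mask
        net, mask = p.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return p == host or p == ip


def _match_list(spec: str, matcher) -> bool:
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 also matches;
    EXCEPT nests to the right, as in tcpd."""
    parts = re.split(r"\s+except\s+", spec.strip(), maxsplit=1, flags=re.I)
    tokens = [t for t in re.split(r"[,\s]+", parts[0].strip()) if t]
    hit = any(matcher(t) for t in tokens)
    if hit and len(parts) == 2:
        return not _match_list(parts[1], matcher)
    return hit


def parse_rules(text: str):
    """(daemon_list, client_list) pairs; comments and blanks are skipped and
    a trailing shell-command field is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                      # malformed; tcpd logs and ignores
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def hosts_access(daemon: str, host: str, ip: str,
                 allow_text: str, deny_text: str) -> str:
    """tcpd's order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a connection matching neither file is GRANTED."""
    host = host.lower()

    def hit(rules) -> bool:
        for d_list, c_list in rules:
            if (_match_list(d_list, lambda t: t.lower() in ("all", daemon.lower()))
                    and _match_list(c_list, lambda t: _match_client(t, host, ip))):
                return True
        return False

    if hit(parse_rules(allow_text)):
        return "allow"
    if hit(parse_rules(deny_text)):
        return "deny"
    return "allow"


# Constructed configurations (documentation addresses, not real sites).
# Weak: only the offending sites are listed. Telnet from anywhere else is
# still accepted, and those sites can still reach every other wrapped
# daemon because only in.telnetd is named.
ALLOW_WEAK = ""
DENY_WEAK = """
# constructed example
in.telnetd: .badsite.example, 198.51.100.
"""

# Corrected: refuse everything by default, then name what may connect.
ALLOW_STRICT = """
# constructed example: console logins and our own domain, for all daemons
ALL: LOCAL, .ciat.example
# telnet from one partner network, minus one host on it
in.telnetd: 192.0.2. EXCEPT 192.0.2.99
"""
DENY_STRICT = """
ALL: ALL
"""

if __name__ == "__main__":
    for daemon, host, ip in [("in.telnetd", "pc1.badsite.example", "203.0.113.5"),
                             ("in.telnetd", "anyone.example.org", "203.0.113.9"),
                             ("in.ftpd", "pc1.badsite.example", "203.0.113.5")]:
        print(daemon, host, ip,
              "weak:", hosts_access(daemon, host, ip, ALLOW_WEAK, DENY_WEAK),
              "strict:", hosts_access(daemon, host, ip, ALLOW_STRICT, DENY_STRICT))
```

The point to take from the weak file: when neither file matches, tcpd grants the connection, so naming only the offending sites in hosts.deny leaves every other site able to telnet in and leaves ftp and the rest open to those sites. "ALL: ALL" in hosts.deny with explicit hosts.allow entries closes both gaps.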
From firewalls-owner Wed May 8 09:31:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28368 for firewalls-outgoing; Wed, 8 May 1996 08:39:43 -0700 (PDT)
Received: from cadet2.usma.edu (cadet2.usma.edu [129.29.199.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA28339 for ; Wed, 8 May 1996 08:39:30 -0700 (PDT)
Received: from x85899c4.CDTUSMA ([129.29.187.250]) by cadet2.usma.edu (5.x/SMI-SVR4) id AA10504; Wed, 8 May 1996 11:36:57 -0400
Message-Id: <9605081536.AA10504@cadet2.usma.edu>
Comments: Authenticated sender is
From: Jesse-Whyte@cadet2.usma.edu
To: juank@ciat.cgiar.org, firewalls@greatcircle.com
Date: Wed, 8 May 1996 11:35:54 +0000
Subject: Re: Denying Telnet sessions from some sites
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'm new in this security world, and I want some help in this matter:
>
> I want to deny some telnet sessions from some sites, and we don't have the
> necessary budget to buy a firewall machine.
>
> Could someone tell me how to do this ?
>

Wietse Venema has written a package called TCP Wrapper that will do what you want through access control lists...It can be found at ftp://coast.cs.purdue.edu/pub/tools/unix/tcp_wrappers/

Hope this helps...
Jesse

***********************************************************
Jesse Whyte
(914)938-4120
x85899c4@cadet2.usma.edu

From firewalls-owner Wed May 8 09:42:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27753 for firewalls-outgoing; Wed, 8 May 1996 08:31:32 -0700 (PDT)
Received: from igate.hibbertco.com (hibbertco.com [204.240.226.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27745 for ; Wed, 8 May 1996 08:31:26 -0700 (PDT)
Received: by igate.hibbertco.com (5.x/) id AA16951; Wed, 8 May 1996 09:03:57 -0600
Received: from imailgw(204.240.226.72) by igate via smap (V1.3) id sma016947; Wed May 8 09:03:38 1996
Message-Id:
Date: 8 May 1996 09:03:33 -0700
From: "Anton Rager"
Subject: RE: More HTTP-GW Hacking.......
To: "Rick Murphy"
Cc: firewalls@greatcircle.com
X-Mailer: Mail*Link SMTP-MS 3.0.2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 07 May 1996, Rick Murphy replied,

>>I haven't figured out how to embed hard returns in the gopher string ...

>The 2.0 http-gw explicitly removes hard returns from URLs. Now you know why.

Thanks....looking at the http-gw source last night I saw where it is filtering out \n and \r......I still wonder if there are other ways to pass multiple commands to a greeting??
>An interesting idea, however it's only that - you can't use the http proxy
>from the untrusted side of the firewall unless things are very badly
>misconfigured (if a random hacker on the internet can use your http-gw
>to look at inside machines, you're wide open.)

I did have a wide open hole from the internet to my internal network via http -- It's fixed now!! Like I said...This could be a very good argument for putting http servers in the DMZ.

Let's think about intranets and your internal users for a bit (this is a bit of a stretch, but some may be concerned).....I may not want my internal users to telnet/ftp to other servers that they may be firewalled from within my organization...but they might have access to a http server in another department. I also may want to restrict what services my internal users can access on the internet and within my DMZ -- This problem with http-gw could possibly render my other proxies useless.

-----
Am I just being too paranoid??

Thanks for the reply,

Anton Rager
arager@hibbertco.com

From firewalls-owner Wed May 8 10:12:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28188 for firewalls-outgoing; Wed, 8 May 1996 08:37:56 -0700 (PDT)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA28181 for ; Wed, 8 May 1996 08:37:51 -0700 (PDT)
Received: (from smap@localhost) by ereapp.erenj.com (8.7.4/8.7.3) id LAA21240; Wed, 8 May 1996 11:35:13 -0400
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma021227; Wed May 8 11:34:48 1996
Received: from stargate.erenj.com (stargate.erenj.com [159.70.1.8]) by eredns.erenj.com (8.7.4/8.7.3) with SMTP id LAA16062; Wed, 8 May 1996 11:34:47 -0400
Received: by stargate.erenj.com; (5.65v3.2/1.1.8.2/12Feb96-1009AM/bdboyle@erenj.com) id AA15472; Wed, 8 May 1996 11:34:47 -0400
From: "Bryan D. Boyle"
Message-Id: <9605081134.ZM15460@stargate.erenj.com>
Date: Wed, 8 May 1996 11:34:47 -0400
In-Reply-To: Squawk "Re: Getting started with firewall." (May 8, 11:02am)
References:
X-Mailer: Z-Mail (3.2.1 10oct95)
To: Squawk
Subject: Re: Getting started with firewall.
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On May 8, 11:02am, Squawk wrote:
} Subject: Re: Getting started with firewall.
> O'Reilly offers a book on firewalls... I'm not sure how comprehensive it
> is but O'Reilly books rock in general.. and you can find them at almost
> any bookstore.

Well, considering the book is co-authored by the owner of this list, someone around since the beginning, I think you can say it is good enough for most of the newcomers to get them up to speed, and certainly a reference us oldtimers consult. It should be on your shelf, right next to Bellovin and Cheswick's book. If it isn't, then, perhaps you should make sure it gets there.

And, no, I have no $$$ relationship here.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"It is only the ignorant who suppose themselves omniscient."
--General Robert Edward Lee--

From firewalls-owner Wed May 8 10:16:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA03442 for firewalls-outgoing; Wed, 8 May 1996 09:29:52 -0700 (PDT)
Received: from gw.genre.com (gw.genre.com [204.149.79.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA03412 for ; Wed, 8 May 1996 09:29:41 -0700 (PDT)
Received: by gw.genre.com id AA24170 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 8 May 1996 12:26:40 -0400
Received: by gw.genre.com (Internal Mail Agent-2); Wed, 8 May 1996 12:26:40 -0400
Message-Id: <9605081626.AA8112@grcstm-nx02.genre.com>
Received: by gw.genre.com (Internal Mail Agent-1); Wed, 8 May 1996 12:26:40 -0400
To: firewalls
From: ygerman
Date: 8 May 96 12:23:54
Subject: Sight Blocking
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was wondering if anyone has some experience with products shareware/commercial that allow you to block users from accessing certain pages. I am currently using somewhat of an antique scheme using hosts file to redirect output for certain sites but would actually like to do it without tricks. I am actually looking for a server based product not one of those PC based products. There is a commercial product called Web Track that I am looking at but would like other options.

I can see doing this through a proxy server where it would look at a list (probably a flat file) and either pass along the site or display a web page or return text. Has anyone set up something like this or has experience with something of this sort. I would really appreciate any input you have.

Statement: I believe in free speech.
But a job is a job :-)

From firewalls-owner Wed May 8 10:29:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02370 for firewalls-outgoing; Wed, 8 May 1996 09:17:45 -0700 (PDT)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02362 for ; Wed, 8 May 1996 09:17:34 -0700 (PDT)
Received: by gauntlet-1.trusted.com; id MAA04165; Wed, 8 May 1996 12:28:02 -0400
Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1) id xma004162; Wed, 8 May 96 12:28:00 -0400
Received: from localhost by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA09927; Wed, 8 May 96 12:17:22 -0400
Message-Id: <9605081617.AA09927@hilo.trusted.com>
X-Mailer: exmh version 1.6.4 10/10/95
To: oemaster@dal.mobil.com (oscar masters)
Cc: Firewalls@greatcircle.com
Subject: Re: gauntlet - TN3270 proxy?
In-Reply-To: Your message of "Wed, 08 May 1996 09:21:14 EDT." <9605081421.AA07554@dalsn092.rtd.mobil.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 08 May 1996 12:17:21 EDT
From: "Rick Murphy"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One thing I should point out about Oscar's description of how they use the telnet proxy for TN3270 is that they're authenticating users - that means that the user must interact with the firewall to identify themselves before they're allowed through - that's the reason for forcing deferral of the 3270 negotiation.

For transparent access, you simply connect to the remote host directly. When the negotiation for the 3270 protocol takes place isn't important in this case.
-Rick

From firewalls-owner Wed May 8 10:34:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02267 for firewalls-outgoing; Wed, 8 May 1996 09:16:43 -0700 (PDT)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA02237 for ; Wed, 8 May 1996 09:16:31 -0700 (PDT)
Received: from baileynm.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id LAA21519; Wed, 8 May 1996 11:01:04 -0500 (CDT)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA29602; Wed, 8 May 1996 10:57:44 -0500
Received: by sonic.nmti.com; id AA25497; Wed, 8 May 1996 10:57:44 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9605081557.AA25497@sonic.nmti.com.nmti.com>
Subject: Re: Linux network monitoring
To: jwthomp@cs.uiuc.edu (thompson jeffrey w)
Date: Wed, 8 May 1996 10:57:43 -0500 (CDT)
Cc: zarquon@popalex1.linknet.net, firewalls@GreatCircle.COM
In-Reply-To: from "thompson jeffrey w" at May 7, 96 02:26:51 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> As far as stopping these types of scans, it is not possible to stop them
> directly as they are inherent in the TCP/IP protocol.

There's an old fairy tale about a bloke in Ireland who caught a leprechaun. He had the little fellow show him where his pot of gold was hidden, and tied a ribbon about the tree after the wooden shoe maker promised to not remove the ribbon nor the gold. He headed off home to get a cart, and when he got back he found the cunning devil had tied a ribbon around every tree in the forest.

If your bastion host has klaxon, or something similar, on every port from 1 to 1000 it's unlikely that your attacker would be able to do anything useful with the information he gets from his scan, no?
From firewalls-owner Wed May 8 10:42:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06758 for firewalls-outgoing; Wed, 8 May 1996 10:07:25 -0700 (PDT)
Received: from absolut-zero.winternet.com (absolut-zero.winternet.com [198.174.169.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA06733 for ; Wed, 8 May 1996 10:07:15 -0700 (PDT)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by absolut-zero.winternet.com (8.7.5/8.7.5) with ESMTP id MAA14123; Wed, 8 May 1996 12:05:04 -0500 (CDT)
Received: (from dufresne@localhost) by parka (8.7.4/8.6.12) id MAA12929; Wed, 8 May 1996 12:05:03 -0500 (CDT)
Posted-Date: Wed, 8 May 1996 12:05:03 -0500 (CDT)
Date: Wed, 8 May 1996 12:05:03 -0500 (CDT)
From: Ron DuFresne
To: Stefan Gal
cc: Nick Keenan , firewalls@GreatCircle.COM
Subject: Re: Fakemail (again)
In-Reply-To: <31908750.6E45@prolog.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 May 1996, Stefan Gal wrote:

> Nick Keenan wrote:
>
> [snip]
>
> I think all the points made were extremely valid. However, having been involved with
> a few people that have testified as expert witness for "high technology" court cases,
> I am able to say that the lawyers and judges I've seen DO NOT know enough about or
> even understand the technology they are bringing to trial. This presents a BIG problem
> that this and other countries are going to have to face in the near future regarding
> ELECTRONIC LAWS and COMPUTER CRIMES. I would like to find out what individuals'
> comments are concerning the following statement:
>
> > Finally, I have to contest your assumption that a computer log would hold a
> > lot of weight in court. In reality, the opposite is true: unless you set up
> > your logging system with the intention of someday using them as evidence,
> > any lawyer worth his salt should be able to get them excluded on a number of
> > grounds.
>
> Given the fact that lawyers are particularly good at getting evidence "thrown out"
> (regardless of whether or not they understand it), is it possible to set up a system
> where the "logs" could be used or proven as valid evidence?

Let me start here by stating that I'm not a legal expert. Still, it seems to me that the first step to overcome here concerns the ability to 'change' log files. Unless it could be shown that the logs are kept on a permanent, write-once media, if I were facing such evidence, I'd question the accuracy of the changeable nature of those logs. I'd also fight the admissibility of log entries that were routed to a printer, since these entries come from writable files. Seems that this could be a good call to go out and obtain that WORM drive...

> Before this thread gets out of hand, I would like to say that I am glad to
> see the interest and comments regarding this Fakemail thread and the prior one
> that sparked my initial reply.
>
> One last point: E-mail has been the "weakest" security link on the net since
> the inception of both the net and SMTP. Can anyone come up with a solution to
> the problem, that is practical to implement and would address everyone's security
> concerns and I'm NOT looking to start the ENCRYPTION thread again. I'm after
> a REAL practical solution to the problem.
>
> Telnetting to port 25 and faking a mail session will usually break most everyone's
> security. Can this problem ever be fixed?

Later folks,

Ron Dufresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed May 8 11:12:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12334 for firewalls-outgoing; Wed, 8 May 1996 11:06:51 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA12309 for ; Wed, 8 May 1996 11:06:42 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id OAA24105; Wed, 8 May 1996 14:04:21 -0400 (EDT) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id OAA18963; Wed, 8 May 1996 14:04:18 -0400 (EDT)
Date: Wed, 8 May 1996 14:04:18 -0400 (EDT)
Message-Id: <199605081804.OAA18963@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, ygerman@genre.com
Subject: Re: Sight Blocking
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I am actually looking for a server based product not one of those PC based
>products. There is a commercial product called Web Track that I am looking at
>but would like other options. I can see doing this through a proxy server where
>it would look at a list (probably a flat file) and either pass along the site
>or display a web page or return text. Has anyone set up something like this or
>has experience with something of this sort. I would really appreciate any input
>you have.
Check out:

ftp://www.cs.yale.edu/pub/long/src/network/security/wwwblock-1.4.README
ftp://sparky.cs.yale.edu/pub/long/src/network/security/wwwblock-1.4.README
http://www.cs.yale.edu/pub/long/src/network/security/wwwblock-1.4.README
http://sparky.cs.yale.edu/pub/long/src/network/security/wwwblock-1.4.README

- Morrow

From firewalls-owner Wed May 8 11:27:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12434 for firewalls-outgoing; Wed, 8 May 1996 11:08:11 -0700 (PDT)
Received: from dockmaster.hasp.com (dockmaster.hasp.com [204.5.88.177]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA12418 for ; Wed, 8 May 1996 11:08:00 -0700 (PDT)
Received: (from news@localhost) by dockmaster.hasp.com (8.6.9/8.6.9-djw) id OAA10926; Wed, 8 May 1996 14:09:18 -0400
Received: from rigel.hasp.com(10.1.1.2) by dockmaster.hasp.com via smap (V1.3) id sma010924; Wed May 8 14:09:07 1996
Received: from titan.hasp.com (titan.hasp.com [10.1.2.11]) by rigel.hasp.com (8.6.12/8.6.12) with SMTP id MAA26911; Wed, 8 May 1996 12:12:37 -0400
From: duncan@us.aks.com (Duncan J Watson)
Message-Id: <9605081409.ZM115@titan.hasp.com>
Date: Wed, 8 May 1996 14:09:44 -0400
X-Mailer: ZM-Win (3.2.1 11Sep94)
To: , Duncan.Watson@us.aks.com, firewalls@GreatCircle.COM
Subject: Fake Mail (again and again...)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Nick,

You were postulating that there must be a way to secure email but you didn't want to start up the Encryption thread again. The problem is basically the problem the encryption was designed for: secure communication over insecure channels. To come across this problem in a new form and then to willfully ignore the solution that has been designed for it is silly and a waste of resources.

You might argue that email is not inherently insecure, that we may add features to make it more secure. But the Internet as a whole is insecure, hence firewalls, and so we have the original problem again. As to why it is more vulnerable to assault than http, ftp, etc, we find that of all the standard protocols email is one of the few that is a store and forward technology. Usenet shares some of the email traits, being store and forward, and is just as vulnerable.

Now we may be able to incorporate encryption into the back-end software for a new mail protocol and design a more secure network of mail servers that utilizes it. You would run into compatibility issues among others and it would only be as secure as the servers that participated in the network BUT you could hide encryption from the end-users if that was your goal. But you find that encryption is only completely secure if it is used properly and end-to-end. You can certainly raise the cost of admission with a properly built back-end network, which may be all we want.

Sincerely,
Duncan J Watson

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMZDjYhFLY1ZerGB9AQHJgwL/V1RxZ9oTVeCqNh7uJhX47Uw+qHtILRuq
rMhzY9uhnR9kynR2rTVHnuCNTJl10EIDzm7zGazKpdLO0IYCVoBwpXSJDxsBuZJA
AUlrRJz3YtBDVgH8+lhDskKJ0/I0snXa
=cW2k
-----END PGP SIGNATURE-----

--
Duncan J Watson                   Email:Duncan@hasp.com
Tech Support Manager/Sys Admin    Ph#: +1 212 564 5678
Aladdin Software Security Inc     Fax#: +1 212 564 3377
Check out our Web Site ==============> http://www.aks.com/

From firewalls-owner Wed May 8 11:49:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA13144 for firewalls-outgoing; Wed, 8 May 1996 11:14:56 -0700 (PDT)
Received: from Farstar (Farstar.secapl.com [192.131.69.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA13128 for ; Wed, 8 May 1996 11:14:50 -0700 (PDT)
Received: from fozzie.secapl.com (Fozzie.secapl.com [192.131.46.3]) by Farstar (8.6.12/8.6.12) with SMTP id NAA196610; Wed, 8 May 1996 13:08:51 -0500
Received: from localhost by fozzie.secapl.com with SMTP id AA92111 (5.65c/IDA-1.4.4); Wed, 8 May 1996 14:14:02 -0400
Date: Wed, 8 May 1996 14:14:01 -0400 (EDT)
From: Tony Iannotti
To: "Bryan D. Boyle"
Cc: Squawk , firewalls@GreatCircle.COM
Subject: Re: Getting started with firewall.
In-Reply-To: <9605081134.ZM15460@stargate.erenj.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 May 1996, Bryan D. Boyle wrote:

> It should be on your shelf, right next to Belovin and Cheswick's book.

I thought it _was_ the Bellovin & Cheswick book?

From firewalls-owner Wed May 8 11:58:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA15491 for firewalls-outgoing; Wed, 8 May 1996 11:46:40 -0700 (PDT)
Received: from godzilla.projo.com (gate.projo.com [147.136.254.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA15463 for ; Wed, 8 May 1996 11:46:26 -0700 (PDT)
Received: (from smtp@localhost) by godzilla.projo.com (8.7.3/8.6.9) id OAA25805 for ; Wed, 8 May 1996 14:44:04 -0400 (EDT)
Received: from argos.projo.com(147.136.1.204) by godzilla.projo.com via smap (V1.3) id sma025803; Wed May 8 14:43:35 1996
Received: by ProJo.COM (5.x/projo-srv1.0) id AA20704; Wed, 8 May 1996 14:43:13 -0400
Date: Wed, 8 May 1996 14:43:13 -0400
Message-Id: <9605081843.AA20704@ProJo.COM>
X-Disclaimer: testing Xtended headers
From: "Brian Stormont"
To: firewalls@greatcircle.com
Subject: Re: Multiple IP addresses on one ethernet card?
X-Orcl-Application: In-Reply-To:INET.PJB.PROJO.COM:firewalls-digest-owner@GreatCircle.COM's message of 08-May-96 09:05
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Can anyone
>clue me in, as to how to setup two IP addresses on the internal ethernet
>interface on the firewall.

With Solaris you can configure a single interface to support several ip addresses.
I'm not sure if it is documented in the ifconfig man page, but I know you can do:

ifconfig le0 xxx.xxx.xxx.xxx
ifconfig le0:1 xxx.xxx.xxx.xxx
ifconfig le0:2 xxx.xxx.xxx.xxx
etc...

and then a single ethernet card uses all the ip addresses you told it to.

-brian
------------------------
brian_stormont@projo.com

From firewalls-owner Wed May 8 12:14:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA17548 for firewalls-outgoing; Wed, 8 May 1996 12:03:20 -0700 (PDT)
Received: from popalex1.linknet.net (popalex1.linknet.net [206.103.79.89]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA17500 for ; Wed, 8 May 1996 12:03:04 -0700 (PDT)
From: zarquon@popalex1.linknet.net
Received: from dsrvlaf1-9.linknet.net by popalex1.linknet.net; (5.65v3.2/1.1.8.2/06Mar96-1224PM) id AA10271; Wed, 8 May 1996 14:06:37 -0500
Received: (from zarq@localhost) by dsrvlaf1-9.linknet.net (8.6.12/8.6.9) id OAA00167 for firewalls@GreatCircle.COM; Wed, 8 May 1996 14:00:46 -0500
Message-Id: <199605081900.OAA00167@dsrvlaf1-9.linknet.net>
Subject: Re: Linux network monitoring
To: firewalls@GreatCircle.COM (Firewalls)
Date: Wed, 8 May 1996 14:00:41 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> As far as stopping these types of scans, it is not possible to stop them
>> directly as they are inherent in the TCP/IP protocol.

> There's an old fairy tale about a bloke in Ireland who caught a leprechaun.
> He had the little fellow show him where his pot of gold was hidden, and tied
> a ribbon about the tree after the wooden shoe maker promised to not remove
> the ribbon nor the gold. He headed off home to get a cart, and when he got
> back he found the cunning devil had tied a ribbon around every tree in the
> forest.

> If your bastion host has klaxon, or something similar, on every port from 1
> to 1000 it's unlikely that your attacker would be able to do anything useful
> with the information he gets from his scan, no?

Nice story, but wouldn't it still be easier to run argus or something similar? I can imagine what would happen if my box started running klaxon 1000 times -- that is what would happen, right? If so, then that would be a *very* effective denial of service attack, at least on this machine.

.../zarq
Runar Jensen [zarquon@popalex1.linknet.net]

From firewalls-owner Wed May 8 12:34:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA17379 for firewalls-outgoing; Wed, 8 May 1996 12:02:26 -0700 (PDT)
Received: from Arizona.EDU (Penny.Telcom.Arizona.EDU [128.196.128.217]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA17341 for ; Wed, 8 May 1996 12:02:15 -0700 (PDT)
Received: from sun1paztcn.wr.usgs.gov by Arizona.EDU (PMDF V5.0-5 #2381) id <01I4GNJWY1RKCDSY49@Arizona.EDU>; Wed, 08 May 1996 11:59:42 -0700 (MST)
Received: from localhost by sun1paztcn.wr.usgs.gov (4.1/SMI-4.1) id AA02253; Wed, 08 May 1996 10:52:24 -0700 (MST)
Date: Wed, 08 May 1996 10:52:23 -0700
From: Doug Wellington
Subject: Re: Fakemail (again)
In-reply-to: "Your message of Wed, 08 May 1996 16:42:37 +0200." <199605081442.QAA19214@visbl.rus.uni-stuttgart.de>
To: Bernd.Lehle@RUS.Uni-Stuttgart.DE (Bernd Lehle)
Cc: firewalls@GreatCircle.COM, doug@sun1paztcn.wr.usgs.gov
Message-id: <9605081752.AA02253@sun1paztcn.wr.usgs.gov>
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Previously:

>> One last point: E-mail has been the "weakest" security link on the net
>>[SNIP]

>That's one thing that's been going around my mind for awhile, too.
>I did not
>get a satisfying response on my question regarding protection against mail
>bombing, which is much more dangerous than fake mail.

After looking at the SMAP program in the TIS firewall kit, I decided to hack together my own version of what I am calling recvmail, which is a counterpart to sendmail. I hope to get permission to install it on my work system soon, but for the moment I have been testing it on a FreeBSD box at home.

Basically, recvmail answers all incoming mail requests, does a chroot to the incoming mail directory, and stores everything into a file. Recvmail checks disk space and only allows half the available space to be used. I am invoking it from inetd, so that it is possible to use it in conjunction with the TCP wrappers. Also, recvmail does NO forwarding. I have designed it strictly as the end point of mail - it only accepts mail for local users.

Also, I have an option for checking to see if the user actually exists - that is, I actually allow mail to non-existent users - it just gets stored into a file of that name in the spool directory. That way, a would-be hacker can't discover actual account names by sending mail. (I also have turned off verifies, although I have considered adding that back in...) Since I don't allow any non-ASCII characters in my usernames, I strip the email address down so that it is just letters and numbers before I create the file; that way, nobody should be able to sneak in any quoted commands or anything. Of course, I do store the actual fields that were transmitted in the SMTP exchange, and I do all kinds of syslogging.

One "limitation" that I have designed in is that recvmail does not look for aliases or .forward files... Since I personally use MH, I do all of my mail sorting with shell scripts, so I don't need to use the .forward file. I know that lots of people use mailagent and other filtering programs, so I have thought about either parsing the .forward file myself, or allowing some local delivery agent like deliver, procmail or mailagent's filter. (I'm going to wait on that until version 2 either way...)

Of course, my program doesn't do anything for a mail hub machine, but I do think it will help with the "leaf node" computers...

Any thoughts?

-Doug

Doug Wellington                         doug@sun1paztcn.wr.usgs.gov
System and Network Administrator        US Geological Survey
Tucson, AZ Project Office               (602) 670-6821 x26

According to proposed Federal guidelines, this message is a "non-record". Hmm, I wonder if _everything_ I say is a "non-record"...

The hardest thing in the world is to truly think for oneself. It is amazing how many people have let angst replace their self confidence.

From firewalls-owner Wed May 8 12:57:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA22052 for firewalls-outgoing; Wed, 8 May 1996 12:47:31 -0700 (PDT)
Received: from po-external.FCNBD.COM (po-external.FCNBD.COM [147.113.146.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA22044 for ; Wed, 8 May 1996 12:47:25 -0700 (PDT)
Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.112.122]) by po-external.FCNBD.COM (8.7.2/fcnbd/domain/1.5) with ESMTP id OAA09373; Wed, 8 May 1996 14:47:41 -0500 (CDT)
Received: from abacab.cmg.FCNBD.COM (abacab.cmg.FCNBD.COM [147.113.112.11]) by po-internal.FCNBD.COM (8.7.2/fcnbd/internal-domain/1.4) with ESMTP id OAA13165; Wed, 8 May 1996 14:46:05 -0500 (CDT)
Received: from abraxas.fnbc.com (pmarc@abraxas.FNBC.COM [147.113.112.127]) by abacab.cmg.FCNBD.COM (8.7.2/fcnbd/server-subdomain/2.1) with ESMTP id OAA12058; Wed, 8 May 1996 14:44:11 -0500 (CDT)
Received: (from pmarc@localhost) by abraxas.fnbc.com (8.7.3/8.7.1) id OAA09890; Wed, 8 May 1996 14:45:20 -0500 (CDT)
Message-Id: <199605081945.OAA09890@abraxas.fnbc.com>
MIME-Version: 1.0 (NeXT Mail 3.3 v118.2)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <9605081843.AA20704@ProJo.COM>
X-Nextstep-Mailer: Mail 3.3 (Enhance X)
Received: by NeXT.Mailer (1.118.2)
From: "Paul M. Cardon"
Date: Wed, 8 May 96 14:45:18 -0500
To: "Brian Stormont"
Subject: Re: Multiple IP addresses on one ethernet card?
cc: firewalls@greatcircle.com
Reply-To: pmarc@fnbc.com
References: <9605081843.AA20704@ProJo.COM>
X-Warners: Yakko, Wakko, and Dot
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My MUA insists that "Brian Stormont" wrote:
>
> >Can anyone
> >clue me in, as to how to setup two IP addresses on the internal
> >ethernet interface on the firewall.
>
> With Solaris you can configure a single interface to support
> several ip addresses.
> I'm not sure if it is documented in the ifconfig man page, but I
> know you can do:
>
> ifconfig le0 xxx.xxx.xxx.xxx
> ifconfig le0:1 xxx.xxx.xxx.xxx
> ifconfig le0:2 xxx.xxx.xxx.xxx
> etc...
>
> and then a single ethernet card uses all the ip addresses you told
> it to.
>
> -brian

Actually it is possible to do it on nearly any Unix system, but in some cases it may require a patch from the vendor. Take a look at this in the context of serving different domains from a single web server at:

http://www.thesphere.com/~dlp/TwoServers/

---
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
pmarc@cmg.fcnbd.com - (312) 732-7392

I never give them hell. I just tell the truth and they think it's hell. - H.
Truman
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e

From firewalls-owner Wed May 8 13:17:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA22892 for firewalls-outgoing; Wed, 8 May 1996 12:57:17 -0700 (PDT)
Received: from disclosure.com ([206.181.208.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA22866 for ; Wed, 8 May 1996 12:57:08 -0700 (PDT)
Received: (from scott@localhost) by disclosure.com (8.7.3/8.7.3) id PAA03122; Wed, 8 May 1996 15:58:36 -0400 (EDT)
Date: Wed, 8 May 1996 15:58:36 -0400 (EDT)
From: Scott Barman
To: firewalls@GreatCircle.COM
Subject: Re: Linux network monitoring
In-Reply-To: <199605081900.OAA00167@dsrvlaf1-9.linknet.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 May 1996 zarquon@popalex1.linknet.net wrote:

> > If your bastion host has klaxon, or something similar, on every port from 1
> > to 1000 it's unlikely that your attacker would be able to do anything useful
> > with the information he gets from his scan, no?
>
> Nice story, but wouldn't it still be easier to run argus or something
> similar? I can imagine what would happen if my box started running klaxon
> 1000 times -- that is what would happen, right? If so, then that would be a
> *very* effective denial of service attack, at least on this machine.

Interesting thought... I wonder if klaxon can be rewritten as a multi-threaded server that would limit the number of connections it would allow? It was just a thought...

scott barman
--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com    and I speak only for myself.
barman@ix.netcom.com

"... [witness for the defense Dan] Olsen [of BYU] testified that, because the government was involved in the initial development of the Internet, he believes that the government has a role in determining appropriate technical standards for content labeling." (Dr. Olsen must not have read "1984" -sb)
- quoted from Citizens Internet Empowerment Coalition Trial Update No. 9 Re: ACLU, et. al. v. Reno on the constitutionality of the CDA

From firewalls-owner Wed May 8 13:33:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA25444 for firewalls-outgoing; Wed, 8 May 1996 13:23:22 -0700 (PDT)
Received: from uuneo.neosoft.com (uuneo.neosoft.com [206.109.1.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA25431 for ; Wed, 8 May 1996 13:23:15 -0700 (PDT)
Received: from baileynm.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id OAA22710; Wed, 8 May 1996 14:46:31 -0500 (CDT)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA07256; Wed, 8 May 1996 14:41:40 -0500
Received: by sonic.nmti.com; id AA04347; Wed, 8 May 1996 14:41:39 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9605081941.AA04347@sonic.nmti.com.nmti.com>
Subject: Re: Linux network monitoring
To: zarquon@popalex1.linknet.net
Date: Wed, 8 May 1996 14:41:39 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199605081900.OAA00167@dsrvlaf1-9.linknet.net> from "zarquon@popalex1.linknet.net" at May 8, 96 02:00:41 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Nice story, but wouldn't it still be easier to run argus or something
> similar?

Argus doesn't return a SYN/ACK, does it? It just snoops on the packets using a filter, like tcpdump. You want to generate a false positive... the logging klaxon does is nice but not necessary.

> I can imagine what would happen if my box started running klaxon
> 1000 times -- that is what would happen, right?

A large number of times. Probably not 1000 unless the guy was stupid enough to send you 1000 SYNs at once, which would be immediately suspicious if you had even minimal logging.

> If so, then that would be a
> *very* effective denial of service attack, at least on this machine.

So write a new daemon to do the job. Just have it open all the ports and feed him poisoned bait.

Now that I think of it, klaxon's the wrong way to go, too. You want a program that completes the open and waits for the bad guy to go away. Echo would work.

From firewalls-owner Wed May 8 13:42:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA25935 for firewalls-outgoing; Wed, 8 May 1996 13:30:31 -0700 (PDT)
Received: from offns.corp.netcom.com (offns.corp.netcom.com [199.35.110.68]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA25922 for ; Wed, 8 May 1996 13:30:26 -0700 (PDT)
Received: from office5 (office5.corp.netcom.com [199.35.110.246]) by offns.corp.netcom.com (8.6.12/Netcom-Corp) with ESMTP id NAA19610 for ; Wed, 8 May 1996 13:36:53 -0700
Received: by office5 (SMI-8.6/SMI-SVR4) id NAA13379; Wed, 8 May 1996 13:25:36 -0700
Date: Wed, 8 May 1996 13:25:29 -0700 (PDT)
From: Ashish Kumar
X-Sender: nc0876@office5
Reply-To: Ashish Kumar
To: firewalls@GreatCircle.com
Subject: PC-Windows based Sniffer
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am looking for a PC-Windows based sniffer product. Does anyone know if a good product exists.
Thanx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ashish.Kumar@corp.netcom.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Wed May 8 13:51:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23029 for firewalls-outgoing; Wed, 8 May 1996 12:58:16 -0700 (PDT)
Received: from sparc42.cs.uiuc.edu (sparc42.cs.uiuc.edu [128.174.244.52]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA23007 for ; Wed, 8 May 1996 12:58:06 -0700 (PDT)
Received: (from jwthomp@localhost) by sparc42.cs.uiuc.edu (8.7.5/8.7.3) id OAA18043; Wed, 8 May 1996 14:55:46 -0500 (CDT)
Date: Wed, 8 May 1996 14:55:45 -0500 (CDT)
From: thompson jeffrey w
To: Peter da Silva
cc: zarquon@popalex1.linknet.net, firewalls@GreatCircle.COM
Subject: Re: Linux network monitoring
In-Reply-To: <9605081557.AA25497@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 May 1996, Peter da Silva wrote:

> > As far as stopping these types of scans, it is not possible to stop them
> > directly as they are inherent in the TCP/IP protocol.
>
> There's an old fairy tale about a bloke in Ireland who caught a leprechaun.
> He had the little fellow show him where his pot of gold was hidden, and tied
> a ribbon about the tree after the wooden shoe maker promised to not remove
> the ribbon nor the gold. He headed off home to get a cart, and when he got
> back he found the cunning devil had tied a ribbon around every tree in the
> forest.

Cute story.

> If your bastion host has klaxon, or something similar, on every port
> from 1 to 1000 it's unlikely that your attacker would be able to do
> anything useful with the information he gets from his scan, no?

I do not agree. First off, by using a connection monitor you allow an attacker to scan your entire network for vulnerable machines without any fear of being noticed. Now that the attacker has a list of machines which may contain potential vulnerabilities s/he can attack those machines specifically. Granted, the attacks will now be logged. However, they will only be logged on specific machines, which reduces the chance of them being noticed. This becomes especially true if the attacks are obscure. Assuming the hacker gains access (which becomes more likely thanks to their information gathering), they simply have to clean the logs of a machine. Of course, there are good ways around this. (For example, hard logging, log host, etc.)

What I am getting at here is that this allows the attacker quite a bit of freedom in exploring the network, and only risks detection at the moment of attack. Something any general would love.

As always, comments are welcome.

Jeff Thompson

Jeff Thompson (jwthomp@uiuc.edu)         Argus Systems Group
http://www.uiuc.edu/ph/www/jwthomp       - Trusted Network Kernel Developer
ACM at UIUC Vice Chair / SigNET Chair
Member *The Guild

From firewalls-owner Wed May 8 14:21:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26931 for firewalls-outgoing; Wed, 8 May 1996 13:47:37 -0700 (PDT)
Received: from gatewayx.lsis.loral.com (gatewayx.lsis.loral.com [141.205.30.120]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA26915 for ; Wed, 8 May 1996 13:47:27 -0700 (PDT)
From: DEEVEE@gatewayx.lsis.loral.com
Received: by gatewayx.lsis.loral.com (AIX 3.2/UCB 5.64/4.03) id AA09770; Wed, 8 May 1996 15:38:49 -0500
Message-Id: <9605082038.AA09770@gatewayx.lsis.loral.com>
Received: by gatewayx via smwrap Version 2.1 id smwrapNCQD71; Wed May 8 15:38:01 1996 (IBM VM SMTP V2R2) with BSMTP id 2206; Wed, 08 May 96 15:46:16 CDT
Date: Wed, 8 May 96 15:46:16 CDT
To: firewalls%greatcircle.com@gateway.lsis.loral.com
Subject: 8250's
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can someone please tell me if 8250's can tie MAC and IP addresses to ports? If not, do you know of anything that will do both? We need to find a way to keep someone on the unsecure side of our network from spoofing an address on the secure side of the network. We have developed a software switch that allows someone to switch from one side to the other. Secure side can't see unsecure IP addresses and vice-versa. I just need to implement something that would make it hard or impossible to spoof an IP address on the secure network.

Thanks,
Dee Veasey, DEEVEE@GATEWAYX.LSIS.LORAL.COM, Security Analyst....
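Doug Wellington's recvmail design a few messages back in this thread (store only, no forwarding, accept mail for the local domain only, never reveal whether an account exists, reduce the recipient to letters and digits before using it as a file name, refuse mail once the spool would take more than half of the free space) can be stated as a small SMTP policy engine. The following is an added example written for this archive, not Doug's program and not TIS smap: the receiving side of the SMTP exchange is a line-by-line state machine so the policy can be exercised without a network. Assumptions are marked in the code: the local domain example.org, the spool directory and the peer address are constructed; chroot(2) needs root, so the example confines itself to a spool directory instead; "half the available space" is read as spool contents plus the new message fitting in half of the free space on the spool's filesystem.

```python
# Store-only SMTP receiver modelled on the recvmail description in this thread (added
# example, not Doug Wellington's program or TIS smap): local domain only, no relaying,
# identical RCPT replies for real and non-existent users, spool file names of letters and
# digits only, VRFY disabled, refusal once the spool would take over half the free space.
import logging
import os
import re
import shutil
import tempfile
import time

LOCAL_DOMAIN = "example.org"              # constructed: the only domain we accept mail for
NOT_ALNUM = re.compile(r"[^A-Za-z0-9]")   # everything else is stripped from the local part
log = logging.getLogger("recvmail")


def spool_name(address):
    """Spool file name for an RCPT TO address, or None if it is not local.  Quotes,
    slashes, dots and shell metacharacters do not survive the strip, so a crafted
    local part can neither leave the spool directory nor reach a shell."""
    local, at, domain = address.strip().strip("<>").rpartition("@")
    if not at or domain.lower() != LOCAL_DOMAIN:
        return None                       # leaf node: never relay
    return NOT_ALNUM.sub("", local) or None


def spool_has_room(spool_dir, incoming_bytes, free_bytes=None):
    # Our reading of "only allows half the available space to be used".
    if free_bytes is None:                # tests inject a value; otherwise ask the filesystem
        free_bytes = shutil.disk_usage(spool_dir).free
    used = sum(os.path.getsize(os.path.join(spool_dir, f)) for f in os.listdir(spool_dir))
    return used + incoming_bytes <= free_bytes // 2


class RecvMailSession:
    """One SMTP conversation: feed() takes a client line and returns the reply, or
    None while message data is being collected."""

    def __init__(self, spool_dir, peer="unknown", free_bytes=None):
        self.spool_dir, self.peer, self.free_bytes = spool_dir, peer, free_bytes
        self.in_data, self.data = False, []
        self.reset()

    def reset(self):
        self.mail_from, self.rcpts = None, []   # rcpts: (raw address, spool file name)

    def feed(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._store()
            self.data.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 " + LOCAL_DOMAIN
        if verb == "VRFY":                    # never confirm which accounts exist
            return "252 Cannot VRFY user; try RCPT to attempt delivery"
        if verb == "MAIL":
            self.reset()
            self.mail_from = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL first"
            raw = arg.partition(":")[2].strip()
            name = spool_name(raw)
            if name is None:
                log.warning("%s: relay attempt to %r refused", self.peer, raw)
                return "550 Relaying denied"
            self.rcpts.append((raw, name))
            return "250 OK"                   # same reply whether or not the user exists
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data, self.data = True, []
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command unrecognized"

    def _store(self):
        body = "\n".join(self.data) + "\n"
        if not spool_has_room(self.spool_dir, len(body.encode()) * len(self.rcpts), self.free_bytes):
            log.error("%s: spool would exceed half the free space, refusing", self.peer)
            return "452 Insufficient system storage"
        stamp = time.strftime("%a %b %d %H:%M:%S %Y")
        for raw, name in self.rcpts:
            with open(os.path.join(self.spool_dir, name), "a") as fh:    # mbox-style append
                fh.write("From %s %s\n" % (self.mail_from, stamp))
                fh.write("X-Recvmail-Envelope-Rcpt: %s\nX-Recvmail-Peer: %s\n%s\n" % (raw, self.peer, body))
        count = len(self.rcpts)
        self.reset()
        return "250 OK: queued for %d recipient(s)" % count


def demo_session(free_bytes=10_000_000):
    # Session on a fresh temporary spool directory; peer address is constructed.
    return RecvMailSession(tempfile.mkdtemp(prefix="recvmail-"), peer="198.51.100.7", free_bytes=free_bytes)


def spool_contents(session):
    """{file name: contents} for everything in the session's spool directory."""
    d = session.spool_dir
    return {f: open(os.path.join(d, f)).read() for f in sorted(os.listdir(d))}
```

Because RCPT answers 250 for any local part, a probe of the form "RCPT TO:<guess@example.org>" learns nothing; the raw address is still recorded in the stored file so an investigator can see what was actually presented. Doug's version invokes this from inetd under TCP wrappers and syslogs; here the logging module stands in for syslog.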
From firewalls-owner Wed May 8 14:42:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA00634 for firewalls-outgoing; Wed, 8 May 1996 14:33:58 -0700 (PDT)
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA00626 for ; Wed, 8 May 1996 14:33:51 -0700 (PDT)
Received: from iil.intel.com by hermes.intel.com (8.7.4/10.0i); Wed, 8 May 1996 14:31:36 -0700
Received: from ilx005.iil.intel.com by iil.intel.com with SMTP id AA32218 (5.65c+/IDA-1.4.4 for ); Thu, 9 May 1996 00:33:04 +0300
From: Sikary Avry
Received: by ilx005.iil.intel.com (AIX 3.2/UCB 5.64/IDC-RS6000-AIX-3.2) id AA37682; Thu, 9 May 1996 00:31:34 +0300
Message-Id: <9605082131.AA37682@ilx005.iil.intel.com>
To: firewalls-digest@GreatCircle.COM
Date: Thu, 9 May 1996 00:31:34 +0300 (IDT)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff firewalls asikary@iil.intel.com

From firewalls-owner Wed May 8 14:45:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA28383 for firewalls-outgoing; Wed, 8 May 1996 14:14:17 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA28369 for ; Wed, 8 May 1996 14:14:12 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id OAA24814; Wed, 8 May 1996 14:06:26 -0700
Received: from uuneo.neosoft.com(206.109.1.3) by mycroft via smap (V1.3mjr) id sma024812; Wed May 8 14:06:08 1996
Received: from baileynm.com (ficc@localhost) by uuneo.neosoft.com (8.7.5/8.7.4) with UUCP id PAA25744; Wed, 8 May 1996 15:15:24 -0500 (CDT)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id PAA08178; Wed, 8 May 1996 15:05:24 -0500
Received: by sonic.nmti.com; id AA05406; Wed, 8 May 1996 15:05:23 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9605082005.AA05406@sonic.nmti.com.nmti.com>
Subject: Re: Linux network monitoring
To: jwthomp@cs.uiuc.edu (thompson jeffrey w)
Date: Wed, 8 May 1996 15:05:23 -0500 (CDT)
Cc: peter@baileynm.com, zarquon@popalex1.linknet.net, firewalls@GreatCircle.COM
In-Reply-To: from "thompson jeffrey w" at May 8, 96 02:55:45 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > If your bastion host has klaxon, or something similar, on every port
> > from 1 to 1000 it's unlikely that your attacker would be able to do
> > anything useful with the information he gets from his scan, no?

> I do not agree. First off, by using a connection monitor you allow an
> attacker to scan your entire network for vulnerable machines without any fear
> of being noticed.

No he can't. He can only scan the bastion host and other systems in the DMZ, all of which have all ports returning a SYN/ACK to his SYN. So what he'll get back is "YES" for every port on every machine, which tells him nothing he can use.

Like the bloke in the story, he'll come to the forest with his wagon, and see a yellow ribbon around the trunk of every tree. He knows no more about the location of any pot of gold than if he'd never searched in the first place.
From firewalls-owner Wed May 8 14:57:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA01058 for firewalls-outgoing; Wed, 8 May 1996 14:38:04 -0700 (PDT)
Received: from gaia.internex.net (gaia.internex.net [198.67.38.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA01051 for ; Wed, 8 May 1996 14:37:56 -0700 (PDT)
Received: from hidata.com by gaia.internex.net (8.6.9/InterNex-SM8.6.9) id OAA19142; Wed, 8 May 1996 14:28:53 -0700
Received: by hidata.com (SMI-8.6/SMI-SVR4) id OAA10046; Wed, 8 May 1996 14:28:52 -0700
Received: from osc(205.158.62.10) by hds-gw via smap (V1.3) id sma010044; Wed May 8 14:28:29 1996
Received: from enterprise by osc.hidata.com (SMI-8.6/SMI-SVR4) id OAA27198; Wed, 8 May 1996 14:28:07 -0700
Date: Wed, 8 May 1996 14:28:07 -0700
Message-Id: <199605082128.OAA27198@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Danny Cox
From: Bill Stout
Subject: Re: Multiple IP addresses on one ethernet card?
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If your ethernet port is le0:

    ifconfig le0:1 10.0.0.1 netmask 255.255.255.0 up

Bang. Works. To remove the virtual port, type:

    ifconfig le0:1 10.0.0.1 down

You can have 255 virtual ports (le0:1-le0:255). Solaris 2.x can do this;
other UNIX brands might if you dig for an O.S. patch.

Related situation: I have a problem where mail sent to my old domain is not
received by the new mail system, which is using the same IP address and a
new one on a single port. Sendmail.cf has an additional entry to accept
mail for the old domain, 'Cw olddomain.com'. Sendmail is constantly
restarted. I don't think the MX record for the old domain needs to change,
since my new mailhost also has the old IP address.

If I try /usr/lib/sendmail -bt

    >0 username
    ...
    rewrite: ruleset 0 returns: $# local $: username
    >0 username@olddomain.com
    ...
    rewrite: ruleset 0 returns: $# ether $@ gateway . newdomain . com $: user < @ olddomain . com >

I think this should state '..$# local $: username'.

Mail sent from the new system (which is supposed to accept mail addressed
to the old domain) to an old domain address loops between the old gateway
and the new mailhost until maximum hops is reached.

Anything else need to change/any other ideas out there?

Bill

At 09:14 AM 5/8/96 +0100, you wrote:
>Dear all,
>
> we're looking here at renumbering our IP setup. Currently we use IP
>addresses within a class C address which has been granted us within the
>official DNS. In order to be able to expand much beyond where we are,
>we want to use the RFC1597 class A network 10.
>
> Things move slowly here as they do everywhere I guess, and it's probably
>going to be a while before we can do this to all machines. Meantime there
>is a pressure to allocate IP addresses to machines here which haven't one
>currently - PCs generally, as the Solaris (2.3/2.4) workstations already
>have their own on the class C which we have.
>
> We also run a firewall here which performs all the translation between
>our class C and its external address - works just dandy. What would be
>particularly convenient right now, would be to be able to set up this
>firewall which is a dual homed beast running fwtk on Solaris 2.4 in such
>a way that we have two classes of IP addresses running round our internal
>network, but which can both see the firewall, and reach outside. Can anyone
>clue me in, as to how to set up two IP addresses on the internal ethernet
>interface on the firewall. I will have to do this on one or two other
>machines also, as we run internal POP servers and a split DNS.
>
>Nice complicated mess, but it might help the bureaucracy along a little if I
>can set this up.
>
>Thanks for your comments,
>Danny
>

From firewalls-owner Wed May 8 15:48:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA07165 for firewalls-outgoing; Wed, 8 May 1996 15:31:08 -0700 (PDT)
Received: from research.att.com (ns.research.att.com [192.20.225.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA07158 for ; Wed, 8 May 1996 15:31:03 -0700 (PDT)
Received: from research.att.com by ns; Wed May 8 18:27:07 EDT 1996
Received: from raptor.research.att.com by research; Wed May 8 18:26:16 EDT 1996
Received: from research.att.com (localhost.research.att.com [127.0.0.1]) by raptor.research.att.com (8.7.5/8.7) with ESMTP id SAA17038; Wed, 8 May 1996 18:26:15 -0400 (EDT)
Message-Id: <199605082226.SAA17038@raptor.research.att.com>
To: Tony Iannotti
cc: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #299
Date: Wed, 08 May 1996 18:26:15 -0400
From: Steven Bellovin
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Tony Iannotti
Date: Wed, 8 May 1996 14:14:01 -0400 (EDT)
Subject: Re: Getting started with firewall.

On Wed, 8 May 1996, Bryan D. Boyle wrote:

> It should be on your shelf, right next to Belovin and Cheswick's book.

I thought it _was_ the Bellovin & Cheswick book?

``Firewalls and Internet Security: Repelling the Wily Hacker'', by
Bill Cheswick and myself, is published by Addison-Wesley.

``Building Internet Firewalls'', by Chapman and Zwicky, is published
by O'Reilly.
--Steve Bellovin

From firewalls-owner Wed May 8 16:12:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA10896 for firewalls-outgoing; Wed, 8 May 1996 16:11:00 -0700 (PDT)
Received: from powergrid.electriciti.com (powergrid.electriciti.com [198.5.212.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA10878 for ; Wed, 8 May 1996 16:10:51 -0700 (PDT)
Received: from Molecule.electriciti.com by powergrid.electriciti.com with smtp (Smail3.1.29.1 #3) id m0uHIMD-0005zAC; Wed, 8 May 96 16:09 PDT
Message-Id:
X-Sender: molecul1@electriciti.com
X-Mailer: Windows Eudora Version 1.4.3b4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 08 May 1996 16:10:48 -0700
To: firewalls-digest@GreatCircle.COM
From: molecul1@electriciti.com (Molecule One Scientific Research Institute)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

signoff firewalls molecul1@electriciti.com

From firewalls-owner Wed May 8 18:11:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA16161 for firewalls-outgoing; Wed, 8 May 1996 18:01:45 -0700 (PDT)
Received: from dcc.com (gateway.dcc.com [204.147.95.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA16148 for ; Wed, 8 May 1996 18:01:38 -0700 (PDT)
Received: from smtp.dcc.com ([204.147.93.69]) by gateway.perigee.com with SMTP id <71429>; Wed, 8 May 1996 20:13:10 -0500
Received: by smtp.dcc.com with Microsoft Mail id <31915F8D@smtp.dcc.com>; Wed, 08 May 96 19:59:25 PDT
From: "Moubray, Steve"
To: "'firewalls@greatcircle.com'"
Subject: Re: Getting started with firewall
Date: Wed, 8 May 1996 21:58:00 -0500
Message-ID: <31915F8D@smtp.dcc.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >On 30 Apr 1996, Moore, Mark wrote:
> >>Does anyone know what documentation I can purchase so that I can
>> better understand firewall technology ??
>k
>O'reilly offers a book on firewalls... i'm not sure how comprehensive it
>is but O'reilly books rock in general.. and you can find them at almost
>any bookstore.

I can vouch for the O'Reilly book written by Brent Chapman and Elizabeth
Zwicky, ISBN 1-56592-124-0. I've purchased 3 copies. One for me and two for
staff. Brent also does a course which is worth the price, and if you're in
DC and they have some "no shows" Marcus Ranum is doing Firewalls 101 at
SANS. Unfortunately SANS has been sold out for about 2 weeks now :(

These are good places to start.

From firewalls-owner Wed May 8 18:26:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA16788 for firewalls-outgoing; Wed, 8 May 1996 18:18:08 -0700 (PDT)
Received: from Farstar (Farstar.secapl.com [192.131.69.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA16775 for ; Wed, 8 May 1996 18:18:03 -0700 (PDT)
Received: from fozzie.secapl.com (Fozzie.secapl.com [192.131.46.3]) by Farstar (8.6.12/8.6.12) with SMTP id UAA431206; Wed, 8 May 1996 20:12:06 -0500
Received: from localhost by fozzie.secapl.com (AIX 3.2/UCB 5.64/4.03) id AA188902; Wed, 8 May 1996 21:17:22 -0400
Date: Wed, 8 May 1996 21:17:19 -0400 (EDT)
From: Tony Iannotti
To: Steven Bellovin
Cc: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #299
In-Reply-To: <199605082226.SAA17038@raptor.research.att.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yep, got the correction from a few people, thanks. Mea Culpa!

On Wed, 8 May 1996, Steven Bellovin wrote:

> From: Tony Iannotti
> Date: Wed, 8 May 1996 14:14:01 -0400 (EDT)
> Subject: Re: Getting started with firewall.
>
> On Wed, 8 May 1996, Bryan D. Boyle wrote:
>
> > It should be on your shelf, right next to Belovin and Cheswick's book.
>
> I thought it _was_ the Bellovin & Cheswick book?
>
> ``Firewalls and Internet Security: Repelling the Wily Hacker'', by
> Bill Cheswick and myself, is published by Addison-Wesley.
>
> ``Building Internet Firewalls'', by Chapman and Zwicky, is published
> by O'Reilly.
>
>
> --Steve Bellovin
>

From firewalls-owner Wed May 8 18:44:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA17548 for firewalls-outgoing; Wed, 8 May 1996 18:37:09 -0700 (PDT)
Received: from shifra.info.umoncton.ca ([139.103.16.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA17533 for ; Wed, 8 May 1996 18:37:03 -0700 (PDT)
Received: (from musta@localhost) by shifra.info.umoncton.ca (8.6.11/8.6.9) id WAA03784; Wed, 8 May 1996 22:35:18 -0300
Date: Wed, 8 May 1996 22:35:13 -0300 (ADT)
From: Mustapha
To: "Juan Carlos Machado Z."
cc: firewalls@GreatCircle.COM
Subject: Re: Denying Telnet sessions from some sites
In-Reply-To: <31909737.2786@ciat.cgiar.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 May 1996, Juan Carlos Machado Z. wrote:

> [...]
> I want to deny some telnet sessions from some sites, and we don't have the
> necessary budget to buy a firewall machine.
> [...]

Juan,

You've got to install a package called ``tcp wrappers''. It is available
from ftp.win.tue.nl:/pub/security. The latest version is 7.4, dated
April 5, 1996.

Do not hesitate to contact me if you should have any more questions
regarding this.
Regards,

-Mustapha

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mustapha Obeid
Student
Computer Science Department, "Universite de Moncton"
Moncton, NB, Canada - E1A 3E9
Field of Interest: Network Security & Cryptography
*Life would be much easier if we could just look at the source code*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Wed May 8 20:41:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA22718 for firewalls-outgoing; Wed, 8 May 1996 20:27:25 -0700 (PDT)
Received: from sparc42.cs.uiuc.edu (sparc42.cs.uiuc.edu [128.174.244.52]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA22712 for ; Wed, 8 May 1996 20:27:18 -0700 (PDT)
Received: (from jwthomp@localhost) by sparc42.cs.uiuc.edu (8.7.5/8.7.3) id WAA18427; Wed, 8 May 1996 22:25:10 -0500 (CDT)
Date: Wed, 8 May 1996 22:25:10 -0500 (CDT)
From: thompson jeffrey w
To: Peter da Silva
cc: peter@baileynm.com, zarquon@popalex1.linknet.net, firewalls@GreatCircle.COM
Subject: Re: Linux network monitoring
In-Reply-To: <9605082005.AA05406@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 May 1996, Peter da Silva wrote:

> > > If your bastion host has klaxon, or something similar, on every port
> > > from 1 to 1000 it's unlikely that your attacker would be able to do
> > > anything useful with the information he gets from his scan, no?
>
> > I do not agree. First off, by using a connection monitor you allow an
> > attacker to scan your entire network for vulnerable machines without any fear
> > of being noticed.
>
> No he can't. He can only scan the bastion host and other systems in the
> DMZ, all of which have all ports returning a SYN/ACK to his SYN. So what
> he'll get back is "YES" for every port on every machine, which tells him
> nothing he can use.
>
> Like the bloke in the story, he'll come to the forest with his wagon, and
> see a yellow ribbon around the trunk of every tree. He knows no more about
> the location of any pot of gold than if he'd never searched in the first
> place.

I see I have made an error. You are quite correct if the machine is a
bastion host. As there is little else to scan on the network, you have
essentially "tied ribbons on all of the trees". A good idea. However, I
would probably only lay klaxon on popular ports, whether they are active
or not, to pass along misleading information.

Jeff Thompson

Jeff Thompson(jwthomp@uiuc.edu)
Argus Systems Group
http://www.uiuc.edu/ph/www/jwthomp - Trusted Network Kernel Developer
ACM at UIUC Vice Chair / SigNET Chair
Member *The Guild

From firewalls-owner Wed May 8 20:56:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA22921 for firewalls-outgoing; Wed, 8 May 1996 20:38:46 -0700 (PDT)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA22915 for ; Wed, 8 May 1996 20:38:42 -0700 (PDT)
From: myvadlam@ibmmail.com
Message-Id: <199605090338.UAA22915@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 7951; Wed, 08 May 96 23:36:33 EDT
Date: Wed, 08 May 1996 23:36:26 EDT
To: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: Multiple IP addresses on one ethernet card?
cc:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a file that all the ifconfig definitions can be written to, such
that upon boot-up of the AIX machine the definitions are set up?

*********************************************************************
* Lines wrapped by IBM Mail Exchange are marked in col 1 with '...' *
*********************************************************************

From: "Paul M. Cardon"
Date: Wed, 8 May 96 14:45:18 -0500
To: "Brian Stormont"
Subject: Re: Multiple IP addresses on one ethernet card?
cc: firewalls@greatcircle.com

My MUA insists that "Brian Stormont" wrote:
>
> >Can anyone
> >clue me in, as to how to setup two IP addresses on the internal
> >ethernet interface on the firewall.
>
> With Solaris you can configure a single interface to support
> several ip addresses.
> I'm not sure if it is documented in the ifconfig man page, but I
> know you can do:
>
> ifconfig le0 xxx.xxx.xxx.xxx
> ifconfig le0:1 xxx.xxx.xxx.xxx
> ifconfig le0:2 xxx.xxx.xxx.xxx
> etc...
>
> and then a single ethernet card uses all the ip addresses you told
> it to.
>
> -brian

Actually it is possible to do it on nearly any Unix system, but in some cases
...it may require a patch from the vendor. Take a look at this in the context
...of serving different domains from a single web server at:

http://www.thesphere.com/~dlp/TwoServers/

---
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
pmarc@cmg.fcnbd.com - (312) 732-7392

I never give them hell. I just tell the truth and they think it's hell.
- ...H. Truman

MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e

---- End of mail text

Additional SMTP headers from original mail item follow:
Received: from relay2.UU.NET by ibmmail.COM (IBM VM SMTP V2R3) with TCP; Wed, 08 May 96 21:38:17 EDT
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQaovy22484; Wed, 8 May 1996 16:34:03 -0400 (EDT)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA22052 for firewalls-outgoing; Wed, 8 May 1996 12:47:31 -0700 (PDT)
Received: from po-external.FCNBD.COM (po-external.FCNBD.COM [147.113.146.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA22044 for ; Wed, 8 May 1996 12:47:25 -0700 (PDT)
Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.112.122]) by po-external.FCNBD.COM (8.7.2/fcnbd/domain/1.5) with ESMTP id OAA09373; Wed, 8 May 1996 14:47:41 -0500 (CDT)
Received: from abacab.cmg.FCNBD.COM (abacab.cmg.FCNBD.COM [147.113.112.11]) by po-internal.FCNBD.COM (8.7.2/fcnbd/internal-domain/1.4) with ESMTP id OAA13165; Wed, 8 May 1996 14:46:05 -0500 (CDT)
Received: from abraxas.fnbc.com (pmarc@abraxas.FNBC.COM [147.113.112.127]) by abacab.cmg.FCNBD.COM (8.7.2/fcnbd/server-subdomain/2.1) with ESMTP id OAA12058; Wed, 8 May 1996 14:44:11 -0500 (CDT)
Received: (from pmarc@localhost) by abraxas.fnbc.com (8.7.3/8.7.1) id OAA09890; Wed, 8 May 1996 14:45:20 -0500 (CDT)
Message-Id: <199605081945.OAA09890@abraxas.fnbc.com>
MIME-Version: 1.0 (NeXT Mail 3.3 v118.2)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <9605081843.AA20704@ProJo.COM>
X-Nextstep-Mailer: Mail 3.3 (Enhance X)
Received: by NeXT.Mailer (1.118.2)
Reply-To: pmarc@fnbc.com
References: <9605081843.AA20704@ProJo.COM>
X-Warners: Yakko, Wakko, and Dot
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Wed May 8 22:26:57 1996
Received:
(majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA27954 for firewalls-outgoing; Wed, 8 May 1996 22:24:40 -0700 (PDT)
Received: from ns2.emirates.net.ae (ns2.emirates.net.ae [194.170.1.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA27948 for ; Wed, 8 May 1996 22:24:32 -0700 (PDT)
Received: from adia_dso ([194.170.24.20]) by ns2.emirates.net.ae (5.x/SMI-SVR495081401) id AA18078; Thu, 9 May 1996 09:22:14 +0400
Date: Thu, 9 May 1996 09:22:14 +0400
Message-Id: <2.2.32.19960509092142.002bf408@emirates.net.ae>
X-Sender: forster@emirates.net.ae
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: ygerman
From: Andrew & Terri Forster
Subject: Re: Sight Blocking
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Have a look at http://n2h2.bess.net/filters/bess.html. This product, Bess the
Internet Retriever, can be utilised via an ISP or as a proxy server within
your organisation. We are currently evaluating this product for our
organisation.

Regards,
AMF

At 12:23 8/05/96, you wrote:
>I was wondering if anyone has some experience with products shareware/commercial
>that allow you to block users from accessing certain pages. I am currently
>using somewhat of an antique scheme using hosts file to redirect output for
>certain sites but would actually like to do it without tricks.
>
>I am actually looking for a server based product not one of those PC based
>products.

==========================================================================
Andrew M Forster [GMT +4]
Email: forster@emirates.net.ae
Phone: +9712 262556 or +9712 453613
Fax: +9712 465344
==========================================================================

From firewalls-owner Wed May 8 23:56:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA02518 for firewalls-outgoing; Wed, 8 May 1996 23:42:01 -0700 (PDT)
Received: from popalex1.linknet.net (popalex1.linknet.net [206.103.79.89]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA02510 for ; Wed, 8 May 1996 23:41:55 -0700 (PDT)
From: zarquon@popalex1.linknet.net
Received: from dsrvlaf1-23.linknet.net by popalex1.linknet.net; (5.65v3.2/1.1.8.2/06Mar96-1224PM) id AA30085; Thu, 9 May 1996 01:45:38 -0500
Received: (from zarq@localhost) by dsrvlaf1-23.linknet.net (8.6.12/8.6.9) id BAA00270 for firewalls@GreatCircle.COM; Thu, 9 May 1996 01:39:48 -0500
Message-Id: <199605090639.BAA00270@dsrvlaf1-23.linknet.net>
Subject: Re: Linux network monitoring
To: firewalls@GreatCircle.COM (Firewalls)
Date: Thu, 9 May 1996 01:39:46 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Nice story, but wouldn't it still be easier to run argus or something
>> similar?

> Argus doesn't return a SYN/ACK, does it? It just snoops on the packets using
> a filter, like tcpdump. You want to generate a false positive... the logging
> klaxon does is nice but not necessary.

Ah, now I see what you were getting at. I just didn't consider the importance
of your little story, and with my limited knowledge of computer security, it
didn't seem that obvious at first.

Yes, I suppose that would make things more difficult for someone doing a
simple port scan, but it should also be trivial to write a scanner that would
record only those ports where data was received. Then again, that could be
countered by installing a daemon that would send a preset string, or perhaps
even random data with a random length, which should *really* make it hard to decide
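What Peter da Silva describes (every port on the bastion host completes the TCP handshake and the attempt is logged, so a connect scan gets "YES" everywhere) and the refinement zarquon raises at the end of the thread (answer with a preset string or random-length random data so "did data come back" is no more informative than "did the port open") are shown together below as an added example. This is not klaxon and not code from anyone on the list; the names DecoyListener, random_banner, log_line and run_self_test are mine. The self-test assumes an unprivileged run on loopback with kernel-chosen ports (port number 0), since binding the real ports 1 to 1000 needs root and those ports must not be occupied by genuine services.

```python
"""Decoy listener: answer on many TCP ports, log every connection, and reply
with a banner of random content and random length.

Added example for the klaxon discussion; it is not the klaxon program.
"""
import random
import selectors
import socket
import threading
from datetime import datetime, timezone


def random_banner(rng=None, min_len=8, max_len=64):
    """Random bytes of random length, bounds inclusive (zarquon's suggestion)."""
    rng = rng if rng is not None else random.SystemRandom()
    length = rng.randint(min_len, max_len)
    return bytes(rng.getrandbits(8) for _ in range(length))


def log_line(entry):
    """Render one recorded connection as a syslog-style line."""
    return "{ts} decoy: connection from {src_ip}:{src_port} to port {dst_port}".format(**entry)


class DecoyListener:
    """Bind a set of TCP ports and record who connects to each one.

    Port 0 asks the kernel for a free port (used by the self-test); the ports
    actually bound are in `bound_ports`.
    """

    def __init__(self, ports, host="127.0.0.1", banner=None):
        self.banner = banner                 # None -> fresh random banner per connection
        self.events = []                     # one dict per accepted connection
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sel = selectors.DefaultSelector()
        self._listeners = []
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            s.listen(32)
            s.setblocking(False)
            self._sel.register(s, selectors.EVENT_READ)
            self._listeners.append(s)
        self.bound_ports = [s.getsockname()[1] for s in self._listeners]

    def _handle(self, listener):
        try:
            conn, (src_ip, src_port) = listener.accept()
        except BlockingIOError:
            return                           # spurious readiness, nothing to accept
        # Record the attempt before sending anything, so a peer that drops the
        # connection immediately is still logged (the point of the monitor).
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": listener.getsockname()[1],
        }
        with self._lock:
            self.events.append(entry)
        try:
            conn.settimeout(2.0)
            conn.sendall(self.banner if self.banner is not None else random_banner())
        except OSError:
            pass                             # peer already gone; attempt is logged anyway
        finally:
            conn.close()

    def serve(self):
        """Accept connections on all bound ports until stop() is called."""
        while not self._stop.is_set():
            for key, _ in self._sel.select(timeout=0.2):
                self._handle(key.fileobj)
        for s in self._listeners:
            self._sel.unregister(s)
            s.close()
        self._sel.close()

    def stop(self):
        self._stop.set()

    def snapshot(self):
        with self._lock:
            return list(self.events)


def connect_once(host, port, timeout=5.0):
    """Open one connection and return everything the decoy sent back (self-test client)."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)


def run_self_test(n_ports=3, banner=None):
    """Start a decoy on n_ports loopback ports, connect to each, return (events, banner sizes)."""
    decoy = DecoyListener([0] * n_ports, banner=banner)
    worker = threading.Thread(target=decoy.serve, daemon=True)
    worker.start()
    sizes = [len(connect_once("127.0.0.1", p)) for p in decoy.bound_ports]
    decoy.stop()
    worker.join(timeout=5)
    return decoy.snapshot(), sizes


if __name__ == "__main__":
    events, sizes = run_self_test()
    for e in events:
        print(log_line(e))
    print("banner sizes seen by the client:", sizes)
```

With banner=None every connection gets a different payload of a different length, which is the case zarquon's message ends on; passing a fixed banner such as b"220 ready\r\n" instead makes every port look like the same service, closer to Jeff Thompson's idea of misleading information on popular ports. Either way the entry is written before the reply is sent, so the log, which is what a defender actually wants from a klaxon-style monitor, does not depend on the peer reading anything.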