From firewalls-owner Sat Jun 1 01:33:42 1996
From: Bernd.Lehle@RUS.Uni-Stuttgart.DE (Bernd Lehle)
Message-Id: <199606010808.KAA12275@visbl.rus.uni-stuttgart.de>
Subject: Re: FTP Encryption
To: adam@homeport.org (Adam Shostack)
Date: Sat, 1 Jun 1996 10:08:25 +0200 (DST)
Cc: Bernd.Lehle@RUS.Uni-Stuttgart.DE, CWSTAFFORD@deserthosp.org
In-Reply-To: <199605311614.LAA16235@homeport.org> from "Adam Shostack" at May 31, 96 11:14:47 am
X-pgp-fingerprint: 3E B0 35 8D 59 D5 AE AA 5A F9 60 80 9E E0 55 48
X-Joke: If cryptography is outlawed, only #%8fd 26(@^($$

> I like ssh, but if you use FTP + pgp, anyone can download & decrypt.
> With ssh, Mac users, VMS users, IBM mainframe users, fidonet users,
> and the like are all out of luck.

If you are trying to set up an ftp server for many people, then this is a better solution. The original question referred to transfer within a company though.

> If you use scp, you get link encryption, but not file encryption,
> which may be more important. Are you trying to let anyone download
> your files, and only those who give you money read what they've
> downloaded?

This would be a nice way to charge for information supplied over the Internet. Here in Stuttgart we use secure shell for administrative logins and file transfers across the campus network, which is considered insecure.
--
> Bernd Lehle - Stuttgart University Computer Center   * A supercomputer <
> Visualization / Security / Astrophysics               * is a machine    <
> lehle@rus.uni-stuttgart.de   Tel:+49-711-685-5531     * that runs an    <
> http://www.tat.physik.uni-tuebingen.de/~lehle         * endless loop    <
> pgp? -> finger bernd@visbl.rus.uni-stuttgart.de       * in 2 seconds    <

From firewalls-owner Sat Jun 1 06:18:48 1996
Date: Sat, 01 Jun 96 08:11:04 CST
From: "Todd Beebe"
Message-Id: <9605018336.AA833641884@internet.gallup.com>
To: kotler@pcta00.bamimpr.inpr.br, Russ
Cc: Firewalls@GreatCircle.COM
Subject: Re[2]: Windows/NT as a Comm. Server

What are "all NT wholes"? I am trying to defend using UNIX over NT as our firewall and since I know little on NT I can't make a strong case. (Except the obvious: NT hasn't been subject to being outside a protected network as long as UNIX, so it's impossible to know its vulnerabilities until it's open to hackers.) Thanks.

______________________________ Reply Separator _________________________________
Subject: RE: Windows/NT as a Comm. Server
Author: Russ at Internet
Date: 5/31/96 5:49 PM

%
% Does anybody use Windows/NT (RAS) as a front-end communication server for remote access?

Yeh, some crazy people do.
Actually, lots of crazy people do...;-]

% (instead of traditional communication servers like Shiva or Livingston)

but why? Each RAS connection uses 2MHz of CPU (continuously, so a loaded server will affect comms speed) and 1MB of ram.....

Well, this is not exactly true. If you use a ChiliPort, or Digiboard, comm port, there is no direct load on the CPU or RAM for handling the users. With these types of boards, NT becomes nothing more than a router.

% THEY claim that it is so secure that we do not even need a firewall...
% What about that?

aahahaha If they can make a network connection to your NT box, then they can exploit all NT's wholes remotely...... Don't see why making it a RAS server makes it more secure......

I have to agree here, RAS doesn't make NT more secure by any means. In fact, it could be argued that RAS makes NT a little less secure because when it is implemented NT automatically enables IP Forwarding between all its adapters. If your NT box is multi-homed, and forwarding had not previously been enabled, it would be after RAS was installed.

That said, RAS can be set to follow the same rules for user authentication as clients on the LAN have to follow. It's possible to establish encrypted sessions between RAS users who are running NT.

As for being able to exploit all of NT's holes, well, if you can establish a network connection with an NT box, whether you are local or remote, there are things that can be exploited. But you have to establish that network connection first. I wouldn't be more afraid of someone exploiting my NT box remotely than someone exploiting it locally. Of course, providing dial-up access to any network is a risk unto itself. Your NT RAS server can be set up as part of an untrusted domain, forcing authentication to take place on a third machine, which does help somewhat in ensuring proper authentication.

Out of curiosity, what "firewall" is not needed because of RAS?
Might you be talking about using RAS to connect to the Internet, providing a gateway between your LAN and the Internet?

Cheers,
Russ

From firewalls-owner Sat Jun 1 07:18:44 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9606011355.AA30718@sonic.nmti.com.nmti.com>
Subject: Re: Raptor's Eagle Firewall
To: firewalls@greatcircle.com
Date: Sat, 1 Jun 1996 08:55:14 -0500 (CDT)
In-Reply-To: from "Chris Pugrud" at May 30, 96 04:59:28 pm
X-Mailer: ELM [version 2.4 PL23]

> The biggest complaint that I have about the Eagle NT product is that it is
> not an NT firewall. It doesn't use NT as anything more than a "boot
> loader". It is still not complete yet for NT, they cut back on features to
> rush it out the door. It seems like a good product, but I won't cut a PO
> until it can take advantage of the NT user database, network login, etc...

*jaw drops*

Why would you put your firewall into the same authentication domain as your users? Maybe I'm missing something, but that seems like you're putting an awful lot of trust in the NT security model.
From firewalls-owner Sat Jun 1 09:03:51 1996
Date: Sat, 1 Jun 1996 11:51:35 -0400
Message-Id: <199606011551.LAA14217@goffer.ee.net>
From: C Matthew Curtin
To: Duan Zhenhai
Cc: firewalls@GreatCircle.COM
Subject: Re: packet filter
In-Reply-To: <199605280117.KAA01384@shoukui.pku.edu.cn>
Reply-To: cmcurtin@fahlgren.com

>>>>> "Duan" == Duan Zhenhai writes:

Duan> the second question is what can we do and what should we
Duan> consider when we want to do antispoofing; is controlling the source
Duan> route enough?

(Warning added after I got done composing this: I kinda went off onto a tangent about packet filtering options, etc., so I'm sure that I'm inundating poor Duan with more information than he ever wanted, but there's probably a fair bit of useful information here about packet filtering considerations... at least I hope so :-)

Well, there are certain things that you can do to limit the boundaries of IP address spoofing. This might prove to be sufficient for what you're doing, but it is important to understand the limits of such a mechanism.

Let's draw a connection to the Internet that will allow connection to the Internet, and provide a space for a web site, dns server, or whatever...
              |
       Big bad Internet
              |
             /\
             \/    packet filtering router (1)
              |    one that logs what it rejects, and what it allows
       _______|_____________
          |         |
         _|_       _|_       "DMZ"
        |WWW|     |DNS|      some machines (accessible to the Internet)
        |___|     |___|
              |
             _|_
            |PF |  another packet filter (maybe a commercial packet filtering
            |___|  "firewall," or a packet filtering router that will LOG everything)
              |
       _______|___________
              |
             /\
             \/    packet filtering router (2)
              |    same deal with logging, blah, blah, blah
       _______|________
                             corporate private network backbone

OK, the packet filtering router (1) that connects our DMZ network(s) to the Internet can be configured such that it will deny any packets that claim to originate from either the DMZ or our private network's address space. Additionally, we'll want to weed out ridiculous things like 127.* (loopback); 10.*, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255 (used for private internets (dare I even say "intranets" :) only, as per RFC 1918); anything else you can think of that makes sense to weed out should go here ... this is off of the top of my head.

Now, what we've done is ensured by rules (note, we're not guaranteeing, because if someone breaks into our router and changes the rules, then this changes things... so, lock the router down by only allowing physical console access - NO REMOTE LOGINS TO YOUR ROUTERS! ... do some other common sense things to keep anyone from being able to mess with it) that any packets that reach our DMZ networks are from the Internet. Anyone can spoof something to look like it's from some OTHER Internet address, but if you group ALL Internet (i.e., not yours) IP addresses into one category: "untrusted," this is OK.

Now, the "PF" packet filter ("firewall," another router, or whatever) is critical, because it provides a level of redundancy here. Put the same ACLs that you put on packet filtering router (1) on there, JUST IN CASE someone does something "impossible" and breaks through your first router.
Again, LOG EVERYTHING that you allow and deny. Also, put the same ACLs that you have on packet filtering router (2) on there, just in case something screwy is going on from the inside (perhaps a bad guy has broken into a terminal server, and is trying to attack your firewall from the inside out!) that has gotten through your internal packet filtering router...

Now, your packet filtering router (2) should be configured just as (1) was, with the exception that it's the reverse: don't allow things from the inside that claim to be from anywhere but your own IP address space. Don't allow loopback, RFC 1918 addresses, etc. through. Log everything that you accept or reject.

Logging is a big deal, especially in a packet filtering type of firewall environment, for several reasons:

(1) Logging rejects serves as an alarm that will tell you when you're actively under attack. Don't panic if you get one poke from a site, but if someone is attempting a portscan of your web server, for example, this is something you'll definitely want to know, and the logs will show this attempt.

(2) Logging what you're allowing will tell you if your rules are working. Don't just audit the reject logs. Take a look at what you're allowing, and make sure that no stupid things are going on. Test them once in a while (not once a year; I'd say monthly at the worst, depending on your paranoia.)

Also, make sure that the place your logs go (perhaps you're using a machine somewhere in your DMZ to accept all of the log data from all of your packet filters via syslogd) is (1) protected, so that someone from outside the DMZ (i.e., anything but your packet filters, and whatever else that's YOURS that is logging to it via syslog) can't write to it, and (2) it has BOATLOADS of free disk space. If someone IS able to start writing crap to your log machine's syslogd, they'll try to fill up your disk space before commencing the attack.
If you've got, say, 10GB of free space at any given time, the likelihood of success is significantly lower than if you're down to 14k of free space :-)

Another note, which depends on your needs and paranoia, is where to put the publicly accessible servers (like WWW, DNS, etc.) I've drawn them as part of the DMZ, which might be OK, but might not be. There is an additional level of security if you subnet them off of your outside packet filtering router (1), because if someone breaks through your router, and then breaks into one of those machines, an attack can't commence from the same LAN: it has to attack your firewall from a LAN that can be labeled "untrusted" by the firewall. Perhaps they can break through there, too. So you've got ACLs redundant to what your outside packet filter and "firewall" packet filter have on your inside packet filter. Again, now they've got ANOTHER layer to break through. (By this time, your alarms have been going nuts and have paged everyone from your sysadmins to the CIO to look into this, right?)

All of this really boils down to a few simple maxims:

* know exactly what it is that you need to do
* don't allow anything to go on that you don't have defined as being absolutely necessary
* understand the technology you're dealing with: its limits, its features, and what other people are doing with it
* decide HOW MUCH protection you want, and understand what your tradeoffs are. (For example, I've shown the above network to have three packet filtering mechanisms. You could increase security by adding a fourth, fifth, etc., but are you spending $1,000,000 to protect $1,000? Also, the more ACLs you have on a router, the more you're going to slow it down. Are all of those redundant ACLs going to kill your network performance? Not if you can afford faster routers, but what if you can only afford Cisco 4500-Ms? Do you have so many ACLs that to get the same level of performance that the 4500 offers you'd need to get into a 7000 series?)
I'm personally a bit leery of using purely packet filtering for building firewalls, but perhaps that's because I don't understand all of the details of packet filtering technology as it exists right at this moment. There might be some newfangled ways of doing things that I don't know about. Perhaps it's because I'm paranoid. Perhaps it's because there really are significant limitations to what packet filters can do at this very moment and there is good reason to doubt them.

However, I *do* think that packet filtering is very important. There is a definite layer of security that is provided there, and something as simple as adding some common sense ACLs to a router in front of (and behind) a good application-layer firewall can provide very useful logs and additional security. Of course, in really huge environments, application layer firewalls tend to be problematic from performance standpoints, although there are ways to solve that problem.

I guess I went off a little more than I intended, but in any event, I hope the information is useful.

Also, if you haven't done so already, I highly recommend getting ahold of Cheswick & Bellovin's "Firewalls and Internet Security: Repelling the Wily Hacker," Addison-Wesley Professional Computing Series, ISBN 0-201-63357-4, paperback, 320 pages, (c) 1994. (See http://www.aw.com/cp/Ches.html for more info.) This is a more theoretical approach to security in general, and will leave you with a much better understanding of the kinds of things to think about when dealing with security, especially firewalls.

Also, also, I recommend "Building Internet Firewalls" by D. Brent Chapman and Elizabeth D. Zwicky. Published by O'Reilly & Associates, 1st Edition September 1995, 517 pages, ISBN 1-56592-124-0, list price $29.95. (See http://www.greatcircle.com/firewalls-book/ for more info.)
This is the hands-on approach of HOW to build a firewall: you'll also get a good appreciation for the kinds of things to think about, etc., but this is structured for the specific purpose of showing you how to do it. This book and the C&B book complement each other very well.

C Matthew Curtin  Chief Hacker  Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159  Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/  cmcurtin@fahlgren.com  PGP Mail Preferred

From firewalls-owner Sat Jun 1 10:03:49 1996
Date: Sat, 1 Jun 1996 12:45:01 -0400
Message-Id: <199606011645.MAA14340@goffer.ee.net>
From: C Matthew Curtin
To: eckes
Cc: nmorgan@smtp.dgs.ca.gov (Morgan, Noel), Firewalls@GreatCircle.COM
Subject: Re: Countermeasures ?
References: <9604288332.AA833297486@smtp.dgs.ca.gov>
Reply-To: cmcurtin@fahlgren.com

>>>>> "Bernd" == eckes writes:

Bernd> Automated responses are
Bernd> simply too easy to be used for deny of service. And X-Bombs are
Bernd> very unsocial on the already overloaded Internet.

Agreed. At a previous place of employment, our highly visible web server underwent a denial of service attack. We traced it back to a dialup account from a small ISP in another state.
It was kind of interesting, because they were pretty uncooperative until we started getting threatening, which is exactly what we were trying to avoid:

* we had our SA call the ISP's technical contact, but she didn't get to talk to him directly: a message was taken by the receptionist.
* after about 15 minutes of nonresponse, our webmaster called and explained AGAIN that this is so-and-so from a big company's R&D org, and one of your users is attacking one of our machines. Not terribly useful, because it was left in another message to the contact, who was in the privy :)
* the webmaster called 10 minutes later and finally talked directly with the contact, who explained that he wouldn't be able to get around to dealing with it anytime soon, because he was real busy. It was on the speaker, so the four of us in the room just kinda looked at each other and grinned while the webmaster roasted his butt.
* the attack stopped about two minutes after he got off the horn, so the webmaster called back to thank the guy for dealing with it so quickly. Turns out that the attack was coming from a rogue account, and that they suspect it was an ex-employee who was an admin there. They've had their stuff broken into several times, but didn't even do as much as advise their customers to change their passwords. Very strange. We gave him some advice (after prefacing it by saying 'we really can't tell you what to do, but...') and I can only hope that he took it.

The story is more than mildly amusing: it helps to underscore a very serious problem with mismanaged (or undermanaged ... or perhaps we should say [mis|under]-administered :) sites, such as ISPs who really ought not be ISPs. I suppose this is another Bad Thing(tm) that has come about because of the explosive growth and popularity of the 'net. It was nice to be able to (until about '93 or early '94) quickly talk to someone clued whenever there was a problem like that and have it immediately dealt with.
But I've digressed beyond the scope of firewalls...

C Matthew Curtin  Chief Hacker  Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159  Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/  cmcurtin@fahlgren.com  PGP Mail Preferred

From firewalls-owner Sat Jun 1 11:48:50 1996
Date: Sat, 1 Jun 1996 14:38:16 -0400
Message-Id: <199606011838.OAA14650@goffer.ee.net>
From: C Matthew Curtin
To: Brian Murrell
Cc: bill.stout@hidata.com, Firewalls@GreatCircle.COM
Subject: Re: Re[2]: Encryption Technology
In-Reply-To: <199605282145.OAA23262@mocha.bctel.net>
References: <199605281703.KAA22787@osc.osc.hidata.com>
Reply-To: cmcurtin@fahlgren.com

(I apologize in advance, but I've followed up on a thread of questionable relevance to firewalls, and taken it further from the charter of the list with my comments. However, it is an issue that is likely of interest to at least a significant number of subscribers. If you are not among these, or you're tired of me rambling, please read no further, and delete this message. :-)

>>>>> "Brian" == Brian Murrell writes:

Brian> Great story.

Agreed :-)

Brian> That's what scares me. How does one know it's DES-3 without
Brian> successfully decrypting the datastream?? Does DES-3 (and other
Brian> encryption) have a "signature" that identifies it without
Brian> decrypting it??

Yes, triple-DES does have a signature identifying what it is.
Brian> I'm not quite grasping how any of the above lead you to believe
Brian> that DES-1 is crackable in near real-time. I don't necessarily
Brian> disagree with that statement however.

Doing so in software certainly isn't here today, but an MP DES-cracking machine (i.e., built specifically for that purpose, everything in silicon) that can do so in real- or near-real-time isn't terribly infeasible, given the size of a 56-bit key...

>> 5. If above=true, then Feds dropping the Zimmerman PGP case
>> probably also points to it also being crackable in a similar
>> manner.

Brian> 128 bit keys. Yeah probably. Or you mean they have broken
Brian> RSA??

I think that this might be grasping a bit. I tend to think that the reasons for dropping the Zimmermann case were more political than technical: the persecution (sic :-) had pretty shaky ground, in the opinion of lots of lawyers (and while I'm at it, a lawyer I am not) and legal analyst types. Additionally, these laws that they were using to base their case on have been untried, and there is the risk of having them declared unconstitutional by a court. The likelihood of that happening on such a tremendously high publicity (and weak) case seems even higher. Rather than taking the risk of having those laws challenged, I tend to agree with the folks that think the DoJ was simply choosing its fights, actually throwing a punch only when it is reasonably sure that it can win. Zimmermann had (has?) quite the posse behind him, and the DoJ might have determined that it was too outnumbered (or outgunned :-) to fight that day.

Now, the security of DES is well known, with weak keys, and the small key size being its only known serious problems. IDEA is also widely believed to be secure; however, it has not had the same amount of time to be studied by as many folks as DES, and it's certainly possible that the NSA has figured a way to efficiently cryptanalyse the cipher.
I, for probably no good reasons, tend to doubt this postulation: IDEA *has* been studied quite a bit, simply not as much as DES.

Successful cryptanalysis (that's a tough word to type) of RSA would be a Really Big Deal, indeed. I wonder if the NSA would quietly stop opposing efforts to allow its export, or if it would continue the facade of allowing its export being a National Security Threat(tm). Again, as far as anyone in academic or published corporate research circles knows, RSA's problems are limited to key size (and weak keys? probably, but don't remember for sure.)

>> 6. Using encryption only flags traffic for capture and decryption,
>> using strong encryption makes you all that more interesting.

Brian> I made the point a couple of weeks ago that everybody should
Brian> encrypt everything - then interested parties won't necessarily
Brian> know what to go after.

Agreed, of course, this was the general theory behind the use of Emacs' "spook" function. One of my favorite things to do is encrypt a message, and then append the output of "spook" to my message. I'm sure that more than one of my messages has found its way into a message collection machine of sorts. :-)

For the unenlightened, spook simply attaches three lines of random(ish) words and phrases that are likely to be caught by scanners of Internet traffic, like this:

    Clinton Qaddafi Ft. Meade KGB NSA FSF explosion CIA quiche Khaddafi bomb
    Treasury cryptographic $400 million in gold bullion

[Hello to all my fans in domestic surveillance]

C Matthew Curtin  Chief Hacker  Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159  Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/  cmcurtin@fahlgren.com  PGP Mail Preferred

From firewalls-owner Sat Jun 1 12:03:45 1996
Date: Sat, 1 Jun 1996 14:50:57 -0400
Message-Id: <199606011850.OAA14727@goffer.ee.net>
From: C Matthew Curtin
To: Kyle_Amon@jabil.com
Cc: Brad.Aikins@internetmci.com, Michael Ryan
Subject: Re: Re[2]: Sprayd
In-Reply-To: <1ab33b80@jabil.com>
Reply-To: cmcurtin@fahlgren.com

> (a) sprayd used RPC/UDP/IP; ping uses IP.

Actually, ping uses the ICMP protocol's ECHO_REQUEST, trying to get an ICMP ECHO_RESPONSE from the target, not raw IP. Check your man pages or a good book like TCP/IP Illustrated (published by Addison-Wesley) for more detailed discussion of how it works...

C Matthew Curtin  Chief Hacker  Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159  Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/  cmcurtin@fahlgren.com  PGP Mail Preferred

From firewalls-owner Sat Jun 1 12:33:47 1996
Date: Sat, 1 Jun 1996 15:12:03 -0400
Message-Id: <199606011912.PAA14787@goffer.ee.net>
From: C Matthew Curtin
To: Luis Cesar Maiaru
Cc: firewalls@GreatCircle.COM
Subject: Re: Solaris and SCO Firewalls
In-Reply-To: <9605291125.ab11033@indec.mecon.ar>
Reply-To: cmcurtin@fahlgren.com

>>>>> "Luis" == Luis Cesar Maiaru writes:

Luis> Hi, I'm looking for information about the firewalls (FireWall-1,
Luis> TIS, etc.) for Solaris and SCO. In particular, I would like to
Luis> hear opinions about the FireWall-1 for Solaris: Solstice
Luis> FireWall-1.

I haven't tested Firewall-1 on Solaris, but I have done a fair bit with using Solaris as the basis for a home-grown application-layer firewall. There are some good things about using Solaris for a firewall, which might be interesting for you, regardless of whether you choose Firewall-1 or something else which has the option to be Solaris-based.

* Its modular nature (packages) makes it really easy to pull stuff that you don't want out of there.
If you go to a little bit of extra effort to create packages for everything that you put on the firewall, like tcp_wrappers, tripwire, configuration files, etc., then you can eliminate a lot of other things (like editors, tar, etc., that will make things tough for a bad guy who manages to break into your machine) AND simplify the management of your firewall: it simply does its thing, while all of your testing, and messing with things takes place on a similarly configured machine, where you build your packages. The production firewall machine just gets the packages moved over (via tape?), and then you can pkgadd your stuff. Great for revision control, too. For managing multiple machine-firewall environments, this is REALLY useful. The procedures for managing, creating, and installing packages are both simple and very well documented. I think Sun should be commended for really good work in this area.

* Its TCP/IP implementation seems pretty good. I haven't done much quantitative analysis of it vs. other stacks that interest me (such as BSDI's and IRIX's), but I have done that analysis vs. SunOS 4.1.3_U1 and 4.1.4, and found huge improvements. (Using patched-and-stripped-out-the-wazoo Solaris 2.4, as well as the first two releases of 2.5 (which *seemed* even better than 2.4.))

* Because of its current availability on SPARC and Intel platforms (and RSN availability for the PowerPC), you've got a choice of hardware: going the all-Sun route might make things a bit easier (and you have a higher top-end), although using commodity Intel stuff, if you're willing to fight some potential headaches of a multivendor system and don't need to be right on the cutting edge, you can get more horsepower for less money. Also, some of the PowerPC-based servers that folks are working on (especially Motorola's headless server that was featured a few months back in Unix Today or something) look pretty cool.
(Although until Solaris/PowerPC is available, that thing only runs strange-but-sometimes-nifty AIX.)

C Matthew Curtin  Chief Hacker  Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159  Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/  cmcurtin@fahlgren.com  PGP Mail Preferred

From firewalls-owner Sat Jun 1 13:04:00 1996
From: John Betts
Message-Id: <199606011943.VAA22371@rbit.co.za>
Subject: Re: Re[2]: Windows/NT as a Comm. Server
To: Todd_Beebe@internet.gallup.com (Todd Beebe)
Date: Sat, 1 Jun 1996 21:43:14 +0200 (SAT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9605018336.AA833641884@internet.gallup.com> from "Todd Beebe" at Jun 1, 96 08:11:04 am
Reply-to: johnb@aztec.co.za

%
% What are "all NT wholes"? I am trying to defend using UNIX over NT
% as our firewall and since I know little on NT I can't make a strong case.
%

If you know more about Unix than you do NT, I'd recommend sticking with the platform you know best.

ciao
-- John

--
John Betts, Aztec Internet Services
Port Elizabeth, South Africa
johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
The world is complex. The Sendmail configuration reflects this.
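Added as an editor's illustration of the anti-spoofing ACLs and logging that C Matthew Curtin lays out in the "Re: packet filter" message earlier in this digest; the code is not from any post in the archive. It assumes RFC 5737 documentation ranges for the DMZ and private network (constructed values), models routers (1), (2) and the "PF" box as ordered rule lists that log every verdict, counts rejects per source so that a burst (a scan) stands out from a single poke, and runs a spoofed packet with router (1) taken out of the path to show why carrying the same ACLs on PF matters.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

# Address space assumed for the example (RFC 5737 documentation ranges, constructed).
DMZ_NET = ip_network("192.0.2.0/24")         # the "DMZ" holding WWW and DNS
PRIVATE_NET = ip_network("198.51.100.0/24")  # corporate private network backbone
OUR_NETS = (DMZ_NET, PRIVATE_NET)
# Sources that should never show up from the Internet: loopback and RFC 1918 space.
BOGON_NETS = tuple(ip_network(n) for n in
                   ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrives on: "outside" (Internet-facing) or "inside"


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    iface: str                         # arriving interface this rule applies to
    src_nets: Tuple[IPv4Network, ...]  # match when the source is in any of these; () = any
    reason: str                        # text that ends up in the log line


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface:
        return False
    return not rule.src_nets or any(ip_address(pkt.src) in n for n in rule.src_nets)


class AclFilter:
    """One packet filter (router or 'PF' box) that logs every accept and every reject."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules
        self.log: List[str] = []

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule_matches(rule, pkt):
                action, reason = rule.action, rule.reason
                break
        else:
            action, reason = "deny", "implicit-deny"  # nothing not explicitly allowed
        self.log.append(f"{self.name} {action.upper()} {pkt.iface} "
                        f"{pkt.src}->{pkt.dst} ({reason})")
        return action, reason


# Router (1), Internet-facing: inbound packets may not claim our address space or a
# bogon source; everything else from the Internet is one category, "untrusted".
ROUTER1_RULES = [
    Rule("deny", "outside", OUR_NETS, "claims-our-address-space"),
    Rule("deny", "outside", BOGON_NETS, "loopback-or-rfc1918-source"),
    Rule("allow", "outside", (), "untrusted-internet-source"),
    Rule("allow", "inside", OUR_NETS, "our-source-leaving"),  # other sources: implicit deny
]
# Router (2), the reverse: packets from the inside must carry one of our own addresses;
# from the DMZ side nothing may claim to be the private network.
ROUTER2_RULES = [
    Rule("deny", "inside", BOGON_NETS, "loopback-or-rfc1918-source"),
    Rule("allow", "inside", OUR_NETS, "our-source-leaving"),
    Rule("deny", "inside", (), "egress-source-not-ours"),
    Rule("deny", "outside", (PRIVATE_NET,), "claims-private-network"),
    Rule("deny", "outside", BOGON_NETS, "loopback-or-rfc1918-source"),
    Rule("allow", "outside", (), "dmz-side-source"),
]
ROUTER1 = AclFilter("router1", ROUTER1_RULES)
PF = AclFilter("PF", ROUTER1_RULES + ROUTER2_RULES)  # same ACLs as both routers: redundancy
ROUTER2 = AclFilter("router2", ROUTER2_RULES)
INBOUND_PATH = [ROUTER1, PF, ROUTER2]   # Internet -> private network
OUTBOUND_PATH = [ROUTER2, PF, ROUTER1]  # private network -> Internet


def traverse(path: List[AclFilter], pkt: Packet) -> Tuple[str, str, str]:
    """Walk pkt through each filter in order; the first deny ends the trip.
    Returns (action, reason, name of the filter that made the decision)."""
    for f in path:
        action, reason = f.decide(pkt)
        if action == "deny":
            return action, reason, f.name
    return "allow", "passed-all-filters", path[-1].name


def alarm_sources(filters: List[AclFilter], threshold: int = 3) -> Dict[str, int]:
    """Reject counts per source across all logs, keeping only sources at or above
    threshold: one poke from a site is noise, a run of rejects is a scan worth paging about."""
    counts: Counter = Counter()
    for f in filters:
        for line in f.log:
            if " DENY " in line:
                counts[line.split()[3].split("->")[0]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Running a legitimate web hit, a spoofed "internal" source and an RFC 1918 source through INBOUND_PATH, and a non-local source out through OUTBOUND_PATH, then reading each filter's log, shows both the accepted and rejected traffic that the post says to audit.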
From firewalls-owner Sat Jun 1 13:33:45 1996
Date: Sat, 1 Jun 1996 16:23:14 -0400
Message-Id: <199606012023.QAA14941@goffer.ee.net>
From: C Matthew Curtin
To: Russ
Subject: Re: What do you want to know about Windows NT?
In-Reply-To: <01BB4DB7.9D7EAFE0@ts1-13.vcr.iSTAR.ca>
References: <01BB4DB7.9D7EAFE0@ts1-13.vcr.iSTAR.ca>

>>>>> "Russ" == Russ writes:

Russ> I have an offer to you all. I have been working very hard for
Russ> the past 6 months or so to try and raise the level of awareness
Russ> about Windows NT and the Internet. My motivation was selfish, of
Russ> course, in that I hope to gain knowledge about where the
Russ> obstacles are in getting NT accepted by you, the security
Russ> administrators.

(I'm not particularly venomous toward Microsoft, although I loathe the promotion of computer "business" over computer science, proprietary "black box" solutions, and anti-competitive business practices. I resist any product or company where this is the case: Microsoft is merely the biggest perpetrator of these crimes.)
I refuse to allow NT in my organization for several reasons (relevance to firewalls follows in several points, and is absent in others):

* Microsoft's business practices are clearly anti-competitive and just downright ridiculous (packaging inferior products with already popular packages, then claiming huge amounts of market share with the inferior crap, causing more managers who only read trade rags to buy the servers to drive the crappy clients (i.e., MS-Mail) ... that's just plain obscene.)

* NT, regardless of what version number they slap on it, or claim how far its ancestry goes back (to VMS, of which NT is merely a rehash with a new and nasty GUI front end), is a very new operating system. It has yet to be proven in any kind of significant environments, which must be the case before it can be trusted in secure ones.

* I don't trust Microsoft (as an outgrowth of my distrust of any software where I can't read and understand the code)... otherwise, we simply don't have anything on which to base the complexity of what's going on underneath. Further, Microsoft has proven that it's simply market-driven, not in the business for anything but the business (perhaps as opposed to the science?). As such, I don't believe that it has any reason to worry about security until forced to do so by the marketplace, which is much too late when talking about deploying firewalls today. Particularly worrisome, mjr posted last week or so that he sent some folks to Microsoft for some NT training. He related that the Microsoft-employed(?), Microsoft-certified trainer asserted that Microsoft has "administrative hooks" into the operating system. That isn't the kind of crap that I need on a secure system. How long will it take before someone (either a malicious Microsoft (ex?-)employee, or a bad guy with the ability to reverse-engineer the object code) writes something to exploit those hooks, successfully breaking every NT box that can be touched by the 'net?
* NT is severely lacking in very important tools. For example, how does NT know if it's being port scanned? How does it know if someone has broken in? How does it know if files have been modified? (Some of this can no doubt be answered by the NT auditing tools, and some add-on solutions, but they certainly can't address everything, and in my admittedly limited experience, many of these NT-type tools are less functional and stable than their Unix counterparts.)

* All of this third-party software to make NT even usable (like, oh, something as basic and trivial as a DNS server) costs money. Why would I want to spend money on software that's not as functional or stable as the free stuff that I can easily get for Unix - in source form?

* All of NT's vapor promises and current deliverables will, at best, provide me with the same level of stability as a reasonably good (not stellar) Unix implementation. So, what's it offering me?

* NT, being a black-box solution, is not tweakable at a low level, cannot be stripped to provide a minimal level of functionality, or have insecurities removed or replaced, etc., etc., etc. So, why do I want to run this thing in an environment where some bad guys are banging on it on a regular basis? Or any other environment where anyone cares about security?

* On a more philosophical note, I don't think Microsoft even gets it. Bill Gates and his stormtroopers have been marketing the crap out of their proprietary MSN, again incorporating it into their latest OS, Windoze 95 (shall we even address the ridiculously stupid security issues there?), until it became apparent that there was more money to be made getting into this "Internet thing." Less than six months ago, the Internet was the "frothiest thing [Bill Gates] has ever seen." Unix vendors not only get the Internet, they're some of the folks who have helped define what it is, technically, and provided the foundation that made it possible.
I have observed that a fair number of consultant-types have a serious agenda to get NT everywhere they possibly can, pushing it where it even clearly doesn't make sense. I'm curious as to your motivations (if you do follow up, please do so to me directly... I don't know that the rest of the list is interested. If enough folks ask, I'll post your response to the list, if you would allow me to) for desiring wide deployment of NT. Haven't the lessons of the closed IBM machines and proprietary DEC boxes gotten through? Openness in architecture provides so many advantages that I'm nearly dumbfounded by the number of people who insist on following their black-box solutions, happily paying for every little component, without the foggiest idea of what's happening. This is silliness, and anything BUT computer science. (Maybe the older guys who can remember aren't speaking loud enough, and maybe the younger folks need to spend a little less time writing code, in favor of doing a bit more study of the history of their industry...)

C Matthew Curtin  Chief Hacker  Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159  Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/  cmcurtin@fahlgren.com  PGP Mail Preferred

From firewalls-owner Sat Jun 1 14:18:53 1996
From: Adam Shostack
Message-Id: <199606012203.RAA20132@homeport.org>
Subject: Re: Re[2]: Encryption Technology
To: cmcurtin@fahlgren.com
Date: Sat, 1 Jun 1996 17:03:56 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
In-Reply-To: <199606011838.OAA14650@goffer.ee.net> from "C Matthew Curtin" at Jun 1, 96 02:38:16 pm

C Matthew Curtin wrote:

| >>>>> "Brian" == Brian Murrell writes:
[...]
| Brian> That's what scares me. How does one know it's DES-3 without
| Brian> successfully decrypting the datastream?? Does DES-3 (and other
| Brian> encryption) have a "signature" that identifies it without
| Brian> decrypting it??
|
| Yes, triple-DES does have a signature identifying what it is.

That's a rather tall assertion. Can you back it up?

I'll claim that some instance of 3DES might have a signature that identifies it (------ Begin PGP 3.0 Message -----), but that 3DES does not have a signature that distinguishes its ciphertext from DES or IDEA.

Actually, I'll take it a step further, and argue that without substantial analysis, 3DES cannot be distinguished from DES, since the output of the final round of 3DES is the output of a DES encryption, albeit one with apparently random input.
Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Sat Jun 1 14:33:51 1996
Date: Sat, 1 Jun 1996 17:18:49 -0400
Message-Id: <199606012118.RAA15092@goffer.ee.net>
From: C Matthew Curtin
To: Adam Shostack
Cc: firewalls@greatcircle.com (Firewalls mailing list)
Subject: Re: Re[2]: Encryption Technology
In-Reply-To: <199606012203.RAA20132@homeport.org>
References: <199606011838.OAA14650@goffer.ee.net>

>>>>> "Adam" == Adam Shostack writes:

Me> Yes, triple-DES does have
Me> a signature identifying what it is.

Adam> That's a rather tall assertion. Can you back it up?

Actually, I took a look since you raised the question, and it would appear that I suffered a brainfart. (I think I was confused by a particular product that used triple-DES that identified itself, much like the PGP 3.0 example you cited.)

Adam> Actually, I'll take it a step further, and argue that without
Adam> substantial analysis, 3DES cannot be distinguished from DES,
Adam> since the output of the final round of 3DES is the output of a
Adam> DES encryption, albeit one with apparently random input.

After re-evaluating several flavors of triple-DES since getting your message, I'll agree with this assertion. Sorry for the error, and thank you for catching it and bringing it to my attention.

C Matthew Curtin  Chief Hacker  Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159  Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/  cmcurtin@fahlgren.com  PGP Mail Preferred

From firewalls-owner Sat Jun 1 15:18:45 1996
From: Julian Assange
Message-Id: <199606012206.IAA29465@suburbia.net>
Subject: NNTPCACHE-0.87.9 (fast nntp cache/proxy)
To: firewalls@greatcircle.com
Date: Sun, 2 Jun 1996 08:06:58 +1000 (EST)

NNTPCACHE 0.87.9UL (BETA #2) (nntpcache-users@nntpcache.org)

[...]

Theory of operation:

nntpcache (efficiently) executes on the localhost pretending to be an NNRP news-reading server. In fact, what it does is pass certain NNTP commands through to real (remote and possibly local) news servers based on various pattern-matching rules. nntpcache then takes the output from those servers and caches & indexes it in funky ways (much specific-case magic goes into this). The next time such information is asked for, or other information which can be logically inferred from the previously collated information, it is sent directly from the cache, without consulting the remote servers.

[...]

nntpcache can also act selectively as an intelligent firewall NNTP application proxy and supports full RFC931/ident & source address and newsgroup access controls with quite a reasonable degree of granularity.
Presently nntpcache caches the active, active.times, newsgroups and overview.fmt files, and the article, head, body, group, listgroup, xover and xhdr commands. nntpcache cross-post seeds its cache and also maintains a database of message-id -> group/article_number tuples.

[...]

Archive: ftp://ftp.nntpcache.org/pub/nntpcache/nntpcache.tgz
Mailing list: Send a message with "Subject: subscribe" to: nntpcache-users-request@nntpcache.org

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From firewalls-owner Sat Jun 1 17:18:45 1996
Date: Sat, 1 Jun 96 19:06:45 -0400
Message-Id: <9606012306.AA28038@su1.in.net>
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: RE: Raptor's Eagle Firewall
At 04:59 PM 5/30/96 -0600, Chris Pugrud allegedly wrote:

Your points are well taken. A few caveats, if I may.

>The biggest complaint that I have about the Eagle NT product is that it is
>not an NT firewall. It doesn't use NT as anything more than a "boot
>loader".

I wouldn't quite go so far as to say that it is a "boot loader". It does load Windows NT & then disables services and features which are not firewall related or have been deemed to be insecure.

>It is still not complete yet for NT, they cut back on features to
>rush it out the door.

Granted; however, the first release of any product is always missing some features.

>It seems like a good product, but I won't cut a PO
>until it can take advantage of the NT user database, network login, etc...

Personally, I see this as an advantage rather than a disadvantage. I wouldn't want to use any NT features which may be critical to the use of the firewall for two main reasons:

1) You can't be sure that the software will be stable. Micro$oft could accidentally let a bug creep into their software which could render the firewall insecure or inoperable - requiring that the vendor "freeze" their version of Windows NT ("We will only support NT version X.Y.") - leaving them in a strategically vulnerable position. Also, if the software is written internally, then you have full control of the s/w development, you can provide better support, and you can provide a quicker response to problems/bugs.

2) Security. Pretty much the same reasons as in #1. Further, it is never a good idea to outsource Information Security. Relying on Micro$oft's security mechanisms would place the vendor's product & reputation at the mercy of Micro$oft's ability to write tight, secure code.

>Chris

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com  Phone: (317) 573-0800  FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sat Jun 1 18:03:46 1996
Message-ID: <01BB4FFB.C1CC5500@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'Peter da Silva'"
Cc: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
Date: Sat, 1 Jun 1996 20:48:57 -0400

>*jaw drops*
>
>Why would you put your firewall into the same authentication domain as
>your users?
>
>Maybe I'm missing something, but that seems like you're putting an awful
>lot of trust in the NT security model.

Actually, it's possible to establish a trust relationship between two separate NT domains such that attempts to log onto the Firewall Domain would be validated against an internal Administrative Domain, but accounts on the Firewall Domain would not be permitted to log into the Administrative Domain.

So even if the Firewall were compromised, none of its accounts would be permitted to access the resources protected internally by the Administrative Domain security, and remember, neither the user ID nor the password is transmitted across the network between the two.
Cheers,
Russ

From firewalls-owner Sat Jun 1 19:03:46 1996
Message-ID: <01BB5003.3BD59E40@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'Frank Willoughby'"
Cc: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
Date: Sat, 1 Jun 1996 21:42:28 -0400

"I wouldn't quite go so far as to say that it is a "boot loader". It does load Windows NT & then disables services and features which are not firewall related or have been deemed to be insecure."

If it did that, and integrated with the NT Security subsystems, I might not agree with Chris. However, what I have seen are systems that implement their own drivers and then link to them once NT has completed loading, effectively bypassing much of NT's own code to get to the packets early enough to work the Firewall's magic. For the vendor, this has the advantage of making them less dependent on code changes by Microsoft, but has the side effect of making it more difficult to integrate into an existing NT environment.

If it's not integrating into the NT environment, then why would I be thinking of NT? The only reason left, IMO, is that I want the familiarity of the NT environment when it comes to administration of the Firewall. Once again, however, I haven't seen one yet that truly looks like NT or provides me any real leverage of my existing NT Administration skills. Until both of these things are done well, NT is just a boot loader.

"Personally, I see this as an advantage rather than a disadvantage.
I wouldn't want to use any NT features which may be critical to the use of the firewall for two main reasons:"

It's an NT-based Firewall!!! Using this logic, I'm far better off with one of their UNIX implementations. I'm paying an extra $600 bucks for an NT Server license; why shouldn't I expect them to make some use of it? If it doesn't make use of NT for its critical features, then it's not an NT Firewall, plain and simple. Hey, I like the guys at Raptor as much as the next guy, but I've told them, and I'm telling you, it's not NT until it uses NT. If it's not NT, then get their UNIX version.

"1) You can't be sure that the software will be stable. Micro$oft could accidentally let a bug creep into their software which could render the firewall insecure or inoperable - requiring that the vendor "freeze" their version of Windows NT ("We will only support NT version X.Y.") - leaving them in a strategically vulnerable position."

True, and this is why it's important to have a strong relationship with Microsoft for these products. Microsoft does not go blindly off changing code to suit their needs, despite what anyone thinks. There are quite a number of vendors who reject changes as a result of the impact they will have on their code. As we all know, there are many ways to skin a cat. That said, Microsoft is also not going to prevent a code change just because a vendor has too few programmers put into their NT efforts. Many small vendors, Executive Software (Diskeeper) for example, replace the NT HAL with their own code, no small task. Yet these guys are able to release NT service packs about 60 days behind Microsoft, consistently. This is pretty good testimony to how bound and tied vendors really are to Microsoft's changes.

"Also, if the software is written internally, then you have full control of the s/w development, you can provide better support, and you can provide a quicker response to problems/bugs. 2) Security. Pretty much the same reasons as in #1."
"Further, it is never a good idea to outsource Information Security. Relying on Micro$oft's security mechanisms would place the vendor's product & reputation at the mercy of Micro$oft's ability to write tight, secure code."

I agree here, but you always have the ability to go the driver route should your "real" implementation be found susceptible to a bug. Many people have written work-arounds to accommodate problems that Microsoft either deny, or have problems dealing with. Bob Denny wrote defensive code into Website for 3 service pack releases of NT, finally getting the problems resolved in NT 3.51 service pack 4. This is not good testimony to Microsoft's responsiveness to problems, but it may also have been a matter of a transient problem that was difficult to isolate. It caused server crashes, so it was important, but it only affected a small number of machines, so its importance was diminished. Bob found it made more sense to code around the problem, and accept a performance hit in the process, than to wait for MS to fix it. It was detrimental to his product, but he was the only one that bothered to implement a patch, which shows you where the market is. Website was able to be more reliable than anybody else, at the cost of slower performance.

This kind of problem is not a small one, and it has to be addressed properly by Microsoft. I'm not privy to what was said between the two parties in the above example, so who knows why it wasn't fixed sooner. Would a stronger relationship between the two have been better? I doubt it. Has Microsoft realized that these types of problems need to be fixed faster? I think so. If the issue was one of security, would Microsoft deal with it differently? The unqualified answer I have received is yes, and believe me, I've been very vocal with them about this possibility.

Raptor have, in my opinion, taken an aggressive stance with respect to Windows NT.
The first NT implementation of their Firewall has its limitations, and is more designed to keep customers demanding an NT solution from buying into some other vendor's futures. Global Internet's Centri has its own legs because of its TIS background, but the fact that they are selling evaluation copies, rather than giving them away, will make their story something less heard.

It will be very interesting to see where PPTP takes either of these products in the future. Do you buy into VPN, or do you use PPP encryption? VPN offers the flexibility of being accessible by most clients, whereas PPTP is limited, for now, to a select few clients. As the deployment of FEPs ramps up in Telcos, I suspect that PPTP is going to have greater widespread use than VPN. Because of the way it's implemented on NT, it offers a pretty good security story, but that's for NDA and not for here... Sorry Bill... ;-]

Cheers,
Russ

From firewalls-owner Sun Jun 2 02:04:04 1996
Message-Id: <9606020850.AA05547@notesgw3.sybase.com>
To: Chris Watson
Cc: "Wojno Jim"
From: Ryan.Russell/SYBASE
Date: 30 May 96 9:19:48 EDT
Subject: Re: Email Virus Scanner

I think people often forget that a recognizable virus signature may often be encoded in such a way (uuencode,
zip, zip w/encryption, MIME, etc.) that any scanner will always miss some method, besides the ones that can't be scanned (any strong encryption). That's why I think it more useful to spend one's time picking the antivirus package for your desktop that best meets your needs, one that can do its job when the virus etc. is unencoded/unpacked/unencrypted.

Ryan

---------- Previous Message ----------
To: jwojn
cc: firewalls
From: scanner @ webspan.net (Chris Watson) @ smtp
Date: 05/29/96 06:10:19 PM
Subject: Re: Email Virus Scanner

On Wed, 29 May 1996, Wojno, Jim wrote:

> 2.4), that could scan all incoming mail for any virus code. So far, we
> haven't come up with much.

Anyone else ROFL as hard as I am?

--
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
http://www.freebsd.org             | SysAdmin / Network Engineer / Security
===================================| Member BSDNET team!
http://www.bsdnet.org

From firewalls-owner Sun Jun 2 02:18:49 1996
Message-Id: <9606020845.AA04931@notesgw3.sybase.com>
To: kabernard @ techsoft.com (KABERNARD)
Cc: kaberna, firewalls
From: Ryan.Russell/SYBASE
Date: 30 May 96 9:42:50 EDT
Subject: Re: Extra Social Engineering

Yes, look for a CERT advisory regarding an increase in the use of psychics to "crack" passwords. Until patches are available from the various vendors (Sun has announced that they will have a jumbo patch available for Solaris 2.x ready within 3 weeks), the CERT team currently advises that users should think about their passwords as little as possible.

------------------------------------------------------------------------------

Where do people get this stuff? Is this a troll?
Ryan

---------- Previous Message ----------
To: kaberna, firewalls
From: kabernard@techsoft.com (KABERNARD) @ smtp
Date: 05/30/96 08:40:15 AM
Message-ID: <1996May30.073934.1520.3754@abyss.techsoft.com>
Subject: Extra Social Engineering

Has anyone experienced an attack where you were unable to determine how the system was cracked? Recently an overzealous employee who was "Just trying to help" attained root access on several of my UNIX boxes. She stated that she got the passwords from her "Psychic Friend". Is that possible? I've seen the commercials but never imagined there was anything to it..... Does anyone out there think that there are a lot of attacks as the result of this type of "Extra Social Engineering"..... Couldn't this be disastrous for the entire industry? I bet I haven't heard about this before because the "Big Companies" know that if word of this got out, there would be a mass exodus from the INTERNET....
tks..... kurt

From firewalls-owner Sun Jun 2 03:48:46 1996
From: John Betts
Message-Id: <199606021031.MAA26566@rbit.co.za>
Subject: Re: Raptor's Eagle Firewall
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Sun, 2 Jun 1996 12:31:03 +0200 (SAT)
Cc: firewalls@greatcircle.com
In-Reply-To: <01BB4FFB.C1CC5500@rwcooper.rc.toronto.on.ca> from "Russ" at Jun 1, 96 08:48:57 pm

% So even if the Firewall were compromised, none of its accounts would be
% permitted to access the resources protected internally by the
% Administrative Domain security, and remember, neither the user ID nor the
% password is transmitted across the network between the two.
%

Uhm, what we mean is that if your _PRIMARY NT DOMAIN CONTROLLER_ got compromised, your firewall would be useless.......

ciao -- John
--
John Betts, Aztec Internet Services, Port Elizabeth, South Africa
johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
The world is complex. The Sendmail configuration reflects this.
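The one-way trust argument in Russ's message and John Betts's reply above, worked through as a small trust-graph checker. This is an added example, not code from the thread or from any NT product; the domain names FIREWALL, ADMIN and USERS are constructed placeholders, and the model generalises to any set of NT 4-style one-way, non-transitive trusts (the third domain is there to show that trust does not chain through to the firewall).

```python
from __future__ import annotations

# Added example: a toy model of NT 4-style domain trusts (one-way,
# non-transitive) for reasoning about what a compromise on either side
# means for a firewall that authenticates against an internal domain.
# Domain names used below are constructed placeholders, not real systems.


class TrustMap:
    def __init__(self) -> None:
        # trusts[trusting] = set of trusted domains whose accounts the
        # trusting domain accepts; the trusted domain's controllers are
        # the ones that validate the credentials.
        self.trusts: dict[str, set[str]] = {}

    def add_domain(self, name: str) -> None:
        self.trusts.setdefault(name, set())

    def add_one_way_trust(self, trusting: str, trusted: str) -> None:
        """Accounts from `trusted` may log on to `trusting`.
        Nothing is implied in the other direction."""
        self.add_domain(trusting)
        self.add_domain(trusted)
        self.trusts[trusting].add(trusted)

    def can_log_on(self, account_domain: str, resource_domain: str) -> bool:
        """Direct trusts only: NT 4 trusts are not transitive, so there is
        deliberately no path search here."""
        if resource_domain not in self.trusts:
            raise KeyError(f"unknown domain {resource_domain!r}")
        return (account_domain == resource_domain
                or account_domain in self.trusts[resource_domain])

    def authentication_tcb(self, resource_domain: str) -> set[str]:
        """Domains whose controllers can produce a logon that
        `resource_domain` accepts. Losing any of them (the PDC in
        particular) undermines authentication for `resource_domain`."""
        return {resource_domain} | self.trusts[resource_domain]

    def reachable_after_compromise(self, compromised: str) -> set[str]:
        """Resource domains an attacker who controls every account in
        `compromised` can log on to."""
        return {d for d in self.trusts if self.can_log_on(compromised, d)}

    def trusting_domains(self, trusted: str) -> set[str]:
        """Domains whose logons depend on `trusted` staying intact."""
        return {d for d, ts in self.trusts.items() if trusted in ts}


def raptor_scenario() -> TrustMap:
    """Russ's layout: the Firewall Domain trusts an internal Administrative
    Domain. A USERS domain trusted only by ADMIN is added (constructed) to
    show that the trust does not chain through to the firewall."""
    tm = TrustMap()
    tm.add_one_way_trust("FIREWALL", "ADMIN")
    tm.add_one_way_trust("ADMIN", "USERS")
    return tm


if __name__ == "__main__":
    tm = raptor_scenario()
    # Russ's point: losing the firewall does not hand over the admin domain.
    print("FIREWALL compromised ->", sorted(tm.reachable_after_compromise("FIREWALL")))
    # Betts's point: losing the admin PDC hands over the firewall's logons.
    print("ADMIN compromised    ->", sorted(tm.reachable_after_compromise("ADMIN")))
    print("auth TCB of FIREWALL ->", sorted(tm.authentication_tcb("FIREWALL")))
```

Both positions in the thread fall out of the same graph: `reachable_after_compromise("FIREWALL")` stays confined to the firewall domain, while `authentication_tcb("FIREWALL")` shows the admin domain's controllers sitting inside the firewall's trust base.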
From firewalls-owner Sun Jun 2 09:03:48 1996
Message-ID: <01BB5078.AC30D680@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'johnb@aztec.co.za'"
Cc: "firewalls@greatcircle.com"
Subject: RE: Raptor's Eagle Firewall
Date: Sun, 2 Jun 1996 11:43:08 -0400

% So even if the Firewall were compromised, none of its accounts would be
% permitted to access the resources protected internally by the
% Administrative Domain security, and remember, neither the user ID nor the
% password is transmitted across the network between the two.
%

"Uhm, what we mean is that if your _PRIMARY NT DOMAIN CONTROLLER_ got compromised, your firewall would be useless......."

Yes, and that's also true if you are using an ACE Server, or Radius, or any other authentication server for your firewall. So what's your point, that it's too easy to compromise a Windows NT Primary Domain Controller? I don't happen to agree.

In any site that is already using NT for security of networked resources, extending the security model to the firewall is logical, for them, if they desire to focus their attention on a single authentication scheme. I see no reason why this is not perfectly viable providing that their security policy addresses it properly, as it would have to do with any source of ACLs. It means, from an administrative perspective, that they have fewer sources of security audits to monitor, which can make detection easier.
In addition, management of a single set of accounts can streamline a security policy, making its adoption, adherence, and proper usage more likely. In my book, these are two of the most important issues relating to an effective security policy.

Let me restate a premise: I am not suggesting that an organization, whose security personnel are already familiar with brand X UNIX, or brand Y firewall, dump their equipment and go out and buy some Windows NT Firewall. I am suggesting that there are a lot of organizations who are in the process of implementing a firewall who do not have such personnel, but instead, have people who already understand and/or manage Windows NT resources. It does not make sense to say that the only way these organizations can safely connect themselves to the Internet is through a UNIX-flavored firewall.

As X.500 is more widely adopted, the need to provide a single user administration database becomes more apparent. NT offers this capability today, through the use of Exchange Server, which supports multiple name spaces for a single account, single logon, bulk imports from other systems, etc... As more Directory Structure vendors, like Banyan, write products to the ODSI specification which allow them to integrate their naming systems into NT, there will be even greater adoption of NT as a centralized authentication server. We already have Radius and TACACS support, and I doubt that ACE is very far away. NT cannot just be ignored, but if it's unsafe for Enterprise Authentication, let's not find that out after you've been tasked with implementing it.
Cheers,
Russ

From firewalls-owner Sun Jun 2 09:48:52 1996
From: Adam Shostack
Message-Id: <199606021737.MAA21956@homeport.org>
Subject: Re: Raptor's Eagle Firewall
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Sun, 2 Jun 1996 12:37:26 -0500 (EST)
Cc: peter@baileynm.com, firewalls@GreatCircle.COM
In-Reply-To: <01BB4FFB.C1CC5500@rwcooper.rc.toronto.on.ca> from "Russ" at Jun 1, 96 08:48:57 pm

Russ wrote: (Responding, I think, to Peter Da Silva)

| >Why would you put your firewall into the same authentication domain as
| >your users?
|
| >Maybe I'm missing something, but that seems like you're putting an awful
| >lot of trust in the NT security model.
|
| Actually, it's possible to establish a trust relationship between two
| separate NT domains such that attempts to log onto the Firewall Domain
| would be validated against an internal Administrative Domain, but accounts
| on the Firewall Domain would not be permitted to log into the
| Administrative Domain.

Could you expand on this? How is the trust maintained? How is information moved between the two systems?

Adam

--
"It is seldom that liberty of any kind is lost all at once."
 -Hume

From firewalls-owner Sun Jun 2 17:48:48 1996
Date: Sun, 2 Jun 1996 17:41:51 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: Re: packet filter
In-Reply-To: <199606011551.LAA14217@goffer.ee.net>
Organization: Memra Software Inc. - Internet consulting

On Sat, 1 Jun 1996, C Matthew Curtin wrote:

> the rules, then this changes things... so, lock the router down by
> only allowing physical console access - NO REMOTE LOGINS TO YOUR
> ROUTERS!

Or out-of-band remote logins via a secure channel. Basically hook up the router's serial port to some magic box that is more secure than the network itself. Maybe a serial MUX connected to a private frame relay network. Or attach it to some machine inside the firewall so that an outsider would have to break through all your defenses in order to get to the serial port that attaches to the border router. But this should not be used from outside the firewall, only for convenient administration within the protected network, say if the router is on a different floor in your building.

The frame-relay scenario would be used in a situation where head-office must administer a firewall at a branch office site. A dial-up modem could be used here but is inherently less secure than a connection to a private frame relay network.
Just make sure you put your "devious devil" cap on and review your plans before implementation because this ain't a "one-size-fits-all" theatre of operations here.

> Also, make sure that the place your logs go (perhaps you're using a
> machine somewhere in your DMZ to accept all of the log data from all
> of your packet filters via syslogd) is (1) protected, so that someone
> from outside the DMZ (i.e., anything but your packet filters, and
> whatever else that's YOURS that is logging to it via syslog) can't
> write to it, and (2) it has BOATLOADS of free disk space. If someone
> IS able to start writing crap to your log machine's syslogd, they'll
> try to fill up your disk space before commencing the attack. If you've
> got, say, 10GB of free space at any given time, the likelihood of
> success is significantly lower than if you're down to 14k of free
> space :-)

Some people set up a separate Ethernet segment for the log host and connect the filtering machines to it using a 10baseT card that allows you to cut the receive pair so that it is impossible to establish TCP sessions of any sort with the loghost, therefore crackers cannot erase or modify logs if they do manage to get in somehow.

> However, I *do* think that packet filtering is very important. There
> is a definite layer of security that is provided there,

Agreed. Just about everyone has a border router that is capable of packet filtering so you may as well use it. But adding a proxy layer is a good idea too. Like NASA's design for onboard spacecraft computer systems: they install 3 systems using at least two independent designs under the theory that a failure due to design flaws is unlikely to knock out more than two systems of the three.

Michael Dillon, ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 18:03:48 1996
Date: Sun, 2 Jun 1996 17:47:31 -0700 (PDT)
From: Michael Dillon
To: Firewalls@GreatCircle.COM
Subject: Re: Countermeasures ?
In-Reply-To: <199606011645.MAA14340@goffer.ee.net>
Organization: Memra Software Inc. - Internet consulting

On Sat, 1 Jun 1996, C Matthew Curtin wrote:

> The story is more than mildly amusing: it helps to underscore a very
> serious problem with mismanaged (or undermanaged ... or perhaps we
> should say [mis|under]-administered :) sites, such as ISPs who really
> ought not be ISPs. I suppose this is another Bad Thing(tm) that has
> come about because of the explosive growth and popularity of the
> 'net. It was nice to be able to (until about '93 or early '94) be able
> to quickly talk to someone clued whenever there was a problem like
> that and have it immediately dealt with.

And now a bunch of those ISPs are a bit more clued in since I just forwarded your nice case-study to 5 ISP mailing lists. Fortunately, the ISPs who do subscribe to the mailing lists are eager to learn more and the existence of these mailing lists contributes to getting them clued in much more quickly than any other means I can think of.

Michael Dillon, ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 19:03:49 1996
Date: Sun, 2 Jun 1996 18:53:57 -0700 (PDT)
From: Michael Dillon
To: C Matthew Curtin
cc: firewalls@GreatCircle.COM
Subject: Re: What do you want to know about Windows NT?
In-Reply-To: <199606012023.QAA14941@goffer.ee.net>
Organization: Memra Software Inc. - Internet consulting

On Sat, 1 Jun 1996, C Matthew Curtin wrote:

> Haven't the lessons of the closed IBM machines and proprietary DEC
> boxes gotten through? Openness in architecture provides so many
> advantages that I'm nearly dumbfounded by the number of people who
> insist on following their black-box solutions, happily paying for
> every little component, without the foggiest idea of what's happening.
> This is silliness, and anything BUT computer science.
>
> (Maybe the older guys who can remember aren't speaking loud enough,
> and maybe the younger folks need to spend a little less time writing
> code, in favor of doing a bit more study of the history of their
> industry...)

I remember in the mid-70's when we all hated monolithic mainframe punch-card batch-processing IBM and we gravitated to the Honeywell time sharing system with neat Bell Labs tools like the QED editor, ROFF and the B programming language.
Then when they came out with their own programming language, life was good. When the DOS PC came on the scene lots of us gravitated to it because it was cheap enough to own our very own computer and if you stuck a 10-meg drive on an XT those babies really screamed. I remember getting large program compiles in only 5 minutes! A quarter of the time it took on a minicomputer. And Microsoft made wonderful tools like the Multiplan spreadsheet and MS Word with a consistent user interface (ESC, T, L) to load your file, (ESC, T, S). And when they announced MS-DOS 2.0 with subdirectories and their plans to grow DOS and XENIX into a single merged OS, life was better.

But then things turned ugly, Microsoft changed, IBM changed, the world changed, a new generation grew up, the Internet was born.

There's a story I once read about two high-school buddies who grew up and went to the same college. The first one became active in a Marxist organization, the other joined the Young Republicans. They ceased to speak with each other, graduated and went their separate ways. Many years later, they encountered one another again. The first one said, you know, after years of working for the people's revolution, I've come to realize that you were right after all and I'm now the campaign manager for the Republican Congressional candidate in my district. The other fellow's smile dropped off his face. Oh, he said, it happens that I'm leaving next week for Nicaragua to help train teachers in the Sandinistas' literacy program.

The moral of this story is that you really cannot judge a company on past glories, you are foolish to attach your company's well-being to the fickleness of another company, and don't believe what Microsoft says they are gonna do next year because they may change their minds yet again.

I still think firewalls should be chosen based on security criteria and the OS platform used is 100% irrelevant to the decision.
Remember the old advice: determine your system requirements, find the software that will meet those requirements, buy the platform that runs this software best. Why do people always insist on doing it the other way around?

Michael Dillon, ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 19:18:47 1996
Date: Sun, 2 Jun 1996 19:05:18 -0700 (PDT)
From: Michael Dillon
To: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
In-Reply-To: <01BB5003.3BD59E40@rwcooper.rc.toronto.on.ca>
Organization: Memra Software Inc. - Internet consulting

On Sat, 1 Jun 1996, Russ wrote:

> when it comes to administration of the Firewall. Once again, however, I
> haven't seen one yet that truly looks like NT or provides me any real
> leverage of my existing NT Administration skills.

Maybe that's because it's not NT and it's not an operating system. It's a firewall. Why should a firewall look like an operating system?

> It's an NT-based Firewall!!! Using this logic, I'm far better off with one
> of their UNIX implementations. I'm paying an extra $600 bucks for an NT
> Server license, why shouldn't I expect them to make some use of it? If it
> doesn't make use of NT for its critical features, then it's not an NT
> Firewall, plain and simple.
One of the goals in designing a firewall is to strip away unnecessary functionality. This accomplishes two things. It minimizes the possibility of buggy code because the code is so simple it can easily be checked for correctness. And it minimizes the profile that outsiders can attack. These are good things.

Michael Dillon, ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 20:18:54 1996
Message-ID: <01BB50D7.BFA9FD40@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
Date: Sun, 2 Jun 1996 23:03:43 -0400

"Maybe that's because it's not NT and it's not an operating system. It's a firewall. Why should a firewall look like an operating system?"

What if I don't want a Firewall Administrator, what if I want to use my NOS Administrator? What if I have a small company that cannot afford a dedicated Firewall, or a dedicated Firewall Administrator?

Anyway, you've made my point again. If it's going to be an NT-based Firewall, it should incorporate NT into its functionality, otherwise, we shouldn't be looking at the NT version and instead should be considering the original UNIX version. Both Raptor and Centri are ports of UNIX products to NT. The point is, if the objective of the port was merely to duplicate the Firewall environment running on top of NT, it's ill-conceived.

"One of the goals in designing a firewall is to strip away unnecessary functionality.
This accomplishes two things. It minimizes the possibility of buggy code because the code is so simple it can easily be checked for correctness. And it minimizes the profile that outsiders can attack. These are good things."

Fine, I agree. Account Administration, however, is not unnecessary functionality. Neither is interface commonality. If the program is going to present a window with menus, and it's going to run on NT, then why not use the NT routines to create the windows and the menus?

Anyway, I suspect that people have gotten my point by now, so I'll stop repeating it...;-]

Cheers,
Russ

From firewalls-owner Sun Jun 2 20:48:47 1996
Message-Id: <199606030337.WAA00332@abernathy.fnbc.com>
In-Reply-To: <199605301428.HAA11329@miles.greatcircle.com>
From: "Paul M. Cardon"
Date: Sun, 2 Jun 96 22:36:55 -0500
To: Darren Reed
Subject: Re: Firewall-1 and Gauntlet
cc: jct@edelweb.fr (Jean-Christophe Touvet), Leif.Gyllenberg@sweden.sun.com
Reply-To: pmarc@fnbc.com

We noticed some strangeness in this area when running the fwtk ftp proxy with Firewall-1 1.2 (both running on Solaris 2.5). We tracked it down to the following function that is common to all of the proxies:

    #include <unistd.h>

    /* Write a line followed by CRLF to fd; returns 0 on success, 1 on a short write. */
    sayn(fd,s,n)
    int fd;
    char *s;
    int n;
    {
        /* first write(): the line itself */
        if(write(fd,s,n) != n)
            return(1);
        /* second, separate write(): the CRLF terminator */
        return(write(fd,"\r\n",2) != 2);
    }

For whatever reason, the two writes were always being sent in separate packets. We had our network analyzer looking at it and verified this behavior. I hacked the ftp-gw code to fix this problem. The behavior disappeared when we upgraded to version 2 of Firewall-1 so there must have been something wrong there. However, the new Firewall-1 then made some other assumptions about port numbers that caused ftp-gw to fail. I will share details when I have a chance.

---
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
pmarc@cmg.fcnbd.com - (312) 732-7392

I never give them hell. I just tell the truth and they think it's hell. - H. Truman

MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e

From firewalls-owner Sun Jun 2 21:33:54 1996
Date: Sun, 2 Jun 1996 21:19:15 -0700 (PDT)
From: Michael Dillon
To: Russ
cc: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
In-Reply-To: <01BB50D7.BFA9FD40@rwcooper.rc.toronto.on.ca>
Organization: Memra Software Inc. - Internet consulting

On Sun, 2 Jun 1996, Russ wrote:

> "Maybe that's because it's not NT and it's not an operating system. It's a
> firewall. Why should a firewall look like an operating system?"
>
> What if I don't want a Firewall Administrator, what if I want to use my NOS
> Administrator? What if I have a small company that cannot afford a dedicated
> Firewall, or a dedicated Firewall Administrator?

Buy a pair of wirecutters! ;-)

> Anyway, you've made my point again. If it's going to be an NT-based
> Firewall, it should incorporate NT into its functionality, otherwise, we
> shouldn't be looking at the NT version and instead should be considering
> the original UNIX version. Both Raptor and Centri are ports of UNIX
> products to NT. The point is, if the objective of the port was merely to
> duplicate the Firewall environment running on top of NT, it's ill-conceived.

IMHO these vendors should be selling their firewalls just the way they originally built them, running on top of UNIX.
No doubt they could build a black box with Pentium CPU, RAM and UNIX on ROM *AND* include an NT GUI for administering the thing. Then you could have your cake and eat it too. So could the Mac sites by simply including a Mac admin tool. So could the UNIX sites by supplying an X-Windows admin tool. And so on. Whatever happened to object-oriented design???

> Fine, I agree. Account Administration, however, is not unnecessary
> functionality. Neither is interface commonality. If the program is going to
> present a window with menus, and it's going to run on NT, then why not use
> the NT routines to create the windows and the menus?

Just subtract the part about "run on NT". Does a Livingston Portmaster terminal server run on NT? No. Does it have an NT GUI admin tool? Yes.

Michael Dillon, ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 23:18:48 1996
Date: Mon, 3 Jun 1996 1:05:23 -0500 (CDT)
From: Sean Donelan
To: firewalls@greatcircle.com
Message-Id: <960603010523.926e@SDG.DRA.COM>
Subject: Re: Countermeasures ?

>Agreed. At a previous place of employment, our highly visible web
>server underwent a denial of service attack. We traced it back to a
>dialup account from a small ISP in another state.

27 minutes from first attempted contact until the problem was stopped, not that bad of a response. Even Domino's Pizza gave its drivers a full 30 minutes.

Contacting someone at a small ISP is fairly easy (as evidenced by the previous example, even given the slight delay caused by the restroom).
There just aren't that many people to pass the buck to at a small ISP. Trying to reach a person at a Big & Important company can be much more difficult. In 27 minutes you'd still be listening to muzak waiting for a generic customer service representative, because no human is listed as a contact, at Big & Important to pick up the phone.

Or, heaven forbid, you try to report a security problem with the Really Big & Important, e.g. a US government computer. Did the General Accounting Office ask how many people tried to tell the US Military about computer security break-ins, but got the run around? Yes, I know the US Military has lots, and lots of computer security teams. Some of them actually know what they are doing. But I didn't know I needed the correct telephone extension to report an attack against the USA.

As the net has grown, it has gotten much harder to reach a clueful person at every type of site; big, small, important, or not. Even the CERT says they can't handle calls from everyone. The flip-side is it discourages the few people who used to report problems from even trying.

One thing I find missing from many companies' computer security procedures is what to do when Joe Q. Public calls up and tells your receptionist someone broke into your computers. Does your receptionist know who to send the information to if someone called your company?

--
Sean Donelan, Data Research Associates, Inc, St.
Louis, MO
Affiliation given for identification not representation

From firewalls-owner Sun Jun 2 23:33:57 1996
Date: Mon, 3 Jun 1996 14:19:24 +0800
To: Firewalls@GreatCircle.COM
From: todd@momentum.com.au (Todd Hooper)
Subject: Re: Firewall-1 and Gauntlet

Jean-Christophe Touvet writes:

> As far as I know, this is a Firewall-1 bug. The reason is that Gauntlet used
>to split its PORT commands in two packets (two write() system calls). Since
>Firewall-1's filtering code works only with one packet at once, it fails. TIS
>guys wrote some patches to solve this problem (contact your Gauntlet reseller),
>but IMHO that's really a packet filtering design problem: how do you inspect
>data when it doesn't fit in the same packet ? Of course, you could keep data
>in your state machine, but in that case you've just written a proxy. Any
>comments ?

Isn't that one of the issues (specifically, the problems with TIS and Gauntlet ftp) that Checkpoint fixed in Firewall-1 version 2.0d?
Regards,
Todd

--
Todd Hooper                          Internet : todd@momentum.com.au
Internet and Open Systems Division   Phone    : 09 429 6000
AlphaWest Pty Ltd                    Fax      : 09 429 6030

From firewalls-owner Mon Jun 3 00:33:48 1996
Date: Mon, 3 Jun 1996 12:58:30 -0500
From: sameer@wiproge.med.ge.com (Sameer )
Message-Id: <199606031758.MAA20152@wiproge.med.ge.com>
To: adam@homeport.org, firewalls@GreatCircle.COM
Subject: Re: Raptor's Eagle Firewall

hi,

Even I would like an answer to that....trust relationship....

.....sam

E-Mail : sameer@wiproge.med.ge.com      Wipro GE Medical Systems - Bangalore
         sameer@wiproge.gemse.fr
Name   : Sameer [Sam]
Wipro GE Medical Systems Ltd., GPDC, A-1, Corporate Towers, Golden Enclave,
Airport Road, Bangalore- 560017, INDIA
-------------------------------------------------------------------------
"Opinions expressed are my own and may not conform to my Employers"
********************THOUGHT FOR THE DAY**************************
Diplomacy is the art of saying "GOOD DOGGY" till you find a very BIG stick.
*****************************************************************
You may delegate AUTHORITY but not RESPONSIBILITY
--------------------------------------------------------------------------

*SAM*From firewalls-owner@GreatCircle.COM Mon Jun 3 09:14:52 1996
*SAM*From: Adam Shostack
*SAM*Subject: Re: Raptor's Eagle Firewall
*SAM*To: Russ.Cooper@RC.Toronto.on.ca (Russ)
*SAM*Date: Sun, 2 Jun 1996 12:37:26 -0500 (EST)
*SAM*Cc: peter@baileynm.com, firewalls@GreatCircle.COM
*SAM*
*SAM*Russ wrote:
*SAM*(Responding, I think, to Peter Da Silva)
*SAM*| >Why would you put your firewall into the same authentication domain as
*SAM*| >your users?
*SAM*|
*SAM*| >Maybe I'm missing something, but that seems like you're putting an awful
*SAM*| >lot of trust in the NT security model.
*SAM*|
*SAM*| Actually, it's possible to establish a trust relationship between two
*SAM*| separate NT domains such that attempts to log onto the Firewall Domain
*SAM*| would be validated against an internal Administrative Domain, but accounts
*SAM*| on the Firewall Domain would not be permitted to log into the
*SAM*| Administrative Domain.
*SAM*
*SAM*	Could you expand on this? How is the trust maintained? How
*SAM*is information moved between the two systems?
*SAM*
*SAM*Adam
*SAM*
*SAM*--
*SAM*"It is seldom that liberty of any kind is lost all at once."
*SAM*					-Hume
*SAM*
*SAM*

From firewalls-owner Mon Jun 3 01:19:25 1996
Message-Id: <199606030747.AAA26010@miles.greatcircle.com>
From: Darren Reed
Subject: Re: Firewall-1 and Gauntlet
To: todd@momentum.com.au (Todd Hooper)
Date: Mon, 3 Jun 1996 17:45:02 +1000 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Todd Hooper" at Jun 3, 96 02:19:24 pm

In some mail from Todd Hooper, sie said:
>
> Jean-Christophe Touvet writes:
>
> > As far as I know, this is a Firewall-1 bug. The reason is that Gauntlet used
> >to split its PORT commands in two packets (two write() system calls). Since
> >Firewall-1's filtering code works only with one packet at once, it fails. TIS
> >guys wrote some patches to solve this problem (contact your Gauntlet reseller),
> >but IMHO that's really a packet filtering design problem: how do you inspect
> >data when it doesn't fit in the same packet ? Of course, you could keep data
> >in your state machine, but in that case you've just written a proxy. Any
> >comments ?
>
> Isn't that one of the issues (specifically, the problems with TIS and Gauntlet
> ftp) that Checkpoint fixed in Firewall-1 version 2.0d?

Do you know if they fixed the problem in general or just patched their ftp proxy code to do the "PORT" command correctly ?
darren

From firewalls-owner Mon Jun 3 01:33:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA29415 for firewalls-outgoing; Mon, 3 Jun 1996 01:25:18 -0700 (PDT)
Received: from gmap-gw.gmap.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA29394 for ; Mon, 3 Jun 1996 01:25:05 -0700 (PDT)
Received: (from root@localhost) by gmap-gw.gmap.leeds.ac.uk (8.7.3/8.6.9) id IAA21111 for ; Mon, 3 Jun 1996 08:27:24 +0100 (BST)
Received: from gmap3.gmap.leeds.ac.uk(129.11.200.3) by gmap-gw via smap (V1.3)
Received: from gmap.leeds.ac.uk (gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA16306 for ; Mon, 3 Jun 1996 09:22:58 +0100
From: Danny Cox
Date: Mon, 3 Jun 1996 09:22:18 +0100
Message-Id: <5263.9606030822@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #347
X-Sun-Charset: US-ASCII
X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt

> Date: Wed, 29 May 1996 23:03:31 -0400
> From: Russ
> Subject: What do you want to know about Windows NT?
>
> - - There is a C2 configuration guide (manual), maybe it should be included

Russ, nothing really to do with your recent posting although I wonder whether
you'd be good enough to clarify this bit for me. My understanding is that NT
has only been C2 accredited for a couple of hardware platforms and only for
stand-alone versions, rather than networked ones.

The implication behind having a C2 configuration guide would be, to me at
least, that NT is C2 certified. This seems misleading to me, although I'd
like to hear other comments. It seems to me that there is a load of baloney
around regarding C2 and NT and MS are happily using this confusion to claim
without claiming that NT==C2. Would you agree with me here or have I the
wrong end of the stick altogether ?

Thanks for your thoughts ..
Danny

From firewalls-owner Mon Jun 3 03:33:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA05952 for firewalls-outgoing; Mon, 3 Jun 1996 03:28:30 -0700 (PDT)
Received: from psyche.the-wire.com (psyche.the-wire.com [198.53.192.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA05945 for ; Mon, 3 Jun 1996 03:28:22 -0700 (PDT)
Received: from anton.the-wire.com (anton.the-wire.com [198.53.192.186]) by psyche.the-wire.com (8.6.10/8.6.12) with SMTP id GAA05728; Mon, 3 Jun 1996 06:23:30 -0400
Date: Mon, 3 Jun 1996 06:23:30 -0400
Message-Id: <199606031023.GAA05728@psyche.the-wire.com>
X-Sender: anton@the-wire.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Rolf Weber
From: Anton J Aylward
Subject: Re: Re[2]: US Justice Dept (Not really)
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:40 3/6/96 +0200, you wrote:
>> >>
>> >> Yes. That requires a (vulnerable) server to be visible on
>> >> the Internet.
>> >>
>> 1. Let's assume that mail isn't (what the Americans term) mission
>> critical to you. Then none of this matters.
>>
>not true.
>if email isn't mission critical, but a bug in it can be used to attack
>mission critical services or data - then it's mission critical.

This is a key point which I think you fail to understand.
Which is why I refer to the Americanism.
Does any aspect of your business depend on the mail?
If the mail failed would it impact you? Would it cost money
due to delays? Never mind BUGS. That's not relevant here. Never mind
penetration. We are talking "Denial of service". If something prevented
you or one of your managers from getting to work or communicating with the
office, would that impact the business? DENIAL OF SERVICE only counts if
that service is key. Denying you the ability to finger my site doesn't
impact your business.
If all you're in this for is mail, then you could be using UUCP not IP.
In that case the denial of service attack still applies, even though the
store and forward nature of UUCP makes penetration of your site completely
impossible.

>> 2. Somewhere there has to be a server which contains your mail, either
>> inside or outside some arbitrary boundary of your control. The mail is
>> 'delivered' - that is sits in mailboxes (aka /var/spool/mail/ -
>> on that box.
>>
>> 3. If that server is down you cannot get the service. DENIAL OF SERVICE.
>>
>1. denial-of-service is (almost) better as break-in.

Meaningless sentence, I don't know if it's your poor English or if you're
missing the point. I suspect from other things you say it's the latter.

>2. how could you prevent denial-of-service with a firewall?

No short answer. But basically it's an issue of who controls the server.

>>
>> 4. See 1
>>
>> 5. If that server is compromised, someone is reading your mail.

>you have to assume email to be insecure - in every case.
>OTOH, you're surely right. this is the main reason why i wish to have
>my email server under my control.

That mail _transmission_ is insecure is a bit of a myth.
It's _easy_ to read mail sitting in a box on the server, it's difficult to
read packets in transit.

>> 6. See 1.
>>
>i think we both spoke of different things.
>at the beginning of this thread, there was something said like "if i
>don't offer any services inside, why should i use a firewall?".
>rick answered "So you're not doing e-mail.", with which i disagreed.
>(i don't say i wouldn't use a firewall. i just say if a site is *sure*
>they don't have *any* services inside (which is, of course, quite
>unrealistic), it *could* be adequate not to use a firewall. security
>policies are different.)
>my main point was that you can avoid email-server-bugs which can
>compromise your *whole* security by placing it outside.

No. You're placing undue emphasis on "bugs" in the E-Mail server.
There are servers which are - at this level - bug free. But you would still have
a firewall.

STOP THINKING OF A FIREWALL as a single machine. It's not, it's a whole
series of techniques, a way of organizing your networks and a way of doing
business.

/anton
----------------------------------------------------------------------------
Anton J Aylward                   | Security is not something that comes in
The Strahn and Strachan Group Inc | a self-contained box. It is an attribute
Information Security Consultants  | of how you do business and as such
Voice: (416) 494-8661             | needs to be managed carefully.
Fax: (416) 494-8803               |      - Karen Goertzel, Wang Federal Inc.

From firewalls-owner Mon Jun 3 04:33:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA08544 for firewalls-outgoing; Mon, 3 Jun 1996 04:19:10 -0700 (PDT)
Received: from iez.com (mail.iez.com [194.218.38.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA08537 for ; Mon, 3 Jun 1996 04:18:52 -0700 (PDT)
Received: by iez.com (AIX 3.2/UCB 5.64/4.03)
Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3)
Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03)
Message-Id: <9606031115.AA12594@spibm02>
Received: from inhps-a by iez.com with SMTP
Received: by inhps-a
From: Rolf Weber
Subject: Re: Re[2]: US Justice Dept (Not really)
To: anton@the-wire.com (Anton J Aylward)
Date: Mon, 3 Jun 1996 13:15:27 +0200 (MESZ)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: <199606031023.GAA05728@psyche.the-wire.com> from "Anton J Aylward" at Jun 3, 96 06:23:30 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[this morning, i had two *private* mails from you in my mailbox. in the
first, you asked me why "Why are you sending two copies to me/" (BTW, you
can as well use the headers to check). i answered to both mails *privately*.
now you chose to reply again, but with CC to firewalls. it's not that
anything i said couldn't go to the list. but you *tried* to use my private
mail to flame me in the list. you mentioned my poor english. i never denied
this, but this is *much* better than to have bad behaviour like yours.]

> At 11:40 3/6/96 +0200, you wrote:
> >> >>
> >> >> Yes. That requires a (vulnerable) server to be visible on
> >> >> the Internet.
> >> >>
> >> 1. Let's assume that mail isn't (what the Americans term) mission
> >> critical to you. Then none of this matters.
> >>
> >not true.
> >if email isn't mission critical, but a bug in it can be used to attack
> >mission critical services or data - then it's mission critical.
>
> This is a key point which I think you fail to understand.
> Which is why I refer to the Americanism.
> Does any aspect of your business depend on the mail?
> If the mail failed would it impact you? Would it cost money
> due to delays? Never mind BUGS. That's not relevant here. Never mind
> penetration. We are talking "Denial of service". If something prevented
> you or one of your managers from getting to work or communicating with the
> office, would that impact the business. DENIAL OF SERVICE only counts if
> that service is key. Denying you that ability to finger my site doesn't
> impact your business.
>

maybe you're right, but you changed the topic to "denial-of-service".
please re-read the thread from the beginning.

>
> If all you're in this for is mail, then you could be using UUCP not IP.
> In that case the denial of service attack still applies, even though the
> store and forward nature of UUCP make penetration of your site completely
> impossible.
>

you really know what you're speaking about? smtp as itself is "store and
forward". UUCP has a great flaw history.

>
> >> 2. Somewhere there has to be a server which contains your mail, either
> >> inside or outside some arbitrary boundary of your control.
> >> The mail is
> >> 'delivered' - that is sits in mailboxes (aka /var/spool/mail/ -
> >> on that box.
> >>
> >> 3. If that server is down you cannot get the service. DENIAL OF SERVICE.
> >>
> >1. denial-of-service is (almost) better as break-in.
>
> Meaningless sentence, I don't know if it's your poor English or if you're
> missing the point. I suspect from other things you say it's the latter.
>

thanx, i like you, too.

>
> >2. how could you prevent denial-of-service with a firewall?
>
> No short answer. But basically it's an issue of who controls the server.
>

if the server is outside the firewall but inside your net, you still have it
under control.

>
> >>
> >> 4. See 1
> >>
> >> 5. If that server is compromised, someone is reading your mail.
>
> >you have to assume email to be insecure - in every case.
> >OTOH, you're surely right. this is the main reason why i wish to have
> >my email server under my control.
>
> That mail _transmission_ is insecure is a bit of a myth.
> It's _easy_ to read mail sitting in a box on the server, it's difficult to
> read packets in transit.
>

huh??? if i'd take this for real, i could also say "don't encrypt telnet,
because it's difficult to hijack a session." sorry, this is not the way i
see security.

>
> >> 6. See 1.
> >>
> >i think we both spoke of different things.
> >at the beginning of this thread, there was something said like "if i
> >don't offer any services inside, why should i use a firewall?".
> >rick answered "So you're not doing e-mail.", with which i disagreed.
> >(i don't say i wouldn't use a firewall. i just say if a site is *sure*
> >they don't have *any* services inside (which is, of course, quite
> >unrealistic), it *could* be adequate not to use a firewall. security
> >policies are different.)
> >my main point was that you can avoid email-server-bugs which can
> >compromise your *whole* security by placing it outside.
>
> No. You're placing undue emphasis on "bugs" in the E-Mail server.
> There
> are servers which are - at this level - bug free. But you would still have
> a firewall.
>

today, probably all *latest* servers are bug free. one important reason
(besides others) why i use a firewall is that you can't know what's tomorrow.

>
> STOP THINKING OF A FIREWALL as a single machine. It's not, it's a whole
> series of techniques, a way of organizing your networks and a way of doing
> business.
>

yes, i agree. this was my view before your mail and it will be after.

rolf

--
-----------------------------------------
Rolf Weber                | All I ask is a chance
IEZ AG D-64625 Bensheim   | to prove that money
++49-6251-1309-109        | can't make me happy.

From firewalls-owner Mon Jun 3 05:33:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA11403 for firewalls-outgoing; Mon, 3 Jun 1996 05:25:55 -0700 (PDT)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA11396; Mon, 3 Jun 1996 05:25:48 -0700 (PDT)
Message-Id: <199606031225.FAA11396@miles.greatcircle.com>
Received: by habanero.jmu.edu
Date: Mon, 3 Jun 1996 08:23:20 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Subject: RE: Raptor's Eagle Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Russ
> Subject: RE: Raptor's Eagle Firewall
>
> What if I don't want a Firewall Administrator, what if I want to use my NOS
> Administrator? What if I have a small company who cannot afford a dedicated
> Firewall, or a dedicated Firewall Administrator?

You get what you pay for.

> Anyway, you've made my point again. If it's going to be an NT-based
> Firewall, it should incorporate NT into its functionality, otherwise, we
> shouldn't be looking at the NT version and instead should be considering
> the original UNIX version. Both Raptor and Centri are ports of UNIX
> products to NT.
> The point is, if the objective of the port was merely to
> duplicate the Firewall environment running on top of NT, it's ill conceived.

NT is a marketing reality to all applications vendors.

Current firewall design minimizes dependence on operating system security.
The whole idea behind firewalls is to have tightly controlled code. It is
the instability and poor security design of present operating systems that
necessitate firewalls in the first place.

> Fine, I agree. Account Administration, however, is not unnecessary
> functionality. Neither is interface commonality. If the program is going to
> present a window with menus, and it's going to run on NT, then why not use
> the NT routines to create the windows and the menus?

1. Because they might have bugs?

2. Because they might change resulting in an undiscovered change in
reliability and security.

I agree with you that it would be nice if a firewall application could be
written and administered like any other application. But I don't think it's
realistic or advisable.
Gary Flynn
Network Manager
James Madison University

From firewalls-owner Mon Jun 3 05:48:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA11301 for firewalls-outgoing; Mon, 3 Jun 1996 05:19:30 -0700 (PDT)
Received: from connectnet1.connectnet.com (connectnet1.connectnet.com [207.110.0.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA11293 for ; Mon, 3 Jun 1996 05:19:21 -0700 (PDT)
Received: from it.is.my.broken.net (it.is.my.broken.net [204.252.2.92]) by connectnet1.connectnet.com (15.9/Connectnet-2.2) with SMTP id FAA25240; Mon, 3 Jun 1996 05:16:31 -0700 (PDT)
Received: by it.is.my.broken.net (4.1/SMI-4.1)
Date: Mon, 3 Jun 1996 05:16:25 -0700 (PDT)
From: Jason Matthews
X-Sender: jason@it.is.my.broken.net
To: Anton J Aylward
Cc: Rolf Weber , firewalls@greatcircle.com
Subject: Re: Re[2]: US Justice Dept (Not really)
In-Reply-To: <199606031023.GAA05728@psyche.the-wire.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 3 Jun 1996, Anton J Aylward wrote:

[snip]

> In that case the denial of service attack still applies, even though the
> store and forward nature of UUCP make penetration of your site completely
> impossible.

Nothing is for sure in this world and hacking into machines via UUCP
accounts is not unheard of. You would be surprised how many open UUCP
accounts one could find if one looked for them.

[snip]

> >you have to assume email to be insecure - in every case.
> >OTOH, you're surely right. this is the main reason why i wish to have
> >my email server under my control.
>
> That mail _transmission_ is insecure is a bit of a myth.
> It's _easy_ to read mail sitting in a box on the server, it's difficult to
> read packets in transit.

You're joking, right? It's no harder to read a piece of email in transit
than it is to read a plaintext password. Sites are compromised every day by
sniffing network traffic.
What makes you think those interested in your daily affairs will stop with
passwords?

[snip]

> >my main point was that you can avoid email-server-bugs which can
> >compromise your *whole* security by placing it outside.
>
> No. You're placing undue emphasis on "bugs" in the E-Mail server. There
> are servers which are - at this level - bug free. But you would still have
> a firewall.

I am not sure I am willing to make that assumption. History shows us that
email services are the most insecure of all. To place this service on any
machine intended to filter, restrict, or otherwise alter network connections
from foreign networks is a mistake.

Jason

From firewalls-owner Mon Jun 3 06:04:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA12716 for firewalls-outgoing; Mon, 3 Jun 1996 05:56:03 -0700 (PDT)
Received: from hermes.hurwitz.com (hermes.hurwitz.com [206.234.77.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA12641 for ; Mon, 3 Jun 1996 05:55:42 -0700 (PDT)
Received: from pheonix.hurwitz.com (desktop_21.hurwitz.com [206.234.77.41]) by hermes.hurwitz.com (8.7.4/8.7.3) with SMTP id IAA02335 for ; Mon, 3 Jun 1996 08:56:09 -0400
Message-Id: <1.5.4.32.19960603125128.0069f378@smtp.hurwitz.com>
X-Sender: abrenton@smtp.hurwitz.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 03 Jun 1996 08:51:28 -0400
To: Firewalls@GreatCircle.COM
From: Andrea Brenton
Subject: filter packets on MicroRouter 900i
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been having some serious problems with getting a packet filter set
working on the Micro Router 900i that we have from Compatible Systems. I
have spent quite a bit of time with tech support, but we still can't figure
out the problem. Someone had set up a filter set long before I was working
here.
No gaping holes or anything, but now I want to improve on this set to
tighten things up. The problem I keep running into is basically, no other
filter sets we come up with will work!

I want to allow the people here on the inside to be able to pretty much do
anything outbound. I want to handle it all on the incoming side by
preventing all but the absolute necessities- DNS, SMTP, and replies to
initiated sessions of web access to the outside, ftp, telnet, ping, etc. I
want to specifically deny access to all of the processes running on my
server.

I don't seem to be able to create the deny statements and then do a permit
of all else; or do permit statements of only the things I want coming in
(harder for me to determine), and then deny all else. No matter what I do to
change these filters, I always end up with no access at all outbound (or at
least no replies come back).

Anyone have experience with these routers? Any ideas? I would greatly
appreciate any help that can be given, as I've been working on this for some
time, and Compatible Systems hasn't been able to come up with an answer.

TIA!

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Disclaimer: Any errors in spelling, tact, or fact are transmission errors.
Andrea Brenton
abrenton@hurwitz.com

From firewalls-owner Mon Jun 3 06:18:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA13399 for firewalls-outgoing; Mon, 3 Jun 1996 06:02:26 -0700 (PDT)
Received: from zen.com (zen.com [156.70.135.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA13383 for ; Mon, 3 Jun 1996 06:02:15 -0700 (PDT)
Received: from by zen.com (4.1/SMI-4.1)
Received: by usuwphmsx03.zen.con with Microsoft Exchange (IMC 4.0.837.3)
Message-Id:
From: Miller Robert RC
To: "'Peter da Silva'"
Cc: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
Date: Mon, 3 Jun 1996 09:01:47 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Why would you put your firewall into the same authentication domain
>> as your users?

>> Maybe I'm missing something, but that seems like you're putting an
>> awful lot of trust in the NT security model.

There are two reasons that come immediately to mind for wanting to do that:

1 - So that users have the same usernames and passwords going out to the
Internet as they do for internal network file and print services (i.e., the
never-ending struggle to minimize the number of user accounts people have to
deal with).

2 - Similarly, it would be nice to gain the same benefit for proxied WWW
access to the 'net. While Netscape's Proxy servers have their own separate
user databases (for the time-being, at least), the Microsoft "Catapult" WWW
Proxy Server is expected to integrate its access security with the NT
accounts. (Note that this is not an endorsement or promotion of an MS
product - just a comment on an expected feature!)

As to what security risks are involved with doing so ...
I'm sure there are some concerns - the NT "security wholes" discussed
recently on this list, and other firewall design issues - but I guess it
boils down to the old question of how far you want to go, and to which side,
in the pervasive compromise between strength of security measure and ease of
use.

Each to their own, I guess...

From firewalls-owner Mon Jun 3 07:36:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20183 for firewalls-outgoing; Mon, 3 Jun 1996 07:22:52 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA20152 for ; Mon, 3 Jun 1996 07:22:33 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id JAA21546; Mon, 3 Jun 1996 09:20:01 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA24412; Mon, 3 Jun 1996 09:12:53 -0500
Received: by sonic.nmti.com; id AA12987; Mon, 3 Jun 1996 09:12:52 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9606031412.AA12987@sonic.nmti.com.nmti.com>
Subject: Re: Raptor's Eagle Firewall
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Mon, 3 Jun 1996 09:12:52 -0500 (CDT)
Cc: peter@baileynm.com, firewalls@GreatCircle.COM
In-Reply-To: <01BB4FFB.C1CC5500@rwcooper.rc.toronto.on.ca> from "Russ" at Jun 1, 96 08:48:57 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wrote:
> Why would you put your firewall into the same authentication domain as
> your users?
>
> Maybe I'm missing something, but that seems like you're putting an awful
> lot of trust in the NT security model.
Russ responds:
> Actually, it's possible to establish a trust relationship between two
> separate NT domains such that attempts to log onto the Firewall Domain
> would be validated against an internal Administrative Domain, but accounts
> on the Firewall Domain would not be permitted to log into the
> Administrative Domain.

Like I said, you're putting an awful lot of trust in the NT security model.

And in any case that doesn't even begin to address my concerns. That reduces
the security of the firewall to the security of your administrative domain.
My firewall doesn't trust any other host... all administration has to be
done from the console. Users even have to go through challenge-response to
change their passphrases, or request a new one from me if they forget them.

> So even if the Firewall were compromised, none of its accounts would be
> permitted to access the resources protected internally by the
> Administrative Domain security,

And if the Administrative Domain is compromised (say by an ActiveX
trapdoor), the firewall is wide open to whatever additional holes the
malicious code is capable of installing.

And... I've mentioned this before, but the biggest invasion of a system I
know of was the result of a cracker stumbling across a trapdoor left by a
naive insider. I'd prefer it if this sort of compromise of internal security
didn't leave a company open to a secondary infection.
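Going back to the Firewall-1 / Gauntlet exchange earlier in this digest (the PORT command split across two write() calls): the following is an added example, not code from either product, contrasting a stateless per-packet inspector with one that reassembles the FTP control stream per connection before parsing. The segment payloads, addresses and the 512-byte line bound are constructed for the example.

```python
"""
Why a per-packet inspector misses an FTP PORT command that arrives in two
TCP segments, and how per-connection reassembly fixes it.  Added example;
payloads and addresses are constructed, not captured traffic.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 terminated by CRLF.
PORT_LINE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)

Endpoint = Tuple[str, int]
ConnKey = Tuple[str, int, str, int]


def parse_port(line: bytes) -> Optional[Endpoint]:
    """Return (ip, port) for one complete PORT line, or None if it is not one."""
    m = PORT_LINE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):      # each field is one octet
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def inspect_per_packet(segments: List[bytes]) -> List[Endpoint]:
    """Stateless inspection: every segment payload is parsed on its own,
    so a command that spans two segments is never seen as a whole."""
    return [r for r in (parse_port(seg) for seg in segments) if r is not None]


class StreamInspector:
    """Per-connection reassembly: bytes are buffered until a full CRLF line
    is available.  The buffer is bounded so a peer cannot grow it forever."""
    MAX_LINE = 512  # constructed bound for the example

    def __init__(self) -> None:
        self._buf: Dict[ConnKey, bytes] = {}

    def feed(self, conn: ConnKey, payload: bytes) -> List[Endpoint]:
        data = self._buf.get(conn, b"") + payload
        found: List[Endpoint] = []
        while b"\r\n" in data:
            line, data = data.split(b"\r\n", 1)
            r = parse_port(line + b"\r\n")
            if r is not None:
                found.append(r)
        if len(data) > self.MAX_LINE:
            # No terminator within the bound: drop the state and refuse the
            # connection instead of buffering indefinitely.
            self._buf.pop(conn, None)
            raise ValueError("control line exceeds %d bytes" % self.MAX_LINE)
        self._buf[conn] = data
        return found


def compare_split_port() -> Dict[str, List[Endpoint]]:
    """The scenario from the thread: one PORT command in two write() calls."""
    conn: ConnKey = ("10.0.0.5", 1100, "203.0.113.9", 21)   # constructed 4-tuple
    split = [b"PORT 10,0,0,5,", b"4,1\r\n"]                  # data port 4*256+1 = 1025
    whole = [b"PORT 10,0,0,5,4,1\r\n"]
    si = StreamInspector()
    return {
        "per_packet_split": inspect_per_packet(split),   # [] : command invisible
        "per_packet_whole": inspect_per_packet(whole),   # [("10.0.0.5", 1025)]
        "stream_split": [r for seg in split for r in si.feed(conn, seg)],
    }


if __name__ == "__main__":
    for name, result in compare_split_port().items():
        print(name, result)
```

With the split payloads the per-packet inspector returns nothing, which is exactly the failure mode described: the filter never learns the data-channel port and the transfer is blocked. The stream inspector finds the same endpoint the single-segment case yields, but once you keep per-connection state and a line buffer you are, as the quoted message puts it, most of the way to writing a proxy, and you then have to bound that state (the MAX_LINE check) so the reassembly buffer itself does not become a resource-exhaustion problem.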
From firewalls-owner Mon Jun 3 07:48:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA21091 for firewalls-outgoing; Mon, 3 Jun 1996 07:37:35 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA21060 for ; Mon, 3 Jun 1996 07:37:16 -0700 (PDT)
Received: from unknown by typhoon.dial.pipex.net (8.7.4/)
Message-ID:
In-Reply-To: <5263.9606030822@gmap.leeds.ac.uk>
References: Conversation <5263.9606030822@gmap.leeds.ac.uk> with last message <5263.9606030822@gmap.leeds.ac.uk>
To: Danny Cox , firewalls@GreatCircle.COM
MIME-Version: 1.0
From: Ian Johnstone-Bryden
Subject: Re: Firewalls-Digest V5 #347
Date: Mon, 03 Jun 96 15:24:24 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > Date: Wed, 29 May 1996 23:03:31 -0400
> > From: Russ
> > Subject: What do you want to know about Windows NT?
> >
> > - - There is a C2 configuration guide (manual), maybe it should be included
>
> Russ, nothing really to do with your recent posting although I wonder whether
> you'd be good enough to clarify this bit for me. My understanding is that NT
> has only been C2 accredited for a couple of hardware platforms and only for
> stand-alone versions, rather than networked ones.
>
> The implication behind having a C2 configuration guide would be, to me at
> least, that NT is C2 certified. This seems misleading to me, although I'd
> like to hear other comments. It seems to me that there is a load of baloney
> around regarding C2 and NT and MS are happily using this confusion to claim
> without claiming that NT==C2. Would you agree with me here or have I the
> wrong end of the stick altogether ?
>
> Thanks for your thoughts ..
> Danny

Doesn't this come down to terminology?
NCSC said a long while back that they really didn't want to devote US
government money on evaluating products which could only make a trivial C2
when their time could be spent on looking at serious products. NCSC has
always been in the business of evaluating "in the national interest" and
their manpower has always been very limited. As the national interest was
*US* national interest, other countries were motivated to establish their
own systems and Europe eventually moved to develop the ITSEC criteria.

In the US this created several problems. US G had made public statements
that it would mandate C2 as a *MINIMUM REQUIREMENT FOR ALL* US Federal
procurements of information systems. That, together with NCSC saying they
wouldn't spend time on C2 evaluations, implied that really US G was
mandating B1 by default because vendors were moving to B1 for OS and RDBMS
products. Therefore the lowest *CERTIFIED* level was likely to become B1.
That suggested that the cost of Federal purchases would rise astronomically
although it overlooked the fact that B1 product was costly largely because
very few people even knew it existed much less had any intention to
purchase it (one reason for this was the US G desire to control technology
in the same way that it persists with encryption controls). This resulted in
USG wobbling on C2 mandates.

The establishment of ITSEC should have created a new opportunity but
political dogma in the US denied this option to Federal procurement teams.
Since then we have spent a lot of time fudging about with FC-FIPS and now
the Common Criteria when it might have been better to adopt ITSEC and then
work to improve it. All this government level confusion makes it very easy
for a marketeer to confuse customers to obtain an order.

ITSEC has established a system where any vendor or user who wants to pay for
an evaluation of a product can do so at whatever security target they
desire.
The system is not perfect and most evaluations are still funded largely by
government customers, but it does measure Functionality and Integrity as
well as Assurance. The major weakness is that a vendor can demand a product
listing as 'under evaluation' from the moment he signs a contract with a
CLEF to evaluate his product. That has meant that a product might not
actually be available for evaluation for months or more and once available
might never see the evaluation completed. ITSEC Scheme Bodies are now
planning to list product only when the CLEF starts evaluation but it's
unclear where that leaves all the products already listed as under
evaluation but still have to become available for evaluation.

At present, MS appear to be claiming, or encouraging others to claim, that
they have the most secure OS in NT because they have a US C2 Certificate and
are listed at F-C2/E3 under ITSEC. There have been claims that the ITSEC
listing is the same as a US B1 certificate and other claims that NT is
really a B2 product. It's entirely logical that as the inheritor of the IBM
proprietary mantle, MS would also make maximum use of FUD.

Without careful study of the NT TOE, it is difficult to know how successful
the product will be in meeting the Assurance level of E3. As a new product
under exclusive control of the vendor and with very few
versions/patches/layers, it should present no difficulty to provide the
documentation necessary for the Assurance. However, it would appear that the
product's functionality achievement (in Integrity and Availability) is
strictly limited to a hope to achieve C2. We won't of course know until
either MS publish their TOE or they receive a certificate and that could be
years away.

Obviously MS does have a major problem in marketing. Security is now
becoming headline interest and virtually every flavour of UNIX is available
in a B1 or B1+ certified form.
This year, most UNIX OS flavours will be certified under ITSEC at F-B1/E3
and a few will achieve a certified F-B2/E4. That can not be unrestrained joy
for MS marketeers. Why would anyone want to make a strategic decision on an
OS which not only makes them captive of MS, but is also unable to satisfy
emerging security requirements? The only thing to fall back on is the claim
that "everyone" is moving to NT, NT is the cheapest product available, NT is
the most secure OS known to man. That's fine provided no one asks for proof
and, fortunately, history has shown that the capacity for mankind to fool
itself is almost unlimited, or as someone else put it "no one ever went
broke by underestimating the customer".

OTOH, a C2 accreditation means something. Provided that your situation and
requirements are *EXACTLY* the same as those of someone who has accredited,
it means much more than a criteria certificate. NOW BEFORE MS enthusiasts
start claiming that this means that NT is now far more secure than anything
else, and under a more meaningful method of assessment because it's been
accredited on a couple of sites, the KEYWORD is EXACTLY. The chances of it
being the case that 2 organizations are EXACTLY the same is pretty remote.
That's why evaluation criteria and certification schemes have never been a
total answer and any serious user will run accreditation on the implemented
system (that includes all the unique things like risk policies, system
administration etc.). The two values of evaluation criteria are that they
make a vendor think more carefully about the product and they do eventually
provide an independent assessment of the product's performance against the
claims in the security target.

However, whatever the merits or demerits of NT as an Operating System, the
security situation today appears fairly clear cut.
If you want an operating system which can achieve C2 provided you implement an exact hardware platform and provided that you don't want to connect it to any networks, NT might be exactly what you are looking for. OTOH you could be an unfashionable fuddy-duddy and buy a UNIX OS with a B1 ticket that can be used in a networking environment. You might even buy one with a B2 ticket. Or you might buy a UNIX-like OS with an A1 ticket. You would of course have the problem of multiple choice which can sometimes be a terrible burden. It's so much easier to just do what someone like MS tells you than to go out and select from a range of choices - and take responsibility for making decisions.

Some subscribers to this list may not remember the odd statement "no one ever got fired for buying IBM" - well odd today but not so odd 20 years back. In the pre-UNIX days it was a familiar cry and IBM grew fat on the back of it. Equally, many people lost many opportunities and also spent vast sums of money which they did not need to spend.

Ian J-B.
From firewalls-owner Mon Jun 3 08:04:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20515 for firewalls-outgoing; Mon, 3 Jun 1996 07:31:10 -0700 (PDT)
Received: from aurora.cdev.com ([160.207.114.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA20477 for ; Mon, 3 Jun 1996 07:30:58 -0700 (PDT)
Message-Id: <199606031430.HAA20477@miles.greatcircle.com>
Received: from cdi1p10.cdev.com by aurora.cdev.com id SMTP-00131b2f6f5009817; Mon, 3 Jun 96 09:30:15 -0500
X-Sender: djs3wn39@aurora.cdev.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 03 Jun 1996 06:06:52 -0700
To: firewalls@greatcircle.com
From: Donald.J.Smith@cdev.com (Donald J Smith)
Cc: Blast@worldbit.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer believes Blast said:
>
> Hello,
>
> I am looking for information on anyone who has working knowledge of
> modems that use strong cryptography for authentication and data
> confidentiality.
>
> Please email direct (blast@worldbit.com).
>
> - --blast

Blast, there was a big list compiled several months ago. It started with a question like yours. I thought I kept a copy; so far I haven't found it. It was a long thread (more than 2 msgs). So I recommend looking at the archives around feb96.
Donald J Smith
Network Security Engineer @ Computing Devices International
design in security @ the begining & ease_of_use != A*(1/Data_Security)
(my opinions are mine and so are the spelling errors ;-)

From firewalls-owner Mon Jun 3 08:34:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA24484 for firewalls-outgoing; Mon, 3 Jun 1996 08:22:00 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA24463 for ; Mon, 3 Jun 1996 08:21:47 -0700 (PDT)
Received: from unknown by typhoon.dial.pipex.net (8.7.4/)
Message-ID:
In-Reply-To: <199606031225.FAA11396@miles.greatcircle.com>
References: Conversation <199606031225.FAA11396@miles.greatcircle.com> with last message <199606031225.FAA11396@miles.greatcircle.com>
To: Firewall List
MIME-Version: 1.0
From: Ian Johnstone-Bryden
Subject: Re: RE: Raptor's Eagle Firewall
Date: Mon, 03 Jun 96 16:16:24 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

gary flynn wrote in part:
> The whole idea behind firewalls is to have tightly controlled code. It is
> the instability and poor security design of present operating systems
> that necessitate firewalls in the first place.

?????????????????????????Really!!

The firewall exists most commonly as a placebo to allow people who poorly specify, procure, implement, maintain, manage untrusted information systems, to feel comfortable and secure from the fear of attack via public networks. Like marriage it is a triumph of hope over experience, which doesn't mean it can't work for some people. That doesn't of course mean that a firewall cannot reduce risks, just that it's a costly way of doing so in many cases and no substitute for implementing and running reliable information systems.
Even if all internal networks were well specified, procured, implemented and operated, there would still be a need for a guard at the gateways to public systems (at least for most people) because there would still be the potential risk of attack from outside. OTOH some internal networks could be traditional poor design and require no firewall because there was nothing worth attacking or protecting.

BTST a firewall built on an untrusted OS has itself got a number of exploitable vulnerabilities. As many firewalls are built in the same careless fashion as the internal networks they are supposed to protect, it is no great surprise to find that they are largely ineffective in most things other than consuming corporate funding.

There really is no substitute for enterprise planning to ensure achievement by objective. That means identifying the objectives and risks and then building the policies necessary to sustain achievement. In the short term this could mean that internal networks cannot be connected directly to the public networks until adequate reconstruction has taken place internally. While this is in progress, an air-gapped, or sneakernet, service may be provided. This could be described as a firewall but not in the sense that many would understand as a firewall. The inner and outer machines would be typical untrusted systems. The 'firewall' would be the person in the sneakers running between the two machines.

Ian J-B.
From firewalls-owner Mon Jun 3 08:49:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26566 for firewalls-outgoing; Mon, 3 Jun 1996 08:37:47 -0700 (PDT)
Received: from gw.genre.com (gw.genre.com [204.149.79.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA26489 for ; Mon, 3 Jun 1996 08:37:25 -0700 (PDT)
Received: by gw.genre.com id AA09212
Received: by gw.genre.com (Internal Mail Agent-2);
Message-Id: <9606031534.AA0078@grcstm-nx02.genre.com>
Received: by gw.genre.com (Internal Mail Agent-1);
To: Firewalls
From: ygerman
Date: 3 Jun 96 11:32:41
Subject: Ability To Track Logs
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am in a bind on how to accomplish something on our firewall. I would like to check the logs on the firewall continuously looking for certain fields and based on the fields initiate an action. The action will be mail to a different address depending on the field found. Currently I am setting this up via a C shell script and doing a grep for certain things every hour. The problem is I would like not to have to wait an hour. Has anyone had any experience with this? Is there a way to accomplish this easier? Please respond as soon as possible, thanks!

From firewalls-owner Mon Jun 3 09:04:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27807 for firewalls-outgoing; Mon, 3 Jun 1996 08:49:37 -0700 (PDT)
Received: from dub-img-7.compuserve.com (dub-img-7.compuserve.com [198.4.9.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27756 for ; Mon, 3 Jun 1996 08:49:09 -0700 (PDT)
Received: by dub-img-7.compuserve.com (8.6.10/5.950515)
Date: 03 Jun 96 11:44:27 EDT
From: "Patrick M. Bartkus" <102557.3370@CompuServe.COM>
To: Firewalls List
Subject: Re: Sidewinder: Re: FW: MISSI- and DMS- compliancy
Message-ID: <960603154427_102557.3370_HHU82-1@CompuServe.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At Fri, 31 May 96 08:15:18 -0400 Frank Willoughby wrote:
> At 11:09 AM 5/30/96 -0500, Rick Smith allegedly wrote:
>> If Frank Willoughby wishes to carry on a public discussion about how
>> user to firewall encryption might achieve various security objectives
>> or be effective against various threats, then I'm all in favor of it.
>
> I thought I mentioned some of them in one of my last couple of
> postings. Probably, the easiest thing for someone doing their
> research is to grab a copy of Steve Bellovin's paper entitled
> "Security Problems in the TCP/IP Protocol Suite". List out
> the vulnerabilities & ask the vendor's engineers (not the
> salespeople) if their firewall can protect against these
> vulnerabilities.

I was going to ask Frank where I could find this paper. I decided to check out my favorite web search machine, Meta Crawler (http://metacrawler.cs.washington.edu:8080/index.html), and lo and behold it pointed me to:

http://www.cs.wisc.edu/~cs740-1/740.poon/paper.html

Enjoy!

Patrick
---
Patrick M. Bartkus
Fleet Mortgage Group
Sr. Network Support Anal.
102557.3370@CompuServe.COM
If truth were not absolute, how could there be justice?
From firewalls-owner Mon Jun 3 09:49:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01401 for firewalls-outgoing; Mon, 3 Jun 1996 09:24:07 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA01257 for ; Mon, 3 Jun 1996 09:23:05 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA02670 for firewalls-outgoing; Tue, 9 Apr 1996 09:00:16 -0700 (PDT)
Received: from www.ddddf.com (www.ddddf.com [199.203.68.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA02575 for ; Tue, 9 Apr 1996 09:00:00 -0700 (PDT)
Received: from sunserver (gatekeeper.ddddf.com [199.203.68.2]) by www.ddddf.com (8.6.9/8.6.9) with ESMTP id SAA04969 for ; Tue, 9 Apr 1996 18:19:04 +0300
Received: from sunserver by sunserver (SMI-8.6/SMI-SVR4)
Date: Tue, 9 Apr 1996 18:57:50 +0300 (IDT)
From: Yossi Goltz
To: Firewalls@GreatCircle.COM
Subject: WWW proxy to cut off Java.
In-Reply-To: <199604052113.NAA19679@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Could a nice soul advise me how to set up a proxy http server that can cut off java applets on their way in to our site. I'm becoming more and more concerned about Java (after reading the last messages from Netscape and Sun), and would like to keep off Java and Javascript until they become more safe.

Best regards,
Yossi.
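An added example, not from the list or from any product discussed here, of what a filtering HTTP proxy of the sort Yossi asks for has to do to a page body: drop <applet> and <script> elements (and on* event-handler attributes) before the page reaches the browser, and refuse Java class files by their 0xCAFEBABE magic number whatever the URL or MIME type says. The element and attribute names, the sample page and the blocking policy are assumptions made for this example; the parsing is done by Python's standard html.parser.

```python
"""Strip Java applets and JavaScript from HTML passing through an HTTP proxy (example)."""
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple

# Elements whose whole subtree is dropped: <applet> carries the Java applet,
# <script> the JavaScript. (Policy assumed for this example.)
BLOCKED_ELEMENTS = {"applet", "script"}

# Java class files begin with the magic number 0xCAFEBABE; checking it lets the
# proxy refuse applet code fetched directly, regardless of URL or Content-Type.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def looks_like_java_class(body: bytes) -> bool:
    return body[:4] == JAVA_CLASS_MAGIC


class ActiveContentStripper(HTMLParser):
    """Re-emit the page minus blocked elements and on* handler attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.blocked_depth = 0   # > 0 while inside an <applet> or <script>
        self.removed = 0         # blocked elements plus handler attributes dropped

    @staticmethod
    def _start_tag(tag: str, attrs) -> str:
        parts = [tag]
        for name, value in attrs:   # the parser unescapes values, so re-escape them
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_ELEMENTS:
            if self.blocked_depth == 0:
                self.removed += 1
            self.blocked_depth += 1
            return
        if self.blocked_depth:
            return
        # Inline JavaScript also hides in attributes such as onClick/onLoad.
        kept = [(n, v) for n, v in attrs if not n.startswith("on")]
        self.removed += len(attrs) - len(kept)
        self.out.append(self._start_tag(tag, kept))

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_ELEMENTS:      # self-closing <script/>: nothing to unwind
            if self.blocked_depth == 0:
                self.removed += 1
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in BLOCKED_ELEMENTS:
            self.blocked_depth = max(0, self.blocked_depth - 1)
            return
        if not self.blocked_depth:
            self.out.append(f"</{tag}>")

    def _emit(self, text: str) -> None:
        if not self.blocked_depth:
            self.out.append(text)

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def strip_active_content(html_text: str) -> Tuple[str, int]:
    """Return (cleaned HTML, number of items removed). Tag names come out lower-case.
    An unclosed <applet> or <script> swallows the rest of the page: the filter fails closed."""
    parser = ActiveContentStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample page in 1996 style: upper-case tags, an applet with a
# parameter, inline JavaScript and an event-handler attribute.
SAMPLE_PAGE = (
    '<HTML><BODY><P>Hi</P>'
    '<APPLET CODE="Evil.class" WIDTH=10><PARAM NAME="a" VALUE="b">no java</APPLET>'
    '<SCRIPT>alert(1)</SCRIPT>'
    '<A HREF="x" onClick="f()">L</A></BODY></HTML>'
)

if __name__ == "__main__":
    clean, count = strip_active_content(SAMPLE_PAGE)
    print(count, "item(s) removed ->", clean)
```

The magic-number check matters because the proxy only ever sees the HTML: once an <applet> tag slips past the filter, the browser fetches the .class file in a separate request, and that second request is what looks_like_java_class() catches. A filter like this is only as good as the parser's idea of HTML, so a proxy built on it should also refuse bodies it cannot parse (unknown encodings, compressed responses) rather than pass them through untouched.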
From firewalls-owner Mon Jun 3 12:56:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01246 for firewalls-outgoing; Mon, 3 Jun 1996 09:22:40 -0700 (PDT)
Received: from route1.france3.fr (ms-paris.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA01172 for ; Mon, 3 Jun 1996 09:21:59 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA02036 for firewalls-outgoing; Tue, 9 Apr 1996 23:17:41 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA00421 for ; Tue, 9 Apr 1996 23:02:10 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from p192.iwl.net(204.177.208.192) by mycroft via smap (V1.3mjr)
Received: (from dennis@localhost) by SterCtl.com (8.6.12/8.6.12) id WAA08510; Tue, 9 Apr 1996 22:03:04 -0600
From: Dennis Moroney
Message-Id: <199604100403.WAA08510@SterCtl.com>
Subject: Re: Interesting packets fron the net
To: epperson@vak12ed.edu (W.C. Epperson)
Date: Tue, 9 Apr 1996 22:03:02 -0600 (CST)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: from "W.C. Epperson" at Apr 9, 96 09:39:16 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to W.C. Epperson:
>
> Not on mine _anywhere_, nor does it appear in _anything_ regarding 10.3
> on CIO. Curious they'd burn it on your CD but not put it on their website.

Mea culpa. Only IOS 11.0 currently supports logging. Here is where the information is found:

UniverCD Vol 2, No. 12, Rev. E0, PN: 80-0283-01, data/doc/software/11_0/rpcs/sip.htm
Router Products Release Note for Cisco IOS Release 11.0, Document No. 78-2115-04, Nov. 1995, New Software Features in Release 11.0(1) pp. 23-31

I really looked at my documentation this time. Geez, I could use some humble pie right about now.

--
Dennis Moroney

From firewalls-owner Mon Jun 3 13:04:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01337 for firewalls-outgoing; Mon, 3 Jun 1996 09:23:43 -0700 (PDT)
Received: from route1.france3.fr (ms-paris.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA01248 for ; Mon, 3 Jun 1996 09:22:51 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id LAA12423 for firewalls-outgoing; Tue, 9 Apr 1996 11:56:44 -0700 (PDT)
Received: from tuna.wang.com (tuna.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA12417 for ; Tue, 9 Apr 1996 11:56:37 -0700 (PDT)
Received: from mail.wangfed.com (ns.wangfed.com [159.94.10.19])
Received: from hfsi.hfsi.com by mail.wangfed.com (1.37.109.4/A.09.00a)
Received: from [159.94.14.48] by hfsi.hfsi.com (BULL 5.61++/B.O.S 02.01)
Date: Tue, 9 Apr 96 14:47:53 -0400
Message-Id: <9604091847.AA19336@hfsi.hfsi.com>
From: "KM"
Reply-To: "KM"
To: firewalls@GreatCircle.COM
Subject: Re: complaining to the CEO
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message 01435825702728@gsionline.com Mr. Nick Keenan writes:
> > Just an FYI, for those of you who haven't been there:
> > Complaining to the CEO of a company is not an effective strategy
> > unless what you're trying to accomplish is a short-term reduction
> > of your blood pressure.
>
> As a chronic complainer, I have to disagree. I have written letters of
> complaint to CEO's, Congressmen and Governors, and virtually every time I
> have gotten the action that I wanted and was unable to get through regular
> channels.
> It helps to write a reasonable and reasoned letter, and regular mail is
> better than email.

It also helps when it's *not* the CEO of the company you work for.

K.M. Goertzel
Manager, International Programs and Special Projects
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
TEL: 703-827 3914
FAX: 703-827 3161
EMAIL: goertzek@wangfed.com
WEB: http://www.wangfed.com

+------------------------------------------+
| Never put off until Tomorrow what should |
| have been Done early in the Seventies.   |
|                            - George Ade  |
+------------------------------------------+

From firewalls-owner Mon Jun 3 16:19:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01256 for firewalls-outgoing; Mon, 3 Jun 1996 09:23:02 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA01214 for ; Mon, 3 Jun 1996 09:22:21 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA09931 for firewalls-outgoing; Tue, 9 Apr 1996 23:50:02 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA01176 for ; Tue, 9 Apr 1996 23:13:37 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from quark.gmi.edu(192.138.137.39) by mycroft via smap (V1.3mjr)
Received: (from chiner@localhost) by quark.gmi.edu (8.7.1/8.7.1) id TAA28075 for Firewalls@GreatCircle.COM; Tue, 9 Apr 1996 19:18:36 -0400
From: Chris Hiner
Message-Id: <199604092318.TAA28075@quark.gmi.edu>
Subject: Re: ICMP Loopback etc..
To: Firewalls@GreatCircle.COM
Date: Tue, 9 Apr 1996 19:18:36 -0400 (EDT)
In-Reply-To: <199604091745.KAA07981@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 9, 96 10:45:55 am
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Rob Sansom
> Date: Mon, 08 Apr 1996 22:10:41 -0500
> Subject: ICMP Loopback etc..
>
> Here are some interesting logs I got from my router:
>
> Apr 9 15:23:03 gate247158.connectix.com 1275: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet
> Apr 9 15:42:03 gate247158.connectix.com 1276: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet
> Apr 9 15:47:03 gate247158.connectix.com 1277: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets
> Apr 9 15:53:03 gate247158.connectix.com 1278: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets
>
> 204.247.159.242 is our mail hub. We have had some spoofing incidents here,
> so I contacted CERT with this info, and they know of no way that ICMP TTL
> exceeded messages have been used for previous attacks. If this is indeed a
> these packets over the past few weeks, and tend to come in bursts.

Hmmm... the increasing port numbers, and the fact that they come in bursts... (and TTL exceeded)

I think traceroute... not sure why it'd have the funny source address, but it does sound traceroutish...

Just my guesses...
Chris Hiner -- chiner@quark.gmi.edu

From firewalls-owner Mon Jun 3 16:33:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01905 for firewalls-outgoing; Mon, 3 Jun 1996 09:30:08 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA01745 for ; Mon, 3 Jun 1996 09:29:14 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA06156 for firewalls-outgoing; Wed, 10 Apr 1996 13:18:36 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA06142 for ; Wed, 10 Apr 1996 13:18:31 -0700 (PDT)
Received: from @explorer.csc.com by csc.com with smtp
Message-Id:
Date: Wed, 10 Apr 96 16:16 EDT
X-Sender: asafier@explorer.csc.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Adam Safier
Subject: Re: Cross Realm Kerberos/DCE Proxy, NAT, UDP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Talking to oneself is not all that uncommon nor considered impolite nor crazy in many countries. So I thought I'd do that.... Just in case anyone is interested.

At 04:34 PM 4/8/96 EDT, Adam Safier wrote:
> Can anyone relate war stories, gotchas and victories re: Cross Realm
> Kerberos or DCE across firewalls and to another Kerberized realm?
>
> I want to make sure my understanding of Kerberos traffic isn't twisted.
> Please make corrections if I'm missing things.

I am correcting myself.

> We need to talk to a different organization running Kerberos (actually some
> are DCE - I already heard Kerberos and DCE are not 100% compatible but we
> all agree to support the lowest common denominator.) so we need to do cross
> realm authentication, ticket granting and encryption all working across a
> firewall.

Actually a kerberos vendor just informed me that the IP address of the delivery packet is NOT checked against the !optional! IP address included as part of the user identifier. We need some clarification from experts but this does not look like it would prevent NAT.

However, I thought of another NAT killer. When a client inside the realm contacts a TGS in the other realm, I think the TGS will address the return packet to the firewall. How does the firewall know to which internal client to forward the returned UDP packet (containing the server ticket)?

The rest is deleted since I have no additional comments on it.

For anyone interested, RFC 1510 deals with Kerberos and there is another RFC (I don't know the number) that deals with a GSS API for security program calls. Kerberos comes from MIT but Cygnus (www.cynus.com) also distributes a popular (at NASA) version of it. I'm trying to read the RFC..zzz.zzz

Adam Safier
CSC-SED-Infosec
asafier@csc.com
"If you show me yours, I still won't show you mine."
Expressed opinions are my own and might not be shared by my employer or anyone else.
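ygerman asked earlier in this batch for something better than an hourly grep over the firewall log, with mail going to a different address depending on which field matched, and Chris Hiner's message quotes a router log whose entries are exactly the kind of field to key on. What follows is an added example in Python, not code from the list or from any vendor: it parses Cisco IOS access-list log lines like those quoted, classifies each entry, and builds a mail message addressed per class, with follow() standing in for the hourly cron job as a tail -f style loop. The two ICMP lines are taken from Rob Sansom's log as quoted above (mail-client wrap removed); the TCP line, the addresses in ROUTES, the alert names and the log path are constructed for the example.

```python
"""Follow a firewall log, classify access-list entries, mail each class to its own address."""
import ipaddress
import re
import time
from email.message import EmailMessage
from typing import Iterable, Iterator, List, NamedTuple, Optional

# Cisco IOS access-list log lines: IPACCESSLOGDP (ICMP, trailing "(type/code)")
# and IPACCESSLOGP (TCP/UDP, "addr(port)"). One regex accepts both shapes.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<seq>\d+):\s+"
    r"%SEC-6-(?P<mnemonic>IPACCESSLOG\w+):\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>denied|permitted)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?:\s+\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?,\s+(?P<count>\d+)\s+packets?\s*$"
)

# Which address hears about which kind of event (placeholder addresses).
ROUTES = {
    "spoofed-loopback-source": "security-oncall@example.org",
    "icmp-ttl-exceeded": "netops@example.org",
    "default": "firewall-admin@example.org",
}

# Two entries from the router log quoted above (wrap removed) plus one
# constructed TCP entry so that the non-ICMP path is exercised as well.
SAMPLE_LOG = [
    "Apr 9 15:23:03 gate247158.connectix.com 1275: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet",
    "Apr 9 15:47:03 gate247158.connectix.com 1277: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets",
    "Apr 9 15:50:11 gate247158.connectix.com 1279: %SEC-6-IPACCESSLOGP: list 191 denied tcp 198.51.100.7(2049) -> 204.247.159.242(25), 1 packet",
]


class Alert(NamedTuple):
    kind: str
    recipient: str
    entry: dict


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a dict, or None if it is not an access-list entry."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("seq", "sport", "dport", "icmp_type", "icmp_code", "count"):
        entry[key] = None if entry[key] is None else int(entry[key])
    return entry


def classify(entry: dict) -> str:
    """Map an entry to an alert kind; the first matching rule wins."""
    # 127/8 exists only inside a host, so a datagram with that source arriving
    # from the wire is forged or from a badly broken box, whatever it carries.
    if ipaddress.ip_address(entry["src"]).is_loopback:
        return "spoofed-loopback-source"
    # ICMP type 11 is "time exceeded", the reply traceroute draws from each hop.
    if entry["proto"] == "icmp" and entry["icmp_type"] == 11:
        return "icmp-ttl-exceeded"
    return "default"


def process(lines: Iterable[str]) -> List[Alert]:
    """Classify every parseable denied entry and pick its recipient from ROUTES."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry["action"] == "denied":
            kind = classify(entry)
            alerts.append(Alert(kind, ROUTES.get(kind, ROUTES["default"]), entry))
    return alerts


def build_alert(alert: Alert) -> EmailMessage:
    """One mail per entry, addressed according to the class that matched."""
    e = alert.entry
    msg = EmailMessage()
    msg["To"] = alert.recipient
    msg["Subject"] = f"[{e['host']}] {alert.kind}: {e['proto']} {e['src']} -> {e['dst']}"
    msg.set_content(
        f"{e['ts']} list {e['acl']} {e['action']} {e['proto']} {e['src']} -> {e['dst']} "
        f"({e['count']} packet(s), seq {e['seq']})\n"
    )
    return msg


def follow(path: str, interval: float = 2.0) -> Iterator[str]:
    """Yield lines appended to the log as they arrive (tail -f), instead of waiting an hour."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # start at the end; older lines were handled by the hourly job
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(interval)


if __name__ == "__main__":
    # Real delivery would be smtplib.SMTP("mailhost").send_message(msg); print instead.
    for alert in process(SAMPLE_LOG):
        print(build_alert(alert))
```

For live use, feed process() from follow("/var/log/firewall.log") (a placeholder path) and hand each message to smtplib instead of print. Two things a production version would add: follow() as written does not notice log rotation, so the file should be reopened when its inode changes, and repeats should be throttled so that a burst like the one in the log above does not become a burst of mail.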
From firewalls-owner Mon Jun 3 16:51:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00375 for firewalls-outgoing; Mon, 3 Jun 1996 09:17:05 -0700 (PDT)
Received: from factset.com (sunscreen.factset.com [164.55.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00342 for ; Mon, 3 Jun 1996 09:16:51 -0700 (PDT)
Received: by factset.com (4.1/SMI-4.1)
Received: from unknown(164.55.4.71) by sunscreen.factset.com via smap (V1.3)
Received: from overlord.factset.com by sundog.factset.com (4.1/SMI-4.1)
From: scox@factset.com (Sean Cox)
Message-Id: <9606031617.AA15785@sundog.factset.com>
Subject: NT firewalls & NOS admins
To: Firewalls@GreatCircle.COM
Date: Mon, 3 Jun 1996 12:11:21 -0400 (EDT)
In-Reply-To: <199606030800.BAA27474@miles.greatcircle.com> from "Firewalls-Digest" at Jun 3, 96 01:00:32 am
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Russ

[ Original poster deleted before I got here...]

> "Maybe that's because it's not NT and it's not an operating system. It's a
> firewall. Why should a firewall look like an operating system?"

> What if I don't want a Firewall Administrator, what if I want to use my NOS
> Administrator? What if I have a small company who cannot afford a dedicated
> Firewall, or a dedicated Firewall Administrator?

Then I'd be willing to bet you'll have problems. I've seen a variety of folks setting up "firewalls" for their networks that are to be run by people who don't understand the Internet. They may understand Novell/IPX, or NT/NetBEUI/NbT, but they don't have a clue about how IP works on the 'net. Even if you have a nice happy NT firewall that gives you the same "comfortable" interface that you're used to when dealing with file services, you still need to understand the big picture. UNIX is useful because that's where the picture came from!
If you have a decent UNIX geek on staff, then you likely have someone who understands how things work on the Internet (i.e. how the services are provided, how mail flows, etc). If you have some guy with a Microsoft Certification for NT, then you probably don't. If you choose not to supply yourself with the necessary people or capabilities to understand the problem, you are very unlikely to find a good solution!

At this stage in the game, things are still very primitive WRT network security, and for that reason, anyone looking to protect something important needs to find someone with a clue. Perhaps soon the systems will be easy enough to be handled by unskilled (in that particular field) workers, but I don't think anyone outside a marketing department thinks that the tools are there now. If you choose to use an unskilled person as a pseudo-admin, then you'll probably get what you pay for. The Bad Guys (TM) know their stuff, do you?

> Anyway, you've made my point again. If its going to be an NT-based
> Firewall, it should incorporate NT into its functionality, otherwise, we
> shouldn't be looking at the NT version and instead should be considering
> the original UNIX version. Both Raptor and Centri are ports of UNIX
> products to NT. The point is, if the objective of the port was merely to
> duplicate the Firewall environment running on top of NT, its ill conceived.

Isn't the whole idea "duplicating the firewall environment running on top of NT" the entire point? When Microsoft took "netstat" from BSD, did they give it a mongo GUI and lots of bitmaps? No, it's a command-line tool because it's useful that way (%System_Root%/SYSTEM32/NETSTAT.EXE, try it).

Now I have not seen the NT Eagle, but we do use the UNIX version. Both the command line stuff & the Hawk GUI. I personally prefer the command line stuff, as it makes it real easy to config (in our particular circumstances) with a couple of perl scripts, but the Hawk is useful for some other config work.
If I had to config the Eagle with something like User Manager and Control Panel applets, I'd go nuts, I prefer to let the computer (not my fingers/wrists) do all the repetitive stuff....

--Sean

I apologize if I seem like I'm attacking (I'm merely ranting some :) but it continues to fascinate me how so many people feel the need to setup a half-assed Internet attachment based on what they think they want, rather than what makes sense. (My hammer is so cool, I want to drive screws with it!)

_______________________________________________________
Sean Cox, Systems Engineer
FactSet Research Systems
scox@factset.com
Greenwich, CT

From firewalls-owner Mon Jun 3 17:03:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00740 for firewalls-outgoing; Mon, 3 Jun 1996 09:19:28 -0700 (PDT)
Received: from route1.france3.fr (ms-paris.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA00363 for ; Mon, 3 Jun 1996 09:16:59 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id NAA25586 for firewalls-outgoing; Mon, 8 Apr 1996 13:36:28 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA25580 for ; Mon, 8 Apr 1996 13:36:21 -0700 (PDT)
Received: from @explorer.csc.com by csc.com with smtp
Message-Id:
Date: Mon, 8 Apr 96 16:34 EDT
X-Sender: asafier@explorer.csc.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Adam Safier
Subject: Cross Realm Kerberos/DCE Proxy, NAT, UDP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone relate war stories, gotchas and victories re: Cross Realm Kerberos or DCE across firewalls and to another Kerberized realm?
I want to make sure my understanding of Kerberos traffic isn't twisted. Please make corrections if I'm missing things.

We need to talk to a different organization running Kerberos (actually some are DCE - I already heard Kerberos and DCE are not 100% compatible but we all agree to support the lowest common denominator.) so we need to do cross realm authentication, ticket granting and encryption all working across a firewall. We have a client that would like to run cross realm Kerberos across the Firewall for process to process communication (no live user).

Why firewall if we use Kerberos?
- some nodes on the inside might not be able to run Kerberos.
- we don't want to do encryption on all the traffic.
- we will have some internal X-traffic. (idle curiosity - kerberized X-terminals anyone?)

In addition, we like to follow Internet standards and Best Practices so Network Address Translation (RFC 1918, 1597) is a desired architectural feature. (We could drop it if it's totally incompatible with kerberos so I don't call it a requirement but it's like birthday cake without decorations.)

The NAT could be a real problem. Kerberos apparently packs the nodes network address as part of the authentication packet so if your IP address is hidden by the firewall I expect the authentication at the client/server to fail when source and encrypted address are compared. (are they?).

The kerberos protocol uses UDP for the initial ticket request and delivery. Simply communicating with a single outside client registered with our TGS should not be a problem - all UDP traffic with Kerberos port numbers simply gets routed to the appropriate TGS/authenticator.

What I'm having a hard time with is the Kerberos V5 Cross Realm. In that scenario the internal client must get ticket from the internal TGS (I) which lets him talk to the inter-realm TGS (1) which lets him talk to the remote realm TGS (R) to get a ticket for the final destination service (D).
The result is UDP packets to and from all internal clients that want to talk to the other realms.

      Dest(D)    TGS(R)    TGS(1)    X    TGS(I)    Client
        |          |          |      X      |          |
        |          |          |      X      |----1-----|
        |          |          |------X------2----------|
        |          |-----------------X------3----------|
        |----------------------------X------4----------|

1, 2 and 3 are UDP. Only 4 is a TCP connection
XXXX=firewall

All UDP packets have a "well known" Kerberos port number but that still leaves a lot of UDP flying around. The firewall can have filter rules to restrict the Kerberos UDP packets to Kerberized nodes but that only works on a small internal net. What do people do with large mixed nets? (Luckily I'm dealing with a small net so we can have the filter rules for individual clients but since I'm learning I would like to understand the other options.)

True, the Kerberos ports are well known and the non-kerberized clients should not be listening on them so attacks on those ports should not work. But how many applications might there be that simply listen on incorrect ports? (I don't know. If everyone was careful and followed standards I would feel secure, but I've hacked code in a hurry (vs. leisurely programming in a "development environment") so I recognize the temptations during a rushed job...;)

I guess I'll be joining the Kerberos mailing list or newsgroup, but I thought this might be an appropriate discussion for Firewalls as well.

By the way, while some gurus are announcing the death of RPC due to security holes and better CORBA tools I am under the distinct impression that DCE (which is RPC based) is growing rapidly, at least from my myopic view of some government entities and a growing list of vendors.

Sorry for the length of the above - I can't believe I wrote all that!

Adam Safier
CSC-SED-Infosec
asafier@csc.com
- It's scary when people call me an "expert" in a subject just as I start to realize how little I know and how much I still need to learn.
Expressed opinions are my own and might not be shared by my employer or anyone else.
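Adam's self-reply earlier in this batch asks how a NAT firewall knows which internal client a returned UDP datagram (the ticket coming back from TGS(1) or TGS(R) in steps 2 and 3 of the diagram above) belongs to. The answer is the per-datagram state the firewall records when the request goes out. The following is an added Python illustration, not code from the list or from any firewall product: a small address-and-port-dependent UDP NAT table that creates a binding on the outbound query, forwards a reply only if it comes from that same KDC and only while the binding is fresh, and expires idle entries. The addresses, port range and timeout are constructed for the example; port 88 is the Kerberos KDC port from RFC 1510.

```python
"""Stateful UDP NAT table: how a firewall returns a Kerberos reply to the right inside host (example)."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

KDC_PORT = 88  # KDC/TGS port (RFC 1510); steps 1-3 of the diagram are UDP to this port


@dataclass
class Binding:
    inner: Endpoint      # private client address and its ephemeral port
    remote: Endpoint     # the KDC/TGS that client queried
    public_port: int     # port the firewall used on its own public address
    last_seen: float


class UdpNat:
    """Address-and-port-dependent NAT: a reply is forwarded only to the client that
    sent a datagram to exactly that remote endpoint, and only while the binding is fresh."""

    def __init__(self, public_ip: str, first_port: int = 40000,
                 last_port: int = 60000, idle_timeout: float = 60.0) -> None:
        self.public_ip = public_ip
        self.first_port, self.last_port = first_port, last_port
        self.idle_timeout = idle_timeout
        self.by_inner: Dict[Tuple[Endpoint, Endpoint], Binding] = {}
        self.by_public: Dict[int, Binding] = {}
        self._next_port = first_port

    def _expire(self, now: float) -> None:
        """Drop bindings that carried no traffic for idle_timeout seconds."""
        for key, b in list(self.by_inner.items()):
            if now - b.last_seen > self.idle_timeout:
                del self.by_inner[key]
                del self.by_public[b.public_port]

    def _allocate_port(self) -> int:
        for _ in range(self.last_port - self.first_port + 1):
            port = self._next_port
            self._next_port = self.first_port if port == self.last_port else port + 1
            if port not in self.by_public:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def outbound(self, inner_ip: str, inner_port: int, remote_ip: str, remote_port: int,
                 now: Optional[float] = None) -> Endpoint:
        """Inside -> outside: create or refresh the binding; return the rewritten source."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        key = ((inner_ip, inner_port), (remote_ip, remote_port))
        b = self.by_inner.get(key)
        if b is None:
            b = Binding(key[0], key[1], self._allocate_port(), now)
            self.by_inner[key] = b
            self.by_public[b.public_port] = b
        b.last_seen = now
        return self.public_ip, b.public_port

    def inbound(self, remote_ip: str, remote_port: int, public_port: int,
                now: Optional[float] = None) -> Optional[Endpoint]:
        """Outside -> inside: look the reply up; None means drop (no binding, or wrong peer)."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        b = self.by_public.get(public_port)
        if b is None or b.remote != (remote_ip, remote_port):
            return None
        b.last_seen = now
        return b.inner


def cross_realm_walkthrough(nat: UdpNat, now: float = 0.0) -> List[tuple]:
    """Steps 2 and 3 of the diagram: one inside client queries TGS(1), then TGS(R),
    through the firewall. Addresses are constructed (RFC 1918 / RFC 5737 ranges)."""
    client = ("10.0.0.5", 3001)
    log = []
    for step, tgs_ip in ((2, "192.0.2.10"), (3, "198.51.100.20")):
        public = nat.outbound(*client, tgs_ip, KDC_PORT, now=now + step)
        back = nat.inbound(tgs_ip, KDC_PORT, public[1], now=now + step + 0.5)
        log.append((step, public, back))
    return log


if __name__ == "__main__":
    for step, public, back in cross_realm_walkthrough(UdpNat("203.0.113.1")):
        print(f"step {step}: query left as {public}, ticket returned to {back}")
```

Two things the example makes visible. First, the binding is keyed on the remote endpoint as well, so a datagram arriving at the firewall's port 40000 from anything other than the TGS that was queried is dropped rather than forwarded; looser designs reuse one public port for every destination of the same inner socket and accept replies from any of them, which is more permissive. Second, this only settles the transport question; the address-in-ticket point Adam raises in the same message stands on its own, since whatever address the client writes into its request is the private one, and a KDC or service that insisted on matching it against the NAT'd source would still refuse the ticket.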
From firewalls-owner Mon Jun 3 17:04:08 1996
Date: Sun, 21 Apr 1996 05:33:59 -0700 (MST)
From: "Joel M Snyder, in absentia"
Subject: RE: Stopping Fakemail
To: firewalls@greatcircle.com
Cc: mulligaj
Message-id: <01I3SJW5DLXGDQGXSP@Opus1.COM>
Organization: Opus One - +1 520 324 0494
Fruit-of-the-day: cashew
Comments: Telecommunications and Information Technology Services

From firewalls-owner Mon Jun 3 17:18:51 1996
Date: Thu, 11 Apr 1996 17:28:58 -0500
From: Tom James
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #147 -Reply

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.

Regards
Tom James

From firewalls-owner Mon Jun 3 17:24:32 1996
Date: Thu, 11 Apr 1996 17:28:58 -0500
From: Tom James
To: firewalls@GreatCircle.COM
Subject: firewalls-digest V5 #162 -Reply

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.

Regards
Tom James

From firewalls-owner Mon Jun 3 17:33:53 1996
Date: Tue, 16 Apr 1996 08:43:42 +0200
From: ugb@socrates.helvetiapatria.ch (Bortoluzzi)
Message-Id: <199604160643.IAA27951@helvetiapatria.ch>
To: firewalls@GreatCircle.com
Subject: Maintenance of firewall-1 2.0

Hi!

We are planning to install Firewall-1 Version 2.0. Only HTTP and SMTP shall pass through. Can somebody tell me how much manpower we will need to maintain the installation after the first implementation?

Thanks
Giulio Bortoluzzi

From firewalls-owner Mon Jun 3 17:36:35 1996
Date: Thu, 25 Apr 96 11:24:43 PDT
From: Chris
Subject: location of public hosts
To: firewalls@greatcircle.com

Please can someone give me some advice. I have a connection to the net through a Gauntlet firewall. I want to run a web server (NT) and have received conflicting advice as to where it should be located, internal or external to the firewall. In addition, what other risks need to be considered with using an NT server either internal or external.
Thanks in advance for your help
Chris

From firewalls-owner Mon Jun 3 17:40:38 1996
From: gblolmxb@ibmmail.com
Message-Id: <199604121153.EAA01557@miles.greatcircle.com>
Date: Fri, 12 Apr 1996 07:50:59 EDT
To: ac141@typhoon.dial.pipex.net, firewalls@greatcircle.com
Subject: Re Finding domain name from IP address

Ben said:
>We have a combination of registered and unregistered IP addresses on
>our network (no Internet connection yet).
>Is there a way I can find out who the unregistered ones are really
>registered to?

Try telnetting to rs.internic.net and run whois, or for European registrations try info.ripe.net, or even ns.ripe.net.

Mark.
From firewalls-owner Mon Jun 3 17:48:51 1996
From: BARACCUS@aol.com
Date: Wed, 17 Apr 1996 10:17:01 -0400
Message-ID: <960417101701_377118038@emout06.mail.aol.com>
To: firewalls@greatcircle.com
Subject: Filtering by Source Port

In Brent's book Building Internet Firewalls it says that the ability to filter by source port is very important. We have a Cisco 2501 which I just found out can't filter by source port. If Cisco routers can't do source port filtering then what routers can????

Thanks,
Kevin

ps. When I talked to Cisco Tech Support they couldn't understand why anyone would even want to filter by source port.
From firewalls-owner Mon Jun 3 17:50:51 1996
Date: Wed, 17 Apr 1996 12:42:18 +0100
Message-Id: <199604171142.MAA10306@mailbox.rmplc.co.uk>
To: firewalls@greatcircle.com
From: hagstsch@rmplc.co.uk (MICHAEL ST HILAIRE)

From firewalls-owner Mon Jun 3 17:51:47 1996
From: equaad@indigo.mit.edu
Message-Id: <199604232019.NAA10398@miles.greatcircle.com>
Date: Tue, 23 Apr 96 16:14:14 -0400
To: firewalls@greatcircle.com
Subject: suspicious packets in firewall logs??

Hi,

I have a question for you firewall gurus about some packets that are arriving at my firewall's door. They look like this:

proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port domain-udp len 378 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port domain-udp len 353 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1066 s_port domain-udp len 371 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1067 s_port domain-udp len 353 rule 9

where 555.555.555.555 is an address outside the firewall and 444.444.444.444 is an address inside. This is using checkpoint firewall-1 as a firewall.

Notice how the service (which is just the destination port number I believe) increments by one each time. What kind of application would generate traffic like this??
Or is someone sending packets to a bunch of different ports on the system to see whether any of those might be running an unusual service that they can then use to break in? Any ideas would be helpful. Right now the firewall is set up to drop such packets.

Thanks!
-Ellen
equaad@indigo.mit.edu

From firewalls-owner Mon Jun 3 17:59:32 1996
Date: Mon, 3 Jun 1996 18:54:58 +0100
To: Firewalls@GreatCircle.COM
From: security@crpht.lu (Security Responsible)
Subject: FTPing with a GUI thru a fw

Hello,

Some time ago, david.black@e-mail.com launched the debate on using a GUI ftp client to connect thru FW1....

Now suppose this:

  (ftp) you ---------> FW1 (gateway) -------> host

From a UNIX station, ftping is no problem:
* HOST: you connect to the gateway
* USER: give your user name on the gateway
* PASSWD: give your passwd on the gateway
* INTERNAL HOST: give the host to which you want to connect
and you get connected to that host.

Now supposedly you should be able to do the same from a GUI client by giving out:
* HOST: the name of the gateway
* USER: when asked for your user name on the gateway, giving host_username@gateway_username@host
* PASSWD: host_passwd@gateway_passwd

But as David Black said, it doesn't work!

Now to test things, I tried to ftp from a unix box thru the gateway and act as if I came from a GUI client. That is:
* HOST: gateway
* USER: host_username@gateway_username@host .... STOP

and there it doesn't work. The gateway says it doesn't know the user "host_username@gateway_username@host" which seems to indicate it doesn't interpret the @ in the username as it should, and looks in the database for the name as is! No need to go further and give the passwd...

Has somebody worked this out? Are there people from Checkpoint out there?

Bruno MAMER
__________________________________________________________________
Bruno MAMER                                  bruno.mamer@crpht.lu
Centre de Recherche Public Henri Tudor - Computer Network Services
Our local archive on security : http://www.crpht.lu/CNS/html/PubServ/Security/home.html
---------------------------------------------------------------

From firewalls-owner Mon Jun 3 18:03:51 1996
Date: Mon, 22 Apr 1996 15:08:50 +0930
From: Garth Kidd
Subject: Re: Firewalls-Digest V5 #250
In-reply-to: firewalls-digest-owner@GreatCircle.COM "Firewalls-Digest V5 #250"
To: Firewalls@GreatCircle.COM
Message-id: <960422150853.ZM2871@jolt.systems.sa.gov.au>
References: <199604210800.BAA19892@miles.greatcircle.com>

On Apr 21, 1:00, firewalls-digest-owner@GreatCircle.COM wrote:
> As I too have seen, this does normally tend to be the case. Or a
> comparable situation would be that we eventually do learn a good deal
> about a hole, but months after the 'black hat' people do. This is due to
> the perceived damage control that these organizations and individuals
> believe they are doing by preventing the further spreading of info about
> the hole.

There's also the matter of liability -- nobody wants to be sued for revealing to the intruder community a security hole later exploited to .

--
garth@dogbert.systems.sa.gov.au | Garth Kidd
+61-8-207-7740 (voice)          | Network Services Branch
+61-8-207-7860 (fax)            | Southern Systems
                                | Adelaide, AUSTRALIA

From firewalls-owner Mon Jun 3 18:08:36 1996
Date: Thu, 25 Apr 1996 23:20:34 -0500
Message-Id: <199604260420.XAA27289@Walden.MO.NET>
To: fwtk-users@tis.com
From: rhicks@MO.NET (Rick Hicks)
Subject: Sendmail with firewall relay - Update
Cc: firewalls@greatcircle.com

First, thanks to all who have responded so far. I now have internal mail delivery working. I found the solution tucked away in one of the sendmail book's appendixes, and a few people mailed me the same advice shortly after (Thanks!). The solution was not to use the Fw macro as most replied - I needed mail delivered to other hosts once it hit the hub, I believe Fw only works if I wanted to keep the mail on the hub.

The only problem left is to get the firewall to rewrite internal senders as user@my.domain instead of user@host.my.domain. I don't know that this can be done since the firewall just relays mail to the provider's mail host or my internal hub and never gets to any rules other than rule set 0, which, as far as I know, only investigates recipient addresses. With this being the case is there any way to hack around it?

TIA,
Rick
__________________________________
Rick Hicks
System Specialist
Hussmann Corporation

From firewalls-owner Mon Jun 3 18:08:50 1996
From: "Bob Madderra"
Message-Id: <9604281221.ZM5072@chernobyl.emss.com>
Date: Sun, 28 Apr 1996 12:21:31 -0500
To: firewalls@greatcircle.com

Hello,

I'm looking for the best way to partition off a small, but sensitive work area from our larger corporate WAN.
Router filtering doesn't seem to do all I need (I need to log everything, and be able to make frequent changes to rule sets). Most traffic over this firewall is PC destined, like DHCP, SMB, and even IPX over IP (and speed is important), so I don't think a proxy based answer is there. We would usually prefer a Sun based solution, since that's where our experience, service arrangements, spare parts, etc. are, but I'm open to alternatives. Someone mentioned SunScreen, which I hadn't been considering. I don't need to create virtual networks -- but still may be something to consider. I need something that's as invisible as possible, but still come as close as is reasonable to matching the performance of a router (10MB/s on each side).

Any pointers appreciated.

Thanks,
--Bob Madderra (madderra@emss.com)
Southern Co. Services

From firewalls-owner Mon Jun 3 18:18:52 1996
Message-Id: <9604220435.AA0325@natmailnotes.ferntree.com.au>
To: firewalls
Cc: Peter Court
From: Colin Spence
Date: 22 Apr 96 14:30:54
Subject: TIS Gauntlet 3.1 Log Enhancements

Hi,

We are using Trusted Information Systems (TIS) Gauntlet Version 3.1 as our firewall. To date, we have been impressed with the functionality, logging and (perceived) security features.

With respect to the logging features installed with Gauntlet, we receive:
(1) hourly reports of events (warnings, errors, configuration issues etc)
(2) daily summary reports of usage (mail, http, telnet, ftp etc)
(3) weekly summary reports of usage (mail, http, telnet, ftp, etc)

What are other Gauntlet sites doing for enhanced:
(a) Control
(b) Monitoring and Reporting
of Internet access other than the standard 'reports'. For example, a report detailing IP address/name and HTTP sites visited would be of interest. WebTrack sounds nice, but seems to be another complete Proxy Firewall. Are there any addons for Gauntlet out there - commercial or otherwise?
Regards,
Colin Spence
Ferntree Computer Corporation
Phone: +61 3 9622-8000
Fax: +61 3 9614-2009
Internet: colin_spence@ferntree.com.au

From firewalls-owner Mon Jun 3 18:18:44 1996
From: mfrank@ftc.gov (Mike Frank)
Message-Id: <9604271602.AA12931@watchdog.ftc.gov>
Subject: Re: Why am I getting these
To: shadixdl@gccs.cpf.navy.mil (Danny L. Shadix)
Date: Sat, 27 Apr 1996 12:02:56 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Danny L. Shadix" at Apr 26, 96 07:20:22 am
Reply-To: mfrank@watchdog.ftc.gov

Hi:

Max hops greater than 17. This is a sendmail configuration parameter, Oh 17. This is the default set when you build V8 sendmail. It is okay for debugging, but way too low for inbound mailing lists like firewalls. Set it up to about 35 or so, after you are sure that all mail gateway machines at your site are MX'ed correctly and not ping/ponging mail when, for instance, one box goes down for repair, etc.

This MAX_HOP parameter is simply a count of the number of "received" headers in a message. When it reaches the limit, sendmail thinks something must be wrong.

Mike
--
+-------------------------------------------------------------------+
Mike Frank, Federal Trade Commission
Voice: 202-326-2217   Fax: 202-326-2050
Email: mfrank@ftc.gov
X.400: /pn=Michael.Frank/c=us/admd=telemail/prmd=gov+ftc/o=wpo/
+-------------------------------------------------------------------+

From firewalls-owner Mon Jun 3 18:24:23 1996
From: ""
Message-Id: <199604262009.QAA03680@wolf.microserve.com>
Subject: Re: Cisco
11.0(7) bugs anyone?
To: br966@freenet.toronto.on.ca (W.C. Epperson)
Date: Fri, 26 Apr 1996 16:09:58 -0400 (EDT)
Cc: firewalls@greatcircle.com
Action: When it's over, maybe we'll be able to get some REAL work done!
Reply-To: lonewolf@wolf.microserve.com
In-Reply-To: from "W.C. Epperson" at Apr 26, 96 09:54:57 am

In this Millennium, Epperson dreamt that he said:
> > Bill sez:
> > >I need to upgrade my Cisco.
> > >Has anyone found bugs or security holes in IOS 11.0(7)?
> >
> No, WaY, d00d. tHEreZ n0 unDocUmENted feAturZ or buGs anyWhEre for
> us^H^H thE bAd GuYz to eXpl0it. PaUl seZ iTs reAlLy GD buT thAtZ noT
> In ThE reLeaSe dOcuMentZ yEt.
>
> Bes1dEz, the m3dia aRe yUr wUrst eNeMieZ.
>
> If YoU sEnd me yUr rOuter aDdress and enAbuL pAsSwurd, IlL be GLad to
> chEcK yOur c0nf1gUrati0n for yoU.
>
>
> W.Z. Epperson                        "You can't go in there:
> SeNior $e                             There's a flashing red light."
> InfUrmation SecUr1ty OfFicer                --Firesign Theater--
> EPA AmeRiCus
> PiNCusH10n-for-Life
> VirginYa Dept. of EduCation
> epp3rson@pen.kI2.va.u$ (yEs, I aM)
>
>

hehehehehehhe, LOL! :) quipS? what quips? i'm holding my sides to keep my intestines inside instead of on the floor! (blame W.Z.!) thanks for the side-splitter!

-brian
lonewolf@wolf.microserve.com

From firewalls-owner Mon Jun 3 18:28:01 1996
Date: Mon, 22 Apr 1996 01:36:39 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: RE: Stopping Fakemail
Organization: Memra Software Inc. - Internet consulting

On Sun, 21 Apr 1996, Martin Cooper wrote:

> Ident is pointless on insecure Windozes machines, and the IP address of
> the sending machine is no use on a public access machine.

With the IP address you can verify where the mail is coming from. If you have public access machines it would make a lot of sense to insert that info into any mail messages originating there...
From: president@whitehouse.gov To: dean@cs.your.edu Subject: Invitation to dinner Probably From: unknown@public07.cs.your.edu (Public Terminal User) Dear Dean, Hillary and I would like to have the pleasure of your company.... Even if you can't stop the attempt at spoofing, you can give the recipient some info to help them make a judgement on whether or not the message is valid. But a real hacker could *STILL* spoof some people even with that kind of a header in the message body. As Abe Lincoln said "You can fool some of the people all of the time..." Michael Dillon Voice: +1-604-546-8022 Memra Software Inc. Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Mon Jun 3 18:33:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07761 for firewalls-outgoing; Mon, 3 Jun 1996 10:09:36 -0700 (PDT) Received: from route1.france3.fr (ms-paris.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA01809 for ; Mon, 3 Jun 1996 09:29:29 -0700 (PDT) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA25577 for firewalls-outgoing; Tue, 9 Apr 1996 06:31:06 -0700 (PDT) Received: from lint.cisco.com (lint-ether.cisco.com [198.93.170.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA25227 for ; Tue, 9 Apr 1996 06:23:04 -0700 (PDT) Received: from pferguso-pc.cisco.com (c2robo5.cisco.com [171.68.13.37]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id GAA29770 for ; Tue, 9 Apr 1996 06:18:29 -0700 Message-Id: <199604091318.GAA29770@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 09 Apr 1996 09:19:30 -0400 To: firewalls@GreatCircle.com From: Paul Ferguson Subject: Network
Engineering Technologies Announces $10,000 Firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Excerpt from: -(BUSINESS WIRE) via Individual Inc. [04-08-96 at 15:41 EDT, Business Wire] [snip] The Challenge To claim the $10,000 in NET's Firewall Challenge, individuals must first register with NET, then use a computer to break into NET's secure transaction server and retrieve information stored there about paper currency totaling $10,000, namely: (1) the number of notes, (2) the denomination of each note and (3) the serial number of each note. The first person to supply the correct information to NET between 12:01 a.m. May 1 and 12:01 a.m. May 31 will win the $10,000. In the case of multiple break-ins, the first person sending the correct information to NET's e-mail address will be declared the winner. Participants must be individuals over 18 years of age, not companies, and must also agree to surrender to NET all relevant information about the methods they used to break through the firewall. Further details on the Network Engineering Technologies' $10,000 Firewall Challenge available on the World-Wide Web at http://thefirewall.com or by writing NET at 1714 Ringwood Ave., San Jose, CA 95131. [snip] -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Mon Jun 3 18:39:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11483 for firewalls-outgoing; Mon, 3 Jun 1996 10:50:04 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11282 for ; Mon, 3 Jun 1996 10:48:59 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA12234 for firewalls-outgoing; Sun, 28 Apr 1996 09:32:41 -0700 (PDT) Received: from Eng.Auburn.EDU (wilbur.eng.auburn.edu [131.204.110.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA12228 for ; Sun, 28 Apr 1996 09:32:32 -0700 (PDT) Received: (from root@localhost) by Eng.Auburn.EDU (8.7.4/8.7.3) id LAA10942; Sun, 28 Apr 1996 11:28:54 -0500 (CDT) Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by Eng.Auburn.EDU (8.7.4/8.7.3) with ESMTP id TAA11528 for ; Tue, 19 Mar 1996 19:59:07 -0600 (CST) Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA20267 for firewalls-outgoing; Tue, 19 Mar 1996 03:12:06 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA20251 for ; Tue, 19 Mar 1996 03:11:57 -0800 (PST) Message-Id: <199603191111.DAA20251@miles.greatcircle.com> Received: by cheops.anu.edu.au From: Darren Reed Subject: Re: NAT vs trad FW? 
To: Petter.Haggman@lule.frontec.se (Petter Häggman) Date: Tue, 19 Mar 1996 22:10:39 +1100 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199603181611.RAA01045@goozer.arctic> from "Petter Häggman" at Mar 18, 96 05:11:40 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Petter Häggman, sie said: > > > Hi there! > > I'm interested in opinions/facts about using NAT as > a firewall concept. Beside the fact that one can save > some official address-space by using NAT, are there > any relevant arguments for/against the security of > for example Cisco's PIX vs Gauntlet or Firewall-1? A NAT (alone, and in the pure sense of the acronym) DOESN'T provide any security, per-se. It might be implied by assuming that an internal IP# doesn't have an externally accessible one all the time, but those external addresses will become evident when the host(s) go through the NAT to the other network. The NAT provides what some people call "address hiding", which is, as it suggests, security through obscurity at best. Gauntlet/FW-1 are going to provide you with an equivalent to this (assume FW-1 v2.0) plus extra things like user authentication for proxied services.
darren From firewalls-owner Mon Jun 3 18:39:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09985 for firewalls-outgoing; Mon, 3 Jun 1996 10:32:58 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA09807 for ; Mon, 3 Jun 1996 10:31:48 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA14430 for firewalls-outgoing; Fri, 12 Apr 1996 12:32:52 -0700 (PDT) Received: from whiz.mfi.com (whiz.mfi.com [198.71.19.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA14422 for ; Fri, 12 Apr 1996 12:32:48 -0700 (PDT) Received: from ccmail.mfi.com by whiz.mfi.com (AIX 3.2/UCB 5.64/4.03) Received: from ccMail by mfi.com Date: Fri, 12 Apr 96 12:23:24 PST From: "Power, Richard" Message-Id: <9603128293.AA829337004@mfi.com> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #226 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Free firewall product matrix available from CSI SAN FRANCISCO -- Firewall revenues are estimated to surge from $160 million in 1995 to $980 million in 2000. But a recent CSI survey shows that 30% of Internet-based intrusions occurred with a firewall installed. Clearly, there is a vital need for better information on which to make buying decisions. The CSI 1996 Firewall Product Matrix is a practical tool. The comprehensive evaluation of 22 different firewall products covers every feature of firewall design: e.g., administration, reports, alarms, encryption, training costs. It even lists proxies, gateways and servers.
"You should be leery of vendor-sponsored evaluations," says Richard Power, CSI editor, "They lack the real-world perspective of practitioners. Our matrix was developed with input from both actual practitioners and leading independent experts in the field." "This year's firewall matrix attempts to pick out the areas that indicate a product's capabilities in filtering out attacks while passing other data through transparently," says Rik Farrow, a leading authority on Internet and UNIX security who worked on the matrix. "We looked for indications of flexibility that do not come at the expense of security. We want to provide you with a good starting point on your search." To obtain a free copy of the CSI 1996 Firewall Product Matrix, e-mail your address to prapalus@mfi.com, phone 415/905-2310 or fax 415/905-2218. This document is not available electronically. ### Computer Security Institute is the oldest international membership organization specifically serving the information security professional. Established in 1974, CSI has thousands of members worldwide and provides a wide variety of information and educational programs to assist practitioner in protecting the information assets of corporations and governmental organizations. 
From firewalls-owner Mon Jun 3 18:47:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09986 for firewalls-outgoing; Mon, 3 Jun 1996 10:32:58 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA09799 for ; Mon, 3 Jun 1996 10:31:46 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA10863 for firewalls-outgoing; Mon, 22 Apr 1996 07:46:52 -0700 (PDT) Received: from telxon.mis.telxon.com (telxon.mis.telxon.com [149.23.2.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA10857 for ; Mon, 22 Apr 1996 07:46:48 -0700 (PDT) Received: from SBRIDG.mis.telxon.com by telxon.mis.telxon.com (SMI-8.6/3.1.090690-Telxon Corporation) Message-Id: <199604221445.OAA27313@telxon.mis.telxon.com> From: jwojn@telxon.mis.telxon.com (Wojno, Jim) Date: Mon, 22 Apr 1996 10:41 To: firewalls@greatcircle.com Subject: Firewall outsourcing Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just a quick question; what is the general consensus of outsourcing your company's firewall? We are currently looking into various options to upgrade our current security measures, one of which is to outsource the firewall to a third party. Specifically, the company in question is BBN. While I am aware of their reputation and history, I am not sure how I feel about someone from outside the company controlling our firewall. Has anyone had direct dealings with BBN in this capacity, and if so, what can you tell me about this? If you like, respond to me off-list at jwojn@telxon.com. My specific concerns are: 1.) 
Response time: this is not only in times of break-in or equipment failure, although I am interested in that. I also want to know how fast, and effectively they respond to required changes in configuration, implementing new technologies, installing patches, etc. 2.) How would you rate their service; good, bad or poor? Why? 3.) How helpful and knowledgeable is their technical support? When they had to work on the system, did they explain what they were doing and why, or did they just do it and leave? 4.) Were there any services that you couldn't use on their firewall, such as Real Audio? What measures have been taken to accommodate this? The firewall they offer is TIS Gauntlet, which I know has a good reputation. Also, some features such as 24 hour monitoring, 365 days a year are attractive, considering that even if I were paged in the evening, it would take at least 10 to 15 minutes for me to respond. I like the idea that there is someone keeping an eye on things, ready to respond at any minute. On the other hand, I am nervous about giving our security over to a stranger. Any info that anyone feels will be helpful is greatly appreciated. Thanks in advance...........................
Jim Wojno Systems Administrator Telxon Corporation jwojn@telxon.com From firewalls-owner Mon Jun 3 18:48:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09991 for firewalls-outgoing; Mon, 3 Jun 1996 10:33:08 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA09811 for ; Mon, 3 Jun 1996 10:31:48 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA00139 for firewalls-outgoing; Sat, 27 Apr 1996 06:11:55 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA00133 for ; Sat, 27 Apr 1996 06:11:49 -0700 (PDT) Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id JAA28049 for ; Sat, 27 Apr 1996 09:09:23 -0400 (EDT) From: "Marcus J. 
Ranum" Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id JAA17719 for Firewalls@GreatCircle.COM; Sat, 27 Apr 1996 09:09:21 -0400 (EDT) Message-Id: <199604271309.JAA17719@clark.net> Subject: pros and CONS: Intel/UNIX To: Firewalls@GreatCircle.COM Date: Sat, 27 Apr 1996 09:09:21 -0400 (EDT) In-Reply-To: <199604270358.UAA16309@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 26, 96 08:58:41 pm Reply-To: mjr@v-one.com Organization: V-One Corporation, Baltimore, MD Office Phone: 410-889-8569 X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk gcl@nikko.com (George Lee) writes: >Question: What are the PROS and CONS between using an intel box vs. > UNIX box ? (beside pricing and support)... Intel boxes are an architecture. UNIX is an operating system. Unix can run on a lot of architectures, including Intel boxes. Gauntlet runs UNIX on an Intel box. You can also buy it on SPARC boxes and a couple of other architectures. I forget the whole list. What I suspect you're asking is whether Intel boxes have as much horsepower as SPARCs or whatever for building firewalls. Which raises a lot of questions about cost effectiveness, the kind of load you are planning on pushing through it, etc. My experience is that an Intel box running BSDI frequently humiliates much more expensive Sun workstations at handling network loads. Unless you have some unique requirement an Intel box is my recommended platform. That's based on the fact that they can scale up to (easily) ether to ether speeds, and they are very much a commodity. Most Intel boxes are CPU-upgradeable and use very cheap components. If you are concerned about spares or spare parts, it's nice to know that you can buy an off-the-shelf motherboard, hard disk controller, or network card replacement at (practically) the grocery store down the street.
The case where I recommend using a high-end workstation instead of an Intel box is for sites that already have the hardware lying around, and who have good maintenance contracts they want to take advantage of. Also for sites that have a lot of spare cash they'd rather spend on boxes than on other things. mjr. From firewalls-owner Mon Jun 3 18:51:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA12061 for firewalls-outgoing; Mon, 3 Jun 1996 10:55:08 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11969 for ; Mon, 3 Jun 1996 10:54:16 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA14988 for firewalls-outgoing; Thu, 25 Apr 1996 09:29:59 -0700 (PDT) Received: from dns2.noc.best.net (dns2.noc.best.net [206.86.0.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA14982 for ; Thu, 25 Apr 1996 09:29:54 -0700 (PDT) Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by dns2.noc.best.net (8.6.12/8.6.5) with ESMTP id JAA09894; Thu, 25 Apr 1996 09:27:40 -0700 Received: from yobie.csaa.com (yobie.vip.best.com [204.156.155.53]) by shellx (8.6.12/8.6.5) with SMTP id JAA29269; Thu, 25 Apr 1996 09:27:13 -0700 Message-ID: <317FA7C6.21B1@yobie.com> Date: Thu, 25 Apr 1996 09:26:46 -0700 From: Yobie Benjamin Organization: MetaGenesis, Inc. 
X-Mailer: Mozilla 2.01Gold (Win95; I) MIME-Version: 1.0 To: Chris CC: firewalls@GreatCircle.COM Subject: Re: location of public hosts References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Chris wrote: > > Please can someone give me some advice. > > I have a connection to the net through a Gauntlet firewall. I want to run a > web server (NT) and have received conflicting advice as to where it should be > located, internal or external to the firewall. > > In addition, what other risks need to be considered with using an NT server > either internal or external. This could be a long drawn out thread... Let me start... 1) No disk quota controls. Let's say you designate drive "D", which has 2.0 gigabytes of space as your internet drive... irrelevant whether it's inside or outside the firewall. It is possible to flood that disk's entire space with "flood mail" or "fake mail" because you cannot impose a quota on disk usage. 2) No port control...Try it, if you can. This is not available on NT 4.0 either unless they change things on the GA release. Next... Opppss... Don't get me wrong, I'm not implying that you should not use NT. That's a call for you to make. 
> > Thanks in advance for your help > > Chris -- http://www.yobie.com yobie@yobie.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 mQINAzBWg18AAAEQANnXKRohQlsdi+E2pVGH9/0ljIJFwg6TCQQ37Lcv8LfIR1RP FbwXDfMAWtRKQkYtHUa18png/qMlDJeaethHDaotRMuhUtDpvWxLH7HmWyJ6sz78 ZHN3/ddtLrzrb+fYgjXhBnkSckmxwNQ8o1k4E45UvWGL2BzldVeOKmmBHjI8hgxX lgPAw+Ozl2JESYvRjj3OT1jHFGlri/Hzvd/D7kbkhF6eMcCotX1h6ZcoTUka5qqh PzKr04zCzQrw0z/Qy5St1gA2gB40mwsxICnrLo7y0fXilFT0qtQI+bj2pV2rfPhe KQYXLHuL3Hrv8vUhciPtNrS3iPESTsIeADZ3r+0g6RJ1XDkZ1P9iaM4S6TRjugw1 CmBaj9rpkJ79MV235n3a0q6ZlWMzhPJ5yz+kt2UdBMeeWXT5eV+AB0tfgYUt9Mss G8/h+m8FypdxKlEs/9e3PtROmoIm2OXKUEFzY9Cl6Ew0nisCXyPYtuRRrC7w6EWR oj5WItiIdZvbN9GmTJ5seBA2TwAxKcDw7LEieaItCcUsG955jbagOaptBOPSUrv8 LJA40PIPgXpXP+SEJiL9wJQ5TGvkAsZkw+X9z26c9chImPy5A7qCZy3R/XZYu0Hc OCd2zQnjzw87LKfIhJ3LDHMZADBdLvVdFfCd4EihjldGdzGzoQJ1FGhpIpSRAAUT tCBZb2JpZSBCZW5qYW1pbiA8eW9iaWVAeW9iaWUuY29tPg== =9HBa -----END PGP SIGNATURE----- From firewalls-owner Mon Jun 3 18:52:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA13873 for firewalls-outgoing; Mon, 3 Jun 1996 11:09:30 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08643 for ; Mon, 3 Jun 1996 10:25:48 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16912 for firewalls-outgoing; Fri, 26 Apr 1996 05:10:12 -0700 (PDT) Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA16882 for ; Fri, 26 Apr 1996 05:09:50 -0700 (PDT) Received: from infosys.inf.COM by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; 
Received: by Inf.COM (4.1/SMI-4.1) Received: from unknown(204.4.59.106) by infosys.inf.COM via smap (V1.3) Received: from cc:Mail by smtp_gw.inf.com Date: Fri, 26 Apr 96 17:30:20 EST From: "MURALIKRISHNAK" Message-Id: <9603268305.AA830533461@smtp_gw.inf.com> To: Firewalls@GreatCircle.COM Subject: Monitoring CISCO 4K Router under RLW Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Is it possible for Cabletron Remote LANVIEW/Windows (RLW) software to monitor the Cisco 4000 Router whose software ver. is 9.14(7)? In fact, I have configured the Cisco 4K under RLW as shown below along with the error messages I am getting : 1. Selected the Generic component - Router Message : CoomWindProc Communication with this device has not been established yet 2. Contacted thru the MIB Stats Confign, which gives an error Error : OVWIN No Alarm notification available (OV1409) 3. Status under Unacknowledged alarms is shown as CRITICAL Can anyone tell me what the problem is and how to overcome that? 
TIA - Murali Krishna (INFOSYS TECHNOLOGIES LTD, BANGALORE, INDIA) From firewalls-owner Mon Jun 3 18:56:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA13273 for firewalls-outgoing; Mon, 3 Jun 1996 11:05:00 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08703 for ; Mon, 3 Jun 1996 10:25:55 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29539 for firewalls-outgoing; Tue, 23 Apr 1996 07:08:07 -0700 (PDT) Received: from hades.wvs.com ([204.247.81.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA29533 for ; Tue, 23 Apr 1996 07:08:01 -0700 (PDT) Received: from sol.wvs.com (sol.wvs.com [204.247.80.10]) by hades.wvs.com (8.7.4/8.7.3) with ESMTP id HAA11352 for ; Tue, 23 Apr 1996 07:05:08 -0700 (PDT) Received: from zorch.sf-bay.org (Uzorch@localhost) by sol.wvs.com (8.7.4/8.7.3) with UUCP id HAA29308 for firewalls@greatcircle.com; Tue, 23 Apr 1996 07:05:07 -0700 (PDT) X-Authentication-Warning: sol.wvs.com: Uzorch set sender to zorch.sf-bay.org!news using -f Received: (from news@localhost) by zorch.sf-bay.org (8.6.11/8.6.9) id HAA23592 for firewalls@greatcircle.com; Tue, 23 Apr 1996 07:01:07 -0700 Newsgroups: zorch.lists.firewalls Path: zorch.sf-bay.org!scott From: scott@zorch.sf-bay.org (Scott Hazen Mueller) Subject: Re: Filtering by Source Port Distribution: zorch Reply-To: scott@zorch.sf-bay.org Organization: At Home; Salida, CA Message-ID: References: <199604221540.IAA21891@dfw-ix7.ix.netcom.com> X-Nntp-Posting-Host: localhost.sf-bay.org Date: Tue, 23 Apr 1996 14:01:04 GMT 
Apparently-To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>ps. When I talked to Cisco Tech Support they couldn't understand why anyone >>would even want to filter by source port. >I don't understand why you would want to filter by source port either. Given x.y.z.0 as your internal network: access-list 101 permit tcp any eq ftp-data x.y.z.0 gt 1023 It's sure not perfect, but if you don't have an active gateway, it's a tiny bit better than just allowing random TCP connections to internal high ports. -- Scott Hazen Mueller | scott@zorch.SF-Bay.ORG or tandem!zorch!scott From firewalls-owner Mon Jun 3 19:00:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA14496 for firewalls-outgoing; Mon, 3 Jun 1996 11:14:11 -0700 (PDT) Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA14117 for ; Mon, 3 Jun 1996 11:11:34 -0700 (PDT) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA27869 for firewalls-outgoing; Fri, 26 Apr 1996 16:22:46 -0700 (PDT) Received: from mail.RC.Toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA27791 for ; Fri, 26 Apr 1996 16:22:32 -0700 (PDT) Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail Message-ID: <01BB338A.E5C95120@rwcooper.rc.toronto.on.ca> From: Russ To: Rolf Weber , "'Rick Smith'" Cc: firewalls Subject: RE: location of public hosts Date: Fri, 26 Apr 1996 16:10:32 -0700 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Typical commercial hosts just don't cut it. You need mandatory access control like on "multilevel secure" systems or like type enforcement on Sidewinder. 
Then it can even be part of the site's firewall." I'm sorry Rick, but are you saying that the only Web Servers that can be run have to allow the use of type enforcement or similar security? Come on guys, this attitude which says that if it can't withstand the most serious types of attacks it ain't good enough is just not going to cut it in a world where most companies have a web site. Sure, I agree, it is the best security, but is there no room to evaluate the value of the information being protected against the cost of the security implementation? After all, it is said over and over again that the biggest security risk is not from the Internet but from the local network. By putting a web server outside of the local LAN, protected from it by a firewall, you have taken care of your biggest risk by securing it from your local network. This has nothing to do with NT or any other OS, but if people come to the Firewalls list to get a feel for what their personal security needs might be, and are sifting through all the information they can get from here, these kinds of answers are going to make many people believe that the cost of making a presence on the WWW is simply way too high and complex for them to try. Nobody asked the person what they wanted to do with the web server, what kind of web server software they were planning to use, and whether or not there was a need for the web server to participate in an Intranet. I understand that there is a Gatekeeper motto that says "nothing in, nothing out", but there is a tidal wave of commerce that says "if I ain't out there, I won't get the new shareholders in", or something like that. For example, with BorderWare I could put the NT Web server on a secure side network, a third adapter in the Firewall. This has its own access lists and HTTP would be proxied from the outside onto the side network directly to the NT Web server.
Only requests from the external adapter address on the specified port would be allowed to connect to the web server. If the web server needed to connect to a SQL server, for example, a proxy would be established between the secure side network and the internal network. Only access from the IP address (translated address) would be allowed through the proxy on the specified port into the internal network. Now the only question in my mind is the security of the web server software, not the NT box. Considering the HTTP request would be on one port, and the SQL access would be on a different port, and only HTTP is allowed in/out between the side network and external network, and only SQL in/out between the side network and the internal network, sounds pretty secure to me. Now I could be completely wrong here, but I think it would take a pretty sophisticated hack to get into the internal network. Getting access to the SQL data in some way not intended is up to the HTTP server. How about some simpler solutions with provisos rather than just tons of warnings and expensive or complex solutions...there's ideal, and then there's the rest of us...
Cheers, Russ From firewalls-owner Mon Jun 3 19:52:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05137 for firewalls-outgoing; Mon, 3 Jun 1996 09:51:48 -0700 (PDT) Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA04873 for ; Mon, 3 Jun 1996 09:50:52 -0700 (PDT) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00146 for firewalls-outgoing; Fri, 12 Apr 1996 09:10:51 -0700 (PDT) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA01557 for ; Fri, 12 Apr 1996 04:53:11 -0700 (PDT) From: gblolmxb@ibmmail.com Message-Id: <199604121153.EAA01557@miles.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 1281; Date: Fri, 12 Apr 1996 07:50:59 EDT To: ac141@typhoon.dial.pipex.net, firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re Finding domain name from IP address Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ben said: >We have a combination of registered and unregistered IP addresses on >our network (no Internet connection yet). >Is there a way I can find out who the unregistered ones are really >registered to? Try telnetting to rs.internic.net and run whois. or for European registrations, try info.ripe.net, or even ns.ripe.net. Mark. 
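Added example (editor's code, not from any message in this thread): a toy border device that puts one-to-one NAT in front of a Cisco-style extended access-list entry, to make two points above concrete at once. Darren Reed's point is that NAT "in the pure sense of the acronym" only rewrites addresses, so the translator here decides nothing; the products he names (PIX, Gauntlet, FW-1) are not being modelled, and a stateful firewall that also translates tracks the remote peer and behaves differently. Scott Hazen Mueller's rule is written out with the wildcard mask IOS requires (`192.0.2.0 0.0.0.255` stands in for his `x.y.z.0`, with TEST-NET-1 as the constructed public side), and the list ends with the implicit deny IOS applies. Only the ACL syntax actually used is parsed (`any` / `host A` / `A WILDCARD` addresses, `eq`/`gt`/`lt` port operators, and `established`, modelled here as "not a SYN"). What the run shows is the caveat behind his "it's sure not perfect": the source port is chosen by the sender, so anyone who can bind port 20 gets the same permit to every internal port above 1023 that a real FTP server's active-mode data connection gets.

```python
"""Toy border device: one-to-one NAT in front of a Cisco-style extended ACL.

Added example, not code from any message in this thread. Constructed addresses:
192.0.2.0/24 is the public face of the internal net (Scott's x.y.z.0), 10.0.0.0/24
the real inside addresses behind the NAT, 203.0.113.21 a legitimate FTP server,
198.51.100.9 an attacker. Only the ACL syntax used here is parsed.
"""
import ipaddress
from dataclasses import dataclass, replace

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # a fresh connection attempt unless stated otherwise


class StaticNAT:
    """Pure translation (Darren's 'pure sense of the acronym'): rewrites, decides nothing."""

    def __init__(self, public_to_inside):
        self.out2in = dict(public_to_inside)

    def inbound(self, pkt):
        # Anything for a mapped public address goes inside, including an
        # unsolicited SYN from a host nobody inside has ever talked to.
        return replace(pkt, dst=self.out2in[pkt.dst]) if pkt.dst in self.out2in else None


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(t, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are inverted netmasks: 0.0.0.255 means /24
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(t[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2


def _port_op(t, i):
    """Parse an optional eq/gt/lt PORT clause at t[i]; return (predicate, next index)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        op, v = t[i], _port(t[i + 1])
        return {"eq": lambda p: p == v, "gt": lambda p: p > v, "lt": lambda p: p < v}[op], i + 2
    return (lambda p: True), i


def parse_ace(line):
    """'access-list N permit|deny tcp SRC [op] DST [op] [established]' -> (action, matcher)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only tcp entries are modelled")
    src_net, i = _addr(t, 4)
    src_ok, i = _port_op(t, i)
    dst_net, i = _addr(t, i)
    dst_ok, i = _port_op(t, i)
    established = i < len(t) and t[i] == "established"  # IOS: ACK or RST set; here: not a SYN

    def match(pkt):
        return (ipaddress.ip_address(pkt.src) in src_net and src_ok(pkt.sport)
                and ipaddress.ip_address(pkt.dst) in dst_net and dst_ok(pkt.dport)
                and (not established or not pkt.syn))
    return t[2], match


def acl_verdict(acl, pkt):
    """First matching entry wins; IOS ends every list with an implicit deny."""
    for action, match in map(parse_ace, acl):
        if match(pkt):
            return action
    return "deny"


def border(pkt, acl, nat):
    """ACL is applied to the packet as it arrives on the wire; a permitted packet is
    then translated. Returns the packet the inside host receives, or None if dropped."""
    return nat.inbound(pkt) if acl_verdict(acl, pkt) == "permit" else None


SCOTT_ACL = ["access-list 101 permit tcp any eq ftp-data 192.0.2.0 0.0.0.255 gt 1023"]
NAT = StaticNAT({"192.0.2.10": "10.0.0.10"})


def demo():
    """Same inside host, four situations; each value is the packet that gets in, or None."""
    ftp_data = TcpPacket("203.0.113.21", 20, "192.0.2.10", 1026)   # real active-mode data channel
    forged20 = TcpPacket("198.51.100.9", 20, "192.0.2.10", 6000)   # attacker binds port 20, aims at X11
    ephemeral = TcpPacket("198.51.100.9", 31337, "192.0.2.10", 6000)
    return {
        "nat_only_forged_syn": NAT.inbound(forged20),          # NAT alone: forwarded
        "acl_ftp_data": border(ftp_data, SCOTT_ACL, NAT),      # the rule's intended case
        "acl_forged20": border(forged20, SCOTT_ACL, NAT),      # Scott's 'not perfect': still in
        "acl_ephemeral": border(ephemeral, SCOTT_ACL, NAT),    # what the rule does block
    }
```

Calling demo() gives three forwarded packets and one None: the translator alone passes the forged SYN to 10.0.0.10:6000, the ACL passes both the FTP server's data connection and the attacker's port-20 probe to the same host, and only the probe from an ordinary ephemeral port is dropped. The design point is that a stateless filter can only act on fields the sender controls; it buys something (the ephemeral-port scan fails), but the trust it places in port 20 is exactly what an attacker with root on any Unix box can supply.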
From firewalls-owner Tue Jun 4 05:50:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA19776 for firewalls-outgoing; Mon, 3 Jun 1996 11:39:47 -0700 (PDT) Received: from gladiator.transdyn.com (gladiator.transdyn.com [206.217.196.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA19702 for ; Mon, 3 Jun 1996 11:39:24 -0700 (PDT) Received: (from mail@localhost) by gladiator.transdyn.com (8.6.12/8.6.12) id LAA14631; Mon, 3 Jun 1996 11:35:46 -0700 Message-Id: <199606031833-38781@Transdyn.COM> Date: Mon, 03 Jun 1996 11:33:04 -0800 X-Mailer: Microsoft Mail with Intergate/SMTP (v9603.07) X-Sender: JRankin@Transdyn.COM From: JRankin@transdyn.com (Jeff Rankin) To: fwtk-users@tis.com, rhicks@MO.NET Cc: firewalls@greatcircle.com Subject: RE: Sendmail with firewall relay - Updat Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We implemented a couple-line hack to smap.c to change user@internal.domain.com to user@domain.com. I'm pretty sure it can be done with sendmail also but this was easier for us. Jeff Rankin Transdyn Controls ---------- From: Rick Hicks To: fwtk-users Cc: firewalls Subject: Sendmail with firewall relay - Update Date: Thursday, April 25, 1996 11:20PM [To unsubscribe from this list send the message "unsubscribe fwtk-users" in the BODY of a mail message to majordomo@tis.com.] First, thanks to all who have responded so far. I now have internal mail delivery working. I found the solution tucked away in one of the sendmail book's appendixes, and a few people mailed me the same advice shortly after (Thanks!). The solution was not to use the Fw macro as most replied - I needed mail delivered to other hosts once it hit the hub, I believe Fw only works if I wanted to keep the mail on the hub. The only problem left is to get the firewall to rewrite internal senders as user@my.domain instead of user@host.my.domain.
I don't know that this can be done since the firewall just relays mail to the provider's mail host or my internal hub and never gets to any rules other than rule set 0, which, as far as I know, only investigates recipient addresses. With this being the case, is there any way to hack around it? TIA, Rick __________________________________ Rick Hicks System Specialist Hussmann Corporation From firewalls-owner Tue Jun 4 06:05:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA02805 for firewalls-outgoing; Tue, 4 Jun 1996 03:00:57 -0700 (PDT) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA01605 for ; Tue, 4 Jun 1996 02:57:16 -0700 (PDT) Received: from mail.rc.toronto.on.ca by relay2.UU.NET with ESMTP Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail Message-ID: <01BB519B.75874280@rwcooper.rc.toronto.on.ca> From: Russ To: "Firewalls@GreatCircle.COM" Subject: RE: NT firewalls & NOS admins Date: Mon, 3 Jun 1996 22:24:40 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It never ceases to amaze me how some Unichs seem to think that only UNIX experience is viable when it comes to working with an Internet connection. Some may be surprised to find out that TCP/IP has been included in NT since it was first released, and it's been around for quite some time in DOS or Windows. One doesn't need a UNIX degree to know how IP works, or how the Internet works, for that matter. I know quite a few UNIX SQL administrators who wouldn't know how to configure their inetd if it bit them in the ass. Some thoughts: - Lots of companies want to get an Internet connection. - More security breaches occur internally than happen via an Internet connection. - Lots of companies are none too concerned about their security issues (some less concerned than they should be, others not).
- Most companies do not have a security policy of any kind. - Not everyone will be hacked to death on the Internet! - Not every company will handle their own connection. - Consultants can do much of what a company might be able to do itself. - One can learn TCP/IP without learning anything about UNIX (even though some or all of the tools they use might be UNIX tools) There are lots of places where a dedicated Firewall Administrator *must* exist, and lots of places where dedicated security administration staff *have to* be on staff. Then there are the *majority* of companies who neither need, nor can afford, to have either, yet still want to be part of the 'net. The Internet, and vendors that make tools that utilize it, are just going to have to accept that fact and provide for it accordingly; that's just a reality we're all going to have to accept. Stupid ISPs, auto-responders on mail IDs, spamming, live CuSeeMe Poison concerts, casual hackers, and of course, Bad Guys (tm). "UNIX is useful because that's where the picture came from! If you have a decent UNIX geek on staff, then you likely have someone who understands how things work on the Internet (i.e. how the services are provided, how mail flows, etc). If you have some guy with a Microsoft Certification for NT, then you probably don't." Surely you jest...like IP is rocket science or something...sheesh. I've never administered a UNIX system in my life, does it show that much?
Cheers, Russ From firewalls-owner Tue Jun 4 06:21:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA05288 for firewalls-outgoing; Tue, 4 Jun 1996 03:09:56 -0700 (PDT) Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA05221 for ; Tue, 4 Jun 1996 03:09:28 -0700 (PDT) Received: from plum.cyber.com.au by relay2.UU.NET with SMTP Received: (from mikec@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id LAA07588; Tue, 4 Jun 1996 11:14:56 +1000 From: Michael Ciavarella Message-Id: <199606040114.LAA07588@plum.cyber.com.au> Subject: Re: What do you want to know about Windows NT? To: Russ.Cooper@RC.Toronto.on.ca (Russ) Date: Tue, 4 Jun 1996 11:14:55 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <01BB4DB7.9D7EAFE0@ts1-13.vcr.iSTAR.ca> from "Russ" at May 29, 96 11:03:31 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Russ, (background: I'm one of those weird people who believes that picking the right tool for the job is more important than "running unix" or "running NT". I'm much more familiar with security in UNIX environments, but even with less experience in NT environments, it's become obvious that security admins in general lack detailed knowledge about NT. Part of this is that the relevant information isn't easily available in the one place. On this point, I think Russ's idea is a Good Thing. On the other side, I've experienced M$ support (spell 'oxymoron'), misleading technotes, etc. For an application which is as business-critical as a firewall tends to be, these are part of _my_ considerations when searching for "the right tools", and hence U*X-type solutions tend to win out. On with the show...
) > However, if we assume that I was able to get Microsoft to put together a CD > that contained White Paper and technical information regarding Windows NT, > what would you like to know about Windows NT to help you evaluate its > impact on the security within your environment? > > A few assumptions; > > - it will not contain source code for any products which source code is not > already publicly available Does this include Microsoft modifications to publicly available source code, in particular, encryption algorithms? What about code fragments, e.g. for key exchange? > - it will contain all available API specifications > - it will contain RFC implementations and any MS-specific extensions to > them > - it will contain information from 3rd party ISV's who offer security > solutions It would be worthwhile breaking this down further... some NT products which shall remain nameless O:-) just uze NT as a boot loader before taking over the machine and having their wicked way. They don't use SAM or take advantage of any of the other NT features which a "real" NT package would do. Some areas which might be worthwhile: * Single signon systems * Remote access control * Security management tools > Some ideas; > - The CD could come with a 60-day Windows NT Server/BackOffice evaluation, > would that be useful? > - There is a C2 configuration guide (manual), maybe it should be included Might also be an idea to include technical information on the NT architecture features which support C2 requirements, and which allow performance to be maintained when running C2 (sic). > - There is a Network Monitoring tool (Netmon), maybe it should be included > - There are a variety of tools that are part of the Resource kits to add > unix-like functionality to NT, maybe they should be included > - More information could be given if the CD was available under NDA, would > you prefer that?
*sigh* the people who know enough about NT to break it will already have this information - if Beelzegates wants people to consider NT as a basis for their security then maybe he should consider that as security admins, we DON'T like being left behind by a vendor's need to hide the information we need to do our job. Unless of course he's throwing in the source code for NT :-ppp > - The NT Knowledgebase includes articles about many issues relating to > security problems, misconfigurations, and bugs, should that be included? > - There are numerous SDKs for the various NT BackOffice products, would > these be useful? For an evaluation? Probably not. The APIs and documentation however would be important to assessing the extent to which local customisations etc. can be made. > What kind of information, what format should it be in, and what level > should it be positioned for? Suggestion: Put it on two CDs - eval software on one CD and doco/papers/api references etc on the second CD. If the doco isn't accessible then this whole exercise would be wasted - something a little more than Knowledgebase (i.e. more indexing) would be a good start. > Treat me like the university student asking for information about a thesis. Russ, you should read the FAQ (http://www.whitehouse.gov), and get copies of Cheswick and Bellovin's "Firewalls and Internet Security", and "Building Internet Firewalls" by Chapman and Zwicky. They will be very helpful in writing your thesis.
:-)))) cheers mike From firewalls-owner Tue Jun 4 06:37:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26160 for firewalls-outgoing; Mon, 3 Jun 1996 12:16:10 -0700 (PDT) Received: from greatcircle.com ([206.172.56.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA25881 for ; Mon, 3 Jun 1996 12:15:12 -0700 (PDT) Date: Mon, 3 Jun 1996 12:15:12 -0700 (PDT) From: bobm@network.com Message-Id: <199606031915.MAA25881@miles.greatcircle.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Test From firewalls-owner Tue Jun 4 06:45:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24116 for firewalls-outgoing; Mon, 3 Jun 1996 12:06:39 -0700 (PDT) Received: from brahma.iitm.ernet.in (brahma.iitm.ernet.in [144.16.224.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA23049 for ; Mon, 3 Jun 1996 12:00:32 -0700 (PDT) Received: by brahma.iitm.ernet.in; (5.65/1.1.8.2/07Feb96-0917AM) Date: Tue, 4 Jun 1996 00:14:38 +0530 (IST) From: Natchu Vishnu Priya To: gblolmxb@ibmmail.com Cc: ac141@typhoon.dial.pipex.net, firewalls@greatcircle.com Subject: Re: Re Finding domain name from IP address In-Reply-To: <199604121153.EAA01557@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 12 Apr 1996 gblolmxb@ibmmail.com wrote: > Ben said: > > >We have a combination of registered and unregistered IP addresses on > >our network (no Internet connection yet). > > >Is there a way I can find out who the unregistered ones are really > >registered to? > > Try telnetting to rs.internic.net and run whois. or for European > registrations, try info.ripe.net, or even ns.ripe.net. Just use nslookup or dig and look for the nameservers of the inverted IP domains, e.g. if the IP addresses are 10.11.12.xx, look for the nameservers of 12.11.10.in-addr.arpa.
-vishnu _______________________________________________________ Vishnu Priya Natchu System Administrator 225, Saraswathi, Network Systems Lab, IIT Madras 600 036 Computer Science & Engg. INDIA IIT Madras 0091-044-235-1889 0091-044-235-1921 _______________________________________________________ Email: mailto:vishnu@brahma.iitm.ernet.in WWW page: http://brahma.iitm.ernet.in/~vishnu _______________________________________________________ From firewalls-owner Tue Jun 4 06:50:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA19490 for firewalls-outgoing; Tue, 4 Jun 1996 04:24:31 -0700 (PDT) Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA17224 for ; Tue, 4 Jun 1996 02:14:35 -0700 (PDT) Received: from mail.marben.com by relay6.UU.NET with SMTP Received: (from girsch@localhost) From: girsch@marben.com (Arnaud Girsch) Message-Id: <199606040133.SAA07814@mail.marben.com> Subject: Re: suspicious packets in firewall logs?? To: equaad@indigo.mit.edu Date: Mon, 3 Jun 1996 18:33:06 -0700 (PDT) Cc: firewalls@greatcircle.com In-Reply-To: <199604232019.NAA10398@miles.greatcircle.com> from "equaad@indigo.mit.edu" at Apr 23, 96 04:14:14 pm X-Organization: Marben Products, Inc. X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port > domain-udp len 378 rule 9 > > proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port > domain-udp len 353 rule 9 > > proto udp src 555.555.555.555 dst 444.444.444.444 service 1066 s_port > domain-udp len 371 rule 9 > > proto udp src 555.555.555.555 dst 444.444.444.444 service 1067 s_port > domain-udp len 353 rule 9 > > firewall-1 as a firewall. 
Notice how the service (which is just the > destination port number I believe) increments by one each time. What > kind of application would generate traffic like this?? Or is someone > sending packets to a bunch of different ports on the system to see > whether any of those might be running an unusual service that they can > then use to break in? Any ideas would be helpful. Right now the > firewall is set up to drop such packets. Could be answers to DNS queries ... if 555.555.555.555 can send DNS queries to 444.444.444.444 (according to your outgoing filter) Arnaud. -- Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA From firewalls-owner Tue Jun 4 07:10:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA07373 for firewalls-outgoing; Mon, 3 Jun 1996 13:11:10 -0700 (PDT) Received: from lifeguard.com ([38.249.226.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA07172 for ; Mon, 3 Jun 1996 13:10:24 -0700 (PDT) Received: from is-am ([199.181.86.146]) by firewall.lifeguard.com with SMTP id <36865>; Mon, 3 Jun 1996 13:13:47 -0700 Comments: Authenticated sender is From: "Alan Millar" To: firewalls@greatcircle.com Date: Mon, 3 Jun 1996 06:09:02 -0700 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Strange mail Sender: problem with Borderware? X-mailer: Pegasus Mail for Windows (v2.33) Message-Id: <96Jun3.131347pdt.36865@firewall.lifeguard.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've just inherited a Borderware Firewall Server and I'm having a strange mail problem with it. The Sender: header and envelope sender are being rewritten on both incoming and outgoing mail, to the ID of one particular POP mailbox. When we deleted that mailbox, it changed to the next one in line. The From: header is untouched, so most person-to-person mail is OK. 
But for anything that looks at the envelope sender (Microsoft Mail SMTP gateway, Listproc, Listserv) it's really a problem. Borderware tech support had me install a 7 megabyte patch file to bring me up to the latest release, which went smoothly but didn't help :-( Other than that they don't seem to know what to do with it. This thing is basically a black box that doesn't let you in to see what's going on. I know it's BSDI in there somewhere from the boot messages, but it's locked down tight through the user interface. I was undecided if that's good or bad, but my opinion is starting to lean.... Has anyone else had this problem on a Borderware Firewall Server, or can offer any suggestions? I'd appreciate any and all tips. Thanks! - Alan -- Alan Millar AMillar@LifeGuard.com Internetworking Manager LifeGuard HMO From firewalls-owner Tue Jun 4 07:13:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA19810 for firewalls-outgoing; Tue, 4 Jun 1996 04:30:02 -0700 (PDT) Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA14599 for ; Tue, 4 Jun 1996 00:39:46 -0700 (PDT) Received: from cheops.anu.edu.au by relay3.UU.NET with ESMTP Message-Id: Received: by cheops.anu.edu.au From: Darren Reed Subject: Re: Cross Realm Kerberos/DCE Proxy, NAT, UDP To: asafier@explorer.csc.com (Adam Safier) Date: Tue, 4 Jun 1996 10:33:51 +1000 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: from "Adam Safier" at Apr 8, 96 04:34:00 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Adam Safier, sie said: [...] > The NAT could be a real problem. Kerberos apparently packs the nodes > network address as part of the authentication packet so if your IP address > is hidden by the firewall I expect the authentication at the client/server > to fail when source and encrypted address are compared. (are they?). 
First, you can't change the encrypted addresses. Second, having done this recently, you don't send any encrypted data to the server unless you have the IP addresses in your preauthentication data. If I send a Kerberos TGT request, rewrite the packet IP#'s and then look inside the Kerberos packet and do the same, so long as the data matches your DNS/hosts database, things are fine. However, the TGT reply will quite likely have IP#'s encrypted. This is a problem for the client. If memory serves me correctly, Kerberos4 doesn't use IP#'s in tickets yet, and in Kerberos5-Beta5 (RFC1510), IP#'s are documented as being optional. If you're buying a commercial Kerberos solution, check with them before assuming what is in the RFC to be correct and how they've implemented it. The IP#'s for the source and destination of the packet don't need to match those inside the Kerberos packet: this is easily tested by setting up a host with a UDP relay on port 88 to the real KDC and pretending the relay host is the KDC when doing the kinit. 
darren From firewalls-owner Tue Jun 4 07:16:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA06003 for firewalls-outgoing; Mon, 3 Jun 1996 13:03:12 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA00575 for ; Mon, 3 Jun 1996 12:34:01 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from unknown(194.218.38.3) by mycroft via smap (V1.3mjr) Received: by iez.com (AIX 3.2/UCB 5.64/4.03) Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3) Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03) Message-Id: <9606031714.AA18507@spibm02> Received: from inhps-a by iez.com with SMTP Received: by inhps-a From: Rolf Weber Subject: Re: RE: Raptor's Eagle Firewall To: ianj-b@dial.pipex.com (Ian Johnstone-Bryden) Date: Mon, 3 Jun 1996 19:14:37 +0200 (MESZ) Cc: firewalls@greatcircle.com (firewalls) In-Reply-To: from "Ian Johnstone-Bryden" at Jun 3, 96 04:16:24 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > gary flynn wrote in part: > > > The whole idea > > behind > > firewalls is to have tightly controlled code. It is the instability > > and > > poor security design of present operating systems that necessitate > > firewalls > > in the first place. > > > > ?????????????????????????Really!! > > The firewall exists most commonly as a placebo to allow people who > poorly specify, procure, implement, maintain, manage untrusted > information systems, to feel comfortable and secure from the fear of > attack via public networks. > > Like marriage it is a triumph of hope over experience, which doesn't > mean it can't work for some people.
> > That doesn't of course mean that a firewall cannot reduce risks, just > that it's a costly way of doing so in many cases and no substitute for > implementing and running reliable information systems. > You're right that you can't neglect internal security even when you have a firewall. But all threats I know about require, in one way or another, help from inside. I don't believe that users on "trusted systems" are better educated than others, so this threat is still true with trusted systems. Of course, the attacker will at first only have the permissions of this user, and it may be harder for the attacker to gain higher privileges, but even having these reduced permissions is almost (I think) bad enough. > > Even if all internal networks were well specified, procured, > implemented and operated, there would still be a need for a guard at > the gateways to public systems (at least for most people) because > there would still be the potential risk of attack from outside. > Yes, I agree. > > OTOH some internal networks could be traditional poor design and > require no firewall because there was nothing worth attacking or > protecting. > I really doubt this. There is, at least, the risk of losing reputation. Another point is that you can't say "this internal host isn't worth protecting". If *one* internal host did fall, the attacker has: - access to the internal net with the possibility to use sniffers. - a very fast connection to the other hosts. - direct access to the internal DNS server. - the hope that there is a misconfiguration and another internal host trusts it. A nightmare, I think. > > BTST a firewall built on an untrusted OS has itself got a number of > exploitable vulnerabilities. As many firewalls are built in the same > careless fashion as the internal networks they are supposed to > protect, it is no great surprise to find that they are largely > ineffective in most things other than consuming corporate funding. > I think this is stated too generally.
I'm sure there are a lot of poor firewalls, however not because of the firewall's software but because of some guys configuring it. (Those of you who are subscribed to fwall-users@tis.com know what I'm speaking about, I think.) rolf -- ----------------------------------------- Rolf Weber | All I ask is a chance IEZ AG D-64625 Bensheim | to prove that money ++49-6251-1309-109 | can't make me happy. From firewalls-owner Tue Jun 4 07:20:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA17069 for firewalls-outgoing; Tue, 4 Jun 1996 04:01:00 -0700 (PDT) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA05829 for ; Tue, 4 Jun 1996 00:13:36 -0700 (PDT) Received: from nsco.network.com by relay5.UU.NET with SMTP Received: from anubis.network.com by nsco.network.com (4.1/1.34) Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) Date: Mon, 3 Jun 96 21:56:37 CDT From: amolitor@anubis.network.com (Andrew Molitor) Message-Id: <9606040256.AA13204@anubis.network.com> To: firewalls@greatcircle.com Subject: Re: Filtering by Source Port Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Basically any router built can filter by source port. Even newer cisco software can filter by source port (11.x?). Cisco tech support has apparently been given a stock 'you must be crazy' answer to at least the source port thing, and apparently have not yet received the new gospel. Certainly the fine, wonderful and all-around special Network Systems products can, and have been able to do so for going on 10 years now. I am quite certain that 3Com and Bay equipment can as well, and I am almost certain cisco can as well. Andrew P.S. My praise of Network Systems equipment is, obviously, biased. I work there, and in fact do packet filtering stuff.
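What a rule of the form "permit tcp any eq ftp-data x.y.z.0 gt 1023" from this thread actually admits, and why the FireWall-1 log quoted earlier (source port domain-udp, destination ports 1064 to 1067 in sequence) looks the way it does, are the same source-port question seen from two sides. The following Python is an added example, not code from any poster: the internal prefix 10.1.1.0/24, the peer addresses and the log lines are constructed, and the "hardened" rule list that denies X11 and NFS before the source-port permits is the editor's suggestion, not something the thread proposes.

```python
"""Source-port filtering, modelled on the thread's
    access-list 101 permit tcp any eq ftp-data x.y.z.0 gt 1023
and its UDP/DNS analogue, plus a classifier for the FireWall-1 log run
(s_port domain-udp, service 1064, 1065, ...).  Added example; addresses
and log lines are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

INTERNAL = "10.1.1."          # stand-in for the thread's x.y.z.0/24 (constructed)


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp" or "udp"
    sport: Optional[int]      # exact source port to match, None = any
    dport_lo: int             # inclusive destination port range
    dport_hi: int
    name: str


# The thread's rule, and the equivalent that lets DNS answers back to a resolver.
NAIVE = [
    Rule("permit", "tcp", 20, 1024, 65535, "tcp any eq ftp-data -> internal gt 1023"),
    Rule("permit", "udp", 53, 1024, 65535, "udp any eq domain -> internal gt 1023"),
]
# Same permits, but services that live on high ports are denied first.  This is
# still stateless: whoever binds source port 20 reaches every other high port.
HARDENED = [
    Rule("deny", "tcp", None, 6000, 6063, "X11"),
    Rule("deny", "tcp", None, 2049, 2049, "NFS/tcp"),
    Rule("deny", "udp", None, 2049, 2049, "NFS/udp"),
] + NAIVE


def evaluate(rules, proto, sport, dst, dport):
    """First matching rule wins, implicit deny at the end (access-list
    semantics).  Returns (action, rule name) for an inbound packet."""
    if not dst.startswith(INTERNAL):
        return ("deny", "not internal")
    for r in rules:
        if (r.proto == proto and (r.sport is None or r.sport == sport)
                and r.dport_lo <= dport <= r.dport_hi):
            return (r.action, r.name)
    return ("deny", "implicit")


# --- the log side: is a run like this a port sweep or a resolver's replies? ---
PORT_NAMES = {"domain-udp": 53, "domain-tcp": 53, "ftp-data": 20}
FIELD = re.compile(r"(\w+) (\S+)")


def parse_fw1(line):
    """'proto udp src A dst B service N s_port NAME len L rule R' -> dict.
    In this log format 'service' is the destination port, 's_port' the source."""
    f = dict(FIELD.findall(line))
    sp = f["s_port"]
    return {"proto": f["proto"], "src": f["src"], "dst": f["dst"],
            "dport": int(f["service"]),
            "sport": PORT_NAMES[sp] if sp in PORT_NAMES else int(sp)}


def classify_run(entries):
    """A stub resolver that opens a fresh UDP socket per query gets ephemeral
    ports handed out in sequence, so answers to successive queries arrive from
    port 53 at consecutive high destination ports.  A sweep from one source
    keeps its own source port and is not confined to ephemeral destinations."""
    if not entries:
        return "empty"
    dports = sorted(e["dport"] for e in entries)
    one_pair = len({(e["src"], e["dst"], e["proto"]) for e in entries}) == 1
    consecutive = all(b - a == 1 for a, b in zip(dports, dports[1:]))
    from_dns = all(e["sport"] == 53 and e["proto"] == "udp" for e in entries)
    ephemeral = all(p >= 1024 for p in dports)
    if one_pair and from_dns and consecutive and ephemeral:
        return "dns-replies"      # next: does the egress rule let dst query src?
    if one_pair and len(dports) >= 3:
        return "possible-scan"
    return "unknown"


# Constructed FireWall-1 style lines shaped like the ones quoted in the thread.
FW1_LOG = """\
proto udp src 203.0.113.9 dst 10.1.1.5 service 1064 s_port domain-udp len 378 rule 9
proto udp src 203.0.113.9 dst 10.1.1.5 service 1065 s_port domain-udp len 353 rule 9
proto udp src 203.0.113.9 dst 10.1.1.5 service 1066 s_port domain-udp len 371 rule 9
proto udp src 203.0.113.9 dst 10.1.1.5 service 1067 s_port domain-udp len 353 rule 9
"""

if __name__ == "__main__":
    for label, rules in (("naive", NAIVE), ("hardened", HARDENED)):
        print(label, "ftp-data 20 -> 1030:", evaluate(rules, "tcp", 20, "10.1.1.5", 1030))
        print(label, "attacker 20 -> 6000:", evaluate(rules, "tcp", 20, "10.1.1.5", 6000))
        print(label, "attacker 20 -> 8080:", evaluate(rules, "tcp", 20, "10.1.1.5", 8080))
    print("log run:", classify_run([parse_fw1(l) for l in FW1_LOG.splitlines()]))
```

The residual hole (source port 20 to any high port that is not explicitly denied) is inherent to a stateless source-port rule, which is what "it's sure not perfect" in the thread concedes; closing it needs something that knows the internal host actually issued a PORT command, i.e. a proxy or a stateful filter. The classifier only says that a run is consistent with DNS answers; the confirming check is whether the egress policy allowed the internal host to query that source in the first place.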
From firewalls-owner Tue Jun 4 07:20:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA07764 for firewalls-outgoing; Tue, 4 Jun 1996 06:03:40 -0700 (PDT) Received: from cass.ma02.bull.com (cass.ma02.bull.com [128.35.32.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA07732 for ; Tue, 4 Jun 1996 06:03:21 -0700 (PDT) Received: from flight.ma02.bull.com by cass.ma02.bull.com with SMTP Received: from flight.ma02.bull.com by flight.ma02.bull.com (AIX 4.1/UCB 5.64/4.03) Message-Id: <31B43435.41C6@flight.ma02.bull.com> Date: Tue, 04 Jun 1996 09:03:49 -0400 From: "John B. Young" Organization: International Bull Telecommunications X-Mailer: Mozilla 2.01 (X11; I; AIX 1) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: Filtering by Source Port References: <199604221540.IAA21891@dfw-ix7.ix.netcom.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Note that this feature only exists in release 10.3 and above, none of which is considered general release yet... Scott Hazen Mueller wrote: > > >>ps. When I talked to Cisco Tech Support they couldn't understand why anyone > >>would even want to filter by source port. > > >I don't understand why you would want to filter by source port either. > > Given x.y.z.0 as your internal network: > > access-list 101 permit tcp any eq ftp-data x.y.z.0 gt 1023 > > It's sure not perfect, but if you don't have an active gateway, it's a tiny > bit better than just allowing random TCP connections to internal high ports. > > -- > Scott Hazen Mueller | scott@zorch.SF-Bay.ORG or tandem!zorch!scott -- *********************************************************************** * John B. 
Young (JY235) * * Network Engineer Phone: (508)294-6384 * * Bull HN Information Systems Fax: (508)294-4274 * * Technology Park MA02-203S Email: j.o.young@bull.com * * Billerica, MA 01821 * *********************************************************************** From firewalls-owner Tue Jun 4 07:50:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA15666 for firewalls-outgoing; Mon, 3 Jun 1996 13:51:21 -0700 (PDT) Received: from .cdnoxy.com ([206.172.56.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA15602 for ; Mon, 3 Jun 1996 13:51:02 -0700 (PDT) From: . Date: Mon, 3 Jun 96 13:55:13 PDT Subject: test To: firewalls@greatcircle.com X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 4.6, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------------------------------- E-mail: . Date: 6/3/96 Time: 1:55:13 PM This message was sent by Chameleon ------------------------------------- From firewalls-owner Tue Jun 4 08:05:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20417 for firewalls-outgoing; Mon, 3 Jun 1996 11:43:18 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16208 for ; Mon, 3 Jun 1996 11:23:38 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from ivac.ivac.com(206.216.182.1) by mycroft via smap (V1.3mjr) Received: from auspex (auspex.ivac.com [204.193.38.33]) by ivac2arpa.ivac.com (8.7.5/8.7.3) with SMTP id JAA04123 for ; Mon, 3 Jun 1996 09:25:16 -0700 (PDT) Received: from ivac35.ivac_eng by auspex (4.1/SMI-4.1) Date: Mon, 3 Jun 96 09:24:40 PDT From: dengland@ivac.com (Dave England) Message-Id: <9606031624.AA11827@auspex> To: firewalls@GreatCircle.COM Subject: Re: Psychic Friends as 
Sysadmins! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I wonder if this guy is running a program like Crack; he never said that he takes measures to protect his root passwords and ensure that they can't be broken by normal human efforts. From firewalls-owner Tue Jun 4 08:05:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA22472 for firewalls-outgoing; Mon, 3 Jun 1996 11:58:10 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16280 for ; Mon, 3 Jun 1996 11:23:47 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from access1.digex.net(205.197.245.192) by mycroft via smap (V1.3mjr) Received: from localhost (brads@localhost) by access1.digex.net (8.6.12/8.6.12) with SMTP id NAA12269 ; for ; Mon, 3 Jun 1996 13:19:40 -0400 Date: Mon, 3 Jun 1996 13:19:40 -0400 (EDT) From: Bradley Smith X-Sender: brads@access1.digex.net To: ygerman cc: Firewalls Subject: Re: Ability To Track Logs In-Reply-To: <9606031534.AA0078@grcstm-nx02.genre.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The swatch package is what you need; it's available at coast.cs.purdue.edu in /pub/tools/unix/swatch -brad On 3 Jun 1996, ygerman wrote: > I am in a bind on how to accomplish something on our firewall. > I would like to check the logs on the firewall continuously looking for certain > fields and based on the fields initiate an action. The action will be mail to a > different address depending on the field found. > > Currently I am setting this up via a C shell script and doing a grep for certain > things every hour. The problem is I would like not to have to wait an hour. Has > anyone had any experience with this? Is there a way to accomplish this more easily? > Please respond as soon as possible, thanks!
> From firewalls-owner Tue Jun 4 08:05:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA16801 for firewalls-outgoing; Mon, 3 Jun 1996 13:55:54 -0700 (PDT) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA16650 for ; Mon, 3 Jun 1996 13:55:21 -0700 (PDT) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.4/8.6.4) with ESMTP id PAA25057; Mon, 3 Jun 1996 15:52:46 -0500 (CDT) From: Doug Hughes Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id PAA24351; Mon, 3 Jun 1996 15:52:43 -0500 Date: Mon, 3 Jun 1996 15:52:43 -0500 Subject: Re: Ability To Track Logs To: ygerman@genre.com Cc: firewalls@greatcircle.com Message-Id: In-Reply-To: <9606031534.AA0078@grcstm-nx02.genre.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I am in a bind on how to accomplish something on our firewall. >I would like to check the logs on the firewall continuously looking for certain >fields and based on the fields initiate an action. The action will be mail to a >different address depending on the field found. > >Currently I am setting this up via a C shell script and doing a grep for certain >things every hour. The problem is I would like not to have to wait an hour. Has >anyone had any experience with this? Is there a way to accomplish this more easily? >Please respond as soon as possible, thanks! > > > Do an archie search for 'swatch'. It is a Perl program that can be configured to do what you want.
-- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu Pro is to Con as progress is to congress From firewalls-owner Tue Jun 4 08:20:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA25479 for firewalls-outgoing; Mon, 3 Jun 1996 14:39:36 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA18513 for ; Mon, 3 Jun 1996 14:03:19 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from disperse.demon.co.uk(158.152.1.77) by mycroft via smap (V1.3mjr) Received: from post.demon.co.uk ([158.152.1.72]) by relay-2.mail.demon.net Received: from youngman.demon.co.uk ([158.152.67.147]) by relay-3.mail.demon.net Message-ID: <31B3486F.67BD@youngman.demon.co.uk> Date: Mon, 03 Jun 1996 20:17:51 +0000 From: Jeremy Youngman X-Mailer: Mozilla 2.02 (Win16; I) MIME-Version: 1.0 To: firewalls@greatcircle.com, firewalls-digest@greatcircle.com CC: "Jeremy Youngman (home)" Subject: Compuserve Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, does anybody allow Compuserve access through their firewall (TCP port 4144)? Are there any security considerations, so long as I only allow SYNs outbound? Are there any good places to read up about this? I've got a user who wants this access. TIA, PS This is the 5th time I've sent this, so apologies if you keep getting copies -- but I've been subscribing to firewalls-digest for the last couple of weeks and never seen my note appear -- and because I've had no replies I'm still not absolutely sure whether it is getting delivered properly! -- Jeremy Youngman | ###### ## ## | ("`-/")_.-'"``-. jeremy@youngman.demon.co.uk | ## ##### | . .
`; -._ )-;-,_`)
Tel: +44 (0)1603 686258         | # ## ##        |  (v_,)' _ )`-.\ ``-'
PGP: Key avail on request       | #### #####     |  _.- _..-_/ / ((.'
----- All cats look grey in the dark -----         ((,.-' ((,/

From firewalls-owner Tue Jun 4 08:50:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA10413 for firewalls-outgoing; Tue, 4 Jun 1996 06:27:00 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA10244 for ; Tue, 4 Jun 1996 06:26:18 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id FAA02288; Tue, 4 Jun 1996 05:38:23 -0700
Date: Tue, 4 Jun 1996 06:21:42 -0700 (PDT)
From: Michael Dillon
To: Isaac Labaton
cc: firewalls@GreatCircle.COM
Subject: RE: Stopping Fakemail
In-Reply-To:
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Jun 1996, Isaac Labaton wrote:

> How can you send fake mail?

Using Eudora or Netscape, change your config to have a fake Reply-To:
address before sending the message. There are other ways too, but a bit
harder.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Tue Jun 4 09:16:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA20175 for firewalls-outgoing; Mon, 3 Jun 1996 14:10:04 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA20020 for ; Mon, 3 Jun 1996 14:09:31 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id NAA21796 for ; Mon, 3 Jun 1996 13:22:52 -0700
Date: Mon, 3 Jun 1996 14:06:09 -0700 (PDT)
From: Michael Dillon
To: firewalls@greatcircle.com
Subject: ISP mailing lists
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've gotten 5 requests so far for these ISP mailing lists so I thought I
would share this with the list...

> > And now a bunch of those ISP's are a bit more clued in since I just
> > forwarded your nice case-study to 5 ISP mailing lists.
>
> I'm curious to know which 5 ISP mailing lists are you talking about..

Send a message reading as follows:

    subscribe

To one of the following addresses:

    inet-access-request@earth.com
    linuxisp-request@lightning.com
    freebsd-isp-request@freebsd.org

Send the following

    subscribe IAP Your Name

to the address listserv@vma.cc.nd.edu

Send the following

    subscribe os2-isp Your Name

to the address listserv@dental.stat.com

inet-access is general stuff for medium to large providers, IAP is general
stuff for small to medium providers and the other three are OS specific.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Tue Jun 4 09:20:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA23160 for firewalls-outgoing; Mon, 3 Jun 1996 14:25:22 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA23080 for ; Mon, 3 Jun 1996 14:24:55 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Message-Id: <199606031732.KAA02546@mycroft.GreatCircle.COM>
Received: from habanero.jmu.edu(134.126.70.210) by mycroft via smap (V1.3mjr)
Received: by habanero.jmu.edu
Date: Mon, 3 Jun 1996 13:37:31 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Subject: Re: RE: Raptor's Eagle Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Ian Johnstone-Bryden
> Subject: Re: RE: Raptor's Eagle Firewall
>
> gary flynn wrote in part:
>
> > The whole idea behind firewalls is to have tightly controlled code.
> > It is the instability and poor security design of present operating
> > systems that necessitate firewalls in the first place.
> >
>
> ?????????????????????????Really!!

Is this a statement expressing sarcasm as the result of my stating the
obvious or is it something that represents your disagreement with my
statement? If the former, your arguments are exactly those that I would
make. If the latter, you've argued my case extremely well :-)

> The firewall exists most commonly as a placebo to allow people who
> poorly specify, procure, implement, maintain, manage untrusted
> information systems, to feel comfortable and secure from the fear of
> attack via public networks.

It's more than a placebo. Filtering ports 512-514 protects poorly
administered unix machines.
Completely blocking telnet other than through a proxy with "strong"
authentication protects buggy telnet implementations and also the lack of
design security in the underlying protocols, the applications, and the
underlying operating systems.

The average end user of a desktop system is generally unwilling or
incapable of properly managing a desktop in today's environment. Training
would be prohibitive and ongoing (hell, I can't keep up and end users do
have jobs besides maintaining their computers). If the computer
architecture itself were designed with security in mind, there would exist
some method of central administration that can't be circumvented at the
desktop. Today's architecture of random plug and play components matched
with whatever application one can download off the Internet all running
over a shared, wide open data communications path doesn't match this very
well. I'm not complaining...I love working in the environment... I just
don't like managing it...or worse, securing it :-)

> Like marriage it is a triumph of hope over experience, which doesn't
> mean it can't work for some people.
>
> That doesn't of course mean that a firewall cannot reduce risks, just
> that it's a costly way of doing so in many cases and no substitute for
> implementing and running reliable information systems.

The cost of PROPERLY administering hundreds or thousands of desktop
machines in such a way to ensure some semblance of security far outweighs
the cost of a firewall.

> Even if all internal networks were well specified, procured,
> implemented and operated, there would still be a need for a guard at
> the gateways to public systems (at least for most people) because
> there would still be the potential risk of attack from outside.

You've reversed yourself. If all the machines were "well specified,
procured, implemented, and operated" that only leaves poor design to
protect. That was my original statement.
> OTOH some internal networks could be traditional poor design and
> require no firewall because there was nothing worth attacking or
> protecting.
>
> BTST a firewall built on an untrusted OS has itself got a number of
> exploitable vulnerabilities. As many firewalls are built in the same
> careless fashion, as the internal networks they are supposed to
> protect, it is no great surprise to find that they are largely
> ineffective in most things other than consuming corporate funding.

This was the other point I was trying to make. A firewall application that
depends upon unknown underlying operating system structure has a large
window of vulnerability. It's unfortunate that people have the mindset that
everything that doesn't run on off-the-shelf operating systems, hardware,
etc. (and, of course, has a GUI, OLE support, etc) is necessarily bad. No
one yells at Cisco because their IOS doesn't run on 386 PCs under Windows.
Cheap, fast, or good...pick any two. Yes, it's complex to maintain and
administer. That's the state of the industry today.

> There really is no substitute for enterprise planning to ensure
> achievement by objective. That means identifying the objectives and
> risks and then building the policies necessary to sustain
> achievement.

But in the real world, policies aren't enough. There must be an enforcement
arm. A firewall is a form of policy enforcement. So if an organization's
risk analysis said that direct, unencrypted telnet access posed an
unacceptable risk, the firewall could enforce that policy. (Of course, one
would have to get someone in one's organization to make such a statement :-)

> In the short term this could mean that internal networks cannot be
> connected directly to the public networks until adequate
> reconstruction has taken place internally.
>
> While this is in progress, an air-gapped, or sneakernet, service may
> be provided. This could be described as a firewall but not in the
> sense that many would understand as a firewall.
> The inner and outer
> machines would be typical untrusted systems. The 'firewall' would be
> the person in the sneakers running between the two machines.
> Ian J-B.
>

gary

From firewalls-owner Tue Jun 4 11:40:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28350 for firewalls-outgoing; Tue, 4 Jun 1996 11:21:24 -0700 (PDT)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA23655 for ; Tue, 4 Jun 1996 10:55:55 -0700 (PDT)
Received: by gauntlet-1.trusted.com; id OAA17387; Tue, 4 Jun 1996 14:07:56 -0400
Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1.1)
Received: from freds.trusted.com by hilo.trusted.com with SMTP
Date: Tue, 4 Jun 96 13:54:31 -0400
Message-Id: <2.2.16.19960604135220.0d673ba4@pop.trusted.com>
X-Sender: avolio@pop.trusted.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: cmcurtin@fahlgren.com, Yossi Goltz
From: Frederick M Avolio
Subject: Re: WWW proxy to cut off Java.
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:24 PM 6/3/96 -0400, C Matthew Curtin wrote:
>Because JavaScript is typically embedded within your HTML, you really
>can't block it at the firewall.

It is difficult, but you can. We do in the Gauntlet Internet Firewall. SO,
don't give up on doing it.
Fred

From firewalls-owner Tue Jun 4 11:56:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA02914 for firewalls-outgoing; Tue, 4 Jun 1996 11:40:51 -0700 (PDT)
Received: from gatekeeper.strydr.com (gatekeeper.strydr.com [199.217.201.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA02834 for ; Tue, 4 Jun 1996 11:40:20 -0700 (PDT)
Received: (from Unknown UID 6@localhost) by gatekeeper.strydr.com (8.6.9/8.6.9) id NAA07072 for ; Tue, 4 Jun 1996 13:39:12 -0500
Received: from strydr.strydr.com(198.134.134.1) by gatekeeper.strydr.com via smap (V1.3)
Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id NAA27655 for firewalls@greatcircle.com; Tue, 4 Jun 1996 13:36:42 -0500
From: David Schnardthorst
Message-Id: <199606041836.NAA27655@strydr.strydr.com>
Subject: FWTK / BSD Checklist
To: firewalls@greatcircle.com
Date: Tue, 4 Jun 1996 13:36:42 -0500 (CDT)
Organization: Stryder Communications, Inc.
Address: 869 St. Francois, Florissant, Mo. 63031
Telephone: (314)838-6839
Fax: (314)838-8527
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A few weeks ago, I answered some replies for people who were installing the
Firewall Toolkit on FreeBSD. Due to the overwhelming responses from people
interested in receiving this checklist, I have put it at the following URL,
http://www.strydr.com/misc/checklists/fwtkchk.html.

Thank You,

============================================================================
David Schnardthorst, Systems/Network Eng.  * Phone: (314)838-6839
Stryder Communications, Inc.               * Fax: (314)838-8527
869 St. Francois                           * E-Mail: ds3721@strydr.com
Florissant, MO 63031                       * URL: http://www.strydr.com
============================================================================

From firewalls-owner Tue Jun 4 12:05:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14010 for firewalls-outgoing; Tue, 4 Jun 1996 10:09:38 -0700 (PDT)
Received: from iez.com (mail.iez.com [194.218.38.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA13984 for ; Tue, 4 Jun 1996 10:09:24 -0700 (PDT)
Received: by iez.com (AIX 3.2/UCB 5.64/4.03)
Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3)
Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03)
Message-Id: <9606041708.AA12343@spibm02>
Received: from inhps-a by iez.com with SMTP
Received: by inhps-a
From: Rolf Weber
Subject: Re: WWW proxy to cut off Java.
To: cmcurtin@fahlgren.com
Date: Tue, 4 Jun 1996 19:08:05 +0200 (MESZ)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: <199606032124.RAA24377@goffer.ee.net> from "C Matthew Curtin" at Jun 3, 96 05:24:47 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Because JavaScript is typically embedded within your HTML, you really
> can't block it at the firewall.
>

Sorry, why not? The proxy has all the data. (Sure, you have to stay up to
date with new JavaScript commands.) I think there is a patch in the
fwall-users@tis.com archive for the TIS http-gw.

Rolf
--
-----------------------------------------
Rolf Weber                  | All I ask is a chance
IEZ AG D-64625 Bensheim     | to prove that money
++49-6251-1309-109          | can't make me happy.
From firewalls-owner Tue Jun 4 12:12:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15398 for firewalls-outgoing; Tue, 4 Jun 1996 10:20:11 -0700 (PDT)
Received: from mail.ee.net (mail.ee.net [206.31.38.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA15356 for ; Tue, 4 Jun 1996 10:19:54 -0700 (PDT)
Received: from goffer.ee.net (digital31.ee.net [206.230.35.31]) by mail.ee.net (8.7.4/8.7.3) with SMTP id NAA10051; Tue, 4 Jun 1996 13:16:28 -0400 (EDT)
Received: by goffer.ee.net (SMI-8.6/SMI-SVR4)
Date: Tue, 4 Jun 1996 13:14:22 -0400
Message-Id: <199606041714.NAA00677@goffer.ee.net>
From: C Matthew Curtin
To: Rolf Weber
Cc: firewalls@greatcircle.com (firewalls)
Subject: Re: WWW proxy to cut off Java.
In-Reply-To: <9606041708.AA12343@spibm02>
References: <199606032124.RAA24377@goffer.ee.net>
Reply-To: cmcurtin@fahlgren.com
X-Attribution: Matt
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Rolf" == Rolf Weber writes:

Rolf> sorry, why not? the proxy has all the data. (sure, you have to
Rolf> stay up to date with new javascript commands.) i think there is
Rolf> a patch in the fwall-users@tis.com archive for the TIS http-gw.

Perhaps I phrased my statement poorly. It probably isn't practical, since
you would need to filter all incoming HTML to remove the JavaScript.

--
C Matthew Curtin                Chief Hacker                Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159      Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/         cmcurtin@fahlgren.com    PGP Mail Preferred

From firewalls-owner Tue Jun 4 12:42:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05868 for firewalls-outgoing; Tue, 4 Jun 1996 12:11:01 -0700 (PDT)
Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA05849 for ; Tue, 4 Jun 1996 12:10:49 -0700 (PDT)
Received: by london.micrognosis.com (4.1/NAR-Gateway)
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr)
Received: from moria by zeus.london.micrognosis.com (4.1/SMI-4.1)
From: nreadwin@london.micrognosis.com (Neil Readwin)
Received: by moria
Message-Id: <9606041906.AA01093@moria>
Subject: Re: WWW proxy to cut off Java.
To: cmcurtin@fahlgren.com
Date: Tue, 4 Jun 1996 20:06:49 +0100 (BST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199606032124.RAA24377@goffer.ee.net> from "C Matthew Curtin" at Jun 3, 96 05:24:47 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Because JavaScript is typically embedded within your HTML, you really
> can't block it at the firewall.

But you can try - Carl Claunch wrote a patch to the TIS http-gw that will
filter java and javascript out of HTML as it goes by. Details are at
http://www.hdshq.com/fixes/fwtk/welcome.html

Pointers to various other fwtk patches are at
http://www.micrognosis.com/%7enreadwin/fwtk.html

fwtk related followups to the fwtk-users list please. Neil.
--
"For some reason all the very worst install scripts are written in csh."
Geoff. Lane.
(in bofh.jobfh.misc)

From firewalls-owner Tue Jun 4 12:53:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA26582 for firewalls-outgoing; Mon, 3 Jun 1996 14:45:38 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA23999 for ; Mon, 3 Jun 1996 14:30:55 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from mail.ee.net(206.31.38.3) by mycroft via smap (V1.3mjr)
Received: from goffer.ee.net (digital57.ee.net [206.230.35.57]) by mail.ee.net (8.7.4/8.7.3) with SMTP id RAA02269; Mon, 3 Jun 1996 17:26:55 -0400 (EDT)
Received: by goffer.ee.net (SMI-8.6/SMI-SVR4)
Date: Mon, 3 Jun 1996 17:24:47 -0400
Message-Id: <199606032124.RAA24377@goffer.ee.net>
From: C Matthew Curtin
To: Yossi Goltz
Cc: Firewalls@GreatCircle.COM
Subject: Re: WWW proxy to cut off Java.
In-Reply-To:
References: <199604052113.NAA19679@miles.greatcircle.com>
Reply-To: cmcurtin@fahlgren.com
X-Attribution: Matt
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Yossi" == Yossi Goltz writes:

Yossi> Hi! Could a nice soul advise me how to set up a proxy http
Yossi> server that can cut off java applets on their way in to our
Yossi> site.

You'll need to tell your proxy server to not allow "*.class" or "*.cla"
files through to block Java applets.

Yossi> I'm becoming more and more concerned about Java (after reading
Yossi> the last messages from Netscape and Sun), and would like to
Yossi> keep off Java and Javascript until they become more safe.

Because JavaScript is typically embedded within your HTML, you really
can't block it at the firewall. You're best off with a configuration
policy that will have to be enforced at the browser level, IMHO.

--
C Matthew Curtin                Chief Hacker                Fahlgren, Inc.
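The two proxy-side controls this thread argues over (refusing "*.class" and "*.cla" applet URLs as Curtin suggests, and filtering script out of HTML as it goes by, as Avolio and Readwin say a proxy can), as an added example; it is not code from any poster, from Gauntlet or from the http-gw patch, and the sample page and URLs are constructed.

```python
"""Proxy-side Java/JavaScript filter: refuse applet URLs by suffix and
re-emit HTML without script elements, applets, on* event-handler attributes
and javascript: URLs.  Added example; the sample page and URLs are
constructed, not taken from any real site."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

APPLET_SUFFIXES = (".class", ".cla")       # the suffixes named in the thread
DROPPED_ELEMENTS = {"script", "applet"}    # removed together with their content


def blocked_applet_url(url):
    """True if the request path ends in an applet class-file suffix."""
    return urlsplit(url).path.lower().endswith(APPLET_SUFFIXES)


class ScriptStripper(HTMLParser):
    """Copy an HTML document through, dropping the script-bearing parts."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # output fragments, joined at the end
        self.skip_depth = 0  # >0 while inside a dropped element
        self.removed = 0     # how many items were stripped, for the proxy log

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:           # HTMLParser lower-cases names
            if name.startswith("on"):       # onload=, onclick=, ...
                self.removed += 1
                continue
            # Collapse whitespace so "java script:" style spacing is caught too.
            if value is not None and "".join(value.split()).lower().startswith("javascript:"):
                self.removed += 1
                continue
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ("/>" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_ELEMENTS:
            self.skip_depth += 1
            self.removed += 1
        elif not self.skip_depth:
            self.out.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        if tag in DROPPED_ELEMENTS:
            self.removed += 1
        elif not self.skip_depth:
            self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        if tag in DROPPED_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.skip_depth:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_scripts(page):
    """Return (filtered_html, items_removed) for one text/html response body."""
    parser = ScriptStripper()
    parser.feed(page)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample page carrying each of the four things the filter removes.
SAMPLE_PAGE = (
    '<html><head><title>Demo</title>\n'
    '<script language="JavaScript">alert("hi")</script></head>\n'
    '<body onload="alert(1)"><p>Hello <b>world</b></p>\n'
    '<a href="javascript:alert(2)">x</a>\n'
    '<applet code="Hello.class" width=100></applet>\n'
    '<img src="pic.gif" alt="a &amp; b"></body></html>'
)

if __name__ == "__main__":
    cleaned, removed = strip_scripts(SAMPLE_PAGE)
    print(f"removed {removed} items:\n{cleaned}")
```

A proxy would run strip_scripts only on responses whose Content-Type is text/html and pass everything else through untouched.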
655 Metro Pl S, Ste 700, Box 7159      Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/         cmcurtin@fahlgren.com    PGP Mail Preferred

From firewalls-owner Tue Jun 4 13:40:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA08383 for firewalls-outgoing; Tue, 4 Jun 1996 12:29:44 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA08376 for ; Tue, 4 Jun 1996 12:29:35 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id LAA10122; Tue, 4 Jun 1996 11:42:54 -0700
Date: Tue, 4 Jun 1996 12:26:13 -0700 (PDT)
From: Michael Dillon
To: Alan Millar
cc: firewalls@GreatCircle.COM
Subject: Re: Strange mail Sender: problem with Borderware?
In-Reply-To: <96Jun3.131347pdt.36865@firewall.lifeguard.com>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 3 Jun 1996, Alan Millar wrote:

> This thing is basically a black box that doesn't let you in to see
> what's going on. I know it's BSDI in there somewhere from the boot
> messages, but it's locked down tight through the user interface.
> I was undecided if that's good or bad, but my opinion is starting to
> lean....

If you can open up the box then it's not locked down tight. Maybe the
previous admin cracked it open and installed some custom mail processing
stuff. You should ask Borderware if there is a way to check whether this
has happened, or better yet, reset everything to a known starting point.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Tue Jun 4 13:45:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA07325 for firewalls-outgoing; Tue, 4 Jun 1996 12:21:58 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA07240 for ; Tue, 4 Jun 1996 12:21:28 -0700 (PDT)
Received: from explorer2.clark.net (mjr@explorer2.clark.net [168.143.0.5]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id PAA28497 for ; Tue, 4 Jun 1996 15:18:52 -0400 (EDT)
From: "Marcus J. Ranum"
Received: (from mjr@localhost) by explorer2.clark.net (8.7.1/8.7.1) id PAA13158 for firewalls@greatcircle.com; Tue, 4 Jun 1996 15:18:51 -0400 (EDT)
Message-Id: <199606041918.PAA13158@explorer2.clark.net>
Subject: Firewalls performance
To: firewalls@greatcircle.com
Date: Tue, 4 Jun 1996 15:18:51 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since I'm not sure how much cross-pollination there is between
firewalls@greatcircle.com and firewalls-performance@greatcircle.com, I
thought I'd mention that lately there have been a number of good papers and
tools posted for measuring performance. All are available on the firewalls
performance web page http://www.v-one.com/pubs/perf

Firewall performance, as a thread, seems to appear in this list about every
month, and I thought I'd inject the pointer now since the topic is about
due for its periodic rehashing. Please redirect follow-up discussion to
firewalls-performance.

mjr.
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work http://www.v-one.com    personal http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Tue Jun 4 14:11:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA07174 for firewalls-outgoing; Tue, 4 Jun 1996 12:21:11 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA07009 for ; Tue, 4 Jun 1996 12:20:28 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id LAA09822; Tue, 4 Jun 1996 11:33:12 -0700
Date: Tue, 4 Jun 1996 12:16:30 -0700 (PDT)
From: Michael Dillon
To: Russ
cc: "Firewalls@GreatCircle.COM"
Subject: RE: NT firewalls & NOS admins
In-Reply-To: <01BB519B.75874280@rwcooper.rc.toronto.on.ca>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 3 Jun 1996, Russ wrote:

> It never ceases to amaze me how some Unichs seem to think that only UNIX
> experience is viable when it comes to working with an Internet connection.

Who said that? Anyway, experience comes from doing it and since UNIX and
the Internet have been around a lot longer than NT it's not surprising that
most of the people with solid time-tested Internet experience have a UNIX
background.

> Some may be surprised to find out that TCP/IP has been included in NT since
> it was first released, and it's been around for quite some time in DOS or
> Windows.

Most UNIX network admins have been attaching DOS boxes, Macs and Windows
machines via TCP/IP to UNIX servers for eons.

> One doesn't need a UNIX degree to know how IP works, or how the
> Internet works, for that matter.

I beg to differ.
It only takes a while to get a basic familiarity with IP and the Internet
but while I didn't get a degree in IP I certainly did spend an equivalent
amount of time and effort in studying and learning the finer details.

> I know quite a few UNIX SQL administrators
> who wouldn't know how to configure their inetd if it bit them in the ass.

Doesn't surprise me. Why should a database administrator need to know
anything about configuring the network? Managing the company's central
mission-critical database is important enough on its own.

> - More security breaches occur internally than happen via an Internet
> connection.

This is a good point and some people are looking at ways to use firewall
technology internally to protect against this.

> - Most companies do not have a security policy of any kind.

Unfortunately...

> Then there are the *majority* of companies who
> neither need, nor can afford, to have either, yet still want to be part of
> the 'net.

Right now these folks tend to be installing firewalls that are recommended
to them by a consultant (or their ISP) and are maintained by the consultant
(or their ISP).

> Surely you jest...like IP is rocket science or something...sheesh. I've
> never administered a UNIX system in my life, does it show that much?

When you are talking about firewalls, then yes, IP *IS* rocket science. If
you just mean setting up a few Windows or Macintosh or OS/2 desktops to
connect to the net, then no, there is no rocket science.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Tue Jun 4 14:13:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA16606 for firewalls-outgoing; Tue, 4 Jun 1996 13:33:06 -0700 (PDT)
Received: from hidata.com ([205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA16596 for ; Tue, 4 Jun 1996 13:32:56 -0700 (PDT)
Received: by hidata.com; id AA13553; Tue, 4 Jun 96 13:30:30 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Tue, 4 Jun 1996 13:30:15 -0700
Message-Id: <199606042030.NAA08202@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: NT DNS in 4.0b2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've just inspected my newly arrived NT4.0b2 software. DNS seems to work!
Amazing that DNS can be setup via point and click. DNS setup within the
Solaris and SunOS systems I've setup as firewalls is not a trivial task,
usually taking days or weeks (depending on process time). NT DNS setup took
minutes, even giving you drop-down selections for record types that you
want to add for hosts, zones, addresses, etc. The only drawback I've seen
is not being able to connect to non-NT DNS server properties.

BTW - My opinion is that MS is run by 'Beezelgates', but NT was written by
the VMS guys from DEC, they know UNIX too, and are no dummies. The use of
NT as a firewall platform is unstoppable. However I still think that using
NT as a base for a firewall system needs to be attacked three ways; the
I/O, the filesystem, and the O.S.

The I/O can be addressed by a 'Raptor' approach, which replaces the network
stack, or listing areas that need attention; Control Panel - Services, and
Networks.
Any other areas need attention? Does anyone know of a 3rd party OPEN SOURCE
network stack replacement for NT?

The Filesystem currently can be compromised two ways that I know of, via
Linux boot disk mount, and DOS boot diskette with NTFSDOS.EXE driver. The
filesystem needs to be protected for use as a firewall. Anyone know of a
cryptographic filesystem for NT?

The O.S. has multiple security privileges/holes that need to be watched. I
don't know of a way to watch each and every permission without MS sending
out a feature-stripped version of NT. I know I've had a problem with 3.51
server, 4.0b1 workstation, and seeing all (private user access only) areas
on the 3.51 server with any user logged in on the 4.0b1 workstation.

My belief is that features in Firewalls are holes, and that firewalls
should be functionally stripped. Maybe some company can resell NT with just
the basics installed on CD for a firewall install? How about UNIX kernel
with an NT GUI? That'll fake out our managers! Yeah boss, it's BSD-NT!

Well I'm impressed by the features and functions of NT, and the ever
growing list. But the three areas in NT that need to be addressed for use
as a firewall all seem to need replacement.

Bill

<=======10========20====Ruler for Eudora users==50========60========70========80
William B. Stout           | "Stop socialism in America!"
Senior Systems Admin       | "Dilbert for President."
Hitachi Data Systems       | "Police power today=police state tomorrow."
Open Systems Center        | "The secret of life - being part of the process of
Santa Clara, California    |  creation."
408-970-4822               | #include
<=======10========20========30========40========50========60========70========80

From firewalls-owner Tue Jun 4 16:35:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA02098 for firewalls-outgoing; Tue, 4 Jun 1996 16:18:09 -0700 (PDT)
Received: from ns1.ptd.net (ns1.ptd.net [198.80.46.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA02091 for ; Tue, 4 Jun 1996 16:18:01 -0700 (PDT)
Received: from cs1-2.leh.ptd.net (cs1-2.leh.ptd.net [204.186.4.2]) by ns1.ptd.net (8.7.3/8.7.3) with SMTP id TAA13512 for ; Tue, 4 Jun 1996 19:15:19 -0400 (EDT)
Date: Tue, 4 Jun 1996 19:15:19 -0400 (EDT)
Message-Id: <199606042315.TAA13512@ns1.ptd.net>
X-Sender: darkwing@postoffice.ptd.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Ed Mulligan
Subject: RE: Stopping Fakemail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

At 06:21 AM 6/4/96 -0700, you wrote:
>On Tue, 4 Jun 1996, Isaac Labaton wrote:
>
>> How can you send fake mail?
>
>Using Eudora or Netscape, change your config to have a fake Reply-To:
>address before sending the message. There are other ways too, but a bit
>harder.

Actually, as many of you remember, we had this whole discussion before. I'm
sure all of the articles are in the firewalls archives. Sending mail with a
forged from: field is easy to do, as stated. But it is also easy to track
with the x-ref headers and stamps along the way. The original question on
this thread was "How do you stop fakemail sent via telnet to port 25".
Granted, Eudora and Netscape can forge mail to some extent, but I'm sure
that with the help of your friendly neighborhood sysadmin, the perpetrator
can be caught. (We catch them on our network which is a 5000+ user system).

I can see this thread doing a loop...
Next will come the deluge of people saying that if we all used PGP we wouldn't have this problem. Which is very true, and my personal favorite (if utopian) solution. It simply is not practical at this time. PGP is beyond Joe User on most systems. It works... but not dumbed down enough yet for everyone to handle it.

The documentation of TCP Wrappers (7.4) suggests running sendmail as a daemon and wrapping it with tcpd. Anyone tried this?

Sincerely,
John P. Mulligan
Lafayette College Academic Computing Services (systems)

Use Public Key for

From firewalls-owner Tue Jun 4 17:20:28 1996
From: mike@fionn.lbl.gov (Michael Helm)
Date: Tue, 4 Jun 1996 16:59:22 PDT
To: Ed Mulligan
Cc: firewalls@GreatCircle.COM
Subject: RE: Stopping Fakemail

On Jun 4, 7:15pm, Ed Mulligan wrote:
> The documentation of TCP Wrappers (7.4) suggests running sendmail as a
> daemon and wrapping it with tcpd. Anyone tried this?

If the mail server isn't too busy, this may be ok.
If the mail server is a busy one, the number of processes spawned can overwhelm the mail server & cause lots of ugly side effects (bounced mail, hangs, & system crashes). I don't recommend this. I've seen some pretty poor results with it. BTW it's hard to tell what "too busy" will be, tho you will know it when you get there!

I have heard that there are patches for some revs of sendmail8-7-* to integrate the tcp wrapper's host checking abstraction (call outs to the library). I haven't used this but I've seen it go by in comp.mail.sendmail.

From firewalls-owner Tue Jun 4 18:20:42 1996
From: Renaissance Man - The Enigma
Date: Tue, 04 Jun 1996 18:12:12 -0700
To: Ed Mulligan
Cc: firewalls@greatcircle.com, doug@sun1paztcn.wr.usgs.gov
Subject: Re: Stopping Fakemail

Previously:
>The documentation of TCP Wrappers (7.4) suggests running sendmail as a
>daemon and wrapping it with tcpd. Anyone tried this?

Hmmm... Sendmail DOES run as a daemon. My guess is that you really mean to NOT run sendmail as a full-time daemon, but to use inetd as the starting point and have it spawn sendmail via tcpd...

I ran sendmail from inetd as a test, but sendmail is pretty huge, so it took a lot of resources.
(Then again, at the time I was running a Sun 386i...) Also, if you receive a lot of mail, spawning it from inetd can really load you down. And if you run any kind of mailing list... Ugh, forget it...!

An option is to run a simpler program that only functions to receive mail. In it, you can include various "checks" such as logging the IP addresses, ports, and maybe ident or finger information. I wrote a simple program I call recvmail, which involves a small smtpd process which can be spawned from inetd with much less overhead than sendmail. (And it doesn't have to run as root, either...) Sendmail is still available for sending mail OUT, but you wouldn't have to use it to receive mail.

The other feature about recvmail is that it does NO forwarding - it only accepts mail for the localhost. This won't work for a mail hub of course, but it does cut down on the number of computers that can be used to transfer faked mail...

-Doug

Doug Wellington                    doug@sun1paztcn.wr.usgs.gov
System and Network Administrator
US Geological Survey, Tucson, AZ Project Office

According to proposed Federal guidelines, this message is a "non-record". Hmm, I wonder if _everything_ I say is a "non-record"...?

FreeBSD and Apache - the best real tools for the virtual world! Check out www.freebsd.org and www.apache.org... Just say NO to Netscape Navigator!

From firewalls-owner Tue Jun 4 19:38:25 1996
From: Chris Watson
Date: Tue, 4 Jun 1996 22:31:35 -0400 (EDT)
To: firewalls@greatcircle.com
Subject: unknown in tcpwrappers?
What does this mean?

Jun 4 22:21:48 orion telnetd[9207]: refused connect from unknown

What's the unknown part? What causes this? Is this a denied spoof attempt? Or is it a DNS failure?

--

===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
http://www.freebsd.org             | SysAdmin / Network Engineer / Security
===================================| Member BSDNET team! http://www.bsdnet.org

From firewalls-owner Tue Jun 4 22:20:30 1996
From: Dennis Moroney
Date: Tue, 4 Jun 1996 23:04:34 -0500 (CDT)
To: ygerman@genre.com (ygerman)
Cc: firewalls@greatcircle.com (firewalls)
Subject: Re: Ability To Track Logs

According to ygerman:
>
> I am in a bind on how to accomplish something on our firewall.
> I would like to check the logs on the firewall continuously looking for certain
> fields and based on the fields initiate an action. The action will be mail to a
> different address depending on the field found.
>
> Currently I am setting this up via a c shell script and doing a grep for certain
> things every hour. The problem is I would like not to have to wait an hour. Has
> anyone had any experience with this. Is there a way to accomplish this easier?
> Please respond as soon as possible, thanks!
>

ftp://ftp.coast.purdue.edu:/pub/tools/unix/swatch*

--
Dennis Moroney

From firewalls-owner Tue Jun 4 22:35:34 1996
From: Dennis Moroney
Date: Tue, 4 Jun 1996 23:10:48 -0500 (CDT)
To: gblolmxb@ibmmail.com
Cc: firewalls@greatcircle.com (firewalls)
Subject: Re: Re Finding domain name from IP address

According to gblolmxb@ibmmail.com:
>
>
> Ben said:
>
> >We have a combination of registered and unregistered IP addresses on
> >our network (no Internet connection yet).
>
> >Is there a way I can find out who the unregistered ones are really
> >registered to?
>
> Try telnetting to rs.internic.net and run whois. Or for European
> registrations, try info.ripe.net, or even ns.ripe.net.
>
> Mark.
>

Better yet, use the private network numbers assigned by IANA for your internal network and stop the nonsense of using 'unregistered' numbers. One day your network may leak one of the unregistered network numbers you are using and break your network or worse still break someone else's network.
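Back on the "Ability To Track Logs" question, which Dennis answers with a pointer to swatch: the same idea as an added example in Python (my code, not Dennis's and not swatch itself). It follows the log as it grows instead of running grep from cron every hour, routes each matching line to a different address per pattern, and throttles repeats so a noisy client cannot flood the admin. The rule table, the addresses, the injected mailer and the sample lines are all constructed for this example.

```python
#!/usr/bin/env python3
"""swatch-style log watcher (added example, not code from the thread)."""
import os
import re
import sys
import time
from typing import Callable, Iterator, Optional

# First match wins.  Patterns and addresses are constructed; the tcpd
# "refused connect from" wording is the one quoted earlier on the list.
RULES = [
    (re.compile(r"refused connect from"), "security-alerts@example.test"),
    (re.compile(r"telnetd\[\d+\]: connect from"), "netops@example.test"),
    (re.compile(r"sendmail\[\d+\]:.*\breject\b"), "postmaster@example.test"),
]

# Identical alerts inside this window (seconds) are suppressed.
THROTTLE_SECONDS = 300

_TS = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")  # "Mon dd hh:mm:ss host "
_PID = re.compile(r"\[\d+\]")


def route(line: str) -> Optional[str]:
    """Address to notify for this line, or None if no rule matches."""
    for pattern, address in RULES:
        if pattern.search(line):
            return address
    return None


def alert_key(line: str) -> str:
    """Normalise a syslog line so repeats differing only in time/pid collapse."""
    return _PID.sub("[]", _TS.sub("", line.strip()))


class Watcher:
    def __init__(self, send: Callable[[str, str], None], now=time.time):
        self.send = send            # send(address, text): the injected mailer
        self.now = now              # injected clock, so tests can advance it
        self.last_sent = {}         # (address, alert_key) -> time last mailed

    def handle(self, line: str) -> Optional[str]:
        """Route one line; returns the address mailed, or None if dropped."""
        address = route(line)
        if address is None:
            return None
        key = (address, alert_key(line))
        t = self.now()
        last = self.last_sent.get(key)
        if last is not None and t - last < THROTTLE_SECONDS:
            return None             # repeat inside the window: suppressed
        self.last_sent[key] = t
        self.send(address, line)
        return address


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield lines appended to `path` like `tail -f`, reopening on rotation."""
    f = open(path, "r")
    f.seek(0, 2)                    # start at the end: only new lines matter
    while True:
        line = f.readline()
        if line:
            yield line
            continue
        time.sleep(poll)
        try:
            if os.stat(path).st_ino != os.fstat(f.fileno()).st_ino:
                f.close()           # the file was rotated: pick up the new one
                f = open(path, "r")
        except FileNotFoundError:
            pass                    # rotation in progress; retry next poll


def main(argv):
    # With no path argument, run over constructed sample lines instead.
    sample = [
        "Jun  4 22:21:48 orion telnetd[9207]: refused connect from unknown",
        "Jun  4 22:21:58 orion telnetd[9208]: refused connect from unknown",
        "Jun  4 22:22:10 orion telnetd[9210]: connect from host.example.test",
        "Jun  4 22:23:00 orion cron[12]: (root) CMD (run-parts /etc/cron.hourly)",
    ]
    w = Watcher(lambda addr, text: print(f"mail {addr}: {text.strip()}"))
    for line in (follow(argv[1]) if len(argv) > 1 else sample):
        w.handle(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a log path to watch a live file; the second sample line is suppressed because it differs from the first only in time and pid.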
--
Dennis Moroney

From firewalls-owner Wed Jun 5 01:35:42 1996
From: Adam Shostack
Date: Fri, 31 May 1996 13:55:07 -0400 (EDT)
To: firewalls@greatcircle.com
Subject: New List: SdAdmin (SecurID cards & related things)

This is an announcement of a new mailing list, sdadmin, aimed at systems managers, security professionals, and others with a need to discuss issues relating to the management and administration of the SecurID card from Security Dynamics, and associated software and hardware.

The list is managed by majordomo. To subscribe, send a message to majordomo@jabberwocky.bbnplanet.com with a body of:

    subscribe sdadmin

Mail sent to sdadmin@jabberwocky.bbnplanet.com will go to the list. All administrative requests should be sent to majordomo.

The list is hosted on a machine graciously provided by BBNPlanet. However, BBNPlanet is not responsible for the contents of the list.
Adam

From firewalls-owner Wed Jun 5 01:50:27 1996
From: manoj@dev.dsc.dalsys.com (Manoj Shroff)
Date: Wed, 5 Jun 1996 02:58:27 -0500 (CDT)
To: firewalls@GreatCircle.com
Subject: Majordomo results: Help with FWTK (PartII) (fwd)

Thanks to everyone who helped me in order to get the FWTK compiled on the Linux box. However I now have another problem.

When I run authsrv, and do an add user, I get a segmentation fault and a core is dumped.
When I run authmgr,  "   "   "   "   "   "   "   "   "   "   "  a permission denied error.

Would appreciate all help.
Manoj Schroff (Systems Engineer)
Dallas Systems plc
Ocean House, The Ring, Bracknell, Berkshire RG12 1AH
Tel: +44 (0)1344 420144 / +44 (0)1344 418448
Fax: +44 (0)1344 418400
manoj@dalsys.com

+--------------------------------------------------------------+
|"He who laughs last, obviously did not understand the joke !!"|
+--------------------------------------------------------------+

From firewalls-owner Wed Jun 5 02:05:27 1996
From: Jeremy Youngman
Date: Thu, 30 May 1996 19:42:22 +0000
To: firewalls@greatcircle.com
Subject: Compuserve

Hi, does anybody allow Compuserve access through their Firewall (TCP port 4144)? Are there any security considerations, so long as I only allow SYN's outbound? Are there any good places to read up about this?
I've got a user who wants this access.

Please reply by email if poss as I don't usually subscribe to this mailing list (yes, it's good and interesting but a little too much traffic for me normally).

TIA,

PS This is the 4th time I've sent this, so apologies if you keep getting copies -- but I've been subscribing to firewalls-digest for the last couple of weeks and never seen my note appear -- and because I've had no replies I'm still not absolutely sure whether it is getting delivered properly!

--
Jeremy Youngman
jeremy@youngman.demon.co.uk
Tel: +44 (0)1603 686258
PGP: Key avail on request
----- All cats look grey in the dark -----

From firewalls-owner Wed Jun 5 02:06:06 1996
From: Remy NONNENMACHER
Date: Tue, 4 Jun 1996 11:52:32 -2300 ()
To: Russ
Cc: "'Firewalls'"
Subject: Re: What do you want to know about Windows NT?
On Wed, 29 May 1996, Russ wrote:

> I have an offer to you all. I have been working very hard for the past 6
> months or so to try and raise the level of awareness about Windows NT and
> the Internet. My motivation was selfish, of course, in that I hope to gain
> knowledge about where the obstacles are in getting NT accepted by you, the
> security administrators.
>
> I am now in the process of putting together the information that you need
> to be able to better understand the risks involved with Windows NT and its
> deployment in your organization. I have always believed that you, the
> security administrators, hold in your hand the ability to delay the
> deployment of NT on as broad a scale as I might like to see. Microsoft, I
> should add, has not necessarily agreed with me on this, which is why, IMHO,
> I have been the one here and not them...;-]
>
> However, if we assume that I was able to get Microsoft to put together a CD
> that contained White Paper and technical information regarding Windows NT,

God !!, He *IS* god !! He will do a miracle for all of us !!

> what would you like to know about Windows NT to help you evaluate its
> impact on the security within your environment?
>
> A few assumptions;
>
> - it will not contain source code for any products which source code is not
> already publicly available

Too bad !! I won't ever rely on the "guaranteed" security of code made by a company known for the great amount of bugs in their past (and present) products without an external, huge and deep review by many external eyes. Otherwise, nothing will guarantee me that trap codes have not been included in the product. (i.e.: the 'special' WINSOCK.DLL needed for MSN in Europe that can "upgrade" DLLs !!). This argument is also true for a lot of commercial products.
BUT M$ is too offensive a company to be believed without care.

> - it will contain all available API specifications

M$ sells a lot of API docs about their products. I can give you the conclusions of the Windows (all flavors) programmers here: 10% written tradition, 90% oral tradition. That is: an API could have the right or wrong behaviour depending on undocumented parameters or ranges in parameters or call order. If you only read the doc, you will *NEVER* succeed in producing more than a 2+2=4 program. API programming is stochastic. When you know that, and assuming that a firewall product MUST use APIs, and even if the product itself is public, you will never be sure that the underlying M$ code won't fail, weakening the whole security.

> - it will contain RFC implementations and any MS-specific extensions to
> them

That's a great point: RFC'ing is publicly done. The technical points exposed in an RFC have been discussed, reviewed, criticized, improved many times before the final edition. I do not grant the right to M$ to modify the specifications on its own. This is a lack of culture when you work in the Internet.

> - it will contain information from 3rd party ISV's who offer security
> solutions
>
> Some ideas;
>
> - The CD could come with a 60-day Windows NT Server/BackOffice evaluation,
> would that be useful?

maybe

> - There is a C2 configuration guide (manual), maybe it should be included

indispensable

> - There is a Network Monitoring tool (Netmon), maybe it should be included

indispensable

> - There are a variety of tools that are part of the Resource kits to add
> unix-like functionality to NT, maybe they should be included

helpful

> - More information could be given if the CD was available under NDA, would
> you prefer that?

NO. NDA is the right way to give a sword to a possible bad guy just before anyone else can wear an armor.
> - The NT Knowledgebase includes articles about many issues relating to
> security problems, misconfigurations, and bugs, should that be included?
                                            ^^^^

and bugs!, simply!! (I'm probably dreaming !!). Are you asking us why we don't go right now with our money in our little hands to the Great Bill House to buy a *BUGGED* product? For my own part, I buy software with the great hope there is NO bug in it. Anyway, I doubt that the commercial dept of M$ frequently spots this point. That means the bad guy will better have a machine gun than a sword. (Remember how long it takes M$ teams to fix a bug? Would you really risk a "stop using it while we repair" answer?).

> - There are numerous SDK's for the various NT BackOffice products, would
> these be useful?
>
> What kind of information, what format should it be in, and what level
> should it be positioned for?
>
> Now I don't speak for Microsoft, never have, but I do believe I can get
> this CD put together and make it available to you for free, or a nominal
> charge. If you give me the feedback that I hope to see, it will be done.
>
> Treat me like the university student asking for information about a thesis.
>
> Cheers,
> Russ
>

The thesis would better point to: "Why do people buy a private, costly, bugged, unmanageable, corruptible, unreliable and young product rather than a free (or cheap), stable, reliable, simple, fast and powerful one?" (Please, feel no offense in all of this. I would also like to have the answer to that question.)

-------------------------------------------------------------------------------
S Y N C H R O N I X  S.A.
Avn des ANDES, Bat. LE CEDRE - 91952 LES ULIS - FRANCE
Tel : +33 1 64462626 - FAX : +33 1 64466976 - Internet : Synx.com
Remy NONNENMACHER - APAV Dpt. (remy@synx.com)
#include #include
----
"My uncle and I entered a better life" - Alfonse Allais (When his rich uncle died).
From firewalls-owner Wed Jun 5 04:35:41 1996
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Wed, 5 Jun 96 04:26:27 PDT
To: firewalls@greatcircle.com
Subject: ICMP Source Quench

I've noticed a lot of ICMP Source Quench packets in my firewall logs. They are (or were more precisely) outbound. My references say that this is a primitive form of flow control. What are people's experiences with allowing this as an outbound packet? I don't see any security risk offhand, but I'd like to know what others have seen. Does anyone know of any security weaknesses related to Source Quench?
Thanks,

BobK

From firewalls-owner Wed Jun 5 05:20:45 1996
From: Paul Ferguson
Date: Wed, 05 Jun 1996 08:02:22 -0400
To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Cc: firewalls@GreatCircle.COM
Subject: Re: ICMP Source Quench

My vote is to block it. 'primitive' is an accurate description of the effectiveness of icmp source-quench. :-)

- paul

At 04:26 AM 6/5/96 PDT, Bob Konigsberg wrote:
>I've noticed a lot of ICMP Source Quench packets in my firewall logs. They
>are (or were more precisely) outbound. My references say that this is a
>primitive form of flow control. What are people's experiences with allowing
>this as an outbound packet. I don't see any security risk offhand, but
>I'd like to know what others have seen. Does anyone know of any security
>weaknesses related to Source Quench?
>
>Thanks,
>
>BobK
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
c i s c o  S y s t e m s

From firewalls-owner Wed Jun 5 06:05:51 1996
From: akakinad@ccd.harris.com (Achari U.M. Kakinada)
Date: Wed, 5 Jun 1996 08:45:04 -0400 (EDT)
To: firewalls@GreatCircle.com
Subject: IANA private network numbers ..

>> better yet, use the private network numbers assigned by IANA for
>> your internal network and stop the nonsense of using 'unregistered'
>> numbers. one day your network may leak one of the unregistered network
>> numbers you are using and break your network or worse still break someone
>> elses network.
>>
>> --
>> Dennis Moroney
>>

Can you please elaborate on the IANA private network numbers, and how it shall help if someone has a mix of registered and unregistered networks.
-Achari

From firewalls-owner Wed Jun 5 06:40:22 1996
From: Mike.Baxter@ashridge.org.uk (Mike Baxter)
Date: Wed, 5 Jun 1996 09:58:00 +0100
To: firewalls@greatcircle.com, firewalls-digest@greatcircle.com
Cc: jeremy@youngman.demon.co.uk
Subject: Re: Compuserve

Hi,

I am not entirely clear what it is you are doing. I am in the process of joining the CompuServe mail system to our cc:Mail system. When I went through this process I looked at the option of connecting for a full logon over the Internet. I think this was possible but it was only telnet access not WinCIM, which is too basic for our needs. The system that was proposed for WinCIM was a modem server.

So are you looking for a mail connection or a telnet connection? The telnet makes more sense. If telnet I would be interested in what front end you are using.

Mike Baxter

______________________________ Reply Separator _________________________________
Subject: Compuserve
Author: Jeremy Youngman at Internet
Date: 03/06/96 20:17

Hi, does anybody allow Compuserve access through their Firewall (TCP port 4144)? Are there any security considerations, so long as I only allow SYN's outbound? Are there any good places to read up about this? I've got a user who wants this access.
TIA,

PS This is the 5th time I've sent this, so apologies if you keep getting copies -- but I've been subscribing to firewalls-digest for the last couple of weeks and never seen my note appear -- and because I've had no replies I'm still not absolutely sure whether it is getting delivered properly!

--
Jeremy Youngman
jeremy@youngman.demon.co.uk
Tel: +44 (0)1603 686258
PGP: Key avail on request
----- All cats look grey in the dark -----

From firewalls-owner Wed Jun 5 06:50:32 1996
From: Paul Ferguson
Date: Wed, 05 Jun 1996 09:33:58 -0400
To: akakinad@ccd.harris.com (Achari U.M. Kakinada)
Cc: firewalls@GreatCircle.COM
Subject: Re: IANA private network numbers ..

At 08:45 AM 6/5/96 -0400, Achari U.M. Kakinada wrote:
>
> Can you please elaborate on the IANA private network numbers, and how it
> shall help if some one has a mix of registered and unregistered networks.
>
> -Achari
>
>

See RFC-1918.

- paul

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
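Dennis's warning earlier in the thread and Paul's "See RFC-1918" put into code, as an added example that is not from any message on the list: it sorts an internal address plan into registered, RFC 1918 private and squatted ("unregistered") space, which is the mix Achari asks about, and audits border traffic for source addresses that should never be seen leaving. The registered block (198.51.100.0/24, a documentation prefix standing in for a real assignment) and every packet are constructed.

```python
#!/usr/bin/env python3
"""RFC 1918 address-plan classifier and egress audit (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The three blocks RFC 1918 reserves for private internets.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _nets(ranges: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify_subnet(subnet: str, registered: Iterable[str]) -> str:
    """REGISTERED: assigned to us by a registry.  PRIVATE: RFC 1918.
    SQUATTED: public space we do not own ("unregistered" in the thread):
    it may belong to someone else and will clash once you connect."""
    net = ipaddress.ip_network(subnet, strict=False)
    if any(net.subnet_of(r) for r in _nets(registered)):
        return "REGISTERED"
    if any(net.subnet_of(p) for p in RFC1918):
        return "PRIVATE"
    return "SQUATTED"


def migration_plan(subnets: Iterable[str],
                   registered: Iterable[str]) -> Dict[str, List[str]]:
    """Group the plan: REGISTERED and PRIVATE can stay, SQUATTED must move
    into RFC 1918 space before the network is connected."""
    plan: Dict[str, List[str]] = {"REGISTERED": [], "PRIVATE": [], "SQUATTED": []}
    for s in subnets:
        plan[classify_subnet(s, registered)].append(s)
    return plan


def audit_egress(packets: Iterable[Tuple[str, str]],
                 registered: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag (src, dst) pairs bound for the Internet whose source should never
    appear there: RFC 1918 sources must be translated or dropped at the border
    (the "leak" Dennis warns about), and sources we do not own are squatted
    numbers that will break someone else's network.  Returns (src, reason)."""
    ours = _nets(registered)
    findings = []
    for src, dst in packets:
        if is_rfc1918(dst):
            continue                      # stays internal: nothing to check
        if is_rfc1918(src):
            findings.append((src, "rfc1918-source-leak"))
        elif not any(ipaddress.ip_address(src) in r for r in ours):
            findings.append((src, "unregistered-source"))
    return findings


if __name__ == "__main__":
    # Constructed address plan and border traffic for the demonstration.
    registered = ["198.51.100.0/24"]
    subnets = ["198.51.100.0/25", "10.1.0.0/16", "172.31.5.0/24",
               "192.169.4.0/24", "172.32.0.0/16"]
    for kind, members in migration_plan(subnets, registered).items():
        print(f"{kind:10s} {members}")
    traffic = [("10.1.2.3", "203.0.113.9"), ("192.169.4.7", "203.0.113.9"),
               ("198.51.100.5", "203.0.113.9"), ("10.1.2.3", "10.1.9.9")]
    for src, reason in audit_egress(traffic, registered):
        print(f"border: {src} {reason}")
```

The 172.16.0.0/12 block ends at 172.31.255.255, so 172.32.0.0/16 is classified as squatted, a boundary that trips people up when they pick "172.x" by hand.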
e-mail: pferguso@cisco.com
c i s c o  S y s t e m s

From firewalls-owner Wed Jun 5 07:05:59 1996
From: "Steve Bergeon"
Date: Wed, 5 Jun 1996 08:28:31 -0500
To: scanner@webspan.net, firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?

Wrappers were unable to verify the system's name and IP address match. This could just be someone attempting access from an ISP that does not have DNS names assigned to all of its address space. Or...

If you want unresolvable systems to have access to a service, you can use the keyword UNKNOWN in your hosts.allow file.

On Jun 4, 10:31pm, Chris Watson allegedly wrote:
| Subject: unknown in tcpwrappers?
|
| what does this mean?
|
| Jun 4 22:21:48 orion telnetd[9207]: refused connect from unknown
|
| whats the unknown part? what causes this? is this a denied spoof attempt?
| or is it a DNS failure?
|
|
| --
|
| ===================================| Webspan Inc., ISP Division.
| FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
| -----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
| Turning PCs into Workstations      | E-Mail: scanner@webspan.net
| http://www.freebsd.org             | SysAdmin / Network Engineer / Security
| ===================================| Member BSDNET team!
http://www.bsdnet.org | | | |-- End of excerpt blamed on Chris Watson -- (713) 917-0425 Office "Spirit is the journey, Body is the Bus. I am the driver, From Dust to dust." - Jaluka - PGP Keys: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html From firewalls-owner Wed Jun 5 07:42:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18804 for firewalls-outgoing; Wed, 5 Jun 1996 07:25:05 -0700 (PDT) Received: from babylon5.ccd.harris.com (babylon5.ccd.harris.com [192.68.26.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA18796 for ; Wed, 5 Jun 1996 07:24:54 -0700 (PDT) Received: (from root@localhost) by babylon5.ccd.harris.com (8.6.10/8.6.10) id KAA23905 for ; Wed, 5 Jun 1996 10:22:28 -0400 Received: from rs2.ccd.harris.com(147.90.4.5) by babylon5.ccd.harris.com via smap (V1.3) Received: by rs2.ccd.harris.com (AIX 3.2/UCB 5.64/4.03) From: akakinad@ccd.harris.com (Achari U.M. Kakinada) Message-Id: <9606051422.AA263413@rs2.ccd.harris.com> Subject: CISCO serial links To: firewalls@GreatCircle.com Date: Wed, 5 Jun 1996 10:22:09 -0400 (EDT) X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For the following net configuration H1 H2 H3 H4 | | | | ------------------------------------------ | | | --- Cisco Router \ \ \ --- Serial link. \ ISP Cisco Router ---- | | INTERNET In the above configuration, is it possible to configure the serial interfaces of both Cisco routers without assigning any IP addresses OR assigning IP host addresses ( only two IP addresses shall be used ). Can some kind soul help. 
-- Achari From firewalls-owner Wed Jun 5 07:50:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19793 for firewalls-outgoing; Wed, 5 Jun 1996 07:35:50 -0700 (PDT) Received: from .cdnoxy.com ([206.172.56.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19763 for ; Wed, 5 Jun 1996 07:35:30 -0700 (PDT) From: . Date: Wed, 5 Jun 96 07:33:37 PDT Subject: Memra To: firewalls@greatcircle.com X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 4.6, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Last Friday, Michael Dillon wrote: >Date: Fri, 31 May 1996 10:12:07 -0700 (PDT) >From: Michael Dillon >Subject: Re: commercial license for fwtk from TIS > >On Fri, 31 May 1996, Ralf Naegele wrote: > >> our organization is thinking about providing the fwtk. >> I need very urgently an answer what we must pay for a >>commercial license for >> the firewall toolkit. >> On the ftp-server of TIS I didn't find the pricing for a >>commercial license. > >Why don't you ask them? > >If you would rather have me ask them, my fee to act as your >agent would be >US$2,000 per day. Send me email to get my bank account >information to >deposit the money. > >;-) > >Michael Dillon ISP & >Internet Consulting >Memra Software Inc. Fax: >+1-604-546-3049 >http://www.memra.com E-mail: >michael@memra.com Michael, Please do not use this forum for advertising your services. I personally have had trouble getting simple answers from companies, and I don't think Ralf's question was out of line. Is your arrogant, condescending, and unprofessional attitude a reflection on your entire British Columbia based company? 
From firewalls-owner Wed Jun 5 08:05:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19733 for firewalls-outgoing; Wed, 5 Jun 1996 07:35:05 -0700 (PDT) Received: from Firewall.dofasco.ca (firewall.dofasco.ca [192.139.152.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19682 for ; Wed, 5 Jun 1996 07:34:48 -0700 (PDT) Received: (from smap@localhost) by Firewall.dofasco.ca (8.6.12/8.6.10) id JAA29510; Wed, 5 Jun 1996 09:34:54 -0400 Received: from usenet.dofasco.ca(142.153.128.2) by Firewall.dofasco.ca via smap (V1.3) Received: from hugh_fraser.dofasco.ca by USENET.DOFASCO.CA (MX V4.1 VAX) with Received: (from hugh@localhost) by hugh_fraser.dofasco.ca (8.6.12/8.6.9) id Date: Wed, 5 Jun 1996 10:34:30 -0400 (EDT) From: Hugh Fraser To: Jeremy Youngman CC: firewalls@GreatCircle.COM Subject: Re: Compuserve In-Reply-To: <31ADFA1E.563C@youngman.demon.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We've done exactly this to reduce the cost of phone lines to people's desks, modems, etc.. We use an application proxy firewall and simply connect Compuserve's port through the firewall. Functionally, it works as expected. Performance, though, doesn't seem much faster than through one of their dial-in ports. From a security standpoint, the connection is one-way, and I don't expect any unique security concerns that don't already exist with providing access to other services. On Thu, 30 May 1996, Jeremy Youngman wrote: > Hi, does anybody allow Compuserve access through their Firewall > (TCP port 4144)? Are there any security considerations, so long > as i only allow SYN's outbound? Are there any good places to read > up about this? I've got a user who wants this access. 
> > Please reply by email if poss as I don't usually subscribe to this > mailing list (yes, it's good and interesting but a little too much > traffic for me normally). > > TIA, > > PS This is the 4th time i've send this, so apologies if you keep > getting copies -- but i've been subscribing to firewalls-digest > for the last couple of weeks and never seen my note appear -- > and because i've had no replies i'm still not absolutely sure > whether it is getting delivered properly! > > -- > Jeremy Youngman | ###### ## ## | ("`-/")_.-'"``-. > jeremy@youngman.demon.co.uk | ## ##### | . . `; -._ )-;-,_`) > Tel: +44 (0)1603 686258 | # ## ## | (v_,)' _ )`-.\ ``-' > PGP: Key avail on request | #### ##### | _.- _..-_/ / ((.' > ----- All cats look grey in the dark ----- ((,.-' ((,/ > > From firewalls-owner Wed Jun 5 08:35:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25525 for firewalls-outgoing; Wed, 5 Jun 1996 08:26:26 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25484 for ; Wed, 5 Jun 1996 08:26:08 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id HAA07325; Wed, 5 Jun 1996 07:39:27 -0700 Date: Wed, 5 Jun 1996 08:22:48 -0700 (PDT) From: Michael Dillon To: "Achari U.M. Kakinada" cc: firewalls@GreatCircle.COM Subject: Re: IANA private network numbers .. In-Reply-To: <9606051245.AA341733@rs2.ccd.harris.com> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Achari U.M. Kakinada wrote: > Can you please elaborate on the IANA private network numbers, and how it > shall help if some one has a mix of registered and unregistered networks. Read RFC1918. It is all explained there. 
As long as the unregistered networks use the private network numbers from RFC1918 you won't ever have any problems. Michael Dillon ISP & Internet Consulting Memra Software Inc. Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Wed Jun 5 08:50:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27395 for firewalls-outgoing; Wed, 5 Jun 1996 08:47:16 -0700 (PDT) Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA27388 for ; Wed, 5 Jun 1996 08:47:06 -0700 (PDT) Message-Id: <199606051547.IAA27388@miles.greatcircle.com> Received: by hp01.vak12ed.edu From: "W.C. Epperson" Subject: Re: Memra To: firewalls@greatcircle.com Date: Wed, 05 Jun 1996 11:44:46 EDT In-Reply-To: ; from ".@GreatCircle.COM" at Jun 5, 96 7:33 am X-Mailer: Elm [revision: 109.17] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone in search of a clue flamed Michael Dillon thusly: > > Michael, > > Please do not use this forum for advertising your services. > > I personally have had trouble getting simple answers from > companies, and I don't think Ralf's question was out of line. > > Is your arrogant, condescending, and unprofessional attitude > a reflection on your entire British Columbia based company? > Dear .@greatcircle.com mailing from .cdnoxy.com: Since you appear to be using a forged (inadvertently, from the looks of it) >From address and mailing from a domain with a busted DNS and a net with a hosed or non-existent inverse arpa domain, I can conjecture as to why you might have difficulty getting replies from vendors. Michael's _reply_ did not seem out of line either: he pointed out the obvious line of inquiry and gently poked the poster for not having followed it to start with (the fwtk distribution and the TIS ftp server are replete with references on where to turn, and Fred is nothing if not responsive....). 
Oh, and my attitude is a reflection of yours. Have a nice day. -- W.C. Epperson "I have great faith in fools. Senior SE Self-confidence, my friends call it." Information Security Officer --Edgar Allan Poe-- DBA Emeritus Curmudgeon-for-Life Virginia Dept. of Education epperson@pen.k12.va.us From firewalls-owner Wed Jun 5 09:07:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26334 for firewalls-outgoing; Wed, 5 Jun 1996 08:35:03 -0700 (PDT) Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA26325 for ; Wed, 5 Jun 1996 08:34:53 -0700 (PDT) Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id LAA12676 for ; Wed, 5 Jun 1996 11:31:39 -0400 Received: by shlep.sware.com (5.65/2.0) from localhost id AA11012; Wed, 5 Jun 96 11:26:49 -0400 Message-Id: <9606051526.AA11012@shlep.sware.com> From: Renee Landers X-Mailer: SecureMail [2.3.2] Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: cisco docs, user access To: firewalls@greatcircle.com Date: Wed, 05 Jun 96 11:26:48 EDT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk First, does anyone know of any third-party guides to configuring Cisco routers? (i.e. IOS for Dummies :-) Or does Cisco put out anything more useful than the UniverCD -- something that would provide guidelines for configuring, including information on some of the different configuration possibilities, something with actual chapters, and sections, and paragraphs? Perhaps I am just not looking hard enough at the UniverCD? Second, I have a Cisco router with version 10.2 of the software. I have several modems connected via async line to that router. I have defined several usernames with passwords. Is there a way to limit which users can connect to which modems? 
(I know I can prevent certain users from doing stuff once they get on, via access- classes, but can I reject the connection altogether?) Am I missing something, or is the capability just not there? Thanks for your help From firewalls-owner Wed Jun 5 09:20:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27730 for firewalls-outgoing; Wed, 5 Jun 1996 08:51:47 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27721; Wed, 5 Jun 1996 08:51:31 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id IAA07966; Wed, 5 Jun 1996 08:04:49 -0700 Date: Wed, 5 Jun 1996 08:48:09 -0700 (PDT) From: Michael Dillon To: .@GreatCircle.COM cc: firewalls@GreatCircle.COM Subject: Re: Memra In-Reply-To: Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996 .@GreatCircle.COM wrote: > >> I need very urgent an answer what we must pay for a > >>commercial license for > >> the firewall toolkit. > >> On the ftp-server of TIS I don't found the pricing for a > >>commercial license. > > > >Why don't you ask them? > > > >If you would rather have me ask them, my fee to act as your > >agent would be > >US$2,000 per day. Send me email to get my bank account > >information to > >deposit the money. > > > >;-) ^^^ See that? > Please do not use this forum for advertising your services. I thought the ridiculously high dollar figure would make everyone realize that this was a bit of sarcasm but I added the winking smiley just to be sure. For the record, I don't charge $2,000 per day to make a few phone calls that people can make for themselves. 
> I personally have had trouble getting simple answers from > companies, and I don't think Ralf's question was out of line. He wants to negotiate a dealership agreement and you think that's a good question for the list? IMHO it's OK for end-users to ask "how much will it cost me" but dealers had better find out for themselves. > Is your arrogant, condescending, and unprofessional attitude > a reflection on your entire British Columbia based company? I'll agree with the arrogant part and the message was definitely condescending, but I draw the line at "unprofessional". The most unprofessional thing I do on this list is give away information and opinions for free. That is the mark of an amateur. But I do try to give the most accurate and complete answers that I can. Sometimes that means I do a little bit of research before answering the question. In the case above, my research included a quick check of the TIS website and a readthrough of their license agreement to refresh my memory. But I'm human too and subject to all the emotional foibles of being human and, being that I'm arrogant, can't resist dishing out a little sarcastic humor with my advice sometimes. Consider it my emotional payment for the "free" advice. Michael Dillon ISP & Internet Consulting Memra Software Inc. 
Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Wed Jun 5 09:35:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29168 for firewalls-outgoing; Wed, 5 Jun 1996 09:03:46 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29105 for ; Wed, 5 Jun 1996 09:03:22 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id IAA08062; Wed, 5 Jun 1996 08:08:17 -0700 Date: Wed, 5 Jun 1996 08:51:38 -0700 (PDT) From: Michael Dillon To: Hugh Fraser cc: Jeremy Youngman , firewalls@GreatCircle.COM Subject: Re: Compuserve In-Reply-To: Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Hugh Fraser wrote: > expected. Performance, though, doesn't seem much faster than through one > of their dial-in ports. I found it faster on the net, but then, I also set the speed in the Settings dialog to 38400 bps. I remember when I used to telnet directly to CompuServe that they would ask what speed you wanted to "simulate" because, of course, there were different fees for different speeds. Maybe WinCIM still negotiates the simulated speed? Or maybe you just have good dialin ports in your area. Michael Dillon ISP & Internet Consulting Memra Software Inc. 
Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Wed Jun 5 09:50:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29341 for firewalls-outgoing; Wed, 5 Jun 1996 09:05:04 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29039 for ; Wed, 5 Jun 1996 09:02:54 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id HAA07596; Wed, 5 Jun 1996 07:48:05 -0700 Date: Wed, 5 Jun 1996 08:31:25 -0700 (PDT) From: Michael Dillon To: Mike Baxter cc: firewalls@GreatCircle.COM, jeremy@youngman.demon.co.uk Subject: Re: Compuserve In-Reply-To: <1b53e6f0@ashridge.org.uk> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Mike Baxter wrote: > I am not entirely clear what it is you are doing. I am in the > process of joining the CompuServe mail system to our cc:Mail system. > When I went through this process I looked at the option of connecting > for a full logon over the Internet. I think this was possible but it > was only telnet access not WinCIM, which is too basic for our needs. Wait a minute. Don't you realize that you can connect with WinCIM over the Internet? In WinCIM 1.4 you go into the Special menu, then Session Setting... and then choose WINSOCK in the Connector drop-down list as well as Internet in the Network drop-down list. If you are behind a firewall you also need to open a plug-gw on port 4144 and you need to go into the CIS.INI file and change occurrences of "compuserve.com" to "firewall-machine.yourdomain.com". 
I don't have an original CIS.INI here any more but I find lines like the following in mine: LogonParams=firewall-machine.yourdomain.com HostIPName=firewall-machine.yourdomain.com > So are you looking for a mail connection or a telnet connection? The > telnet makes more sense. If telnet I would be interested in what front > end you are using. WinCIM 1.4 :-) Michael Dillon ISP & Internet Consulting Memra Software Inc. Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Wed Jun 5 10:05:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29108 for firewalls-outgoing; Wed, 5 Jun 1996 09:03:23 -0700 (PDT) Received: from connectnet1.connectnet.com (connectnet1.connectnet.com [207.110.0.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA29076 for ; Wed, 5 Jun 1996 09:03:09 -0700 (PDT) Received: from it.is.my.broken.net (it.is.my.broken.net [204.252.2.92]) by connectnet1.connectnet.com (15.9/Connectnet-2.2) with SMTP id IAA15515; Wed, 5 Jun 1996 08:19:30 -0700 (PDT) Received: by it.is.my.broken.net (4.1/SMI-4.1) Date: Wed, 5 Jun 1996 08:19:24 -0700 (PDT) From: Jason Matthews X-Sender: jason@it.is.my.broken.net To: Steve Bergeon Cc: scanner@webspan.net, firewalls@GreatCircle.COM Subject: Re: unknown in tcpwrappers? In-Reply-To: <9606050828.ZM6392@sbergeon.neosoft.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Unless this has recently been changed in tcpd that is incorrect. Even if no PTR record is recorded with the authoritative name servers tcpd will return a message with the offending IP address. If unknown was returned it was because of some -special- condition. I would have to read the code to see what that is however ;-) j. On Wed, 5 Jun 1996, Steve Bergeon wrote: > Wrappers were unable to verify the systems name and ip address match. 
> This could just be someone attempting access from an isp that does not > have dns names assigned to all of its' address space. Or... > > If you want unresolvable systems to have access to a service, you can > use the keyword UNKNOWN in your hosts.allow file. > > > On Jun 4, 10:31pm, Chris Watson allegedly wrote: > | Subject: unknown in tcpwrappers? > | > | what does this mean? > | > | Jun 4 22:21:48 orion telnetd[9207]: refused connect from unknown > | > | whats the unknown part? what causes this? is this a denied spoof attempt? > | or is it a DNS failure? > | > | > | -- > | > | ===================================| Webspan Inc., ISP Division. > | FreeBSD 2.1.0 is available now! | Phone: 908-367-8030 ext. 126 > | -----------------------------------| 500 West Kennedy Blvd., Lakewood, > NJ-08701 > | Turning PCs into Workstations | E-Mail: scanner@webspan.net > | http://www.freebsd.org | SysAdmin / Network Engineer / Security > | ===================================| Member BSDNET team! > http://www.bsdnet.org > | > | > | > |-- End of excerpt blamed on Chris Watson > > > > -- > (713) 917-0425 Office > "Spirit is the journey, Body is the Bus. > I am the driver, From Dust to dust." 
- Jaluka > - PGP Keys: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html > From firewalls-owner Wed Jun 5 10:42:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06209 for firewalls-outgoing; Wed, 5 Jun 1996 10:10:19 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06200 for ; Wed, 5 Jun 1996 10:10:07 -0700 (PDT) Received: from pferguso-pc.cisco.com (c6robo16.cisco.com [171.68.13.176]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA21902; Wed, 5 Jun 1996 10:07:57 -0700 Message-Id: <199606051707.KAA21902@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 05 Jun 1996 13:07:10 -0400 To: Michael Dillon From: Paul Ferguson Subject: Re: IANA private network numbers .. Cc: "Achari U.M. Kakinada" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:22 AM 6/5/96 -0700, Michael Dillon wrote: >On Wed, 5 Jun 1996, Achari U.M. Kakinada wrote: > >> Can you please elaborate on the IANA private network numbers, and how it >> shall help if some one has a mix of registered and unregistered networks. > >Read RFC1918. It is all explained there. >As long as the unregistered networks use the private network numbers from >RFC1918 you won't ever have any problems. > Well, of course, you will not be able to *advertise* them to The World. :-) - paul >Michael Dillon ISP & Internet Consulting >Memra Software Inc. Fax: +1-604-546-3049 >http://www.memra.com E-mail: michael@memra.com > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Jun 5 10:51:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04365 for firewalls-outgoing; Wed, 5 Jun 1996 09:58:11 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04336 for ; Wed, 5 Jun 1996 09:57:56 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9606051655.AA27060@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: "Achari U.M. Kakinada" Cc: firewalls From: Ryan.Russell/SYBASE Date: 5 Jun 96 9:55:50 EDT Subject: Re: CISCO serial links X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm not sure I follow you, but... You can put the two routers in bridging mode (ISP willing, of course) and as long as the ISP has routes to the 2 addresses you want, it will work. You do have four hosts shown in the picture tho.. Did I miss part of your question? Ryan ---------- Previous Message ---------- To: firewalls cc: From: akakinad @ ccd.harris.com (Achari U.M. Kakinada) @ smtp Date: 06/05/96 10:22:09 AM Subject: CISCO serial links For the following net configuration H1 H2 H3 H4 | | | | ------------------------------------------ | | | --- Cisco Router \ \ \ --- Serial link. \ ISP Cisco Router ---- | | INTERNET In the above configuration, is it possible to configure the serial interfaces of both Cisco routers without assigning any IP addresses OR assigning IP host addresses ( only two IP addresses shall be used ). Can some kind soul help. 
-- Achari From firewalls-owner Wed Jun 5 11:06:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07940 for firewalls-outgoing; Wed, 5 Jun 1996 10:22:16 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA07849 for ; Wed, 5 Jun 1996 10:21:49 -0700 (PDT) Received: from pferguso-pc.cisco.com (c6robo16.cisco.com [171.68.13.176]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA25825; Wed, 5 Jun 1996 10:19:23 -0700 Message-Id: <199606051719.KAA25825@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 05 Jun 1996 13:18:35 -0400 To: Renee Landers From: Paul Ferguson Subject: Re: cisco docs, user access Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:26 AM 6/5/96 EDT, Renee Landers wrote: >First, does anyone know of any third-party guides to configuring Cisco routers? >(i.e. IOS for Dummies :-) Or does Cisco put out anything more useful than the >UniverCD -- something that would provide guidelines for configuring, including >information on some of the different configuration possibilities, something with >actual chapters, and sections, and paragraphs? Perhaps I am just not looking >hard enough at the UniverCD? > You're not looking hard enough at the CD. ;-) >Second, I have a Cisco router with version 10.2 of the software. I have several >modems connected via async line to that router. I have defined several usernames >with passwords. Is there a way to limit which users can connect to which modems? >(I know I can prevent certain users from doing stuff once they get on, via access- >classes, but can I reject the connection altogether?) Am I missing something, >or is the capability just not there? 
> >Thanks for your help > Why don't you re-send this to the cisco Users mailing list [cisco@spot.colorado.edu] instead? It would be a much more appropriate forum than the firewalls list. - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Jun 5 11:29:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10534 for firewalls-outgoing; Wed, 5 Jun 1996 10:47:12 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA10526 for ; Wed, 5 Jun 1996 10:47:03 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id JAA10160 for ; Wed, 5 Jun 1996 09:59:45 -0700 Date: Wed, 5 Jun 1996 10:43:05 -0700 (PDT) From: Michael Dillon To: firewalls@GreatCircle.COM Subject: Re: IANA private network numbers .. In-Reply-To: <199606051707.KAA21902@lint.cisco.com> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Paul Ferguson wrote: > >> Can you please elaborate on the IANA private network numbers, and how it > >> shall help if some one has a mix of registered and unregistered networks. > > > >Read RFC1918. It is all explained there. > >As long as the unregistered networks use the private network numbers from > >RFC1918 you won't ever have any problems. > > > > Well, of course, you will not be able to *advertise* them to The World. :-) Which means .. *ding* *ding* *ding* .. you'll have to install a proxy firewall! I don't suppose those Cisco NAT's will do any good here will they Paul? 
However, if you can't renumber the bad hosts or if you are using RFC1918 numbers solely to protect yourself against having to renumber when you change providers, then a NAT is a very handy solution to use along with packet filtering. Michael Dillon ISP & Internet Consulting Memra Software Inc. Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Wed Jun 5 11:36:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11132 for firewalls-outgoing; Wed, 5 Jun 1996 10:54:27 -0700 (PDT) Received: from elsol.dataway.com (elsol.dataway.com [205.158.49.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA11065 for ; Wed, 5 Jun 1996 10:54:04 -0700 (PDT) Received: from wildcat ([205.158.49.16]) by elsol.dataway.com Message-ID: <31B5C8D1.167E@dataway.com> Date: Wed, 05 Jun 1996 10:50:09 -0700 From: Mathias Kolehmainen Organization: DataWay Design X-Mailer: Mozilla 3.0b4Gold (X11; I; IRIX 5.3 IP22) MIME-Version: 1.0 To: "Achari U.M. Kakinada" CC: firewalls@GreatCircle.COM Subject: Re: CISCO serial links References: <9606051422.AA263413@rs2.ccd.harris.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Although I've never used it, I believe that the "ip-unnumbered" interface command will do the trick. It takes as an argument the number of another interface that does have an IP address. Achari U.M. Kakinada wrote: > Cisco Router > \ > \ > \ --- Serial link. > \ > ISP Cisco Router > > In the above configuration, is it possible to configure the > serial interfaces of both Cisco routers without assigning any IP > addresses OR assigning IP host addresses ( only two IP addresses > shall be used ). -- ------------------------------------- Mathias Kolehmainen ripper@dataway.com "Now it flushes away AUTOMATICALLY!" 
From firewalls-owner Wed Jun 5 11:48:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11496 for firewalls-outgoing; Wed, 5 Jun 1996 10:57:38 -0700 (PDT) Received: from zen.com (zen.com [156.70.135.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11433 for ; Wed, 5 Jun 1996 10:57:13 -0700 (PDT) Received: from by zen.com (4.1/SMI-4.1) Received: by usuwphmsx03.zen.con with Microsoft Exchange (IMC 4.0.837.3) Message-Id: From: Miller Robert RC To: "'Michael Dillon'" Cc: "'firewalls@GreatCircle.COM'" Subject: RE: Memra Date: Wed, 5 Jun 1996 13:56:46 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I concur w/ Michael and agree with his response to the original note. If people can't understand a tongue-in-cheek response when they see one, despite the use of a smiley, then TS for them. Also, it did seem to me that the sender of the original note was using this list to get specific vendor/pricing info which could easily have been gotten directly from the vendor. Bob Miller millerrc@zen.com Zeneca Pharmaceuticals, Inc. PS: Also, at least Michael was not such a wus as to send a harassing note (and his WASN'T really harassing!) and at the same time try to hide his return email address! (.@GreatCircle.COM a.k.a. ???@.cdnoxy.com). I'll refrain here from saying anything sarcastic about your Ontario-based company... (cdnoxy.com = Canadian Occidental Petroleum Ltd. @ Calgary, Ontario) >---------- >From: Michael Dillon[SMTP:michael@memra.com] >Sent: Wednesday, June 05, 1996 11:48 AM >To: .@GreatCircle.COM >Cc: firewalls@GreatCircle.COM >Subject: Re: Memra > >On Wed, 5 Jun 1996 .@GreatCircle.COM wrote: > >> >> I need very urgent an answer what we must pay for a >> >>commercial license for >> >> the firewall toolkit. >> >> On the ftp-server of TIS I don't found the pricing for a >> >>commercial license. 
>> >
>> >Why don't you ask them?
>> >
>> >If you would rather have me ask them, my fee to act as your
>> >agent would be US$2,000 per day. Send me email to get my bank
>> >account information to deposit the money.
>> >
>> >;-)
>    ^^^
>See that?
>
>> Please do not use this forum for advertising your services.
>
>I thought the ridiculously high dollar figure would make everyone
>realize that this was a bit of sarcasm but I added the winking smiley
>just to be sure. For the record, I don't charge $2,000 per day to make
>a few phone calls that people can make for themselves.
>
>> I personally have had trouble getting simple answers from
>> companies, and I don't think Ralf's question was out of line.
>
>He wants to negotiate a dealership agreement and you think that's a
>good question for the list? IMHO it's OK for end-users to ask "how much
>will it cost me" but dealers had better find out for themselves.
>
>> Is your arrogant, condescending, and unprofessional attitude
>> a reflection on your entire British Columbia based company?
>
>I'll agree with the arrogant part and the message was definitely
>condescending, but I draw the line at "unprofessional". The most
>unprofessional thing I do on this list is give away information and
>opinions for free. That is the mark of an amateur.
>
>But I do try to give the most accurate and complete answers that I can.
>Sometimes that means I do a little bit of research before answering the
>question. In the case above, my research included a quick check of the
>TIS website and a readthrough of their license agreement to refresh my
>memory. But I'm human too and subject to all the emotional foibles of
>being human and, being that I'm arrogant, can't resist dishing out a
>little sarcastic humor with my advice sometimes. Consider it my
>emotional payment for the "free" advice.
>
>Michael Dillon                                   ISP & Internet Consulting
>Memra Software Inc.
>                                                 Fax: +1-604-546-3049
>http://www.memra.com                             E-mail: michael@memra.com
>
>

From firewalls-owner Wed Jun 5 11:51:18 1996
From: Dana Brewer
Date: Wed, 5 Jun 1996 13:16:10 -0500 (CDT)
To: firewalls@GreatCircle.COM
Subject: Re: Compuserve

On Wed, 5 Jun 1996, Michael Dillon wrote:

> If you are behind a firewall you also need to open a plug-gw on port 4144
> and you need to go into the CIS.INI file and change occurrences of
> "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
> original CIS.INI here any more but I find lines like the following in
> mine:

Thanks! I needed this information. Does anyone know how to connect to America Online via TCP/IP from behind a firewall?

**************************************************************************
Dana Brewer                       Director, Computer Center
Internet: dana@nav.cc.tx.us       Navarro College
Phone : 903-874-6501              3200 W. 7th Ave.
FAX : 903-874-4636                Corsicana, TX 75110
All opinions stated are my own, and probably don't even vaguely resemble
those of Navarro College.
:)
**************************************************************************

From firewalls-owner Wed Jun 5 12:35:44 1996
From: Paul Ferguson
Date: Wed, 05 Jun 1996 14:58:46 -0400
To: Michael Dillon
Cc: firewalls@GreatCircle.COM
Subject: Re: IANA private network numbers ..

At 10:43 AM 6/5/96 -0700, Michael Dillon wrote:
>
>Which means .. *ding* *ding* *ding* .. you'll have to install a proxy
>firewall! I don't suppose those Cisco NAT's will do any good here will
>they Paul? However, if you can't renumber the bad hosts or if you are
>using RFC1918 numbers solely to protect yourself against having to
>renumber when you change providers, then a NAT is a very handy solution to
>use along with packet filtering.
>

Having NAT functionality in IOS doesn't offer proxy services. Nope.

- paul

--
Paul Ferguson                      ||        ||
Consulting Engineering             ||        ||
Reston, Virginia USA              ||||      ||||
tel: +1.703.716.9538          ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com     c i s c o  S y s t e m s

From firewalls-owner Wed Jun 5 12:52:56 1996
From: Chris Pugrud
Date: Wed, 5 Jun 1996 13:45:28 -0600
To: Firewalls Mailing list
Subject: RE: Windows NT and Firewalls

I'm going to try to respond here to the blast of messages that came back after I made known my feelings about Raptor's Eagle NT firewall product. If I missed your point, I'm sorry, it's Monday, and the coffee's just not strong enough.

[frankw@in.net] "I wouldn't quite go as far to say that it is a "boot loader"."

I can't agree, Frank. Raptor does not use NT as anything but a boot loader, a memory manager, and low level I/O. At this point it is not an NT firewall. It's a firewall that "runs on top of NT". If it just runs on top of NT then there is no reason to run on NT, there is too much overhead involved. A tight Linux kernel usually comes in at about 550k and uses 1-2MB of RAM at run time.

"Jaw drops... I can't believe that you would place your firewall in the same domain" ... "Can you elaborate on the trust issue."

An explanation of trusts:

In NT a trust is always one way. You can establish reciprocal trusts, but this negates (usually) the reasons for having separate domains. User accounts are put into the trusted (top level) domain. Access permissions in the trusting domain can be set using accounts from the trusted domain.
When a user accesses a machine in the trusting domain the computer encrypts the user's ID and password and then forwards that to the trusted domain for authentication (my understanding of the encryption involved is shaky, Russ can correct any errors here).

Simple chart next:

- Accounts set up on a computer can only be used on that computer.
- Accounts set up in a domain can be used by any computer in that domain, and any computers in domains that trust that domain.
- Computers' ACLs can use any account on that computer, any account in the domain the computer belongs to, and any accounts in domains that the computer's domain trusts.
- Trust is one-way. Domains only have access to accounts in domains they trust. Domains have no access to domains that trust them.
- Trusts must be set up and authorized by the administrators of both domains involved.
- Trust is not inherited. If domain A trusts B, and B trusts C, A does not trust C until a trust is explicitly set up.

The key word in the above is "can". Machines can be individually configured as to whether or not to allow network access to individual resources. Where this is useful and relevant to firewalls is that I can set up a proxy server on a machine and then deny all network access to the machine (this is slightly misleading, it only denies access to resources on that machine, ports are not resources, and it in no way prevents that machine from going out and accessing resources) and set up my proxy ACLs using my existing users and groups, and get accounting and audit trails based on these accounts.

This is fairly clean because of NT's single logon approach. When a user logs in they are passed back a token (encrypted?) that contains their user id (a unique hex string), and the IDs of all the groups that they belong to. When the user heads out to kill time on the Internet the proxy server requests their security token.
It then checks the individual and group IDs against its ACL to see when and if the user is permitted to loaf on the Internet. This information is then logged and you have a transparent proxy with individual accounting (at least the individual that last logged on, but that's not platform specific).

Side points and counter points:

Small businesses are connecting up to the Internet like nobody's business. If you feel that companies that can't afford a full time network security administrator to sit around and go "wow, the Internet sure is dangerous" don't have a right to be on the Internet then you really ought to buy a ticket to Jamaica while you can still afford it. (okay I've relaxed now) Small businesses desperately want to be on the Internet right now, and a few thousand dollar setup and a couple hundred bucks a month is already straining their budget. If everybody has them convinced that it's going to cost them 20-30-50 K$ then they are far more likely to say "ahh CDA it, plug it in, we're too small to get hacked. Who would want to?" OTOH if you can walk in the door and say "my fee is a $1000 bucks, but I can have you on the Internet full time for $2000 and $200 a month." you will probably be pretty busy (this is assuming that your work is good and you have properly licensed the FWTK).

Ideally my firewalls would have the Internet connected to a filtering router connected to a hard, fast firewall connected to a caching proxy, connected to a filtering router connected to the internal network all in series. Only the internal proxy would have any connection to the NT domain. This would give me good accepting and feedback and two layers of isolation to protect NT from the Internet. I dream big, but my customers have budgets. I have one customer that is biding their time waiting for the Integrated NT proxy so they can do just this design. Fortunately they are very patient. It's a lot like a Ferrari, everybody goes "WoW, that's really cool!
So what do you have in the $5K price range?"

Windows NT is not the be all and end all of NOSs. For the most part it is friendly and damn easy to use. If all you know is UNIX then there is a stumble until you get turned around and used to it. I heard evidence lately that IBM is still selling more copies of WARP in a month than NT has ever sold in a year. This could be entirely true. (don't people get fired for buying IBM these days?). This is just kind of scary, everyday administration of NT doesn't require any black magic (I don't think UNIX does, but most people do).

Windows NT is not a secure operating system. NT has its share of holes "out of the box." NT has a wider range of security and auditing functions than standard UNIX OSs, but they have to be turned on. NT can be set up in a very secure fashion, but it is not certifiable in any usable configuration unless you favor putting computers in vaults a la Mission Implausible.

I love tuning systems with my bare hands. I'm a happy camper when I'm under the hood adjusting the screws, setting the valves and just adding my own characteristic signature that makes the machine hum the way I like. I've had a really fun life with the flavors of UNIX, and I've been having fun with NT lately. Now I can afford to hire lower cost help desk people for basic administration. Now I might be able to keep up on this list and stay up to date. That sounds great to me. I started on computers when I had to stand on a chair to load the punch cards and plan to be plugged in when I pass along. Shortcuts and simplicity make life easier for me and my users.

Thanks for hearing me out. I'll leave the flame suit in the closet, it's kind of cold in the dungeon anyways.
Chris

---
#include
Chris Pugrud
Network Engineering
Stellar Dynamics, Idaho Power
- Some mornings it's not worth gnawing through the restraints -

From firewalls-owner Wed Jun 5 13:06:33 1996
From: corby@intuit.com (Corby Anderson)
Date: Wed, 5 Jun 1996 12:51:15 -0700 (PDT)
To: dana@dilbert.nav.cc.tx.us (Dana Brewer)
Cc: firewalls@GreatCircle.COM
Subject: Re: Compuserve

>
> On Wed, 5 Jun 1996, Michael Dillon wrote:
>
> > If you are behind a firewall you also need to open a plug-gw on port 4144
> > and you need to go into the CIS.INI file and change occurrences of
> > "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
> > original CIS.INI here any more but I find lines like the following in
> > mine:
>
> Thanks! I needed this information. Does anyone know how to connect to
> America Online via TCP/IP from behind a firewall?

Pretty much the same thing. Open a plug-gw on port 5190 to a machine called americaonline.aol.com. They have three A records for this host in their DNS and will return any of the following three IP addresses:

198.81.8.18
198.81.18.82
198.81.18.84

To use it from AOL, find where you specify the connection type and set it to TCP/IP.
Corby

From firewalls-owner Wed Jun 5 13:21:32 1996
From: Mike.Jones@unifiedtech.com (Mike Jones)
Date: Wed, 5 Jun 1996 15:53:32 -0400
To: firewalls@greatcircle.com
Subject: Re: IANA private network numbers ..

Paul Ferguson writes...

> >Which means .. *ding* *ding* *ding* .. you'll have to install a proxy
> >firewall! I don't suppose those Cisco NAT's will do any good here will
> >they Paul? However, if you can't renumber the bad hosts or if you are
> >using RFC1918 numbers solely to protect yourself against having to
> >renumber when you change providers, then a NAT is a very handy solution to
> >use along with packet filtering.

> Having NAT functionality in IOS doesn't offer proxy services. Nope.

In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael, you're completely off base on this one.

Mike Jones
Sr.
Network Computing Advisor
Unified Technologies

From firewalls-owner Wed Jun 5 13:35:44 1996
From: David Schnardthorst
Organization: Stryder Communications, Inc.
Date: Wed, 5 Jun 1996 15:09:55 -0500 (CDT)
To: dana@dilbert.nav.cc.tx.us (Dana Brewer)
Cc: firewalls@GreatCircle.COM
Subject: Re: Compuserve

In the Original, Dana Brewer Says
>
>On Wed, 5 Jun 1996, Michael Dillon wrote:
>
>> If you are behind a firewall you also need to open a plug-gw on port 4144
>> and you need to go into the CIS.INI file and change occurrences of
>> "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
>> original CIS.INI here any more but I find lines like the following in
>> mine:
>
>Thanks! I needed this information. Does anyone know how to connect to
>America Online via TCP/IP from behind a firewall?
>

In response to this question, which I myself have even asked, I have added the proxy information for AOL and Compuserve to the URL:

http://www.strydr.com/misc/FAQ/firewalls/fwtk

I will continue to add proxy information to this site. If you have some information to add to this site, please feel free to e-mail me your sample configurations. Configurations in HTML format would be preferred.

BTW, this is not meant to be an advertisement, just an area where people can go to get sample configurations for various firewalls.

============================================================================
David Schnardthorst, Systems/Network Eng.   * Phone: (314)838-6839
Stryder Communications, Inc.                * Fax: (314)838-8527
869 St. Francois                            * E-Mail: ds3721@strydr.com
Florissant, MO 63031                        * URL: http://www.strydr.com
============================================================================

From firewalls-owner Wed Jun 5 14:11:12 1996
From: Nelson Murilo
Date: Wed, 5 Jun 1996 18:00:24 -0400 (WST)
To: firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?
In-Reply-To: <9606050828.ZM6392@sbergeon.neosoft.com>

On Wed, 5 Jun 1996, Steve Bergeon wrote:

sbergeon>Wrappers were unable to verify the system's name and ip address match.
sbergeon>This could just be someone attempting access from an isp that does not
sbergeon>have dns names assigned to all of its address space. Or...
sbergeon>
sbergeon>If you want unresolvable systems to have access to a service, you can
sbergeon>use the keyword UNKNOWN in your hosts.allow file.

FILE: eval.c (tcp_wrapper package)

(...)
/*
 * When a string has the value STRING_UNKNOWN, it means: don't bother, I
 * tried to look up the data but it was unavailable for some reason. When a
 * host name has the value STRING_PARANOID it means there was a name/address
 * conflict.
 */

char    unknown[] = STRING_UNKNOWN;
char    paranoid[] = STRING_PARANOID;
(...)

TIA

Nelson Murilo
Pangeia Informatica - Internet solutions provider.
http://www.pangeia.com.br   http://www.bluesky.net/pangeia

From firewalls-owner Wed Jun 5 14:50:38 1996
From: "Post, Lenny"
Date: Wed, 05 Jun 96 13:58:00 MDT
To: "'Firewalls'"
Subject: RE: Memra

[ahhh the munch monster has struck ...]

>Bob Miller
>millerrc@zen.com
>Zeneca Pharmaceuticals, Inc.

>PS: Also, at least Michael was not such a wus as to send a harassing
>note (and his WASN'T really harassing!) and at the same time try to hide
>his return email address! (.@GreatCircle.COM a.k.a. ???@.cdnoxy.com).
>I'll refrain here from saying anything sarcastic about your
>Ontario-based company... (cdnoxy.com = Canadian Occidental Petroleum
>Ltd.
>@ Calgary, Ontario)

The city of Calgary resides in the province of Alberta (not Ontario).
(We in the west just want to make that clear :-) :-) :-)

Lenny Post                        email: lenny.post@aec.ca
IT Coordinator                    AEC West Ltd.
Calgary born and raised and       Calgary, AB T2P 1H5
overall a nice guy :-)
From firewalls-owner Wed Jun 5 15:20:55 1996
From: "Douglas R. Mackintosh"
Date: Wed, 5 Jun 1996 15:30:35 -0600 (MDT)
To: firewalls@greatcircle.com
Subject: FLAME (was: Re: Memra)

> Last Friday, Michael Dillon wrote:
>
> >Date: Fri, 31 May 1996 10:12:07 -0700 (PDT)
> >From: Michael Dillon
> >Subject: Re: commercial license for fwtk from TIS
> >
> >On Fri, 31 May 1996, Ralf Naegele wrote:
> >
> >> our organization is thinking about providing the fwtk.
> >> I need an answer very urgently on what we must pay for a
> >> commercial license for the firewall toolkit.
> >> On the ftp-server of TIS I didn't find the pricing for a
> >> commercial license.
> >
> >Why don't you ask them?
> >
> >If you would rather have me ask them, my fee to act as your
> >agent would be US$2,000 per day. Send me email to get my bank
> >account information to deposit the money.
> >
> >;-)
> >
> >Michael Dillon                                   ISP & Internet Consulting
> >Memra Software Inc.                              Fax: +1-604-546-3049
> >http://www.memra.com                             E-mail: michael@memra.com
>
> Michael,
>
> Please do not use this forum for advertising your services.
>
> I personally have had trouble getting simple answers from
> companies, and I don't think Ralf's question was out of line.
>
> Is your arrogant, condescending, and unprofessional attitude
> a reflection on your entire British Columbia based company?
>

(My sincere apologies to the list for this email which should be private. If you don't want to read yet another flame then move along to the next message.)

Dear Gomer,

Since your email is BROKEN to the point that one CANNOT EVEN REPLY to it I am forced to subject the gentle readers of this list to my reply to your idiocy. (Maybe this is why you can't get your simple answers. Maybe all your simple answers are bouncing back to the vendors in question.)

My points:

1) Mr. Dillon was not advertising. It was a minor flame. Get a grip.

2) Ralf's question *was* out of line in that a call to the vendor in question would have resolved it instantly. His question, asked here, is like someone walking into a Safeway store and asking the people there how much the cars cost at the Chevy dealer across the street. Can you say stooopid?

3) Mr. Dillon's attitude was neither arrogant nor unprofessional. Perhaps a wee bit condescending, but this is the normal voice one adopts when speaking to an apparently dense person.

4) Methinks you're ALONE on this one.

--
Doug

From firewalls-owner Wed Jun 5 15:20:55 1996
From: Chris Watson
Date: Wed, 5 Jun 1996 18:02:01 -0400 (EDT)
To: Steve Bergeon
Cc: firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?
In-Reply-To: <9606050828.ZM6392@sbergeon.neosoft.com>

On Wed, 5 Jun 1996, Steve Bergeon wrote:

> Wrappers were unable to verify the system's name and ip address match.
> This could just be someone attempting access from an isp that does not
> have dns names assigned to all of its address space. Or...
>
> If you want unresolvable systems to have access to a service, you can
> use the keyword UNKNOWN in your hosts.allow file.

No, I DON'T want them to get in, but what is getting me riled is the fact that this line:

Jun 4 23:23:32 orion telnetd[10526]: refused connect from unknown

will repeat over and over and over and over for like 5 pages of logs. I'm getting extremely annoyed at this. At first I thought it was a random goof, but then I sit down and look at 9 or more pages of logs with nothing in them but the same line above for 9 pages; something is going on. No one is dumb enough to keep trying and trying and trying to telnet in with no luck. I get the same line every night repeatedly. I don't know if I should be worried about this or not. I mean they're NOT getting in, but they are constantly trying; it's driving me nuts. Any way to find out the source IP? I want to figure out how to get rid of this person or automated something.

--
===================================|  Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    |  Phone: 908-367-8030 ext. 126
-----------------------------------|  500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      |  E-Mail: scanner@webspan.net
http://www.freebsd.org             |  SysAdmin / Network Engineer / Security
===================================|  Member BSDNET team!
http://www.bsdnet.org

From firewalls-owner Wed Jun 5 15:37:09 1996
From: Peter Jeremy
Date: Thu, 06 Jun 1996 08:25:46 +1000
To: firewalls@GreatCircle.COM
Subject: Re: IANA private network numbers ..

On Wed, 5 Jun 1996, Michael Dillon wrote:
>As long as the unregistered networks use the private network numbers from
>RFC1918 you won't ever have any problems.

At least until you merge with another company that is also using the same RFC1918 address block.
Peter
----
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 690 5019
ALEXANDRIA NSW 2015                     Fax: +61 2 690 5247
PGP fingerprint: 2A C6 47 D1 BF 56 5A 10 CC 02 2D 89 EA 10 AA 40

From firewalls-owner Wed Jun 5 15:37:59 1996
From: George Matovu
Date: Wed, 5 Jun 1996 14:08:49 -0700 (PDT)
To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Cc: firewalls@GreatCircle.COM
Subject: Re: ICMP Source Quench

I would say block them. They would indicate to a denial of service attacker how effective his/her efforts are.

George.

At 04:26 AM 6/5/96 PDT, you wrote:
>I've noticed a lot of ICMP Source Quench packets in my firewall logs. They
>are (or were more precisely) outbound. My references say that this is a
>primitive form of flow control. What are people's experiences with allowing
>this as an outbound packet. I don't see any security risk offhand, but
>I'd like to know what others have seen. Does anyone know of any security
>weaknesses related to Source Quench?
>
>Thanks,
>
>BobK
>
>

From firewalls-owner Wed Jun 5 16:40:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA22106 for firewalls-outgoing; Wed, 5 Jun 1996 16:14:18 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA22086 for ; Wed, 5 Jun 1996 16:14:07 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id PAA19482; Wed, 5 Jun 1996 15:26:18 -0700
Date: Wed, 5 Jun 1996 16:09:40 -0700 (PDT)
From: Michael Dillon
To: "'Firewalls'"
cc: bbench@cdnoxy.com
Subject: RE: Memra
In-Reply-To: <31B5EF48@clavin017.aec.ca>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Post, Lenny wrote:
> >Ontario-based company... (cdnoxy.com = Canadian Occidental Petroleum
> >Ltd. @ Calgary, Ontario)
>
> The city of Calgary resides in the province of Alberta (not Ontario).
> (We in the west just want to make that clear :-) :-) :-)

Guess what? Canadian Occidental has it listed as Ontario in the Internic's
whois database too. Maybe we should tell Brian Bench about this? Note CC
above....

Of course this may just be another case of those Eastern Imperialists
attempting to foment Western alienation.... You guys at Atomic Energy
Canada wouldn't have a firewall that we could install between Ontario and
Manitoba, would you?

And for the rest of you, it is always a good idea to review your
registration info in the Internic's database because they DO make mistakes,
they DO get nameserver IP addresses wrong and they DO occasionally change
things unannounced and without your permission. If you review your info
every once in a while you can keep it on track. I have even heard of denial
of service attacks caused by people maliciously updating a company's
Internic info.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 17:15:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA20970 for firewalls-outgoing; Wed, 5 Jun 1996 16:07:10 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA20923 for ; Wed, 5 Jun 1996 16:06:52 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id PAA19325; Wed, 5 Jun 1996 15:19:51 -0700
Date: Wed, 5 Jun 1996 16:03:11 -0700 (PDT)
From: Michael Dillon
To: Mike Jones
cc: firewalls@GreatCircle.COM
Subject: Re: IANA private network numbers ..
In-Reply-To: <9606051953.AA05961@bass.unifiedtech.com>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Mike Jones wrote:
> In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> you're completely off base on this one.

I think what you mean to say is that using RFC1918 addresses doesn't
necessarily require a proxy firewall if you have a set of registered
addresses that can be used with a NAT in between to translate.

I was thinking of the scenario in which no NAT is used, all hosts on the
internal networks have RFC1918 addresses and all access to the Internet is
through a proxy firewall that consumes one single registered host IP
address.

Both scenarios are possible and both accomplish different things. For
instance, in the NAT scenario anyone can set up a WWW server on their
desktop and give access to the global Internet assuming that there are no
packet filters in place to prevent it. In the non-NAT scenario the desktop
WWW server is inaccessible to the global Internet because only the one
proxy server is visible globally. However, the admin could open up a
plug-gw on some port of the proxy server to provide access to that desktop
WWW server if it was warranted but the URL would then be
http://firewall.yourdomain.com:5555 or some such.

Just in case someone is lurking out there wondering what NAT is, it stands
for Network Address Translator and it converts IP addresses (and a bit of
other stuff) on the fly so that you can renumber your network from the
global point of view without doing anything locally other than installing
and configuring the NAT.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 17:36:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24914 for firewalls-outgoing; Wed, 5 Jun 1996 16:44:39 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id QAA24903 for firewalls@greatcircle.com; Wed, 5 Jun 1996 16:44:33 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA00978 for ; Mon, 3 Jun 1996 23:59:13 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from ns.coy.com(206.224.78.2) by mycroft via smap (V1.3mjr)
Received: (from coy@localhost) by ns.coy.com (8.7.4/8.7.3) id SAA26486; Mon, 3 Jun 1996 18:14:55 -0500
Date: Mon, 3 Jun 1996 18:14:54 -0500 (CDT)
From: RHS Linux User
To: ygerman
cc: Firewalls
Subject: Re: Ability To Track Logs
In-Reply-To: <9606031534.AA0078@grcstm-nx02.genre.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 3 Jun 1996, ygerman wrote:
> I am in a bind on how to accomplish something on our firewall.
> I would like to check the logs on the firewall continuously looking for certain
> fields and based on the fields initiate an action. The action will be mail to a
> different address depending on the field found.
>
> Currently I am setting this up via a c shell script and doing a grep for certain
> things every hour. The problem is I would like not to have to wait an hour. Has
> anyone had any experience with this. Is there a way to accomplish this easier?
> Please respond as soon as possible, thanks!

Have you considered Swatch (available at
ftp://coast.cs.purdue.edu/pub/tools/unix/swatch)? It watches a log file and
takes an action when a pattern matches.

Chip Coy
coy@coy.com
http://www.awebs.com/~coy/
"Do not mistake composure for ease." - Tuvok

From firewalls-owner Wed Jun 5 17:38:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17130 for firewalls-outgoing; Wed, 5 Jun 1996 15:43:01 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA17091 for ; Wed, 5 Jun 1996 15:42:32 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id OAA18866; Wed, 5 Jun 1996 14:55:59 -0700
Date: Wed, 5 Jun 1996 15:39:19 -0700 (PDT)
From: Michael Dillon
To: Dana Brewer
cc: firewalls@GreatCircle.COM
Subject: Re: Compuserve
In-Reply-To:
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Dana Brewer wrote:
> On Wed, 5 Jun 1996, Michael Dillon wrote:
>
> > If you are behind a firewall you also need to open a plug-gw on port 4144
> > and you need to go into the CIS.INI file and change occurrences of
> > "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
> > original CIS.INI here any more but I find lines like the following in
> > mine:
>
> Thanks! I needed this information. Does anyone know how to connect to
> America Online via TCP/IP from behind a firewall?

Basically the same way except that the port number that needs the plug-gw
is 5190 and you need to edit TCP.CCL in the CCL directory to read like this:

NetConnect 1 5190 10 firewall.yourdomain.com

instead of what was already there. I am using AOL 2.5 for Windows. On the
startup screen click Setup, then Edit Location, then select TCP/IP from the
Network drop-down box.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 17:38:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17168 for firewalls-outgoing; Wed, 5 Jun 1996 15:43:09 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA17064 for ; Wed, 5 Jun 1996 15:42:27 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id RAA29845; Wed, 5 Jun 1996 17:40:00 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id RAA10123; Wed, 5 Jun 1996 17:33:35 -0500
Received: by sonic.nmti.com; id AA29790; Wed, 5 Jun 1996 17:33:34 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9606052233.AA29790@sonic.nmti.com.nmti.com>
Subject: Re: Windows NT and Firewalls
To: ChrisP@steldyn.com (Chris Pugrud)
Date: Wed, 5 Jun 1996 17:33:33 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Chris Pugrud" at Jun 5, 96 01:45:28 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The key word in the above is "can". Machines can be individually configured
> as to whether or not to allow network access to individual resources. Where
> this is useful and relevant to firewalls that I can set up a proxy server on
> a machine and then deny all network access to the machine (this is slightly
> misleading, it only denies access to resources on that machine, ports are
> not resources, and it in no way prevents that machine from going out and
> accessing resources) and set up my proxy ACL's using my existing users and
> groups, and to get accounting and audit trails based on these accounts.
And if someone compromises your internal server, they can waltz through your
firewall. Basically, the only way I can see having a firewall on top of NT
that I could trust would be one where Workstation and Server are
*completely* isolated from TCP/IP, and there's a router between you and the
internal network.

> Small businesses are connecting up to the Internet like nobody's business.
> If you feel that companies that can't afford a full time network security
> administrator to sit around and go "wow, the Internet sure is dangerous"
> don't have a right to be on the Internet then you really ought to buy a
> ticket to Jamaica while you can still afford it. (okay I've relaxed now)

If NT security is good enough that you can leave the bastion sitting there
using it to manage accesses, then it's good enough you don't need a bastion
at all.

When you set up a UNIX (BSD, Linux) bastion the first thing you do is shut
down inetd, sendmail, syslogd, lpd, and so on. NOW you can add proxies
without any concern that someone's going to hack the firewall through the
normal administration channels. I can't see how you can get that sort of
assurance with NT, and if you do have that level of assurance you might as
well toss the bastion, and simply filter out accesses to low ports in case
some twit's turned on the FTP service or something... you can set up a
filtering router a lot cheaper than a dual homed bastion... if you bought an
Ascend Pipeline to hook into the Internet you've already got one, and the
filtering rules for that are simple enough even I'd trust you to get them
right.

Personally, I don't have that level of trust in NT security.

And whether the firewall is running on top of NT or BSD or LSD I'm not going
to administer it over the network from a less-secure server. I'm going to
sit down at the console and drive the thing, or drive it from a VPN that
only contains other equally secure hosts. And if you're a small enough
company that you can't afford a full time net nerd you're a small enough
company it's not going to take more than half an hour a week to do that.

From firewalls-owner Wed Jun 5 18:35:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06537 for firewalls-outgoing; Wed, 5 Jun 1996 18:30:26 -0700 (PDT)
Received: from mailhub.cts.com (mailhub.cts.com [192.188.72.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA06518 for ; Wed, 5 Jun 1996 18:30:15 -0700 (PDT)
Received: from rruda(really [204.212.129.32]) by mailhub.cts.com
Received: by rruda with Microsoft Mail
Message-ID: <01BB530D.1A1848E0@rruda>
From: Richard Ruda
To: "'Firewalls@GreatCircle.COM'"
Cc: "'bill.stout@hidata.com'"
Subject: RE: Firewalls-Digest V5 #356
Date: Wed, 5 Jun 1996 18:01:55 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BB530D.1A417BC0"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------ =_NextPart_000_01BB530D.1A417BC0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Tue, 4 Jun 1996 13:30:15 -0700 Bill Stout Wrote
Subject: NT DNS in 4.0b2

"The only drawback I've seen is not being able to connect to non-NT DNS
server properties."

Can you explain exactly what you mean. Will an internal DNS running on
NT4.0b2 not be able to say talk to a Unix firewall??
Thanks
Richard

------ =_NextPart_000_01BB530D.1A417BC0--

From firewalls-owner Wed Jun 5 18:59:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06566 for firewalls-outgoing; Wed, 5 Jun 1996 18:31:16 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA06559 for ; Wed, 5 Jun 1996 18:31:04 -0700 (PDT)
Received: by mercury.Sun.COM (Sun.COM)
Received: from nsg.Singapore.Sun.COM by Singapore.Sun.COM (SMI-8.6/SMI-5.3)
Received: by nsg.Singapore.Sun.COM (SMI-8.6/SMI-SVR4)
Date: Thu, 6 Jun 1996 09:25:32 +0800
From: rc@Singapore.Sun.COM (Ran-Chi Huang - Asia ENS Manager)
Message-Id: <199606060125.JAA13569@nsg.Singapore.Sun.COM>
To: akakinad@ccd.harris.com, ripper@dataway.com
Subject: Re: CISCO serial links
Cc: firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mathias,

You are absolutely right. We are using the ip unnumbered command which
takes the address of the ethernet interface. E.g.

interface Serial0
 ip unnumbered Ethernet0

Hope this helps
-rc

> From ripper@dataway.com Thu Jun 6 03:10:34 1996
> Date: Wed, 05 Jun 1996 10:50:09 -0700
> From: Mathias Kolehmainen
> MIME-Version: 1.0
> To: "Achari U.M. Kakinada"
> CC: firewalls@GreatCircle.COM
> Subject: Re: CISCO serial links
> Content-Transfer-Encoding: 7bit
>
> Hi,
>
> Although I've never used it, I believe that the "ip-unnumbered" interface command
> will do the trick. It takes as an argument the number of another interface that
> does have an IP address.
>
>
>
> Achari U.M. Kakinada wrote:
> > Cisco Router
> >             \
> >              \
> >               \ --- Serial link.
> >                \
> >               ISP Cisco Router
> >
> > In the above configuration, is it possible to configure the
> > serial interfaces of both Cisco routers without assigning any IP
> > addresses OR assigning IP host address ( only two IP addresses
> > shall be used ).
> --
>
> -------------------------------------
> Mathias Kolehmainen
> ripper@dataway.com
>
> "Now it flushes away AUTOMATICALLY!"
>

From firewalls-owner Thu Jun 6 00:46:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA17530 for firewalls-outgoing; Thu, 6 Jun 1996 00:21:47 -0700 (PDT)
Received: from gatekeeper.ebrd.com (gatekeeper.ebrd.com [193.128.203.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA17511 for ; Thu, 6 Jun 1996 00:21:23 -0700 (PDT)
Received: by gatekeeper.ebrd.com; id IAA24688; Thu, 6 Jun 1996 08:19:03 +0100
Received: from camalot.ebrd.com(193.128.31.1) by gatekeeper.ebrd.com via smap (g3.0.3)
Received: from ariel (ariel.ebrd.com) by ebrd.com (4.1/SMI-4.1)
Message-Id: <31B68655.3372@ebrd.com>
Date: Thu, 06 Jun 1996 08:18:45 +0100
From: Martin Marshall
Organization: European Bank for Reconstruction and Development
X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.4 sun4m)
Mime-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: NT Firewalls
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We currently have a Unix Firewall solution, we would like to move to a
NT Firewall (If Possible).

Could anyone let me know where to jump, if a jump is to be made at all !
Any comments will be welcomed

Martin Marshall

From firewalls-owner Thu Jun 6 01:20:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA18166 for firewalls-outgoing; Thu, 6 Jun 1996 00:42:10 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id AAA18158 for firewalls@greatcircle.com; Thu, 6 Jun 1996 00:42:06 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA17726 for ; Wed, 5 Jun 1996 15:47:58 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from relay-4.mail.demon.net(158.152.1.108) by mycroft via smap (V1.3mjr)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net
Received: from youngman.demon.co.uk ([158.152.67.147]) by relay-3.mail.demon.net
Message-ID: <31B5F253.6DF@youngman.demon.co.uk>
Date: Wed, 05 Jun 1996 20:47:15 +0000
From: Jeremy Youngman
X-Mailer: Mozilla 2.02 (Win16; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Compuserve results
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi and thanks to everybody who has replied to my note about Compuserve.

I hope you get this reply - I sent five queries and apparently they did not
all arrive (some people only got one, and some people got the 5th followed
by the 4th; I got none :( but I digress...)

I had four replies from people successfully allowing Compuserve access.
Nobody said they had considered it but decided against, and nobody was
aware of any problems. So far so good...

I also had a few queries asking what I was talking about, so:

You can connect to Compuserve via the Internet instead of a dial-up link.
You do this by configuring your software to use WINSOCK and giving it the
name of a Compuserve gateway. The s/ware then talks to Compuserve's TCP
PORT 4144 (that's a rough summary).

I guess the benefit of this is that you can access Compuserve so long as
you have access to the Internet, without having to pay phone bills (unless
your Internet connection is a dial-up one ;) ). So this could be an
advantage to companies with direct Internet access.

A couple of people said they thought that Internet access only provided a
limited Telnet-type connection. As far as I could tell the access via PORT
4144 gives full Compuserve functionality - I can't tell for sure because
I'm not a great Compuserve user, but one of my respondents certainly
thought this. It's certainly more than just Telnet. Note that you may need
a certain level of WinCIM (V1.4?).

In summary: a number of people are doing it, there are no known probs, and
you can plug-gw it.

Hope this helps,
--
Jeremy Youngman               | ######  ##   ## |  ("`-/")_.-'"``-.
jeremy@youngman.demon.co.uk   |   ##    #####   |   . . `; -._  )-;-,_`)
Tel: +44 (0)1603 686258       |   #     ##  ##  |  (v_,)'  _  )`-.\  ``-'
PGP: Key avail on request     | ####    #####   | _.- _..-_/ / ((.'
----- All cats look grey in the dark -----         ((,.-'   ((,/

From firewalls-owner Thu Jun 6 03:05:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA27833 for firewalls-outgoing; Thu, 6 Jun 1996 02:43:51 -0700 (PDT)
Received: from Legato.COM (legato.Legato.COM [137.69.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA27822 for ; Thu, 6 Jun 1996 02:43:35 -0700 (PDT)
Received: from jupiter.Legato.COM by Legato.COM (4.1/SMI-4.1)
Received: from hydrus.Legato.COM by jupiter.Legato.COM (5.x/SMI-SVR4)
Date: Thu, 6 Jun 1996 02:41:11 -0700
From: wbelfer@jupiter.Legato.COM (Warren Belfer)
Message-Id: <9606060941.AA19105@jupiter.Legato.COM>
To: firewalls@greatcircle.com
Subject: Re: Compuserve
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi folks,

Just to verify Compuserve access via direct internet.
I'm the sysop for our forum on compuserve and my only access is directly
over the internet. I use the latest version of wincim and have it setup to
use winsock.

The only limitation I'm aware of, is that during the day you may have
trouble getting in. I do my stuff at nite, but once the sun starts to come
up, I get lots of "WinSock" errors with the program advising me to fix my
winsock setup. In reality this is just a "busy signal" from their gateway
that the program doesn't handle very well.

Good luck

Warren

From firewalls-owner Thu Jun 6 03:20:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA27925 for firewalls-outgoing; Thu, 6 Jun 1996 02:46:19 -0700 (PDT)
Received: from swissbank.swissbank.com (swissbank.swissbank.com [146.180.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA27904 for ; Thu, 6 Jun 1996 02:45:35 -0700 (PDT)
Received: by swissbank.swissbank.com with UUCP
Received: from il.us.swissbank.com by gatekeeper.swissbank.com with SMTP
Received: from chmail.ch.swissbank.com (chmailhost) by il.us.swissbank.com (4.1/SBCW oconnor v1.3 96/06/04)
Received: from chbslu08 by chmail.ch.swissbank.com with SMTP id AA25562
Received: from cp690016 ([161.20.3.107]) by chbslu08 (4.1/SMI-4.1)
Date: Thu, 6 Jun 96 11:36:49 +0200
Message-Id: <9606060936.AA16675@chbslu08>
X-Sender: t075456@jupiter
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Martin Hauser
Subject: Re: Compuserve
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 5 Jun 1996, Michael Dillon wrote:
>
> > If you are behind a firewall you also need to open a plug-gw on port 4144
> > and you need to go into the CIS.INI file and change occurrences of
> > "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
> > original CIS.INI here any more but I find lines like the following in
> > mine: ...

SNIP

OK - this seems to work, but how secure is it? Are there any specs
available for this compuserve protocol (Compuserve has not been responsive
for such requests in the past)? Before opening a hole in the wall it would
be nice to know more about the protocol.

Martin

From firewalls-owner Thu Jun 6 04:55:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA03248 for firewalls-outgoing; Thu, 6 Jun 1996 04:32:30 -0700 (PDT)
Received: from mail.vtx.ch (mail.vtx.ch [194.51.92.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA03239 for ; Thu, 6 Jun 1996 04:32:15 -0700 (PDT)
Received: from tla03 (194.235.15.17) by mail.vtx.ch
Message-ID: <31B6BF97.2D00@tla.ch>
Date: Thu, 06 Jun 1996 13:23:03 +0200
From: Christian ALT
X-Mailer: Mozilla 2.01Gold (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: SNA Gateways on NT
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi to all,

We are conceiving a TCP/IP network with some other companies. We intend to
secure the access to our network by setting a firewall. We have several
services that we want to let incoming. Among those services is the SNA
gateway traffic, from external clients to our internal SNA gateway running
on NT. We discovered that the port 1478/tcp and 1477/tcp were used. We do
not know the content of that protocol. We are interested in getting
information about the security aspects of that protocol, authentication,
encryption. We went through the Microsoft documentation and were unable to
find something specific to those two points.

Does anybody have that kind of information, or did anyone study that point.

TIA

CHA

From firewalls-owner Thu Jun 6 05:08:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA03233 for firewalls-outgoing; Thu, 6 Jun 1996 04:31:47 -0700 (PDT)
Received: from inetgate.scitexdpi.com (firewall.sdp.scitex.com [149.115.248.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA03225 for ; Thu, 6 Jun 1996 04:31:34 -0700 (PDT)
Received: by inetgate.scitexdpi.com; id AA04264; Thu, 6 Jun 96 07:29:09 EDT
Received: from mailhub.scitexdpi.com(172.16.9.23) by inetgate.scitexdpi.com via smap (V3.1)
Received: from mailhub.scitexdpi.com by mailhub with SMTP id AA24477
Received: from sdphq-Message_Server by mailhub.scitexdpi.com
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 06 Jun 1996 07:28:22 -0400
From: Bob Allison
To: firewalls@GreatCircle.COM
Subject: Re: Compuserve -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Quick reminder to everyone using the Internet to get to Compu$erve and AOL:
Last I heard, your account/password information was transmitted in the
clear, which means, of course, that a snooper has access to your CS or AOL
account. (If this info is outdated, I'm sure someone will be kind enough
to tell me.)

>>> Dana Brewer 06/05/96 02:16pm >>>
On Wed, 5 Jun 1996, Michael Dillon wrote:

> If you are behind a firewall you also need to open a plug-gw on port 4144
> and you need to go into the CIS.INI file and change occurrences of
> "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
> original CIS.INI here any more but I find lines like the following in
> mine:

Thanks! I needed this information. Does anyone know how to connect to
America Online via TCP/IP from behind a firewall?

**************************************************************************
Dana Brewer                            Director, Computer Center
Internet: dana@nav.cc.tx.us            Navarro College
Phone   : 903-874-6501                 3200 W. 7th Ave.
FAX : 903-874-4636 Corsicana, TX 75110 All opinions stated are my own, and probably don't even vaguely resemble those of Navarro College. :) ************************************************************************** From firewalls-owner Thu Jun 6 05:16:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA03084 for firewalls-outgoing; Thu, 6 Jun 1996 04:25:22 -0700 (PDT) Received: from fire1.sprintlink.net (fire1.sprintlink.net [206.229.244.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA03053 for ; Thu, 6 Jun 1996 04:25:00 -0700 (PDT) Received: from fire2.int.sprintlink.net ([206.229.244.28]) by fire1.sprintlink.net Received: from athens.int.sprintlink.net ([208.0.2.203]) by fire2.int.sprintlink.net Received: (from rquinn@localhost) by athens.int.sprintlink.net (8.7.5/8.7.3) id HAA11347 for Firewalls@GreatCircle.COM; Thu, 6 Jun 1996 07:22:09 -0400 (EDT) From: Rob Quinn Message-Id: <199606061122.HAA11347@athens.int.sprintlink.net> Subject: Re: unknown in tcpwrappers? To: Firewalls@GreatCircle.COM Date: Thu, 6 Jun 1996 07:22:09 -0400 (EDT) In-Reply-To: <199606060800.BAA19258@miles.greatcircle.com> from "Firewalls-Digest" at Jun 6, 96 01:00:38 am X-Alternate-Address: rjq@phys.ksu.edu Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Wed, 5 Jun 1996 18:02:01 -0400 (EDT) > From: Chris Watson > Subject: Re: unknown in tcpwrappers? > > No i DONT want them to get in but what is getting em riled is the fact > that this line: > Jun 4 23:23:32 orion telnetd[10526]: refused connect from unknown > will repeat over and over and over and over for like 5 pages of logs. You get that when you invoke the tcp wrappers from the command like. For instance I just type ``tcpd'' and I get: athens tcpd[11337]: refused connect from unknown Did wrap some program that's being invoked from a cron job, like sendmail or something? 
> Im getting extremely annoyed at this at first i thought it was a random > goof but then i sit down and look at 9 or more pages of logs with nothing > in them but the same line above for 9 pages something is going on no one > is dumb enough to keep trying and trying and trying to telnet in with no > luck. I get the same line everynight repeatedly. At fixed intervals? That would be a clue that it's cron. -- | Rob Quinn | | (703)904-2125 | | rquinn@sprint.net | | Sprint Corporate Security | From firewalls-owner Thu Jun 6 06:00:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA08527 for firewalls-outgoing; Thu, 6 Jun 1996 05:40:51 -0700 (PDT) Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA08470 for ; Thu, 6 Jun 1996 05:40:26 -0700 (PDT) Received: from bass.unifiedtech.com by anchorsteam (5.x/SMI-SVR4) Received: by bass.unifiedtech.com (5.x/SMI-SVR4) Date: Thu, 6 Jun 1996 08:26:01 -0400 From: Mike.Jones@unifiedtech.com (Mike Jones) Message-Id: <9606061226.AA06299@bass.unifiedtech.com> To: michael@memra.com Subject: Re: IANA private network numbers .. Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You write.. > On Wed, 5 Jun 1996, Mike Jones wrote: > > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael, > > you're completely off base on this one. > I think what you mean to say is that using RFC1918 addresses doesn't > necessarily require a proxy firewall if you have a set of registered > addresses that can be used with a NAT in between to translate. Basically, yes. > I was thinking of the scenario in which no NAT is used, all hosts on the > internal networks have RFC1918 addresses and all access to the Internet is > through a proxy firewall that consumes one single registered host IP > address. Ah. 
I would normally consider this to be a special case of NAT, but that's more a terminology difference than anything else.

> Both scenarios are possible and both accomplish different things. For
> instance, in the NAT scenario anyone can set up a WWW server on their
> desktop and give access to the global Internet assuming that there are no
> packet filters in place to prevent it.

It depends on how the NAT is done. FW-1, for example, supports three modes of doing this: All-to-1, which is the scenario you describe where the firewall only consumes 1 "real" IP address; Fixed, where there is a set correspondence between internal and translated addresses, which is the scenario you describe in the paragraph immediately above; and Dynamic, where "real" IPs are assigned "on demand" when connections are made. In this case it's generally not possible to give outside access to a desktop server because only specified addresses (typically for the organization's central mail server, web server, etc.) are allowed to be issued on a request from the outside.

From firewalls-owner Thu Jun 6 06:49:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11891 for firewalls-outgoing; Thu, 6 Jun 1996 06:31:03 -0700 (PDT)
Received: from wormhole.nav.cc.tx.us (wormhole.nav.cc.tx.us [205.165.189.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA11872 for ; Thu, 6 Jun 1996 06:30:50 -0700 (PDT)
Received: by wormhole.nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03)
Received: from dilbert.nav.cc.tx.us(205.165.188.145) by wormhole via smap (V1.3)
Received: from localhost by dilbert.nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03)
Date: Thu, 6 Jun 1996 08:32:34 -0500 (CDT)
From: Dana Brewer
To: firewalls@greatcircle.com
Subject: Re: Compuserve -Reply
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for the answers about connecting AOL through a firewall.
**************************************************************************
Dana Brewer                 Director, Computer Center
Internet: dana@nav.cc.tx.us Navarro College
Phone : 903-874-6501        3200 W. 7th Ave.
FAX : 903-874-4636          Corsicana, TX 75110
All opinions stated are my own, and probably don't even vaguely resemble those of Navarro College. :)
**************************************************************************

From firewalls-owner Thu Jun 6 06:50:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA12356 for firewalls-outgoing; Thu, 6 Jun 1996 06:43:52 -0700 (PDT)
Received: from hprofsdv.nwscc.sea06.navy.mil ([130.163.113.128]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA12348 for ; Thu, 6 Jun 1996 06:43:43 -0700 (PDT)
Received: from JB4061CACI by hprofsdv.nwscc.sea06.navy.mil with SMTP
Message-Id: <31B6FC00.2DC0@hprofsdv.nwscc.sea06.navy.mil>
Date: Thu, 06 Jun 1996 08:40:48 -0700
From: John Bell
Organization: CACI Inc (Federal)
X-Mailer: Mozilla 2.02 (Win16; I)
Mime-Version: 1.0
To: Martin Marshall
Cc: firewalls@greatcircle.com
Subject: Re: NT Firewalls
References: <31B68655.3372@ebrd.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Martin Marshall wrote:
>
> We currently have a Unix Firewall solution, we would like to move to a
> NT Firewall (If Possible).

Why?

>
> Could anyone let me know where to jump, if a jump is to be made at all !
>

Why the urge to jump? Doesn't your firewall work properly? You said above the firewall you have is a firewall solution... what new problems/wants/desires for feeping creaturism have you identified?

> Any comments will be welcomed

That's mine...

--
John Bell, CACI Inc (Federal)
Bloomington, Indiana (Midwest RE-Engineering Division)
job@hprofsdv.nwscc.sea06.navy.mil -OR- jbii@mama.indstate.edu
"Hi ho! Yow! I'm surfing ARPANET!"
 - anagram for "The Information Superhighway"

From firewalls-owner Thu Jun 6 07:27:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14225 for firewalls-outgoing; Thu, 6 Jun 1996 07:02:36 -0700 (PDT)
Received: from Cee-Jay ([199.126.187.170]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA14015 for ; Thu, 6 Jun 1996 07:01:50 -0700 (PDT)
Received: Smail 3.1.29.1 running on Cee-Jay - router: match_mx_hosts - transport: smtp)
Date: Thu, 6 Jun 1996 09:59:41 -0400 (EDT)
From: N D Ghaznavi
X-Sender: ndg@Cee-Jay.Reachit.com
To: Chris Watson
cc: firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 5 Jun 1996, Steve Bergeon wrote:
>
> I don't know if I should be worried about this or not. I mean they're NOT
> getting in, but they are constantly trying; it's driving me nuts.

I'm having a similar experience from named, which leads me to think that you're probably having DNS problems. I *think* this might be related to the version of BIND running, but that's really only a guess. This is from syslogd's `daemon' facility:

Jun 5 18:36:06 Cee-Jay named[75]: recvfrom: Connection refused
Jun 5 18:36:31 Cee-Jay named[75]: recvfrom: Connection refused
Jun 5 21:22:16 Cee-Jay named[75]: recvfrom: Connection refused
Jun 5 22:50:16 Cee-Jay named[75]: recvfrom: Connection refused
Jun 5 23:20:14 Cee-Jay named[75]: recvfrom: Connection refused
Jun 6 01:42:59 Cee-Jay named[75]: recvfrom: Connection refused
Jun 6 09:20:17 Cee-Jay named[75]: recvfrom: Connection refused
Jun 6 09:40:00 Cee-Jay named[75]: recvfrom: Connection refused

If anyone has any ideas about what exactly this is, please comment.
Nadim
--N D Ghaznavi-----------------------------------------------------------
Unix System Administrator                                ndg@CADlink.com
--CADlink.com--------Reachit.com--------Ghaznavi.com--------Apparel.org--

From firewalls-owner Thu Jun 6 07:35:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA13758 for firewalls-outgoing; Thu, 6 Jun 1996 06:59:57 -0700 (PDT)
Received: from eclipse.esr.com (eclipse.esr.com [204.77.128.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA13728 for ; Thu, 6 Jun 1996 06:59:43 -0700 (PDT)
Received: from cerberus.esr.com by eclipse.esr.com with SMTP (5.65/1.2-eef)
Received: from esig.esr.com ([204.77.128.38]) by cerberus.esr.com
Received: by esig.esr.com; Wed, 5 Jun 96 18:41:46 EDT
Date: Wed, 5 Jun 96 18:39:09 EDT
Message-Id:
X-Priority: 3 (Normal)
To:
From: "Mike Weaver, Senior Systems Consultant"
Subject: Re: WWW proxy to cut off Java.
X-Incognito-Sn: 946
X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Raptor Systems has also announced a patch for its Eagle Firewall that will allow their httpd to now support filtering based on mime types, the most important consequence of which is that you can now filter out Java applets.

------------- Original Text
From nreadwin@london.micrognosis.com (Neil Readwin), on 6/4/96 8:06 PM:

> Because JavaScript is typically embedded within your HTML, you really
> can't block it at the firewall.

But you can try - Carl Claunch wrote a patch to the TIS http-gw that will filter java and javascript out of HTML as it goes by. Details are at http://www.hdshq.com/fixes/fwtk/welcome.html

Pointers to various other fwtk patches are at http://www.micrognosis.com/%7enreadwin/fwtk.html

fwtk related followups to the fwtk-users list please. Neil.
--
"For some reason all the very worst install scripts are written in csh." Geoff. Lane.
(in bofh.jobfh.misc)

#######################################################
# Mike Weaver                Electronic Systems, Inc  #
# Senior Systems Consultant  Richmond, Virginia       #
# mike@esr.com               (804) 330-5555           #
#######################################################
# Network Integration Services, Consulting, Internet  #
# A Commercial Internet Exchange Member               #
#######################################################

From firewalls-owner Thu Jun 6 07:50:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14364 for firewalls-outgoing; Thu, 6 Jun 1996 07:03:58 -0700 (PDT)
Received: from gatekeeper.mpsisys.com (ppp.mpsisys.com [198.65.132.134]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA14330 for ; Thu, 6 Jun 1996 07:03:33 -0700 (PDT)
Received: (from smap@localhost) by gatekeeper.mpsisys.com (8.6.10/8.6.10) id JAA08818 for ; Thu, 6 Jun 1996 09:01:10 -0500
Received: from mpsi.mpsisys.com(139.45.3.26) by gatekeeper.mpsisys.com via smap (V1.3)
Received: from omni.mpsisys.com by mpsi.mpsisys.com (AIX 3.2/UCB 5.64/4.03)
Received: by omni.mpsisys.com (AIX 4.1/UCB 5.64/4.03)
From: ralph@omni.mpsisys.com (Ralph Mitchell)
Message-Id: <9606061401.AA32826@omni.mpsisys.com>
Subject: Re: FLAME (was: Re: Memra)
To: firewalls@GreatCircle.COM
Date: Thu, 6 Jun 1996 09:01:05 -0500 (CDT)
In-Reply-To: <199606052130.PAA22194@ve6bc.ampr.ab.ca> from "Douglas R. Mackintosh" at Jun 5, 96 03:30:35 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> (My sincere apologies to the list for this email which should be private. If
> you don't want to read yet another flame then move along to the next message.)

I would like to apologise in advance too, as this is not really firewall related...
> Dear Gomer,
>
> Since your email is BROKEN to the point that one CANNOT EVEN REPLY to it I
> am forced to subject the gentle readers of this list to my reply to your
> idiocy.
>
> (Maybe this is why you can't get your simple answers. Maybe all your simple
> answers are bouncing back to the vendors in question.)

If his email is so completely broken, how is he getting mail from this list in the first place? Can he even see these replies & flames? If not, we might as well stop thumping on the table... :)

Just my $0.02

Ralph Mitchell (System Administrator)
--
MPSI Inc., 8282 South Memorial Drive, Tulsa, Oklahoma 74133
Email: ralph@mpsisys.com  PHONE: 918-250-9611 x237  FAX: 918-254-8764
"Never underestimate the power of human stupidity" - Salvor Hardin, Foundation

From firewalls-owner Thu Jun 6 08:05:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18051 for firewalls-outgoing; Thu, 6 Jun 1996 07:39:33 -0700 (PDT)
Received: from 198.68.45.121 (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA18041 for ; Thu, 6 Jun 1996 07:39:18 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com
Received: by juneau.steldyn.com with Microsoft Exchange (IMC 4.12.736)
Message-ID:
From: Chris Pugrud
To: "'Martin Marshall'"
Subject: RE: NT Firewalls
Date: Thu, 6 Jun 1996 08:37:30 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since you already have a working UNIX firewall, there really is no compelling reason to switch to an NT product unless some exec on high (or really high exec ;>) is demanding the NT switch. The current generation of NT firewalls (0.9) offer no advantages over their UNIX counterparts. We have been going through some very heavy debating about what advantages we feel would be appropriate to use in NT and not create an extra security breach.
There is also a very heated and long running debate about whether or not NT is an appropriate platform to run a firewall on.

In short: At this point in time a jump is not appropriate (if the money is burning that bad of a hole in your pocket, hire a security consultant to evaluate your current firewall). If you have an NT based network then at some point in the future (hopefully 8-12 months) feature sets will come about on NT platforms that do give them a distinct advantage. Hopefully at that time several of the security questions and snags will be worked out. When that time comes I don't doubt that we will still be here pissing and squabbling about the appropriateness of NT as a firewall, but don't worry, most of us here are more than a little conservative and paranoid about security.

Chris

>----------
>From: Martin Marshall[SMTP:marshall@ebrd.com]
>Sent: Thursday, June 06, 1996 1:18 AM
>To: Firewalls Mailing list
>Subject: NT Firewalls
>
>We currently have a Unix Firewall solution, we would like to move to a
>NT Firewall (If Possible).
>
>Could anyone let me know where to jump, if a jump is to be made at all !
>
>Any comments will be welcomed
>
>Martin Marshall
>

From firewalls-owner Thu Jun 6 08:42:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23214 for firewalls-outgoing; Thu, 6 Jun 1996 08:23:28 -0700 (PDT)
Received: from pimaia2y.prodigy.com (pimaia2y.prodigy.com [198.83.18.95]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA23194 for ; Thu, 6 Jun 1996 08:23:17 -0700 (PDT)
Received: from mime3.prodigy.com ([192.168.253.27]) by pimaia2y.prodigy.com (8.6.10/8.6.9) with ESMTP id KAD15772 for ; Thu, 6 Jun 1996 10:58:09 -0400
Received: (from root@localhost) by mime3.prodigy.com (8.6.10/8.6.9) id KAA21600 for firewalls@greatcircle.com; Thu, 6 Jun 1996 10:53:15 -0400
Message-Id: <199606061453.KAA21600@mime3.prodigy.com>
X-Mailer: Prodigy Internet GW(v0.9beta) - ae01dm04sc03
From: HFDK41A@prodigy.com (MR. JOHN K MOLNAR)
Date: Thu, 6 Jun 1996 10:53:15, -0500
To: firewalls@greatcircle.com
Subject: RE: cisco docs, user access
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Wed, 05 Jun 96 11:26:48 EDT
>From: Renee Landers [rlanders@sware.com]
>Sender: firewalls-owner@GreatCircle.COM [firewalls- owner@GreatCircle.COM]
>Subject: cisco docs, user access
>
>First, does anyone know of any third-party guides to configuring Cisco routers?
>(i.e. IOS for Dummies :-) Or does Cisco put out anything more useful than the
>UniverCD -- something that would provide guidelines for configuring, including
>information on some of the different configuration possibilities, something with
>actual chapters, and sections, and paragraphs? Perhaps I am just not looking
>hard enough at the UniverCD?
>
>Second, I have a Cisco router with version 10.2 of the software. I have several
>modems connected via async line to that router. I have defined several usernames
>with passwords. Is there a way to limit which users can connect to which modems?
>(I know I can prevent certain users from doing stuff once they get on, via access-
>classes, but can I reject the connection altogether?) Am I missing something,
>or is the capability just not there?
>
>Thanks for your help

Try taking a look at CCO, Cisco Online at www.cisco.com

-John Molnar

From firewalls-owner Thu Jun 6 09:21:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25881 for firewalls-outgoing; Thu, 6 Jun 1996 08:49:59 -0700 (PDT)
Received: from fw.pco.gc.ca (FW.PCO.GC.CA [198.103.111.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25862 for ; Thu, 6 Jun 1996 08:49:37 -0700 (PDT)
Received: from CABNET-Message_Server by pco.gc.ca
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 06 Jun 1996 11:46:49 -0400
From: Nicolas Tolstoy
To: Firewalls-Digest@GreatCircle.COM
Subject: Subject: Re: IANA private network numbers ..
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Mike Jones wrote:
> In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> you're completely off base on this one.

Then please explain why Checkpoint advertises Firewall -1 as an application gateway?
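The three FW-1 translation modes Mike Jones lists earlier in this thread (All-to-1, Fixed, Dynamic) decide whether an internal desktop can ever be reached from the outside, which is the point his reply turns on. The toy model below is an added illustration written for this archive, not code from Check Point or from anyone on the list: the addresses, the `Nat` class and its `outbound`/`inbound` methods are constructed, and the dynamic-mode behaviour assumes, as Jones describes, that only statically published hosts answer unsolicited outside requests.

```python
"""Toy model of hide (all-to-1), fixed (static) and dynamic-pool NAT.

Constructed example for the IANA private network numbers thread; not
product code. Inside addresses are RFC 1918, outside ones are from the
192.0.2.0/24 documentation range.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Conn = Tuple[str, int]  # (IP address, port)

MAIL_SERVER = "10.0.0.25"      # published in every mode
DESKTOP_A = "10.0.1.10"        # a user's desktop running a web server
DESKTOP_B = "10.0.1.11"
REAL_FIREWALL = "192.0.2.1"    # the single "real" address of all-to-1 mode
REAL_MAIL = "192.0.2.25"
REAL_POOL = ["192.0.2.100", "192.0.2.101"]


@dataclass
class Nat:
    mode: str                                               # "all-to-1", "fixed" or "dynamic"
    external: str = REAL_FIREWALL
    fixed: Dict[str, str] = field(default_factory=dict)     # internal -> real, set by the admin
    pool: List[str] = field(default_factory=list)           # spare real addresses (dynamic mode)
    leases: Dict[str, str] = field(default_factory=dict)    # internal -> leased real (dynamic mode)
    table: Dict[Conn, Conn] = field(default_factory=dict)   # public (addr, port) -> internal (addr, port)
    next_port: int = 40000

    def outbound(self, src: Conn) -> Optional[Conn]:
        """Translate a connection the internal host `src` initiates; None = cannot leave."""
        addr, port = src
        if addr in self.fixed:                        # statically mapped host, any mode
            public = (self.fixed[addr], port)
        elif self.mode == "fixed":
            return None                               # no entry configured for this host
        elif self.mode == "all-to-1":
            public = (self.external, self.next_port)  # everyone shares one address; ports differ
            self.next_port += 1
        elif self.mode == "dynamic":
            if addr not in self.leases:
                if not self.pool:
                    return None                       # pool exhausted
                self.leases[addr] = self.pool.pop(0)
            public = (self.leases[addr], port)
        else:
            raise ValueError(f"unknown NAT mode {self.mode!r}")
        self.table[public] = src                      # remember it so replies find their way back
        return public

    def inbound(self, dst: Conn) -> Optional[Conn]:
        """Where a packet from outside addressed to `dst` ends up; None = dropped."""
        if dst in self.table:                         # reply to a translation we created
            return self.table[dst]
        by_real = {real: internal for internal, real in self.fixed.items()}
        if dst[0] in by_real:                         # a 1:1 entry can be reversed without prior state
            return (by_real[dst[0]], dst[1])
        return None                                   # nothing maps a fresh inbound connection


def build(mode: str) -> Nat:
    """A firewall in the given mode; the mail server is always statically published."""
    nat = Nat(mode=mode, fixed={MAIL_SERVER: REAL_MAIL}, pool=list(REAL_POOL))
    if mode == "fixed":   # fixed mode: the admin mapped every desktop one-to-one
        nat.fixed.update({DESKTOP_A: REAL_POOL[0], DESKTOP_B: REAL_POOL[1]})
    return nat


def desktop_reachable(mode: str) -> bool:
    """Can an outsider open a *fresh* connection to port 80 on DESKTOP_A?"""
    nat = build(mode)
    nat.outbound((DESKTOP_A, 5000))  # the desktop is active, so it holds a translation
    for real in [REAL_FIREWALL, REAL_MAIL] + REAL_POOL:   # outsider tries every real address
        target = nat.inbound((real, 80))
        if target is not None and target[0] == DESKTOP_A:
            return True
    return False


def reachability_by_mode() -> Dict[str, bool]:
    return {mode: desktop_reachable(mode) for mode in ("all-to-1", "fixed", "dynamic")}


if __name__ == "__main__":
    for mode, ok in reachability_by_mode().items():
        print(f"{mode:9s} desktop web server reachable from outside: {ok}")
```

Only the fixed entry can be reversed without prior state, so the desktop's server is reachable in fixed mode alone; in all-to-1 and dynamic modes an outsider's packet to the firewall's real address carries no port that maps back to the desktop and is dropped. The model also shows the flip side of Jones's remark: a fixed mapping for a desktop is an exposure to review, while hide translation blocks inbound connections as a side effect, not as a deliberate control.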
From firewalls-owner Thu Jun 6 09:26:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25594 for firewalls-outgoing; Thu, 6 Jun 1996 08:45:52 -0700 (PDT)
Received: from mailhub.cts.com (mailhub.cts.com [192.188.72.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25558 for ; Thu, 6 Jun 1996 08:45:33 -0700 (PDT)
Received: from rruda(really [204.212.129.32]) by mailhub.cts.com
Received: by rruda with Microsoft Mail
Message-ID: <01BB5384.98427020@rruda>
From: Richard Ruda
To: "'GreatCircles firewall message host'"
Subject: NT-DNS
Date: Thu, 6 Jun 1996 08:45:56 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Jun 1996 13:30:15 -0700 Bill Stout Wrote
Subject: NT DNS in 4.0b2
"The only drawback I've seen is not being able to connect to non-NT DNS server properties."

Can you explain exactly what you mean. Will an internal DNS running on NT4.0b2 not be able to, say, talk to a Unix firewall??

Thanks

Richard

From firewalls-owner Thu Jun 6 09:39:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25266 for firewalls-outgoing; Thu, 6 Jun 1996 08:42:45 -0700 (PDT)
Received: from fw.pco.gc.ca (FW.PCO.GC.CA [198.103.111.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25228 for ; Thu, 6 Jun 1996 08:42:30 -0700 (PDT)
Received: from CABNET-Message_Server by pco.gc.ca
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 06 Jun 1996 11:29:31 -0400
From: Nicolas Tolstoy
To: Firewalls-Digest@GreatCircle.COM
Subject: Re:Flame memra
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On June 5, someone wrote:
> Is your arrogant, condescending, and unprofessional attitude
> a reflection on your entire British Columbia based company?
>
>(My sincere apologies to the list for this E-mail which should be private.
1) BC is an independent entity from Michael; name four cities in the province and your dig can stand, otherwise "what a cheap shot at a great place".

2.) If meant as private mail, not only are you out of line, you've got your hat on backwards too.

3.) Perhaps Ralf's wording should have said "can someone get me a telephone number for TIS or a TIS fw var, I need a quote for.... it's urgent."

Nonetheless, Michael 9 Gomer 0

From firewalls-owner Thu Jun 6 09:53:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA26787 for firewalls-outgoing; Thu, 6 Jun 1996 09:01:38 -0700 (PDT)
Received: from lafvax (lafvax.lafayette.edu [139.147.8.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA26780 for ; Thu, 6 Jun 1996 09:01:29 -0700 (PDT)
Received: from stupid.lafayette.edu by lafvax.lafayette.edu (PMDF V5.0-4 #6834)
Received: from localhost by stupid.lafayette.edu (SMI-8.6/SMI-SVR4)
Date: Thu, 06 Jun 1996 11:56:23 -0400 (EDT)
From: John Mulligan
Subject: REQ:rshd command logging
To: firewalls@greatcircle.com
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Does anyone know of an rsh daemon replacement that will allow command logging? We have TCP_Wrappers 7.4 installed, if anything could be used in conjunction with that.

Systems include: Sun SPARCs running Solaris 2.5 and SunOS 4.1.3

Please reply via direct email to mulligan@stupid.lafayette.edu

Thanks!

John

John P.
Mulligan
Lafayette College ACS
PGP Public Key available at http://www.lafayette.edu/~mulligaj

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMbb/rX+KnP1k0ErJAQHtggMAjSZg4zInApXBda35pC4v1+0+XjXqCaH2
h8sbAVG2f9WYihuuqKPw6FnTMVwwySfOomQroTyfIVK6g9zFVkCUJVCNJXQeE2F2
W7NmZ/I57Nm92iR+7eQXZM9/bdQ2HbDG
=zpbe
-----END PGP SIGNATURE-----

From firewalls-owner Thu Jun 6 10:26:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03029 for firewalls-outgoing; Thu, 6 Jun 1996 10:01:03 -0700 (PDT)
Received: from netcom21.netcom.com (netcom21.netcom.com [192.100.81.135]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA02878 for ; Thu, 6 Jun 1996 10:00:21 -0700 (PDT)
Received: (from das@localhost) by netcom21.netcom.com (8.6.13/Netcom)
Date: Thu, 6 Jun 1996 09:56:42 -0700 (PDT)
From: Das Devaraj
Reply-To: Das Devaraj
Subject: Re: FLAME (was: Re: Memra)
To: Ralph Mitchell
cc: firewalls@GreatCircle.COM
In-Reply-To: <9606061401.AA32826@omni.mpsisys.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 6 Jun 1996, Ralph Mitchell wrote:

> If his email is so completely broken, how is he getting mail from this
> list in the first place ? Can he even see these replies & flames ? If
> not, we might as well stop thumping on the table... :)

Maybe not. A lot of people have taken to faking e-mail addresses, including fake domains, when they post to mailing lists and news groups. This is to prevent "personalized" spam messages, which are becoming increasingly popular these days.

Das
-------------------------------------------------------------------
Interested in Vegetarianism?
Vegetarian Restaurant Trek
Web http://www.VegInfo.com                      712 Bancroft Road #320
e-mail info@VegInfo.com (subject Help)          Walnut Creek, CA 94598
Interactive Voice/fax Response (510) 256-8420   USA

From firewalls-owner Thu Jun 6 10:41:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06219 for firewalls-outgoing; Thu, 6 Jun 1996 10:23:58 -0700 (PDT)
Received: from mailhub.cts.com (mailhub.cts.com [192.188.72.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06180 for ; Thu, 6 Jun 1996 10:23:43 -0700 (PDT)
Received: from rruda(really [204.212.129.32]) by mailhub.cts.com
Received: by rruda with Microsoft Mail
Message-ID: <01BB5392.4C79C540@rruda>
From: Richard Ruda
To: "'GreatCircles firewall message host'"
Cc: "'bill.stout@hidata.com'"
Subject: NT-DNS
Date: Thu, 6 Jun 1996 10:24:03 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Jun 1996 13:30:15 -0700 Bill Stout Wrote
Subject: NT DNS in 4.0b2
"The only drawback I've seen is not being able to connect to non-NT DNS server properties."

Can you explain exactly what you mean. Will an internal DNS running on NT4.0b2 not be able to, say, talk to a Unix firewall??
Thanks

Richard

From firewalls-owner Thu Jun 6 10:50:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06308 for firewalls-outgoing; Thu, 6 Jun 1996 10:25:18 -0700 (PDT)
Received: from netcomsv.netcom.com (uucp2.netcom.com [163.179.3.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06273 for ; Thu, 6 Jun 1996 10:25:04 -0700 (PDT)
Received: from rise_2.UUCP by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1)
Received: from viper.rise.com by rise_2.rise_2.uucp.netcom.COM (4.1/SMI-4.1)
Date: Thu, 6 Jun 96 10:20:07 PDT
From: rise_2!dzung@netcom.com (Dzung Tran)
Message-Id: <9606061720.AA24039@rise_2.rise_2.uucp.netcom.COM>
To: Firewalls-Digest@GreatCircle.COM
Subject: Re: Subject: Re: IANA private network numbers ..
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > On Wed, 5 Jun 1996, Mike Jones wrote:
> > > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> > > you're completely off base on this one.
>
> Then please explain why Checkpoint advertises Firewall -1 as an
> application gateway ?
>
>

According to Network Computing Magazine (4/1/96):

".. CheckPoint FireWall-1 uses a powerful scripting language called Inspect, which dynamically tracks and examines packets up through the application layer. Even though it does not implement proxies in the traditional sense, like Gauntlet and CyberGuard, its ability to analyze the application data allows CheckPoint to implement many of the same capabilities without sacrificing performance.."
From firewalls-owner Thu Jun 6 11:02:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03030 for firewalls-outgoing; Thu, 6 Jun 1996 10:01:04 -0700 (PDT)
Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA02841 for ; Thu, 6 Jun 1996 10:00:13 -0700 (PDT)
Received: from dasmts.imc.das.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV)
Received: from mts.dec.com by dasmts.imc.das.dec.com (PMDF V5.0-7 #16470)
Received: with PMDF-MR; Thu, 06 Jun 1996 16:33:03 +0000 (GMT)
MR-Received: by mta MSDOA2; Relayed; Thu, 06 Jun 1996 16:33:03 +0000
MR-Received: by mta SOAREA; Relayed; Thu, 06 Jun 1996 16:32:51 +0000
MR-Received: by mta DASMTS; Relayed; Thu, 06 Jun 1996 16:33:05 +0000
Alternate-recipient: prohibited
Date: Thu, 06 Jun 1996 16:26:12 +0000 (GMT)
From: "WENDY HEDGPETH @CEO 704-827-7687"
Subject: RE: digital unix firewall 1
To: firewalls@greatcircle.com
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Posting-date: Thu, 06 Jun 1996 16:33:00 +0000 (GMT)
Importance: normal
UA-content-id: E115ZWIJHXGNB
X400-MTS-identifier: [;30336160606991/3331481@MSDOA]
A1-type: MAIL
Hop-count: 3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Juan,

I have been installing the digital unix firewall for the past year. We have recently rolled out DFU 2.0 which is GUI managed and can be integrated with a high-end multiple nodes solution. This should be what you are upgrading to. If you have any questions fire away and I'll do my best. I think there is another Digital firewall person on this list as well.
:)

Wendy

From firewalls-owner Thu Jun 6 11:06:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00911 for firewalls-outgoing; Thu, 6 Jun 1996 09:48:49 -0700 (PDT)
Received: from hidata.com ([205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00842 for ; Thu, 6 Jun 1996 09:48:29 -0700 (PDT)
Received: by hidata.com; id AA19648; Thu, 6 Jun 96 09:46:06 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Thu, 6 Jun 1996 09:46:00 -0700
Message-Id: <199606061646.JAA15537@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: RE: Firewalls-Digest V5 #356
Cc: "'bill.stout@hidata.com'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:01 PM 6/5/96 -0700, Richard Ruda wrote:
>On Tue, 4 Jun 1996 13:30:15 -0700
>Bill Stout
>Wrote Subject: NT DNS in 4.0b2
>"The only drawback I've seen is not being able to connect to non-NT DNS server properties."
>Can you explain exactly what you mean.
>Will an internal DNS running on NT4.0b2 not be able to say talk to a Unix firewall??

I don't mean the NT system can't do nslookups with a forwarder set to a firewall; it's just that the DNS administration program can only graphically display properties of other NT DNS systems. NT uses the control panel - networks to set the address of DNS servers.

>Thanks
>
>Richard
>
>
>

<=======10========20====Ruler for Eudora users==50========60========70========80
William B. Stout        | "Stop socialism in America!"
Senior Systems Admin    | "Dilbert for President."
Hitachi Data Systems    | "Police power today=police state tomorrow."
Open Systems Center     | "The secret of life - being part of the process of
Santa Clara, California |  creation."
408-970-4822            | #include
<=======10========20========30========40========50========60========70========80

From firewalls-owner Thu Jun 6 11:20:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12009 for firewalls-outgoing; Thu, 6 Jun 1996 11:14:22 -0700 (PDT)
Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA11843 for ; Thu, 6 Jun 1996 11:13:00 -0700 (PDT)
Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1))
From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne)
Message-Id: <9606061805.AA17298@dsacg1.dsac.dla.mil>
Subject: Re: NT-DNS
To: rruda@osti.com (Richard Ruda)
Date: Thu, 6 Jun 96 14:05:19 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <01BB5384.98427020@rruda>; from "Richard Ruda" at Jun 6, 96 8:45 am
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> On Tue, 4 Jun 1996 13:30:15 -0700
> Bill Stout
> Wrote Subject: NT DNS in 4.0b2
> "The only drawback I've seen is not being able to connect to non-NT DNS server properties."
> Can you explain exactly what you mean.
> Will an internal DNS running on NT4.0b2 not be able to say talk to a Unix firewall??

Hi,

I set up an older version of DNS and in my testing, I ran into 2 problems which maybe you can elaborate on in this new version.

First, I could not just "move" my zone and revs to the NT server because we do secondary DNS for 50 domains. This equates to 50 zone files and 50 rev files. Well, when I set up the dns boot file on the NT box and started the service, it ran for maybe 5 mins caching and then died, no errors, nothing. I also could not stop the service; I had to reboot the NT server. So, I thought ok, scale it back to just ONE domain (my local one). I deleted all other domains and started the service again; it cached for about 2 minutes and died.
Again, I tried to stop the service and it would not allow me to, so I had to reboot the NT server. This happened on a domain with around 2500 entries. I scaled it back to only 500 entries and tried again. This time the service started and ran with no errors. I then went to a unix box and tried nslookup on hosts I knew were in the DNS files on the NT server. I got absolutely NO responses from the NT server, and timed out on every attempt I tried to query on. I was able to use the nslookup client on the NT box and query EVERYTHING in the NT's domain files. I even configured the WINS entry in the zone file and that worked, but ONLY from the NT client. I never got nslookup on unix boxes (hpux, solaris, interactive, bsdi, sco) to work.

My 2 problems are: does NT service other clients than just NT, and second, how much can you cache? If you can't cache secondary servers then I don't see NT DNS as doing anything worthwhile in DNS. BTW the server had 64 MB of RAM, and was not doing anything; it was pretty much just idling.

Is this what you were talking about?

thanks
steve

>
> Thanks
>
> Richard
>
>
>

From firewalls-owner Thu Jun 6 12:16:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16876 for firewalls-outgoing; Thu, 6 Jun 1996 11:41:18 -0700 (PDT)
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16695 for ; Thu, 6 Jun 1996 11:40:29 -0700 (PDT)
From: jim@SmallWorks.COM
Received: from butthead.SmallWorks.COM by hosaka.smallworks.com (5.x/SMI-SVR4)
Received: by butthead.SmallWorks.COM (4.1/SPARCbook_POP1.3)
Date: Thu, 6 Jun 96 13:33:55 CDT
Message-Id: <9606061833.AA15356@butthead.SmallWorks.COM>
To: firewalls@GreatCircle.COM, rlanders@sware.com
Subject: Re: cisco docs, user access
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1) Load at least 10.3, preferably 11.0 or 11.1.
2) Configure TACACS+.
From firewalls-owner Thu Jun 6 12:26:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA17020 for firewalls-outgoing; Thu, 6 Jun 1996 11:41:56 -0700 (PDT)
Received: from gjones.inhouse.compuserve.com (gjones.inhouse.compuserve.com [149.174.150.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16779 for ; Thu, 6 Jun 1996 11:40:49 -0700 (PDT)
Received: from gjones.inhouse.compuserve.com (gjones@gjones.inhouse.compuserve.com [149.174.150.20]) by gjones.inhouse.compuserve.com (8.6.12/8.6.9) with SMTP id OAA03760; Thu, 6 Jun 1996 14:37:33 -0400
Date: Thu, 6 Jun 1996 14:37:33 -0400 (EDT)
From: "George M. Jones"
Reply-To: "George M. Jones"
Subject: Re: Compuserve -Reply
To: Bob Allison
cc: firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Quick reminder to everyone using the Internet to get to Compu$erve and AOL:
>
> Last I heard, your account/password information was transmitted in the
> clear, which means, of course, that a snooper has access to your CS or AOL
> account. (If this info is outdated, I'm sure someone will be kind enough to
> tell me.)

Passwords have been encrypted for about a year, starting with WinCIM 2.0. It is also in the Wow product.
---
George Jones, Internet Technologist, CompuServe, Inc., Columbus, Ohio, USA
Email: gjones@csi.compuserve.com, Voice: +1 614 538 4052, Fax: +1 614 457 0348
"He is no fool who gives what he cannot keep, to gain what he cannot lose" ---Jim Elliot

From firewalls-owner Thu Jun 6 12:35:39 1996
From: hoff@nodewarrior.net (Christofer Hoff)
Organization: NodeWarrior NetWorks, Inc.
Date: Thu, 06 Jun 1996 11:31:30 -0700
To: Dzung Tran
Cc: Firewalls-Digest@GreatCircle.COM
Subject: Re: Subject: Re: IANA private network numbers ..

Dzung Tran wrote:
> > > On Wed, 5 Jun 1996, Mike Jones wrote:
> > >
> > > > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> > > > you're completely off base on this one.
> > >
> > > Then please explain why Checkpoint advertises Firewall-1 as an
> > > application gateway?
>
> According to Network Computing Magazine (4/1/96):
>
> ".. CheckPoint FireWall-1 uses a powerful scripting language called
> Inspect, which dynamically tracks and examines packets up through the
> application layer. Even though it does not implement proxies in the
> traditional sense, like Gauntlet and CyberGuard, its ability to
> analyze the application data allows CheckPoint to implement many of
> the same capabilities without sacrificing performance.."
Also, FW-1 DOES have FTP, Telnet, and HTTP proxies (which are considered application-level.)

Chris

From firewalls-owner Thu Jun 6 12:42:15 1996
From: "George M. Jones"
Date: Thu, 6 Jun 1996 14:47:55 -0400 (EDT)
To: Michael Dillon
Cc: Hugh Fraser
Subject: Re: Compuserve

> On Wed, 5 Jun 1996, Hugh Fraser wrote:
>
> > expected. Performance, though, doesn't seem much faster than through one
> > of their dial-in ports.
>
> I found it faster on the net, but then, I also set the speed in the
> Settings dialog to 38400 bps. I remember when I used to telnet directly to
> CompuServe that they would ask what speed you wanted to "simulate"
> because, of course, there were different fees for different speeds. Maybe
> WinCIM still negotiates the simulated speed?

The rate throttling stuff is gone. The only limits now are your line speed and the speed of the net between where you are and the hosts that pick up compuserve.com:{23,4144}. Once you get to the gateway hosts the limit will be the bandwidth from the gateway machines divided by the number of users (actually the sum of the load generated by all the users).
---George Jones

From firewalls-owner Thu Jun 6 12:50:46 1996
From: "Richard D. Stiennon"
Date: Thu, 06 Jun 1996 14:43:28 -0400
To: rise_2!dzung@netcom.com (Dzung Tran)
Cc: Firewalls-Digest@GreatCircle.COM
Subject: Re: Subject: Re: IANA private network numbers ..

At 10:20 AM 6/6/96 PDT, Dzung Tran wrote:
>> On Wed, 5 Jun 1996, Mike Jones wrote:
>>
>> > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
>> > you're completely off base on this one.
>>
>> Then please explain why Checkpoint advertises Firewall-1 as an
>> application gateway?
>
> According to Network Computing Magazine (4/1/96):
>
> ".. CheckPoint FireWall-1 uses a powerful scripting language called
> Inspect, which dynamically tracks and examines packets up through the
> application layer. Even though it does not implement proxies in the
> traditional sense, like Gauntlet and CyberGuard, its ability to
> analyze the application data allows CheckPoint to implement many of
> the same capabilities without sacrificing performance.."
Good summary. Firewall-1 uses a Stateful Multilayered Inspection (SMLI) technique. Inspect is a language that allows quick modifications. The SMLI engine is a virtual machine that resides within the kernel and examines packets and makes allow/disallow decisions based on the rule set and the state table. Very kewl.

Richard Stiennon, Director, Business Development, Netrex, Inc.
richards@netrex.com, www.netrex.com/richard
3000 Town Center, Suite 1100, Southfield, MI 48075
Voice: 810-352-9643, Fax: 810-352-2375

From firewalls-owner Thu Jun 6 13:20:42 1996
From: shishir@ftp.com
Date: Thu, 6 Jun 1996 16:01:19 -0400
To: Firewalls-Digest@GreatCircle.COM
Subject: How to Connect WINS and DNS in NT 4.02 b2 ?

..so that DNS checks the WINS database before returning a non-existent machine's IP address/hostname.

Thank you.
shishir

From firewalls-owner Thu Jun 6 13:35:36 1996
From: rricardo@schwab.com (ray ricardo)
Date: Thu, 6 Jun 1996 12:57:42 -0700
To: firewalls@greatcircle.com
Cc: geraldine.martin@schwab.com
Subject: Gauntlet & Glance Plus

Are any Gauntlet 3.1 (SunOS) users using the performance measuring tool Glance Plus from HP on the firewall machine to measure its performance? If so, any adverse effects or install problems? Any better tools for this application?

From firewalls-owner Thu Jun 6 13:50:43 1996
From: Mike.Jones@unifiedtech.com (Mike Jones)
Date: Thu, 6 Jun 1996 15:57:18 -0400
To: Firewalls-Digest@GreatCircle.COM, ntolstoy@pco.gc.ca
Subject: Re: Subject: Re: IANA private network numbers ..
> On Wed, 5 Jun 1996, Mike Jones wrote:
> > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> > you're completely off base on this one.
>
> Then please explain why Checkpoint advertises Firewall-1 as an
> application gateway?

I've never seen it advertised that way. They usually feature the phrase "advanced packet filter".

--
Mike.Jones@unifiedtech.com
August 24, 1945: After serving nearly 44 months in the navy, Bob Feller four-hits the Tigers in his first start.

From firewalls-owner Thu Jun 6 14:05:45 1996
From: list.firewalls@optimum.net (optimum.net newsgate)
Organization: Optimum Group
Date: Thu, 06 Jun 1996 16:44:48 -0400
To: firewalls@greatcircle.com
Subject: Virus detection for http proxy servers

One of our users has been asking about virus protection for software he has downloaded through the Netscape proxy server. He was asking about something that would scan the software as it was being downloaded. I didn't think there was anything to do this, given all of the file formats, compression methods, and hardware platforms that could be using the proxy server, but I thought I'd look into it anyway.

Does anyone know of a solution or partial solution to this question?

Thank you!
Steve Pfister // Optimum Group
srp336@optimum.com

From firewalls-owner Thu Jun 6 14:50:44 1996
From: jim@SmallWorks.COM
Date: Thu, 6 Jun 96 16:02:51 CDT
To: epperson@vak12ed.edu
Cc: firewalls@greatcircle.com
Subject: Re: cisco docs, user access

> BTW, according to Product Bulletin #367, 10.2(9) is still the highest GD.

And doesn't actually run on some of the newer hardware. This has wandered far enough off-topic, no?

From firewalls-owner Thu Jun 6 14:55:22 1996
From: jnoetzel@intermind.com (Jeremy Noetzelman)
Date: Thu, 06 Jun 1996 14:07:44 -0700
To: firewalls@greatcircle.com
Subject: Firewalls and DNS

We'd like to have a split DNS with a public server and a private server.
We've initially started with two servers, one of which has dummy DNS entries and one of which has the real entries. The one with the real entries is behind the firewall, and is set up as a slave/forwarder to the external one with the dummy DNS entries.

So far so good, but the problem is incredibly slow DNS lookups, which time out regularly. For example, with Netscape if you click on a link, it times out the first time, but the answer is available immediately on the second try.

I'm completely uncertain what the problem is. While this may not be a strict firewalls question, I'm sure it's one that is of interest to many. Any help would be much appreciated.

Jeremy Noetzelman
---
Jeremy Noetzelman, jnoetzel@intermind.com
Operations Specialist, Intermind Corporation

From firewalls-owner Thu Jun 6 15:08:03 1996
From: "Jim Meritt"
Date: Thu, 06 Jun 96 16:40:12 EST
To: firewalls@greatcircle.com, John Mulligan
Subject: Re: REQ:rshd command logging

Since you have the wrapper, and presumably are proficient in its use, why not just wrap the r* in the inetd.conf?

Jim Meritt

______________________________ Reply Separator _________________________________
Subject: REQ:rshd command logging
Author: John Mulligan at SMTPINET
Date: 6/6/96 1:31 PM

-----BEGIN PGP SIGNED MESSAGE-----

Does anyone know of an rsh daemon replacement that will allow command logging?
We have TCP_Wrappers 7.4 installed, if anything could be used in conjunction with that.

Systems include: Sun SPARCs running Solaris 2.5 and SunOS 4.1.3

Please reply via direct email to mulligan@stupid.lafayette.edu

Thanks!
John

John P. Mulligan
Lafayette College ACS
PGP Public Key available at http://www.lafayette.edu/~mulligaj

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----

From firewalls-owner Thu Jun 6 15:22:54 1996
From: Bill Stout
Date: Thu, 6 Jun 1996 13:41:04 -0700
To: Firewalls@GreatCircle.COM, rruda@osti.com (Richard Ruda)
Cc: firewalls@greatcircle.com
Subject: Re: NT-DNS

Umm, let's take this offline before we freak the list out...

BTW - Also reference comp.os.ms-windows.nt.pre-release, comp.os.ms-windows.nt.admin.networking and majordomo@iss.net (NT Security)

Bill

At 02:05 PM 6/6/96 EDT, Steven C. Payne wrote:
>> On Tue, 4 Jun 1996 13:30:15 -0700
>> Bill Stout
>> Wrote Subject: NT DNS in 4.0b2
>> "The only drawback I've seen is not being able to connect to non-NT DNS server properties."
>> Can you explain exactly what you mean.
>> Will an internal DNS running on NT4.0b2 not be able to, say, talk to a Unix firewall??
>
> Hi,
> I set up an older version of DNS and in my testing, I ran into
> 2 problems which maybe you can elaborate on in this new version.
>
> First, I could not just "move" my zone and revs to the NT server
> because we do secondary DNS for 50 domains. This equates to 50 zone
> files and 50 rev files. Well, when I set up the DNS boot file on the
> NT box, I started the service; it ran for maybe 5 mins caching and then died,
> no errors, nothing. I also could not stop the service, I had to reboot
> the NT server.
>
> So, I thought ok, scale it back to just ONE domain (my local one).
> I deleted all other domains and started the service again, it cached for
> about 2 minutes and died. Again, I tried to stop the service and
> it would not allow me to, so I had to reboot the NT server.
> This happened on a domain with around 2500 entries.
>
> I scaled it back to only 500 entries and tried again. This
> time the service started and ran with no errors.
>
> I then went to a Unix box and tried nslookup on hosts I knew
> were in the DNS files on the NT server. I got absolutely
> NO responses from the NT server, and timed out on every
> attempt I tried to query on.
>
> I was able to use the nslookup client on the NT box and query EVERYTHING
> in the NT's domain files. I even configured the WINS entry in the
> zone file and that worked, but ONLY from the NT client.
> I never got nslookup on Unix boxes (HP-UX, Solaris, Interactive, BSDI, SCO)
> to work.
>
> My 2 problems are: does NT service other clients than just NT,
> and second, how much can you cache? If you can't cache secondary
> servers then I don't see NT DNS as doing anything worthwhile in DNS.
> BTW the server had 64 MB of RAM and was not doing anything, it was
> pretty much just idling.
>
> Is this what you were talking about?
> thanks
> steve
>> Thanks
>> Richard

--
William B. Stout, Senior Systems Admin
Hitachi Data Systems, Open Systems Center, Santa Clara, California
408-970-4822
"Stop socialism in America!" "Dilbert for President." "Police power today=police state tomorrow." "The secret of life - being part of the process of creation."
#include

From firewalls-owner Thu Jun 6 15:27:09 1996
From: "Ratak"
Organization: Classified
Date: Thu, 6 Jun 1996 15:22:21 +0000
To: Firewalls-Digest@GreatCircle.COM
Subject: Firewall for NT

Hello

I saw a post a little while ago about a freeware or cheap NT firewall, but I didn't pay much attention. I wanted to put up this firewall while we wait for Firewall-1 NT... Can someone repost that message?

Thank you

GarGoyle Securities
Network Intrusion Assessment Systems
Voice/Data/Fax: (204)878 2190
Email: ratak@escape.ca
PGP Key available via Keyserver nearest you. . .
Key Fingerprint= 25 03 97 D1 1E 9C 2D 98 D1 2F 8D EC 49 C2 64 12

From firewalls-owner Thu Jun 6 15:31:43 1996
From: "W.C. Epperson"
Date: Thu, 06 Jun 1996 16:25:05 EDT
To: jim@SmallWorks.COM
Cc: firewalls@greatcircle.com
Subject: Re: cisco docs, user access

Jim appears to have advised:
>
> 1) Load at least 10.3, preferably 11.0 or 11.1.
> 2) Configure TACACS+.
>

And bear in mind that none of those releases are in General Deployment (GD), which is, according to Cisco, "The software version which has achieved a level of stability appropriate for general use in customers' networks". Their official policy is that only GD releases are appropriate for critical infrastructure use, although my experience is that their support engineers routinely recommend higher releases until confronted with the official policy.

My position is that if it ain't stable enough for general use, it ain't ready for use in access control. I know, I know, lots of folks use FCS and LD releases without problems (that they know of), but if the guys who own the source code won't put their deployment policy behind it, due care principles prevent me from using it for security. My $.02.

BTW, according to Product Bulletin #367, 10.2(9) is still the highest GD.

--
W.C. Epperson, Senior SE
"I have great faith in fools. Self-confidence, my friends call it."
--Edgar Allan Poe--
Information Security Officer, DBA Emeritus, Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Thu Jun 6 16:13:32 1996
From: emo@antares.cica.indiana.edu
Date: Thu, 6 Jun 96 17:15:09 -0500
To: firewalls@greatcircle.com
Subject: Re: Virus detection for http proxy servers

> He was asking about something that would
> scan the software as it was being downloaded

Check out the products from McAfee Associates, http://www.mcafee.com.

good luck,
eric

From firewalls-owner Thu Jun 6 16:20:47 1996
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Thu, 6 Jun 1996 15:22:11 -0700
To: N D Ghaznavi
Cc: firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?

On Jun 6, 9:59am, N D Ghaznavi wrote:
} Subject: Re: unknown in tcpwrappers?
} I'm having a similar experience from named, which leads me to think that
} you're probably having DNS problems. I *think* this might be related to
} the version of BIND running, but that's really only a guess.
}
} This is from syslogd's `daemon' facility:
}
} Jun 5 18:36:06 Cee-Jay named[75]: recvfrom: Connection refused

Looks like you're running an early 4.9.3 Beta version of BIND on a Linux box. You should upgrade to 4.9.3-REL + Patch1 from http://www.isc.org/

---
Truck

From firewalls-owner Thu Jun 6 20:05:35 1996
From: Paul Traina
Date: Thu, 06 Jun 1996 19:59:41 -0700
To: firewalls@greatcircle.com
Cc: cs-ipsecurity@cisco.com
Subject: "how-to" scripts for configuring cisco routers as good packet-screeners

A number of years ago, I wrote a bunch of scripts to help me maintain part of cisco's firewalling system. I just recently updated those scripts to match some of the nasty new tricks that have come up through the years and also address new "fad" services like WWW :-)

The scripts in question include an ACL generator that takes a fairly readable syntax and converts it into raw cisco ACLs (including doing DNS translation) and a commentary about why certain holes were opened, why they might be dangerous, what the trade-offs are, et al. (no, I didn't document anything useful for bad guys...sorry.)
These scripts are based upon real-life operational experience; however, they have been sanitized to protect the guilty and avoid causing temptation to would-be bad guys. (e.g. the name of the Macintosh that allows non-passive FTP is not called "dickhead-bigshot-mac" :-)).

As before, these scripts are being offered "AS-IS" -- do not sic your lawyers on myself or cisco if you use them and some nasty clod messes you up. They're only intended for reference and educational use. Cisco will not answer questions about these scripts; they are not a supported product. Caveat emptor.

ftp://ftp-eng.cisco.com/pub/acl-examples.tar.gz

Paul

From firewalls-owner Thu Jun 6 21:50:39 1996
From: berkelec@pacific.net.sg (Tey Wei Ming)
Date: Fri, 7 Jun 1996 12:36:50
To: firewalls@GreatCircle.com
Subject: nt firewall

> From: Martin Marshall[SMTP:marshall@ebrd.com]
> Sent: Thursday, June 06, 1996 1:18 AM
> To: Firewalls Mailing list
> Subject: NT Firewalls
>
> We currently have a Unix Firewall solution, we would like to move to a
> NT Firewall (If Possible).
>
> Could anyone let me know where to jump, if a jump is to be made at all !

There is one NT firewall available from netguard (www.netguard.com). I heard Checkpoint and IBM will also be releasing an NT version soon.
To me NT is easier to administer than Unix, and Unix also has lots of security risks - just look at the list on CERT! And Unix hardware is still too costly.

william tey
berkeley electronics

From firewalls-owner Fri Jun 7 00:05:39 1996
From: thierry agassis
Organization: Multivendor Customers Services - Digital
Date: Fri, 07 Jun 1996 08:49:32 +0200
To: shishir@ftp.com
Cc: Firewalls-Digest@GreatCircle.COM
Subject: Re: How to Connect WINS and DNS in NT 4.02 b2 ?

Hi Shishir,

If I remember well, you just have to put the $WINS directive in the respective ZONE file(s) (not boot file).

Best regards !
--
Thierry AGASSIS, UNIX and Internet Support, DEC-TEP 16 Partner
Mail address: thierry@osftag.geo.dec.com
URL (from inside dec.com): http://www-mcs.geo.dec.com

From firewalls-owner Fri Jun 7 00:35:42 1996
From: Jean-Pierre Morant
Organization: Marben SA-NV
Date: Fri, 07 Jun 1996 09:21:55 +0200
To: "MR. JOHN K MOLNAR"
Cc: firewalls@GreatCircle.COM
Subject: Re: cisco docs, user access

I've got a paper copy of the manuals - it's a whole wallet, anyway. It's probably not cheap .... but EXTREMELY usable. Check also the "comp.dcom.cisco" newsgroup (or something close to this name) - they may have a FAQ.

--
Jean-Pierre Morant
c/o MARBEN S.A./N.V., Boulevard du Souverain 400, Vorstlaan, 1160 Bruxelles, Belgium
"Life would be so much easier if only we had the sources...."
+ 32 2 663 1130 (phone), + 32 2 663 1199 (fax)
http://www.marben.be, jpm@marben.be

From firewalls-owner Fri Jun 7 01:20:37 1996
From: Kim
Date: Fri, 7 Jun 1996 17:55:21 +0900 (GMT+9:00)
To: firewalls@GreatCircle.COM
Subject: firewall rule for traceroute ?

I'd like to permit traceroute internal to external and block external to internal traceroute. Any experiences?

TIA
- Kim choonkyu

From firewalls-owner Fri Jun 7 01:50:48 1996
To: Kim
Cc: firewalls@greatcircle.com
Subject: Re: firewall rule for traceroute ?
In-reply-to: <199606070755.RAA00931@rara.kotel.co.kr> Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit Date: Fri, 07 Jun 1996 10:40:11 +0200 From: Jean-Christophe Touvet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'd like to permit traceroute internal to external and > block external to internal traceroute. > Any experiences? Outbound: permit udp >= 33434 Inbound: permit icmp unreachable -JCT- From firewalls-owner Fri Jun 7 02:20:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA25051 for firewalls-outgoing; Fri, 7 Jun 1996 02:07:13 -0700 (PDT) Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.DE [193.141.169.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA25041 for ; Fri, 7 Jun 1996 02:06:53 -0700 (PDT) Received: (from smap@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id LAA14344 for ; Fri, 7 Jun 1996 11:04:25 +0200 Received: from grizzly.genua.de(192.109.217.33) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3) Received: from auryn.genua.de (auryn.genua.de [192.109.217.42]) by grizzly.genua.de (8.6.12/8.6.12/bs01) with ESMTP id LAA03334 for ; Fri, 7 Jun 1996 11:04:23 +0200 Received: from auryn.genua.de (localhost [127.0.0.1]) by auryn.genua.de (8.7.4/8.6.12) with ESMTP id LAA13085 for ; Fri, 7 Jun 1996 11:04:23 +0200 (MET DST) Message-Id: <199606070904.LAA13085@auryn.genua.de> To: Firewalls@greatcircle.com Subject: Re: Compuserve In-reply-to: Your message of Thu, 06 Jun 1996 15:32:11 -0700. MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <13082.834138262.1@auryn.genua.de> Date: Fri, 07 Jun 1996 11:04:23 +0200 From: Bernhard Schneck Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 6 Jun 96 11:36:49 +0200, Martin Hauser wrote: > OK - this seems to work, but how secure is it? 
Are there any specs available > for this compuserve protocol (Compuserve has not been responsive for such > requests in the past)? Before opening a hole in the wall it would be nice to > know more about the protocol. Not as far as I know. This is a problem with any protocol for which no specifications are available and/or for which no application gateway with fine grain controls exist (this holds even for standard protocols -- I would like to see a stateful packet filter check for ~ escapes in nntp control messages which INN likes to send via /bin/mail ...!) Most online services use proprietary data streams which can not be verified, no matter which way they are accessed (via modem/isdn lines or via the internet). Some risks using them over the Internet are not much different from when using dialup lines: Can it up (or down) load arbitrary files? Does the MSN client have a built in scanner to find software from competitors or unlicensed copies of Microsoft products? Does/can anyone (outside the vendor) know for *sure*?? Other risks may be higher when using the Internet: sniffing, traffic analysis, session hijacking and server spoofing come to mind. This may be more prominent on the Internet, but then remember that modern telephone switches are only computers, too ... You'll have to consider the risks and decide if it is secure enuff. \Bernhard. 
From firewalls-owner Fri Jun 7 02:50:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA27684 for firewalls-outgoing; Fri, 7 Jun 1996 02:44:52 -0700 (PDT) Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA27661 for ; Fri, 7 Jun 1996 02:44:34 -0700 (PDT) Received: from unknown by typhoon.dial.pipex.net (8.7.4/) Message-ID: To: Firewall List MIME-Version: 1.0 From: Ian Johnstone-Bryden Subject: Virus scanning Date: Fri, 07 Jun 96 10:54:26 GMT Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry to whoever's posting I deleted before responding. There are some solutions available which scan incoming traffic for hostile code including virus agents and worms. I think you will find information of one approach to this on: http://www.universe.digex.net/~mbr/armadillo/ Ian J-B. From firewalls-owner Fri Jun 7 03:05:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA26905 for firewalls-outgoing; Fri, 7 Jun 1996 02:30:55 -0700 (PDT) Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA26794 for ; Fri, 7 Jun 1996 02:30:00 -0700 (PDT) Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id LAA17703; Fri, 7 Jun 1996 11:26:46 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) Message-Id: <9606070926.AA08367@tidtest.total.fr> To: Jean-Christophe Touvet Cc: Kim , firewalls@greatcircle.com Subject: Re: firewall rule for traceroute ? In-Reply-To: Your message of "Fri, 07 Jun 1996 10:40:11 +0200." 
X-Cuse: "The dog ate my network" Date: Fri, 07 Jun 1996 11:26:22 +0100 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199606070840.KAA18443@champagne.edelweb.fr>, Jean-Christophe Touvet writes: > > I'd like to permit traceroute internal to external and > > block external to internal traceroute. > > Any experiences? > > Outbound: > > permit udp >= 33434 > > Inbound: > > permit icmp unreachable > You also should permit ICMP TTL expired inbound (unless it's an unreachable - don't remember OTTOMH whether it is) Michel Lavondes (lavondes@tidtest.total.fr) #include Governments are guilty until proved innocent From firewalls-owner Fri Jun 7 03:17:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA26400 for firewalls-outgoing; Fri, 7 Jun 1996 02:26:48 -0700 (PDT) Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA26282 for ; Fri, 7 Jun 1996 02:25:52 -0700 (PDT) From: axel.skough@scb.se Received: by mail.swip.net with UUCP (8.6.8/3.01) Message-ID: <199606070924.LAA02410@mail.swip.net> Date: Fri, 7 Jun 1996 11:17:15 +0200 To: Firewalls-Digest@GreatCircle.COM, shishir@ftp.com Subject: RE: How to Connect WINS and DNS in NT 4. MIME-version: 1.0 (Created by TFS) Content-Type: text/plain ; charset=ISO-8859-1 Content-transfer-encoding: quoted-printable X-Mailer: TFS Gateway V210U0808M Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't understand that! I have myself tried this with no problems at all, you should use the Microsoft DNS directive $WINS! Usage: $WINS .... where the is the address of the WINS server, you can use at most 4 addresses here. Also, check that your WINS servers are reachable from your DNS server. But this does work! What's wrong?? 
Axel Skough Statistics Sweden ---------- From: shishir@ftp.com To: Firewalls-Digest@GreatCircle.C; SCB/S1POST/SCBAXLS Subject: How to Connect WINS and DNS in NT 4.02 b Date: den 6 June 1996 22:49 <> ..so that DNS checks the WINS database before returning a non-existent machine's ip-address/hostname. Thank you. shishir From firewalls-owner Fri Jun 7 03:35:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA00894 for firewalls-outgoing; Fri, 7 Jun 1996 03:19:08 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA00803 for ; Fri, 7 Jun 1996 03:18:35 -0700 (PDT) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (8.7.1/8.6.9) with ESMTP id MAA04333; Fri, 7 Jun 1996 12:16:13 +0200 (MET DST) Received: from localhost (touvet@localhost) by champagne.edelweb.fr (8.6.10/8.6.6) with SMTP id MAA19367; Fri, 7 Jun 1996 12:15:12 +0200 Message-Id: <199606071015.MAA19367@champagne.edelweb.fr> To: Michel Lavondes Cc: Kim , firewalls@greatcircle.com Subject: Re: firewall rule for traceroute ? In-reply-to: <9606070926.AA08367@tidtest.total.fr> Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit Date: Fri, 07 Jun 1996 12:15:10 +0200 From: Jean-Christophe Touvet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > I'd like to permit traceroute internal to external and > > > block external to internal traceroute. > > > Any experiences? > > > > Outbound: > > > > permit udp >= 33434 > > > > Inbound: > > > > permit icmp unreachable > > > You also should permit ICMP TTL expired inbound (unless it's an > unreachable - don't remember OTTOMH whether it is) Oops, sorry, you're right (I forgot that it isn't an unreachable code). 
Inbound: permit icmp unreachable permit icmp time-exceeded -JCT- From firewalls-owner Fri Jun 7 05:35:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA10797 for firewalls-outgoing; Fri, 7 Jun 1996 05:31:58 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA10779 for ; Fri, 7 Jun 1996 05:31:49 -0700 (PDT) Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id IAA27846; Fri, 7 Jun 1996 08:28:32 -0400 (EDT) Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id IAA08347; Fri, 7 Jun 1996 08:28:29 -0400 (EDT) X-Authentication-Warning: clark.net: proberts owned process doing -bs Date: Fri, 7 Jun 1996 08:28:29 -0400 (EDT) From: "Paul D. Robertson" To: Kim cc: firewalls@greatcircle.com Subject: Re: firewall rule for traceroute ? In-Reply-To: <199606070755.RAA00931@rara.kotel.co.kr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 7 Jun 1996, Kim wrote: > I'd like to permit traceroute internal to external and > block external to internal traceroute. > Any experiences? > TIA > - Kim choonkyu > You'd have to allow both UDP and ICMP into your network, UDP on a range of ports. This is generally not a good idea _at all_. A much better idea would be to set up a CGI program to do traceroutes on a web server external to your network, and give your users access to that. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." 
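The rules exchanged in the traceroute thread above (outbound UDP to ports >= 33434, inbound ICMP unreachable and time-exceeded) and Paul's objection to them, as an added example in Python that is not part of the list archive and not anyone's posted code. It models a direction-aware filter: outbound probes are let out and remembered, and an inbound ICMP error is accepted only if it is one of the two types traceroute needs and the datagram it quotes is a probe that actually went out. The inside network 192.168.1.0/24, the documentation addresses 198.51.100.x and 203.0.113.x, the port range (traceroute's default base port 33434 with 30 hops x 3 probes) and every name below (TracerouteFilter, demo, the packet dicts) are this example's own assumptions.

```python
import ipaddress

# Assumed defaults of Unix traceroute: base port 33434, 30 hops x 3 probes.
# The thread's rule was an open-ended ">= 33434"; this range is tighter.
PROBE_PORT_MIN = 33434
PROBE_PORT_MAX = PROBE_PORT_MIN + 30 * 3 - 1     # 33523

ICMP_UNREACHABLE = 3      # type 3; code 3 (port unreachable) ends a traceroute
ICMP_TIME_EXCEEDED = 11   # type 11; what each intermediate hop sends back


class TracerouteFilter:
    """Direction-aware filter for the two rules discussed in the thread.

    Outbound UDP probes are allowed and remembered.  An inbound ICMP error is
    allowed only if it is one of the two types traceroute needs *and* the
    original datagram it quotes is a probe we actually let out.  That match
    is what keeps "permit icmp unreachable" from being a blanket hole.
    """

    def __init__(self, inside_net):
        self.inside = ipaddress.ip_network(inside_net)
        self.outstanding = set()   # (src, dst, sport, dport) of probes let out

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def handle(self, pkt):
        """Return 'ALLOW' or 'DENY' for one packet (a dict built by the caller)."""
        src_in = self._is_inside(pkt["src"])
        dst_in = self._is_inside(pkt["dst"])

        if pkt["proto"] == "udp":
            # Outbound probes only.  The same ports arriving from outside are
            # someone tracerouting *us*, which is what the question wanted blocked.
            if src_in and not dst_in and PROBE_PORT_MIN <= pkt["dport"] <= PROBE_PORT_MAX:
                self.outstanding.add((pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"]))
                return "ALLOW"
            return "DENY"

        if pkt["proto"] == "icmp" and dst_in and not src_in:
            if pkt["type"] not in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED):
                return "DENY"
            quoted = pkt.get("quoted")   # the IP/UDP header an ICMP error carries back
            if quoted is None:
                return "DENY"
            key = (quoted["src"], quoted["dst"], quoted["sport"], quoted["dport"])
            if key in self.outstanding:
                self.outstanding.discard(key)   # one reply per probe; replays are dropped
                return "ALLOW"
            return "DENY"

        return "DENY"   # default deny for anything else


def udp(src, sport, dst, dport):
    return {"proto": "udp", "src": src, "sport": sport, "dst": dst, "dport": dport}


def icmp_error(src, dst, itype, code, probe):
    """An ICMP error from `src`, quoting the header of `probe` (as real ones do)."""
    return {"proto": "icmp", "src": src, "dst": dst, "type": itype, "code": code,
            "quoted": {k: probe[k] for k in ("src", "dst", "sport", "dport")}}


def demo():
    """Constructed packet sequence (documentation addresses); returns the verdicts."""
    fw = TracerouteFilter("192.168.1.0/24")
    host, target, hop1 = "192.168.1.10", "198.51.100.7", "203.0.113.1"
    p1 = udp(host, 40001, target, 33434)           # first probe
    p2 = udp(host, 40002, target, 33440)           # a later probe
    never_sent = udp(host, 40003, target, 33435)   # built here but never passed through fw
    sequence = [
        p1,                                                         # ALLOW: outbound probe
        icmp_error(hop1, host, ICMP_TIME_EXCEEDED, 0, p1),          # ALLOW: hop 1 answers p1
        icmp_error(hop1, host, ICMP_TIME_EXCEEDED, 0, never_sent),  # DENY: quotes no real probe
        udp("203.0.113.9", 55555, host, 33434),                     # DENY: inbound traceroute of us
        p2,                                                         # ALLOW: outbound probe
        icmp_error(target, host, ICMP_UNREACHABLE, 3, p2),          # ALLOW: destination reached
        icmp_error(target, host, ICMP_UNREACHABLE, 3, p2),          # DENY: replayed reply
        {"proto": "icmp", "src": hop1, "dst": host, "type": 8, "code": 0},  # DENY: echo request
    ]
    return [fw.handle(p) for p in sequence]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A plain "permit icmp unreachable" and "permit icmp time-exceeded" inbound, as on a stateless router ACL, admits any such ICMP from anywhere, which is the hole Paul points at; the quoted-header match above is what a stateful filter does to narrow it to replies for probes it has seen. The port range assumes the classic UDP traceroute with default options (a `-p` base port, ICMP-echo or TCP traceroute variants need different rules), and the filter stores no timestamps, so a production version would also expire stale probe entries.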
PSB#9280 From firewalls-owner Fri Jun 7 05:50:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA11039 for firewalls-outgoing; Fri, 7 Jun 1996 05:39:26 -0700 (PDT) Received: from trex.netrex.com (trex.netrex.com [205.254.178.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA11032 for ; Fri, 7 Jun 1996 05:39:20 -0700 (PDT) Received: from foghorn (foghorn [205.254.178.10]) by trex.netrex.com (8.7.5/8.7.3) with SMTP id IAA13332 for ; Fri, 7 Jun 1996 08:37:25 -0400 (EDT) Message-Id: <2.2.32.19960607123346.0076d058@trex.netrex.com> X-Sender: richards@trex.netrex.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 07 Jun 1996 08:33:46 -0400 To: Firewalls@GreatCircle.COM From: "Richard D. Stiennon" Subject: Re: Firewall for NT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Warning: Flame Bait below. At 03:22 PM 6/6/96 +0000, Ratak doth say: > > > Hello > > I saw a post a little while ago about a Freeware or cheap NT >firewall, but I didn't pay much attention. > > I wanted to put up this firewall while we wait for Firewall-1 NT... Why not just buy a cheap Unix server and run Firewall-1 on it now? It may be a better solution than a cheap firewall on an expensive NT server. Sorry, I had to say it. :-) Richard Stiennon richards@netrex.com Director, Business Development www.netrex.com/richard Netrex, Inc. 
Voice: 810-352-9643 3000 Town Center, Suite 1100 Fax: 810-352-2375 Southfield, MI 48075 From firewalls-owner Fri Jun 7 06:05:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA12011 for firewalls-outgoing; Fri, 7 Jun 1996 05:58:42 -0700 (PDT) Received: from nutspgw.nutec.com.br ([200.246.248.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA11993 for ; Fri, 7 Jun 1996 05:58:26 -0700 (PDT) Received: (uucp@localhost) by nutspgw.nutec.com.br (8.6.9/8.6.5) id KAA26708 for ; Fri, 7 Jun 1996 10:03:16 -0300 Received: from unknown(200.246.247.2) by nutspgw.nutec.com.br via smap (g3.0.3) Received: from dodo.nutec.com.br by canario.nutec.com.br id aa02918; Comments: Authenticated sender is From: Fernando da Silveira Montenegro Organization: =?ISO-8859-1?Q?Nutec_Inform=DFtica?= To: firewalls@greatcircle.com Date: Fri, 7 Jun 1996 09:58:28 -0300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: NAT option on routers? Reply-to: silveira@nutpagw.nutec.com.br X-mailer: Pegasus Mail for Windows (v2.33) Message-ID: <9606071046.aa02918@canario.nutec.com.br> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello! (I would search the archives before asking the list directly, but it seems the searchable archive is down for some reason) Are the people of this list familiar with any router that would include a NAT option? By this I mean some option where the internal network would have illegal (non-registered, non-RFC1918) addresses and the external interface would have a registered address. I know there are software solutions for this (both commercial and public domain, such as IPfilter). What I was looking for is this functionality in a router (Cisco, Livingston, whatever). Thanks in advance! Regards, Fernando -- Fernando da Silveira Montenegro E-mail: silveira@nutec.com.br Nutec Informatica S.A. 
Phone.: +55-11-505-5728 Rua Florida, 1821/11th floor Fax...: +55-11-505-1918 Sao Paulo, SP BRAZIL 04565-001 WWW: http://www.nutec.com.br From firewalls-owner Fri Jun 7 06:36:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA16136 for firewalls-outgoing; Fri, 7 Jun 1996 06:28:38 -0700 (PDT) Received: from cohiba.predictive.com (cohiba.predictive.com [204.243.240.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA16124 for ; Fri, 7 Jun 1996 06:28:31 -0700 (PDT) Received: from jtb-m75 ([192.168.1.21]) by cohiba.predictive.com (8.6.11/8.6.12) with SMTP id IAA18706 for ; Fri, 7 Jun 1996 08:36:35 -0400 Message-Id: <2.2.32.19960607132429.006778fc@204.243.240.5> X-Sender: jtb@204.243.240.5 X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 07 Jun 1996 09:24:29 -0400 To: firewalls@greatcircle.com From: John Burgess Subject: Is a NAT invisible? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'd like to understand a bit more about how Network Address Translation (NAT) works... Say I have one of the 192.168.x.0 private networks that I'd like to connect through a pure NAT to the internet (pure in the sense that I don't care about any firewall stuff). I'll call this box a gateway. Can the NAT gateway operate purely at the network layer, i.e., by just changing my address in the IP header? Does this break any applications? I have a nagging suspicion that there are applications that put the source IP address in the "data". What are they? I guess the worst case would be a user who telnets to a host through the gateway, and fires off an X client back to his/her Xserver. e.g., DISPLAY=192.168.x.y:0 ; Xsomething-or-other But with a suitable DNS implementation and user training, I think this can be solved. What other issues are there? Even better, is there a white paper explaining how a NAT works and answers these and other NAT-related issues? 
I tried checking the FAQ for this list, but found nothing. If such a doc exists, please send me the URL! Thanks, ------------ John Burgess Predictive Systems, Inc. jtburgess@predictive.com 201-644-3019 x2057 From firewalls-owner Fri Jun 7 06:51:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA17864 for firewalls-outgoing; Fri, 7 Jun 1996 06:40:25 -0700 (PDT) Received: from gizmo.lut.ac.uk (gizmo.lut.ac.uk [158.125.96.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA17855 for ; Fri, 7 Jun 1996 06:40:16 -0700 (PDT) Received: from mrrl.lut.ac.uk (martin@localhost.mrrl.lut.ac.uk [127.0.0.1]) by gizmo.lut.ac.uk (8.7.5/8.6.9) with ESMTP id OAA04799; Fri, 7 Jun 1996 14:37:35 +0100 (BST) Message-Id: <199606071337.OAA04799@gizmo.lut.ac.uk> X-Mailer: exmh version 1.6.7 5/3/96 To: John Mulligan cc: firewalls@greatcircle.com Subject: Re: REQ:rshd command logging X-URI: In-reply-to: Your message of "Thu, 06 Jun 1996 11:56:23 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 07 Jun 1996 14:37:34 +0100 From: Martin Hamilton Sender: firewalls-owner@GreatCircle.COM Precedence: bulk John Mulligan writes: | Does anyone know of an rsh daemon replacement that will allow command | logging? We have TCP_Wrappers 7.4 installed, if anything could be used in | conjunction with that. 
Get the rshd replacement which comes with the logdaemon package - NB: you need to compile with -DLOG_COMMANDS uncommented in the Makefile Marstin From firewalls-owner Fri Jun 7 07:05:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA18755 for firewalls-outgoing; Fri, 7 Jun 1996 06:52:58 -0700 (PDT) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA18736 for ; Fri, 7 Jun 1996 06:52:45 -0700 (PDT) Received: from anubis.network.com by nsco.network.com (4.1/1.34) Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) Date: Fri, 7 Jun 96 08:52:39 CDT From: amolitor@anubis.network.com (Andrew Molitor) Message-Id: <9606071352.AA05355@anubis.network.com> To: firewalls@greatcircle.com Subject: Re: cisco docs, user access Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "W.C. Epperson" wrote: [ regarding various cisco software releases that have been recommended ] > And bear in mind that none of those releases are in General Deployment (GD), > which is, according to Cisco, "The software version which has achieved > a level of stability appropriate for general use in customers' networks". ... > My position is that if it ain't stable enough for general use, > it ain't ready for use in access control. Much as I hate to defend a competitor, especially a successful one, I feel the need to chip in here. I suspect strongly that GD is a label that is *very* expensive to apply, since it means that the test people have signed off on the software working right with every protocol and every feature on every media, etc etc. Quite possibly, this badge requires a couple engineering years to verify, assuming everything works right straight off. 11.x is quite likely to have rock solid IP on ethernet and ppp-over-v35. It's the weird SNA encapsulated in something else shoveled over an x.25 link on a HSSI board that might be a little iffy. 
That said, I agree that it's scary not to know for sure. I assume you run Zero lines whatsoever of free software in mission critical spots? Andrew From firewalls-owner Fri Jun 7 07:40:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA22041 for firewalls-outgoing; Fri, 7 Jun 1996 07:21:59 -0700 (PDT) Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA22004 for ; Fri, 7 Jun 1996 07:21:48 -0700 (PDT) From: sameer@wiproge.med.ge.com Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id JAA27119 for ; Fri, 7 Jun 1996 09:17:36 -0500 Received: from wiproge.med.ge.com (jogin [3.70.200.53]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id JAA13631; Fri, 7 Jun 1996 09:19:57 -0500 Received: from everest.wiproge.med.ge.com (nilgiri) by wiproge.med.ge.com (4.1/SMI-4.1) Received: by wiproge.med.ge.com (5.0/SMI-SVR4) Date: Fri, 7 Jun 1996 19:54:39 +0500 Message-Id: <9606080054.AA00162@wiproge.med.ge.com> To: firewalls@GreatCircle.COM Subject: Netscape Port X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I know that Netscape uses port 80 to connect from the proxy server. What is the port that it connects to on the local host? I have a HP machine running HP-UX and it is sitting in a network connecting to the proxy through a router. I want to capture the packets sent by Netscape and read them. Curious about it and thinking of implementing it as a check. Can somebody tell me how the scenario works / how could I read those packets? 
.TIA...sam E-Mail : sameer@wiproge.med.ge.com Wipro GE Medical Systems - Bangalore sameer@wiproge.gemse.fr Name : Sameer [Sam] Wipro GE Medical Systems Ltd.,GPDC, A-1,Corporate Towers,Golden Enclave, Airport Road,Bangalore- 560017, INDIA ------------------------------------------------------------------------- "Opinions expressed are my own and may not confirm to my Employers" ********************THOUGHT FOR THE DAY************************** Diplomacy is the art of saying "GOOD DOGGY" till you find a very BIG stick. ***************************************************************** You may delegate AUTHORITY but not RESPONSIBILITY -------------------------------------------------------------------------- From firewalls-owner Fri Jun 7 07:55:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23006 for firewalls-outgoing; Fri, 7 Jun 1996 07:28:18 -0700 (PDT) Received: from servant ([205.172.10.40]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA22999 for ; Fri, 7 Jun 1996 07:28:13 -0700 (PDT) Received: from radiatore.mccaw-stg.com by servant (SMI-8.6/SMI-SVR4) Received: by radiatore.mccaw-stg.com (5.x/SMI-SVR4) Date: Fri, 7 Jun 1996 07:25:37 -0700 From: peterg@mccaw-stg.com (Peter Gregory) Message-Id: <9606071425.AA28170@radiatore.mccaw-stg.com> To: firewalls@GreatCircle.com, berkelec@pacific.net.sg Subject: Re: nt firewall X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > [...] unix also have lots of security risks - just look at the list on cert! apples and oranges. the CERT list exists because the UNIX system manufacturers are forthright about security problems and have no shame in publishing them. i doubt that Microsquish has the same mindset. IMHO, admitting one's weaknesses makes one stronger. 
-Pg From firewalls-owner Fri Jun 7 08:09:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26192 for firewalls-outgoing; Fri, 7 Jun 1996 07:58:51 -0700 (PDT) Received: from baldy.worldbit.com (baldy.worldbit.com [199.4.115.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA26139 for ; Fri, 7 Jun 1996 07:58:37 -0700 (PDT) Received: from localhost (blast@localhost) by baldy.worldbit.com (8.7.5/8.7.3) with SMTP id HAA25456; Fri, 7 Jun 1996 07:54:05 -0700 (PDT) Date: Fri, 7 Jun 1996 07:54:05 -0700 (PDT) From: Blast To: John Burgess cc: firewalls@GreatCircle.COM Subject: Re: Is a NAT invisible? In-Reply-To: <2.2.32.19960607132429.006778fc@204.243.240.5> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 7 Jun 1996, John Burgess wrote: > I'd like to understand a bit more about how Network Address Translation > (NAT) works... > > Say I have one of the 192.168.x.0 private networks that I'd like to connect > through a pure NAT to the internet (pure in the sense that I don't care > about any firewall stuff). I'll call this box a gateway. > What other issues are there? There is very little information on the Cisco/NAT's PIX offering. The rep told me that I can borrow one for a day or so to bash so I will report back soon. I have 2 ether's on my laptop so I can straddle the puppy and test. Thank god for 'nc', 'ipsend', 'strobe', etc.etc. I will report back soon. Over and out. -blast ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \ Tim Keanini | "The limits of my language, / / aka blast | are the limits of my world." 
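John Burgess's question above (can a NAT work purely at the network layer, and which applications put the source address in the data?), as an added example in Python that is not code from the list archive, from any vendor, or from the PIX box mentioned in the reply. Active-mode FTP is the classic case: the client's PORT command carries its own address in the payload. The block shows a one-to-one NAT that rewrites only the IP header, an FTP server parsing the PORT it receives, and the same NAT with an application-level gateway that rewrites PORT as well. The addresses (192.168.1.10 inside, 203.0.113.5 public, 198.51.100.20 server), the names StaticNat, rewrite_port_command, server_data_target and demo, and the dict packet format are this example's own assumptions.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2\r\n": the client's own address and data port, sent
# inside the payload of the FTP control connection (active-mode FTP).
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


class StaticNat:
    """One-to-one NAT: every inside address has a fixed public address.

    outbound() rewrites only the IP header unless ftp_alg=True, in which
    case an FTP PORT command in the payload is rewritten as well.
    """

    def __init__(self, inside_to_public):
        self.out_map = dict(inside_to_public)
        self.in_map = {pub: ins for ins, pub in inside_to_public.items()}

    def outbound(self, pkt, ftp_alg=False):
        """Translate an inside->outside packet; the header change is all a 'pure' NAT does."""
        public = self.out_map[pkt["src"]]
        out = dict(pkt, src=public)
        if ftp_alg and pkt.get("dport") == 21:
            out["payload"] = rewrite_port_command(pkt["payload"], pkt["src"], public)
        return out

    def inbound(self, pkt):
        """Translate an outside->inside packet; None if nothing maps to its destination."""
        inside = self.in_map.get(pkt["dst"])
        return None if inside is None else dict(pkt, dst=inside)


def rewrite_port_command(payload, inside_ip, public_ip):
    """The application-level part: make PORT announce the public address.

    Only the address is touched; the data port the client chose is kept.
    A PORT naming some other host is left alone (that is the FTP bounce
    pattern, and not this client's address to translate).
    """
    m = PORT_RE.fullmatch(payload)
    if m is None:
        return payload
    announced = ".".join(g.decode() for g in m.groups()[:4])
    if announced != inside_ip:
        return payload
    octets = public_ip.split(".")
    p1, p2 = (g.decode() for g in m.groups()[4:])
    return ("PORT " + ",".join(octets + [p1, p2]) + "\r\n").encode()


def server_data_target(port_payload):
    """What the FTP server does with PORT: parse it and dial that address/port."""
    m = PORT_RE.fullmatch(port_payload)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def demo(ftp_alg):
    """Client behind the NAT sends PORT; returns where the server dials and what reaches the client."""
    nat = StaticNat({"192.168.1.10": "203.0.113.5"})   # assumed addresses (RFC 1918 / 5737)
    control = {"src": "192.168.1.10", "sport": 1234,
               "dst": "198.51.100.20", "dport": 21,
               "payload": b"PORT 192,168,1,10,4,1\r\n"}   # data port 4*256+1 = 1025
    on_the_wire = nat.outbound(control, ftp_alg=ftp_alg)
    ip, port = server_data_target(on_the_wire["payload"])
    # The server's data-connection SYN, from port 20, to whatever PORT named.
    syn = {"src": "198.51.100.20", "sport": 20, "dst": ip, "dport": port}
    return (ip, port), nat.inbound(syn)


if __name__ == "__main__":
    print("header-only NAT:", demo(ftp_alg=False))   # server dials 192.168.1.10, nothing arrives
    print("NAT with FTP ALG:", demo(ftp_alg=True))   # server dials 203.0.113.5, NAT delivers it
```

With the header-only NAT the server dials the private 192.168.1.10, which is unroutable from its side, so the data connection never comes back through the gateway; with the ALG the server dials the public address and the NAT maps it to the inside host. Two things the toy leaves out matter in practice: rewriting "192,168,1,10" to "203,0,113,5" changes the TCP segment length, so a real ALG must also fix up sequence and acknowledgement numbers on that connection, and an ALG can only do this for protocols it understands and can read (the X DISPLAY case in the question is the same problem, and an encrypted control channel cannot be rewritten at all).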
\ \ | --Ludwig Wittgenstein / \ +================================================/ / PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html \ \ / ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Fri Jun 7 08:20:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28674 for firewalls-outgoing; Fri, 7 Jun 1996 08:16:22 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA28610 for ; Fri, 7 Jun 1996 08:16:07 -0700 (PDT) Received: from lexicon.ins.com (atl-dynamic11.ins.com [199.0.194.11]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id IAA11909; Fri, 7 Jun 1996 08:13:09 -0700 (PDT) Date: Fri, 7 Jun 1996 08:13:09 -0700 (PDT) Message-Id: <2.2.16.19960607023151.390fabda@lexicon.ins.com> X-Sender: matovu_g@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: jnoetzel@intermind.com (Jeremy Noetzelman) From: George Matovu Subject: Re: Firewalls and DNS Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jeremy, It seems like the forwarder doesn't respond to the query within a certain time. Normally the internal firewall would perform the query itself after a timeout. But since you have included the slave option the internal firewall would not query any other DNS server. Try specifying the external DNS address more than once on the "forwarders" directive in the named.boot file on the internal DNS to force it to do multiple queries. eg. suppose the address of the external DNS is 128.123.23.22, try forwarders 128.123.23.22 128.123.23.22 128.123.23.22 Otherwise try using a sniffer to determine where the problem is. I hope this helps, George. At 02:07 PM 6/6/96 -0700, you wrote: >We'd like to have a split DNS with a public server and a private server. 
>We've initially started with two servers, one of which has dummy DNS >entries, one of them has the real entries. The one with the real entries is >behind the firewall, and is set up as a slave/forwarder to the external one >with the dummy DNS entries. > >So far so good, but the problem is incredibly slow DNS lookups, which >timeout regularly. For example, with Netscape if you click on a link, it >times out the first time, but the answer is available immediately on the >second try. > >I'm completely uncertain what the problem is. while this may not be a strict >firewalls question, I'm sure it's one that is of interest to many. > >Any help would be much appreciated. > >Jeremy Noetzelman > >--- >Jeremy Noetzelman >jnoetzel@intermind.com >Operations Specialist >Intermind Corporation > > > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ George F. Matovu International Network Services Network Systems Engineer 8391 Old Courthouse Rd., Ste. 215 PH. 703-550-1151 Vienna, VA 22182 Pager 800-789-3604 ___________________________________________________________________________ From firewalls-owner Fri Jun 7 08:21:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA24171 for firewalls-outgoing; Fri, 7 Jun 1996 07:41:08 -0700 (PDT) Received: from pozarica.pr.uv.mx (pozarica.pr.uv.mx [148.226.210.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA24079 for ; Fri, 7 Jun 1996 07:40:26 -0700 (PDT) Received: from pozarica by pozarica.pr.uv.mx (5.0/SMI-SVR4) Date: Fri, 7 Jun 1996 09:41:31 -0600 (CST) From: higueron Subject: DMZ with Firewall-1 To: firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi friends. Does anybody have a De-Militarized Zone using firewall-1 ? I'd like to know about it, the number of network interfaces, routers, etc. 
What would be the configuration to do this? Thanks in advance. Marco A. Higueron Universidad Veracruzana Poza Rica Ver. Mexico From firewalls-owner Fri Jun 7 08:54:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02243 for firewalls-outgoing; Fri, 7 Jun 1996 08:42:59 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA02235 for ; Fri, 7 Jun 1996 08:42:53 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id HAA28189; Fri, 7 Jun 1996 07:56:18 -0700 Date: Fri, 7 Jun 1996 08:39:43 -0700 (PDT) From: Michael Dillon To: sameer@wiproge.med.ge.com cc: firewalls@GreatCircle.COM Subject: Re: Netscape Port In-Reply-To: <9606080054.AA00162@wiproge.med.ge.com> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 7 Jun 1996 sameer@wiproge.med.ge.com wrote: > I know that Netscape uses port 80 to connect from the proxy > server.What is the port that it connects to on the local host. Go into Netscape Navigator and look at Options, Network Preferences, Proxies and click on the "View" button. Of course this only works if the "Manual Configuration" is selected. If it's automatic I assume that the port used needs to be found on the proxy server. This isn't standard, you can use any port you want to. Michael Dillon ISP & Internet Consulting Memra Software Inc. 
Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Fri Jun 7 09:16:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02847 for firewalls-outgoing; Fri, 7 Jun 1996 08:48:45 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA02811 for ; Fri, 7 Jun 1996 08:48:32 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9606071546.AA25274@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: Jeremy Noetzelman Cc: firewalls From: Ryan.Russell/SYBASE Date: 7 Jun 96 8:46:42 EDT Subject: Re: Firewalls and DNS X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Why forward to the external DNS host? I assume that your internal DNS list is a superset of the external one? Configure your internal DNS server to skip the external DNS server when it's forwarding requests. Ryan ---------- Previous Message ---------- To: firewalls cc: From: jnoetzel @ intermind.com (Jeremy Noetzelman) @ smtp Date: 06/06/96 02:07:44 PM Subject: Firewalls and DNS We'd like to have a split DNS with a public server and a private server. We've initially started with two servers, one of which has dummy DNS entries, one of them has the real entries. The one with the real entries is behind the firewall, and is set up as a slave/forwarder to the external one with the dummy DNS entries. So far so good, but the problem is incredibly slow DNS lookups, which timeout regularly. For example, with Netscape if you click on a link, it times out the first time, but the answer is available immediately on the second try. 
I'm completely uncertain what the problem is. While this may not be a strict firewalls question, I'm sure it's one that is of interest to many. Any help would be much appreciated.

Jeremy Noetzelman
---
Jeremy Noetzelman        jnoetzel@intermind.com
Operations Specialist    Intermind Corporation

From firewalls-owner Fri Jun 7 09:24:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05426 for firewalls-outgoing; Fri, 7 Jun 1996 09:07:14 -0700 (PDT)
Received: from uio ([200.31.8.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA05373 for ; Fri, 7 Jun 1996 09:07:00 -0700 (PDT)
From: xmerino@uio.satnet.net
Received: from nt by uio (SMI-8.6/SMI-SVR4)
Message-Id: <199606071507.LAA18619@uio>
Organization: satnet
To: firewalls@greatcircle.com
Date: Fri, 7 Jun 1996 11:08:36 +0000
Subject: TACACS SERVER
Reply-to: uio.satnet.net@satnet.net
X-mailer: Pegasus Mail/Windows (v1.22)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello List..

I am working with Cisco 2511 Access Servers, with CiscoWorks' TACACS verifying the users on a Solaris 2.5 system. Do you know if there is a possibility to verify the users against the same /etc/passwd and shadow as a normal session? How do you analyse the tacacs.wtmp, because who or last does not work.
Regards,
Xavier Merino

From firewalls-owner Fri Jun 7 09:51:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08625 for firewalls-outgoing; Fri, 7 Jun 1996 09:28:01 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA08565 for ; Fri, 7 Jun 1996 09:27:43 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo10.cisco.com [171.68.13.10]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id JAA18222; Fri, 7 Jun 1996 09:26:04 -0700
Message-Id: <199606071626.JAA18222@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 07 Jun 1996 12:25:15 -0400
To: amolitor@anubis.network.com (Andrew Molitor)
From: Paul Ferguson
Subject: Re: cisco docs, user access
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:52 AM 6/7/96 CDT, Andrew Molitor wrote:

> I suspect strongly that GD is a label that is *very* expensive to
> apply, since it means that the test people have signed off on the software
> working right with every protocol and every feature on every media, etc etc.
> Quite possibly, this badge requires a couple engineering years to verify,
> assuming everything works right straight off. 11.x is quite likely to have
> rock solid IP on ethernet and ppp-over-v35. It's the weird SNA encapsulated
> in something else shoveled over an x.25 link on a HSSI board that might be a
> little iffy.
>

That is an exactly correct assumption. :-)

- paul

--
Paul Ferguson                        ||        ||
Consulting Engineering               ||        ||
Reston, Virginia USA                ||||      ||||
tel: +1.703.716.9538            ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com        c i s c o  S y s t e m s

From firewalls-owner Fri Jun 7 10:05:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08022 for firewalls-outgoing; Fri, 7 Jun 1996 09:24:51 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07983 for ; Fri, 7 Jun 1996 09:24:36 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo10.cisco.com [171.68.13.10]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id JAA17194; Fri, 7 Jun 1996 09:22:58 -0700
Message-Id: <199606071622.JAA17194@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 07 Jun 1996 12:22:10 -0400
To: John Burgess
From: Paul Ferguson
Subject: Re: Is a NAT invisible?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There's a couple of decent white-papers located at:

http://www.translation.com

- paul

At 09:24 AM 6/7/96 -0400, John Burgess wrote:

>I'd like to understand a bit more about how Network Address Translation
>(NAT) works...
>
>Say I have one of the 192.168.x.0 private networks that I'd like to connect
>through a pure NAT to the internet (pure in the sense that I don't care
>about any firewall stuff). I'll call this box a gateway.
>
>Can the NAT gateway operate purely at the network layer, i.e., by just
>changing my address in the IP header?
>Does this break any applications?
>I have a nagging suspicion that there are applications that put the source
>IP address in the "data". What are they?
>
>I guess the worst case would be a user who telnets to a host through the
>gateway, and fires off an X client back to his/her Xserver.
>
>e.g., DISPLAY=192.168.x.y:0 ; Xsomething-or-other
>
>But with a suitable DNS implementation and user training, I think this can
>be solved.
>
>What other issues are there?
>
>Even better, is there a white paper explaining how a NAT works and answers
>these and other NAT-related issues?
>I tried checking the FAQ for this list, but found nothing.
>If such a doc exists, please send me the URL!
>
>Thanks,
>------------
>John Burgess
>Predictive Systems, Inc.
>jtburgess@predictive.com
>201-644-3019 x2057
>

--
Paul Ferguson                        ||        ||
Consulting Engineering               ||        ||
Reston, Virginia USA                ||||      ||||
tel: +1.703.716.9538            ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com        c i s c o  S y s t e m s

From firewalls-owner Fri Jun 7 10:21:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA13826 for firewalls-outgoing; Fri, 7 Jun 1996 10:07:36 -0700 (PDT)
Received: from trex.netrex.com (trex.netrex.com [205.254.178.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA13734 for ; Fri, 7 Jun 1996 10:07:09 -0700 (PDT)
Received: from foghorn (foghorn [205.254.178.10]) by trex.netrex.com (8.7.5/8.7.3) with SMTP id NAA17179; Fri, 7 Jun 1996 13:04:47 -0400 (EDT)
Message-Id: <2.2.32.19960607170114.009b0ce4@trex.netrex.com>
X-Sender: richards@trex.netrex.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 07 Jun 1996 13:01:14 -0400
To: higueron
From: "Richard D. Stiennon"
Subject: Re: DMZ with Firewall-1
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:41 AM 6/7/96 -0600, higueron wrote:

>Hi friends.
>Does anybody have a De-Militarized Zone using firewall-1 ? I'd like
>to know about it, the number of network interfaces, routers, etc.
>What would be the configuration to do this ?
>

Firewall-1 supports up to 32 network interfaces. A simple setup would be three ethernet ports on your Firewall-1 machine: one to the Outside, one to your internal network, one to your DMZ.
This is much more powerful than the typical DMZ since you can set restrictions on access to all three segments.

Richard Stiennon                  richards@netrex.com
Director, Business Development    www.netrex.com/richard
Netrex, Inc.                      Voice: 810-352-9643
3000 Town Center, Suite 1100      Fax: 810-352-2375
Southfield, MI 48075

From firewalls-owner Fri Jun 7 10:36:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA16113 for firewalls-outgoing; Fri, 7 Jun 1996 10:25:40 -0700 (PDT)
Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA16087 for ; Fri, 7 Jun 1996 10:25:30 -0700 (PDT)
Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1)
Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1)
Received: from spirit.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4)
Received: by spirit.qualix (5.x/SMI-SVR4)
From: security@qualix.com (Nik D. Knoth)
Message-Id: <9606071720.AA01066@spirit.qualix>
Subject: DMZ with Firewall-1 (fwd)
To: firewalls@GreatCircle.COM
Date: Fri, 7 Jun 1996 10:20:06 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marco,

Most of my firewall-1 customers use a dmz. I tend to recommend it strongly for any public access or highly vulnerable services (i.e. anon ftp, http, mail). FW-1 will handle multiple network interfaces. If you operate on a platform with at least three interfaces (say default plus 2 fsbe cards or a single quad card), that's all you need. No extra "routers, etc."

Other questions, let me know

-nik

--
Nik D. Knoth               Email: nik@qualix.com
Qualix Support Team        Office: 415.638.4106
The Qualix Group, Inc.     Fax: 415.572.1300

Forwarded message:
> From: higueron
> Subject: DMZ with Firewall-1
> To: firewalls@GreatCircle.COM
>
> Hi friends.
> Does anybody have a De-Militarized Zone using firewall-1 ? I'd like
> to know about it, the number of network interfaces, routers, etc.
> What would be the configuration to do this ?
>
> Thanks in advance.
>
> 		Marco A. Higueron
> 		Universidad Veracruzana
> 		Poza Rica Ver. Mexico
>
>
>
>

From firewalls-owner Fri Jun 7 10:50:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17051 for firewalls-outgoing; Fri, 7 Jun 1996 10:33:13 -0700 (PDT)
Received: from jaring.my (jaring.my [192.228.128.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA17041 for ; Fri, 7 Jun 1996 10:33:05 -0700 (PDT)
Received: from extol.extol.my (j12.ptl6.jaring.my [161.142.1.218]) by jaring.my (8.7.5/8.7.1) with SMTP id BAA19303; Sat, 8 Jun 1996 01:30:31 +0800 (MYT)
Message-ID: <31B876D2.561B@pc.jaring.my>
Date: Sat, 08 Jun 1996 01:37:06 +0700
From: peng-chiew low
X-Mailer: Mozilla 2.01 (Win95; I)
MIME-Version: 1.0
To: Tey Wei Ming
CC: firewalls@greatcircle.com
Subject: Re: nt firewall
References: <19960607123650berkelec@GM.compex.com.sg>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tey Wei Ming wrote:

> to me nt is easier to administer than unix, and unix also has lots of
> security risks - just look at the list on cert!

Ah! Another "security by obscurity" believer :)

> and unix hardware is still too costly.

Please repeat the above statement in the context of BSDi, Linux, SCO, and Solaris X86.
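John Burgess's question above (can a NAT gateway work purely at the network layer, and which applications put the source IP address in the data?) is the classic reason a NAT is not invisible. The following is an added example written for this archive, not code from the list or from any product named in the thread: it models a pure network-layer NAT that rewrites only the IP header, shows that an FTP PORT command and an X11 DISPLAY setting still carry the private address in the payload, and adds the kind of application-level gateway (ALG) a real NAT needs for FTP. The packet model (a dict), the addresses (RFC 1918 inside, RFC 5737 documentation ranges outside) and all function names are constructed for illustration.

```python
"""Why a pure network-layer NAT breaks applications that embed addresses in data.

Added example; the packet model, addresses and helpers below are constructed.
"""
import re

PRIVATE_NET = "192.168.1."      # constructed inside network (RFC 1918 space)
PUBLIC_ADDR = "203.0.113.7"     # constructed public address of the NAT gateway


def nat_outbound(packet):
    """Pure network-layer NAT: rewrite the source address in the IP header only.
    The payload is left untouched, exactly as John's 'just change my address
    in the IP header' gateway would do."""
    out = dict(packet)
    if out["src"].startswith(PRIVATE_NET):
        out["src"] = PUBLIC_ADDR
    return out


# Active-mode FTP: the client tells the server where to connect back,
# as six decimal octets "h1,h2,h3,h4,p1,p2" (port = p1*256 + p2).
FTP_PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def ftp_port_alg(packet, inside_src):
    """FTP application-level gateway: if the PORT command names the client's
    own (pre-translation) address, rewrite it to the gateway's public address.
    A real gateway would also have to expect the server's inbound data
    connection on that port; that bookkeeping is omitted here."""
    m = FTP_PORT_RE.search(packet["payload"])
    if not m:
        return packet
    embedded = ".".join(m.group(i) for i in range(1, 5))
    if embedded != inside_src:
        return packet                      # not our client's address; leave it alone
    public_octets = ",".join(PUBLIC_ADDR.split("."))
    fixed = FTP_PORT_RE.sub(
        f"PORT {public_octets},{m.group(5)},{m.group(6)}", packet["payload"])
    out = dict(packet)
    out["payload"] = fixed
    return out


def find_leaked_private_addrs(packet):
    """Detection helper: private addresses that survive in the payload after
    translation. Anything reported here will be unreachable from outside
    (and tells an outside party about the inside numbering plan)."""
    return sorted(set(re.findall(r"192\.168\.\d+\.\d+", packet["payload"])))


def run_demo():
    client = PRIVATE_NET + "23"
    server = "198.51.100.9"               # constructed outside host
    # Constructed payloads: an FTP PORT command (port 4*256+36 = 1060) and the
    # X11 case from John's message, where DISPLAY names the user's inside host.
    ftp = {"src": client, "dst": server, "payload": "PORT 192,168,1,23,4,36\r\n"}
    x11 = {"src": client, "dst": server, "payload": "DISPLAY=192.168.1.23:0\n"}

    pure_ftp = nat_outbound(ftp)                     # header fixed, payload not
    alg_ftp = nat_outbound(ftp_port_alg(ftp, client))  # ALG first, then NAT
    pure_x11 = nat_outbound(x11)
    return {
        "ftp_header_src": pure_ftp["src"],
        "ftp_pure_payload": pure_ftp["payload"],
        "ftp_alg_payload": alg_ftp["payload"],
        "x11_leaks": find_leaked_private_addrs(pure_x11),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value!r}")
```

The pure translation gets the header right and the FTP server still tries to connect back to 192.168.1.23, which does not exist outside; only the ALG produces a PORT command the server can honour. There is no generic ALG for X11 here: the DISPLAY string is set by the user, which is why John's suggestion of DNS names plus user training is the realistic fix for that case.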
From firewalls-owner Fri Jun 7 11:12:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA21758 for firewalls-outgoing; Fri, 7 Jun 1996 11:02:10 -0700 (PDT)
Received: from wpg-01.escape.ca (wpg-01.escape.ca [198.163.232.254]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA21737 for ; Fri, 7 Jun 1996 11:02:01 -0700 (PDT)
Received: from wpg-01.escape.ca (ts1dl34.escape.ca [198.163.232.94]) by wpg-01.escape.ca (8.6.11/8.6.11) with SMTP id NAA05001; Fri, 7 Jun 1996 13:03:02 -0500
Message-Id: <199606071803.NAA05001@wpg-01.escape.ca>
Comments: Authenticated sender is
From: "Ratak"
Organization: Classified
To: "Richard D. Stiennon"
Date: Fri, 7 Jun 1996 12:52:44 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Firewall for NT
CC: Firewalls-Digest@GreatCircle.COM
X-mailer: Pegasus Mail for Win32 (v2.31)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > I wanted to put up this firewall while we wait for Firewall-1
> > > NT...
>
> Why not just buy a cheap Unix server and run Firewall-1 on it now?
> It may be a better solution than a cheap firewall on an expensive NT
> server.
>

Well, we already have the expensive NT servers, and figured hey! Might as well use 'em...

> Sorry, I had to say it. :-)
>

Of course... Unix freaks always do...

GarGoyle Securities
Network Intrusion Assessment Systems
Voice/Data/Fax: (204)878 2190
Email: ratak@escape.ca
PGP Key available via Keyserver nearest you. . .
Key Fingerprint= 25 03 97 D1 1E 9C 2D 98 D1 2F 8D EC 49 C2 64 12

From firewalls-owner Fri Jun 7 11:58:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA26372 for firewalls-outgoing; Fri, 7 Jun 1996 11:39:25 -0700 (PDT)
Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA26354 for ; Fri, 7 Jun 1996 11:39:18 -0700 (PDT)
Received: from wolverine.acquion.com ([206.154.17.12])
Message-Id: <2.2.32.19960607183650.006c50ec@mail.acquion.com>
X-Sender: moll5029@mail.acquion.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 07 Jun 1996 14:36:50 -0400
To: firewalls@greatcircle.com
From: "Joseph L. Moll"
Subject: Re: nt firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:37 AM 6/8/96 +0700, peng-chiew low apparently wrote:

>Ah! Another "security by obscurity" believer :)

Speaking of "security by obscurity," is anyone pooling a list of known NT security problems other than what is being posted on the ntsec list, since MicroScrotum is not releasing anything publicly?

---
Joseph L. (Joe) Moll -- Network and Communications Engineering
mailto:jmoll@acquion.com   http://www.acquion.com   phone: 864-281-4108
ACQUION, Inc.
Greenville, SC USA -- Specialists in Electronic Commerce
disclaimer: This email is not to be considered official correspondence
---

From firewalls-owner Fri Jun 7 13:35:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA04068 for firewalls-outgoing; Fri, 7 Jun 1996 13:23:12 -0700 (PDT)
Received: from toadflax.cs.ucdavis.edu (toadflax.cs.ucdavis.edu [128.120.56.188]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA04061 for ; Fri, 7 Jun 1996 13:22:48 -0700 (PDT)
Received: from nob (nob.cs.ucdavis.edu) by toadflax.cs.ucdavis.edu (4.1/UCD.CS.2.6)
Received: by nob (5.x/UCDCS.SECLAB.Solaris2-2.0)
Date: Fri, 7 Jun 1996 13:20:14 -0700
From: bishop@cs.ucdavis.edu (Matt Bishop)
Message-Id: <9606072020.AA10077@nob>
To: firewalls@greatcircle.com
Subject: CFP: 1997 Symposium on Network and Distributed System Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

CALL FOR PAPERS

The Internet Society Symposium on Network and Distributed System Security
February 10-11, 1997, San Diego Princess Resort, San Diego, California

Submissions due:          August 1, 1996
Notification to Authors:  October 1, 1996
Camera-Ready Copy due:    November 1, 1996

GOAL: The symposium will bring together people who are building hardware and software to provide network and distributed system security services. The symposium is intended for those interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Symposium proceedings will be published by the IEEE Computer Society Press.
Topics for the symposium include, but are not limited to, the following:

* Design and implementation of communication security services: authentication, integrity, confidentiality, authorization, non-repudiation, and availability.

* Design and implementation of security mechanisms, services, and APIs to support communication security services, key management and certification infrastructures, audit, and intrusion detection.

* Requirements and designs for securing network information resources and tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.

* Requirements and designs for systems supporting electronic commerce -- payment services, fee-for-access, EDI, notary -- endorsement, licensing, bonding, and other forms of assurance.

* Design and implementation of measures for controlling network communication -- firewalls, packet filters, application gateways, and user/host authentication schemes.

* Requirements and designs for telecommunications security especially for emerging technologies -- very large systems like the Internet, high-speed systems like the gigabit testbeds, wireless systems, and personal communication systems.

* Special issues and problems in security architecture, such as interplay between security goals and other goals -- efficiency, reliability, interoperability, resource sharing, and cost.

* Integration of security services with system and application security facilities, and application protocols -- including but not limited to message handling, file transport, remote file access, directories, time synchronization, data base management, routing, voice and video multicast, network management, boot services, and mobile computing.
GENERAL CHAIR:
  David Balenson, Trusted Information Systems

PROGRAM CHAIRS:
  Clifford Neuman, University of Southern California
  Matt Bishop, University of California at Davis

PROGRAM COMMITTEE:
  Steve Bellovin, AT&T Research
  Tom Berson, Anagram Laboratories
  Doug Engert, Argonne National Laboratory
  Warwick Ford, Bell Northern Research
  Richard Graveman, Bellcore
  Li Gong, SRI
  Burt Kaliski, RSA Laboratories
  Steve Kent, BBN
  Tom Longstaff, CERT
  Doug Maughan, National Security Agency
  Dan Nessett, Sun Microsystems
  Hilarie Orman, DARPA
  Michael Roe, Cambridge University
  Christoph Schuba, Purdue University
  Jonathan Trostle, CyberSafe
  Theodore Ts'o, Massachusetts Institute of Technology
  Doug Tygar, Carnegie Mellon University
  Vijay Varadharajan, University of W. Sydney
  Roberto Zamparo, Telia Research

LOCAL ARRANGEMENTS CHAIR:
  Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
  Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
  Donna Leggett, Internet Society

SUBMISSIONS: The committee invites technical papers and panel proposals for topics of technical and general interest. Technical papers should be 10-20 pages in length. Panel proposals should be two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may, at the discretion of the panel chair, include written position statements from each panelist.

Each submission must contain a separate title page with the type of submission (paper or panel), the title or topic, the names of the author(s), organizational affiliation(s), telephone and FAX numbers, postal addresses, Internet electronic mail addresses, and must list a single point of contact if more than one author. The names of authors, affiliations, and other identifying information should appear only on the separate title page.
Submissions must be received by 1 August 1996, and should be made via electronic mail in either PostScript or ASCII format. If the committee is unable to print a PostScript submission, it will be returned and hardcopy requested. Therefore, PostScript submissions should arrive well before 1 August. If electronic submission is difficult, submissions should be sent via postal mail.

All submissions and program related correspondence (only) should be directed to the program chair: Clifford Neuman, University of Southern California, Information Sciences Institute, 4676 Admiralty Way, Marina del Rey, California 90292-6695, Phone: +1 (310) 822-1511, FAX: +1 (310) 823-6714, Email: sndss97-submissions@isi.edu.

Dates, final call for papers, advance program, and registration information will be available at the URL: http://www.isoc.org/conferences/ndss97.

Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact the program chair as indicated above. Authors and panelists will be notified of acceptance by 1 October 1996. Instructions for preparing camera-ready copy for the proceedings will be sent at that time. The camera-ready copy must be received by 1 November 1996.
From firewalls-owner Fri Jun 7 14:25:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA07022 for firewalls-outgoing; Fri, 7 Jun 1996 14:12:00 -0700 (PDT)
Received: from uu3.psi.com (uu3.psi.com [38.145.250.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA07015 for ; Fri, 7 Jun 1996 14:11:54 -0700 (PDT)
Received: from forty-two.ejv.com by uu3.psi.com (5.65b/4.0.940727-PSI/PSINet) via SMTP;
Received: from nymailhost (ejvnis) by ejv.com (4.1/SMI-4.1)
Received: from ops2.ejv.com by nymailhost (4.1/SMI-4.1)
Date: Fri, 7 Jun 96 17:09:26 EDT
From: micky@ejv.com (Micky Liu)
Message-Id: <9606072109.AA25365@nymailhost>
Received: by ops2.ejv.com (4.1/SMI-4.1)
To: firewalls@GreatCircle.COM
Cc: micky@ejv.com
Subject: Re: Freeware firewalls comparison
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Wed, 22 May 1996 23:12:16 -0500 (CDT)
>From: Ken Hardy
>To: Alessandro Coelho Ribeiro
>Cc: Leonardo Bentes , firewalls@GreatCircle.COM
>Subject: Re: Freeware firewalls comparison
>
>> Which are the freeware firewalls ?
>> 1 - proxy servers - TIS and Socks (URL?)
>> 2 - screening routers - router capabilities embedded in freeware Unixes
>> for PCs (Linux, *BSD, ...) and, I think, KarlBridge (for DOS) can
>> be configured as a bridge or as a router.
>
>There's Freestone, by the makers of Brimstone. You don't hear much
>about it; it would be interesting to hear any first-hand accounts
>of using it to implement a firewall, or other assessments.
>
>- - KH

I've been looking at a number of firewall providers too and have found some meaningful features in Brimstone:

- ability to handle multiple secure interfaces
- central management of distributed firewall devices
- ready for IPSP

I haven't come to any conclusions yet, but have bought software from them.
Their company was able to respond to a specific requirement that I had -- namely they sold me a supported version of VIF (virtual interface) code that would run on my SunOS 4.x machines. The guys are smart, and the company was very responsive to my request...

Micky

From firewalls-owner Fri Jun 7 16:35:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA17740 for firewalls-outgoing; Fri, 7 Jun 1996 16:24:21 -0700 (PDT)
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA17716 for ; Fri, 7 Jun 1996 16:24:13 -0700 (PDT)
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by puli.cisco.com (8.6.8+c/8.6.5) with SMTP id QAA14838 for ; Fri, 7 Jun 1996 16:21:52 -0700
Message-Id: <199606072321.QAA14838@puli.cisco.com>
To: firewalls@greatcircle.com
Subject: "how-to" scripts for configuring cisco routers as good packet-screeners
Date: Fri, 07 Jun 1996 16:21:52 -0700
From: Paul Traina
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[I'm resending this, since it looks like it never made it to the list last time.]

------- Forwarded Message

A number of years ago, I wrote a bunch of scripts to help me maintain part of cisco's firewalling system. I just recently updated those scripts to match some of the nasty new tricks that have come up through the years and also address new "fad" services like WWW :-)

The scripts in question include an ACL generator that takes a fairly readable syntax and converts it into raw cisco ACLs (including doing DNS translation) and a commentary about why certain holes were opened, why they might be dangerous, what the trade-offs are, et al. (no, I didn't document anything useful for bad guys... sorry.)

These scripts are based upon real-life operational experience, however they have been sanitized to protect the guilty and avoid causing temptation to would-be bad-guys. (e.g.
the name of the macintosh that allows non-passive FTP is not called "obnoxious-bigshot-mac" :-)).

As before, these scripts are being offered "AS-IS" -- do not sic your lawyers on myself or cisco if you use them and some nasty clod messes you up. They're only intended for reference and educational use. Cisco will not answer questions about these scripts; they are not a supported product. Caveat emptor.

ftp://ftp-eng.cisco.com/pub/acl-examples.tar.gz

Paul

------- End of Forwarded Message

From firewalls-owner Fri Jun 7 18:05:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22473 for firewalls-outgoing; Fri, 7 Jun 1996 17:49:28 -0700 (PDT)
Received: from jaring.my (jaring.my [192.228.128.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA22466 for ; Fri, 7 Jun 1996 17:49:21 -0700 (PDT)
Received: from extol.extol.my (j5.ptl6.jaring.my [161.142.1.211]) by jaring.my (8.7.5/8.7.1) with SMTP id IAA27227; Sat, 8 Jun 1996 08:46:53 +0800 (MYT)
Message-ID: <31B8DD18.18E9@pc.jaring.my>
Date: Sat, 08 Jun 1996 08:53:28 +0700
From: peng-chiew low
X-Mailer: Mozilla 2.01 (Win95; I)
MIME-Version: 1.0
To: "Joseph L. Moll"
CC: firewalls@GreatCircle.COM
Subject: Re: nt firewall
References: <2.2.32.19960607183650.006c50ec@mail.acquion.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Joseph L. Moll wrote:

> Speaking of "security by obscurity," is anyone pooling a list of known NT
> security problems other than that is being posted on the ntsec list since
> MicroScrotum is not releasing anything publicly?

Try the "ntsec" mailing list.
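Paul Traina's message above describes an ACL generator that turns a readable rule syntax into raw cisco ACLs, resolving names along the way and keeping a commentary on why each hole exists; the Firewall-1 DMZ thread earlier describes the outside / inside / DMZ split such rules typically enforce. The following is an added example written for this archive to show what such a generator looks like in miniature. It is not Paul's script (which is at the ftp URL he gives), nor any vendor's code: the rule syntax, the RULES policy, the HOSTS table that stands in for DNS lookups, and the choice of ACL number 101 are all constructed here. Output is standard IOS numbered extended access-list syntax with `!` comment lines.

```python
"""Tiny ACL generator: readable rules -> Cisco IOS extended access-list lines.

Added example; rule syntax, HOSTS table and RULES policy are constructed.
"""
import ipaddress

ACL_NUMBER = 101

# Constructed name table standing in for DNS. Resolving at generation time
# means the emitted ACL carries addresses, not names, so the generator must be
# re-run when a host moves; that is the trade-off Paul's "DNS translation" makes.
HOSTS = {
    "dmz-www":    "203.0.113.10",
    "dmz-mail":   "203.0.113.25",
    "dmz-net":    "203.0.113.0/24",
    "inside-net": "192.168.0.0/16",
}

# Rule format (constructed): action proto src dst port [log]   # comment
# 'any' is accepted for src, dst and port; names resolve via HOSTS, literal
# addresses or CIDR prefixes are accepted as-is. Comments become '!' lines so
# the reasoning behind each hole travels with the configuration.
RULES = """
# Constructed policy for traffic arriving on the outside interface.
permit tcp any dmz-www 80              # anonymous web
permit tcp any dmz-mail 25             # inbound mail stops at the DMZ relay
deny   ip  any inside-net any log      # nothing from outside reaches the inside directly
deny   ip  any any any log             # default deny, logged
"""


def render_addr(token):
    """Render a rule address as IOS expects: 'any', 'host A.B.C.D', or
    'network wildcard' (the wildcard is the inverted netmask)."""
    if token == "any":
        return "any"
    value = HOSTS.get(token, token)
    net = ipaddress.ip_network(value, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_rule(line):
    """Translate one rule line into zero or more IOS configuration lines."""
    text, _, comment = line.partition("#")
    fields = text.split()
    out = []
    if comment.strip():
        out.append(f"! {comment.strip()}")
    if not fields:
        return out
    if len(fields) < 5:
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, dst, port = fields[:5]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    parts = [f"access-list {ACL_NUMBER}", action, proto,
             render_addr(src), render_addr(dst)]
    if port != "any":
        if proto not in ("tcp", "udp"):
            raise ValueError(f"port given for non-tcp/udp rule: {line!r}")
        parts.append(f"eq {int(port)}")
    if "log" in fields[5:]:
        parts.append("log")
    out.append(" ".join(parts))
    return out


def generate(rules_text):
    """Generate the full ACL for a policy text, in rule order (IOS evaluates
    numbered ACLs top to bottom, first match wins, so order is the policy)."""
    lines = []
    for line in rules_text.splitlines():
        lines.extend(render_rule(line))
    return lines


if __name__ == "__main__":
    print("\n".join(generate(RULES)))
```

The generator refuses a rule it cannot express (a port on an `ip` rule, an unknown action) rather than emitting something that would silently widen the policy, and the explicit logged `deny ip any any` at the end makes the implicit IOS default visible in both the config and the logs.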
From firewalls-owner Fri Jun 7 19:20:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA28453 for firewalls-outgoing; Fri, 7 Jun 1996 19:12:42 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA28437 for ; Fri, 7 Jun 1996 19:12:33 -0700 (PDT)
Received: from anubis.network.com by nsco.network.com (4.1/1.34)
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1)
Date: Fri, 7 Jun 96 21:12:52 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9606080212.AA17450@anubis.network.com>
To: firewalls@greatcircle.com
Subject: MCI 'monitoring'?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I heard a rumor that MCI does some sort of traffic monitoring at some major interchange points. Does anyone know:

- if this is in any sense true
- if so, what sort of monitoring they do
- if it's any sort of interesting monitoring (not just some aggregate statistics of some sort), how do they do it?

Thanks,

Andrew

From firewalls-owner Fri Jun 7 20:50:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA04328 for firewalls-outgoing; Fri, 7 Jun 1996 20:39:13 -0700 (PDT)
Received: from baldy.worldbit.com (baldy.worldbit.com [199.4.115.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA04319 for ; Fri, 7 Jun 1996 20:39:06 -0700 (PDT)
Received: from localhost (blast@localhost) by baldy.worldbit.com (8.7.5/8.7.3) with SMTP id UAA27264; Fri, 7 Jun 1996 20:34:34 -0700 (PDT)
Date: Fri, 7 Jun 1996 20:34:33 -0700 (PDT)
From: Blast
To: Andrew Molitor
cc: firewalls@GreatCircle.COM
Subject: Re: MCI 'monitoring'?
In-Reply-To: <9606080212.AA17450@anubis.network.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 7 Jun 1996, Andrew Molitor wrote:

> I heard a rumor that MCI does some sort of traffic monitoring
> at some major interchange points. Does anyone know:
>
> - if this is in any sense true
> - if so, what sort of monitoring they do
> - if it's any sort of interesting monitoring (not just some
> aggregate statistics of some sort), how do they do it?

I don't know if this is what you are looking for but if you are interested in statistics from the NAP's, check out:

http://www.ra.net/statistics/rs.html

I hope this helps.

--blast

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\  Tim Keanini     |  "The limits of my language,                     /
/  aka blast       |   are the limits of my world."                   \
\                  |                  --Ludwig Wittgenstein           /
\                  +================================================/
/  PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html        \
\                                                                     /
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri Jun 7 21:05:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA05578 for firewalls-outgoing; Fri, 7 Jun 1996 21:01:16 -0700 (PDT)
Received: from gccs-fw.cpf.navy.mil (gccs-fw.cpf.navy.mil [198.55.6.40]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA05571 for ; Fri, 7 Jun 1996 21:01:09 -0700 (PDT)
Received: (from uucp@localhost) by gccs-fw.cpf.navy.mil (8.6.12/8.6.9) id SAA23156 for ; Fri, 7 Jun 1996 18:02:36 -1000
Received: from gccs.cpf.navy.mil(204.34.183.2) by gccs-fw.cpf.navy.mil via smap (V1.3)
Received: from gccs125.gccs.cpf.navy.mil (gccs125.gccs.cpf.navy.mil [204.34.183.125]) by gccs.cpf.navy.mil (8.7.5/8.6.9) with SMTP id SAA14618 for ; Fri, 7 Jun 1996 18:01:11 -1000
Received: by gccs125.gccs.cpf.navy.mil with Microsoft Mail
Message-ID: <01BB5499.63E98B40@gccs125.gccs.cpf.navy.mil>
From: "Danny L. Shadix"
To: "'Firewalls list'"
Subject: RE: Firewalls-Digest V5 #347
Date: Fri, 7 Jun 1996 15:58:48 -1000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just got back from COMDEX and Novell was having great fun showing off the Windows NT C2 configuration tool. One of the steps pops up a box stating that (in short) you have networking installed and that you can not have any networking components installed to be C2 compliant. Then it offers to help you remove them.

----------
From: Danny Cox[SMTP:dannyc@gmap.leeds.ac.uk]
Sent: Sunday, June 02, 1996 10:22 PM
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #347

> Date: Wed, 29 May 1996 23:03:31 -0400
> From: Russ
> Subject: What do you want to know about Windows NT?
>
> - - There is a C2 configuration guide (manual), maybe it should be included

Russ, nothing really to do with your recent posting although I wonder whether you'd be good enough to clarify this bit for me. My understanding is that NT has only been C2 accredited for a couple of hardware platforms and only for stand-alone versions, rather than networked ones.

The implication behind having a C2 configuration guide would be, to me at least, that NT is C2 certified. This seems misleading to me, although I'd like to hear other comments. It seems to me that there is a load of baloney around regarding C2 and NT and MS are happily using this confusion to claim without claiming that NT==C2. Would you agree with me here or have I the wrong end of the stick altogether?

Thanks for your thoughts ..
Danny

From firewalls-owner Fri Jun 7 21:41:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA06448 for firewalls-outgoing; Fri, 7 Jun 1996 21:13:03 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA06434 for ; Fri, 7 Jun 1996 21:12:56 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo8.cisco.com [171.68.13.8]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id VAA18112; Fri, 7 Jun 1996 21:10:39 -0700
Message-Id: <199606080410.VAA18112@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 08 Jun 1996 00:09:51 -0400
To: Blast
From: Paul Ferguson
Subject: Re: MCI 'monitoring'?
Cc: Andrew Molitor , firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:34 PM 6/7/96 -0700, Blast wrote:

>
>I don't know if this is what you are looking for but if you are
>interested in statistics from the NAP's, check out:
>http://www.ra.net/statistics/rs.html
>

Also, see:

http://www.isi.edu:80/div7/ra/naps.html

Some of the links lead to decent statistics on traffic volumes (for example, follow the links to MFS/MAE-East) for the various interconnect media.

Now back to your regularly scheduled firewalls discussions. :-)

- paul

--
Paul Ferguson                        ||        ||
Consulting Engineering               ||        ||
Reston, Virginia USA                ||||      ||||
tel: +1.703.716.9538            ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com

From firewalls-owner Fri Jun 7 22:05:47 1996
Date: Sat, 8 Jun 1996 12:33:07
From: berkelec@pacific.net.sg (Tey Wei Ming)
Message-Id: <19960608123307berkelec@GM.compex.com.sg>
To: firewalls@GreatCircle.com
Subject: Re: nt firewall
Cc: dana@nowell.mv.com

> See inline comments ...
>
> > First, reporting bugs to CERT is on a volunteer basis.

exactly, on volunteer basis.

> Most UNIX vendors
> report problems to CERT, in general Microsoft (MS) has NOT (see the list of
> MS problems at CERT and compare to the knowledge base list at MS). So the
> list length at CERT is probably more indicative of MS not reporting problems
> than of MS having fewer problems. Personally I prefer people that admit
> their mistakes ;-).

well, my experience with vendors (unix or not) doesn't seem to show many are
willing to admit mistakes. chances are problems are reported by the users
rather than vendors. without digging into the history, i wonder who started
cert or 8lgm? perhaps you could enlighten me.

> Second, the hardware for my UNIX firewall cost me $500 (Used 486/66 with 8
> meg RAM and 250 meg drive, runs FreeBSD), what did your NT box cost :-)??
> (admittedly, 16 meg would have been better, but it works OK on a 56K line, I
> bet your NT box would need AT LEAST 32 meg).

fair enough, but if we look at most of the commercial unix firewalls (not freeware!)
in the market, they are trying to sell you a relatively expensive piece of
hardware like sun, hp etc etc.

> Third, FreeBSD/Linux security related incidents are usually fixed (via a
> Internet patch download) within hours, what has MS's MTTR (mean time to
> repair) been recently??? Again admittedly, I have an advantage that I can
> and will apply OS level patches as source, but advantages are what the
> security game is all about.
>
> So while we can have a religious war over 'easier to administer', I think
> you might be mistaken on the other issues.

well i am glad you realise that not everyone around is as much of a unix guru
as some might be! you sure have an advantage!

> > william tey
> > berkeley electronics
>
> Dana Nowell                  Voice (603) 595-7480 EXT 28
> Cornerstone Software Inc.    FAX (603) 882-7313
> Work: DanaNowell@corsof.com  Home: dana@nowell.mv.com
> MIME attachments preferred, BINHEX and uuencode acceptable.
> Veni, Vidi, et in machina posui. As usual, I speak only for myself.
> > > wm tey
> > > berkeley electronics pte ltd
> > > your answer to performance enhancement
> > > tel: (65)7429392 fax: (65)7456377
> > > email: wm_tey@compex.com.sg berkelec@pacific.net.sg
> > > address: blk 2 joo chiat rd #02-1129 joo chiat complex singapore 420002

From firewalls-owner Fri Jun 7 22:50:41 1996
Message-Id: <199606080540.WAA29768@salsa.gv.ssi1.com>
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Fri, 7 Jun 1996 22:40:21 -0700
In-Reply-To: berkelec@pacific.net.sg (Tey Wei Ming)
To: berkelec@pacific.net.sg (Tey Wei Ming), firewalls@GreatCircle.COM
Subject: Re: nt firewall
Cc: dana@nowell.mv.com

On Jun 8, 12:33pm, Tey Wei Ming wrote:
} Subject: Re: nt firewall
} > See inline comments ...
} well, my experience with vendors (unix or not) doesn't seem to show many are
} willing to admit mistakes. chances are problems are reported by the users
} rather than vendors.

In general, CERT doesn't issue an advisory until the vendor(s) have a patch
or workaround that CERT can publish in the advisory, so that owners of the
affected machines can take steps to protect themselves. Otherwise, the
advisory would only increase the number of people who could exploit the
problem without giving most machine owners (the non-experts and those
without access to the necessary source code) the means to protect
themselves.
Since I consider myself an "expert", I'm not always well served by this
policy, since there have been cases where security holes have become fairly
widely known and my vendors have not released patches in a timely manner,
but there were still steps I would be able to take to protect myself if I
knew there was a problem. I do take steps beyond just following CERT
advisories to keep myself informed.

I suspect that most of these problems have been uncovered by third parties
and reported to either CERT or the vendor(s) instead of being first
discovered by the vendors.

---
Truck

From firewalls-owner Sat Jun 8 11:20:46 1996
Message-Id: <9606081806.AA11275@notesgw2.sybase.com>
To: Andrew Molitor
Cc: firewalls
From: Ryan.Russell/SYBASE
Date: 8 Jun 96 11:07:01 EDT
Subject: Re: MCI 'monitoring'?

Of course they do. They're probably the largest backbone carrier for the US
portion of the Internet. They would be, at a minimum, measuring bandwidth
utilization. I had found a point in their network not too long ago that was
"full" most of the time, and asked about it. They naturally already knew
about it, and were in the process of upgrading their lines.
I suspect that you are more interested in whether they monitor the content
of the traffic... they certainly could do so if they chose, and if I, as a
customer, asked for detailed information about the types of traffic relating
to my lines, I'm sure they could provide something. I suppose it would
become unethical at the point where they monitored without request and
beyond what was needed to perform operational tasks, or needed to track down
a problem or hack attempt.

I hope you weren't under the assumption that the Internet, regardless of the
carrier, is in any way private...

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: amolitor @ anubis.network.com (Andrew Molitor) @ smtp
Date: 06/07/96 09:12:52 PM
Subject: MCI 'monitoring'?

I heard a rumor that MCI does some sort of traffic monitoring at some major
interchange points. Does anyone know:

- if this is in any sense true
- if so, what sort of monitoring they do
- if it's any sort of interesting monitoring (not just some aggregate
  statistics of some sort), how do they do it?

Thanks,
Andrew

From firewalls-owner Sat Jun 8 12:06:49 1996
Date: Sat, 8 Jun 1996 12:47:09 -0600 (MDT)
From: chris sieber
To: firewalls@greatcircle.com
Subject: UDP filter tests

What are some good methods to test UDP filters port by port?
Thanks,
Chris

From firewalls-owner Sat Jun 8 14:05:52 1996
From: Doug Hughes
Date: Sat, 8 Jun 1996 15:49:24 -0500
Subject: Re: UDP filter tests
To: sieber@Colorado.EDU
Cc: firewalls@greatcircle.com

What about something like 'strobe' or 'netcat' ?

--
Doug Hughes                     Engineering Network Services
System/Net Admin                Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Sat Jun 8 18:05:44 1996
Message-Id: <199606081610.MAA00933@uio>
From: xmerino@q.ecua.net.ec
Organization: satnet
To: firewalls@greatcircle.com
Date: Fri, 7 Jun 1996 19:35:36 +0000
Subject: help tacacs
Reply-to: uio.satnet.net@satnet.net
Hello List..

I am working with CISCO 2511 Access Servers, Cisco Works' Tacacs verifying
the users on a Solaris 2.5 System. Do you know if there is a possibility to
verify the users on the same /etc/passwd and shadow as a normal session?
How do you analyse the tacacs.wtmp, because who or last does not work.

Regards,
Xavier Merino

From firewalls-owner Sun Jun 9 07:05:44 1996
Date: Sun, 9 Jun 1996 22:53:06 +0900 (JST)
From: Makoto Shiotsuki
Message-Id: <199606091353.WAA24061@mercury.st.rim.or.jp>
To: Firewalls@GreatCircle.COM
Subject: Re: Firewall for NT

> I saw a post a little while ago about a Freeware or cheap NT
> firewall, but I didn't pay much attention.
>
> I wanted to put up this firewall while we wait for Firewall-1 NT...

Cheap firewall solutions for NT:

WinGate (Qbik Software)
http://nz.com/NZ/Commerce/creative-cgi/special/qbik/wingate.htm

iWay-One (BateTech Software Inc.)
http://www.batetech.com/iWay-one/default.htm

FireDoor (Equivalence)
http://www.ozemail.com.au/~equival/firedoor/info.html

From firewalls-owner Sun Jun 9 07:35:45 1996
Message-Id: <2.2.16.19960609142250.19673134@conc.tdsnet.com>
Date: Sun, 09 Jun 1996 10:22:50 -0400
To: firewalls@GreatCircle.COM
From: Lenny Marlow
Subject: Frame Relay, Cisco 2501, and packet filtering

I have a client who is using Cisco 2501 routers with Frame Relay to build
their company's Intranet. Only TCP/IP traffic is routed. This traffic
presently consists of 3270 emulation over Telnet and some Netbios over
TCP/IP. We are looking at establishing a connection to the Internet via a
new PVC (Permanent Virtual Circuit) on the existing Frame Relay Interface of
one of the routers. This connection to the Internet would only be installed
at one site participating in the Intranet. The Frame Relay Service Provider
will also be the Internet Service Provider.

Each router in the Intranet has only one of the serial ports in use (the
other is disabled). These routers currently have the Frame Relay interfaces
configured with two DLCIs (Data Link Connection Identifiers, one for each
PVC). The addition of the Internet link on one of the routers would be as an
additional DLCI on the Frame Relay interface.
If my understanding of how the routers work (or should work) is correct,
then the data coming from the Frame Relay interface are "stripped" of the
Frame Relay protocol by the router and then routed either to the Ethernet
interface as a TCP/IP packet or "re-packaged" into Frame Relay for routing
to another site across the Frame Relay interface using a different DLCI. If
my interpretation of operations is correct then packet filtering of the IP
packets would be implemented as described in the literature.

The questions are:

(1) Is my understanding of the routing algorithm of the Frame Relay data
correct (for the Cisco 2501 & IOS)?

(2) Has anyone implemented this particular configuration?

(3) Would firewalls be useful in this installation and if so, how would one
implement one? Should all the Internet source packets that are "passed" by
the filter rules always be forwarded on to a firewall machine? Should all
outbound traffic TO the Internet from the Intranet be required to pass
through the firewall before being sent on to the Internet?

(4) Does anyone see any security "gotchas" in using a single Frame Relay
interface for Intranet and Internet connections that would invalidate this
as a secure access method?

Thanks for your input on this!
Lenny Marlow
The Tsali Group

From firewalls-owner Sun Jun 9 08:50:45 1996
Message-Id: <199606091541.RAA11198@grizzly.genua.de>
To: Firewalls@greatcircle.com
Subject: Re: UDP filter tests
Date: Sun, 09 Jun 1996 17:41:50 +0200
From: Bernhard Schneck

> > What are some good methods to test UDP filters port by port?
>
> What about something like 'strobe' or 'netcat' ?

Well ... you often won't get back too much: there's no such thing as a RST
packet in UDP ... maybe you'll get ICMP port unreachable but these may be
suppressed.

Best bet would be to put up a sniffer before and after the filter element,
hit it with the packets and see what's getting through (or sent back to the
source).

BTW, this is useful for TCP, too, especially when sending non-standard
format packets (like etcp and friends).

\Bernhard.
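The sniffer-on-both-sides method described above, worked through as an added example (not code from the post or from any tool named in it): the two capture lists are constructed records standing in for what sniffers placed before and after the filter would see during a port-by-port UDP probe, and the prober and target addresses are assumed.

```python
"""Correlate sniffer captures from both sides of a UDP packet filter.

Why both sides: UDP has no RST, and ICMP port-unreachable may be suppressed
by the host or eaten by the filter, so silence seen from the prober alone
is ambiguous.  Seeing what crossed the filter element resolves it.
"""
from collections import namedtuple

# One captured packet. proto is "udp" for a probe datagram or "icmp" for an
# ICMP port-unreachable; quoted_port is the destination port of the original
# datagram quoted inside the ICMP error (None for plain UDP records).
Pkt = namedtuple("Pkt", "proto src dst dport quoted_port")

PROBER = "10.0.0.5"      # assumed: host sending the probes (strobe/netcat style)
TARGET = "192.0.2.10"    # assumed: host behind the filter

# Constructed capture taken between the prober and the filter.
OUTSIDE = [
    Pkt("udp", PROBER, TARGET, 53, None),
    Pkt("udp", PROBER, TARGET, 123, None),
    Pkt("udp", PROBER, TARGET, 161, None),
    Pkt("udp", PROBER, TARGET, 514, None),
    Pkt("icmp", TARGET, PROBER, None, 123),   # unreachable for the 123 probe
]

# Constructed capture taken between the filter and the target.
INSIDE = [
    Pkt("udp", PROBER, TARGET, 53, None),
    Pkt("udp", PROBER, TARGET, 123, None),
    Pkt("udp", PROBER, TARGET, 514, None),    # the 161 probe never arrived
    Pkt("icmp", TARGET, PROBER, None, 123),
    Pkt("icmp", TARGET, PROBER, None, 514),   # never seen outside: filter ate it
]


def probed_ports(capture):
    """Destination ports of UDP probes from the prober to the target."""
    return {p.dport for p in capture
            if p.proto == "udp" and p.src == PROBER and p.dst == TARGET}


def unreachable_ports(capture):
    """Ports for which the target answered with ICMP port unreachable."""
    return {p.quoted_port for p in capture
            if p.proto == "icmp" and p.src == TARGET and p.dst == PROBER}


def outside_only_view(outside):
    """What a scanner can conclude from its own vantage point alone:
    an ICMP error means closed; silence is ambiguous (open or filtered)."""
    errors = unreachable_ports(outside)
    return {port: ("closed" if port in errors else "open|filtered")
            for port in sorted(probed_ports(outside))}


def classify(outside, inside):
    """Resolve the ambiguity by correlating both captures, port by port."""
    sent, arrived = probed_ports(outside), probed_ports(inside)
    err_in, err_out = unreachable_ports(inside), unreachable_ports(outside)
    verdicts = {}
    for port in sorted(sent):
        if port not in arrived:
            verdicts[port] = "dropped by filter"
        elif port in err_out:
            verdicts[port] = "passed; target port closed"
        elif port in err_in:
            verdicts[port] = "passed; port closed, filter suppressed the ICMP reply"
        else:
            verdicts[port] = "passed; no reply (open service, or ICMP suppressed at host)"
    return verdicts


if __name__ == "__main__":
    naive = outside_only_view(OUTSIDE)
    real = classify(OUTSIDE, INSIDE)
    for port in sorted(naive):
        print(f"udp/{port:<4} scanner sees: {naive[port]:<14} sniffers show: {real[port]}")
```

Ports 161 and 514 look identical from the prober's side ("open|filtered") yet have opposite explanations once the inside capture is consulted.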
From firewalls-owner Sun Jun 9 09:05:56 1996
Date: Sun, 9 Jun 1996 12:01:27 -0400 (EDT)
From: "John H. Kerr"
To: firewalls@GreatCircle.COM
Subject: Central Management Station FW-1

Has anyone implemented multiple FW-1 firewalls and managed them centrally
from one workstation? What, if any, are the security implications of doing
this? What, if any, problems did you encounter?
From firewalls-owner Sun Jun 9 18:20:45 1996
Date: Sun, 9 Jun 1996 21:10:31 -0400
Message-Id: <199606100110.VAA24462@psyche.the-wire.com>
To: Jason Matthews , Anton J Aylward
From: Anton J Aylward
Subject: Re: Re[2]: US Justice Dept (Not really)
Cc: Rolf Weber , firewalls@greatcircle.com

At 05:16 3/6/96 -0700, Jason Matthews wrote:
> On Mon, 3 Jun 1996, Anton J Aylward wrote:
>
> > That mail _transmission_ is insecure is a bit of a myth.
> > It's _easy_ to read mail sitting in a box on the server, it's difficult to
> > read packets in transit.
>
> You're joking, right? It's no harder to read a piece of email in transit
> than it is to read a plaintext password. Sites are compromised every day by
> sniffing network traffic. What makes you think those interested in your
> daily affairs will stop with passwords?

We are talking relatives here.
It's easier to read a file than it is to sniff a WAN connection.
If the CIA/NSA are out to get you all this discussion is pretty academic
anyway. Given enough time, money and resources.....
But why make it easier for them?

> > > my main point was that you can avoid email-server-bugs which can
> > > compromise your *whole* security by placing it outside.
> >
> > No. You're placing undue emphasis on "bugs" in the E-Mail server.
> > There are servers which are - at this level - bug free. But you would
> > still have a firewall.
>
> I am not sure I am willing to make that assumption. History shows us that
> email services are the most insecure of all. To place this service on
> any machine intended to filter, restrict, or otherwise alter network
> connections from foreign networks is a mistake.

Are you talking about using a SMTP server to take over a machine - as in the
Morris Worm (which by the way never got into Canada (as I read the reports)
because of the particular machines and SMTP MTAs in use) or reading the
mail?

Lumping something like s/mail (or surrmail or smail3 or zmailer) in with
Sendmail and its bug-of-the-month isn't comparing apples to apples. I'll
always grant you a client-server mode of operation on an open channel is
going to be insecure compared to an absolute anal retentive store and
forward. But if you're going to leave your 'nuucp' account sitting with the
factory password of 'uucp' (or whatever) you're inviting someone to try an
attack.

Which gets back to how hard it is to configure things properly.
Which is pretty high on my list of complaints about sendmail.

Perhaps things would be better if smtp daemons required a password as well?
Does yours do a reverse IP lookup?

/anton

----------------------------------------------------------------------------
Anton J Aylward                     | Security is not something that comes in
The Strahn and Strachan Group Inc   | a self-contained box. It is an attribute
Information Security Consultants    | of how you do business and as such
Voice: (416) 494-8661               | needs to be managed carefully.
Fax: (416) 494-8803                 |   - Karen Goertzel, Wang Federal Inc.
From firewalls-owner Sun Jun 9 21:05:45 1996
Date: Sun, 9 Jun 1996 20:47:01 -0700 (PDT)
From: Jason Matthews
To: Anton J Aylward
Cc: Anton J Aylward , Rolf Weber
Subject: Re: Re[2]: US Justice Dept (Not really)
In-Reply-To: <199606100110.VAA24462@psyche.the-wire.com>

On Sun, 9 Jun 1996, Anton J Aylward wrote:

> At 05:16 3/6/96 -0700, Jason Matthews wrote:
> > You're joking, right? It's no harder to read a piece of email in transit
> > than it is to read a plaintext password. Sites are compromised every day by
> > sniffing network traffic. What makes you think those interested in your
> > daily affairs will stop with passwords?
>
> We are talking relatives here.
> It's easier to read a file than it is to sniff a WAN connection.

Sniffing a network is more a by-chance thing... a file is a bit more static
but reading the data is reading the data. Sniffing is much harder than
reading from the file...

> If the CIA/NSA are out to get you all this discussion is pretty
> academic anyway.

You mean you don't have a STU-III in series with a cipher block chained
triple DES implementation with RSA negotiated public keys? Well, I guess you
better watch out for the NSA then.

> Given enough time, money and resources.....
I am sufficiently satisfied that key lengths >= 1024 will provide sufficient
security for the foreseeable future.

> But why make it easier for them?

I'm seriously not too concerned about the NSA breaking into my systems and
taking my DNS zone files or anything (especially since all non OS stuff is
on matt blaze's cfs).

> > I am not sure I am willing to make that assumption. History shows us that
> > email services are the most insecure of all. To place this service on
> > any machine intended to filter, restrict, or otherwise alter network
> > connections from foreign networks is a mistake.
>
> Are you talking about using a SMTP server to take over a machine -
> as in the Morris Worm (which by the way never got into Canada
> (as I read the reports) because of the particular machines and
> SMTP MTAs in use) or reading the mail?

The worm did not only use SMTP services. It also used holes in fingerd.

> Lumping something like s/mail (or surrmail or smail3 or zmailer) in
> with Sendmail and its bug-of-the-month isn't comparing apples to apples.
> I'll always grant you a client-server mode of operation on an open channel
> is going to be insecure compared to an absolute anal retentive store and
> forward. But if you're going to leave your 'nuucp' account sitting with
> the factory password of 'uucp' (or whatever) you're inviting someone to try
> an attack.
>
> Which gets back to how hard it is to configure things properly.
> Which is pretty high on my list of complaints about sendmail.

Read the O'Reilly book.

> Perhaps things would be better if smtp daemons required a password as well?

I'd be happy if no passwords were used but instead have user authentication
embedded into the kernel instead of a user process.

> Does yours do a reverse IP lookup?

forward and reverse, compares the two, and records any discrepancies. What
does yours do?

j.
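The double lookup Jason describes (reverse, then forward, compare, and record discrepancies), as an added example rather than anyone's daemon code: real DNS is replaced by constructed forward and reverse tables so it runs offline, and the hostnames, addresses and the `identify_peer` / `access_decision` helpers are all assumptions.

```python
"""Forward-confirmed reverse lookup for a connecting peer.

A PTR record is controlled by whoever owns the address block, so a name
from the reverse zone alone must not drive a name-based allow rule.  The
check below only trusts the name if the name's own A records include the
connecting address; otherwise the peer is identified by its address and
the disagreement is recorded.
"""
import ipaddress

# Constructed zone data standing in for real DNS answers.
REVERSE = {                                 # address -> PTR name
    "192.0.2.7": "mail.example.net",
    "192.0.2.8": "friendly.example.org",    # claims a name it does not own
}
FORWARD = {                                 # name -> A records
    "mail.example.net": ["192.0.2.7"],
    "friendly.example.org": ["198.51.100.20"],
}


def lookup_ptr(addr):
    """Stand-in for a PTR query against the constructed reverse zone."""
    return REVERSE.get(addr)


def lookup_a(name):
    """Stand-in for an A query against the constructed forward zone."""
    return FORWARD.get(name, [])


def identify_peer(addr, ptr=lookup_ptr, a=lookup_a, discrepancies=None):
    """Return (label, status) for a peer address.

    label  : the hostname when forward and reverse agree, otherwise the
             address itself (the same fallback the thread describes for tcpd
             when no name can be resolved)
    status : "verified", "unresolved" or "mismatch"
    Each mismatch is appended to `discrepancies` (a list) when one is given,
    so a policy layer can log it or deny on it.
    """
    addr = str(ipaddress.ip_address(addr))   # normalise; rejects non-addresses
    name = ptr(addr)
    if not name:
        return addr, "unresolved"
    forward = a(name)
    if addr not in forward:
        if discrepancies is not None:
            discrepancies.append(
                f"{addr} claims to be {name}, but {name} resolves to "
                f"{forward or 'nothing'}")
        return addr, "mismatch"
    return name, "verified"


def access_decision(addr, allowed_names, discrepancies=None):
    """Allow only peers whose *verified* name is on the list; a forged PTR
    never earns the name-based allow, it falls through to the address."""
    label, status = identify_peer(addr, discrepancies=discrepancies)
    return status == "verified" and label in allowed_names


if __name__ == "__main__":
    seen = []
    for peer in ("192.0.2.7", "192.0.2.8", "192.0.2.9"):
        print(peer, identify_peer(peer, discrepancies=seen))
    for line in seen:
        print("discrepancy:", line)
```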
From firewalls-owner Mon Jun 10 01:20:53 1996
From: sameer@wiproge.med.ge.com
Date: Mon, 10 Jun 1996 13:33:28 +0500
Message-Id: <9606101833.AA13905@wiproge.med.ge.com>
To: firewalls@GreatCircle.COM
Subject: UDP filter tests

Hi,

Even I need an answer to that ...

...sam

----- Begin Included Message -----

What are some good methods to test UDP filters port by port?

Thanks,
Chris

----- End Included Message -----

E-Mail : sameer@wiproge.med.ge.com      Wipro GE Medical Systems - Bangalore
         sameer@wiproge.gemse.fr
Name   : Sameer [Sam]
Wipro GE Medical Systems Ltd., GPDC, A-1, Corporate Towers, Golden Enclave,
Airport Road, Bangalore - 560017, INDIA
-------------------------------------------------------------------------
"Opinions expressed are my own and may not conform to my Employers"
********************THOUGHT FOR THE DAY**************************
Diplomacy is the art of saying "GOOD DOGGY" till you find a very BIG stick.
*****************************************************************
You may delegate AUTHORITY but not RESPONSIBILITY
--------------------------------------------------------------------------

From firewalls-owner Mon Jun 10 01:35:47 1996
Subject: Re: unknown in tcpwrappers?
To: ndg@Ghaznavi.com (N D Ghaznavi)
Date: Mon, 10 Jun 1996 10:14:39 +0200 (MET DST)
Cc: scanner@webspan.net, firewalls@GreatCircle.COM
In-Reply-To: from "N D Ghaznavi" at Jun 6, 96 09:59:41 am
From: eckes
Organisation: private Linux Site, Karlsruhe, Germany

> Jun 5 18:36:06 Cee-Jay named[75]: recvfrom: Connection refused

This is usually caused on a named where another nameserver is faster. This
has nothing to do with unknown from tcpd. The tcpd uses the IP Address if it
can't resolve the name via DNS. UNKNOWN should only appear if tcpd is called
in a bad context like without connection to a socket.

Greetings
Bernd

--
Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de
ecki@lina.{inka.de,ka.sub.org} http://home.pages.de/~eckes/
*plush* 2048/A2C51749 eckes@irc +4972573817 *plush*
If privacy is outlawed only Outlaws have privacy

From firewalls-owner Mon Jun 10 01:50:52 1996
Date: Mon, 10 Jun 1996 04:31:52 -0400 (EDT)
From: Chris Watson
To: eckes
cc: N D Ghaznavi , firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?

On Mon, 10 Jun 1996, eckes wrote:

> > Jun 5 18:36:06 Cee-Jay named[75]: recvfrom: Connection refused
> This is usually caused on a named where another nameserver is faster. This
> has nothing to do with unknown from tcpd. The tcpd uses the IP Address if it
> can't resolve the name via DNS. UNKNOWN should only appear if tcpd is called
> in a bad context like without connection to a socket.

Right, I found out that what I think is happening is that I'm being SYN
scanned. That's why I can't get an IP: the connection is dropping after the
SYN packet. Why the moron is SYN scanning me I have no idea. It's getting
refused but he keeps scanning me over and over non stop. Oh well, I'm not
too worried; he obviously has no brains or he would have stopped after about
the 400000th time he SYN scanned my telnet port and got refused. Man, some
of them are not too bright out there.

Chris

--
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
http://www.freebsd.org             | SysAdmin / Network Engineer / Security
===================================| Member BSDNET team! http://www.bsdnet.org

From firewalls-owner Mon Jun 10 03:51:52 1996
Message-Id: <9606101042.AA04620@tidtest.total.fr>
To: Bernhard Schneck
Cc: Firewalls@greatcircle.com
Subject: Re: UDP filter tests
In-Reply-To: Your message of "Sun, 09 Jun 1996 17:41:50 +0200."
X-Cuse: "The dog ate my network"
Date: Mon, 10 Jun 1996 12:42:21 +0100
From: Michel Lavondes

In message <199606091541.RAA11198@grizzly.genua.de>, Bernhard Schneck writes:
>
> [...]
>
> BTW, this is useful for TCP, too, especially when sending
> non-standard format packets (like etcp and friends).
                                    ^^^^

Is that the Long, Fat Pipe extension? The one with SEQ, ACK and WIN having a
high-bits extension in the TCP options?
Michel Lavondes (lavondes@tidtest.total.fr) #include Governments are guilty until proved innocent From firewalls-owner Mon Jun 10 04:06:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA20557 for firewalls-outgoing; Mon, 10 Jun 1996 03:51:02 -0700 (PDT) Received: from mail.transpac.net (nic.transpac.net [194.52.1.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA20537 for ; Mon, 10 Jun 1996 03:50:48 -0700 (PDT) Received: from alf.ihc.se (alf.ihc.se [194.52.187.254]) by mail.transpac.net (8.7.3/8.7.3) with SMTP id MAA23364 for ; Mon, 10 Jun 1996 12:48:13 +0200 (MET DST) Received: by alf.ihc.se; (5.65v3.2/1.3/10May95) id AA22733; Mon, 10 Jun 1996 12:48:22 +0200 Message-Id: <31BBFDA7.7D86@ihc.se> Date: Mon, 10 Jun 1996 12:49:11 +0200 From: Mattias Lindstr=?iso-8859-1?Q?=F6?=m Reply-To: mattias.lindstrom@ihc.se Organization: IHC AB X-Mailer: Mozilla 3.0B2 (WinNT; I) Mime-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Firewall functionallity Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi. Is there any firewall that has the following features: 1. permit/deny emails based on size (like allow only email smaller than 4= 00 kb)? 2. permit/deny emails based on attachments and the size of attachments (l= ike if attachment =3D exe deny or attachment > 40 kb deny)? 3. check ftp sessions and permit/deny based on size (like allow ftp if < = 300 kb)? all of these q:s is of course applied on a user/group basis. I know that 1 and 2 isn=B4t really the firewalls "thing" but I was curiou= s if anyone had the functions. 
-- = ______________________________ Mattias Lindstr=F6m Systems integrator Information Highway Center AB voice: +46 (0)8 445 18 00 fax: +46 (0)8 445 18 01 ______________________________ From firewalls-owner Mon Jun 10 04:39:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA21819 for firewalls-outgoing; Mon, 10 Jun 1996 04:18:09 -0700 (PDT) Received: from server (server.versa.co.id [202.154.15.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA21769 for ; Mon, 10 Jun 1996 04:17:48 -0700 (PDT) Received: by server with Microsoft Mail Message-ID: From: ANT-Antony To: "'FireWalls@GreatCircle.com'" Subject: Firewall Solution. Date: Fri, 7 Jun 1996 13:58:51 -0000 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, One of my customer asked me about firewalls. They are currently using NT = 3.51. They already have a Telebit PN2 router. But since they don't have any sec= urity protection, they haven't make any connection from their network to = the internet yet. My question is : - Should I use the NT or set up a Linux box for the firewalls ? - Or can I set up a firewalls on the Telebit PN2. - If I use the firewalls for multiplying IP addresses (the ISP want to gi= ve only 16 IP#, but they have about 100 workstation), will there be any p= erformance issue ? - I'm kinda new in this, can anyone point me a good place to start? Thanks a lot. Any comment will be greatly appreciated. Antony. 
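The mail rules Mattias Lindström asks about above (a cap on message size, a deny on attachment type and attachment size, decided per user or group) are a content-filtering job for the mail relay the firewall fronts rather than for the packet filter, and the decision logic is small enough to show. The following is an added example written for this archive, not code from any firewall product; the addresses, limits and test messages are made up for the example. The per-recipient lookup assumes the relay can see the envelope recipient, which is the only place a per-user rule can be applied:

```python
"""Added example (not any firewall product's code): the size and
attachment rules asked about above, applied per recipient to a parsed MIME
message. Addresses and limits are made up for the example."""
import email
import os
from email.message import EmailMessage
from email.policy import default

# Hypothetical per-recipient policies; anyone not listed gets DEFAULT_POLICY.
DEFAULT_POLICY = {
    "max_message_bytes": 400 * 1024,     # "allow only email smaller than 400 kb"
    "max_attachment_bytes": 40 * 1024,   # "attachment > 40 kb deny"
    "denied_extensions": {".exe", ".com", ".bat", ".scr"},  # "exe deny", plus siblings
}
POLICIES = {
    "bob@example.com": {**DEFAULT_POLICY, "max_attachment_bytes": 1024 * 1024},
}

def check_message(raw, recipient, policies=POLICIES):
    """Return (accept, reason). raw is the message as bytes, as an SMTP
    relay sees it; recipient is the envelope RCPT TO address, since a
    per-user rule has to be decided per recipient, not per message."""
    policy = policies.get(recipient.lower(), DEFAULT_POLICY)
    if len(raw) > policy["max_message_bytes"]:
        return False, f"message is {len(raw)} bytes, limit {policy['max_message_bytes']}"
    msg = email.message_from_bytes(raw, policy=default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:            # inline body text, not an attachment
            continue
        ext = os.path.splitext(name)[1].lower()   # "photo.jpg.exe" -> ".exe"
        if ext in policy["denied_extensions"]:
            return False, f"attachment {name!r} has denied type {ext}"
        # Decode first: the base64 on the wire is about a third larger than the file.
        size = len(part.get_payload(decode=True) or b"")
        if size > policy["max_attachment_bytes"]:
            return False, f"attachment {name!r} is {size} bytes, limit {policy['max_attachment_bytes']}"
    return True, "ok"

def build_message(attachments, to="alice@example.com"):
    """Construct a test message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = to
    msg["Subject"] = "constructed test message"
    msg.set_content("body text")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    cases = [("text", [("report.txt", b"x" * 100)], "alice@example.com"),
             ("exe", [("setup.exe", b"MZ" + b"\0" * 64)], "alice@example.com"),
             ("50k for alice", [("data.zip", b"\0" * 51200)], "alice@example.com"),
             ("50k for bob", [("data.zip", b"\0" * 51200)], "bob@example.com")]
    for label, attachments, rcpt in cases:
        print(label, check_message(build_message(attachments, rcpt), rcpt))
```

Two details matter in practice: the attachment limit is measured on the decoded bytes, because base64 transfer encoding inflates the on-wire size, and the extension test looks only at the final suffix, so a double extension like `photo.jpg.exe` is still caught. Question 3 (an FTP byte limit) is not covered here; that needs the FTP proxy to count bytes on the data connection, which is a different piece of machinery.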
From firewalls-owner Mon Jun 10 04:54:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA23714 for firewalls-outgoing; Mon, 10 Jun 1996 04:36:19 -0700 (PDT)
Received: from aoife.indigo.ie (aoife.indigo.ie [199.186.52.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA23666 for ; Mon, 10 Jun 1996 04:36:04 -0700 (PDT)
Received: from dublin-ts3-87.indigo.ie (dublin-ts3-87.indigo.ie [194.125.133.87]) by aoife.indigo.ie (8.7.5/8.7.5) with SMTP id LAA14010; Mon, 10 Jun 1996 11:33:35 GMT
Message-ID: <31BC05B4.40D5@indigo.ie>
Date: Mon, 10 Jun 1996 12:23:32 +0100
From: Michael Ryan
Organization: I.T. NetworX
X-Mailer: Mozilla 2.0 (Win16; I)
MIME-Version: 1.0
To: Jeremy Noetzelman
CC: firewalls@greatcircle.com
Subject: Re: Firewalls and DNS
References: <2.2.32.19960606210744.00adf5d4@intermind.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeremy Noetzelman wrote:
>
> We'd like to have a split DNS with a public server and a private server.
> ---8<---snip---8<---
> So far so good, but the problem is incredibly slow DNS lookups, which
> timeout regularly. For example, with Netscape if you click on a link, it
> times out the first time, but the answer is available immediately on the
> second try.

Hello Jeremy,

The solution from George Matovu in his posting of 6/7/96 sounds good.

Another solution (which works for me) is to include a list of servers in the client's DNS resolver file (/etc/resolv.conf under Unix). The problem is that the resolver library has a very weird algorithm for determining the timeout value. If you specify only one nameserver in /etc/resolv.conf, the timeout is four seconds, flat. If you specify more than one nameserver, the timeout for *each* is four seconds, but when it reaches the end of the list, it cycles round and tries all the nameservers again, this time with a timeout derived from a formula that depends on the number of servers you've listed in the /etc/resolv.conf file.

The upshot of all this is that, if you list two or three nameservers (the same nameserver listed multiple times should work), then your client application will wait much longer for the answer to come back -- exactly what you want.

You'll get all the details in "TCP/IP Administration" by Craig Hunt, O'Reilly & Associates Nutshell handbook. I'm not in the office right now, so I can't put my hand on the book to give you the ISBN or to double-check the accuracy of my description above.

Hope this helps,

Mike
---

From firewalls-owner Mon Jun 10 06:12:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA00613 for firewalls-outgoing; Mon, 10 Jun 1996 05:49:40 -0700 (PDT)
Received: from mail.transpac.net (nic.transpac.net [194.52.1.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA00598 for ; Mon, 10 Jun 1996 05:49:34 -0700 (PDT)
Received: from alf.ihc.se (alf.ihc.se [194.52.187.254]) by mail.transpac.net (8.7.3/8.7.3) with SMTP id OAA25122 for ; Mon, 10 Jun 1996 14:47:15 +0200 (MET DST)
Received: by alf.ihc.se; (5.65v3.2/1.3/10May95) id AA03236; Mon, 10 Jun 1996 14:47:24 +0200
Message-Id: <31BC198D.53B7@ihc.se>
Date: Mon, 10 Jun 1996 14:48:13 +0200
From: Mattias Lindström
Reply-To: mattias.lindstrom@ihc.se
Organization: IHC AB
X-Mailer: Mozilla 3.0B2 (WinNT; I)
Mime-Version: 1.0
To: firewalls-digest@GreatCircle.COM
Subject: Firewall functionality
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there any firewall that has the following features:

1. permit/deny emails based on size (like allow only email smaller than 400 kb)?
2. permit/deny emails based on attachments and the size of attachments (like if attachment = exe deny or attachment > 40 kb deny)?
3. check ftp sessions and permit/deny based on size (like allow ftp if < 300 kb)?

All of these questions of course apply on a user/group basis.

I know that 1 and 2 aren't really the firewall's "thing" but I was curious if anyone had the functions.

Regards,

--
______________________________
Mattias Lindström
Systems integrator
Information Highway Center AB
voice: +46 (0)8 445 18 00
fax: +46 (0)8 445 18 01
______________________________

From firewalls-owner Mon Jun 10 06:21:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01124 for firewalls-outgoing; Mon, 10 Jun 1996 06:05:10 -0700 (PDT)
Received: from ns.ipm.net (ns.ipm.net [194.77.84.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA01108 for ; Mon, 10 Jun 1996 06:04:54 -0700 (PDT)
Received: from iez.com (mail.iez.com [194.218.38.3]) by ns.ipm.net (8.6.11/8.6.11) with SMTP id OAA10114; Mon, 10 Jun 1996 14:03:33 +0200
Received: by iez.com (AIX 3.2/UCB 5.64/4.03)
Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3)
Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03)
Message-Id: <9606101240.AA12335@spibm02>
Received: from inhps-a by iez.com with SMTP
Received: by inhps-a
From: Rolf Weber
Subject: Re: Re[2]: US Justice Dept (Not really)
To: jason@broken.net (Jason Matthews)
Date: Mon, 10 Jun 1996 14:40:02 +0200 (MESZ)
Cc: anton@the-wire.com, firewalls@greatcircle.com (firewalls)
In-Reply-To: from "Jason Matthews" at Jun 9, 96 08:47:01 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > >You're joking, right? It's no harder to read a piece of email in transit
> > >than it is to read a plaintext password. Sites are compromised every day by
> > >sniffing network traffic. What makes you think those interested in your
> > >daily affairs will stop with passwords?
> >
> > We are talking relatives here.
> > It's easier to read a file than it is to sniff a WAN connection.
>
> Sniffing a network is more a by chance thing...a file is a bit more static
> but reading the data is reading the data. Sniffing is much harder than
> reading from the file...
>

Reading a file requires that you first broke into that machine. Eavesdropping doesn't require breaking into the target, only into one of the machines lying in the subnets between the two endpoints.

> > > >I am not sure I am willing to make that assumption. History shows us that
> > >email services are the most insecure of all. To place this service on
> > >any machine intended to filter, restrict, or otherwise alter network
> > >connections from foreign networks is a mistake.
> >
> > Are you talking about using a SMTP server to take over a machine -
> > as in the Morris Worm (which by the way never got into Canada
> > (as I read the reports) because of the particular machines and
> > SMTP MTAs in use) or reading the mail?
>
> The worm did not only use SMTP services. It also used holes in fingerd.
> it also exploited poor passwords.
>
> > Does yours do a reverse IP lookup?
>

Yes, but there is no action besides logging it to syslog. Most of the irregularities are only temporary DNS problems.

rolf
--
-----------------------------------------
Rolf Weber                 | All I ask is a chance
IEZ AG D-64625 Bensheim    | to prove that money
++49-6251-1309-109         | can't make me happy.
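Michael Ryan's description earlier in this digest of how the resolver's timeout depends on the number of `nameserver` lines can be worked through rather than hand-waved. The following is an added example, not part of the original thread and not resolver source: it reproduces the retry loop of the classic BIND 4 `res_send()` (each pass's timeout is the base timeout shifted left by the pass number, divided by the number of servers on passes after the first, never below one second) and reads a constructed resolv.conf. The 4-second, 4-pass defaults are assumptions that match the figures quoted above; they differ between resolver versions, and later resolvers let you set them with `options timeout:N attempts:N`.

```python
"""Added example (not from the thread): the retry schedule of the classic
BIND res_send() loop behind the /etc/resolv.conf behaviour described above.
The formula is the one in the BIND 4 resolver: timeout = retrans << try,
divided by the number of servers on tries after the first, never below 1 s.
The 4-second/4-try defaults are assumptions; they differ between versions."""

DEFAULT_RETRANS = 4   # seconds for the first try (RES_TIMEOUT); version-dependent
DEFAULT_RETRY = 4     # number of passes over the server list (RES_DFLRETRY)

def parse_resolv_conf(text):
    """Minimal reader: 'nameserver' lines, plus the 'options timeout:N
    attempts:N' keywords that later resolvers accept. Returns
    (servers, retrans, retry)."""
    servers, retrans, retry = [], DEFAULT_RETRANS, DEFAULT_RETRY
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            servers.append(args[0])
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                if name == "timeout" and value.isdigit():
                    retrans = int(value)
                elif name == "attempts" and value.isdigit():
                    retry = int(value)
    return servers, retrans, retry

def query_schedule(servers, retrans=DEFAULT_RETRANS, retry=DEFAULT_RETRY):
    """The (try, server, timeout_seconds) sequence the resolver walks
    before giving up; the list is the order the queries go out."""
    if not servers:
        raise ValueError("no nameserver lines")
    schedule = []
    for attempt in range(retry):
        timeout = retrans << attempt
        if attempt > 0:
            timeout //= len(servers)
        timeout = max(timeout, 1)
        for server in servers:
            schedule.append((attempt, server, timeout))
    return schedule

def worst_case_wait(servers, retrans=DEFAULT_RETRANS, retry=DEFAULT_RETRY):
    """Seconds a client sits if every query is silently dropped (the case
    when a firewall discards DNS instead of rejecting it): the whole
    schedule is waited out, since nothing comes back to cut it short."""
    return sum(t for _, _, t in query_schedule(servers, retrans, retry))

# Constructed resolv.conf in the style suggested above: one server, listed twice.
SAMPLE_RESOLV_CONF = """\
# internal DNS server, listed twice to lengthen the client's patience
nameserver 192.168.1.2
nameserver 192.168.1.2
"""

if __name__ == "__main__":
    servers, retrans, retry = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for attempt, server, timeout in query_schedule(servers, retrans, retry):
        print(f"try {attempt}: {server} wait {timeout}s")
    print("worst case:", worst_case_wait(servers, retrans, retry), "s")
```

The firewall-relevant point is the difference between a dropped and a rejected query: a server that answers, or a router that sends back an ICMP unreachable, ends a try immediately, while a packet filter that silently discards DNS leaves the client to sit out every timeout in the schedule before the application reports a failure.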
From firewalls-owner Mon Jun 10 06:35:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA02793 for firewalls-outgoing; Mon, 10 Jun 1996 06:30:20 -0700 (PDT)
Received: from portal.east.saic.com (PORTAL.EAST.SAIC.COM [198.151.13.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA02765 for ; Mon, 10 Jun 1996 06:29:56 -0700 (PDT)
Received: from willow.c3i.saic.com ([149.8.69.68]) by portal.east.saic.com
Received: from [149.8.69.93] (bodhi.ait.saic.com) by willow.c3i.saic.com (4.1/SMI-4.1)
X-Sender: marcus@willow.c3i.saic.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 10 Jun 1996 09:27:25 -0400
To: Firewalls@GreatCircle.com
From: marcus@c3i.saic.com (Mark R. Jenkins)
Subject: Re: Compuserve (and AOL) through Internet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I recently (about 1 month ago) surveyed connecting to Compuserve and AOL through the Internet. Most of what I have seen appear on the list matches what I know, so I have not jumped in yet. However, there were a few things left out. I'm sending this summary to test what I know against what others might know to be different:

AOL through the Internet:

The Windows and Mac versions of the AOL client can both be used to connect to AOL through the Internet (others, if they exist, may also work; I did not test them). They make a TCP connection from the local machine to AMERICAONLINE.AOL.COM port 5190 (AMERICAONLINE.AOL.COM was CNAMEed to AMERICA2.AOL.COM, which itself had 3 "A" records in the DNS). All communications, including credit card info (if you sign up over the net), are in the clear. Each time you log in over the net, your AOL username and password are passed in the clear.

Compuserve through the Internet:

My initial testing was on a Macintosh. I followed up with the Windows client, but did not have a sniffer so was not able to verify whether the Windows client data stream is 'encrypted' or not. The Macintosh client worked differently from the Windows client in respect to the port it used, however. The Windows client makes a TCP connection to port 4144 at domain name COMPUSERVE.COM. The Macintosh client makes a TCP connection to port 23 at domain name COMPUSERVE.COM. From the Macintosh I observed all communications to Compuserve taking place in the clear (ie, no encryption), exposing username and password info. Of course, since the Mac used port 23, it went right through the local firewall.

It is my understanding that you can also just TELNET directly to COMPUSERVE.COM and get a text-only connection, although that is changing as Compuserve moves from '36-bit hosts' (DECsystem-10, DECsystem-20??) to a 'client-server architecture' (Windows NT Servers?).

Performance...

It is not directly germane to Firewalls, but in terms of performance the AOL client functioned very smoothly and seemed reasonably quick. The Compuserve client FROM THE MACINTOSH did not perform well. Not enough testing was made to Compuserve from the PC to establish performance. The Compuserve client would disconnect automatically from the server (saving connect time fees) after inactivity, then connect right back up when required. Both AOL and CSERVE had an annoying habit of downloading various graphics and such whenever you went to a 'new' area for which you did not have graphics yet. If I was on a modem I would probably not be happy with the delays.

----
Mark Jenkins:Marcus@AIT.SAIC.COM  | My opinions aren't perforce SAIC's.
Senior Network Systems Engineer   | Sometimes you're the Louisville slugger,
SAIC/AIT Annapolis 410.571.0438   | sometimes you're the ball.
From firewalls-owner Mon Jun 10 07:36:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA08829 for firewalls-outgoing; Mon, 10 Jun 1996 07:28:45 -0700 (PDT)
Received: from ns.csg.stercomm.com (ns.csg.stercomm.com [204.214.3.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA08760 for ; Mon, 10 Jun 1996 07:28:24 -0700 (PDT)
Received: from smtplink.csg.stercomm.com by ns.csg.stercomm.com
Received: from ccMail by smtplink.csg.stercomm.com (SMTPLINK V2.11.01)
Date: Mon, 10 Jun 96 09:22:39 CST
From: "Out-Of-Office"
Message-Id: <9605108344.AA834423985@smtplink.csg.stercomm.com>
To: Firewalls@GreatCircle.COM
Subject: John Cathey is out of the office.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Cathey is out of the office until Sunday, June 16, 1996
and will not be reading email. A copy of your message will be left
in John Cathey's inbox.

John Cathey left this message:

John Cathey is on vacation. John will not be reading email
until he returns on June 17th.

From firewalls-owner Mon Jun 10 08:52:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA17242 for firewalls-outgoing; Mon, 10 Jun 1996 08:42:57 -0700 (PDT)
Received: from sprocket.nis.newscorp.com (sprocket.nis.newscorp.com [206.15.111.87]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA17192 for ; Mon, 10 Jun 1996 08:42:46 -0700 (PDT)
Received: (from mtc@localhost) by sprocket.nis.newscorp.com (8.7.3/8.7.2) id LAA03374 for firewalls@greatcircle.com; Mon, 10 Jun 1996 11:40:27 -0400 (EDT)
From: mtc@ie.nis.newscorp.com
Message-Id: <199606101540.LAA03374@sprocket.nis.newscorp.com>
Subject: Here goes another one (was John Cathey is out of the office.)
To: firewalls@greatcircle.com
Date: Mon, 10 Jun 1996 11:40:27 -0400 (EDT)
In-Reply-To: <9605108344.AA834423997@smtplink.csg.stercomm.com> from "Out-Of-Office" at Jun 10, 96 09:22:50 am
Reply-to: mtc@ie.nis.newscorp.com
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

That's it; Time for PROCMAIL.... %^/

Matt

>
>John Cathey is out of the office until Sunday, June 16, 1996
>and will not be reading email. A copy of your message will be left
>in John Cathey's inbox.
>
> John Cathey left this message:
>
> John Cathey is on vacation. John will not be reading email
> until he returns on June 17th.
>

From firewalls-owner Mon Jun 10 09:07:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA17687 for firewalls-outgoing; Mon, 10 Jun 1996 08:45:06 -0700 (PDT)
Received: from www.webgalaxy.net (www.allensysgroup.com [205.245.8.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA17531 for ; Mon, 10 Jun 1996 08:44:29 -0700 (PDT)
Received: from www ([205.245.8.2]) by www.webgalaxy.net
X-Sender: bbrown@allensysgroup.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: bbrown@allensysgroup.com (Bobby Brown)
Subject: Re: John Cathey is out of the office.
Date: Mon, 10 Jun 1996 11:43:47 -0400
Message-ID: <19960610154347890.AAA265@www>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When Mr. Cathey returns, I hope he realizes the annoyances he is producing.

Bobby

At 09:22 AM 6/10/96 CST, you wrote:
>John Cathey is out of the office until Sunday, June 16, 1996
>and will not be reading email. A copy of your message will be left
>in John Cathey's inbox.
>
> John Cathey left this message:
>
> John Cathey is on vacation. John will not be reading email
> until he returns on June 17th.
>

----------------------------------------------------------------
Bobby Brown
Systems Administrator
Allen Systems Group, INC.
Naples, FL
1-941-435-2299
FAX 1-800-325-2555
Comments may not be that of my employer.
From firewalls-owner Mon Jun 10 09:21:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA16419 for firewalls-outgoing; Mon, 10 Jun 1996 08:36:10 -0700 (PDT)
Received: from wormhole (wormhole.nav.cc.tx.us [205.165.189.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA16375 for ; Mon, 10 Jun 1996 08:35:51 -0700 (PDT)
Received: by wormhole (AIX 3.2/UCB 5.64/4.03)
Received: from dilbert.nav.cc.tx.us(205.165.188.145) by wormhole via smap (V1.3)
Received: from localhost by dilbert.nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03)
Date: Mon, 10 Jun 1996 10:38:02 -0500 (CDT)
From: Dana Brewer
To: firewalls@greatcircle.com
Subject: Re: Compuserve (and AOL) through Internet
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was able to easily set up AOL to work through the firewall. I still haven't had any luck with Compuserve, though. Someone mentioned that you should modify the CIS.INI. Are there any more specific details you can give?

**************************************************************************
Dana Brewer
Director, Computer Center      Internet: dana@nav.cc.tx.us
Navarro College                Phone   : 903-874-6501
3200 W. 7th Ave.               FAX     : 903-874-4636
Corsicana, TX 75110
All opinions stated are my own, and probably don't even vaguely resemble those of Navarro College. :)
**************************************************************************

From firewalls-owner Mon Jun 10 09:35:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA19226 for firewalls-outgoing; Mon, 10 Jun 1996 08:56:11 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA19218 for ; Mon, 10 Jun 1996 08:56:03 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id IAA26024; Mon, 10 Jun 1996 08:51:18 -0700 (PDT)
Received: from unknown(192.197.176.142) by tera via smap (V1.3)
Message-ID: <31BC45BC.4867@bctel.net>
Date: Mon, 10 Jun 1996 08:56:44 -0700
From: Peter Chow
Reply-To: peter_chow@bctel.net
Organization: BC Tel Advanced Communications
X-Mailer: Mozilla 3.0b4 (Win95; I)
MIME-Version: 1.0
To: "optimum.net newsgate"
CC: firewalls@GreatCircle.COM
Subject: Re: Virus detection for http proxy servers
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try the Norton AntiVirus Internet Scanner as well. Not sure where it is though.

optimum.net newsgate wrote:
>
> One of our users has been asking about virus protection
> against software he has downloaded through the Netscape
> proxy server. He was asking about something that would
> scan the software as it was being downloaded.
> I didn't think there was anything to do this, given all of the
> file formats, compression methods, and hardware
> platforms that could be using the proxy server, but I thought
> I'd look into it anyway. Does anyone know
> of a solution or partial solution to this question?
>

--
--------------------------------------------------------------------
Peter Chow                         Tel: (604)454-5269
BC Tel Advanced Communications     Fax: (604)454-5113
2600-4720 Kingsway                 e-mail: peter_chow@bctel.net
Burnaby, BC, Canada                WWW: http://www.bctel.net
V5H 4N2
--------------------------------------------------------------------

From firewalls-owner Mon Jun 10 09:50:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA20312 for firewalls-outgoing; Mon, 10 Jun 1996 09:08:55 -0700 (PDT)
Received: from mandela.apic.net (apic.net [203.21.18.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA20297 for ; Mon, 10 Jun 1996 09:08:41 -0700 (PDT)
Received: (from chris@localhost) by mandela.apic.net (2.0/Skeeve) id CAA28935; Tue, 11 Jun 1996 02:03:55 +1000
Date: Tue, 11 Jun 1996 02:03:55 +1000
X-org: Proudly transported by The Asia Pacific Internet Company Pty Ltd
X-url: http://www.apic.net/
X-phone: (+612) 417 1998
X-beware: return-loop-detector
From: Chris Drake
Message-Id: <199606101603.CAA28935@mandela.apic.net>
To: bishop@cs.ucdavis.edu, firewalls@greatcircle.com
Subject: Re: BoS: CFP: 1997 Symposium on Network and Distributed System Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe your Symposium is overlooking a massive security problem which has for some reason never made it into popular discussion.

"Client Security" - the ability of a security product/package/software to operate in a secure manner in an insecure environment (eg: DOS or Windows).

For example, a stealth key-press-password-recorder will by-pass practically *every* security system that is discussed at your Symposium, since ultimately, they all rely upon keyboard input of passwords from a PC.

Could this be included as a topic of discussion please?

Chris Drake.
From firewalls-owner Mon Jun 10 10:36:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA00152 for firewalls-outgoing; Mon, 10 Jun 1996 10:25:41 -0700 (PDT)
Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA00144 for ; Mon, 10 Jun 1996 10:25:35 -0700 (PDT)
Received: (from cklaus@localhost) by phoenix.iss.net (8.6.13/8.6.12) id NAA18942 for firewalls@greatcircle.com; Mon, 10 Jun 1996 13:23:07 -0400
From: Christopher Klaus
Message-Id: <199606101723.NAA18942@phoenix.iss.net>
Subject: Vulnerability Database
To: firewalls@greatcircle.com
Date: Mon, 10 Jun 1996 13:23:04 -0400 (EDT)
Reply-To: cklaus@iss.net
X-Mailer: ELM [version 2.4 PL24 PGP2]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Vulnerability Database:

We have begun putting together a vulnerability database on our web site at www.iss.net. This is still under construction, but we have started with network vulnerabilities and we will be expanding to include more system level vulnerabilities.

Each vulnerability has information regarding:
1) What the exploit vulnerability is
2) How to fix the vulnerability
3) Other references for more information, i.e. CERT advisories, CIAC, etc.

This database has just begun and does not contain complete information about all vulnerabilities. If you see a mistake or have a suggestion, please email webmaster@iss.net.

--
Christopher William Klaus                        Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.                  "Internet Scanner finds
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328   your network security holes
Web: http://iss.net/ Email: cklaus@iss.net       before the hackers do."
From firewalls-owner Mon Jun 10 11:20:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA02179 for firewalls-outgoing; Mon, 10 Jun 1996 10:51:56 -0700 (PDT) Received: from lafcol.lafayette.edu (lafcol.lafayette.edu [139.147.8.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA02168 for ; Mon, 10 Jun 1996 10:51:51 -0700 (PDT) Received: by lafcol.lafayette.edu (4.1/SMI-4.1) Date: Mon, 10 Jun 96 13:49:13 EDT From: mulligan@lafcol.lafayette.edu (Dogbert) Message-Id: <9606101749.AA26380@lafcol.lafayette.edu> To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk TCP Wrappers 7.4 logged this to syslog the other day. Does this necessarily show an attempted spoofing attack or could it just be a poorly configured site? Jun 9 03:07:52 lafcol in.fingerd[18050]: warning: host name/name mismatch: CS1.CC.Lehigh.EDU != cs1 Jun 9 03:07:52 lafcol in.fingerd[18050]: refused connect from 128.180.1.27 From firewalls-owner Mon Jun 10 11:22:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA03813 for firewalls-outgoing; Mon, 10 Jun 1996 11:16:49 -0700 (PDT) Received: from tigger.dir.texas.gov (tigger.dir.STATE.TX.US [141.198.192.97]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA03804 for ; Mon, 10 Jun 1996 11:16:38 -0700 (PDT) Received: from DIR-Message_Server by tigger.dir.texas.gov Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 10 Jun 1996 13:09:58 -0500 From: William Tompkins To: firewalls@GreatCircle.COM Subject: Information Security Symposium; Greater Southwest Regional Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SUBJECT: Information Security Symposium (9/23-26, 1996) I am distributing this announcement to multiple lists which may be interested in attending this type of symposium. I apologize in advance to those of you, like myself, who will receive multiple copies of this announcement. 
William Tompkins (william.tompkins@dir.state.tx.us) Texas Dept. of Info. Resources P.O.Box 13564 Austin, TX 78711-3564 512.475.3335 ------------------------------------------------- SECURING TODAY & THE FUTURE The Greater Southwest Regional Information Security Symposium SEPTEMBER 23 - 26, 1996 J.J.PICKLE RESEARCH CAMPUS, UNIV OF TEXAS AT AUSTIN AUSTIN, TEXAS Co-Sponsored by Capital of Texas Chapter of ISSA, and, Texas Department of Information Resources The symposium will feature two one-day workshops and a one-and-one-half-day conference. Information security, disaster recovery, audit and legal professionals from around the U.S. are scheduled to speak at this event. The symposium will provide a wide variety of useful, real-world solutions for the protection of your information resources. It will present the more practical aspects of developing, implementing, and managing security systems in today#s diverse environments. WHO SHOULD ATTEND? The symposium will interest CIOs, MIS Directors, Information Resource Managers, Information Security Officers, Security Administrators, system and network administrators, disaster recovery planners, auditors, and legal professionals. The entire symposium is open to the public and to all levels of government. The symposium will be held in the Commons Building of the J.J. Pickle Research Campus, the University of Texas at Austin. The campus is located at 10100 Burnet Road (FM 1325) north of Highway 183. Enter at the main gate on Braker Lane and stop at the guard station to obtain a parking pass. ------------------------------------------------------------ SECURING TODAY AND THE FUTURE - SYMPOSIUM AGENDA (Symposium details are subject to change) -- Monday 9/23: (One-day Workshop) LAN Security and Internet Security; Speaker - Ken Cutler, Vice-President, Information Security Institute. 
(LUNCH included with registration)

-- Tuesday 9/24: (One-day Workshop)
Risk Assessment: Comparing Information Security Assessment and Business Continuity/Disaster Recovery Planning -&- Awareness Training for Security and Disaster Recovery Awareness; Moderator - Ralph Spencer Poore, Coopers & Lybrand; Speakers - Jeffrey Reich, CISSP, Dell Computer Corp., & Ed Kelly, Dell Computer Corp.
(LUNCH included with registration)

----- ----- ----- -----

CONFERENCE OPENS - Wednesday 9/25
This two-track conference has a 'Technical' track and a 'Management & Administrative' track.

SECURING TODAY AND THE FUTURE - CONFERENCE AGENDA

8:00  Opening & Welcome
8:15  Keynote Address - Electronic Commerce
      Speaker - William H. Murray, CISSP, Deloitte and Touche
9:45  (Tech Trk) Windows NT Security (speaker TBA)
9:45  (Mgt/Adm Trk) Data Classification Methodology
      Speaker - Ralph Spencer Poore, CISSP, Coopers & Lybrand
11:00 (General Session #1) Internet Security
      Speaker - William H. Murray, CISSP, Deloitte and Touche
12 Noon LUNCH (included in Conf. Registration)
1:00  (Tech Trk) UNIX Security
      Speaker - Ken Cutler, Vice-President, Information Security Institute
1:00  (Mgt/Adm Trk) Security Awareness: Foundation of a Security Program
      Speakers - Marsha Smith, Tx Dept of Transportation, & Charles Byrd, Tx Dept of Mental Health and Mental Retardation
2:45  (Tech Trk) Encryption
      Speaker - Ralph Spencer Poore, CISSP, Coopers and Lybrand
2:45  (Mgt/Adm Trk) Legal Liabilities & Requirements
      Panel Speakers - C.J.Brandt, Tx Dept of Information Resources, Cheryl Burtzel, Tx Attorney General's Office, Michael S. Morris, Special Agent, FBI, Dallas
4:00  (Tech Trk) Detecting Unauthorized Access
      Speaker - Steve Smaha, Haystack Labs
4:00  (Mgt/Adm Trk) Risk Mngmnt: Compare Security & Disaster Recovery Planning
      Speakers - Buddy Jenkins, Norman Data Defense Systems, & Jim MacMicking, SunGard Planning Solutions

CONFERENCE DAY 2 - Thursday (September 26)

8:15  (Tech Trk) NOVELL NetWare Security
      Speaker - NOVELL representative
8:15  (Mgt/Adm Trk) Providing Access To Public Information
      Speaker - Clyde Poole, Tx Dept of Information Resources
9:45  (Tech Trk) Telecommunications and Toll Fraud
      Speaker - Lonnie Moore, C.T.F. Specialists, Inc.
9:45  (Mgt/Adm Trk) Auditing an Information Security Program
      Speaker - Robert Shultz, Tx State Audit Office
11:00 (Gen. Session #2) Case Study of an Internet Break-In
      Panel Speakers (and Topic) -
      ~ Effect on Mngmnt and Admin; Ms. Almaree Owens, IRM, Tx Dept of Commerce
      ~ Technical Recovery & Subsequent Safeguards; Wayne McDilda, Elecom
      ~ Reporting Violators & Evidence; Richard Owen, CISSP, Dell Computer Corp.
      This session takes you completely through a successful hacker attack: impact, detection, recovery, and properly maintaining evidence for prosecution.
12 noon Conference/Symposium Ends

----------------------------------------
REGISTRATION INQUIRIES
------------
To inquire about registration and payment or other logistics, contact Dept of Information Resources Training & Education Section at 512.475.3330. Onsite registration is subject to space availability.
Registration fee:

>> ISSA members, Texas State Agencies and Universities
___ One workshop only ------- $110
___ Two Workshops only ------- $170
___ Conference only ------- $175
___ Entire Symposium ------- $330

>> Other Government, Private Sector
___ One workshop only ------- $125
___ Two Workshops only ------- $200
___ Conference only ------- $195
___ Entire Symposium ------- $380

SORRY...NO REGISTRATION BY EMAIL

Registration CONFIRMATION
Registrations should be confirmed within two working days of receipt. Confirmations of prepaying attendees will be marked paid. Call DIR at 512.475.3330 if you do not receive prompt confirmation.

-----------------------------
SPECIAL ACCOMMODATIONS
Persons requiring special accommodations should notify DIR Training & Education in writing by September 13, 1996, (P.O.Box 13564, Austin, TX 78711)

-----------------------------
LODGING
There is no lodging available at the site of the symposium. For information on area hotel accommodations, call DIR Training & Education at 512.475.3330

------------------------------
FOR MORE INFORMATION
For more information contact William Tompkins: 512.475.3335 or by Internet mail at: william.tompkins@dir.state.tx.us or call DIR Training & Education at 512.445.3330.
------------------------------
SORRY...NO REGISTRATION BY EMAIL

From firewalls-owner Mon Jun 10 12:08:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA09326 for firewalls-outgoing; Mon, 10 Jun 1996 12:03:40 -0700 (PDT)
Received: from connectnet1.connectnet.com (connectnet1.connectnet.com [207.110.0.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA09302 for ; Mon, 10 Jun 1996 12:03:32 -0700 (PDT)
Received: from it.is.my.broken.net (it.is.my.broken.net [204.252.2.92]) by connectnet1.connectnet.com (15.9/Connectnet-2.2) with SMTP id MAA17223; Mon, 10 Jun 1996 12:01:09 -0700 (PDT)
Received: by it.is.my.broken.net (4.1/SMI-4.1)
Date: Mon, 10 Jun 1996 12:01:06 -0700 (PDT)
From: Jason Matthews
X-Sender: jason@it.is.my.broken.net
To: Dogbert
Cc: firewalls@greatcircle.com
Subject: Re: your mail
In-Reply-To: <9606101749.AA26380@lafcol.lafayette.edu>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

poor dns configuration

Jason
http://livingcam.broken.net

On Mon, 10 Jun 1996, Dogbert wrote:

> TCP Wrappers 7.4 logged this to syslog the other day. Does this
> necessarily show an attempted spoofing attack or could it just be a
> poorly configured site?
>
> Jun 9 03:07:52 lafcol in.fingerd[18050]: warning: host name/name mismatch:
> CS1.CC.Lehigh.EDU != cs1
> Jun 9 03:07:52 lafcol in.fingerd[18050]: refused connect from 128.180.1.27
>

From firewalls-owner Mon Jun 10 12:21:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA10480 for firewalls-outgoing; Mon, 10 Jun 1996 12:17:24 -0700 (PDT)
Received: from spot1.fvcc.cc.mt.us (spot1.fvcc.cc.mt.us [150.131.64.209]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA10470 for ; Mon, 10 Jun 1996 12:17:13 -0700 (PDT)
Received: from aerie.fvcc.cc.mt.us (aerie.fvcc.cc.mt.us [150.131.64.210]) by spot1.fvcc.cc.mt.us (8.6.12/8.6.9) with SMTP id NAA05033 for ; Mon, 10 Jun 1996 13:14:48 -0600
Message-Id: <199606101914.NAA05033@spot1.fvcc.cc.mt.us>
Comments: Authenticated sender is
From: rowens@fvcc.cc.mt.us
Organization: Flathead Valley Community College
To: firewalls@GreatCircle.COM
Date: Mon, 10 Jun 1996 13:14:47 -0700
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re:
X-mailer: Pegasus Mail for Windows (v2.31)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 10 Jun 96 at 13:49, Dogbert wrote:

> TCP Wrappers 7.4 logged this to syslog the other day. Does this
> necessarily show an attempted spoofing attack or could it just be a
> poorly configured site?
>
> Jun 9 03:07:52 lafcol in.fingerd[18050]: warning: host name/name mismatch:
> CS1.CC.Lehigh.EDU != cs1
> Jun 9 03:07:52 lafcol in.fingerd[18050]: refused connect from 128.180.1.27

It's _probably_ just a DNS goof; we had the same problem with some machines here if the PTR and A records didn't match (before we automated the DNS database creation).

------------------------------------------------------------------
Rick Owens                          | This message delivered
Comp. Op. Tech (aka admin. sysop)   | courtesy of the ESAE
Flathead Valley Community College   | (Electronic Sled-dog
Kalispell, MT                       | Association of Earth).
#include                            | Woof!
------------------------------------------------------------------

From firewalls-owner Mon Jun 10 12:51:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12263 for firewalls-outgoing; Mon, 10 Jun 1996 12:36:28 -0700 (PDT)
Received: from jabular.webster.com (jabular.webster.com [205.245.42.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA12230 for ; Mon, 10 Jun 1996 12:36:17 -0700 (PDT)
Received: from jabular.webster.com ([205.245.42.16]) by jabular.webster.com (8.6.12/8.6.12) with SMTP id PAA05753 for ; Mon, 10 Jun 1996 15:32:32 -0400
Received: by jabular.webster.com with Microsoft Mail
Message-ID: <01BB56E2.295ED8E0@jabular.webster.com>
From: "Patrick D. Fischer"
To: "'firewalls@GreatCircle.COM'"
Subject: Internet Filtering
Date: Mon, 10 Jun 1996 15:33:22 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I apologize in advance if this is an improper posting - but I've had many inquiries asking about this type of product & that a quick post may let people know this capability is available.

WebTrack is an internet software & filtering software tool that:

- Ensures that your organization's overall productivity is enhanced by the Internet, not reduced by non-business "surfing."
- Provides reporting and analysis tools to measure, manage and improve enterprise Internet use.
- Preserves valuable bandwidth and server space.
- Prevents people from downloading pornography and other sex-related data that is offensive and could result in liability issues.

WebTrack's control list contains tens of thousands of sites, sub-sites, and URLs, each identified as belonging to one or more of 16 non-business categories. You decide which of those categories are unwanted (sex, gambling, hate speech, etc.) or unproductive (sports, entertainment, humor, etc.) for your business users.

WebTrack installs on a proxy server behind your firewall. Configure your firewall to require all ftp, www, gopher and usenet news bound for the Internet pass through WebTrack proxy.

Again, I apologize if this is an inappropriate posting.

Thanks,

Patrick D. Fischer
Webster Network Strategies - www.webster.com
1100 5th Avenue S.
Naples, Florida 33940
Phone: 941-261-5503
Fax: 941-263-4960
email: patrick@webster.com

From firewalls-owner Mon Jun 10 13:05:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12335 for firewalls-outgoing; Mon, 10 Jun 1996 12:37:44 -0700 (PDT)
Received: from uu7.psi.com (uu7.psi.com [38.8.39.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA12314 for ; Mon, 10 Jun 1996 12:37:32 -0700 (PDT)
Received: from carsongroup.com by uu7.psi.com (5.65b/4.0.940727-PSI/PSINet) via UUCP;
From: araver@carsongroup.com (Andrew Raver)
Reply-To: araver@carsongroup.com
To: bbrown@allensysgroup.com
Cc: Firewalls@GreatCircle.COM
Subject: Re: Re: John Cathey is out of the office.
Date: 10 Jun 1996 15:13:13 GMT
Message-Id: <3440697245.218324818@carsongroup.com>
Organization: Carson Group
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I can't wait to tell him when I am out of the office!
There must be an interesting explanation why he would tell an e-mail distribution list why he is out?

I am sure he is logical and therefore await his explanation.
Andrew

From firewalls-owner Mon Jun 10 13:20:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA15759 for firewalls-outgoing; Mon, 10 Jun 1996 13:10:57 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA15741 for ; Mon, 10 Jun 1996 13:10:49 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id MAA18710; Mon, 10 Jun 1996 12:11:14 -0700
Date: Mon, 10 Jun 1996 12:54:44 -0700 (PDT)
From: Michael Dillon
To: Dana Brewer
cc: firewalls@GreatCircle.COM
Subject: Re: Compuserve (and AOL) through Internet
In-Reply-To:
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 10 Jun 1996, Dana Brewer wrote:

> I was able to easily setup AOL to work through the firewall. I still
> haven't had any luck with Compuserve, though. Someone mentioned that you
> should modify the CIS.INI. Are there anymore specific details you can
> give?

http://www.greatcircle.com/firewalls/

Read June's archive or use the search engine...

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Mon Jun 10 13:34:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14255 for firewalls-outgoing; Mon, 10 Jun 1996 12:56:12 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA14246 for ; Mon, 10 Jun 1996 12:56:06 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id MAA18655 for ; Mon, 10 Jun 1996 12:09:44 -0700
Date: Mon, 10 Jun 1996 12:53:13 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: Email irregularities
In-Reply-To: <199606101540.LAA03374@sprocket.nis.newscorp.com>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 10 Jun 1996 mtc@ie.nis.newscorp.com wrote:

> That's it; Time for PROCMAIL.... %^/
> Matt
>
> > >John Cathey is out of the office until Sunday, June 16, 1996

No! Time to install your own vacation program and then set up procmail... *evil grin*

I must say that this list appears to have more clueless people on it than any other list I've been on. This isn't the first person to set up a vacation program without filtering list addresses. And as anyone who posts to the list knows, there are a rather large number of people who subscribed with broken email addresses or who let their mailboxes grow beyond their site's quota. Somehow they always seem to be running some PC LAN email package too...

Any theories as to why this is the case?

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Mon Jun 10 13:56:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19806 for firewalls-outgoing; Mon, 10 Jun 1996 13:37:06 -0700 (PDT)
Received: from Farstar (Farstar.secapl.com [192.131.69.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA19648 for ; Mon, 10 Jun 1996 13:36:27 -0700 (PDT)
Received: from Cookie.secapl.com (Cookie.secapl.com [192.108.247.19]) by Farstar (8.6.12/8.6.12) with SMTP id PAA338922; Mon, 10 Jun 1996 15:28:24 -0500
Received: from Fred.secapl.com by Cookie.secapl.com (AIX 3.2/UCB 5.64/4.03)
Received: by fred.secapl.com (AIX 3.2/UCB 5.64/4.03)
Date: Mon, 10 Jun 1996 16:32:52 -0400 (EDT)
From: Tony Iannotti
To: Andrew Raver
Cc: bbrown@allensysgroup.com, Firewalls@GreatCircle.COM
Subject: Re: Re: John Cathey is out of the office.
In-Reply-To: <3440697245.218324818@carsongroup.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 10 Jun 1996, Andrew Raver wrote:

> I can't wait to tell him when I am out of the office!
> There must be a interesting explanation why he would
> tell a e-mail distribution list why he is out?
>
> I am sure he is logical and therefore await his explanation.

He's probably trying to see how many break-in attempts on his firewalls he gets while he can't watch the logs.....
;-)

From firewalls-owner Mon Jun 10 14:13:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22705 for firewalls-outgoing; Mon, 10 Jun 1996 13:58:11 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA22624 for ; Mon, 10 Jun 1996 13:57:51 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id NAA29026; Mon, 10 Jun 1996 13:53:10 -0700 (PDT)
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3)
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id NAA24488; Mon, 10 Jun 1996 13:54:54 -0700 (PDT)
From: Brian Murrell
Message-Id: <199606102054.NAA24488@mocha.bctel.net>
Date: Mon, 10 Jun 1996 13:54:52 -0700 (PDT)
To: michael@memra.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Email irregularities
In-Reply-To:
X-Mailer: Ishmail 1.2.1-960404-sol24
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of Michael Dillon on scroll

> I must say that this list appears to have more clueless people on it than
> any other list I've been on.
>
> Any theories as to why this is the case?

Sheer volume. The last estimate I heard was the firewalls mailing list serves an estimated 15,000 people. Any new guesses Brent??

b.

--
Brian J. Murrell                                Brian_Murrell@bctel.net
BCTel Advanced Communications                   brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com                                604 454 5279

From firewalls-owner Mon Jun 10 14:20:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20690 for firewalls-outgoing; Mon, 10 Jun 1996 13:41:47 -0700 (PDT)
Received: from nutspgw.nutec.com.br ([200.246.248.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA20057 for ; Mon, 10 Jun 1996 13:38:52 -0700 (PDT)
Received: (uucp@localhost) by nutspgw.nutec.com.br (8.6.9/8.6.5) id RAA27464 for ; Mon, 10 Jun 1996 17:45:24 -0300
Received: from unknown(200.246.247.2) by nutspgw.nutec.com.br via smap (g3.0.3)
Received: from dodo.nutec.com.br by canario.nutec.com.br id aa25444;
Comments: Authenticated sender is
From: Fernando da Silveira Montenegro
Organization: =?ISO-8859-1?Q?Nutec_Inform=DFtica?=
To: firewalls@greatcircle.com
Date: Mon, 10 Jun 1996 17:38:54 -0300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Round-robin DNS?
Reply-to: silveira@nutpagw.nutec.com.br
X-mailer: Pegasus Mail for Windows (v2.33)
Message-ID: <9606101826.aa25444@canario.nutec.com.br>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Once again, another question I would ask only after searching the archives, but they seem to be off-line...

How are people out there implementing round-robin DNS? I have "n" servers acting as www.wherever.com and I want to split the traffic between them. Of course, if I could do a proper load balancing that would be great, but a simple "n" way split is a big help already.

How does it relate to firewalls? A firewall system will act as the primary server for .wherever.com, and will have to perform these tricks...

Please reference any information on the Web if this is a FAQ.

Thanks in advance.

Fernando

--
Fernando da Silveira Montenegro        E-mail: silveira@nutec.com.br
Nutec Informatica S.A.
Phone.: +55-11-505-5728                Rua Florida, 1821/11th floor
Fax...: +55-11-505-1918                Sao Paulo, SP BRAZIL 04565-001
WWW: http://www.nutec.com.br

From firewalls-owner Mon Jun 10 15:22:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA02977 for firewalls-outgoing; Mon, 10 Jun 1996 15:10:55 -0700 (PDT)
Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA02949 for ; Mon, 10 Jun 1996 15:10:42 -0700 (PDT)
Received: (from girsch@localhost)
From: girsch@marben.com (Arnaud Girsch)
Message-Id: <199606102207.PAA25441@mail.marben.com>
Subject: Re: Round-robin DNS?
To: silveira@nutpagw.nutec.com.br
Date: Mon, 10 Jun 1996 15:07:53 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9606101826.aa25444@canario.nutec.com.br> from "Fernando da Silveira Montenegro" at Jun 10, 96 05:38:54 pm
X-Organization: Marben Products, Inc.
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> How are people out there implementing round-robin DNS? I have "n"
> servers acting as www.wherever.com and I want to split the traffic
> between them. Of course, if I could do a proper load balancing that
> would be great, but a simple "n" way split is a big help already.

This is the default behaviour of DNSes ...
If www.foo.com refers several hosts, every DNS query to the server will give you a different address.

Arnaud.

--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Mon Jun 10 15:37:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA03441 for firewalls-outgoing; Mon, 10 Jun 1996 15:17:22 -0700 (PDT)
Received: from www10.clever.net ([208.5.13.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA03423 for ; Mon, 10 Jun 1996 15:17:15 -0700 (PDT)
Received: from jv.fr.actane.com (ppp15.mm-soft.fr [194.51.39.206]) by www10.clever.net (8.7.1/8.6.9) with SMTP id SAA14524 for ; Mon, 10 Jun 1996 18:12:55 -0400 (EDT)
Message-ID: <31BC9D9D.7409@actane.com>
Date: Tue, 11 Jun 1996 00:11:41 +0200
From: Jean Vincent
Organization: ACTANE
X-Mailer: Mozilla 2.01Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: New Firewall Announcement
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I hope this is the right place for a new firewall announcement, if not I apologize to the list.

ACTANE launches ACTANE Controller, the First Firewall entirely manageable with SNMP.

If you want more information, visit us at http://www.actane.com or e-mail directly at info@actane.com unless it is useful for the whole list.

Jean Vincent.
---------------------------------------------------------------------
ACTANE                              Tel : +33 42 93 16 76
Le California Bat D2                Fax : +33 42 93 16 75
2, Rue Jean Andreani                Email : info@actane.com
13084 Aix-En-Provence CEDEX 2       http://www.actane.com
FRANCE
---------------------------------------------------------------------

From firewalls-owner Mon Jun 10 16:36:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09266 for firewalls-outgoing; Mon, 10 Jun 1996 16:29:09 -0700 (PDT)
Received: from servant ([205.172.10.40]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA09236 for ; Mon, 10 Jun 1996 16:29:00 -0700 (PDT)
Received: from radiatore.mccaw-stg.com by servant (SMI-8.6/SMI-SVR4)
Received: by radiatore.mccaw-stg.com (5.x/SMI-SVR4)
Date: Mon, 10 Jun 1996 16:26:34 -0700
From: peterg@mccaw-stg.com (Peter Gregory)
Message-Id: <9606102326.AA02001@radiatore.mccaw-stg.com>
To: silveira@nutpagw.nutec.com.br, girsch@marben.com
Subject: Re: Round-robin DNS?
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > How are people out there implementing round-robin DNS? I have "n"
> > servers acting as www.wherever.com and I want to split the traffic
> > between them. Of course, if I could do a proper load balancing that
> > would be great, but a simple "n" way split is a big help already.
>
> This is the default behaviour of DNSes ...
> If www.foo.com refers several hosts, every DNS query to the server will give
> you a different address.

Untrue. Perhaps a few implementations of DNS do this, but MOST do not behave in this manner.

[Nearly] any off-the-shelf DNS will give 'A record' results in the same order every time.
--
Peter Gregory [NICname PG11]                    peter.gregory@attws.com
Systems/Network Architect, AT&T Wireless Services, Strategic Technologies Group

From firewalls-owner Mon Jun 10 17:06:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA10735 for firewalls-outgoing; Mon, 10 Jun 1996 16:47:32 -0700 (PDT)
Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA10708 for ; Mon, 10 Jun 1996 16:47:20 -0700 (PDT)
Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1)
Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1)
Received: from spirit.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4)
Received: by spirit.qualix (5.x/SMI-SVR4)
From: security@qualix.com (Nik D. Knoth)
Message-Id: <9606102341.AA05495@spirit.qualix>
Subject: Re: Maintenance of firewall-1 2.0
To: ugb@socrates.helvetiapatria.ch (Bortoluzzi)
Date: Mon, 10 Jun 1996 16:41:58 -0700 (PDT)
Cc: firewalls@GreatCircle.com
In-Reply-To: <199604160643.IAA27951@helvetiapatria.ch> from "Bortoluzzi" at Apr 16, 96 08:43:42 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Assume practically none. Periodic examination to see if anything has changed or your understanding has improved to the point where it seems reasonable to change something. Upgrades when they come out. Optionally (a good idea but often skipped), regular monitoring of the logs.

FW-1 v2.0 should require essentially no maintenance, tho.

-nik

--
Nik D. Knoth               Email: nik@qualix.com
Qualix Support Team        Office: 415.638.4106
The Qualix Group, Inc.     Fax: 415.572.1300

>
> Hi!
>
> We are planning to install Firewall-1 Version 2.0.
> Only HTTP and SMTP shall pass through.
> Can somebody tell me how much manpower we will need to maintain the installation
> after the first implementation?
>
> Thanks
> Giulio Bortoluzzi
>
>
>

From firewalls-owner Mon Jun 10 17:21:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA10431 for firewalls-outgoing; Mon, 10 Jun 1996 16:43:16 -0700 (PDT)
Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA10418 for ; Mon, 10 Jun 1996 16:43:09 -0700 (PDT)
Received: (from girsch@localhost)
From: girsch@marben.com (Arnaud Girsch)
Message-Id: <199606102340.QAA25620@mail.marben.com>
Subject: Re: Round-robin DNS?
To: peterg@mccaw-stg.com (Peter Gregory)
Date: Mon, 10 Jun 1996 16:40:49 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9606102326.AA02001@radiatore.mccaw-stg.com> from "Peter Gregory" at Jun 10, 96 04:26:34 pm
X-Organization: Marben Products, Inc.
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>> How are people out there implementing round-robin DNS? I have "n"
>>> servers acting as www.wherever.com and I want to split the traffic
>>> between them. Of course, if I could do a proper load balancing that
>>> would be great, but a simple "n" way split is a big help already.
>>
>> This is the default behaviour of DNSes ...
>> If www.foo.com refers several hosts, every DNS query to the server will give
>> you a different address.
>
> Untrue. Perhaps a few implementations of DNS do this, but MOST do not
> behave in this manner.

err ... I'd say, perhaps a few implementations of DNS don't do this, but MOST (AFAIK) do behave in this manner ... (Bind named, which is on all Unix boxen do that, DNS NT servers do that, etc ..)

> [Nearly] any off-the-shelf DNS will give 'A record' results in the same order
> every time.

I disagree.... but it's maybe going off topic.

'just show me some DNS implementation that doesn't round robin .. ? Probably few of them are not round robin'ing, but I have to disagree when you say that "any off-the-shelf" doesn't.

Arnaud.

--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Mon Jun 10 17:51:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA16185 for firewalls-outgoing; Mon, 10 Jun 1996 17:26:21 -0700 (PDT)
Received: from absolut-zero.winternet.com (absolut-zero.winternet.com [198.174.169.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA16148 for ; Mon, 10 Jun 1996 17:26:07 -0700 (PDT)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by absolut-zero.winternet.com (8.7.5/8.7.5) with ESMTP id TAA22406 for ; Mon, 10 Jun 1996 19:23:33 -0500 (CDT)
Received: (from dufresne@localhost) by parka (8.7.4/8.6.12) id TAA24561; Mon, 10 Jun 1996 19:23:32 -0500 (CDT)
Posted-Date: Mon, 10 Jun 1996 19:23:32 -0500 (CDT)
Date: Mon, 10 Jun 1996 19:23:31 -0500 (CDT)
From: Ron DuFresne
To: "'Firewalls List'"
Subject: Active-X and/or Java?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Et. al.,

There's been a lot of discussion here about java, yet considering that at least 90% of all networks are running micro$oft or apple based workstations, I'm surprised at the total lack of mention of Active-X! Let's face it, like it or not, most of us are going to be confronted with this version of appletizing the web...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
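Two DNS behaviours come up in the threads above: the tcp_wrappers "host name/name mismatch" warning that Dogbert asked about, and the rotation of A records that the round-robin thread argues over. The block below is an added example, not code from any of the posts; the zone data, host names and addresses are constructed, and the mismatch check is a simplified model of tcp_wrappers' paranoid double-reverse lookup rather than tcpd's own code.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data for the example (documentation addresses, invented names).
# Forward side: name -> (canonical name the lookup answers with, its A records).
FORWARD: Dict[str, Tuple[str, List[str]]] = {
    "www.wherever.example": ("www.wherever.example",
                             ["192.0.2.10", "192.0.2.11", "192.0.2.12"]),
    # Misbuilt forward zone: the PTR says cs1.cc.example.edu, but the forward
    # lookup of that name comes back with the bare canonical name "cs1".
    "cs1.cc.example.edu": ("cs1", ["198.51.100.27"]),
    "goodhost.example.net": ("goodhost.example.net", ["203.0.113.5"]),
}
# Reverse side: address -> name its PTR record claims.
REVERSE: Dict[str, str] = {
    "198.51.100.27": "CS1.CC.example.edu",
    "203.0.113.5": "goodhost.example.net",
    "203.0.113.66": "goodhost.example.net",    # PTR claims a name it is not in
    "203.0.113.99": "nosuchhost.example.net",  # PTR names a host with no A record
}


def paranoid_check(addr: str) -> Tuple[str, Optional[str]]:
    """Simplified model of the double-reverse check tcp_wrappers runs on each
    connection (an illustration, not tcpd's own code).

    Returns (verdict, warning): verdict is "ok", "paranoid" or "unknown", and
    warning is the text a tcpd log line would carry, if any.
    """
    claimed = REVERSE.get(addr)
    if claimed is None:
        return "unknown", None      # no PTR at all; tcpd only has the address
    fwd = FORWARD.get(claimed.lower())
    if fwd is None:
        return "paranoid", f"can't verify hostname: gethostbyname({claimed}) failed"
    canonical, addrs = fwd
    if canonical.lower() != claimed.lower():
        # Shape of the warning in the original post: the PTR name and the
        # canonical name the forward lookup returns disagree. A zone-file slip
        # produces exactly this, which is why the replies called it a DNS goof.
        return "paranoid", f"host name/name mismatch: {claimed} != {canonical}"
    if addr not in addrs:
        # Names agree but the address is not among that name's A records: the
        # PTR points at a name that does not point back. This is the variant
        # worth a closer look, since a plain typo rarely looks like this.
        return "paranoid", f"host name/address mismatch: {addr} != {canonical}"
    return "ok", None


def round_robin(name: str, query_number: int) -> List[str]:
    """Answer order a rotating server (BIND-style) gives for the Nth query of a
    multi-address name: same RRset every time, only the starting point moves."""
    _, addrs = FORWARD[name.lower()]
    if not addrs:
        return []
    start = query_number % len(addrs)
    return addrs[start:] + addrs[:start]


def first_address_histogram(name: str, queries: int) -> Dict[str, int]:
    """Count how often each address is returned first over a run of queries.
    With rotation every address leads equally often, which is the plain
    "n"-way split the original question asked for (most clients use the first
    address, so a server that never rotates sends everyone to one host)."""
    counts: Dict[str, int] = {}
    for i in range(queries):
        first = round_robin(name, i)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    for ip in ("198.51.100.27", "203.0.113.5", "203.0.113.66",
               "203.0.113.99", "192.0.2.200"):
        print(ip, paranoid_check(ip))
    print(first_address_histogram("www.wherever.example", 9))
```

Against a real resolver the two table lookups would be gethostbyaddr and gethostbyname; the verdicts and warning texts keep the same shape.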
From firewalls-owner Mon Jun 10 18:05:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA17779 for firewalls-outgoing; Mon, 10 Jun 1996 17:37:26 -0700 (PDT)
Received: from toadflax.cs.ucdavis.edu (toadflax.cs.ucdavis.edu [128.120.56.188]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA17442 for ; Mon, 10 Jun 1996 17:36:17 -0700 (PDT)
Received: from nob (nob.cs.ucdavis.edu) by toadflax.cs.ucdavis.edu (4.1/UCD.CS.2.6)
Received: from nob.cs.ucdavis.edu (localhost) by nob (5.x/UCDCS.SECLAB.Solaris2-2.0)
Message-Id: <9606110033.AA16217@nob>
To: Chris Drake
Cc: firewalls@greatcircle.com
Cc: bishop@cs.ucdavis.edu
Reply-To: Matt Bishop
Subject: Re: BoS: CFP: 1997 Symposium on Network and Distributed System Security
In-Reply-To: Your message of Tue, 11 Jun 1996 02:03:55 +1000.
Date: Mon, 10 Jun 1996 17:33:51 -0700
From: Matt Bishop
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris,

This topic is implicitly included in the topic

* Requirements and designs for securing network information resources and tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.

as it is relevant to securing network information resources and tools (which includes clients). We'd certainly welcome a good strong submission on the topic, and encourage you to submit one!
Sincerely,
Matt Bishop

From firewalls-owner Mon Jun 10 18:20:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18426 for firewalls-outgoing; Mon, 10 Jun 1996 17:42:58 -0700 (PDT)
Received: from hidata.com ([205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA18419 for ; Mon, 10 Jun 1996 17:42:51 -0700 (PDT)
Received: by hidata.com; id AA03482; Mon, 10 Jun 96 17:40:35 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Mon, 10 Jun 1996 17:40:25 -0700
Message-Id: <199606110040.RAA03275@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: Round-robin DNS?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sounds like 'lbnamed' (load balancing name daemon) is what you're looking for.

See: http://www-leland.stanford.edu/~schemers/docs/lbnamed/lbnamed.html

Bill Stout

At 04:26 PM 6/10/96 -0700, Peter Gregory wrote:
>> > How are people out there implementing round-robin DNS? I have "n"
>> > servers acting as www.wherever.com and I want to split the traffic
>> > between them. Of course, if I could do a proper load balancing that
>> > would be great, but a simple "n" way split is a big help already.
>>
>> This is the default behaviour of DNSes ...
>> If www.foo.com refers several hosts, every DNS query to the server will give
>> you a different address.
>
>Untrue. Perhaps a few implementations of DNS do this, but MOST do not
>behave in this manner.
>
>[Nearly] any off-the-shelf DNS will give 'A record' results in the same order
>every time.
>
>--
>
>Peter Gregory [NICname PG11] peter.gregory@attws.com
>Systems/Network Architect, AT&T Wireless Services, Strategic Technologies Group
>
>

<=======10========20====Ruler for Eudora users==50========60========70========80
William B. Stout          | "Stop socialism in America!"
Senior Systems Admin      | "Dilbert for President."
Hitachi Data Systems      | "Police power today=police state tomorrow."
Open Systems Center       | "The secret of life - being part of the process of
Santa Clara, California   |  creation."
408-970-4822              | #include
<=======10========20========30========40========50========60========70========80

From firewalls-owner Mon Jun 10 18:44:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA22819 for firewalls-outgoing; Mon, 10 Jun 1996 18:20:04 -0700 (PDT)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA22792 for ; Mon, 10 Jun 1996 18:19:53 -0700 (PDT)
Received: from ford.gbnet.org by relay6.UU.NET with ESMTP
Received: (from steve@localhost) by ford.gbnet.org (8.7.1/8.6.12) id CAA05736; Tue, 11 Jun 1996 02:11:44 +0100 (BST)
From: Steve Kennedy
Message-Id: <199606110111.CAA05736@ford.gbnet.org>
Subject: Re: New Firewall Announcement
To: jvincent@actane.com (Jean Vincent)
Date: Tue, 11 Jun 1996 02:11:43 +0100 (BST)
Cc: firewalls@greatcircle.com
In-Reply-To: <31BC9D9D.7409@actane.com> from "Jean Vincent" at Jun 11, 96 00:11:41 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Jean Vincent
> I hope this is the right place for a new firewall announcement, if not
> I apologize to the list.
> ACTANE launches ACTANE Controller, the First Firewall entirely
> manageable with SNMP.

This is blatantly untrue.
The commercial KarlBridge/KarlBrouter has been entirely manageable via SNMP for at least a year if not longer !!!

Steve

--
home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103
www http://www.gbnet.net/ * bits steve@gbnet.net * Orange mobile +44-(0)973 600050
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Mon Jun 10 20:24:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA03742 for firewalls-outgoing; Mon, 10 Jun 1996 20:13:22 -0700 (PDT)
Received: from myall.awadi.com.au ([150.207.2.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA03732 for ; Mon, 10 Jun 1996 20:13:13 -0700 (PDT)
Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.5/8.7.5) with SMTP id MAA26993; Tue, 11 Jun 1996 12:40:16 +0930 (CST)
Received: from mallee.awadi by bunya.awadi (5.x/SMI-SVR4)
Received: by mallee.awadi (SMI-8.6/SMI-SVR4)
From: blymn@awadi.com.au (Brett Lymn)
Message-Id: <199606110310.MAA01593@mallee.awadi>
Subject: Re: Active-X and/or Java?
To: dufresne@winternet.com (Ron DuFresne)
Date: Tue, 11 Jun 1996 12:40:09 +0930 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Ron DuFresne" at Jun 10, 96 07:23:31 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Ron DuFresne:
>
>Let's face it, like it or not, most of us are going to be confronted with
>this version of appletizing the web...
>

Hmmm assuming that the M$ Internet Explorer is actually used... From what I know it seems that very very few people use IE. The point may well become moot, remember blackbird, os/2?????
--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.

From firewalls-owner Mon Jun 10 20:35:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA04180 for firewalls-outgoing; Mon, 10 Jun 1996 20:25:08 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA04173 for ; Mon, 10 Jun 1996 20:25:00 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.4/8.7.3) id UAA03126; Mon, 10 Jun 1996 20:22:32 -0700 (PDT)
Message-Id: <199606110322.UAA03126@salsa.gv.ssi1.com>
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Mon, 10 Jun 1996 20:22:32 -0700
In-Reply-To: eckes
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: eckes , ndg@Ghaznavi.com (N D Ghaznavi)
Subject: Re: unknown in tcpwrappers?
Cc: scanner@webspan.net, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jun 10, 10:14am, eckes wrote:
} Subject: Re: unknown in tcpwrappers?
} > Jun 5 18:36:06 Cee-Jay named[75]: recvfrom: Connection refused
} This is usually caused on a named where another nameserver is faster.

Nope, this is caused by running an old BIND 4.9.3 Beta release under Linux. You should install 4.9.3-REL and Patch1 or the latest Beta release of 4.9.4. I'd recommend upgrading to the official 4.9.4 release when it becomes available.
--- Truck

From firewalls-owner Mon Jun 10 20:50:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA04101 for firewalls-outgoing; Mon, 10 Jun 1996 20:22:15 -0700 (PDT)
Received: from absolut-zero.winternet.com (absolut-zero.winternet.com [198.174.169.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA04087 for ; Mon, 10 Jun 1996 20:22:08 -0700 (PDT)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by absolut-zero.winternet.com (8.7.5/8.7.5) with ESMTP id WAA09979; Mon, 10 Jun 1996 22:19:52 -0500 (CDT)
Received: (from dufresne@localhost) by parka (8.7.4/8.6.12) id WAA29669; Mon, 10 Jun 1996 22:19:51 -0500 (CDT)
Posted-Date: Mon, 10 Jun 1996 22:19:51 -0500 (CDT)
Date: Mon, 10 Jun 1996 22:19:50 -0500 (CDT)
From: Ron DuFresne
To: Brett Lymn
cc: firewalls@greatcircle.com
Subject: Re: Active-X and/or Java?
In-Reply-To: <199606110310.MAA01593@mallee.awadi>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 11 Jun 1996, Brett Lymn wrote:

> According to Ron DuFresne:
> >
> >Let's face it, like it or not, most of us are going to be confronted with
> >this version of appletizing the web...
> >
>
> Hmmm assuming that the M$ Internet Explorer is actually used... From
> what I know it seems that very very few people use IE. The point may
> well become moot, remember blackbird, os/2?????

But, a recent network world claims that both the micro$oft and the netscape browzers will handle Active-X tags, and m$ has been very aggressive in its approach to the net as of late...

My best,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.
Just don't touch anything.

From firewalls-owner Mon Jun 10 21:24:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA07753 for firewalls-outgoing; Mon, 10 Jun 1996 21:03:07 -0700 (PDT)
Received: from mailhost.onramp.net (mailhost.onramp.net [199.1.11.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA07730 for ; Mon, 10 Jun 1996 21:02:59 -0700 (PDT)
Received: from www.doogie.com (www.doogie.com [206.50.5.106]) by mailhost.onramp.net (8.7.3/8.6.5) with SMTP id WAA29232; Mon, 10 Jun 1996 22:59:08 -0500 (CDT)
Received: by www.doogie.com with Microsoft Mail
Message-ID: <01BB5720.86BFB020@www.doogie.com>
From: Jerry McKane
To: Ron DuFresne
Cc: "firewalls@GreatCircle.COM"
Subject: RE: Active-X and/or Java?
Date: Mon, 10 Jun 1996 22:59:47 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

we will see. remember Windows: everybody hates it but everybody uses it.

ps IE is free and never expires :-]

Jerry McKane
OnRamp Technologies http://rampages.onramp.net/~jerrym
Network Operations Lan Support
ph. 214-672-7233 fax. 214-746-7275

----------
From: Brett Lymn[SMTP:blymn@awadi.com.au]
Sent: Tuesday, June 11, 1996 7:40 AM
To: Ron DuFresne
Cc: firewalls@GreatCircle.COM
Subject: Re: Active-X and/or Java?

According to Ron DuFresne:
>
>Let's face it, like it or not, most of us are going to be confronted with
>this version of appletizing the web...
>

Hmmm assuming that the M$ Internet Explorer is actually used... From what I know it seems that very very few people use IE. The point may well become moot, remember blackbird, os/2?????

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.
From firewalls-owner Mon Jun 10 21:36:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA10696 for firewalls-outgoing; Mon, 10 Jun 1996 21:26:21 -0700 (PDT)
Received: from hephaestus.icorp.net (hephaestus.icorp.net [206.104.128.226]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA10673 for ; Mon, 10 Jun 1996 21:25:58 -0700 (PDT)
Received: (from ewieling@localhost) by hephaestus.icorp.net (8.7.4/8.7.3) id XAA02591; Mon, 10 Jun 1996 23:23:28 -0500 (CDT)
From: Eric Wieling
Message-Id: <199606110423.XAA02591@hephaestus.icorp.net>
Subject: Re: John Cathey is out of the office.
To: bbrown@allensysgroup.com (Bobby Brown)
Date: Mon, 10 Jun 1996 23:23:28 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <19960610154347890.AAA265@www> from "Bobby Brown" at Jun 10, 96 11:43:47 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When I was asked to place a vacation message on one of our salespeople's accounts I used 'vacation' which at least tries to keep from sending the vacation message over and over again to the same address. I also made sure to put my pager number at the bottom of the message with instructions to call me if there was a problem with being flooded with vacation messages.

*grumble* Some common sense would be helpful for these people.

--Eric

Some time ago Bobby Brown said:
>
> When Mr. Cathey returns, I hope he realizes the annoyances he is
> producing.
> Bobby
>
>
>
> At 09:22 AM 6/10/96 CST, you wrote:
> >John Cathey is out of the office until Sunday, June 16, 1996
> >and will not be reading email. A copy of your message will be left
> >in John Cathey's inbox.
> >
> >
--
Eric Wieling
Advanced Network Research
InterCommerce Corporation
Pager: 800-758-3680

If you consistently take an antagonistic approach, however, people are going to start thinking you're from New York. :-) --Larry Wall to Dan Bernstein

From firewalls-owner Mon Jun 10 22:10:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA12962 for firewalls-outgoing; Mon, 10 Jun 1996 21:55:35 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA12953 for ; Mon, 10 Jun 1996 21:55:28 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.4/8.7.3) id VAA03300; Mon, 10 Jun 1996 21:52:49 -0700 (PDT)
Message-Id: <199606110452.VAA03300@salsa.gv.ssi1.com>
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Mon, 10 Jun 1996 21:52:49 -0700
In-Reply-To: Eric Wieling
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Eric Wieling
Subject: Re: John Cathey is out of the office.
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jun 10, 11:23pm, Eric Wieling wrote:
} Subject: Re: John Cathey is out of the office.
} When I was asked to place a vacation message on one of our
} salespeople's accounts I used 'vacation' which at least tries to keep
} from sending the vacation message over and over again to the same
} address.

Any decent vacation program is even smarter than that. Here's what the man page from the SunOS 4.1.x vacation program sez:

     No message is sent if the `To:' or the `Cc:' line does not list the user to whom the original message was sent or one of a number of aliases for them, if the initial From line includes the string -REQUEST@, or if a `Precedence: bulk' or `Precedence: junk' line is included in the header.

which would prevent vacation from replying even once to messages forwarded from 99% of all mail lists. This isn't exactly new or earthshaking technology.
Whenever someone re-invents the wheel, do they always have to repeat the same mistakes?

Hmn, I wonder what would happen if someone forged a message to Mr. Cathey using his return address ;-)

--- Truck

From firewalls-owner Mon Jun 10 23:54:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA20108 for firewalls-outgoing; Mon, 10 Jun 1996 23:37:45 -0700 (PDT)
Received: from genie.genuity.net (genie.genuity.net [204.74.125.90]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA20072 for ; Mon, 10 Jun 1996 23:37:35 -0700 (PDT)
Received: by genie.genuity.net with Microsoft Exchange (IMC 4.0.838.14)
Message-ID:
From: Brett Watson
To: "'peterg@mccaw-stg.com'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Round-robin DNS?
Date: Mon, 10 Jun 1996 23:35:07 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Monday, June 10, 1996 4:40 PM, girsch@marben.com wrote:
>>
>>>>> How are people out there implementing round-robin DNS? I have "n"
>>>>> servers acting as www.wherever.com and I want to split the traffic
>>>>> between them. Of course, if I could do a proper load balancing that
>>>>> would be great, but a simple "n" way split is a big help already.
>>>>
>>>> This is the default behaviour of DNSes ...
>>>> If www.foo.com refers several hosts, every DNS query to the server
>>>>will give
>>>> you a different address.
>>>
>>> Untrue. Perhaps a few implementations of DNS do this, but MOST do not
>>> behave in this manner.
>>err ...
>>I'd say, perhaps a few implementations of DNS don't do this, but MOST
>>(AFAIK)
>>do behave in this manner ...
>>(Bind named, which is on all Unix boxen do that, DNS NT servers do
>>that, etc ..)
>>
>>> [Nearly] any off-the-shelf DNS will give 'A record' results in the
>>>same order
>>> every time.
>>I disagree.... but it's maybe going off topic.
>>
>>'just show me some DNS implementation that doesn't round robin .. ?
>>Probably few of them are not round robin'ing, but I have to disagree
>>when you
>>say that "any off-the-shelf" doesn't.

i think *maybe* what he means is:

1. when you use a tool to query dns you get all address records listed in the same order every time (the output that we see)

i think *maybe* what you mean is:

1. most versions of bind do round robin when they select an address record to return to the resolver for a particular host

you're both right. what we see as output for human consumption with dig/host/nslookup is not necessarily what the operating system "sees" when queries are made through the resolver. no? semantics? :)

-brett

From firewalls-owner Tue Jun 11 00:11:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA20799 for firewalls-outgoing; Mon, 10 Jun 1996 23:52:55 -0700 (PDT)
Received: from alcatel.fr (gatekeeper.alcatel.fr [194.133.58.131]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA20792 for ; Mon, 10 Jun 1996 23:52:47 -0700 (PDT)
Received: from alcatel.fr (gatekeeper-ssn.alcatel.fr [155.132.180.244]) by mailgate.alcatel.fr (8.7.3/8.7.3) with ESMTP id IAA14728 for ; Tue, 11 Jun 1996 08:50:02 +0200
Received: from AHQH01.ahqps.alcatel.fr (AHQH01.ahqps.alcatel.fr [155.132.120.40])
Message-Id: <199606110650.IAA15528@nsfhh5.alcatel.fr>
Received: from AHQP?? (ahqp30.ahqps.alcatel.fr) by AHQH01.ahqps.alcatel.fr with SMTP
Comments: Authenticated sender is
From: "JEAN-FRANCOIS BONHOMME"
To: firewalls@greatcircle.com
Date: Tue, 11 Jun 1996 08:56:55 +0000
Subject: suscribe
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

suscribe

Jean-Francois Bonhomme
Snail mail: Alcatel Telecom. 33 rue Emeriau. 75015 Paris.
Phone : 40 58 51 44 Fax: 40 58 59 02
Any opinions expressed are mine only and not necessarily those of any other entity. They may not even be mine.

From firewalls-owner Tue Jun 11 01:21:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA25368 for firewalls-outgoing; Tue, 11 Jun 1996 00:52:10 -0700 (PDT)
Received: from po.pacific.net.sg (po.pacific.net.sg [203.120.88.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA25353 for ; Tue, 11 Jun 1996 00:52:04 -0700 (PDT)
Received: from GM.compex.com.sg ([203.120.12.4]) by po.pacific.net.sg
Date: Tue, 11 Jun 1996 15:44:54
From: berkelec@pacific.net.sg (Tey Wei Ming)
Message-Id: <19960611154454berkelec@GM.compex.com.sg>
To: matt@firstpac.com.au, Firewalls@GreatCircle.com
Subject: Re: nt firewall
X-Mailer: Pronto E-Mail [version 2.0]
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Tey Wei Ming wrote this...
>
> >> From: Martin Marshall[SMTP:marshall@ebrd.com]
> >> Sent: Thursday, June 06, 1996 1:18 AM
> >> To: Firewalls Mailing list
> >> Subject: NT Firewalls
>
> >> We currently have a Unix Firewall solution, we would like to move to a
> >> NT Firewall (If Possible).
>
> >> Could anyone let me know where to jump, if a jump is to be made at all !
>
> > there is one nt firewall available from netguard (www.netguard.com). i
> > heard checkpoint and ibm will also be releasing an nt version soon.
>
> > to me nt is easier to administer than unix, and unix also have lots of
> > security risks - just look at the list on cert! and unix hardware are
> still
> > too costly.
>
> a) unix has been around longer, and has had more people look at it,
> the fact that people _know_ where the bugs are makes it _more_ secure
> not less, do you know where the holes in nt are? or are you claiming
> that nt is "bug free"??

i did not make that claim!
>
> b) administration is a matter of what you are used to, i find unix
> much much easier to administer.

agree, that's why i said in my original posting "to me nt is easier...". you need not find it easier than unix but i just can't get used to the unix commands and switches etc.

>
> c) you can run unix on PC's and they have support for a wider range of
> peripherals than nt.

do you have any numbers on what percentage of unix is running on pc's versus workstations like sun or hp?

>
> Matt
> --
> Matthew Keenan Network Administrator First Pacific Stockbrokers
> Sydney, Australia
>

wm tey
berkeley electronics pte ltd
your answer to performance enhancement
tel: (65)7429392 fax: (65)7456377
email: wm_tey@compex.com.sg berkelec@pacific.net.sg
address: blk 2 joo chiat rd#02-1129 joo chiat complex singapore 420002

From firewalls-owner Tue Jun 11 01:51:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA27782 for firewalls-outgoing; Tue, 11 Jun 1996 01:25:23 -0700 (PDT)
Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.DE [193.141.169.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA27766 for ; Tue, 11 Jun 1996 01:25:10 -0700 (PDT)
Received: (from smap@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id KAA19892 for ; Tue, 11 Jun 1996 10:22:05 +0200
Received: from grizzly.genua.de(192.109.217.33) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3)
Received: from auryn.genua.de (auryn.genua.de [192.109.217.42]) by grizzly.genua.de (8.6.12/8.6.12/bs01) with ESMTP id KAA20072 for ; Tue, 11 Jun 1996 10:21:59 +0200
Received: from auryn.genua.de (localhost [127.0.0.1]) by auryn.genua.de (8.7.4/8.6.12) with ESMTP id KAA18587 for ; Tue, 11 Jun 1996 10:21:58 +0200 (MET DST)
Message-Id: <199606110821.KAA18587@auryn.genua.de>
To: Firewalls@greatcircle.com
Subject: Re: Round-robin DNS?
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <18584.834481317.1@auryn.genua.de>
Date: Tue, 11 Jun 1996 10:21:58 +0200
From: Bernhard Schneck
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > If www.foo.com refers several hosts, every DNS query to the server will give
> > you a different address.
>
> Untrue. Perhaps a few implementations of DNS do this, but MOST do not
> behave in this manner.
>
> [Nearly] any off-the-shelf DNS will give 'A record' results in the same order
> every time.

BIND has been doing this for quite some time now. If your DNS server doesn't, either get a reasonable one yourself or complain to your vendor.

For more information see http://www.isc.org/isc/

\Bernhard.

From firewalls-owner Tue Jun 11 02:21:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA00700 for firewalls-outgoing; Tue, 11 Jun 1996 02:02:36 -0700 (PDT)
Received: from perseus.ultra.net (perseus.ultra.net [199.232.56.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA00570 for ; Tue, 11 Jun 1996 02:01:28 -0700 (PDT)
From: rwells@Trellisnet.com
Received: from tns.trellisnet.com ([199.92.204.51]) by perseus.ultra.net (8.7.4/dae0.6) with SMTP id EAA13690 for ; Tue, 11 Jun 1996 04:58:35 -0400 (EDT)
Received: by tns.trellisnet.com; Tue, 11 Jun 96 5:02:02 EDT
Date: Mon, 10 Jun 96 20:22:53 PDT
Message-ID:
X-Priority: 3 (Normal)
To:
Cc:
Subject: re:Re: Virus detection for http proxy servers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

optimum.net newsgate wrote:
>
> One of our users has been asking about virus protection
> against software he has downloaded through the Netscape
> proxy server.
> He was asking about something that would
> scan the software as it was being downloaded
> I didn't think there was anything to do this, given all of the
> file formats, compression methods, and hardware
> platforms that could be using the proxy server, but I thought
> I'd look into it anyway. Does anyone know
> of a solution or partial solution to this question?

McAfee is coming out with a product that will run on FW-1, to scan http, smtp, and ftp inbound and outbound when they hit the firewall. McAfee's product is called Webshield, it will be released in mid Aug. I saw an article about it. I think you can get it at http://techweb.cmp.com/iw, it's the may 20, 1996 issue.

Hope this helps..

Rex Wells
Network Engineer
Trellis Network Services
web: http://www.trellisnet.com
email: rwells@trellisnet.com

From firewalls-owner Tue Jun 11 02:35:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA00858 for firewalls-outgoing; Tue, 11 Jun 1996 02:04:20 -0700 (PDT)
Received: from po.pacific.net.sg (po.pacific.net.sg [203.120.88.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA00804 for ; Tue, 11 Jun 1996 02:03:45 -0700 (PDT)
Received: from GM.compex.com.sg ([203.120.12.4]) by po.pacific.net.sg
Date: Tue, 11 Jun 1996 16:56:34
From: berkelec@pacific.net.sg (Tey Wei Ming)
Message-Id: <19960611165634berkelec@GM.compex.com.sg>
To: Firewalls@GreatCircle.com
Subject: firewall and emails
X-Mailer: Pronto E-Mail [version 2.0]
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

this may not be a relevant topic to firewall (my apology), but i am curious if there is any way to ensure that all emails going out carry a valid user email address? can this be a function of the firewall, or strictly the function of the smtp server (which one has this?)?
wm tey
berkeley electronics pte ltd
your answer to performance enhancement
tel: (65)7429392 fax: (65)7456377
email: wm_tey@compex.com.sg berkelec@pacific.net.sg
address: blk 2 joo chiat rd#02-1129 joo chiat complex singapore 420002

From firewalls-owner Tue Jun 11 03:06:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA03781 for firewalls-outgoing; Tue, 11 Jun 1996 02:48:30 -0700 (PDT)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.1.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA03701 for ; Tue, 11 Jun 1996 02:47:53 -0700 (PDT)
From: harley@icrf.icnet.uk
Message-Id: <199606110947.CAA03701@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Tue, 11 Jun 1996 10:45:39 +0100
Subject: Re: Virus detection for http proxy servers
To: firewalls@GreatCircle.COM
Date: Tue, 11 Jun 1996 10:45:39 +0100 (BST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Try the Norton AntiVirus Internet Scanner as well. Not sure
> where it is though.
> http://www.symantec.com/press/n960411.html

McAfee's Webscan works somewhat similarly, as I recall. I have some reservations on this approach, but this isn't perhaps the place to discuss it.

You might also like to check out MIMEsweeper (Integralis) and InterScan VirusWall by Trend.
--
David Harley

From firewalls-owner Tue Jun 11 03:21:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA03882 for firewalls-outgoing; Tue, 11 Jun 1996 02:49:55 -0700 (PDT)
Received: from www10.clever.net ([208.5.13.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA03856 for ; Tue, 11 Jun 1996 02:49:27 -0700 (PDT)
Received: from jv.fr.actane.com (ppp15.mm-soft.fr [194.51.39.206]) by www10.clever.net (8.7.1/8.6.9) with SMTP id FAA01847; Tue, 11 Jun 1996 05:42:20 -0400 (EDT)
Message-ID: <31BD3F1A.479C@actane.com>
Date: Tue, 11 Jun 1996 11:40:42 +0200
From: Jean Vincent
Organization: ACTANE
X-Mailer: Mozilla 2.01Gold (Win95; I)
MIME-Version: 1.0
To: Steve Kennedy
CC: firewalls@greatcircle.com
Subject: Re: New Firewall Announcement
References: <199606110111.CAA05736@ford.gbnet.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve Kennedy wrote:
>
> This is blatantly untrue. The commercial KarlBridge/KarlBrouter has
> been entirely manageable via SNMP for at least a year if not longer !!!
>
> Steve

Steve, are you sure that the firewall features are manageable by SNMP ?

Many people have been asking in this list for such a feature (SNMP management of firewalls) for a while - more than one year - and nobody answered until now !

To build an entirely SNMP manageable firewall it is necessary to design a private MIB for filtering, circuit-level gateway and proxy management because there is no standard MIB available for these features.

Our aim is to promote SNMP management of all the firewall features.

Jean Vincent.
---------------------------------------------------------------------
ACTANE                          Tel : +33 42 93 16 76
Le California Bat D2            Fax : +33 42 93 16 75
2, Rue Jean Andreani            Email : info@actane.com
13084 Aix-En-Provence CEDEX 2   http://www.actane.com
FRANCE
---------------------------------------------------------------------

From firewalls-owner Tue Jun 11 03:36:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA07760 for firewalls-outgoing; Tue, 11 Jun 1996 03:25:16 -0700 (PDT)
Received: from s2.asianet.net.hk (s2.asianet.net.hk [202.70.255.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA07724 for ; Tue, 11 Jun 1996 03:24:57 -0700 (PDT)
Received: from berlin.asianet.net.hk ([202.70.254.44]) by s2.asianet.net.hk (8.7.5/8.7.3) with SMTP id SAA28827 for ; Tue, 11 Jun 1996 18:21:50 +0800 (HKT)
Received: (from root@localhost) by berlin.asianet.net.hk (8.6.9/8.6.9) id SAA00279 for ; Tue, 11 Jun 1996 18:22:26 +0800
Received: from pc51.asianet.net.hk(202.70.254.51) by berlin.asianet.net.hk via smap (V1.3)
Message-Id: <2.2.32.19960611102130.007432bc@202.70.254.44>
X-Sender: katson@202.70.254.44
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 11 Jun 1996 18:21:30 +0800
To: Firewalls@GreatCircle.COM
From: Katson PN Yeung
Subject: Incorrect HTTP-GW log time.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear all,

Eventually, I have made the tis things work. But, I have a problem which is related to http-gw and its logging. What I have done is to change the firewall.h and http-gw.c code a little bit so that the log event will be recognized by syslogd and saved in a separate file. I have done similar things to smap, netacl, ftp-gw and blah blah blah. However, I discovered that the log time for the http-gw is incorrect. It is 8 hours behind (My time zone is GMT+8).
I don't have any similar problem with the other gateway logs, it only happens with http-gw.log

Any hint to solve this?

Rgds,
K a t s o n
----------------------------------------------------------------------->8----
Customer Service Consultant
AsiaNet (Hong Kong) Limited

From firewalls-owner Tue Jun 11 03:50:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA06316 for firewalls-outgoing; Tue, 11 Jun 1996 03:09:19 -0700 (PDT)
Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA06307 for ; Tue, 11 Jun 1996 03:09:02 -0700 (PDT)
From: axel.skough@scb.se
Received: by mail.swip.net with UUCP (8.6.8/3.01)
Message-ID: <199606111008.MAA21648@mail.swip.net>
Date: Tue, 11 Jun 1996 12:05:21 +0200
To: firewalls@greatcircle.com, silveira@canario.nutec.com.br
Subject: RE: Round-robin DNS?
MIME-version: 1.0 (Created by TFS)
Content-Type: text/plain ; charset=ISO-8859-1
Content-transfer-encoding: quoted-printable
X-Mailer: TFS Gateway V210U0808M
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am looking at the upcoming Windows NT 4.0 DNS, currently at the beta 2 stage. The DNS contained herein currently changes frequently between beta releases, but one could point out that the beta 1 release was explicitly told to support round robin for multihomed A records. This was a beta test goal as the Cricket/Liu "BIND and DNS" reference states that when a multihomed reference appears the IP address to return should be the one most close to the caller's IP address. Instead the round robin principle should be used; myself, I do not see any obvious disadvantages here, it should distribute the access among the resources offered. I wonder if someone knows if this is still true for this DNS?
I am very interested in it due to the promising administrative tools equipped with it - it would be a low-resource consuming task to manage the DNS with these tools even on an enterprise installation.

Also, Microsoft says that zone transfer is not properly implemented among the Unix BIND versions which caused some trouble. Due to this certain DNS/BIND versions on some implementations will be incompatible. I wonder if this is true? If so, the obvious conclusion should be that one has to avoid intermixing DNS/BIND from different vendors and/or platforms (indeed, a good principle regardless of product, anyhow).

Any comments?

Axel Skough
Statistics Sweden

----------
From: silveira@canario.nutec.com.br
To: firewalls@greatcircle.com; SCB/S1POST/SCBAXLS
Subject: Round-robin DNS?
Date: den 11 June 1996 06:59

Hi!

Once again, another question I would ask only after searching the archives, but they seem to be off-line...

How are people out there implementing round-robin DNS? I have "n" servers acting as www.wherever.com and I want to split the traffic between them. Of course, if I could do a proper load balancing that would be great, but a simple "n" way split is a big help already.

How does it relate to firewalls? A firewall system will act as the primary server for .wherever.com, and will have to perform these tricks...

Please reference any information on the Web if this is a FAQ.

Thanks in advance.

Fernando
--
Fernando da Silveira Montenegro E-mail: silveira@nutec.com.br
Nutec Informatica S.A.
Phone.: +55-11-505-5728             Rua Florida, 1821/11th floor
Fax...: +55-11-505-1918             Sao Paulo, SP BRAZIL 04565-001
WWW: http://www.nutec.com.br

From firewalls-owner Tue Jun 11 04:21:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA12948 for firewalls-outgoing; Tue, 11 Jun 1996 04:11:07 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA12926 for ; Tue, 11 Jun 1996 04:10:54 -0700 (PDT)
Received: from user_ins.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id EAA27672 for ; Tue, 11 Jun 1996 04:08:32 -0700 (PDT)
Message-Id: <2.2.32.19960611230714.00677c2c@ins.com>
X-Sender: martin_d@ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 11 Jun 1996 19:07:14 -0400
To: firewalls@greatcircle.com
From: Darwin Martinez
Subject: Attack?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All:

I'm consistently seeing the following message on my FW-1.

    netbios_dgm 17.x.x.122 17.255.255.255 udp

and

    netbios_ns 17.x.x.121 17.255.255.255 udp

Both of these appear on the "secure" side of the firewall's interface, yet my client has NO Class A 17 addresses, only network 10 addresses which I'm fwxlconf'ing to their appropriate Class C for the internet. When I try to ping the above network 17 address, no luck. When I do a traceroute to it, the route goes through our external router, our ISP router, an additional 5 routers of the same ISP, then ends up with at least 24 entries (my ttl is 30) such as shown below for the netbios dgm:

    192.42.249.52
    192.42.249.42
    192.42.249.52
    192.42.249.42
    etc., etc., etc.

For the netbios_ns traceroute, it resembles this: same path including our ISP's 5 routers, and:

    192.42.249.51
    192.42.249.42
    192.42.249.51
    192.42.249.42
    etc., etc., etc.
When I ping the 17.x.x.x address, the FW-1 log shows that address 192.42.249.52 responds, but passes rule 5 (any,any,any,accept; test rules only), when rule 4 is allowing all of the ICMP options listed in the services screen.

Is this some sort of attack? Any ideas would be greatly appreciated.

------------------------------------------------------------------------
Darwin L. Martinez                Email: darwin_martinez@ins.com
Network Systems Engineer          Site #: 404-843-5954
International Network Services    Pager: 800-INS-1-INS
Atlanta Office
------------------------------------------------------------------------

From firewalls-owner Tue Jun 11 04:36:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA14240 for firewalls-outgoing; Tue, 11 Jun 1996 04:24:15 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA14198 for ; Tue, 11 Jun 1996 04:23:59 -0700 (PDT)
Message-Id: <199606111123.EAA14198@miles.greatcircle.com>
Received: by cheops.anu.edu.au
From: Darren Reed
Subject: Re: New Firewall Announcement
To: jvincent@actane.com (Jean Vincent)
Date: Tue, 11 Jun 1996 21:21:27 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <31BC9D9D.7409@actane.com> from "Jean Vincent" at Jun 11, 96 00:11:41 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Jean Vincent, sie said:
>
> I hope this is the right place for a new firewall announcement, if not
> I apologize to the list.
>
> ACTANE launches ACTANE Controller, the First Firewall entirely
> manageable with SNMP.

Hmmm, an oxy-moron too. ("Security Not My Problem")

Sounds too much like a flammable substance that goes "boom".
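Triage of the FW-1 entries quoted in Darwin Martinez's "Attack?" question above, as an added example that is not part of the original thread: it parses lines of the shape the post shows (service, source, destination, protocol), checks each source against the address space the "secure" interface is supposed to carry, and tallies the sources that need locating on the inside segment. The inside range (all of network 10, as the post describes), the sample lines (with the masked 17.x.x octets filled in with placeholder values) and the verdict names are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample in the shape the post quotes
# ("<service> <source> <destination> <protocol>"); the octets the poster
# masked as "x" are filled with placeholder values here.
SAMPLE_LOG = """\
netbios_dgm 17.0.0.122 17.255.255.255 udp
netbios_ns 17.0.0.121 17.255.255.255 udp
netbios_ns 10.1.2.7 10.1.255.255 udp
http 10.1.2.3 198.51.100.10 tcp
"""

# Address space the "secure" interface is expected to carry: the post says
# the client only uses network 10 internally (assumption: the whole /8).
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# NetBIOS name-service and datagram traffic is routine broadcast chatter
# when it comes from our own address space; it is worth a look when not.
BROADCAST_SERVICES = {"netbios_ns", "netbios_dgm"}


def parse_entry(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    service, src, dst, proto = parts
    try:
        return {
            "service": service,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def is_broadcast_like(addr):
    """Heuristic: limited broadcast or an all-ones last octet (17.255.255.255)."""
    return addr == ipaddress.ip_address("255.255.255.255") or addr.packed[-1] == 255


def classify(entry, inside_nets):
    """Verdict for one entry that was logged on the inside interface."""
    src_inside = any(entry["src"] in net for net in inside_nets)
    dst_inside = any(entry["dst"] in net for net in inside_nets)
    if not src_inside:
        # A packet on the inside wire carrying a source we do not own. Because
        # it was seen on the secure side, the sender sits on the local segment
        # (misconfigured, or deliberately mis-addressed); the Internet path
        # the poster traced is a red herring for finding it.
        return "unexpected-source-network"
    if entry["service"] in BROADCAST_SERVICES and is_broadcast_like(entry["dst"]):
        return "local-broadcast-chatter"
    if not dst_inside:
        return "outbound"
    return "internal"


def triage(log_text, inside_nets=INSIDE_NETS):
    """Classify every parseable line and tally the sources that need chasing down."""
    verdicts = []
    suspects = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        verdict = classify(entry, inside_nets)
        verdicts.append((line, verdict))
        if verdict == "unexpected-source-network":
            suspects[str(entry["src"])] += 1
    return verdicts, suspects


if __name__ == "__main__":
    results, suspects = triage(SAMPLE_LOG)
    for line, verdict in results:
        print(f"{verdict:26} {line}")
    print("sources to locate on the inside segment:", dict(suspects))
```

With the sample above, both 17.x.x entries come back as unexpected-source-network and the 10.x NetBIOS line as local-broadcast-chatter, so the next step is a look at the inside segment (ARP table, switch port) for the two suspect sources rather than at the ISP's routers.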
From firewalls-owner Tue Jun 11 05:41:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA19924 for firewalls-outgoing; Tue, 11 Jun 1996 05:34:38 -0700 (PDT)
Received: from pluto.mscc.huji.ac.il (pluto.mscc.huji.ac.il [132.64.178.45]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA19885 for ; Tue, 11 Jun 1996 05:33:03 -0700 (PDT)
Received: by pluto.mscc.huji.ac.il (AIX 3.2/UCB 5.64/4.03)
Date: Tue, 11 Jun 1996 15:29:41 +0300 (WET)
From: Isaac Labaton
To: Out-Of-Office
Cc: Firewalls@GreatCircle.COM
Subject: Re: John Cathey is out of the office.
In-Reply-To: <9605108344.AA834423997@smtplink.csg.stercomm.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Let's all send him a message telling him we got his message... Out-Of-Office

On Mon, 10 Jun 1996, Out-Of-Office wrote:

> John Cathey is out of the office until Sunday, June 16, 1996
> and will not be reading email. A copy of your message will be left
> in John Cathey's inbox.
>
> John Cathey left this message:
>
> John Cathey is on vacation. John will not be reading email
> until he returns on June 17th.

From firewalls-owner Tue Jun 11 05:54:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA20203 for firewalls-outgoing; Tue, 11 Jun 1996 05:39:44 -0700 (PDT)
Received: from ibmser01.ncdc.noaa.gov (ibmser01.ncdc.noaa.gov [192.67.134.133]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA20196 for ; Tue, 11 Jun 1996 05:39:39 -0700 (PDT)
Received: from zephyr.ncdc.noaa.gov by ibmser01.ncdc.noaa.gov (AIX 3.2/UCB 5.64/4.03)
Received: by zephyr.noaa.gov (SMI-8.6/SMI-SVR4)
Date: Tue, 11 Jun 1996 08:37:13 -0400
From: jklein@ncdc.noaa.gov (Jody Klein)
Message-Id: <199606111237.IAA24674@zephyr.noaa.gov>
To: Firewalls@GreatCircle.COM
Subject: Re: Active-X and/or Java?
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Mon, 10 Jun 1996 22:59:47 -0500
> From: Jerry McKane
> Subject: RE: Active-X and/or Java?
>
> we will see remember Windows everybody hates it but everybody uses it
>
> ps
>
> IE is free and never expires :-]
>

nothing Microsloth ever does is *free*

jk

From firewalls-owner Tue Jun 11 06:14:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA20992 for firewalls-outgoing; Tue, 11 Jun 1996 05:53:30 -0700 (PDT)
Received: from firewall.apogee-com.fr (oleane-gw.apogee-com.fr [194.2.187.93]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA20901 for ; Tue, 11 Jun 1996 05:53:08 -0700 (PDT)
Received: by firewall.apogee-com.fr; id AA16958; Tue, 11 Jun 96 14:48:24 +0200
Received: from apogee1.apogee-com.fr(194.2.187.1) by oleane-gw.apogee-com.fr via smap (g3.0.3)
Received: from ING02PC.APOGEE-COM.FR (inter090.apogee-com.fr) by Apogee1.apogee-com.fr.apogee-com.fr (4.1/SMI-4.1)
Message-Id: <31BDE99E.5535@apogee-com.fr>
Date: Tue, 11 Jun 1996 14:48:14 -0700
From: Jean-Francois Zwobada
Reply-To: gauntlet-tech@apogee-com.fr
Organization: APOGEE Communications
X-Mailer: Mozilla 2.01I [fr] (Win95; I; 16bit)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Cc: gauntlet-tech@apogee-com.fr
Subject: split-brain DNS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

The split-brain DNS is a problem when you have a domain and subdomains behind the firewall. The solution we know is to declare the DNS server of the parent domain as a secondary server for every existing subdomain. This solution is not really great since we can't resolve Internet names from a subdomain.
We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND but no improvement seems to be done...

Does someone have a better solution? Some hints?
Thanks in advance,

Jean-Francois
--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications          Tel : +33 (1) 69 85 56 47
Parc Club Universite           Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex              e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Tue Jun 11 06:21:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22232 for firewalls-outgoing; Tue, 11 Jun 1996 06:05:18 -0700 (PDT)
Received: from sidewinder.entex.com (gw.entex-is.com [155.45.249.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA22225 for ; Tue, 11 Jun 1996 06:05:12 -0700 (PDT)
From: Anthony.Passaniti@entex.com
Received: from sidewinder.entex.com (daemon@localhost) by sidewinder.entex.com (8.7.2/8.7.2) with ESMTP id JAA03032 for ; Tue, 11 Jun 1996 09:02:55 -0400 (EDT)
Received: from smtpgate.entex.com (smtpgate.entex.com [155.45.7.20]) by sidewinder.entex.com (8.7.2/8.7.2) with SMTP id JAA03022 for ; Tue, 11 Jun 1996 09:02:53 -0400 (EDT)
Received: from ccMail by smtpgate.entex.com
Mime-Version: 1.0
Date: Tue, 11 Jun 1996 08:58:15 -0400
Message-ID: <1BD6CB10.1744@entex.com>
Subject: Secure Telnet to External Sites.
To: Firewalls@GreatCircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings:

This is my first question to this forum so please pardon my ignorance. I have a requirement to access external sites, via Telnet/TN3270 and FTP. (FTP access would be a direct FTP request, not via Netscape). We have a Firewall (Sidewinder) setup to allow for specific IP addresses. The sites I need to get to are:

    IBMLINK.ADVANTIS.COM
    Gateway.compuserve.com

(there may be additional sites in the future).

We currently have LANs connected together through frame relays to form a WAN.
We connect to the Internet via our firewall (T1 through an ISP).

Is there a solution for this request which would be both secure and feasible?

Thank you,
Tony Passaniti
Security Director
ENTEX Information Services, Inc.

From firewalls-owner Tue Jun 11 06:36:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA25240 for firewalls-outgoing; Tue, 11 Jun 1996 06:29:12 -0700 (PDT)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA25199 for ; Tue, 11 Jun 1996 06:29:01 -0700 (PDT)
Received: by gauntlet-1.trusted.com; id JAA05713; Tue, 11 Jun 1996 09:41:45 -0400
Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1.1)
Received: from localhost by hilo.trusted.com with SMTP
Message-Id: <9606111328.AA11406@hilo.trusted.com>
X-Mailer: exmh version 1.6.4 10/10/95
To: Katson PN Yeung
Cc: Firewalls@greatcircle.com
Subject: Re: Incorrect HTTP-GW log time.
In-Reply-To: Your message of "Tue, 11 Jun 1996 18:21:30 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 11 Jun 1996 09:28:47 EDT
From: "Rick Murphy"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This question should really be taken to the "fwtk-users@tis.com" mailing list; however:

This is a normal problem in a chroot environment - there's a link missing in the chroot environment that specifies what time zone you're in. Missing that means you're defaulting to GMT. On BSD systems, there's a file called /etc/localtime that's a symlink to the correct time zone file; putting that in the chroot area will fix it. The fix will vary depending on your OS.
-Rick

From firewalls-owner Tue Jun 11 06:55:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA25281 for firewalls-outgoing; Tue, 11 Jun 1996 06:29:26 -0700 (PDT)
Received: from camelot.netmarket.com (camelot.netmarket.com [199.79.247.247]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA25238 for ; Tue, 11 Jun 1996 06:29:12 -0700 (PDT)
Received: from tannis.netmarket.com (tannis.netmarket.com [172.16.1.10]) by camelot.netmarket.com (8.7.3/8.7.3) with ESMTP id JAA10571; Tue, 11 Jun 1996 09:26:53 -0400 (EDT)
Received: from brigadoon.netmarket.com (brigadoon.netmarket.com [172.16.1.236]) by tannis.netmarket.com (8.6.10/8.6.10) with ESMTP id JAA11449; Tue, 11 Jun 1996 09:26:14 -0400
Received: by brigadoon.netmarket.com (SMI-8.6/client-1.5)
Message-Id: <199606111323.JAA00441@brigadoon.netmarket.com>
From: hal@netmarket.com (Hal Pomeranz)
Date: Tue, 11 Jun 1996 09:23:09 -0400
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: bblisa@bblisa.org, firewalls@greatcircle.com, sage-members@usenix.ORG
Subject: BBLISA Meeting: Securing Your (Solaris) Web Server
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------------------------------------------------------------------
======== ======== ======== BackBayLISA Calendar of Events ======== ======== ========
----------------------------------------------------------------------

June: Securing Your (Solaris) Web Server

Date:        June 12, 1996
Time:        7:00-9:00pm
Location:    MIT Building E51 Room 372
             70 Memorial Drive
             Cambridge, MA
Speaker:     Peter Galvin, Chief Technologist, Corporate Technologies
Coordinator: Hal Pomeranz

Description:

Web servers are among those odd beasts that need to be accessible from insecure sites. That does not mean that they should be free for the taking by hackers, however. This talk will discuss the specifics of securing a web server, including software installation and management and useful tools.
The talk is based on the SunWorld Online April and May security column written by Peter Galvin and Hal Pomeranz. Although the talk is Solaris specific, the general techniques and some specific information are applicable to other Unix boxes.

Want to find out more about BackBayLISA? the monthly meetings? the mailing lists? Send mail to

Need directions to the meeting? ftp them from ftp.bblisa.org:/pub/bblisa/directions

From firewalls-owner Tue Jun 11 07:06:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29928 for firewalls-outgoing; Tue, 11 Jun 1996 07:02:13 -0700 (PDT)
Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA29879 for ; Tue, 11 Jun 1996 07:01:55 -0700 (PDT)
Received: from osftag.geo.dec.com by mail1.digital.com (5.65 EXP 4/12/95 for V3.2/1.0/WV)
Received: from osftag.geo.dec.com (osftag.geo.dec.com [16.184.80.100]) by osftag.geo.dec.com (8.7.1/8.6.10) with SMTP id PAA01352; Tue, 11 Jun 1996 15:54:07 +0200 (MET DST)
Message-Id: <31BD7A7E.15FB@osftag.geo.dec.com>
Date: Tue, 11 Jun 1996 15:54:06 +0200
From: thierry agassis
Organization: Multivendor Customers Services - Digital
X-Mailer: Mozilla 2.0 (X11; I; OSF1 V3.2 alpha)
Mime-Version: 1.0
To: gauntlet-tech@apogee-com.fr, zwobada@apogee-com.fr
Cc: firewalls@GreatCircle.COM
Subject: Re: split-brain DNS
References: <31BDE99E.5535@apogee-com.fr>
Content-Type: multipart/mixed; boundary="------------59E21CFB3F54"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.

--------------59E21CFB3F54
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hi Jean-François,

You will find a patch in contrib/noforward directory which is supposed to fix the forwarding problem with internal delegated domains. I've just included the README file.

I hope it helps and works.

Cheers !
--
Thierry AGASSIS                   Mail address :
UNIX and Internet Support         thierry@osftag.geo.dec.com
DEC-TEP 16 Partner                URL : (from inside dec.com ):
                                  http://www-mcs.geo.dec.com

--------------59E21CFB3F54
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename="README"
Content-Transfer-Encoding: 7bit

Here are the patches to bind-4.9.3-REL to support the 'noforward' directive and instructions for building and using a modified bind.

1. You must '#define NOFORWARD' for the modifications to be enabled. The best way to do this is to add it to conf/options.h, but you have to do that yourself, by hand.

2. Apply the patches to the files in the 'named' sub-directory. The syntax should probably be:

       patch -i xxx.patch

3. Move to the top level directory and run make. After it builds correctly, do a 'make install' or whatever you need to do to get the modified 'named' executable activated.

4. Add one or more 'noforward' directives to named.boot as required. For instance, if you wanted to prevent forwarding for domain 'nutsnbolts.com' (and everything under it), add the following line to named.boot:

       noforward nutsnbolts.com

   You might also want to exclude address->name maps. For example, if nutsnbolts.com corresponds to network 192.168.0.0, you might add the following:

       noforward 168.192.in-addr.arpa

   Note that you can list multiple domains in a single 'noforward' directive:

       noforward nutsnbolts.com 168.192.in-addr.arpa

5. Restart your server to load the new config.

That's all there is to it (in a perfect world)!
Todd.Aven@BankersTrust.Com
8 January 1996

--------------59E21CFB3F54--

From firewalls-owner Tue Jun 11 07:23:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA02188 for firewalls-outgoing; Tue, 11 Jun 1996 07:18:05 -0700 (PDT)
Received: from nfinity.com (nfinity.nfinity.com [206.101.78.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA02177 for ; Tue, 11 Jun 1996 07:17:59 -0700 (PDT)
Received: from vsgjtm (theon.nfinity.com [206.101.78.20]) by nfinity.com (8.7.4/8.6.9) with SMTP id JAA27297; Tue, 11 Jun 1996 09:31:46 -0500 (CDT)
Message-ID: <31BD7E46.733B@nfinity.com>
Date: Tue, 11 Jun 1996 08:10:15 -0600
From: Jim Martin
Organization: ViaServices Group
X-Mailer: Mozilla 3.0b4Gold (Win95; I)
MIME-Version: 1.0
To: Katson PN Yeung
CC: Firewalls@GreatCircle.COM
Subject: Re: Incorrect HTTP-GW log time.
References: <2.2.32.19960611102130.007432bc@202.70.254.44>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Katson PN Yeung wrote:
>
> Dear all,
>
> Eventually, I have made the tis things work. But, I have a problem
> which is related to http-gw and its logging.
>
> What I have done is to change the firewall.h and http-gw.c code a
> little bit so that the log event will be recognized by syslogd and saved in a
> separate file. I have done the similar things to smap, netacl, ftp-gw and
> blah blah blah.
>
> However, I discovered that the log time for the http-gw is
> incorrect. It is 8 hours behind (My time zone is GMT+8). I don't have any
> similar problem with other gateway log, it only happens with http-gw.log
>
> Any hint to solve this?
>
> Rgds,
> K a t s o n
> ----------------------------------------------------------------------->8----
> Customer Service Consultant
> AsiaNet (Hong Kong) Limited

Only thing I can think of is you are making a call to gmtime instead of localtime in http-gw.c??
Jim

From firewalls-owner Tue Jun 11 07:43:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03369 for firewalls-outgoing; Tue, 11 Jun 1996 07:28:44 -0700 (PDT)
Received: from baldy.worldbit.com (baldy.worldbit.com [199.4.115.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA03359 for ; Tue, 11 Jun 1996 07:28:35 -0700 (PDT)
Received: from localhost (blast@localhost) by baldy.worldbit.com (8.7.5/8.7.3) with SMTP id HAA14177; Tue, 11 Jun 1996 07:23:32 -0700 (PDT)
Date: Tue, 11 Jun 1996 07:23:32 -0700 (PDT)
From: Blast
To: gauntlet-tech@apogee-com.fr
cc: firewalls@GreatCircle.COM
Subject: Re: split-brain DNS
In-Reply-To: <31BDE99E.5535@apogee-com.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 11 Jun 1996, Jean-Francois Zwobada wrote:

> Hi,
>
> The split-brain DNS is a problem when you have a domain and
> subdomains behind the firewall. The solution we know is to declare
> the DNS server of the parent domain as a secondary server for every
> existing subdomain. This solution is not really great since we can't
> resolve Internet names from a subdomain.
> We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
> but no improvement seems to be done...
>
> Does someone have a better solution ? Some hints ?

When 4.9.3-Rel was released, someone put in the contrib dir a patch called noforward.tar. It addressed this problem you are having. I just went to ftp.vix.com and was unable to find it but I have it so I can send it to you directly. My guess is that it was removed from the contrib dir because they are working it into the 4.9.4 source tree. I will check with Paul on this matter.

--blast

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\  Tim Keanini     | "The limits of my language,                   /
/  aka blast       |  are the limits of my world."
\                  |          --Ludwig Wittgenstein               /
\ +================================================/             /
/ PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html    \
\                                                                /
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Tue Jun 11 08:36:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA08736 for firewalls-outgoing; Tue, 11 Jun 1996 08:19:43 -0700 (PDT)
Received: from fionn.lbl.gov (fionn.lbl.gov [128.3.128.60]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA08723 for ; Tue, 11 Jun 1996 08:19:37 -0700 (PDT)
Received: (mike@localhost) by fionn.lbl.gov (LBNLMWH3/LBNLCF) id IAA09289; Tue, 11 Jun 1996 08:17:21 -0700 (PDT)
Message-Id: <199606111517.IAA09289@fionn.lbl.gov>
From: mike@fionn.lbl.gov (Michael Helm)
Date: Tue, 11 Jun 1996 08:17:21 PDT
In-Reply-To: Bernhard Schneck
Reply-To: mike@fionn.lbl.gov
X-Mailer: Mail User's Shell (7.2.3 5/22/91)
To: Firewalls@GreatCircle.COM
Subject: Re: Round-robin DNS?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jun 11, 10:21am, Bernhard Schneck wrote:
> > [Nearly] any off-the-shelf DNS will give 'A record' results in the same order
> > every time.
>
> BIND has been doing this for quite some time now. If your DNS server
> For more information see http://www.isc.org/isc/

Good advice. Probably the best place to find out information about bind would be from the archives of the bind mailing list (do they exist?).

When I first encountered round-robin behavior (& complained about the side effects), it was pointed out to me on that list that address return fell into 2 classes:

    before bind-49x : undefined
    bind-49x        : round-robin

[The round-robin effect can still be turned off by changing a compilation option.]

The practical effect of 'undefined' was typically that the addresses would be returned in the same order until their ttl in the cache expired.
The change in the order could be seen once round-robining nameservers were deployed as authoritative nameservers in an environment with many older versions of bind. Older bind nameservers would also follow implicit & explicit address sorting rules; some of this is gone in versions of bind that do round-robining. These sorting rules could also have had the effect of making the order of addresses returned appear constant.

From firewalls-owner Tue Jun 11 08:57:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA09186 for firewalls-outgoing; Tue, 11 Jun 1996 08:25:21 -0700 (PDT)
Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA09168; Tue, 11 Jun 1996 08:25:10 -0700 (PDT)
X-Sender: brent@miles.greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 11 Jun 1996 08:24:24 -0700
To: Brian Murrell , michael@memra.com
From: Brent@GreatCircle.COM (Brent Chapman)
Subject: Re: Email irregularities
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 1:54 PM 6/10/96, Brian Murrell wrote:
>from the quill of Michael Dillon on scroll
>
>> I must say that this list appears to have more clueless people on it than
>> any other list I've been on.
>>
>> Any theories as to why this is the case?
>
>Sheer volume. The last estimate I heard was the firewalls mailing list
>serves an estimated 15,000 people. Any new guesses Brent??

There are a little over 4000 addresses on the main Firewalls mailing list, and just under 4000 on the Firewalls-Digest mailing list, for a total of a little over 8000. Many of these addresses are redistribution aliases that serve multiple people, so 15,000 probably isn't a bad estimate of the readership.
Another factor in the funky-mail-problems situation is that many of the subscribers to Firewalls are here _because_ their organizations are new to the Internet. At the same time they're struggling with firewall issues, they're also stuck with whatever pre-existing mail system they have, and the gateways are seldom perfect.

-Brent

----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
Internet Tutorials from the Experts!

From firewalls-owner Tue Jun 11 09:06:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10662 for firewalls-outgoing; Tue, 11 Jun 1996 08:46:04 -0700 (PDT)
Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA10608 for ; Tue, 11 Jun 1996 08:45:49 -0700 (PDT)
Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1))
From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne)
Message-Id: <9606111543.AA07378@dsacg1.dsac.dla.mil>
Subject: building the tis toolkit under bsdi 2.1
To: firewalls@greatcircle.com
Date: Tue, 11 Jun 96 11:43:24 EDT
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, subject pretty much says it all. I have built everything except the x-gw. I have linked everything, and I constantly get errors about _shmat, _shmdt. I sent mail to bsdi about it and they just said my maintenance ran out (which is interesting, we just bought the upgrade to 2.1, I am in the process of getting that resolved). I built all of this on the 2.0 release and just thought I would recompile instead of running the older shared libs. I can't believe they broke it and give me that kind of crap.
In the meantime, I built all the products with some minor tweaking; the only one I can't build is x-gw. Anybody got any ideas?

******************************* tear here
stevep# make
for a in lib auth smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw; do ( cd $a; echo all: `pwd`; make all ); done
all: /src/fwtk/lib
all: /src/fwtk/auth
all: /src/fwtk/smap
all: /src/fwtk/smapd
all: /src/fwtk/netacl
all: /src/fwtk/plug-gw
all: /src/fwtk/ftp-gw
all: /src/fwtk/tn-gw
all: /src/fwtk/rlogin-gw
all: /src/fwtk/http-gw
all: /src/fwtk/x-gw
gcc -g -o x-gw x-gw.o ../libfwall.a ulib.a X11.a Xaw.a Xmu.a Xt.a Xext.a SM.a ICE.a -L/usr/X11R6/lib -lX11 -lXaw -lXmu -lXt -lXext -lSM -lICE -lresolv
OpenDis.o: Undefined symbol _shmat referenced from text segment
OpenDis.o: Undefined symbol _shmdt referenced from text segment
OpenDis.o: Undefined symbol _shmdt referenced from text segment
*** Error code 1
Stop.
*** Error code 1
Stop.
stevep# strings /usr/X11R6/lib/libX11.a | grep _shm
_shmat
_shmdt
_shmAllocate
*************

I checked the X11 libs and the _shm's are there. Has anybody built the toolkit under 2.1?

thanks
steve

From firewalls-owner Tue Jun 11 09:43:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA13988 for firewalls-outgoing; Tue, 11 Jun 1996 09:22:52 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA13889 for ; Tue, 11 Jun 1996 09:21:36 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
Received: from lina.inka.de (ecki@lina.inka.de) by uu.inka.de
Received: by lina.inka.de
Message-Id:
Subject: Re: Round-robin DNS?
To: axel.skough@scb.se
Date: Tue, 11 Jun 1996 18:08:26 +0200 (MET DST)
Cc: firewalls@greatcircle.com, silveira@canario.nutec.com.br
In-Reply-To: <199606111008.MAA21648@mail.swip.net> from "axel.skough@scb.se" at Jun 11, 96 12:05:21 pm
From: eckes
Organisation: private Linux Site, Karlsruhe, Germany
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> The DNS contained herein currently changes frequently between beta releases,
> but one could point out that the beta 1 release was explicitly told to
> support round robin for multihomed A records. This was a beta test goal as
> the Cricket/Liu "BIND and DNS" reference states that when a multihomed
> reference appears the IP address to return should be the one most close to
> the caller's IP address. Instead the round robin principle should be used,
> myself, I do not see any obvious disadvantages here, it should distribute
> the access among the resources offered. I wonder if someone knows if this is
> still true for this DNS?

I think a usual method is to use the A record of an address of a locally attached net, and a Round-Robin otherwise. This is done AFAIK in the resolv lib (for localnet detection) and in the BIND named (for round-robin shuffling).

> Also, Microsoft says that zone transfer is not properly implemented
> among the Unix BIND versions which caused some trouble. Due to this certain
> DNS/BIND versions on some implementations will be incompatible. I wonder if
> this is true? If so, the obvious conclusion should be that one has to avoid
> intermixing DNS/BIND from different vendors and/or platforms (indeed, a good
> principle regardless of product, anyhow).

A problem with this is that zone transfers are very common between different administrative zones (because it's never a good idea to place your secondary nameserver too close to your primary).
And I don't see many gains from GUI based Zone-Management. Especially if you have very big Zones, Makefile and Perl are more powerful than Windows Cut+Waste. Otherwise it's fairly trivial to write an X frontend to generate Zone files...

Greetings
Bernd
--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )     ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o      *plush* 2048/A2C51749 eckes@irc +4972573817 *plush*
(O____O)    If privacy is outlawed only Outlaws have privacy

From firewalls-owner Tue Jun 11 09:51:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA15593 for firewalls-outgoing; Tue, 11 Jun 1996 09:45:40 -0700 (PDT)
Received: from absolut-zero.winternet.com (absolut-zero.winternet.com [198.174.169.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA15552 for ; Tue, 11 Jun 1996 09:45:27 -0700 (PDT)
Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by absolut-zero.winternet.com (8.7.5/8.7.5) with ESMTP id LAA07924; Tue, 11 Jun 1996 11:43:10 -0500 (CDT)
Received: (from dufresne@localhost) by parka (8.7.4/8.6.12) id LAA13975; Tue, 11 Jun 1996 11:43:09 -0500 (CDT)
Posted-Date: Tue, 11 Jun 1996 11:43:09 -0500 (CDT)
Date: Tue, 11 Jun 1996 11:43:09 -0500 (CDT)
From: Ron DuFresne
To: Jody Klein
cc: Firewalls@GreatCircle.COM
Subject: Re: Active-X and/or Java?
In-Reply-To: <199606111237.IAA24674@zephyr.noaa.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 11 Jun 1996, Jody Klein wrote:

> > Date: Mon, 10 Jun 1996 22:59:47 -0500
> > From: Jerry McKane
> > Subject: RE: Active-X and/or Java?
> >
> > we will see remember Windows everybody hates it but everybody uses it
> >
> > ps
> >
> > IE is free and never expires :-]
> >
>
> nothing Microsloth ever does is *free*

Ah, yes 'free' is a relative term !
Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Jun 11 10:06:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17579 for firewalls-outgoing; Tue, 11 Jun 1996 10:02:15 -0700 (PDT)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA17526 for ; Tue, 11 Jun 1996 10:01:52 -0700 (PDT)
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.4/8.6.4) with ESMTP id LAA06553; Tue, 11 Jun 1996 11:59:30 -0500 (CDT)
From: Doug Hughes
Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id LAA16172; Tue, 11 Jun 1996 11:59:28 -0500
Date: Tue, 11 Jun 1996 11:59:28 -0500
Subject: Re: Secure Telnet to External Sites.
To: Anthony.Passaniti@entex.com
Cc: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <1BD6CB10.1744@entex.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Greetings:
>
> This is my first question to this forum so please pardon my ignorance. I
> have a requirement to access external sites, via Telnet/TN3270 and FTP.
> (FTP access would be a direct FTP request, not via Netscape). We have a
> Firewall (Sidewinder) setup to allow for specific IP addresses. The sites
> I need to get to are:
>
> IBMLINK.ADVANTIS.COM
> Gateway.compuserve.com
>
> (there may be additional sites in the future).
>
> We currently have LANs connected together through frame relays to form a
> WAN. We connect to the Internet via our firewall (T1 through an ISP).
>
> Is there a solution for this request which would be both secure and
> feasible?
>
> Thank you,
> Tony Passaniti
> Security Director
> ENTEX Information Services, Inc.
>

Two possible solutions (one is a partial):

Stel - available from CERT-IT, currently in Beta5 release. It is a secure
telnet replacement that has the following capabilities:
    IDEA, DES, 3DES, RC4 encryption
    Diffie-Hellman key exchange
    Interlock protocol preventing active man-in-the-middle attacks
    Support for SecurID, S/Key, and reusable passwords
    Client/server available for nearly all Unix systems, most build out of
    the box

Ssh - available at http://www.cs.hut.fi/ssh
    rlogin, rsh, telnet, rcp, rdist replacement
    Supports IDEA, DES, 3DES encryption
    RSA public key key exchange
    Forwarding of X11 and other arbitrary sockets through the secure channel
    several different authentication modes (host based, user based, password
    based - host and user based use RSA for authentication of host/user
    without password)
    has Unix and Windows (alpha/beta) clients available.

We have both installed since they have different capabilities. Stel is much
faster starting up from inetd (ssh is as fast when started as a standalone
daemon, but we use tcp_wrappers on our servers so inetd is preferable in this
case - on the gateway machine it runs as a daemon). ssh has a PC/Windows
client, stel does not. ssh has X11 forwarding through the encrypted channel.
Stel has good S/Key and SecurID support. ssh has some support for SecurID, but
not as well integrated as Stel.

Neither will do FTP, as was your original need, but ssh will do an rcp-like
thing which may be just as good as FTP in your circumstances. Also you may
want to look at the tcpwrappers+logdaemon. There is a replacement ftpd in this
package that supports S/Key for one-time passwords.

ssh would probably allow you to forward a 3270 connection through an arbitrary
socket, but I have not tested this.

Another solution would be to use link-level encryption of some kind, either
via a hardware box, or if they are both Suns running Solaris, via SKIP.
--
____________________________________________________________________________
Doug Hughes                                  Engineering Network Services
System/Net Admin                             Auburn University
doug@eng.auburn.edu
                  Pro is to Con as progress is to congress

From firewalls-owner Tue Jun 11 10:54:58 1996
Date: Tue, 11 Jun 1996 10:46:18 -0700 (PDT)
From: Michael Dillon
To: gauntlet-tech@apogee-com.fr
cc: firewalls@GreatCircle.COM
Subject: Re: split-brain DNS
In-Reply-To: <31BDE99E.5535@apogee-com.fr>
Organization: Memra Software Inc. - Internet consulting

On Tue, 11 Jun 1996, Jean-Francois Zwobada wrote:

> The split-brain DNS is a problem when you have a domain and
> subdomains behind the firewall. The solution we know is to declare
> the DNS server of the parent domain as a secondary server for every
> existing subdomain. This solution is not really great since we can't
> resolve Internet names from a subdomain.
> We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
> but no improvement seems to be done...
>
> Does someone have a better solution ? Some hints ?

I don't know how this is normally done but with my site, the externally
visible DNS is unlikely to ever change since it has only two IP addresses in
it, for a virtual WWW server site and for the firewall gateway.
So the primary and secondary both run on my ISP's machine and are registered
that way with the Internic. On the firewall gateway I have the same domain
with RFC1918 addresses for all internal hosts. Any internal requests for DNS
will get directed here and resolved here if it is the internal domain. Only
for external machines will it attempt to look at other DNS servers. On the
internal machine I have duplicated the records for the WWW machine, and the
gateway has a different, RFC1918 address.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                  Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Tue Jun 11 11:55:57 1996
Message-Id: <199606111835.LAA11506@fionn.lbl.gov>
From: mike@fionn.lbl.gov (Michael Helm)
Date: Tue, 11 Jun 1996 11:35:56 PDT
In-Reply-To: Doug Hughes
Reply-To: mike@fionn.lbl.gov
To: Doug Hughes, Anthony.Passaniti@entex.com
Subject: Re: Secure Telnet to External Sites.
Cc: firewalls@GreatCircle.COM

sshd can be built against libwrap.a, the tcp wrappers library, & can then be
managed in the same fashion as tcpd-managed or logdaemon daemons. See the ssh
distribution for details.
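Michael Helm's note above (and Doug Hughes's remark that his servers run under tcp_wrappers) relies on the hosts.allow / hosts.deny decision that a libwrap-linked sshd inherits. The following is an added example, not code from the thread nor from the tcp_wrappers or ssh distributions: a small Python model of that decision over constructed rule files, supporting only a subset of the real pattern syntax (ALL, net/mask, dotted prefixes, EXCEPT) and showing why an explicit "ALL : ALL" in hosts.deny matters.

```python
"""Model of the tcp_wrappers access decision (added example, not the real
libwrap code).  Evaluation order, as in the tcp_wrappers documentation:
  1. grant if the (daemon, client) pair matches a hosts.allow rule;
  2. otherwise deny if it matches a hosts.deny rule;
  3. otherwise grant (the wrappers default is permissive).
Supported client patterns: ALL, an exact address, a dotted prefix such as
"10.0.99.", a net/mask pair, and "... EXCEPT ..." exclusions."""
import ipaddress

# Constructed sample rule files: an internal /16 may reach sshd (minus one
# subnet), loopback may reach anything, and everything else is refused.
HOSTS_ALLOW = """
# daemon_list : client_list
sshd : 10.0.0.0/255.255.0.0 EXCEPT 10.0.99.
ALL  : 127.0.0.1
"""
HOSTS_DENY = """
ALL : ALL
"""


def _match_client(pattern, addr):
    """True if a single client pattern matches the client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                        # net/mask, e.g. 10.0.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                 # dotted prefix, e.g. 10.0.99.
        return str(addr).startswith(pattern)
    return str(addr) == pattern               # exact address


def _match_list(spec, addr):
    """Match a client list; patterns after EXCEPT are exclusions."""
    tokens = spec.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    else:
        include, exclude = tokens, []
    return (any(_match_client(p, addr) for p in include)
            and not any(_match_client(p, addr) for p in exclude))


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.strip()))
    return rules


def _matches(rules, daemon, addr):
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any((daemon in ds or "ALL" in ds) and _match_list(cl, addr)
               for ds, cl in rules)


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the allow-then-deny-then-permit order to one connection."""
    addr = ipaddress.ip_address(client_ip)
    if _matches(parse_rules(allow_text), daemon, addr):
        return True
    if _matches(parse_rules(deny_text), daemon, addr):
        return False
    return True                               # nothing matched: wrappers permit


if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.0.99.7", "192.0.2.10"):
        verdict = "allow" if access_allowed("sshd", ip) else "deny"
        print(f"sshd from {ip}: {verdict}")
    # Without the catch-all deny rule the outsider would get through:
    print("no hosts.deny:", access_allowed("sshd", "192.0.2.10", deny_text=""))
```

The last line shows the failure mode to check for on any wrapped service: an empty hosts.deny turns the wrappers into allow-by-default.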
From firewalls-owner Tue Jun 11 12:21:04 1996
Message-Id: <199606111842.OAA06348@mhinside.hcl.com>
From: "Rudy Amid"
To: "Katson PN Yeung"
Subject: Re: Incorrect HTTP-GW log time.
Date: Tue, 11 Jun 1996 14:40:01 -0400

Note that in a chroot environment, a symlink will not help either. The best
way is to reproduce the same directory structure as the root (not copying
everything, of course). So in the BSD/OS example, you copy /etc/localtime to
/usr/http/etc/ or whatever your httpd root may be.

--
Rudy Amid (rudy@hcl.com)              [Home URL] http://www.warped.com/~radix
Systems Administrator                 #include
Hummingbird Communications, Ltd.      "We're IT!" -MIS Dept.
1 Sparks Ave. Toronto, Canada. M2H 2W1. 416-496-2200
[URL] http://www.hcl.com

----------
> From: Rick Murphy
> To: Katson PN Yeung
> Cc: Firewalls@GreatCircle.COM
> Subject: Re: Incorrect HTTP-GW log time.
> Date: Tuesday, June 11, 1996 9:28 AM
>
> This question should really be taken to the "fwtk-users@tis.com" mailing
> list; however:
> This is a normal problem in a chroot environment - there's a link missing
> in the chroot environment that specifies what time zone you're in. Missing
> that means you're defaulting to GMT.
> On BSD systems, there's a file called /etc/localtime that's a symlink to
> the correct time zone file; putting that in the chroot area will fix it.
> The fix will vary depending on your OS.
> -Rick
>

From firewalls-owner Tue Jun 11 12:36:07 1996
Message-Id: <2.2.32.19960611183256.00935640@lexicon.ins.com>
Date: Tue, 11 Jun 1996 13:32:56 -0500
To: rwells@Trellisnet.com
From: Charles Ragan
Subject: re:Re: Virus detection for http proxy servers

Any idea on the added latency associated with this?

Charles

At 08:22 PM 6/10/96 PDT, rwells@Trellisnet.com wrote:
>optimum.net newsgate wrote:
>>
>> One of our users has been asking about virus protection
>> against software he has downloaded through the Netscape
>> proxy server. He was asking about something that would
>> scan the software as it was being downloaded.
>> I didn't think there was anything to do this, given all of the
>> file formats, compression methods, and hardware
>> platforms that could be using the proxy server, but I thought
>> I'd look into it anyway. Does anyone know
>> of a solution or partial solution to this question?
>
>McAfee is coming out with a product that will run on FW-1, to scan http, smtp,
>and ftp inbound and outbound when they hit the firewall.
>McAfee's product is called Webshield; it will be released in mid Aug. I saw
>an article about it. I think you can get it at http://techweb.cmp.com/iw,
>it's the May 20, 1996 issue.
>
>Hope this helps..
>
>Rex Wells
>Network Engineer
>Trellis Network Services
>web: http://www.trellisnet.com
>email: rwells@trellisnet.com
>
>
>

==============================================================
=Charles Ragan, Jr.                                          =
=International Network Services / Dallas, TX                 =
=CCIE #1764, MCSE, MCNE, CBE                                 =
=Pager - 1-800-INS-1-INS                                     =
=                                                            =
=Using NT Server 4.0 Beta2 & Eudora 2.2(32)                  =
==============================================================

From firewalls-owner Tue Jun 11 13:06:08 1996
Message-Id: <2.2.32.19960611194403.00eb4cc4@intermind.com>
Date: Tue, 11 Jun 1996 12:44:03 -0700
To: axel.skough@scb.se, firewalls@greatcircle.com
From: jnoetzel@intermind.com (Jeremy Noetzelman)
Subject: RE: Round-robin DNS?

At 12:05 PM 6/11/96 +0200, axel.skough@scb.se wrote:
>Also, the Microsoft says that zone transfer is not properly implemented
>among the Unix BIND versions which caused some trouble. Due to this certain
>DNS/BIND versions on some implementations will be incompatible. I wonder if
>this is true? If so, the obvious conclusion should be that one has to avoid
>intermixing DNS/BIND from different vendors and/or platforms (indeed, a good
>principle regardless of product, anyhow).
>
>Any comments?
I wonder whether this is yet another case of MS insisting that they're the
standard, regardless of what's in practice. Now they want to rewrite the DNS
rules and say that everything that's been in production on a Unix platform is
a bogus implementation... Tends to reinforce the anti-MS sentiments around,
IMO.

J.
---
Jeremy Noetzelman                           jnoetzel@intermind.com
Operations Specialist                       Intermind Corporation

From firewalls-owner Tue Jun 11 13:20:53 1996
Message-Id: <2.2.32.19960611194108.00b2d8dc@intermind.com>
Date: Tue, 11 Jun 1996 12:41:08 -0700
To: Jean Vincent, Steve Kennedy
From: jnoetzel@intermind.com (Jeremy Noetzelman)
Subject: Re: New Firewall Announcement
Cc: firewalls@greatcircle.com

At 11:40 AM 6/11/96 +0200, Jean Vincent wrote:
>Steve, are you sure that the firewall features are manageable by SNMP ?
>
>Many people have been asking in this list for such a feature (SNMP
>management of firewalls) for a while - more than one year - and
>nobody answered until now !
>
>To build an entirely SNMP manageable firewall it is necessary to
>design a private MIB for filtering, circuit-level gateway and proxy
>management because there is no standard MIB available for these
>features.
>
>Our aim is to promote SNMP management of all the firewall
>features.
>

Am I the only one who doesn't like the idea of my firewall being managed by
SNMP? Seems to me to be a step backwards in security.
Why not just toss an X server up there and let everyone use it?

J.
---
Jeremy Noetzelman                           jnoetzel@intermind.com
Operations Specialist                       Intermind Corporation

From firewalls-owner Tue Jun 11 14:21:09 1996
Message-Id: <9606112105.AA04648@rigatoni.cac.stratus.com>
In-Reply-To: <2.2.32.19960611194403.00eb4cc4@intermind.com>
From: William Brown
Date: Tue, 11 Jun 96 17:04:59 -0400
To: jnoetzel@intermind.com (Jeremy Noetzelman)
Subject: Re: Round-robin DNS?
Cc: axel.skough@scb.se, firewalls@greatcircle.com
References: <2.2.32.19960611194403.00eb4cc4@intermind.com>

>Also, the Microsoft says that zone transfer is not properly implemented
>among the Unix BIND versions which caused some trouble. Due to this certain
>DNS/BIND versions on some implementations will be incompatible. I wonder if
>this is true? If so, the obvious conclusion should be that one has to avoid
>intermixing DNS/BIND from different vendors and/or platforms (indeed, a good
>principle regardless of product, anyhow).
>
>Any comments?

If the MS version of DNS/BIND does not work with the standard UNIX DNS/BIND
then MS has bugs to fix.
MS cannot decide that what has been in production for years is wrong simply
because they interpret the spec differently.

To be honest, there were several times during my DNS hacking days when I said
to myself while reading the code, "Ah, so that's how it really works". This
was especially true in the zone transfer arena. At the time, I could find no
reference in the spec to the exact manner in which zone transfers should
occur. I suspect this situation has not changed.

Bill Brown

From firewalls-owner Tue Jun 11 14:45:30 1996
From: girsch@marben.com (Arnaud Girsch)
Message-Id: <199606112124.OAA27841@mail.marben.com>
Subject: MS DNS (was: Re: Round-robin DNS?)
To: axel.skough@scb.se
Date: Tue, 11 Jun 1996 14:24:07 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199606111008.MAA21648@mail.swip.net> from "axel.skough@scb.se" at Jun 11, 96 12:05:21 pm
X-Organization: Marben Products, Inc.

> Also, the Microsoft says that zone transfer is not properly implemented
> among the Unix BIND versions which caused some trouble. Due to this certain
> DNS/BIND versions on some implementations will be incompatible. I wonder if
> this is true? If so, the obvious conclusion should be that one has to avoid
> intermixing DNS/BIND from different vendors and/or platforms (indeed, a good
> principle regardless of product, anyhow).
>
> Any comments?

As Jeremy already said ...
might be an attempt to reinvent everything, but in a way that suits them,
instead of being compatible with all other implementations.

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Tue Jun 11 14:51:15 1996
Date: Tue, 11 Jun 96 17:47:18 EDT
From: bve@yourtown.com (BVE)
Message-Id: <9606112147.AA10393@omsk.yourtown.com>
To: firewalls@greatcircle.com
Subject: split-brain DNS

> From: Jean-Francois Zwobada
>
> The split-brain DNS is a problem when you have a domain and
> subdomains behind the firewall. The solution we know is to declare
> the DNS server of the parent domain as a secondary server for every
> existing subdomain. This solution is not really great since we can't
> resolve Internet names from a subdomain.
> We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
> but no improvement seems to be done...
>
> Does someone have a better solution ? Some hints ?
>
> Thanks in advance,
>
> Jean-Francois

For my last client's needs, we did a very straightforward solution. We set up
an internal and external DNS server. The internal server has all info on the
internal network. The external server has just the WWW server and the mail
server. The internal server uses the "forwarders" directive (pointing to the
external server). The net effect is that all queries about internal machines
are answered by the internal server (the one with all the private info).
When an internal machine queries about the outside world, the request gets
forwarded to the external DNS server, as an iterative query. All queries from
the outside world are answered by the external server, giving them only the
bare minimum info. I don't have to maintain internal root servers, or any
other such strangeness. Very simple.

The only weirdness of this arrangement is that you have to set up a db.cache
file, but its information is never used to find the root nameservers. BIND
won't run unless this file exists with an entry in it, but it *will* ignore
what it finds there, in favor of forwarding the request....

-BVE

From firewalls-owner Tue Jun 11 15:16:02 1996
Date: Wed, 12 Jun 1996 09:55:29 +1200
From: Richard Price
To: Firewalls@GreatCircle.com
Subject: Seeking example Internet Policy

Hello,

Is anyone able to advise me where to find an example Internet Policy on the
Net?

I am looking for something I can use as a basis for a corporate policy.
Thanks

Richard Price

From firewalls-owner Tue Jun 11 15:51:01 1996
From: Michael_Beeler@ccmail.northgrum.com
Date: Tue, 11 Jun 1996 14:37:38 -0700
Message-ID: <1BDF82A0.1557@ccmail.northgrum.com>
Subject: Re[2]: Active-X and/or Java?
To: Jody Klein, Ron DuFresne
Cc: Firewalls@greatcircle.com

Just a thought, but does anyone know if Active-X is any more secure than JAVA?

MB

______________________________ Reply Separator _________________________________
Subject: Re: Active-X and/or Java?
Author: Ron DuFresne at INTERNET
Date: 6/11/96 11:43 AM

On Tue, 11 Jun 1996, Jody Klein wrote:

> > Date: Mon, 10 Jun 1996 22:59:47 -0500
> > From: Jerry McKane
> > Subject: RE: Active-X and/or Java?
> >
> > we will see; remember Windows: everybody hates it but everybody uses it
> >
> > ps
> >
> > IE is free and never expires :-]
> >
>
> nothing Microsloth ever does is *free*

Ah, yes, 'free' is a relative term!
Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Jun 11 16:35:56 1996
Date: Tue, 11 Jun 1996 18:21:02 -0500 (CDT)
From: Ron DuFresne
To: Michael_Beeler@ccmail.northgrum.com
cc: Jody Klein, Firewalls@greatcircle.com
Subject: Re: Re[2]: Active-X and/or Java?
In-Reply-To: <1BDF82A0.1557@ccmail.northgrum.com>

On Tue, 11 Jun 1996 Michael_Beeler@ccmail.northgrum.com wrote:

> Just a thought, but does anyone know if Active-X is any more secure
> than JAVA?
>

From what little I've read so far, much less secure than java at this time.

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Jun 11 18:05:55 1996
Message-ID: <01BB57A6.0A5BDA00@gccs25.gccs.cpf.navy.mil>
From: "Danny L. Shadix"
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Re[2]: Active-X and/or Java?
Date: Tue, 11 Jun 1996 14:55:31 -1000

MS doesn't purport that Active-X is in any way secure. What they propose is
that everyone will use certificates to verify that the Active-X component is
actually the one written by the person it claims to have written it. Then
you will "trust" that that person didn't write anything that is dangerous to
you. So, you'd decide who you trust, then only accept code written by those
persons. I can't see using it anywhere but on an Intranet, or maybe from a
very few trusted hosts (maybe your corporate headquarters). I'm trying to
figure out how this certificate server is supposed to work.
I'd like to be able to block this stuff at the firewall and then only stuff
that exists on the inside will ever be executed.

DP1 Dan Shadix
ISSO, GCCS Support Facility

----------
From: Michael_Beeler@ccmail.northgrum.com[SMTP:Michael_Beeler@ccmail.northgrum.com]
Sent: Tuesday, June 11, 1996 11:38 AM
To: Jody Klein; Ron DuFresne
Cc: Firewalls@GreatCircle.COM
Subject: Re[2]: Active-X and/or Java?

Just a thought, but does anyone know if Active-X is any more secure than JAVA?

MB

______________________________ Reply Separator _________________________________
Subject: Re: Active-X and/or Java?
Author: Ron DuFresne at INTERNET
Date: 6/11/96 11:43 AM

On Tue, 11 Jun 1996, Jody Klein wrote:

> > Date: Mon, 10 Jun 1996 22:59:47 -0500
> > From: Jerry McKane
> > Subject: RE: Active-X and/or Java?
> >
> > we will see; remember Windows: everybody hates it but everybody uses it
> >
> > ps
> >
> > IE is free and never expires :-]
> >
>
> nothing Microsloth ever does is *free*

Ah, yes, 'free' is a relative term!

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Tue Jun 11 19:05:58 1996
Date: Tue, 11 Jun 96 18:59:16 PDT
From: dwh@translation.com (David Hawkins)
Message-Id: <9606120159.AA18203@camaro.translation.com.translation.com>
To: silveira@nutpagw.nutec.com.br
Subject: Re: Round-robin DNS?
Cc: firewalls@GreatCircle.COM

Sounds like you're trying to avoid round-robin DNS!? If so, check out
http://www.translation.com/ld.html

It's not a firewall, but it does do real-time load balancing across "n"
servers. Provides some fault-tolerance and makes good use of your IP
addresses too.

David Hawkins
Software Engineer
Cisco Systems
dwh@cisco.com
----------------------- flames > /dev/h2o

> From: Fernando da Silveira Montenegro
> To: firewalls@GreatCircle.COM
> Date: Mon, 10 Jun 1996 13:38:54 -0700
> Subject: Round-robin DNS?
>
> Hi!
>
> Once again, another question I would ask only after searching the
> archives, but they seem to be off-line...
>
> How are people out there implementing round-robin DNS? I have "n"
> servers acting as www.wherever.com and I want to split the traffic
> between them. Of course, if I could do a proper load balancing that
> would be great, but a simple "n" way split is a big help already.
>
> How does it relate to firewalls? A firewall system will act as the
> primary server for .wherever.com, and will have to perform these
> tricks...
>
> Please reference any information on the Web if this is a FAQ.
>
> Thanks in advance.
>
> Fernando
> --
> Fernando da Silveira Montenegro      E-mail: silveira@nutec.com.br
> Nutec Informatica S.A.               Phone.: +55-11-505-5728
> Rua Florida, 1821/11th floor         Fax...: +55-11-505-1918
> Sao Paulo, SP BRAZIL 04565-001       WWW: http://www.nutec.com.br

From firewalls-owner Tue Jun 11 19:36:01 1996
Date: Tue, 11 Jun 1996 21:30:42 -0500 (CDT)
From: Ron DuFresne
To: "Danny L. Shadix"
cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Re[2]: Active-X and/or Java?
In-Reply-To: <01BB57A6.0A5BDA00@gccs25.gccs.cpf.navy.mil>

On Tue, 11 Jun 1996, Danny L. Shadix wrote:

> MS doesn't purport that Active-X is in any way secure. What they propose
> is that everyone will use certificates to verify that the Active-X
> component is actually the one written by the person it claims to have
> written it. Then you will "trust" that that person didn't write anything
> that is dangerous to you. So, you'd decide who you trust, then only accept
> code written by those persons. I can't see using it anywhere but on an
> Intranet, or maybe from a very few trusted hosts (maybe your corporate
> headquarters).
> I'm trying to figure out how this certificate server is supposed to work. I'd like to be able to block this stuff at the firewall and then only stuff that exists on the inside will ever be executed.

Exactly. My understanding of certificates per se is that they would most likely be something on the order of pgp signatures, if not pgp signatures themselves. Again, netscape is supposed to be implementing, or trying to implement, this sort of authentication scheme as well...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Jun 11 20:21:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA05964 for firewalls-outgoing; Tue, 11 Jun 1996 20:16:39 -0700 (PDT)
Received: from hal-pc.org (hal-pc.org [204.52.135.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA05957 for ; Tue, 11 Jun 1996 20:16:33 -0700 (PDT)
Received: from pm1-78.hal-pc.org (pm1-78.hal-pc.org [206.66.129.78]) by hal-pc.org (8.7.5/8.6.9) with SMTP id WAA19164; Tue, 11 Jun 1996 22:14:17 -0459 (CDT)
Message-Id: <199606120313.WAA19164@hal-pc.org>
Comments: Authenticated sender is
From: "robertp@hal-pc.org"
Organization: hal-pc.org
To: Firewalls@GreatCircle.COM, Richard Price
Date: Tue, 11 Jun 1996 22:08:41 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Seeking example Internet Policy
X-mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try RFC 1244 - That was the initial document in 1991. There are now other RFC's in a similar vein. I don't have the URL handy for the IETF.
Perhaps one of the other readers can supply that.

> Is anyone able to advise me where to find an example Internet Policy on
> the Net?
> I am looking for something I can use as a basis for a corporate policy.
> Thanks
> Richard Price
>

Bob Plaumann

It is difficult to say what is impossible for the dream of yesterday is the reality of tomorrow - Dr. Robert H. Goddard

From firewalls-owner Tue Jun 11 20:35:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA06070 for firewalls-outgoing; Tue, 11 Jun 1996 20:22:00 -0700 (PDT)
Received: from ecua.net.ec (ecua.net.ec [157.100.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA06063 for ; Tue, 11 Jun 1996 20:21:45 -0700 (PDT)
Received: from [157.100.1.56] by ecua.net.ec (AIX 4.1/UCB 5.64/4.04)
X-Sender: jvelasco@gu.pro.ec (Unverified)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 11 Jun 1996 22:25:22 -0500
To: firewalls@Greatcircle.com
From: jvelasco@gu.pro.ec (Martin Velasco)
Subject: RealAudio
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could someone point me to the packet filter characteristics of RealAudio? What are the possible risks of allowing this service through a firewall?

TIA
-Martin

TIA for the reply.
/***************************************/   U niversidad
/* Martin Velasco                      */   C atolica de
/* Guayaquil - Ecuador - South America */   S antiago de
/* e-mail: jvelasco@gu.pro.ec          */   G uayaquil
/***************************************/

From firewalls-owner Tue Jun 11 20:50:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA06866 for firewalls-outgoing; Tue, 11 Jun 1996 20:42:34 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA06843 for ; Tue, 11 Jun 1996 20:42:25 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.4/8.7.3) id UAA04879; Tue, 11 Jun 1996 20:38:45 -0700 (PDT)
Message-Id: <199606120338.UAA04879@salsa.gv.ssi1.com>
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Tue, 11 Jun 1996 20:38:45 -0700
In-Reply-To: Darwin Martinez
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Darwin Martinez , firewalls@GreatCircle.COM
Subject: Re: Attack?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jun 11, 7:07pm, Darwin Martinez wrote:
} Subject: Attack?
} All:
}
} I'm consistently seeing the following message on my FW-1.
}
} netbios_dgm 17.x.x.122 17.255.255.255 upd
} and
} netbios_ns 17.x.x.121 17.255.255.255 upd
}
}
} Both of these appear on the "secure" side of the firewall's interface, yet
} my client has NO Class A 17 addresses, only network 10 addresses which I'm
} fwxlconf'ing to their appropriate Class C for the internet.

Looks like your client has a misconfigured device(s) on their network that thinks its address is 17.x.x.x and is sending out broadcasts on the local network. Time to break out the network sniffer tools.

} When I try to ping the above network 17 address, no luck.

Because the host you're using to send the ping packets thinks the route to network 17 is out through the firewall.
If you configure another host on your client's network with a network 17 address, then it should be able to talk to the misconfigured device(s). Maybe you'll get lucky and it will respond to a telnet or ftp connection with a login banner that contains its name. --- Truck From firewalls-owner Tue Jun 11 21:35:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA11278 for firewalls-outgoing; Tue, 11 Jun 1996 21:27:57 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA11261 for ; Tue, 11 Jun 1996 21:27:51 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id UAA31505; Tue, 11 Jun 1996 20:41:03 -0700 Date: Tue, 11 Jun 1996 21:24:35 -0700 (PDT) From: Michael Dillon To: Martin Velasco cc: firewalls@GreatCircle.COM Subject: Re: RealAudio In-Reply-To: Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 11 Jun 1996, Martin Velasco wrote: > Could someone point me the packet filter characteristics of RealAudio? What > are the possible risks of allowing this service through a firewall? There is a RealAudio proxy server available so you don't need to open any holes in the firewall. http://www.realaudio.com/firewall.html has all the details you need including info regarding packet filtering if you choose not to use a proxy. Michael Dillon ISP & Internet Consulting Memra Software Inc. 
Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Tue Jun 11 22:06:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA13215 for firewalls-outgoing; Tue, 11 Jun 1996 22:00:31 -0700 (PDT) Received: from bayflash.stpt.usf.edu (bayflash.stpt.usf.edu [131.247.140.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA13205 for ; Tue, 11 Jun 1996 22:00:24 -0700 (PDT) Received: from localhost (johnson@localhost) by bayflash.stpt.usf.edu (8.6.11/8.6.5) with SMTP id AAA07433 for ; Wed, 12 Jun 1996 00:53:24 -0400 Date: Wed, 12 Jun 1996 00:53:24 -0400 (EDT) From: "Steven Johnson (BUS)" X-Sender: johnson@bayflash To: firewalls@greatcircle.com Subject: Re: Attack? In-Reply-To: <199606120338.UAA04879@salsa.gv.ssi1.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 11 Jun 1996, Don Lewis wrote: > On Jun 11, 7:07pm, Darwin Martinez wrote: > } I'm consistently seeing the following message on my FW-1. > } > } netbios_dgm 17.x.x.122 17.255.255.255 upd > } and > } netbios_ns 17.x.x.121 17.255.255.255 upd > If you configure another host on your client's network with a network > 17 address, then it should be able to talk to the misconfigured device(s). > Maybe you'll get lucky and it will respond to a telnet or ftp connection > with a login banner that contains its name. Telnet or ftp may not work since this is a windows client broadcasting. I am making this assumption due to netbios being used. 
However, you may get just as lucky using the same principle on a windows client and typing "net view" at the DOS prompt :^)

From firewalls-owner Tue Jun 11 23:05:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA17890 for firewalls-outgoing; Tue, 11 Jun 1996 23:01:59 -0700 (PDT)
Received: from thoth.mch.sni.de (thoth.mch.sni.de [192.35.17.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA17882 for ; Tue, 11 Jun 1996 23:01:46 -0700 (PDT)
Received: from moloch.mch.sni.de (moloch.mch.sni.de [139.21.21.4]) by thoth.mch.sni.de (8.7.5/8.7.3) with SMTP id HAA18799 for <@mail.mch.sni.de:Firewalls@GreatCircle.COM>; Wed, 12 Jun 1996 07:59:29 +0200 (MDT)
Received: by moloch.mch.sni.de (940816.SGI.8.6.9/930416.SGI.AUTO)
From: "eike"
Message-Id: <9606120759.ZM11411@moloch>
Date: Wed, 12 Jun 1996 07:59:10 -0600
In-Reply-To: firewalls-digest-owner@GreatCircle.COM (Firewalls-Digest)
References: <199606111938.MAA01945@miles.greatcircle.com>
X-Mailer: Z-Mail (3.2.0 26oct94 MediaMail)
To: Firewalls@GreatCircle.COM
Subject: Problem with x-gw on Linux system
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have a problem with the x-gw (TIS fwtk) running on a linux system (1.2.9). The version of fwtk is 1.3.

The problem is that each process which is spawned for an X-connection eats up all the CPU time it will get, even if there is no action over the connection.

I watched the behaviour with a debugger and saw that a select() is called (I believe with file descriptors of the open connection), which returns immediately. Then read() is called, which says that 0 bytes were read. Then the select() is called again, returning immediately, and so on...

So the performance drops down very heavily... :-(

Does anybody know something about it? Do I need a newer release of Linux or do I need fwtk2.0alpha?
Thanks in advance,

Eike

--
Eike Reinel ---------------------- SBS DS 83 ---------------------
Raum: LZ 3255
SNI : eike.reinel@mch.sni.de
ConSol* : eike.reinel@consol.de
Tel.: 089-45841-105
=============================== No risk - no fun! ==============================

From firewalls-owner Wed Jun 12 02:21:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA26320 for firewalls-outgoing; Wed, 12 Jun 1996 01:56:39 -0700 (PDT)
Received: from mail.transpac.net (nic.transpac.net [194.52.1.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA26309 for ; Wed, 12 Jun 1996 01:56:28 -0700 (PDT)
Received: from alf.ihc.se (alf.ihc.se [194.52.187.254]) by mail.transpac.net (8.7.3/8.7.3) with SMTP id KAA25599 for ; Wed, 12 Jun 1996 10:54:12 +0200 (MET DST)
Received: by alf.ihc.se; (5.65v3.2/1.3/10May95) id AA31956; Wed, 12 Jun 1996 10:54:27 +0200
Message-Id: <31BE85F0.1626@ihc.se>
Date: Wed, 12 Jun 1996 10:55:12 +0200
From: Mattias Lindström
Reply-To: mattias.lindstrom@ihc.se
Organization: IHC AB
X-Mailer: Mozilla 3.0B2 (WinNT; I)
Mime-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Firewalls and MS SQL
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi.

I am going to implement two MS SQL servers with a firewall (almost anyway, it's a Livingston IRX :-)) in the middle. Now I have a question: how is the traffic going between the MS SQL servers? Yep, I know about port 1433 (as specified in the MS SQL setup) but that can't be all that's needed...

On what ports except 1433 is MS SQL "talking"?
--
______________________________
Mattias Lindström
Systems integrator
Information Highway Center AB
voice: +46 (0)8 445 18 00
fax: +46 (0)8 445 18 01
______________________________

From firewalls-owner Wed Jun 12 02:36:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA26780 for firewalls-outgoing; Wed, 12 Jun 1996 02:03:27 -0700 (PDT)
Received: from relay.cryptonet.it ([194.185.79.195]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA26760 for ; Wed, 12 Jun 1996 02:03:03 -0700 (PDT)
Message-Id: <199606120919.LAA20631@relay.cryptonet.it>
Received: from enigma.cryptonet.it(192.168.1.1) by relay.cryptonet.it via smap (V1.3)
From: David Vincenzetti
Subject: Re: Secure Telnet to External Sites.
To: Doug.Hughes@Eng.Auburn.EDU
Date: Wed, 12 Jun 1996 11:04:06 +0200 (METDST)
Cc: firewalls@greatcircle.com
X-Name: David Vincenzetti
X-Organization: CryptoNet srl
X-Phone: +39 2 7533205
X-Fax: +39 2 7533220
X-Private: +39 2 7530600
X-Pgp-Key-Fingerprint: 8C E2 40 6F 5C FB F9 B9 D7 0D AB F5 91 2F 66 E8
X-Dogma1: You can have Cheap, Easy, or Secure. Pick two.
X-Dogma2: Testing can reveal the presence of bugs, but not their absence.
X-Mailer: ELM [version 2.4 PL24 PGP5a]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We have both installed since they have different capabilities.
> Stel is much faster starting up from inetd (ssh is as fast when started as
> standalone daemon, but we use tcp_wrappers on our servers so inetd is
> preferable in this case - on the gateway machine it runs as a daemon)
> ssh has a PC/Windows client, stel does not. ssh has X11 forwarding through
> the encrypted channel. Stel has good S/Key and Securid support. ssh
> has some support for SecurID, but not as well integrated as Stel.
>
> Neither will do FTP, as was your original need, but ssh will do an rcp like
> thing which may be just as good as FTP in your circumstances.
> Also you may
> want to look at the tcpwrappers+logdaemon. There is a replacement ftpd in
> this package that supports S/Key for one time passwords.
> ssh would probably allow you to forward a 3270 connection through an arbitrary
> socket, but I have not tested this.

Actually, STEL supports experimental file transfer, by means of the -a option. When the -a option is turned on you get two things: protection from active attacks and FTP-like PUT & GET commands. Yes, the -a option makes the connection slower, especially for highly interactive sessions (i.e., when editing a file), but you can not get everything:-)

From stel's manual:

    -a   Protect from active attacks. This is one of the most advanced
         features of stel. When using this option, the data stream which
         is transmitted from client to server and vice versa is
         ``packetized'' and sanity checks are performed on each data
         packet. Sanity checks include CRC32 encrypted MACs, to foil
         garbage injection, and encrypted sequence numbers, to foil
         replay attacks. When using this option, file transfer
         facilities are also available.

From firewalls-owner Wed Jun 12 02:56:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA28261 for firewalls-outgoing; Wed, 12 Jun 1996 02:45:28 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA28182 for ; Wed, 12 Jun 1996 02:44:54 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id LAA06435; Wed, 12 Jun 1996 11:41:47 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9606120941.AA15208@tidtest.total.fr>
To: Ron DuFresne
Cc: Michael_Beeler@ccmail.northgrum.com, Jody Klein
Subject: Re: Re[2]: Active-X and/or Java?
In-Reply-To: Your message of "Tue, 11 Jun 1996 18:21:02 CDT."
X-Cuse: "The dog ate my network"
Date: Wed, 12 Jun 1996 11:41:42 +0100
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message , Ron DuFresne writes:
> On Tue, 11 Jun 1996 Michael_Beeler@ccmail.northgrum.com wrote:
>
> > Just a thought, but does anyone know if Active-X is any more secure
> > than JAVA?
> >
>
> From what little I've read so far, much less secure than java at this time.
>

Does anyone have a (pointer to a) description of active-X ?

Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Wed Jun 12 03:06:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA27854 for firewalls-outgoing; Wed, 12 Jun 1996 02:37:42 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA27830 for ; Wed, 12 Jun 1996 02:37:21 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id LAA06386; Wed, 12 Jun 1996 11:34:17 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9606120934.AA15135@tidtest.total.fr>
To: jnoetzel@intermind.com (Jeremy Noetzelman)
Cc: Jean Vincent , Steve Kennedy
Subject: Re: New Firewall Announcement
In-Reply-To: Your message of "Tue, 11 Jun 1996 12:41:08 PDT."
X-Cuse: "The dog ate my network"
Date: Wed, 12 Jun 1996 11:34:13 +0100
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <2.2.32.19960611194108.00b2d8dc@intermind.com>, Jeremy Noetzelman writes:
>
> [...]
>
> Am I the only one who doesn't like the idea of my firewall being managed by
> SNMP? Seems to me to be a step backwards in security. Why not just toss an
> Xserver up there and let everyone use it?
>

Don't worry, you're not alone.
There was some lively discussion a few months ago on comp.dcom.sys.cisco (aka cisco@spot.colorado.edu) regarding what cisco calls "customer-linkable images" (basically, a way for customers to pick the exact features they need, link the required object files, and get a custom image, instead of being stuck with whatever feature sets cisco consider right for us :-). If done the right way, this could help a lot with securing the firewall (eg, IP routing, static routes only, no telnet, no SNMP). AFAIK, though, cisco didn't commit as to whether/when this will come out. Michel Lavondes (lavondes@tidtest.total.fr) #include Governments are guilty until proved innocent From firewalls-owner Wed Jun 12 05:06:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA06618 for firewalls-outgoing; Wed, 12 Jun 1996 04:56:34 -0700 (PDT) Received: from trex.netrex.com (trex.netrex.com [205.254.178.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA06609 for ; Wed, 12 Jun 1996 04:56:28 -0700 (PDT) Received: from foghorn (foghorn [205.254.178.10]) by trex.netrex.com (8.7.5/8.7.3) with SMTP id HAA25288 for ; Wed, 12 Jun 1996 07:54:38 -0400 (EDT) Message-Id: <2.2.32.19960612115059.00a6b09c@trex.netrex.com> X-Sender: richards@trex.netrex.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 12 Jun 1996 07:50:59 -0400 To: firewalls@GreatCircle.COM From: "Richard D. Stiennon" Subject: Re: Maintenance of firewall-1 2.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 04:41 PM 6/10/96 -0700, Nik D. Knoth wrote: >Assume practically none. Periodic examination to >see if anything has changed or your understanding >has improved to the point where it seems reasonable >to change something. Upgrades when they come out. >Optionally (a good idea but often skipped), regular >monitoring of the logs. FW-1 v2.0 should require >essentially no maintenance, tho. 
> Yipes! What about reading the logs *every* day and taking appropriate action based on what you find there? *Any* firewall system is a full time job. Richard Stiennon richards@netrex.com Director, Business Development www.netrex.com/richard Netrex, Inc. Voice: 810-352-9643 3000 Town Center, Suite 1100 Fax: 810-352-2375 Southfield, MI 48075 From firewalls-owner Wed Jun 12 05:24:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA06731 for firewalls-outgoing; Wed, 12 Jun 1996 04:59:31 -0700 (PDT) Received: from nutspgw.nutec.com.br ([200.246.248.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA06715 for ; Wed, 12 Jun 1996 04:59:18 -0700 (PDT) Received: (uucp@localhost) by nutspgw.nutec.com.br (8.6.9/8.6.5) id JAA06475 for ; Wed, 12 Jun 1996 09:06:14 -0300 Received: from unknown(200.246.247.2) by nutspgw.nutec.com.br via smap (g3.0.3) Received: from dodo.nutec.com.br by canario.nutec.com.br id aa08790; Comments: Authenticated sender is From: Fernando da Silveira Montenegro Organization: =?ISO-8859-1?Q?Nutec_Inform=DFtica?= To: firewalls@greatcircle.com Date: Wed, 12 Jun 1996 08:58:37 -0300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Management stations for firewall architecture? Reply-to: silveira@nutpagw.nutec.com.br X-mailer: Pegasus Mail for Windows (v2.33) Message-ID: <9606120946.aa08790@canario.nutec.com.br> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello! There was some comment recently on using SNMP to manage a firewall. While I think that maybe *configuring* the firewall through SNMP (v2,of course) is still a bit too much for me, I am interested in *watching* the firewall through SNMP. This leads me to my question: in a setup with a firewall machine (UNIX, NT, whatever) and a few routers here and there, is it common to have an SNMP management station dedicated to this architecture? 
What I'm considering doing is adding a PC with SNMP management software to watch traps from the FW and the routers. What's the general feeling towards this idea? Also, which software is being used out there (OpenView, NetView, ...)

Thanks in advance!

Fernando
--
Fernando da Silveira Montenegro      E-mail: silveira@nutec.com.br
Nutec Informatica S.A.               Phone.: +55-11-505-5728
Rua Florida, 1821/11th floor         Fax...: +55-11-505-1918
Sao Paulo, SP BRAZIL 04565-001       WWW: http://www.nutec.com.br

From firewalls-owner Wed Jun 12 05:51:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA09253 for firewalls-outgoing; Wed, 12 Jun 1996 05:36:31 -0700 (PDT)
Received: from alta.cs.diebold.com (ALTA.CS.DIEBOLD.COM [192.135.174.153]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA09094 for ; Wed, 12 Jun 1996 05:35:52 -0700 (PDT)
Received: from pl8sam.diebold.com by ALTA.CS.DIEBOLD.COM (PMDF V5.0-3 #10219)
Received: from heagart.diebold.com ([10.9.36.19]) by pl8sam.diebold.com with
Received: by heagart.diebold.com with Microsoft Mail id
Date: Wed, 12 Jun 1996 08:35:05 -0400
From: Tim Heagarty
Subject: RE: Round-robin DNS?
To: "'firewalls@greatcircle.com'"
Message-id: <01BB583A.0F0EDB80@heagart.diebold.com>
MIME-version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

OK, I'm a little new at this but I think this previous e-mail conversation is appropriate to this thread. If you have more than one DNS in your tcp/ip config shouldn't the OS ask each of them to resolve until you run out of DNS's regardless of whether the first one is there or not. I haven't tried this under beta 2 yet. I didn't know enough to challenge MS's answer before but I'm learning thanks to all of you.

Tim

NT bug.
---------- Forwarded message ----------
Date: Mon, 13 May 1996 19:37:46 -0700
From: Paul Donnelly
To: "'heagarty@Linus.jbic.com'"
Subject: DNS Server Search Order.

Tim,

I was just reviewing the following bug you reported and I thought I'd clarify the resolution, since our behavior appears correct (really) at this time.

The list of DNS's listed are searched only if the primary can't be reached. If the name is not resolved by the first one, then the name resolution will fail. Only in the case of a DNS being unreachable would we attempt to check another one. I just verified that we are doing the same thing as my Unix box, and we are.

Hopefully that clarifies the DNS search list a bit.

Thanks.

Paul Donnelly
Windows NT Test Team
___________________

-- Original bug report to MS --

Group,

I apologize if I have not followed the proper channels while providing this bug report.

I have noticed that NT 4.0 does not seem to use secondary DNS's setup in its TCP/IP. For example, I have a local DNS which handles the machines on my LAN and I have a global DNS that handles full internet name resolution. If I have the local DNS first in 4.0's list I can see all the local machines but can't get to anything in the outside world.

If I reverse the order of the list by putting the global DNS first and the local one second then I can see the internet hosts just fine but not the PCs on my LAN.

I have the same order in my Windows '95 that is installed on a different partition and it works fine for both groups of hosts regardless of the order of DNS's in the tcp/ip configuration.

Shouldn't the stack continue searching DNS's until it finds the host name or runs out of places to look? I'm a little new at this so I'm not willing to completely blame 4.0 (beta or not).

Thanks for all your hard work.

Tim Heagarty
Diebold Inc.
* End of bug report -

-- beginning of thread that made me think of this --

----------
From: Jeremy Noetzelman[SMTP:jnoetzel@intermind.com]
Sent: Tuesday, June 11, 1996 3:44 PM
To: axel.skough@scb.se; firewalls@greatcircle.com
Subject: RE: Round-robin DNS?

At 12:05 PM 6/11/96 +0200, axel.skough@scb.se wrote:
>Also, the Microsoft says that zone transfer is not properly implemented
>among the Unix BIND versions which caused some trouble. Due to this certain
>DNS/BIND versions on some implementations will be incompatible. I wonder if
>this is true? If so, the obvious conclusion should be that one has to avoid
>intermixing DNS/BIND from different vendors and/or platforms (indeed, a good
>principle regardless product, anyhow).
>
>Any comments?

I wonder whether this is yet another case of MS insisting that they're the standard, regardless of what's in practice. Now they want to rewrite the DNS rules and say that everything that's been in production on a Unix platform is a bogus implementation...

Tends to reinforce the anti-ms sentiments around, IMO.

J.
---
Jeremy Noetzelman jnoetzel@intermind.com
Operations Specialist Intermind Corporation

From firewalls-owner Wed Jun 12 06:06:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA12152 for firewalls-outgoing; Wed, 12 Jun 1996 06:04:08 -0700 (PDT)
Received: from hprofsdv.nwscc.sea06.navy.mil ([130.163.113.128]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA12128 for ; Wed, 12 Jun 1996 06:04:00 -0700 (PDT)
Received: from JB4061CACI by hprofsdv.nwscc.sea06.navy.mil with SMTP
Message-Id: <31BEDB13.4299@hprofsdv.nwscc.sea06.navy.mil>
Date: Wed, 12 Jun 1996 07:58:27 -0700
From: John Bell
Organization: CACI Inc (Federal)
X-Mailer: Mozilla 2.02 (Win16; I)
Mime-Version: 1.0
To: "Richard D.
Stiennon" Cc: firewalls@greatcircle.com Subject: Re: Maintenance of firewall-1 2.0 References: <2.2.32.19960612115059.00a6b09c@trex.netrex.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Richard D. Stiennon wrote: > > At 04:41 PM 6/10/96 -0700, Nik D. Knoth wrote: [snip] > > FW-1 v2.0 should require > > essentially no maintenance, tho. > > > > Yipes! What about reading the logs *every* day and taking appropriate > action based on what you find there? > > *Any* firewall system is a full time job. > ^^^^^^^^^^^^^ Full Time Job -> Having to budget for another salaried position. Management does not like to hear that. They like to hear phrases such as "self-managing" and "turn-key system". Too bad the hacker types aren't willing to use the same old attack methods every time. We know that reality is different :-). Still waiting for that "magic" attack that "turn-key systems" are unable to detect and react to... -- John Bell, CACI Inc (Federal) Bloomington, Indiana (Midwest RE-Engineering Division) job@hprofsdv.nwscc.sea06.navy.mil -OR- jbii@mama.indstate.edu "Hi ho! Yow! I'm surfing ARPANET!" - anagram for "The Information Superhighway" From firewalls-owner Wed Jun 12 06:51:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15291 for firewalls-outgoing; Wed, 12 Jun 1996 06:40:35 -0700 (PDT) Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA15284 for ; Wed, 12 Jun 1996 06:40:29 -0700 (PDT) Received: from wolverine.acquion.com ([206.154.17.12]) Message-Id: <2.2.32.19960612133812.0069c664@mail.acquion.com> X-Sender: oolid@mail.acquion.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 12 Jun 1996 09:38:12 -0400 To: firewalls@greatcircle.com From: oolid@acqic.org (Joseph L. 
Moll) Subject: Cisco 2500's and BGP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry for the off topic question, please respond via private email. Can anyone comment on the use of Cisco 2500's for border routers running BGP4 and limited access lists? Can they handle the load? Best Regards, --- Joseph L. (Joe) Moll, Greenville, SC USA mailto:oolid@acqic.org --- From firewalls-owner Wed Jun 12 07:10:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA16201 for firewalls-outgoing; Wed, 12 Jun 1996 06:55:07 -0700 (PDT) Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA16192 for ; Wed, 12 Jun 1996 06:55:01 -0700 (PDT) Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id GAA15198; Wed, 12 Jun 1996 06:50:09 -0700 (PDT) Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id GAA02728; Wed, 12 Jun 1996 06:52:04 -0700 (PDT) From: Brian Murrell Message-Id: <199606121352.GAA02728@mocha.bctel.net> Date: Wed, 12 Jun 1996 06:52:03 -0700 (PDT) To: job@hprofsdv.nwscc.sea06.navy.mil Cc: richards@netrex.com, firewalls@GreatCircle.COM Subject: Re[2]: Maintenance of firewall-1 2.0 In-Reply-To: <31BEDB13.4299@hprofsdv.nwscc.sea06.navy.mil> X-Mailer: Ishmail 1.2.1-960404-sol24 MIME-Version: 1.0 Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from the quill of John Bell on scroll <31BEDB13.4299@hprofsdv.nwscc.sea06.navy.mil> > Full Time Job -> Having to budget for another salaried position. > > Management does not like to hear that. If management can't afford to pay for somebody to "guard" their assets, then management can't afford an Internet connection. The connection to the Internet goes beyond simply the service providers' fee and the cost of the telecommunications line/gear to bring the Internet into your premises. 
It includes the cost of managing that resource, just as there is a cost with managing a company pool of vehicles. When the costing for an Internet connection is done, it should include the cost of managing the security. Maybe the network that the firewall is guarding is of no value. b. -- Brian J. Murrell Brian_Murrell@bctel.net BCTel Advanced Communications brian@ilinx.com Vancouver, B.C. brian@wimsey.com 604 454 5279 From firewalls-owner Wed Jun 12 07:21:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17584 for firewalls-outgoing; Wed, 12 Jun 1996 07:09:35 -0700 (PDT) Received: from acme.nug.net ([192.124.132.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA17566 for ; Wed, 12 Jun 1996 07:09:28 -0700 (PDT) Received: from joe.ican.net (cal1-137.ican.net [205.207.252.137]) by acme.nug.net (8.6.9/8.6.9) with SMTP id KAA15093; Wed, 12 Jun 1996 10:24:05 -0400 Message-ID: <31BECE68.6103@acme.nug.net> Date: Wed, 12 Jun 1996 08:04:24 -0600 From: "J. Stroup" Reply-To: joe@acme.nug.net Organization: Tiny Bubbles Inc. X-Mailer: Mozilla 3.0b3Gold (Win95; I) MIME-Version: 1.0 To: "Joseph L. Moll" CC: firewalls@GreatCircle.COM Subject: Re: Cisco 2500's and BGP References: <2.2.32.19960612133812.0069c664@mail.acquion.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The answer is no. 
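[Editor's added example, not code from any poster on the list.] The "Attack?" thread above (Darwin Martinez's FW-1 entries, Don Lewis's diagnosis of a misconfigured host, Steven Johnson's NetBIOS hint) and Richard Stiennon's point that somebody has to read the logs every day describe a triage that can be scripted. The script below parses log lines in the shape quoted in that thread and flags sources that lie outside the address space the site actually uses. The log lines are constructed; 17.0.0.121 and 17.0.0.122 stand in for the poster's masked 17.x.x.x hosts, and 10.0.0.0/8 is assumed as the only legitimate inside range, as the thread states.

```python
"""Triage FW-1 style log lines: which sources are outside the site's own address space?"""
import ipaddress
from collections import Counter

# Constructed sample in the shape quoted in the thread: service src dst proto.
SAMPLE_LOG = """\
netbios_dgm 17.0.0.122 17.255.255.255 udp
netbios_ns 17.0.0.121 17.255.255.255 udp
http 10.1.2.3 192.0.2.10 tcp
netbios_ns 10.1.2.7 10.255.255.255 udp
netbios_dgm 17.0.0.122 17.255.255.255 udp
"""

# Assumed: the client legitimately uses only network 10 inside (per the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Services whose presence suggests a Windows/NetBIOS host (Steven Johnson's point).
NETBIOS_SERVICES = {"netbios_ns", "netbios_dgm", "netbios_ssn"}


def parse_line(line):
    """Return (service, src, dst, proto) or None for lines that do not fit the shape."""
    parts = line.split()
    if len(parts) != 4:
        return None
    service, src, dst, proto = parts
    try:
        return service, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto
    except ValueError:
        return None


def is_internal(addr):
    """True when the address falls inside one of the site's own prefixes."""
    return any(addr in net for net in INTERNAL_NETS)


def looks_like_broadcast(addr):
    """Classful-era heuristic: a destination whose low octet is 255."""
    return addr.packed[-1] == 0xFF


def triage(log_text):
    """One finding per line whose source is not internal, with the reasons a reviewer wants."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service, src, dst, proto = rec
        if is_internal(src):
            continue  # ordinary inside traffic, including inside NetBIOS broadcasts
        reasons = ["source not in internal address space"]
        if looks_like_broadcast(dst):
            reasons.append("broadcast to a network the site does not own")
        if service in NETBIOS_SERVICES:
            reasons.append("NetBIOS service: probably a misconfigured Windows host")
        findings.append({"service": service, "src": str(src), "dst": str(dst),
                         "proto": proto, "reasons": reasons})
    return findings


def rogue_sources(log_text):
    """Hits per foreign source, so the busiest offender is chased down first."""
    return Counter(f["src"] for f in triage(log_text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["src"], "->", finding["dst"], finding["service"], "; ".join(finding["reasons"]))
    print(rogue_sources(SAMPLE_LOG))
```

The inside NetBIOS broadcast from 10.1.2.7 is deliberately not flagged: the anomaly in the thread is the source network, not the protocol, and a daily review that drowns the operator in normal chatter gets skipped.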
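[Editor's added example, not fwtk code and not from any poster.] Eike's x-gw report above (select() returns at once, read() returns 0 bytes, select() returns at once again, and the process burns all the CPU it can get) is the classic shape of a relay loop that does not treat a zero-length read as end-of-file. A socket whose peer has closed is permanently readable, so a loop that ignores the EOF never blocks. The pair of loops below reproduces that behaviour on a local socket pair and shows the one-line fix; the socket pair and payload are constructed for the demonstration, and the iteration cap exists only so the spinning version terminates.

```python
"""A select()/read() relay loop that spins after the peer closes, and the fixed version."""
import select
import socket


def pump_ignoring_eof(sock, cap):
    """Mirrors the reported behaviour: a 0-byte read is not recognised as EOF, so
    select() reports the socket readable again immediately and the loop runs `cap`
    times without ever blocking or doing useful work."""
    loops = 0
    received = b""
    while loops < cap:
        readable, _, _ = select.select([sock], [], [], 1.0)
        if sock not in readable:
            continue
        loops += 1
        received += sock.recv(4096)  # b"" forever once the peer has closed
    return loops, received


def pump_handling_eof(sock, cap):
    """Same loop with the fix: recv() returning b"" means the peer hung up, so stop."""
    loops = 0
    received = b""
    while loops < cap:
        readable, _, _ = select.select([sock], [], [], 1.0)
        if sock not in readable:
            continue
        loops += 1
        data = sock.recv(4096)
        if not data:  # EOF: leave the loop (a real proxy would close both sides here)
            break
        received += data
    return loops, received


def run(pump, payload=b"", cap=50):
    """Drive `pump` against a constructed socket pair whose peer sends `payload`, then closes."""
    ours, peer = socket.socketpair()
    try:
        if payload:
            peer.sendall(payload)
        peer.close()
        return pump(ours, cap)
    finally:
        ours.close()


if __name__ == "__main__":
    print("ignoring EOF:", run(pump_ignoring_eof))          # (50, b'')
    print("handling EOF:", run(pump_handling_eof))          # (1, b'')
    print("with payload:", run(pump_handling_eof, b"hi"))   # (2, b'hi')
```

With the cap removed the first loop is exactly the process Eike saw in the debugger: one live child per closed X connection, each at 100% CPU. The fix belongs in the relay loop, not in the kernel or the fwtk release.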
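[Editor's added example, not code from any poster, from BIND or from Windows NT.] Two DNS behaviours discussed above are easy to get wrong: Fernando's "n"-way split with round-robin DNS, and the server search order in Tim Heagarty's forwarded exchange (the next server in the list is consulted only when the current one cannot be reached; a negative answer ends the search, which is why a split local/global DNS list fails in one direction or the other). The toy resolvers and zone below model both; every name and address is constructed (RFC 5737 documentation ranges on the public side), and the servers are plain callables rather than network code.

```python
"""Toy models of DNS search order and round-robin A records."""
from collections import deque


class Unreachable(Exception):
    """The server did not answer (timeout or network unreachable)."""


class NxDomain(Exception):
    """The server answered that the name does not exist."""


def make_server(table):
    """A constructed DNS server: answers from its table, otherwise NXDOMAIN."""
    def query(name):
        if name not in table:
            raise NxDomain(name)
        return table[name]
    return query


def dead_server(name):
    """A configured server that never answers."""
    raise Unreachable(name)


def resolve_stop_on_nxdomain(name, servers):
    """Search order as Paul Donnelly describes for NT 4.0 (and as a classic Unix stub
    resolver behaves): move to the next server only when the current one is unreachable.
    A negative answer is final, so a name known only to a later server is never found."""
    for server in servers:
        try:
            return server(name)
        except Unreachable:
            continue  # try the next configured server
        except NxDomain:
            return None  # authoritative "no such name": stop searching
    return None


def resolve_try_all(name, servers):
    """The behaviour Tim expected and reports seeing on Windows 95: keep asking until
    some server answers or the list is exhausted."""
    for server in servers:
        try:
            return server(name)
        except (Unreachable, NxDomain):
            continue
    return None


class RoundRobinZone:
    """A zone with several A records for one name, rotated on every answer (the
    round-robin Fernando asks about): clients that take the first address are spread
    across the "n" servers without any load balancer in front of them."""

    def __init__(self, records):
        self._rrsets = {name: deque(addrs) for name, addrs in records.items()}

    def answer(self, name):
        rrset = self._rrsets[name]
        result = list(rrset)
        rrset.rotate(-1)  # the next query sees the list shifted by one
        return result


def first_address_per_lookup(zone, name, lookups):
    """Which server each of `lookups` successive clients lands on if it takes the first record."""
    return [zone.answer(name)[0] for _ in range(lookups)]


# Constructed split-DNS setup like the one in Tim's bug report.
LOCAL_DNS = make_server({"fileserver.lan": "10.0.0.5"})
GLOBAL_DNS = make_server({"www.example.com": "192.0.2.80"})

if __name__ == "__main__":
    order = [LOCAL_DNS, GLOBAL_DNS]
    print(resolve_stop_on_nxdomain("fileserver.lan", order))   # 10.0.0.5
    print(resolve_stop_on_nxdomain("www.example.com", order))  # None: local said NXDOMAIN
    print(resolve_try_all("www.example.com", order))           # 192.0.2.80
    zone = RoundRobinZone({"www.wherever.com": ["192.0.2.1", "192.0.2.2", "192.0.2.3"]})
    print(first_address_per_lookup(zone, "www.wherever.com", 4))
```

The model makes the operational point of the forwarded exchange concrete: the server list is for redundancy, not for merging namespaces, so a local zone has to be served (or forwarded) by the same server that answers for the rest of the world. It also shows the limit of round-robin that David Hawkins alludes to: a dead server keeps its turn in the rotation, because the zone has no idea whether 192.0.2.2 is still up.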
From firewalls-owner Wed Jun 12 07:55:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20561 for firewalls-outgoing; Wed, 12 Jun 1996 07:43:55 -0700 (PDT) Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA20540 for ; Wed, 12 Jun 1996 07:43:48 -0700 (PDT) Message-Id: <199606121443.HAA20540@miles.greatcircle.com> Received: from usfg.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R3) Date: Wed, 12 Jun 1996 10:41:12 EDT From: dgnatows@usfg.e-mail.com To: firewalls@greatcircle.com X-Sender-Info: MTWCCM.DGNATOWS@MTWCCM.SNADS MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Web server updates and secure ac Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------------------------------------------------------------------------ I am looking for solutions or ideas on how to securely update a Web server that is located on the outside of a firewall from a host or workstation on the inside. Also, what security methods exist for passing queries from the external Web server through the firewall to an SQL server on the inside? TIA. 
-Dennis Gnatowski USF&G dgnatows@usfg.e-mail.com From firewalls-owner Wed Jun 12 08:12:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20994 for firewalls-outgoing; Wed, 12 Jun 1996 07:48:47 -0700 (PDT) Received: from vines.efdswest.navfac.navy.mil (vines.efdswest.navfac.navy.mil [204.4.100.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA20946 for ; Wed, 12 Jun 1996 07:48:33 -0700 (PDT) Received: by vines.efdswest.navfac.navy.mil; Wed, 12 Jun 96 7:45:46 PDT Date: Wed, 12 Jun 96 7:41:28 PDT Message-ID: From: "George A Glickman" To: Firewalls@GreatCircle.COM Subject: Seeking example Internet Policy X-Incognito-SN: 405 X-Incognito-Format: VERSION=1.71 ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: nolwg@ncts.navy.mil Date: 9/7/95 1:26 PM To: nolwg@ncts.navy.mil Cc: 76all@nosc.mil,execboard@nosc.mil Subject: Navy Internet Guidelines Text: Here is a more readable version of the official Navy administrative message providing guidelines for Naval use of the internet: ----------------------------------------------------------------------- Date: 21 July 1995 From: CNO Washington, DC //N6// To: All Commanding Officers Subj: Guidelines for Naval Use of the Internet Ref a is SecNavInst 5720.44a U.S. Navy Public Affairs Regulations. Ref b is SecNavInst 5211.5d Department of the Navy Privacy Act Program. Ref c is OpNavInst 5510.1h Department of the Navy Information and Personnel Security Program Regulation. Ref d is OpNavInst 2710 Navy Local Area Networks Policies. Ref e is OpNavInst 5239.1a ADP Security Policy. 1. The DoD and DoN are currently in the midst of what is commonly called the information explosion. The exponential growth of the internet and the world wide web (www or web) is in part due to the ease of use and popularity of hypertext browsing applications. 
Hypertext internet applications may improve many facets of our operations, and provide an efficient and effective means of communication and information distribution. The National Information Infrastructure (NII) and the Defense Information Infrastructure (DII) have as a goal to increase the ease and availability of information, both within the government and to information approved for public release and accessibility by the public. 2. Easy to use web browsers and software tools to ease the development of documents written in hypertext markup language (HTML) have given rise to a proliferation of www home pages on the internet, including many by numerous Navy commands operating in the domain name navy.mil. Coupled with their promised benefits however, services such as www, hypertext transfer protocol (HTTP), gopher, anonymous file transfer protocol (FTP), and other open anonymous information servers present potential problems: (a) Depending on the size of their information files and the external demand for these files, such services can consume significant network bandwidth, and seriously degrade network performance for other systems sharing the same network components, and potentially degrade or deny access to required information by internal users. (b) To be useful, such servers must accept outside users without requiring either a local user account or password. Providing such service clearly entails security risks, risks to which the DoN must be especially sensitive because military computer systems are traditionally high profile targets. The connection of Naval information systems and networks to unclassified publicly accessible computer networks and information systems poses a potential threat to Naval operations. We cannot view these connections as risk-free. 
The potential exists not only for unauthorized persons to gain access to Naval information systems, but for the inadvertent disclosure of classified, unclassified but sensitive, and privacy information, and the compromise of Naval operations and activities as well. Requiring a local user account or password prior to accessing data available on the internet is not in itself a sufficient safeguard. It is imperative that the Department of the Navy endeavor to evaluate the risk and ensure that due care is taken to minimize the chance of compromise. 3. It is fully appropriate for Naval commands to establish and maintain information servers and services on the internet, including world wide web home pages with links to other pages, provided they support legitimate, mission-related activities of the Navy and Marine Corps, and are consistent with prudent operational and security considerations. One type of link that must be avoided is the link to a specific vendor who is selling services and products to the government, as that type of link may give the appearance that the DoN is endorsing the product or service, or showing favor to a particular vendor. Information placed on the internet, without controls to eliminate or prevent public access, must be cleared in a manner consistent with the procedures already in place for clearing "hard" copy information. (See Refs (a), (b), and +). In most cases, material proposed to be made available electronically to the publicly accessible internet must be submitted through the same public affairs channels as "hard" copy material proposed for publication, (for national release). 
(a) Commanders/Commanding Officers must ensure that information provided on any of their information servers connected to the internet, does not contain classified, unclassified sensitive, or privacy information, or information that could enable the recipient to infer classified or unclassified sensitive information, either from individual segments of the information, or from the aggregate of all the information available. (b) Any information provided through internet services must be professionally presented, current, accurate and factual, and related to the Command's mission. Commands may choose to produce periodic written general guidelines and parameters for their authorized users of unclassified publicly accessible computer networks such as the internet. This guidance will indicate those topics (such as sensitive information associated with the Command's mission or fleet operations, or other sensitive DoN business), which may be restricted or prohibited from being discussed publicly over networks. (c) Each web home page will have a designated author or maintainer who will be responsible for the content and appearance of that page. The individual's name, organizational code, organizational phone number, email address, and date of last revision will be included in the source code for that page. The originators of any material proposed for distribution or posting to a web home page, are responsible for obtaining release approval, prior to submitting the material to the web server administrator. (d) Publicly accessible newsgroups, bulletin boards, and email mailing lists that are operated by a command should also reflect a high level of professionalism. Individual users who submit email postings to these Navy and Marine Corps operated and maintained publicly accessible newsgroups and bulletin boards, are not authorized to submit classified, unclassified sensitive, or privacy information. 
Commanders/Commanding Officers should establish procedures for periodic review of the content of postings that have been made to these newsgroups and bulletin boards operated by their command to ensure the postings do not bring discredit to the command and the DoN. All Navy and Marine Corps email users should strive to ensure that the content of email messages reflect a high level of professionalism and personal integrity. 4. Information systems security guidelines: (a) All Naval information systems with servers (including web servers) which are connected to unclassified publicly accessible computer networks such as the internet, will employ appropriate security safeguards (such as firewalls) as necessary to ensure the integrity, authenticity, privacy, and availability of a command's information system and its data. (b) All information systems with servers connected to the internet must have a formal Commander/Commanding Officer, or designated approving authority (DAA) authorization to operate. In accordance with OpNavInst 5239.1 (Ref (e)), all systems must receive security accreditation and authorization to operate by the DAA prior to being put into operation. A network risk analysis must be conducted as a part of the overall network security plan to determine the appropriate level of security. DoN WAN/LAN systems security accreditations must be updated to reflect the addition of, or existence of, a web server or other internet information server. 5. Since the internet is open and legally accessed by the world-wide public, information presented by Naval commands in their home pages on the internet will reflect on the Department of the Navy's professional standards and credibility. Regardless of how or by whom these pages are actually developed, the appearance of, and the accuracy, currency, and relevance of this information will reflect directly, or indirectly, on the Department of the Navy's image. 
Information residing on a server with a navy.mil domain or usmc.mil domain, or any other Navy or Marine Corps owned and operated server, may be interpreted by the worldwide public, including the American taxpayer and media, as reflecting official Department of the Navy, or Department of Defense policies or positions. There is no such thing as a personal or unofficial home page on a ".mil" server because these servers and the information they contain are properly used only for official business, and in an official capacity. Commanding Officers should review all web home pages or other internet information servers being operated by personnel at their commands, to ensure compliance with the guidelines noted in this message. 6. Additional more-detailed technical and InfoSec guidelines pertaining to DoN use of the internet will be published in future revisions to Refs (d) and (e). 7. This message has been coordinated with CMC, ChInfo, Navy JAG, and ComNavSecGru. The N6 point of contact is Cdr D. Galik, N643g. Phone 703 697-7755, or email: cnon643g@smtp-gw.spawar.navy.mil. The Marine Corps point of contact is Marine Corps Combat Development Command, Architecture and Standards Division phone 703 784-4720. 8. Released by VAdm Davis, USN. ------------------------------------------------------------------------ Thanks George A. Glickman Southwest Div. 
NavFacEngCom From firewalls-owner Wed Jun 12 08:14:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22189 for firewalls-outgoing; Wed, 12 Jun 1996 08:01:50 -0700 (PDT) Received: from mhinside.hcl.com (mhoutside.hcl.com [205.211.178.117]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA22151 for ; Wed, 12 Jun 1996 08:01:32 -0700 (PDT) Received: from rudy.hcl.com (rudy.hcl.com [198.231.99.165]) by mhinside.hcl.com (8.7.4/8.7.3) with SMTP id LAA29207 for ; Wed, 12 Jun 1996 11:04:57 -0400 (EDT) Message-Id: <199606121504.LAA29207@mhinside.hcl.com> From: "Rudy Amid" To: Subject: Re: New Firewall Announcement Date: Wed, 12 Jun 1996 11:02:49 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1085 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- > From: Michel Lavondes > To: Jeremy Noetzelman > Cc: Jean Vincent ; Steve Kennedy > Subject: Re: New Firewall Announcement > Date: Wednesday, June 12, 1996 6:34 AM > > > In message <2.2.32.19960611194108.00b2d8dc@intermind.com>, Jeremy Noetzelman wr > ites: > > > > [...] > > > > Am I the only one who doesn't like the idea of my firewall being managed by > > SNMP? Seems to me to be a step backwards in security. Why not just toss an > > Xserver up there and let everyone use it? > > > Don't worry, you're not alone. Not alone indeed. Milkyway's "BlackHole" is an X based firewall, but console only mind you. -- Rudy Amid (rudy@hcl.com) [Home URL] http://www.warped.com/~radix Systems Administrator #include Hummingbird Communications, Ltd. "We're IT!" -MIS Dept. 1 Sparks Ave. Toronto, Canada. M2H 2W1. 
416-496-2200 [URL] http://www.hcl.com From firewalls-owner Wed Jun 12 08:16:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22130 for firewalls-outgoing; Wed, 12 Jun 1996 08:01:10 -0700 (PDT) Received: from potlatch.esd112.wednet.edu (potlatch.esd112.wednet.edu [164.116.2.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA22077 for ; Wed, 12 Jun 1996 08:00:58 -0700 (PDT) Received: from localhost by potlatch.esd112.wednet.edu (5.x/SMI-SVR4) Date: Wed, 12 Jun 1996 07:57:00 -0700 (PDT) From: Brian Andrew To: firewalls@GreatCircle.com Subject: [Fwd: chain thing-heather] (fwd) Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- Forwarded message ---------- Date: Tue, 11 Jun 1996 14:05:57 -0500 From: Sarah J Kosmach To: Toasty Subject: [Fwd: chain thing-heather] >Return-Path: holden8@ix.netcom.com >Date: Tue, 11 Jun 1996 12:41:14 -0700 >From: holden caulfield >Reply-To: holden8@ix.netcom.com >Organization: debaser skateboards and products >To: tierney@occ-uky.campus.mci.net, kara0193@aol.com, skosmach@cei.net, > msmith07@lausd.k12.ca.us, leneso@nando.net >Subject: [Fwd: chain thing-heather] >X-UIDL: 7c5b2866f517706a2129ee2c3a004836 > >remember me? sorry, I hate chain letters but..... 
> >roland >Return-Path: >Received: from intellinet.com (root@sibyl.intellinet.com [199.2.240.10]) by ixmail3.ix.netcom.com (8.7.5/SMI-4.1/Netcom) > id JAA12978; Tue, 11 Jun 1996 09:54:58 -0700 (PDT) >Received: from rlhome19.intellinet.com (md-015.fyv.intellinet.com [199.2.240.81]) by intellinet.com (8.6.12/8.6.9) with SMTP id LAA17299 for ; Tue, 11 Jun 1996 11:56:20 -0500 >Message-ID: <31BDC11D.5D5@intellinet.com> >Date: Tue, 11 Jun 1996 11:55:25 -0700 >From: Rick Long >X-Mailer: Mozilla 2.01 (Win95; I; 16bit) >MIME-Version: 1.0 >To: holden8@ix.netcom.com >Subject: chain thing-heather >References: <199605121901.PAA01918@post.QueensU.CA> >Content-Type: text/plain; charset=us-ascii >Content-Transfer-Encoding: 7bit > >> >>>Make a wish: >> >>>This is just for future readers. This began in 1996, not much of a past, >> >>>but it works. So here are the rules: >> >>> *If you read this on a Sunday, wish for a really fun week >> >>> *If you read this on a Monday, wish for money >> >>> *If you read this on a Tuesday, wish for love >> >>> *If you read this on a Wednesday, wish for success >> >>> *If you read this on a Thursday, wish for anything you want >> >>> *If you read this on a Friday, wish for a really hot date >> >>> *If you read this on a Saturday, wish for an important phone call >> >>> >> >>> Send this to seven people (after you make a wish). Make sure it is >> >>>mailed as soon as you read it or your wish won't come true. And check >> >>>your horoscope, it could be very useful. REMEMBER, make a WISH, send this >> >>>letter (and hope it happens). 
BYE-tell me if it comes true > > From firewalls-owner Wed Jun 12 08:36:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23817 for firewalls-outgoing; Wed, 12 Jun 1996 08:20:26 -0700 (PDT) Received: from genie.genuity.net (genie.genuity.net [204.74.125.90]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA23787 for ; Wed, 12 Jun 1996 08:20:17 -0700 (PDT) Received: by genie.genuity.net with Microsoft Exchange (IMC 4.0.838.14) Message-ID: From: Brett Watson To: "'Joseph L. Moll'" Cc: "'firewalls@GreatCircle.COM'" Subject: RE: Cisco 2500's and BGP Date: Wed, 12 Jun 1996 08:18:02 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wednesday, June 12, 1996 7:04 AM, J. Stroup[SMTP:joe@acme.nug.net] wrote: >>The answer is no. gee, that's news to me. why can't he run bgp4 on a 2500? -brett From firewalls-owner Wed Jun 12 09:06:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26882 for firewalls-outgoing; Wed, 12 Jun 1996 08:53:43 -0700 (PDT) Received: from aoife.indigo.ie (aoife.indigo.ie [199.186.52.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA26829 for ; Wed, 12 Jun 1996 08:53:30 -0700 (PDT) Received: from dublin-ts15-89.indigo.ie (dublin-ts15-89.indigo.ie [194.125.134.89]) by aoife.indigo.ie (8.7.5/8.7.5) with SMTP id QAA24069 for ; Wed, 12 Jun 1996 16:51:00 +0100 (BST) Message-ID: <31BEE625.6CE6@indigo.ie> Date: Wed, 12 Jun 1996 16:45:41 +0100 From: Michael Ryan Organization: I.T. NetworX X-Mailer: Mozilla 2.0 (Win16; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Apology Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Everybody, I a m s o r r y ! 
While testing a new POP client I wrote, I mistakenly caused mail coming from this list to be resent to the list. You'll notice some duplicate messages -- it's my fault. Some people registered with the list will also get duplicate mail. Thankfully, the total number of messages resent was around five, so at least I didn't cause a storm. My sincerest apologies. Mike --- From firewalls-owner Wed Jun 12 09:21:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA27902 for firewalls-outgoing; Wed, 12 Jun 1996 09:03:29 -0700 (PDT) Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA27839 for ; Wed, 12 Jun 1996 09:02:59 -0700 (PDT) Received: (from alan@localhost) by westie.gi.net (8.7.1/8.7.1) id LAA13003; Wed, 12 Jun 1996 11:00:22 -0500 (CDT) From: Alan Hannan Message-Id: <199606121600.LAA13003@westie.gi.net> Subject: Re: Cisco 2500's and BGP To: bwatson@genuity.net (Brett Watson) Date: Wed, 12 Jun 1996 11:00:22 -0500 (CDT) Cc: oolid@acqic.org, firewalls@GreatCircle.COM In-Reply-To: from "Brett Watson" at Jun 12, 96 08:18:02 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It's not politically correct. :) -alan ......... Brett Watson is rumored to have said: ] ] On Wednesday, June 12, 1996 7:04 AM, J. Stroup[SMTP:joe@acme.nug.net] ] wrote: ] >>The answer is no. ] ] gee, that's news to me. why can't he run bgp4 on a 2500? 
] ] -brett ] ] From firewalls-owner Wed Jun 12 09:35:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29077 for firewalls-outgoing; Wed, 12 Jun 1996 09:13:33 -0700 (PDT) Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29019 for ; Wed, 12 Jun 1996 09:13:12 -0700 (PDT) Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id SAA09530; Wed, 12 Jun 1996 18:10:01 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) Message-Id: <9606121610.AA17004@tidtest.total.fr> To: Brett Watson Cc: "'Joseph L. Moll'" Subject: Re: Cisco 2500's and BGP In-Reply-To: Your message of "Wed, 12 Jun 1996 08:18:02 PDT." X-Cuse: "The dog ate my network" Date: Wed, 12 Jun 1996 18:09:56 +0100 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message , B rett Watson writes: > On Wednesday, June 12, 1996 7:04 AM, J. Stroup[SMTP:joe@acme.nug.net] > wrote: > >>The answer is no. > > gee, that's news to me. why can't he run bgp4 on a 2500? > [this probably belongs on cisco@spot.colorado.edu. Oh well] He can, but IMHO he shouldn't. Michel Lavondes (lavondes@tidtest.total.fr) #include Governments are guilty until proved innocent From firewalls-owner Wed Jun 12 09:54:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28599 for firewalls-outgoing; Wed, 12 Jun 1996 09:09:17 -0700 (PDT) Received: from garrison.com. (garrison.garrison.com [199.1.78.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA28573 for ; Wed, 12 Jun 1996 09:09:05 -0700 (PDT) Received: by garrison.com. 
(4.1/Nutered Mailer) Date: Wed, 12 Jun 96 11:03:19 CDT From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9606121603.AA25358@garrison.com.> To: firewalls@greatcircle.com Subject: Tech support response times from firewall vendors Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am very interested in hearing from organizations who are using commercial firewall packages about their tech support satisfaction. We do a lot of firewall evals, but it's quite obvious you can't ask the manufacturer how fast/accurately they respond to technical support. How are the response times? How competent is the technical support staff? Do you go through a reseller, or straight to the manufacturer? How is the upgrade process? Smooth? Do you get adequate support? How is the documentation? Is it easy to read & reference? Many of the products we have seen have documentation that is either very incomplete, or not well referenceable (i.e. index, good table of contents). Many vendors, due to the rapid growth in the industry, are finding it very difficult to find qualified technical staff, and it shows in their operations. It is obviously quite critical that customers get adequate response times, and no matter how good the firewall is, if you can't get decent support it may not be worth your purchase. Jeromie Jackson Garrison Technologies jeromie@garrison.com From firewalls-owner Wed Jun 12 09:55:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02667 for firewalls-outgoing; Wed, 12 Jun 1996 09:35:01 -0700 (PDT) Received: from acme.nug.net ([192.124.132.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02647 for ; Wed, 12 Jun 1996 09:34:53 -0700 (PDT) Received: from joe.ican.net (cal1-149.ican.net [205.207.252.149]) by acme.nug.net (8.6.9/8.6.9) with SMTP id MAA15592; Wed, 12 Jun 1996 12:50:13 -0400 Message-ID: <31BEF0A2.6B43@acme.nug.net> Date: Wed, 12 Jun 1996 10:30:26 -0600 From: "J. 
Stroup" Reply-To: joe@acme.nug.net Organization: Tiny Bubbles Inc. X-Mailer: Mozilla 3.0b3Gold (Win95; I) MIME-Version: 1.0 To: Alan Hannan CC: Brett Watson , oolid@acqic.org Subject: Re: Cisco 2500's and BGP References: <199606121600.LAA13003@westie.gi.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I like Alan's answer. Its very true. However, I might add. I never did what was politically correct. :) From firewalls-owner Wed Jun 12 10:06:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04963 for firewalls-outgoing; Wed, 12 Jun 1996 09:46:51 -0700 (PDT) Received: from novell.com (nj-ums.fpk.novell.com [147.2.128.54]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04855 for ; Wed, 12 Jun 1996 09:46:24 -0700 (PDT) Received: from plasma (localhost) by plasma.novell.com ; 12 JUN 96 12:41:36 EDT Message-ID: <31BEF340.5CCE@novell.com> Date: Wed, 12 Jun 1996 12:41:36 -0400 From: cjc@novell.com (Chris Calabrese) Organization: Novell IS&T Global Technical Architecture X-Mailer: Mozilla 3.0b4 (X11; I; UNIX_SV 4.2MP i386) Mime-Version: 1.0 To: dgnatows@usfg.e-mail.com Cc: firewalls@greatcircle.com Subject: Re: Web server updates and secure ac References: <199606121443.HAA20540@miles.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk dgnatows@usfg.e-mail.com wrote: > I am looking for solutions or ideas on how to securely update a Web > server that is located on the outside of a firewall from a host or > workstation on the inside. Since you didn't specify, I'm assuming you're talking about Unix here. One good way is to use FTP mirroring with an internal machine. If the internal machine executes the FTP and the external machine uses TCP Wrappers to restrict what machines can FTP to it, it can be pretty secure. 
This can also work if the outside machine is running the NetWare web server. You might have a bit of programming to do to get the FTP mirror to run on a NetWare machine. Don't know about NT. > Also, what security methods exist for passing > queries from the external Web server through the firewall to an SQL > server on the inside? Around here, we assume that external machines are sacrificial lambs that can be broken into. Therefore, we don't allow them to directly access internal databases. Instead we're working with CGI proxies that have the actual CGI code run on an internal machine (of course, your CGI programs better be damn secure, and we have some tools to help that out but that's a different thread). There are two CGI proxies we're using. One is home-built (and not freely available). The other is a commercial FastCGI implementation from OpenMarket. -- Christopher J. Calabrese Security Architect Novell IS&T Global Technical Architecture cjc@novell.com From firewalls-owner Wed Jun 12 10:36:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10884 for firewalls-outgoing; Wed, 12 Jun 1996 10:20:58 -0700 (PDT) Received: from mvision.com (nismaster.eng.mvision.com [165.7.1.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA10876 for ; Wed, 12 Jun 1996 10:20:48 -0700 (PDT) Received: from marc.eng.mvision.com by mvision.com (4.1/SMI-4.1) Reply-To: marc@mvision.com Received: by marc.eng.mvision.com (5.0/SMI-SVR4) Date: Wed, 12 Jun 1996 13:18:25 +0500 From: marc@mvision.com (Marc Albert (603) 529-1820) Message-Id: <9606121718.AA01143@marc.eng.mvision.com> To: firewalls@greatcircle.com Subject: Re: Cisco 2500's and BGP X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What would be the matter with running BGP and not getting the full routing table. His upstream person could simply send him default route. 
For a small ISP this should work just fine and would easily work on a 2500 series box. What do you think? ============================================================================== _/ _/_/ Marc Albert Market Vision _/_/ _/_/ High E-Mail marc@mvision.com _/ _/ Score US Mail RR1, Driscoll Farm Road _/_/_/_/ _/ _/_/ 17,159,810 Address Deering, New Hampshire 03244 _/_/_/_/_/_/_/ _/_/ Phone (603) 529-1820, Fax (603) 529-1830 ============================================================================== From firewalls-owner Wed Jun 12 11:02:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA13880 for firewalls-outgoing; Wed, 12 Jun 1996 10:41:00 -0700 (PDT) Received: from aspen3.aspensys.com (aspensys3.aspensys.com [198.77.70.84]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA13870 for ; Wed, 12 Jun 1996 10:40:53 -0700 (PDT) Received: from smtpinet.aspensys.com by aspen3.aspensys.com (SMI-8.6/SMI-SVR4) Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08) Date: Wed, 12 Jun 96 13:38:10 EST From: "Jim Meritt" Message-Id: <9605128346.AA834612015@smtpinet.aspensys.com> Cc: firewalls@greatcircle.com Subject: periodicity Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At SANS96, as we went over risk assessment, there was a hypothetical section on the frequency of various risks. At the time it was mentioned that the figures given were guestimates for presentation purposes (well, extreme values for demonstration). What have you observed as real frequency-of-occurrences? 
Jim Meritt From firewalls-owner Wed Jun 12 11:36:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA19268 for firewalls-outgoing; Wed, 12 Jun 1996 11:27:55 -0700 (PDT) Received: from mprgate.mpr.ca (mprgate.mpr.ca [134.87.131.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA19252 for ; Wed, 12 Jun 1996 11:27:47 -0700 (PDT) Received: from netman-pc (netman-pc.mpr.ca) by mprgate.mpr.ca with SMTP id AA26990 Message-Id: <3072B22B.1DF4@sierrasys.com> Date: Wed, 04 Oct 1995 09:11:23 -0700 From: Dean Tizzard Organization: Sierra Systems X-Mailer: Mozilla 2.02 (Win16; I) Mime-Version: 1.0 To: firewalls@Greatcircle.com Subject: Backups and Lotus Notes Through FW1 X-Url: http://www.eecs.nwu.edu/cgi-bin/info/tar.info,Basic%20tar%20Operations Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I have just replaced a cisco router in our WAN with FW1. We are migrating to separate NIS domains, etc. Two immediate problems came up. My Lotus Notes clients lost connection to the Lotus Notes Server on the other side of the firewall. We dug up the port the Lotus Notes server listens on and thought we would get a fix by opening a hole in the FW until we could physically move those systems. Didn't work. Also, the perl script we had written to open a socket on servers for backup is failing as well. In the cisco days, I had a permit statement in place for a port number over 1024 to allow the backup over the router. It worked, but what seems to be happening in this case is that the FW is remapping the ports and hence losing the connections. We go out of the FW on port XXXX but come back on YYYY. I have no experience setting up these types of services over a firewall. It would appear that the FW is doing what it was designed to do. We are still setting up service for this FW from Sun. 
Has anyone set up a Lotus Notes Server and Lotus Notes Client with a FW in between the two systems? Is anyone backing up servers through a firewall? Regards Dean Tizzard Sierra Systems From firewalls-owner Wed Jun 12 12:55:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26031 for firewalls-outgoing; Wed, 12 Jun 1996 12:40:32 -0700 (PDT) Received: from ford.gbnet.org (ford.gbnet.org [192.188.96.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA26013 for ; Wed, 12 Jun 1996 12:40:07 -0700 (PDT) Received: (from steve@localhost) by ford.gbnet.org (8.7.1/8.6.12) id UAA10097; Wed, 12 Jun 1996 20:37:47 +0100 (BST) From: Steve Kennedy Message-Id: <199606121937.UAA10097@ford.gbnet.org> Subject: Re: Cisco 2500's and BGP To: oolid@acqic.org (Joseph L. Moll) Date: Wed, 12 Jun 1996 20:37:47 +0100 (BST) Cc: firewalls@greatcircle.com In-Reply-To: <2.2.32.19960612133812.0069c664@mail.acquion.com> from "Joseph L. Moll" at Jun 12, 96 09:38:12 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk According to Joseph L. Moll > Sorry for the off topic question, please respond via private email. > Can anyone comment on the use of Cisco 2500's for border routers running > BGP4 and limited access lists? Can they handle the load? 
I believe that Cisco 2500's can't hold a full Internet BGP4 routing table, therefore they're pretty useless :)

Steve
--
home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103
www http://www.gbnet.net/ * bits steve@gbnet.net * Orange mobile +44-(0)973 600050
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Wed Jun 12 13:05:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26069 for firewalls-outgoing; Wed, 12 Jun 1996 12:41:46 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA26062 for ; Wed, 12 Jun 1996 12:41:29 -0700 (PDT)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34)
Received: by mnbp.network.com with Microsoft Mail
From: Greg Brennan
To: firewalls mailing list
Subject: FW: Web server updates and secure ac
Date: Wed, 12 Jun 96 14:36:00 CDT
Message-Id: <31BF1C49@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Around here, we assume that external machines are sacrificial lambs
>that can be broken into. Therefore, we don't allow them to directly
>access internal databases. Instead we're working with CGI proxies
>that have the actual CGI code run on an internal machine (of course,
>your CGI programs better be damn secure, and we have some tools to
>help that out but that's a different thread).

If you want to secure a Web server, you should check out Haystack Labs (the IDS folks) new "WebStalker" product. According to their literature, WebStalker watches all processes on the entire Web server, cuts off abusive connections as they happen, and sends immediate alarms with details of suspicious activities.
It watches for things like:

Illegal startup or termination of Web server
Illegal process created by Web server
Illegal access to server application files
Illegal privilege escalation
Illegal login
Illegal jumper (network interloper)

From the documentation, and my conversations with their folks, it seems ideally positioned for those companies that want to connect their external web platforms to internal databases. It's available for Solaris for Sparc or Intel (with other platforms supposedly coming to a server near you :-)

I have not seen this product in action yet (nor do I work for the company). Just thought this might be appreciated by the folks following this thread. You can check out their products at http://www.haystack.com

- Greg Brennan
Network Systems

----------
From: firewalls-owner
To: dgnatows
Cc: firewalls
Subject: Re: Web server updates and secure ac
Date: June 12, 1996 12:41PM

dgnatows@usfg.e-mail.com wrote:
> I am looking for solutions or ideas on how to securely update a Web
> server that is located on the outside of a firewall from a host or
> workstation on the inside.

Since you didn't specify, I'm assuming you're talking about Unix here.

One good way is to use FTP mirroring with an internal machine. If the internal machine executes the FTP and the external machine uses TCP Wrappers to restrict what machines can FTP to it, it can be pretty secure.

This can also work if the outside machine is running the NetWare web server. You might have a bit of programming to do to get the FTP mirror to run on a NetWare machine.

Don't know about NT.

> Also, what security methods exist for passing
> queries from the external Web server through the firewall to an SQL
> server on the inside?

Around here, we assume that external machines are sacrificial lambs that can be broken into. Therefore, we don't allow them to directly access internal databases.
Instead we're working with CGI proxies that have the actual CGI code run on an internal machine (of course, your CGI programs better be damn secure, and we have some tools to help that out but that's a different thread).

There are two CGI proxies we're using. One is home-built (and not freely available). The other is a commercial FastCGI implementation from OpenMarket.

--
Christopher J. Calabrese
Security Architect
Novell IS&T Global Technical Architecture
cjc@novell.com

From firewalls-owner Wed Jun 12 14:06:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA29548 for firewalls-outgoing; Wed, 12 Jun 1996 13:42:48 -0700 (PDT)
Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA29541 for ; Wed, 12 Jun 1996 13:42:41 -0700 (PDT)
Received: from wolverine.acquion.com ([206.154.17.12])
Message-Id: <2.2.32.19960612204022.00696080@mail.acquion.com>
X-Sender: oolid@mail.acquion.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 12 Jun 1996 16:40:22 -0400
To: firewalls@greatcircle.com
From: oolid@acqic.org (Joseph L. Moll)
Subject: Re: Cisco 2500's and BGP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>
>
>While the above answers are good enough for me, they are not good
>enough for the people that sign the checks at the company I work for.
>I am trying to convince them to buy something else to run BGP4 on,
>such as a Cisco 4500. Are there any good technical documents on
>exactly why it is a bad idea to run BGP4 on a 2501?
>
>Thanks.
>
>--Eric

Exactly why I am posing this question. They are a good bit cheaper than the 4x00's... Looks like from the majority of my responses the real reason is that even the 2500's with 16MB RAM will run out of memory with all the routes learned from BGP. A couple of responses suggested at least a 4500 with 32MB RAM.
Thanx to all who have responded,

---
Joseph L. (Joe) Moll, Greenville, SC USA
mailto:oolid@acqic.org
---

From firewalls-owner Wed Jun 12 14:21:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA01922 for firewalls-outgoing; Wed, 12 Jun 1996 14:17:13 -0700 (PDT)
Received: from rbit.co.za (rbit.co.za [196.7.71.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA01915 for ; Wed, 12 Jun 1996 14:17:05 -0700 (PDT)
Received: (from johnb@localhost) by rbit.co.za (8.7.3/8.7.3) id XAA08527; Wed, 12 Jun 1996 23:14:43 +0200
From: John Betts
Message-Id: <199606122114.XAA08527@rbit.co.za>
Subject: Re: Cisco 2500's and BGP
To: bwatson@genuity.net (Brett Watson)
Date: Wed, 12 Jun 1996 23:14:43 +0200 (SAT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Brett Watson" at Jun 12, 96 08:18:02 am
Reply-to: johnb@aztec.co.za
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

%
% On Wednesday, June 12, 1996 7:04 AM, J. Stroup[SMTP:joe@acme.nug.net]
% wrote:
% >>The answer is no.
%
% gee, that's news to me. why can't he run bgp4 on a 2500?
%

yeh, me too... specially since the fact that a lot of the routers at one of the .za naps are 2500's (with 64k links being our comparative to T1's...anything bigger is an overkill)

all you need is 32mb ram for a full table, or 16mb ram for a half table

ciao

--
john
--
John Betts, Aztec Internet Services, Port Elizabeth, South Africa
johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
The world is complex. The Sendmail configuration reflects this.
From firewalls-owner Wed Jun 12 15:21:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA03589 for firewalls-outgoing; Wed, 12 Jun 1996 14:59:48 -0700 (PDT)
Received: from desiree.teleport.com (desiree.teleport.com [192.108.254.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA03582 for ; Wed, 12 Jun 1996 14:59:42 -0700 (PDT)
Received: from claudia.teleport.com (claudia-0.teleport.com [192.108.254.4]) by desiree.teleport.com (8.7.5/8.7.3) with ESMTP id OAA01898; Wed, 12 Jun 1996 14:57:28 -0700 (PDT)
Received: (from darrell@localhost) by claudia.teleport.com (8.7.5/8.7.3) id OAA16954; Wed, 12 Jun 1996 14:57:27 -0700 (PDT)
Date: Wed, 12 Jun 1996 14:57:26 -0700 (PDT)
From: Darrell Fuhriman
To: Steve Kennedy
cc: firewalls@greatcircle.com
Subject: Re: Cisco 2500's and BGP
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I believe that Cisco 2500's can't hold a full Internet BGP4 routing table,
> therefore they're pretty useless :)

Bzzzztt... try again. We were running a dual homed 2501 (2 t1's) for several months. It was an often maxed out little thing, but it worked. We had to keep the access lists to a minimum though..
Darrell Fuhriman
Teleport System Administration

From firewalls-owner Wed Jun 12 15:36:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04662 for firewalls-outgoing; Wed, 12 Jun 1996 15:25:07 -0700 (PDT)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA04643 for ; Wed, 12 Jun 1996 15:24:53 -0700 (PDT)
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id RAA09020 for ; Wed, 12 Jun 1996 17:19:31 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr)
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA27785
Date: Wed, 12 Jun 1996 17:21:08 -0500 (CDT)
From: Ken Hardy
To: firewalls@GreatCircle.COM
Subject: Re: Netscape Port
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 7 Jun 1996, Michael Dillon wrote:

> Go into Netscape Navigator and look at Options, Network Preferences,
> Proxies and click on the "View" button. Of course this only works if the
> "Manual Configuration" is selected. If it's automatic I assume that the
> port used needs to be found on the proxy server.

Today I finally dug up the doco on the automatic configuration option:

http://search.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

It downloads a javascript function from the url you give in the setup dialog box. What port and machine that points you to (and how intelligently) depends on who wrote that script. Potentially makes it a lot more flexible (& intelligent) when dealing with firewalls and caches; automatic failover, selection of different caches/proxies for different requesters & requestees (useful on the in-house WAN), etc.
I like it, but it only works for Netscape, of course, and requires a little more brainpower to set up (but makes it easier to set up hundreds or thousands of browsers thereafter, or to change their proxy configuration afterwards.)

- KH

From firewalls-owner Wed Jun 12 17:36:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA15545 for firewalls-outgoing; Wed, 12 Jun 1996 17:27:34 -0700 (PDT)
Received: from ni.net (ni1.ni.net [192.215.247.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA15531 for ; Wed, 12 Jun 1996 17:27:25 -0700 (PDT)
Received: from win96_12.ns.nycits.com by ni.net (SMI-8.6/SMI-SVR4)
Message-Id: <2.2.32.19960612232711.00694058@ni.net>
X-Sender: stephen@ni.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 12 Jun 1996 19:27:11 -0400
To: firewalls@GreatCircle.COM
From: stephen white
Subject: 2501 firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Wed, 12 Jun 1996 18:40:32 -0400
>To: firewall-1@applicom.co.il
>From: stephen white
>Subject: Cisco 2501 protecting unix from telnet ftp
>
>We are installing a BSDI 2.1 server on a t1 here is the setup
>
>14 windows 95 pc's, 1 windows NT server 3.51, one unix motorola 88k system,
>and one BSDI 2.1 box.
>These are all going into a 24 port 3com hub and the cisco 2501 is plugged into
>it.
>
>
>                        * * * * *
>95 >>>>>>>>>>>>>>>>>>>>*       *
>95 >>>>>>>>>>>>>>>>>>>>*   3   *
>95 >>>>>>>>>>>>>>>>>>>>*   C   *         ( 2 }
>                       *   O   *         ( 5 }
>                       *   M   *******{   0 }
>NT3.51 >>>>>>>>>>>>>>>>*   2   *      {   1 }******DSU/CSU +++++FULL T1
>                       *   4   *******(   C }
>UNIX MOTOROLA>>>>>>>>>>*   H   *      (   I }
>                       *   U   *      {   S }
>BSDI >>>>>>>>>>>>>>>>>>*   B   *      {   C }
>                       *       *      {   O }
>                        * * * * *
>
>What is the best way to build a firewall to protect
>the Motorola Unix / 14 x windows 95, 1 NT 3.51 Server,
>and BSDI.
>
>
>We have a T1 with a class C and the main area we want to protect
>is the telneting to the unix BSDI, UNIX MOTOROLA, & NT.
>We also want to protect ftp.
>
>The main people who will be Telneting & Ftping the systems is
>on a few ranges of ip all else we want refused access.
>I've been told by our T1 provider this can all be done on the
>cisco router using ip access-group 101.
>Could someone tell me what i would need to set up the router?
>
>For example suppose our class C is 203.70.70.xxx and we only want
>class C 195.186.96.xx 195.186.96.xx and one IP
>address 204.192.145.30 to be able to Telnet and Ftp to any of
>our 203.70.70.xxx.
>But all other DNS's, HTTP's, PING's, and email to go with none of
>these filtering rules.
>
>What would be the 2501 router settings?
>
>Any information would be great thanks . . . .
>
>

From firewalls-owner Wed Jun 12 18:09:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA17881 for firewalls-outgoing; Wed, 12 Jun 1996 18:03:12 -0700 (PDT)
Received: from trex.centroin.com.br (trex.centroin.com.br [200.255.215.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA17858 for ; Wed, 12 Jun 1996 18:02:58 -0700 (PDT)
Received: from centroin.com.br (du26.centroin.com.br [200.255.215.26]) by trex.centroin.com.br (8.6.12/8.6.12) with SMTP id WAA07066 for ; Wed, 12 Jun 1996 22:00:37 -0300
Message-ID: <31BF65C7.2623@cos.ufrj.br>
Date: Wed, 12 Jun 1996 21:50:15 -0300
From: Alessandro Coelho Ribeiro
X-Mailer: Mozilla 3.0b4Gold (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Ftp-gw fails to connect
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm using TIS FWTK 2.0 with http-gw, ftp-gw and tn-gw. The servers are placed in a Linux box and the clients are Netscape 2.0 and Explorer 2.0 for W4WG and Win95. Http-gw and tn-gw work Ok.
But Ftp-gw only works with ftp clients that input user login and password, like Win95's ftp. With Netscape and Explorer, it will never connect.

Alessandro Coelho Ribeiro
Banco Central do Brasil
(sandro@centroin.com.br)

From firewalls-owner Thu Jun 13 18:21:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA02452 for firewalls-outgoing; Thu, 13 Jun 1996 18:14:56 -0700 (PDT)
Received: from minotaur.labyrinth.net.au (minotaur.labyrinth.net.au [203.9.148.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA02445 for ; Thu, 13 Jun 1996 18:14:28 -0700 (PDT)
Received: (from mail@localhost) by minotaur.labyrinth.net.au (8.7.2/8.7.2) id LAA12870; Fri, 14 Jun 1996 11:12:53 +1000 (EST)
X-Authentication-Warning: minotaur.labyrinth.net.au: mail set sender to using -f
Received: from gate.quick.com.au(203.12.250.130) by minotaur.labyrinth.net.au via smap (V1.3)
Received: (from sjg@localhost) by zen.void.oz.au (8.7.3/8.6.9) id LAA12717; Fri, 14 Jun 1996 11:12:18 +1000 (EST)
Date: Fri, 14 Jun 1996 11:12:18 +1000 (EST)
From: "Simon J. Gerraty"
Message-Id: <199606140112.LAA12717@zen.void.oz.au>
To: girsch@marben.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Round-robin DNS?
Newsgroups: lists.firewalls
References: <199606102340.QAA25620@mail.marben.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Arnaud Girsch writes:
>>>> How are people out there implementing round-robin DNS? I have "n"
>>>> servers acting as www.wherever.com and I want to split the traffic
>>>> between them. Of course, if I could do a proper load balancing that
>>>> would be great, but a simple "n" way split is a big help already.

Firstly an answer... you can use bind-4.9.3 if you compile it with ROUND_ROBIN defined. I actually modified bind-4.9.3beta17 so that a round_robin=N directive in named.boot could be used to turn it on.
The N is the max number of addresses to return - several PC TCP stacks corrupt answers that contain more than 4 addresses. I delegate a sub-domain rr to a couple of round-robin servers which play this game with TTL=0, and the normal servers contain cname records for say www which point at www.rr.

For real load balancing, I like the perl lbnamed which was in a LISA paper a couple of years ago. It uses a client/server deal to determine which servers are least loaded... I did a new module for it so that you could give it a fixed config that would deal out A 90% of the time and B and C 5% each. This suited my needs well.

>'just show me some DNS implementation that doesn't round robin .. ?

bind-4.9.3 (well beta17 at least) does not _unless_ you define ROUND_ROBIN.

>Probably few of them are not round robin'ing, but I have to disagree when you
>say that "any off-the-shelf" doesn't.

Just about every DNS should be running bind-4.9.3 and without ROUND_ROBIN it _will_ return the address list the same every time. I've tested it - I have sites that rely on it.

--sjg
--
Simon J.
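The answer-ordering behaviours Simon describes above, as an added model for illustration (this is not code from his post, from BIND or from lbnamed): a zone that either rotates its A records per query with a cap of N addresses or returns them in a fixed order, a CNAME hand-off from www to the rotating rr sub-domain, and an lbnamed-style fixed 90/5/5 split. The class names, sample addresses and the seed are constructed.

```python
# Added example (not code from Simon Gerraty's post, BIND or lbnamed):
# a small model of the two answer-ordering behaviours the post describes.
# Class names, the sample addresses and the seed are constructed.
import random
from collections import deque
from itertools import accumulate

# The post notes that several PC TCP stacks corrupt answers holding more
# than four A records, so the default cap mirrors round_robin=4.
MAX_SAFE_ADDRS = 4


class RoundRobinZone:
    """Authoritative data for one zone.

    With round_robin=True the A records for a name are rotated by one
    position after every query (what bind-4.9.3 does when compiled with
    ROUND_ROBIN); with round_robin=False the same fixed order comes back
    every time. cnames models the post's setup where the normal servers
    hold 'www CNAME www.rr' and only the rr sub-domain rotates.
    """

    def __init__(self, a_records, cnames=None, round_robin=True,
                 max_addrs=MAX_SAFE_ADDRS, ttl=0):
        self._a = {name: deque(addrs) for name, addrs in a_records.items()}
        self._cnames = dict(cnames or {})
        self.round_robin = round_robin
        self.max_addrs = max_addrs
        self.ttl = ttl  # TTL=0 keeps resolvers from caching one ordering

    def query(self, name):
        """Return (canonical_name, [addresses], ttl) for one lookup."""
        name = self._cnames.get(name, name)
        addrs = self._a[name]
        answer = list(addrs)[: self.max_addrs]
        if self.round_robin:
            addrs.rotate(-1)  # next query starts one address further on
        return name, answer, self.ttl


class WeightedZone:
    """lbnamed-style fixed split: each query gets a single address drawn by
    weight, e.g. A 90% of the time and B and C 5% each."""

    def __init__(self, weighted, seed=None):
        self.addrs = [addr for addr, _ in weighted]
        self._bounds = list(accumulate(weight for _, weight in weighted))
        self._rng = random.Random(seed)

    def query(self):
        r = self._rng.random() * self._bounds[-1]
        for addr, bound in zip(self.addrs, self._bounds):
            if r < bound:
                return [addr]
        return [self.addrs[-1]]  # only reachable through float rounding

    def distribution(self, n):
        """Fraction of n queries answered with each address."""
        counts = dict.fromkeys(self.addrs, 0)
        for _ in range(n):
            counts[self.query()[0]] += 1
        return {addr: c / n for addr, c in counts.items()}


if __name__ == "__main__":
    zone = RoundRobinZone(
        {"www.rr": ["10.0.0.%d" % i for i in range(1, 7)]},
        cnames={"www": "www.rr"})
    for _ in range(3):
        print(zone.query("www"))
    print(WeightedZone([("A", 90), ("B", 5), ("C", 5)], seed=1).distribution(10000))
```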
Gerraty
#include /* imagine something _very_ witty here */

From firewalls-owner Thu Jun 13 19:54:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA12316 for firewalls-outgoing; Thu, 13 Jun 1996 19:51:03 -0700 (PDT)
Received: from relay-2.mail.demon.net (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA12308 for ; Thu, 13 Jun 1996 19:50:47 -0700 (PDT)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-2.mail.demon.net
Received: from martel.demon.co.uk ([158.152.221.102]) by relay-3.mail.demon.net
Message-ID:
Date: Thu, 13 Jun 1996 14:15:40 +0100
To: Gene Lee , firewalls@greatcircle.com
Cc: "'Adam Shostack'"
From: Ian Gresley-Jones
Subject: Re: IBM Firewall
In-Reply-To: <01BB4EFE.A40A0380@ts47-15.tor.iSTAR.ca>
MIME-Version: 1.0
X-Mailer: Turnpike Version 1.12 <5FNnYA8I4VwTBuCT6k+JdR66Mo>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In reply to Adam's comments below - there is an integrity checker in AIX v3.??? (3.2.5 and some earlier) called tcbck. It is possible without too much trouble to make it use md5 (forgotten the details - if anyone is interested I'll dig out some notes) so it can be useful, even if not as flexible as Tripwire. I don't know how much this is used in SNG by default, but I've set it up in a variety of ways (varying from once every 10 seconds for a short list of critical files, to once daily for a full filesystem check ....).

< Gene said...>
>If there anyone out there has experience with SNG, any criticisms of the product are
>more than welcome (either via the mailing list or direct e-mail to me). I'm creating a
>"To Do" list for the developers in Raleigh for subsequent versions of the Firewall.

That's good news Gene - Hey OtherSuppliers - take note !!!

>
>genelee@vnet.ibm.com
>
>Something like tripwire or L5 would be nice. I know there's an
>integrity checker in /etc/security/?
>(Been a while since I used AIX),
>but there's no docs for it, and I don't think it supports MD5 or SHA1.

The docs are there in 'info', but as seems standard for IBM they are not as complete, consistent or even in some cases correct as they might be - here's one for the Raleigh boys to improve on Gene !

>
>Most of the other shortcomings I saw were in the manual; not talking
>about stripping out un-needed services, not talking about reducing
>permission levels on sendmail & rdist, and the rest of them.

Agreed, AIX is a monstrous beast and needs a bare bones installation with very careful configuration. IBM should provide some details of the lengths they go to in stripping out or switching off the nasties, and what they do with things like sendmail (very old version as standard in 3.2.5). What about monitoring (the audit subsystem is useful - what use is made of it), intrusion detection etc. I admit I only saw some basic info on an early version of the product, maybe more info is available, but they do keep it quiet. Tell us more Gene....
Regards
Ian

********************************************************************
Ian Gresley-Jones          * Protek Warrington (UK) 01925 240340
                           * or Maidenhead (UK) 01628 75959 or
 -- speaking for myself only --  * ZZR600
********************************************************************

From firewalls-owner Fri Jun 14 05:07:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA04380 for firewalls-outgoing; Fri, 14 Jun 1996 05:00:58 -0700 (PDT)
Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA04354 for ; Fri, 14 Jun 1996 05:00:42 -0700 (PDT)
Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef)
Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00)
Date: Fri, 14 Jun 1996 12:27:58 +0100 (BST)
From: Dave Roberts
To: Ian Gresley-Jones
Cc: firewalls@greatcircle.com
Subject: Re: IBM Firewall
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 13 Jun 1996, Ian Gresley-Jones wrote:

> Agreed, AIX is a monstrous beast and needs a bare bones installation
> with very careful configuration. IBM should provide some details of the
> lengths they go to in stripping out or switching off the nasties, and
> what they do with things like sendmail (very old version as standard in
> 3.2.5).

And things didn't improve much with AIX 4.1, it uses v5.something of sendmail. Finally they caught up (a little) with the recent AIX 4.2, it actually uses sendmail v8.7 - although the AIX Systems Specialist that I spoke to at IBM the other day couldn't tell me how much tweaking they had done to get it running on AIX. I was kinda hoping for a "just hit make" kind of answer.

Interestingly enough, AIX 4.2 now offers 2 modes of behaviour - just to confuse everyone.
There is the default, and then there is the Unix 95 (SPEC 1170) mode, providing you have XPG_SUS_ENV=ON set.

--
Dave Roberts, Unix Systems Administrator, SAA Consultants Ltd, Plymouth, UK.
"smap has the advantage [over bare sendmail] that it was written by someone
who is almost certifiably paranoid" - Brent Chapman, London, 19 Oct 95.
-=[ For PGP 2.6.3i public key, send mail with subject of "get pgp" ]=-

From firewalls-owner Fri Jun 14 06:06:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA07418 for firewalls-outgoing; Fri, 14 Jun 1996 05:57:13 -0700 (PDT)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA07401 for ; Fri, 14 Jun 1996 05:57:04 -0700 (PDT)
Received: from True.Net by relay7.UU.NET with ESMTP
Received: from fw.true.net (fw-1.true.net [200.11.130.1]) by True.Net (8.7.4/8.6.12) with ESMTP id JAA08907; Fri, 14 Jun 1996 09:23:34 +0400 (GMT-4)
Received: (smap@localhost) by fw.true.net (8.7.4/8.6.12) id JAA22432; Fri, 14 Jun 1996 09:23:34 +0400 (GMT-4)
Received: from ws3.true.net(200.11.134.12) by fw.true.net via smap (V1.3)
Message-ID: <31C0F747.41C67EA6@true.net>
Date: Fri, 14 Jun 1996 09:23:19 +0400
From: "Luis E. Munoz"
Organization: TRUEnet Red Internacional de Informacion
X-Mailer: Mozilla 2.0 (X11; I; BSD/OS 2.0 i386)
MIME-Version: 1.0
To: firewalls-digest@GreatCircle.COM
Subject: Re: Cisco 2500's and BGP
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just wanted to add my little grain of salt to this topic. I've a 2501 w/16Mb RAM, and we've tried a few providers.
From our experience, the routing table sizes (full routing) are:

AlterNet: ~10Mb
Sprint: ~24Mb
MCI: ~24Mb

Using BGP4 on your multihomed 2501 will allow you to quite effectively load-balance the _incoming_ traffic, however, with a 2501, the routing tables won't fit, forcing you to use a subset. If you want to load balance the output traffic, just add two static routes with the same cost. This will probably not achieve the optimum load balance, but will provide redundancy in case one of your local loops fails.

The problem is that if some part of one of your providers fails, you'll see a part of the Internet that seems to vanish at times and behaves with extremely bad performance, as packets routed to the `bad' provider will not reach their destinations while packets sent over to the `good' one arrive flawlessly.

I think this is a good argument to decide if you want a larger unit (for full BGP routing, which will eliminate this problem) or can use a single low-end router. In any case, I would recommend at least 64Mb RAM on anything running BGP4. Very few network admins are thinking (or even care) about CIDR. Just keep in mind that the routing tables are growing in a similar proportion to the net growth.

Best regards.

--
--------------------------------------------------------------
Luis E. Muñoz R.
Tel/Phone: +582 2392544
Network Manager                            Fax: +582 2375048
TRUEnet Red Internacional de Informacion   Email: lem@true.net

From firewalls-owner Fri Jun 14 06:36:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA08504 for firewalls-outgoing; Fri, 14 Jun 1996 06:22:40 -0700 (PDT)
Received: from netop3.harvard.edu (netop3.harvard.edu [128.103.205.103]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA08497 for ; Fri, 14 Jun 1996 06:22:34 -0700 (PDT)
From: equaad@nedhmail.nedh.harvard.edu
Received: from nedhmail.nedh.harvard.edu (nedhmail.nedh.harvard.edu [134.174.212.33]) by netop3.harvard.edu (8.6.12/8.6.12) with SMTP id JAA17121 for ; Fri, 14 Jun 1996 09:18:36 -0400
Received: from ccMail by nedhmail.nedh.harvard.edu (SMTPLINK V2.11 PreRelease 4)
Date: Fri, 14 Jun 96 09:15:38 EST
Message-Id: <9605148347.AA834769271@nedhmail.nedh.harvard.edu>
To: firewalls@greatcircle.com
Subject: Decent tech support
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I second the request for info on tech support quality -- right now we have Firewall-1 software from Checkpoint and can't seem to get decent support to save our lives. Anyone else have this product and have a reseller that provides good support??? I'm in the New England area but don't see why I would need a reseller in this area to provide good support (since it's 99% phone support anyway). Anyone know a reseller with a good, *quick* technical support??
Ellen Quaadgras
Systems Administrator
equaad@indigo.mit.edu

From firewalls-owner Fri Jun 14 07:36:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA13072 for firewalls-outgoing; Fri, 14 Jun 1996 07:23:19 -0700 (PDT)
Received: from trex.netrex.com (trex.netrex.com [205.254.178.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA13065 for ; Fri, 14 Jun 1996 07:23:13 -0700 (PDT)
Received: from foghorn (foghorn [205.254.178.10]) by trex.netrex.com (8.7.5/8.7.3) with SMTP id KAA26786; Fri, 14 Jun 1996 10:19:53 -0400 (EDT)
Message-Id: <2.2.32.19960614141621.00a122d8@trex.netrex.com>
X-Sender: richards@trex.netrex.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 14 Jun 1996 10:16:21 -0400
To: equaad@nedhmail.nedh.harvard.edu
From: "Richard D. Stiennon"
Subject: Re: Decent tech support
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to direct your attention to Netrex. We are a reseller in Michigan and are the only certified FW-1 training facility in the Midwest. We have a 2-day seminar that involves hands-on training in setting up and maintaining FW-1 in our class room with 12 Sun workstations. The course is offered every two weeks. Email Niki (nikie@netrex.com) for schedule information.

We offer *quick* support to our customers. We are lucky enough to have a local Checkpoint technical support person that spends a lot of time in our office so we can escalate problems to the next level easily. We consider ourselves the experts. Please feel free to contact me.

Cheers!

At 09:15 AM 6/14/96 EST, equaad@nedhmail.nedh.harvard.edu wrote:
> I second the request for info on tech support quality -- right now we
> have Firewall-1 software from Checkpoint and can't seem to get decent
> support to save our lives. Anyone else have this product and have a
> reseller that provides good support???
> I'm in the New England area but
> don't see why I would need a reseller in this area to provide good
> support (since it's 99% phone support anyway). Anyone know a reseller
> with a good, *quick* technical support??
>

Richard Stiennon                    richards@netrex.com
Director, Business Development      www.netrex.com/richard
Netrex, Inc.                        Voice: 810-352-9643
3000 Town Center, Suite 1100        Fax: 810-352-2375
Southfield, MI 48075

From firewalls-owner Fri Jun 14 08:07:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14423 for firewalls-outgoing; Fri, 14 Jun 1996 07:53:46 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA14416 for ; Fri, 14 Jun 1996 07:53:35 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id JAA26254; Fri, 14 Jun 1996 09:50:21 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA22256; Fri, 14 Jun 1996 09:45:17 -0500
Received: by sonic.nmti.com; id AA06392; Fri, 14 Jun 1996 09:45:16 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9606141445.AA06392@sonic.nmti.com.nmti.com>
Subject: Re: Re[2]: Active-X and/or Java?
To: Michael_Beeler@ccmail.northgrum.com
Date: Fri, 14 Jun 1996 09:45:16 -0500 (CDT)
Cc: jklein@ncdc.noaa.gov, dufresne@winternet.com, Firewalls@GreatCircle.COM
In-Reply-To: <1BDF82A0.1557@ccmail.northgrum.com> from "Michael_Beeler@ccmail.northgrum.com" at Jun 11, 96 02:37:38 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Just a thought, but does anyone know if Active-X is any more secure
> than JAVA?

Yes. It's not.
From firewalls-owner Fri Jun 14 08:22:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14394 for firewalls-outgoing; Fri, 14 Jun 1996 07:53:02 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA14384 for ; Fri, 14 Jun 1996 07:52:53 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id JAA26205; Fri, 14 Jun 1996 09:49:57 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA22180; Fri, 14 Jun 1996 09:40:00 -0500
Received: by sonic.nmti.com; id AA07391; Fri, 14 Jun 1996 09:39:59 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9606141439.AA07391@sonic.nmti.com.nmti.com>
Subject: Re: New Firewall Announcement
To: jnoetzel@intermind.com (Jeremy Noetzelman)
Date: Fri, 14 Jun 1996 09:39:59 -0500 (CDT)
Cc: jvincent@actane.com, steve@gbnet.org, firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19960611194108.00b2d8dc@intermind.com> from "Jeremy Noetzelman" at Jun 11, 96 12:41:08 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Am I the only one who doesn't like the idea of my firewall being managed by
> SNMP?

No. I'm as leery of SNMP management of the firewall as I am of that bloke who was pushing WWW-based administration.
From firewalls-owner Fri Jun 14 08:40:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA17201 for firewalls-outgoing; Fri, 14 Jun 1996 08:30:49 -0700 (PDT)
Received: from c2smtp.on.com (c2smtp.on.com [207.18.216.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA17169 for ; Fri, 14 Jun 1996 08:30:40 -0700 (PDT)
Received: from Connect2 Message Router by c2smtp.on.com
Message-ID: <2F5FC14101D40000@c2smtp.on.com>
Date: Fri, 14 Jun 1996 11:26:00 -0500
From: David Tate
Organization: On Technology
To: firewalls@greatcircle.com
Subject: Re: Decent tech support
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7BIT
X-Mailer: Connect2-SMTP 4.01.b32G MHS to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

======== Original Message ========

I would like to direct your attention to Netrex. We are a reseller in
Michigan and are the only certified FW-1 training facility in the Midwest.
We have a 2-day seminar that involves hands-on training in setting up and
maintaining FW-1 in our class room with 12 Sun workstations. The course is
offered every two weeks. Email Niki (nikie@netrex.com) for schedule
information.

We offer *quick* support to our customers. We are lucky enough to have a
local Checkpoint technical support person that spends a lot of time in our
office so we can escalate problems to the next level easily. We consider
ourselves the experts. Please feel free to contact me.

Cheers!

At 09:15 AM 6/14/96 EST, equaad@nedhmail.nedh.harvard.edu wrote:
> I second the request for info on tech support quality -- right now we
> have Firewall-1 software from Checkpoint and can't seem to get decent
> support to save our lives. Anyone else have this product and have a
> reseller that provides good support??? I'm in the New England area but
> don't see why I would need a reseller in this area to provide good
> support (since it's 99% phone support anyway).
> Anyone know a reseller
> with a good, *quick* technical support??
>
Richard Stiennon                     richards@netrex.com
Director, Business Development       www.netrex.com/richard
Netrex, Inc.                         Voice: 810-352-9643
3000 Town Center, Suite 1100         Fax: 810-352-2375
Southfield, MI 48075

======== Fwd by: David Tate ========

I guess now we will see how many resellers are part of the
{firewalls@GreatCircle.COM} ..... Potts :)

From firewalls-owner Fri Jun 14 08:51:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18514 for firewalls-outgoing; Fri, 14 Jun 1996 08:49:04 -0700 (PDT)
Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA18500 for ; Fri, 14 Jun 1996 08:48:57 -0700 (PDT)
Received: (pokey@localhost) by maddie.atlantic.com (8.6.10/8.6.11) id LAA22722; Fri, 14 Jun 1996 11:44:10 -0400
From: Rick Romkey
Message-Id: <199606141544.LAA22722@maddie.atlantic.com>
Subject: Re: Decent tech support
To: richards@netrex.com (Richard D. Stiennon)
Date: Fri, 14 Jun 1996 11:44:10 -0400 (EDT)
Cc: equaad@nedhmail.nedh.harvard.edu, firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19960614141621.00a122d8@trex.netrex.com> from "Richard D. Stiennon" at Jun 14, 96 10:16:21 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not to knock whatever kind of support Netrex offers, but before anyone runs
off to Netrex to buy support for Firewall-1, I'd really recommend contacting
CheckPoint directly about less than desirable support. Perhaps they can
offer you a local solution or take up the issue with your current reseller.

When a person selects a vendor for a firewall, they really should check for
more than the best price. These things require maintenance and support, and
sometimes the people that sell them may not necessarily know all the ins and
outs about how to support them.
I mean you don't count on a car salesman to fix your car, you make sure they
have a half decent garage and more than a part-time mechanic.

Just my opinion.

-Rick
----------------------------------------------------------------------------
Rick E Romkey        |  A T L A N T I C                     |  Internet
pokey@atlantic.com   |  Computing Technology Corporation    |  Specialists
(860) 667-9596       |  http://www.atlantic.com/            |
-----------------------------------------------------------------------------

From firewalls-owner Fri Jun 14 09:04:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA15075 for firewalls-outgoing; Fri, 14 Jun 1996 08:04:26 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA15061 for ; Fri, 14 Jun 1996 08:04:18 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id LAA14057; Fri, 14 Jun 1996 11:02:52 -0500
From: Adam Shostack
Message-Id: <199606141602.LAA14057@homeport.org>
Subject: Re: IBM Firewall
To: ian@martel.demon.co.uk (Ian Gresley-Jones)
Date: Fri, 14 Jun 1996 11:02:52 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)
In-Reply-To: from "Ian Gresley-Jones" at Jun 13, 96 02:15:40 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are you talking about sysck? sysck is configurable to use md5; however, I
wasn't able to find documentation on doing so. IBM'ers here did offer to
provide me with help (Thanks again, Andreas!), but not everyone who buys an
SNG has access to this list, and as such, how to provide integrity checking
on the firewall should be part of the manual.

Adam

Ian Gresley-Jones wrote:
| In reply to Adam's comments below - there is an integrity checker in AIX
| v3.??? (3.2.5 and some earlier) called tcbck.
| It is possible without too
| much trouble to make it use md5 (forgotten the details - if anyone is
| interested I'll dig out some notes) so it can be useful, even if not as
| flexible as Tripwire. I don't know how much this is used in SNG by
| default, but I've set it up in a variety of ways (varying from once
| every 10 seconds for a short list of critical files, to once daily for a
| full filesystem check ....).
|
| < Gene said...>
| >If there's anyone out there who has experience with SNG, any criticisms of the product are
| >more than welcome (either via the mailing list or direct e-mail to me). I'm creating a
| >"To Do" list for the developers in Raleigh for subsequent versions of the Firewall.
|
| That's good news Gene - Hey OtherSuppliers - take note !!!
| >
| >genelee@vnet.ibm.com
| >
|
| >Something like tripwire or L5 would be nice. I know there's an
| >integrity checker in /etc/security/? (Been a while since I used AIX),
| >but there's no docs for it, and I don't think it supports MD5 or SHA1.
|
| The docs are there in 'info', but as seems standard for IBM they are
| not as complete, consistent or even in some cases correct as they might
| be - here's one for the Raleigh boys to improve on Gene !
|
| >
| >Most of the other shortcomings I saw were in the manual; not talking
| >about stripping out un-needed services, not talking about reducing
| >permission levels on sendmail & rdist, and the rest of them.
|
| Agreed, AIX is a monstrous beast and needs a bare bones installation
| with very careful configuration. IBM should provide some details of the
| lengths they go to in stripping out or switching off the nasties, and
| what they do with things like sendmail (very old version as standard in
| 3.2.5).
| What about monitoring (the audit subsystem is useful - what use is made
| of it), intrusion detection etc.
|
| I admit I only saw some basic info on an early version of the product,
| maybe more info is available, but they do keep it quiet. Tell us more
| Gene....
|
| Regards
|
| Ian
| ********************************************************************
| Ian Gresley-Jones              * Protek Warrington (UK) 01925 240340
|                                *     or Maidenhead (UK) 01628 75959
| or                             *
| -- speaking for myself only -- * ZZR600
| ********************************************************************
|
--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Fri Jun 14 09:47:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA23470 for firewalls-outgoing; Fri, 14 Jun 1996 09:24:34 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA23444 for ; Fri, 14 Jun 1996 09:24:23 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id SAA28550; Fri, 14 Jun 1996 18:20:30 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9606141620.AA25728@tidtest.total.fr>
To: peter@baileynm.com (Peter da Silva)
Cc: jnoetzel@intermind.com (Jeremy Noetzelman), jvincent@actane.com
Subject: Re: New Firewall Announcement
In-Reply-To: Your message of "Fri, 14 Jun 1996 09:39:59 CDT."
X-Cuse: "The dog ate my network"
Date: Fri, 14 Jun 1996 18:20:09 +0100
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <9606141439.AA07391@sonic.nmti.com.nmti.com>, Peter da Silva writes:
>
> No. I'm as leery of SNMP management of the firewall as I am of that bloke
> who was pushing WWW-based administration.
>

Hmm, yes, I know who you mean ... whuzzisname ... I've got it on the tip
of my tongue ...
Oh, yes, John Chambers

[Sorry, couldn't resist]

Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Fri Jun 14 09:51:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA22796 for firewalls-outgoing; Fri, 14 Jun 1996 09:21:22 -0700 (PDT)
Received: from netcomsv.netcom.com (uucp4.netcom.com [163.179.3.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA22687 for ; Fri, 14 Jun 1996 09:21:01 -0700 (PDT)
Received: from rise_2.UUCP by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1)
Received: from viper.rise.com by rise_2.rise_2.uucp.netcom.COM (4.1/SMI-4.1)
Date: Fri, 14 Jun 96 09:02:35 PDT
From: rise_2!dzung@netcom.com (Dzung Tran)
Message-Id: <9606141602.AA09112@rise_2.rise_2.uucp.netcom.COM>
To: nedhmail.nedh.harvard.edu!equaad@netcom.com
Subject: Re: Decent tech support
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From GreatCircle.COM!firewalls-owner@netcomsv.netcom.com Fri Jun 14 08:48:07 1996
> From: nedhmail.nedh.harvard.edu!equaad@netcomsv.netcom.com
> Date: Fri, 14 Jun 96 09:15:38 EST
> To: firewalls@greatcircle.com
> Subject: Decent tech support
> Sender: GreatCircle.COM!firewalls-owner@netcomsv.netcom.com
> Content-Length: 580
>
> I second the request for info on tech support quality -- right now we
> have Firewall-1 software from Checkpoint and can't seem to get decent
> support to save our lives. Anyone else have this product and have a
> reseller that provides good support??? I'm in the New England area but
> don't see why I would need a reseller in this area to provide good
> support (since it's 99% phone support anyway). Anyone know a reseller
> with a good, *quick* technical support??
>
> Ellen Quaadgras
> Systems Administrator
> equaad@indigo.mit.edu
>
>

Sun resells the same software as Solstice Firewall-1. I would expect good
tech support from Sun.
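The IBM Firewall thread above (Adam Shostack and Ian Gresley-Jones on sysck/tcbck, md5 and Tripwire) comes down to one mechanism: keep a hash baseline of the firewall's files and re-check it, either a short list of critical files frequently or the whole filesystem once a day. The Go program below is an added example written for this archive; it is not code from either poster, from AIX's tcbck or from Tripwire. It shows the baseline-and-verify logic on a scratch directory, using SHA-256 in place of the MD5 the thread discusses (the comparison logic does not depend on the hash). The file names and contents are constructed, and `ListTree`, `Snapshot`, `Verify` and `Demo` are names chosen here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a file name (relative to the checked root) to the hex SHA-256
// of its contents; SHA-256 stands in for the MD5/SHA1 the thread mentions.
type Baseline map[string]string

// ListTree lists every regular file below root (relative, sorted): the input
// for the "once daily full filesystem check" case.
func ListTree(root string) ([]string, error) {
	var names []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type().IsRegular() {
			rel, _ := filepath.Rel(root, p)
			names = append(names, rel)
		}
		return nil
	})
	sort.Strings(names)
	return names, err
}

// Snapshot hashes the named files under root. Unreadable or absent files are
// left out, so they surface as Missing when compared with a baseline.
func Snapshot(root string, names []string) Baseline {
	b := Baseline{}
	for _, n := range names {
		if data, err := os.ReadFile(filepath.Join(root, n)); err == nil {
			sum := sha256.Sum256(data)
			b[n] = hex.EncodeToString(sum[:])
		}
	}
	return b
}

// Report is the outcome of one check; three empty lists means nothing changed.
type Report struct {
	Changed, Missing, Added []string
}

// Verify compares a stored baseline against a fresh snapshot.
func Verify(stored, current Baseline) Report {
	var r Report
	for name, old := range stored {
		if now, ok := current[name]; !ok {
			r.Missing = append(r.Missing, name)
		} else if now != old {
			r.Changed = append(r.Changed, name)
		}
	}
	for name := range current {
		if _, known := stored[name]; !known {
			r.Added = append(r.Added, name)
		}
	}
	sort.Strings(r.Changed)
	sort.Strings(r.Missing)
	sort.Strings(r.Added)
	return r
}

// Demo builds a scratch tree, baselines it, tampers with it and re-checks.
// File names and contents are constructed for this example.
func Demo() Report {
	dir, err := os.MkdirTemp("", "fwcheck")
	if err != nil {
		panic(err) // scratch setup only; a failure here is an environment problem
	}
	defer os.RemoveAll(dir)
	write := func(name, body string) {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			panic(err)
		}
	}
	write("inetd.conf", "ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n")
	write("hosts", "127.0.0.1 localhost\n")
	write("sendmail.cf", "# constructed sendmail config\n")
	names, _ := ListTree(dir)
	stored := Snapshot(dir, names) // in practice kept on read-only media
	// Tamper: edit one file, delete one, add one.
	write("inetd.conf", "ftp stream tcp nowait root /tmp/ftpd ftpd\n")
	os.Remove(filepath.Join(dir, "sendmail.cf"))
	write("rc.local", "# constructed startup script\n")
	names, _ = ListTree(dir)
	return Verify(stored, Snapshot(dir, names))
}

func main() {
	r := Demo()
	fmt.Printf("changed=%v missing=%v added=%v\n", r.Changed, r.Missing, r.Added)
}
```

For the "short list of critical files every 10 seconds" mode, pass a fixed name list to `Snapshot` instead of walking with `ListTree`. Whatever the schedule, the stored baseline has to live somewhere the checked host cannot rewrite (read-only media or another machine): a baseline that is writable by root on the same box tells you nothing once root is the thing you are worried about.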
From firewalls-owner Fri Jun 14 10:15:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA24074 for firewalls-outgoing; Fri, 14 Jun 1996 09:27:25 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA23959 for ; Fri, 14 Jun 1996 09:26:53 -0700 (PDT)
Received: by csc.com (Smail3.1.29.1 #1)
Message-ID: <31C1BC83.DD3@csc.com>
Date: Fri, 14 Jun 1996 12:24:51 -0700
From: Adam Safier
Reply-To: asafier@csc.com
Organization: Computer Sciences Corp.
X-Mailer: Mozilla 3.0b4 (Win16; I)
MIME-Version: 1.0
To: Firewalls@greatcircle.com
Subject: Remote firewall management
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FYI for those concerned with remote management. Seems firewalls would fall
into this category

--------------------------------------------
Subject: WG ACTION: Distributed Management (disman)
Date: Tue, 11 Jun 96 16:06:25 -0400
From: Cynthia Clark
To: IETF-Announce: ;
CC: ietf-123@CNRI.Reston.VA.US

A new working group has been formed in the Network Management Area of the
IETF. For more information, please contact the working group chairs or the
Area Directors.

Distributed Management (disman)
-------------------------------

Chair(s):
    Maria Greene

Network Management Area Director(s):
    Deirdre Kostick

Mailing lists:
    General Discussion: disman@nexen.com
    To Subscribe:       majordomo@nexen.com
        In Body:        subscribe disman your_email_address
    Archive:

Description of Working Group:

The Distributed Management Working Group is chartered to define an initial
set of managed objects for specific distributed network management
applications and a framework in which these applications and others can be
consistently developed and deployed.
A distributed network manager is an application that acts in a manager role
to perform management functions and in an agent role so that it can be
remotely controlled and observed. Distributed network management is widely
recognized as a requirement for dealing with today's growing internets. A
manager application is a good candidate for distribution if it requires
minimal user interaction, it would potentially consume a significant amount
of network resources due to frequent polling or large data retrieval, or it
requires close association with the device(s) being managed.

The working group will limit its work to distributed network management
applications where the communication mechanism used between managers (or
the components of the management application) is SNMP. Future work (and
other working groups) may be chartered to investigate other distribution
techniques such as CORBA or HTTP. The objects defined by the working group
will be consistent with the SNMP framework. The working group will
especially keep security considerations in mind when defining the interface
to distributed management.

The working group will complete these tasks:

o Define a Threshold Monitoring MIB
o Define a Script MIB
o Define a Distribution Management Framework and MIB

This last MIB is required in order to keep distributed managers from adding
to the management problem. This MIB will allow distributed managers of many
types to be controlled in a consistent way including controlling their
"management domain" (the set of devices upon which they act), the
relationships between the management applications or components, and to
some extent the scheduling of their operation.
The working group will consider existing definitions, including:

o RFC1451, The Manager to Manager MIB which was being considered by the
  SNMPv2 working group
o the RMON working group's work in this area
o the SNMP Mid-Level-Manager MIB which is now an expired Internet-Draft
o the work of the Application MIB working group

It is recognized that the scope of this working group is narrow relative to
the potential in the area of distributed network management. This is
intentional in order to increase the likelihood of producing useful, quality
specifications in a timely manner. However, we will keep in mind and account
for potential related or future work when developing the framework
including:

o Event and alarm logging and distribution
o Historical data collection/summarization
o Topology discovery

Goals and Milestones:

May 96  Post Internet-Draft for Threshold Monitoring MIB.
Jun 96  Meet at the Montreal IETF meeting to discuss charter and review the
        Threshold Monitoring MIB Internet-Draft.
Jul 96  Post Internet-Draft for Framework document.
Aug 96  Post Internet-Draft for Script MIB.
Sep 96  Hold an interim meeting to discuss Internet-Drafts and issues that
        come up on the mailing list.
Nov 96  Submit final version of Threshold Monitor MIB Internet-Draft for
        consideration as a Proposed Standard. Submit updated versions of
        Internet-Drafts for Script MIB and the Framework document.
Dec 96  Meet at the IETF meeting to discuss Internet-Drafts and issues that
        come up on the mailing list.
Feb 97  Submit final vers ions of Internet-Drafts for Script MIB and
        Framework document for consideration as Proposed Standards.

--
Adam Safier   CSC-SED-Infosec   asafier@csc.com
"Oh No! You did exactly what I told you to do!"
    - Cartoon caption, author unknown (but I'm looking. :)
The above are my own opinions, and I'm proud to live in a country where I'm
free to express them!
From firewalls-owner Fri Jun 14 10:22:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA24834 for firewalls-outgoing; Fri, 14 Jun 1996 09:33:05 -0700 (PDT)
Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA24801 for ; Fri, 14 Jun 1996 09:32:52 -0700 (PDT)
Received: from bass.unifiedtech.com by anchorsteam (5.x/SMI-SVR4)
Received: by bass.unifiedtech.com (5.x/SMI-SVR4)
Date: Fri, 14 Jun 1996 12:29:51 -0400
From: Mike.Jones@unifiedtech.com (Mike Jones)
Message-Id: <9606141629.AA13684@bass.unifiedtech.com>
To: firewalls@greatcircle.com
Subject: FireWall-1 and token ring
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone ever set up a FW-1 firewall where one network interface was a
token ring? The best answer I've been able to get from Sun so far is "it
ought to work", but the documentation doesn't specifically say.

Mike Jones
Sr.
Network Computing Advisor
Unified Technologies

From firewalls-owner Fri Jun 14 10:35:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA25479 for firewalls-outgoing; Fri, 14 Jun 1996 09:38:23 -0700 (PDT)
Received: from booz.bah.com (booz.bah.com [156.80.3.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA25452 for ; Fri, 14 Jun 1996 09:38:13 -0700 (PDT)
Received: from booz.bah.com (booz.bah.com [156.80.3.3]) by booz.bah.com (8.7.5/8.7.3) with SMTP id MAA29593 for ; Fri, 14 Jun 1996 12:35:22 -0400 (EDT)
Date: Fri, 14 Jun 1996 12:35:21 -0400 (EDT)
From: Chris Carlson
To: firewalls@greatcircle.com
Subject: Re: New Firewall Announcement
In-Reply-To: <9606141439.AA07391@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 14 Jun 1996, Peter da Silva wrote:

> > Am I the only one who doesn't like the idea of my firewall being managed by
> > SNMP?
>
> No. I'm as leery of SNMP management of the firewall as I am of that bloke
> who was pushing WWW-based administration.
>

And why are you leery of WWW-based administration?

I think with user authentication and encryption, a Web front-end would be a
good administration tool. Cross platform, location independent. (None of
this "console only" or "X the GUI back to you" management).

Any thoughts?
Chris

From firewalls-owner Fri Jun 14 10:41:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28627 for firewalls-outgoing; Fri, 14 Jun 1996 10:14:52 -0700 (PDT)
Received: from sierra.zyzzyva.com (ppp0.zyzzyva.com [198.183.2.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA28620 for ; Fri, 14 Jun 1996 10:14:44 -0700 (PDT)
Received: from zyzzyva.com (localhost [127.0.0.1]) by sierra.zyzzyva.com (8.7.5/8.6.11) with ESMTP id MAA26515; Fri, 14 Jun 1996 12:10:02 -0500 (CDT)
Message-Id: <199606141710.MAA26515@sierra.zyzzyva.com>
To: peter@baileynm.com (Peter da Silva)
cc: jnoetzel@intermind.com (Jeremy Noetzelman), jvincent@actane.com
Subject: Re: New Firewall Announcement
In-reply-to: peter's message of Fri, 14 Jun 1996 09:39:59 -0500.
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 14 Jun 1996 12:09:51 -0500
From: Randy Terbush
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Am I the only one who doesn't like the idea of my firewall being managed by
> > SNMP?
>
> No. I'm as leery of SNMP management of the firewall as I am of that bloke
> who was pushing WWW-based administration.

Hmmm. Since I haven't poked my head up yet on the WWW-based admin topic,
I'm probably classified as "Yet Another" bloke. http://www.zyzzyva.com/iron/

I think an acceptable level of security can be provided by an SSL
encrypted connection to an HTTP config server offering connections
only to an internal net.
--
Randy Terbush            ----------------------------------- Zyzzyva Enterprises
randy@zyzzyva.com        ------------------------------- 1549 South 23rd
http://www.zyzzyva.com/  ------------------------- Lincoln, NE 68502
------------------------------------------------- 402.438.1848

From firewalls-owner Fri Jun 14 11:56:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA10113 for firewalls-outgoing; Fri, 14 Jun 1996 11:43:30 -0700 (PDT)
Received: from hidata.com ([205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA10105 for ; Fri, 14 Jun 1996 11:43:24 -0700 (PDT)
Received: by hidata.com; id AA02809; Fri, 14 Jun 96 11:40:24 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Fri, 14 Jun 1996 11:39:53 -0700
Message-Id: <199606141839.LAA19172@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: New Firewall Announcement
Cc: jnoetzel@intermind.com (Jeremy Noetzelman), jvincent@actane.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> No. I'm as leery of SNMP management of the firewall as I am of that bloke
>> who was pushing WWW-based administration.
>
>Hmmm. Since I haven't poked my head up yet on the WWW-based admin topic,
>I'm probably classified as "Yet Another" bloke. http://www.zyzzyva.com/iron/
>
>I think an acceptable level of security can be provided by an SSL
>encrypted connection to an HTTP config server offering connections
>only to an internal net.
>

With SSL the username/password is still passed in clear text. Anyone know
a way to send encrypted username/password to start an SSL session?

Bill

<=======10========20========30========40========50========60========70========80
William B.
Stout                  | Major revelations:
Senior Systems Admin   | "All objects are part of a larger object."
Hitachi Data Systems   | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers  | "The secret of life: To be involved with 'creation'."
408-970-4822           | Disclaimer: I speak for no one but us three people. ;)
--------------------------------------------------------------------------------

From firewalls-owner Fri Jun 14 12:07:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA10325 for firewalls-outgoing; Fri, 14 Jun 1996 11:50:59 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA10318 for ; Fri, 14 Jun 1996 11:50:53 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id UAA29515; Fri, 14 Jun 1996 20:47:19 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9606141847.AA26377@tidtest.total.fr>
To: Mike.Jones@unifiedtech.com (Mike Jones)
Cc: firewalls@greatcircle.com
Subject: Re: FireWall-1 and token ring
In-Reply-To: Your message of "Fri, 14 Jun 1996 12:29:51 EDT."
X-Cuse: "The dog ate my network"
Date: Fri, 14 Jun 1996 20:47:22 +0100
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <9606141629.AA13684@bass.unifiedtech.com>, Mike Jones writes:
> Has anyone ever set up a FW-1 firewall where one network interface
> was a token ring? The best answer I've been able to get from Sun so
> far is "it ought to work", but the documentation doesn't specifically
> say.
>

I don't know about FW-1, but I've had unpleasant experiences with TR
interfaces under 4.1.4.
Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Fri Jun 14 12:23:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA10057 for firewalls-outgoing; Fri, 14 Jun 1996 11:40:48 -0700 (PDT)
Received: from hidata.com ([205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA10050 for ; Fri, 14 Jun 1996 11:40:42 -0700 (PDT)
Received: by hidata.com; id AA02804; Fri, 14 Jun 96 11:37:54 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Fri, 14 Jun 1996 11:37:29 -0700
Message-Id: <199606141837.LAA19160@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Bill Stout
Subject: Re: New Firewall Announcement
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>...
>And why are you leery of WWW-based administration?
>
>I think with user authentication and encryption, a Web front-end would
>be a good administration tool. Cross platform, location independent.
>(None of this "console only" or "X the GUI back to you" management).
>
>Any thoughts?
>
>Chris

TIS does it with their Gauntlet 3.1. However you need to start the
'gauntlet-gui' daemon on the firewall, connect in to the port you
configured the infoserver on, and you end up connecting with the 'port
number of the session'. Each session into the firewall is a different port
number.

I would feel more comfortable about it if a username/password was asked
for, it were https instead of http, and the session could be started from
the firewall, targeting a specific client. All via a secure telnet session,
of course.

Bill

<=======10========20========30========40========50========60========70========80
William B.
Stout                  | Major revelations:
Senior Systems Admin   | "All objects are part of a larger object."
Hitachi Data Systems   | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers  | "The secret of life: To be involved with 'creation'."
408-970-4822           | Disclaimer: I speak for no one but us three people. ;)
--------------------------------------------------------------------------------

From firewalls-owner Fri Jun 14 12:40:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA11886 for firewalls-outgoing; Fri, 14 Jun 1996 12:25:07 -0700 (PDT)
Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA11860 for ; Fri, 14 Jun 1996 12:24:55 -0700 (PDT)
Received: (pokey@localhost) by maddie.atlantic.com (8.6.10/8.6.11) id PAA23459; Fri, 14 Jun 1996 15:16:08 -0400
From: Rick Romkey
Message-Id: <199606141916.PAA23459@maddie.atlantic.com>
Subject: Re: FireWall-1 and token ring
To: lavondes@tidtest.total.fr (Michel Lavondes)
Date: Fri, 14 Jun 1996 15:16:08 -0400 (EDT)
Cc: Mike.Jones@unifiedtech.com, firewalls@GreatCircle.COM
In-Reply-To: <9606141847.AA26377@tidtest.total.fr> from "Michel Lavondes" at Jun 14, 96 08:47:22 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> In message <9606141629.AA13684@bass.unifiedtech.com>, Mike Jones writes:
> > Has anyone ever set up a FW-1 firewall where one network interface
> > was a token ring? The best answer I've been able to get from Sun so
> > far is "it ought to work", but the documentation doesn't specifically
> > say.
> >
> I don't know about FW-1, but I've had unpleasant experiences with
> TR interfaces under 4.1.4.

I've gotten FW-1 to work with 2 token ring interfaces running on a Sparc
1000. I imagine that it should work with 1 token ring and an ethernet.
However, the token ring cards did generate a few odd errors every once in a
while, but it runs pretty stable.

-Rick
----------------------------------------------------------------------------
Rick E Romkey        |  A T L A N T I C                     |  Internet
pokey@atlantic.com   |  Computing Technology Corporation    |  Specialists
(860) 667-9596       |  http://www.atlantic.com/            |
-----------------------------------------------------------------------------

From firewalls-owner Fri Jun 14 13:12:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA15311 for firewalls-outgoing; Fri, 14 Jun 1996 12:50:52 -0700 (PDT)
Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA15277 for ; Fri, 14 Jun 1996 12:50:40 -0700 (PDT)
Received: (from shaver@localhost) by neon.ingenia.com (8.8.Alpha.2/8.6.9) id PAA05942; Fri, 14 Jun 1996 15:47:38 -0400
From: Mike Shaver
Message-Id: <199606141947.PAA05942@neon.ingenia.com>
Subject: Re: New Firewall Announcement
To: bill.stout@hidata.com (Bill Stout)
Date: Fri, 14 Jun 1996 15:47:37 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199606141839.LAA19172@osc.osc.hidata.com> from "Bill Stout" at Jun 14, 96 11:39:53 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake Bill Stout:
> With SSL the username/password is still passed in clear text.

Not true. The SSL handshake is the _first_ part of any HTTPS transaction,
and any part of the HTTP stream (including authentication info, etc.) is
encrypted.

Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> Chief System Architect -- Head geek -- System exorcist                <#
#>                                                                       <#
#> "Have you considered a life? I hear they're quite affordable          <#
#>  these days."
#>                --- shields@tembel.org                                 <#

From firewalls-owner Fri Jun 14 13:46:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA16918 for firewalls-outgoing; Fri, 14 Jun 1996 13:01:40 -0700 (PDT)
Received: from mm1 (mm1.sprynet.com [165.121.2.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA16889 for ; Fri, 14 Jun 1996 13:01:28 -0700 (PDT)
Received: from stoico.metlife.com ([204.146.159.223]) by mm1.sprynet.com with SMTP id <148205-27126>; Fri, 14 Jun 1996 12:55:50 -0700
Received: by stoico.metlife.com with Microsoft Mail
Message-ID: <01BB5A0A.4F1B90C0@stoico.metlife.com>
From: Mike Stoico
To: "Firewalls@GreatCircle.COM"
Cc: Jeremy Noetzelman
Subject: RE: New Firewall Announcement
Date: Fri, 14 Jun 1996 15:58:08 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
From:    Bill Stout[SMTP:bill.stout@hidata.com]
Sent:    Friday, June 14, 1996 2:40 PM
To:      Firewalls@GreatCircle.COM
Cc:      Jeremy Noetzelman; jvincent@actane.com
Subject: Re: New Firewall Announcement

With SSL the username/password is still passed in clear text. Anyone know
a way to send encrypted username/password to start an SSL session?

The best way that I know of is to use secure tokens instead of passwords.

=========================================================================
Mike Stoico, I/S Security Consultant  *  Phone:  (518)285-2567
MetLife                               *  Fax:    (518)285-2542
500 Jordan Rd                         *  E-Mail: mstoico@metlife.com
Troy, NY 12180                        *  URL:    www.metlife.com
=========================================================================
The opinions expressed here are my own and may not be those of my employer.
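The point argued across the last few messages of the New Firewall Announcement thread (Bill Stout: "With SSL the username/password is still passed in clear text"; Mike Shaver: the handshake comes first, so everything in the HTTP stream including the authentication info is encrypted; Randy Terbush: offer the HTTPS config server only to the internal net) can be checked on a loopback socket. The Go program below is an added example written for this archive, not code from any of the posters, from Gauntlet or from any other product named in the thread. It assumes HTTP Basic authentication as the username/password mechanism (the thread does not say which), runs a throwaway TLS or plaintext admin server with Go's `net/http/httptest`, and taps the bytes the server reads off the socket before TLS decrypts them, which is exactly what someone sniffing the wire would see. The `/admin` path, the credentials `admin`/`s3cret`, and the `127.0.0.0/8` allowlist are constructed values; `onlyFrom`, `adminHandler` and `Run` are names chosen here.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

// wireTap wraps a listener and copies every byte the server reads from an
// accepted socket before TLS (if any) decrypts it: an eavesdropper on the LAN.
type wireTap struct {
	net.Listener
	mu  sync.Mutex
	buf bytes.Buffer
}

type tappedConn struct {
	net.Conn
	tap *wireTap
}

func (t *wireTap) Accept() (net.Conn, error) {
	c, err := t.Listener.Accept()
	if err != nil {
		return nil, err
	}
	return tappedConn{Conn: c, tap: t}, nil
}

func (c tappedConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	if n > 0 {
		c.tap.mu.Lock()
		c.tap.buf.Write(p[:n])
		c.tap.mu.Unlock()
	}
	return n, err
}

// onlyFrom refuses clients outside the given network, the "connections only
// to an internal net" restriction suggested in the thread.
func onlyFrom(cidr string, next http.Handler) http.Handler {
	_, allowed, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err) // a bad allowlist is a deployment error; fail loudly
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		if ip := net.ParseIP(host); ip == nil || !allowed.Contains(ip) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// adminHandler demands HTTP Basic credentials; "admin"/"s3cret" are constructed values.
func adminHandler(w http.ResponseWriter, r *http.Request) {
	if user, pass, ok := r.BasicAuth(); !ok || user != "admin" || pass != "s3cret" {
		w.Header().Set("WWW-Authenticate", `Basic realm="firewall admin"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintln(w, "ok")
}

// Run starts a throwaway admin server (TLS or plaintext), sends one
// authenticated request, and reports the HTTP status and whether the
// credentials were visible on the wire. Basic auth only Base64-encodes
// "admin:s3cret" (giving "YWRtaW46czNjcmV0"); TLS is what hides it.
func Run(useTLS bool, allowCIDR string) (status int, credsOnWire bool, err error) {
	srv := httptest.NewUnstartedServer(onlyFrom(allowCIDR, http.HandlerFunc(adminHandler)))
	tap := &wireTap{Listener: srv.Listener}
	srv.Listener = tap
	if useTLS {
		srv.StartTLS() // self-signed test certificate, which srv.Client() trusts
	} else {
		srv.Start()
	}
	defer srv.Close()
	req, _ := http.NewRequest("GET", srv.URL+"/admin", nil) // fixed method and URL: cannot fail
	req.SetBasicAuth("admin", "s3cret")
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0, false, err
	}
	resp.Body.Close()
	tap.mu.Lock()
	defer tap.mu.Unlock()
	return resp.StatusCode, bytes.Contains(tap.buf.Bytes(), []byte("YWRtaW46czNjcmV0")), nil
}

func main() {
	for _, useTLS := range []bool{false, true} {
		status, leaked, err := Run(useTLS, "127.0.0.0/8")
		fmt.Printf("tls=%v status=%d credentials visible on wire=%v err=%v\n", useTLS, status, leaked, err)
	}
}
```

Over plain HTTP the tap contains the Base64 credential string; over TLS it does not, because the client's first application bytes are sent only after the handshake, which is Mike Shaver's point. The allowlist check happens inside the request handler, so it rejects a request after the TLS handshake: if the goal is to keep outside hosts from even reaching the config server, that filter belongs on the firewall's packet rules or the listener's bind address as well, not only in the HTTP layer.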
From firewalls-owner Fri Jun 14 14:02:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA17448 for firewalls-outgoing; Fri, 14 Jun 1996 13:07:22 -0700 (PDT) Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA17434 for ; Fri, 14 Jun 1996 13:07:11 -0700 (PDT) Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1) Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1) Received: from spirit.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4) Received: by spirit.qualix (5.x/SMI-SVR4) From: security@qualix.com (Nik D. Knoth) Message-Id: <9606142001.AA08565@spirit.qualix> Subject: Re: FireWall-1 and token ring To: Mike.Jones@unifiedtech.com (Mike Jones) Date: Fri, 14 Jun 1996 13:01:06 -0700 (PDT) Cc: firewalls@greatcircle.com In-Reply-To: <9606141629.AA13684@bass.unifiedtech.com> from "Mike Jones" at Jun 14, 96 12:29:51 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mike, I've set up several firewall-1 situations with one or more token ring adaptors. It does, in fact, work. The one gotcha you will want to consider is this: You will likely get a number of "Magic Cookie" errors from fw-1 2.0c. CP has a patch which will fix this. -nik -- Nik D. Knoth Email: nik@qualix.com Qualix Support Team Office: 415.638.4106 The Qualix Group, Inc. Fax: 415.572.1300 > > Has anyone ever set up a FW-1 firewall where one network interface > was a token ring? The best answer I've been able to get from Sun so > far is "it ought to work", but the documentation doesn't specifically > say. > > Mike Jones > Sr. 
Network Computing Advisor > Unified Technologies > From firewalls-owner Fri Jun 14 14:04:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20497 for firewalls-outgoing; Fri, 14 Jun 1996 13:33:00 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id NAA20487 for firewalls@greatcircle.com; Fri, 14 Jun 1996 13:32:54 -0700 (PDT) Received: from h51.networx.ie (dublin-ts1-53.indigo.ie [194.125.133.53]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA25460 for ; Wed, 12 Jun 1996 08:39:57 -0700 (PDT) Received: (from root@localhost) by h51.networx.ie (8.6.12/8.6.12) id RAA00441 for firewalls@GreatCircle.COM; Wed, 12 Jun 1996 17:35:55 +0100 Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by aoife.indigo.ie (8.7.5/8.7.5) with ESMTP id PAA16111 for ; Wed, 12 Jun 1996 15:28:27 +0100 (BST) Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15291 for firewalls-outgoing; Wed, 12 Jun 1996 06:40:35 -0700 (PDT) Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA15284 for ; Wed, 12 Jun 1996 06:40:29 -0700 (PDT) Received: from wolverine.acquion.com ([206.154.17.12]) Message-Id: <2.2.32.19960612133812.0069c664@mail.acquion.com> X-Sender: oolid@mail.acquion.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 12 Jun 1996 09:38:12 -0400 To: firewalls@GreatCircle.COM From: oolid@acqic.org (Joseph L. Moll) Subject: Cisco 2500's and BGP Status: U Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry for the off topic question, please respond via private email. Can anyone comment on the use of Cisco 2500's for border routers running BGP4 and limited access lists? Can they handle the load? Best Regards, --- Joseph L. 
(Joe) Moll, Greenville, SC USA mailto:oolid@acqic.org --- From firewalls-owner Fri Jun 14 14:06:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19776 for firewalls-outgoing; Fri, 14 Jun 1996 13:25:31 -0700 (PDT) Received: from hidata.com ([205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA19762; Fri, 14 Jun 1996 13:25:18 -0700 (PDT) Received: by hidata.com; id AA03229; Fri, 14 Jun 96 13:22:29 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) Date: Fri, 14 Jun 1996 13:22:08 -0700 Message-Id: <199606142022.NAA19655@osc.osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: New Firewall Announcement Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Really? I must've been misled. Could you point me to a detailed SSL reference? From what I've seen, SSL requires username/password before the encrypted link starts. Bill At 03:47 PM 6/14/96 -0400, Mike Shaver wrote: >Thus spake Bill Stout: >> With SSL the username/password is still passed in clear text. > >Not true. >The SSL handshake is the _first_ part of any HTTPS transaction, and >any part of the HTTP stream (including authentication info, etc.) is >encrypted. > >Mike > >-- >#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <# >#> Chief System Architect -- Head geek -- System exorcist <# >#> <# >#> "Have you considered a life? I hear they're quite affordable <# >#> these days." 
--- shields@tembel.org <# > > From firewalls-owner Fri Jun 14 14:08:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20225 for firewalls-outgoing; Fri, 14 Jun 1996 13:29:16 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id NAA20200 for firewalls@greatcircle.com; Fri, 14 Jun 1996 13:29:02 -0700 (PDT) Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA06541 for ; Wed, 12 Jun 1996 04:53:19 -0700 (PDT) Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1)) From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne) Message-Id: <9606121151.AA16688@dsacg1.dsac.dla.mil> Subject: Re: buildin the tis toolkit under bsdi 2.1 To: rromine@nsf.gov Date: Wed, 12 Jun 96 7:51:07 EDT Cc: firewalls@greatcircle.com In-Reply-To: <23500.834537188@nsf.gov>; from "rromine@nsf.gov" at Jun 11, 96 7:53 pm Mailer: Elm [revision: 70.85.2.1] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks, I did subscribe to the users list, and I used the ipc libs and got a clean compile. Thanks a bunch. Steve > > Are you subscribed to the bsdi-users mailing list? You should at least > check the archives, to wit: > > Date: Thu, 9 May 1996 19:52:26 -0500 (CDT) > To: Randy Moore , bsdi-users@BSDI.COM > From: Paul Borman > Sender: owner-bsdi-users@lists.gateway.com > Subject: Re: Undefined symbol _shmat when compiling/linking X11 stuff under 2.1 > > Due to a very late change in BSD/OS 2.1, we did not notice that X11 library > requires the shmat and shmdt library functions. To work around this issue > please include -lipc after -lX11. 
> > -Paul Borman > prb@bsdi.com > From firewalls-owner Fri Jun 14 14:13:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19655 for firewalls-outgoing; Fri, 14 Jun 1996 13:24:27 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id NAA19645 for firewalls@greatcircle.com; Fri, 14 Jun 1996 13:24:21 -0700 (PDT) Received: from thor.lglass.com (thor.lglass.com [206.35.48.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA18598 for ; Tue, 11 Jun 1996 05:12:57 -0700 (PDT) Received: from mailgw.lglass.com (mailgw.lglass.com [206.35.50.11]) by thor.lglass.com (8.7.1/8.7.1) with SMTP id IAA03757; Tue, 11 Jun 1996 08:05:49 -0400 Received: from Microsoft Mail (PU Serial #1654) From: CBrenton@lglass.com (Brenton, Chris) To: Darwin_Martinez@INS.COM (Darwin Martinez) Message-ID: <1996Jun11.081300.1654.28425@mailgw.lglass.com> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Date: Tue, 11 Jun 1996 08:12:58 -0400 Subject: RE: Attack? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- From: Darwin Martinez[SMTP:Darwin_Martinez@INS.COM] >I'm consistently seeing the following message on my FW-1. > >netbios_dgm 17.x.x.122 17.255.255.255 upd >and >netbios_ns 17.x.x.121 17.255.255.255 upd Are you running SAMBA, NT or Win95 on an internal system perhaps? Could one of your users have incorrectly configured their IP address? Can you get an ARP entry off of the firewall on this address so you know what MAC address is generating it? >When I try to ping the above network 17 address, no luck. When I do a >traceroute to it, the route goes through our external router, our ISP >router, an additional 5 routers of the same ISP then ends up with at least >24 entries (my ttl is 30) such as shown below for the netbios dgm: This is normal. 
What's happening is that your internal router does not know where to find this network (it has no routing table entry) so it is being forwarded to your default route. ***************************************** "I don't have a life...I have a program" --Voyager's Emergency Holographic Doctor ***************************************** From firewalls-owner Fri Jun 14 14:18:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19697 for firewalls-outgoing; Fri, 14 Jun 1996 13:24:43 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id NAA19664 for firewalls@greatcircle.com; Fri, 14 Jun 1996 13:24:33 -0700 (PDT) Received: from thor.lglass.com (thor.lglass.com [206.35.48.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA19317 for ; Tue, 11 Jun 1996 05:21:47 -0700 (PDT) Received: from mailgw.lglass.com (mailgw.lglass.com [206.35.50.11]) by thor.lglass.com (8.7.1/8.7.1) with SMTP id IAA03778; Tue, 11 Jun 1996 08:14:29 -0400 Received: from Microsoft Mail (PU Serial #1654) From: CBrenton@lglass.com (Brenton, Chris) To: jvincent@actane.com (Jean Vincent), steve@gbnet.org (Steve Kennedy) Cc: firewalls@greatcircle.com (firewalls) Message-ID: <1996Jun11.082100.1654.28427@mailgw.lglass.com> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Date: Tue, 11 Jun 1996 08:21:48 -0400 Subject: RE: New Firewall Announcement Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- From: Jean Vincent[SMTP:jvincent@actane.com] >Steve Kennedy wrote: >> >> This is blatantly untrue. The commercial KarlBridge/KarlBrouter has >> been entirely manageable via SNMP for at least a year if not longer !!! >> >> Steve > >Steve, are you sure that the firewall features are manageable by SNMP ? Yup, Steve's right. FW-1 does this as well. Not sure if there are others but the functionality has been available for a while. 
(not that I would _want_ my Firewall managed by SNMP :) >Many people have been asking in this list for such a feature (SNMP >management of firewalls) for a while - more than one year - and >nobody answered until now ! So let me get this straight, you've been monitoring this list for a year and in your last post you said you were not sure if this was the proper forum to make a product announcement?????? I really hate "forked tongue" marketing people! :( ***************************************** "I don't have a life...I have a program" --Voyager's Emergency Holographic Doctor ***************************************** From firewalls-owner Fri Jun 14 16:15:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA04856 for firewalls-outgoing; Fri, 14 Jun 1996 16:00:37 -0700 (PDT) Received: from sierra.zyzzyva.com (ppp0.zyzzyva.com [198.183.2.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA04813 for ; Fri, 14 Jun 1996 16:00:21 -0700 (PDT) Received: from zyzzyva.com (localhost [127.0.0.1]) by sierra.zyzzyva.com (8.7.5/8.6.11) with ESMTP id RAA05005; Fri, 14 Jun 1996 17:57:23 -0500 (CDT) Message-Id: <199606142257.RAA05005@sierra.zyzzyva.com> To: Bill Stout cc: Firewalls@greatcircle.com Subject: Re: New Firewall Announcement In-reply-to: bill.stout's message of Fri, 14 Jun 1996 13:22:08 -0700. X-uri: http://www.zyzzyva.com/ Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 14 Jun 1996 17:57:23 -0500 From: Randy Terbush Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Really? I must've been misled. Could you point me to a detailed > SSL reference? How about the source? http://arachnet.algroup.co.uk/Apache-SSL/ If you take a look at the source where the TCP socket is established you will see that _any_ connection to the SSL equipped server sets up the encrypted pipe to the client before exchanging further information. 
I would include the relevant portion here, but unfortunately, our government makes it a questionable practice. -- Randy Terbush ----------------------------------- Zyzzyva Enterprises randy@zyzzyva.com ------------------------------- 1549 South 23rd http://www.zyzzyva.com/ ------------------------- Lincoln, NE 68502 ------------------------------------------------- 402.438.1848 > From what I've seen, SSL requires username/password before the > encrypted link starts. > > Bill > > At 03:47 PM 6/14/96 -0400, Mike Shaver wrote: > >Thus spake Bill Stout: > >> With SSL the username/password is still passed in clear text. > > > >Not true. > >The SSL handshake is the _first_ part of any HTTPS transaction, and > >any part of the HTTP stream (including authentication info, etc.) is > >encrypted. > > > >Mike > > > >-- > >#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <# > >#> Chief System Architect -- Head geek -- System exorcist <# > >#> <# > >#> "Have you considered a life? I hear they're quite affordable <# > >#> these days." --- shields@tembel.org <# > > > > From firewalls-owner Fri Jun 14 16:41:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04158 for firewalls-outgoing; Fri, 14 Jun 1996 15:56:31 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA04148 for ; Fri, 14 Jun 1996 15:56:25 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id PAA18120; Fri, 14 Jun 1996 15:09:31 -0700 Date: Fri, 14 Jun 1996 15:52:00 -0700 (PDT) From: Michael Dillon To: Peter da Silva cc: Michael_Beeler@ccmail.northgrum.com, jklein@ncdc.noaa.gov Subject: Re: Re[2]: Active-X and/or Java? In-Reply-To: <9606141445.AA06392@sonic.nmti.com.nmti.com> Message-ID: Organization: Memra Software Inc. 
- Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 14 Jun 1996, Peter da Silva wrote: > > Just a thought, but does anyone know if Active-X is any more secure > > than JAVA? > > Yes. It's not. Is that the same thing as: No. It isn't. ??? Michael Dillon ISP & Internet Consulting Memra Software Inc. Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Fri Jun 14 16:49:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA02117 for firewalls-outgoing; Fri, 14 Jun 1996 15:46:21 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA02079 for ; Fri, 14 Jun 1996 15:46:05 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id OAA17834; Fri, 14 Jun 1996 14:59:00 -0700 Date: Fri, 14 Jun 1996 15:41:28 -0700 (PDT) From: Michael Dillon To: Peter da Silva cc: Jeremy Noetzelman , jvincent@actane.com Subject: Re: New Firewall Announcement In-Reply-To: <9606141439.AA07391@sonic.nmti.com.nmti.com> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 14 Jun 1996, Peter da Silva wrote: > > Am I the only one who doesn't like the idea of my firewall being managed by > > SNMP? > > No. I'm as leery of SNMP management of the firewall as I am of that bloke > who was pushing WWW-based administration. What if the SNMP management is carried out entirely inside the firewall on an ethernet segment that only contains the firewall and a couple of admin workstations with no routing between that subnet and others? And what if the WWW management was secured in the same way? Good? Bad? Crazy? 
Michael Dillon ISP & Internet Consulting Memra Software Inc. Fax: +1-604-546-3049 http://www.memra.com E-mail: michael@memra.com From firewalls-owner Fri Jun 14 17:37:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA15893 for firewalls-outgoing; Fri, 14 Jun 1996 17:27:50 -0700 (PDT) Received: from inreach.com (inreach.com [205.138.224.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA15886 for ; Fri, 14 Jun 1996 17:27:45 -0700 (PDT) Received: from LOCALNAME (ppp075.inreach.com [205.138.224.75]) by inreach.com (8.7.5/8.7.1) with SMTP id RAA22099; Fri, 14 Jun 1996 17:30:25 -0700 (PDT) Message-ID: <31C1E44C.7AE5@inreach.com> Date: Fri, 14 Jun 1996 15:14:36 -0700 From: john dias Organization: TopShelf X-Mailer: Mozilla 2.01KIT (Win16; U) MIME-Version: 1.0 To: Mike Jones CC: firewalls@GreatCircle.COM Subject: Re: FireWall-1 and token ring References: <9606141629.AA13684@bass.unifiedtech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mike Jones wrote: > > Has anyone ever set up a FW-1 firewall where one network interface > was a token ring? The best answer I've been able to get from Sun so > far is "it ought to work", but the documentation doesn't specifically > say. > > Mike Jones > Sr. Network Computing Advisor > Unified Technologies Yes, I have successfully configured Firewall-1 to filter on a token ring. However, this is not a "straight" install and configuration. Sun's phone support may not be able to help you. Their standard "fix" for token ring and Firewall-1 problems is to disable source-routing. But, there will be more gotchas. We have solved this problem for our clients by obtaining Firewall-1's "new released filter for token rings" ( yes Beta!!!!! ). The new filter was obtained with the help of Sun Customer Services. 
IF AT ALL POSSIBLE AVOID THIS CONFIGURATION ( fw-1 & tr ) UNTIL FIREWALL-1's NEXT RELEASE. However, the early release version has been successful, but the configuration is minimal ( air-gaps, it is beta ). We will be implementing Firewall-1 on token rings at the next release. John Dias Sr engineer TopShelf Systems Technology 209-239-5402 From firewalls-owner Fri Jun 14 17:54:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA16501 for firewalls-outgoing; Fri, 14 Jun 1996 17:35:23 -0700 (PDT) Received: from diane.inforamp.net (Diane.InfoRamp.Net [198.53.144.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA16494 for ; Fri, 14 Jun 1996 17:35:17 -0700 (PDT) Received: from ts39-03.tor.iSTAR.ca (ts39-03.tor.iSTAR.ca [204.191.140.183]) by diane.inforamp.net (8.7/8.7) with SMTP id UAA17970 for ; Fri, 14 Jun 1996 20:32:28 -0400 (EDT) Received: by ts39-03.tor.iSTAR.ca with Microsoft Mail Message-ID: <01BB5A30.377A1BA0@ts39-03.tor.iSTAR.ca> From: Gene Lee To: "'Firewalls@GreatCircle.COM'" Subject: Re: IBM Firewall Date: Fri, 14 Jun 1996 20:29:40 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With regards to some of the messages concerning SNG, there is a new beta of the FW available for download on http://www.ics.raleigh.ibm.com. If you have a spare RS/6000 kicking around, feel free to try it out (and send me comments, criticism and/or hate-mail). Among some of the new features are Network Address Translation, a less-complicated interface for creating filtering rules, support under AIX 4.1 and 4.2 (note 4.2 has the new Sendmail 8.7 - as Dave Roberts has already mentioned), support for VPNs with compliance to RFCs 1825-1829, pager support, and inbound ftp proxying. 
There was some talk of the integrity checking of FW files, and AIX does come with the Trusted Computing Base which keeps and compares checksums of all critical system files (using tcbck). The FW files can be added to the TCB. Although not in the current beta, the developers are working on MD5 hashing of FW system files. -- Gene Lee genel@inforamp.net genelee@vnet.ibm.com From firewalls-owner Fri Jun 14 18:22:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA17490 for firewalls-outgoing; Fri, 14 Jun 1996 17:55:11 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA17479 for ; Fri, 14 Jun 1996 17:55:00 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9606150052.AA11504@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: equaad Cc: firewalls From: Ryan.Russell/SYBASE Date: 14 Jun 96 17:51:56 EDT Subject: Re: Decent tech support X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk www.qualix.com I used them for my initial setup. I am pleased with it. Ryan ---------- Previous Message ---------- To: firewalls cc: From: equaad @ nedhmail.nedh.harvard.edu @ smtp Date: 06/14/96 09:15:38 AM Subject: Decent tech support I second the request for info on tech support quality -- right now we have Firewall-1 software from Checkpoint and can't seem to get decent support to save our lives. Anyone else have this product and have a reseller that provides good support??? I'm in the New England area but don't see why I would need a reseller in this area to provide good support (since it's 99% phone support anyway). 
Anyone know a reseller with a good, *quick* technical support?? Ellen Quaadgras Systems Administrator equaad@indigo.mit.edu From firewalls-owner Fri Jun 14 18:38:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA21229 for firewalls-outgoing; Fri, 14 Jun 1996 18:35:46 -0700 (PDT) Received: from vger.Tripcom.COM (vger.Tripcom.COM [207.70.68.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA21207 for ; Fri, 14 Jun 1996 18:35:36 -0700 (PDT) Received: (from adam@localhost) by vger.Tripcom.COM From: Adam Horwitz Message-Id: <199606150132.UAA21875@vger.Tripcom.COM> Subject: Re: Decent tech support To: firewalls@GreatCircle.COM (firewalls) Date: Fri, 14 Jun 1996 20:32:46 -0500 (CDT) In-Reply-To: <2.2.32.19960614141621.00a122d8@trex.netrex.com> from "Richard D. Stiennon" at Jun 14, 96 10:16:21 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > At 09:15 AM 6/14/96 EST, equaad@nedhmail.nedh.harvard.edu wrote: > > I second the request for info on tech support quality -- right now we > > have Firewall-1 software from Checkpoint and can't seem to get decent > > support to save our lives. Anyone else have this product and have a > > reseller that provides good support??? I'm in the New England area but > > don't see why I would need a reseller in this area to provide good > > support (since it's 99% phone support anyway). Anyone know a reseller > > with a good, *quick* technical support?? > > ======== Fwd by: David Tate ======== > > I guess now we will see how many resellers are part of the > > {firewalls@GreatCircle.COM} ..... Well, I guess this is an appropriate time for some self-promotion. As someone with many years experience as an I.S. customer and several as a vendor, I thought all I ever needed was telephone support. 
I cannot speak for every potential customer, but the on-site support that my firm provides is desired. I have been selling FireWall-1 solutions since 1994, the year it was released. This is longer than most companies have known about it (and the Internet). As for technical support quality, it is not always so easy to quantify. I provide many references and let potential clients draw their own conclusions. My client base and focus is in Chicago. I refer out-of-state businesses to CheckPoint to find a local reseller. -- Adam Horwitz (708) 778-9531 Tripcom Systems Inc. adam@tripcom.COM Secure Internet Integration for LANs, WANs, & E-Mail From firewalls-owner Sat Jun 15 08:51:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25725 for firewalls-outgoing; Sat, 15 Jun 1996 08:43:59 -0700 (PDT) Received: from relay-2.mail.demon.net (disperse.demon.co.uk [158.152.1.77]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25718 for ; Sat, 15 Jun 1996 08:43:51 -0700 (PDT) Received: from post.demon.co.uk ([158.152.1.72]) by relay-2.mail.demon.net Received: from martel.demon.co.uk ([158.152.221.102]) by relay-3.mail.demon.net Message-ID: <11EYaMA3KewxEwZQ@martel.demon.co.uk> Date: Fri, 14 Jun 1996 23:07:51 +0100 To: firewalls@greatcircle.com, adam@homeport.org From: Ian Gresley-Jones Subject: Re: IBM Firewall In-Reply-To: <199606141602.LAA14057@homeport.org> MIME-Version: 1.0 X-Mailer: Turnpike Version 1.12 <5FNnYA8I4VwTBuCT6k+JdR66Mo> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <199606141602.LAA14057@homeport.org>, Adam Shostack writes >Are you talking about sysck? > tcbck and sysck seem to be virtually the same; I think sysck was the earlier version, retained for compatibility with pre-3.2.5. >sysck is configurable to use md5; however, I wasn't able to find >documentation on doing so. 
There is a means to specify an alternative checksum algorithm, for which you specify md5, then set up a sysck.cfg file with md5 checksums in the correct stanza of the file. > IBM'ers here did offer to provide me with >help (Thanks again, Andreas!), but not everyone who buys an SNG has >access to this list, and as such, how to provide integrity checking on >the firewall should be part of the manual. > >Adam > ******************************************************************** Ian Gresley-Jones * Protek Warrington (UK) 01925 240340 * or Maidenhead (UK) 01628 75959 or * -- speaking for myself only -- * ******************************************************************** From firewalls-owner Sat Jun 15 12:06:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04617 for firewalls-outgoing; Sat, 15 Jun 1996 11:59:51 -0700 (PDT) Received: from dcc.com (ns [204.147.95.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA04610 for ; Sat, 15 Jun 1996 11:59:45 -0700 (PDT) Received: from smtp.dcc.com ([204.147.93.69]) by gateway.perigee.com with SMTP id <71425>; Sat, 15 Jun 1996 14:24:55 -0500 Received: by smtp.dcc.com with Microsoft Mail From: "Moubray, Steve" To: "'firewalls@greatcircle.com'" Subject: RE: Decent Tech Support Date: Sat, 15 Jun 1996 15:56:00 -0500 Message-ID: <31C32394@smtp.dcc.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk < SNIP > I haven't worked with Firewall-1 much but what I have done is because a large customer came to me and stated that they could not find anyone in town to help them implement the firewall or offer any support. We have a bunch of authorized resellers in the Twin Cities and my customer called all of them for help. Many of them are SUN resellers. If we can provide better support and services for our customers than the authorized resellers, then Checkpoint should take a very careful look at the World. 
Just because a local company can supply a product doesn't mean that they can support it or help with the implementation issues. I think that you should always try to pursue a relationship with a reseller that can provide you with support. They will know your network, your people and your needs. Then they can provide some real help. Just my 2 cents. From firewalls-owner Sat Jun 15 12:26:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04524 for firewalls-outgoing; Sat, 15 Jun 1996 11:53:37 -0700 (PDT) Received: from dcc.com (gateway.dcc.com [204.147.95.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA04499 for ; Sat, 15 Jun 1996 11:53:27 -0700 (PDT) Received: from smtp.dcc.com ([204.147.93.69]) by gateway.perigee.com with SMTP id <71425>; Sat, 15 Jun 1996 14:18:39 -0500 Received: by smtp.dcc.com with Microsoft Mail From: "Moubray, Steve" To: "'firewalls@greatcircle.com'" Subject: RE: New Firewall Announcement (WWW Management) Date: Sat, 15 Jun 1996 15:49:00 -0500 Message-ID: <31C3221B@smtp.dcc.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Friday, June 14, 1996 8:14 PM, firewalls-digest-owner wrote: > > >>... >>And why are you leery of WWW-based administration? >> >>I think with user authentication and encryption, a Web front-end would >>be a good administration tool. Cross platform, location independent. >>(None of this "console only" or "X the GUI back to you" management). >> Have you heard of V-ONE SmartWall? It does exactly that. >>Any thoughts? >> >>Chris > >TIS does it with their Gauntlet 3.1. However you need to start the >'gauntlet-gui' daemon on the firewall, connect in to the port you configured >the infoserver on, and you end up connecting with the 'port number of the >session'. Each session into the firewall is a different port number. 
> >I would feel more comfortable about it if a username/password was asked for, >it were https instead of http, and the session could be started from the >firewall, targeting a specific client. All via a secure telnet session, >of course. > >Bill > V-ONE takes this a step further by requiring high quality authentication from the firewall and the client and you can use it with a variety of different password schemes. From firewalls-owner Sat Jun 15 16:51:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA16555 for firewalls-outgoing; Sat, 15 Jun 1996 16:46:41 -0700 (PDT) Received: from interlock.mgh.com (interlock.mgh.com [152.159.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA16539 for ; Sat, 15 Jun 1996 16:46:35 -0700 (PDT) From: dnewman@mcgraw-hill.com Received: by interlock.mgh.com id AA11088 Message-Id: <199606152343.AA11088@interlock.mgh.com> Received: by interlock.mgh.com (Protected-side Proxy Mail Agent-1); Date: Sat, 15 Jun 96 19:37:42 edt To: firewalls@greatcircle.com Subject: NCSA firewall certification Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This week's Infoworld reports on page 16 that 15 firewall vendors have had their products certified after testing by the National Computer Security Association (NCSA). Sponsoring vendors (I'm presuming tests were paid for by vendors) get to cite the NCSA certification in hawking their wares. NCSA's Web site summarizes the tests performed. The URL is: http://www.ncsa.com/fpfs/whatfire.html I'm very curious to hear members of this list comment on these tests--are they sufficiently rigorous and complete? Disclaimer: I too test firewalls, for Data Communications magazine. We do not compete with NCSA. 
David Newman
Data Communications magazine
212-512-6182

From firewalls-owner Sat Jun 15 17:37:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18503 for firewalls-outgoing; Sat, 15 Jun 1996 17:29:57 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA18485 for ; Sat, 15 Jun 1996 17:29:50 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo2.cisco.com [171.68.13.2]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id RAA23903; Sat, 15 Jun 1996 17:27:49 -0700
Message-Id: <199606160027.RAA23903@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 15 Jun 1996 20:27:01 -0400
To: oolid@acqic.org (Joseph L. Moll)
From: Paul Ferguson
Subject: Re: Cisco 2500's and BGP
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The answer is 'It depends'.

I don't normally recommend using a 2500 for BGP peering, since any [interior|exterior] instability could cause the router to melt. It simply wasn't designed with heavy-duty route recalculation in mind.

However, if you have two exterior peers and are taking partial routing from one provider, and are pointing default to another, it can handle it with 16Mb DRAM [perhaps less, although I wouldn't recommend it either]. Again, I would be hesitant to use a 2500 in an environment where there is any type of recurring instability.

- paul

At 09:38 AM 6/12/96 -0400, Joseph L. Moll wrote:
>Sorry for the off topic question, please respond via private email.
>
>Can anyone comment on the use of Cisco 2500's for border routers running
>BGP4 and limited access lists? Can they handle the load?
>
>
>Best Regards,
>---
>Joseph L. (Joe) Moll, Greenville, SC USA mailto:oolid@acqic.org
>---
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Sat Jun 15 21:06:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA24555 for firewalls-outgoing; Sat, 15 Jun 1996 20:57:42 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA24544 for ; Sat, 15 Jun 1996 20:57:35 -0700 (PDT)
Received: from pm4-10.in.net by su1.in.net with SMTP (5.65/1.2-eef)
Date: Sat, 15 Jun 96 22:53:23 -0400
Message-Id: <9606160253.AA15436@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: NCSA firewall certification
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:37 PM 6/15/96 edt, dnewman@mcgraw-hill.com allegedly wrote:
>
> This week's Infoworld reports on page 16 that 15 firewall vendors have
> had their products certified after testing by the National Computer
> Security Association (NCSA). Sponsoring vendors (I'm presuming tests
> were paid for by vendors) get to cite the NCSA certification in
> hawking their wares.
>
> NCSA's Web site summarizes the tests performed. The URL is:
>
> http://www.ncsa.com/fpfs/whatfire.html
>
> I'm very curious to hear members of this list comment on these
> tests--are they sufficiently rigorous and complete?

I very seriously doubt it.
(BTW, thanks for including the pointer to the URL).

Today, there are @70+ firewall vendors on the market. Of these, only a handful (and I'm being generous here) are adequate enough to protect a company against the hazards of the Internet, IMHO.
A determined hacker wouldn't find it very difficult to blast through almost all of the firewalls on their "NCSA Certified" list.

Hmmmm. Perhaps our company should start certifying firewalls. If we did, the list of certified firewalls would be considerably shorter than the ones we have seen so far. BTW, we have taken out a firewall or two.

When we do take out a firewall, we contact the vendor's engineering department and explain the test conditions (h/w & s/w of the systems involved), the type of attack, etc. and also make recommendations regarding how the problem can be resolved.

> Disclaimer: I too test firewalls, for Data Communications magazine. We
> do not compete with NCSA.
>
> David Newman
> Data Communications magazine
> 212-512-6182

Disclaimer:
We are vendor-neutral (well, sort of - we must admit that we aren't really wild about firewalls which are not very secure.). We don't distribute or resell any firewall vendor's products. This gives us a certain amount of freedom to call things like we see them.

We test firewalls for our customers (and we write policies, perform risk assessments, design network security strategies, etc., etc.). In a nutshell, we help them achieve high levels of Information Security which are user-friendly & virtually non-intrusive to business operations (and as inexpensive as possible).

From the for-what-it's-worth-department, here are some common mistakes that we usually see - listed in no certain order:

o No firewall exists for the connection to the Internet
o Firewall is misconfigured
o Firewall is the wrong type
o Firewall permits insecure applications/services through the firewall
o Firewall is managed remotely via insecure Telnet
o Firewall is managed by an ISP or other 3rd party
o Firewall is managed by unqualified personnel
o Firewall is managed by other than Information Security personnel
o No policy is in place regarding PCs with modems connecting to the
  Internet (effectively bypassing the firewall)
o Etc., Etc., Etc.
If your organization happens to have a firewall, it probably wouldn't hurt to double-check the above items.

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sun Jun 16 00:21:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA00513 for firewalls-outgoing; Sun, 16 Jun 1996 00:06:49 -0700 (PDT)
Received: from www.ddddf.com (www.ddddf.com [199.203.68.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA00499 for ; Sun, 16 Jun 1996 00:06:40 -0700 (PDT)
Received: from romeo (gatekeeper.ddddf.com [199.203.68.2]) by www.ddddf.com (8.6.9/8.6.9) with SMTP id JAA09872 for ; Sun, 16 Jun 1996 09:42:54 +0400
Received: from sunserver.ddddf.com by romeo (4.1/SMI-4.1)
Received: from sunserver by sunserver.ddddf.com (SMI-8.6/SMI-SVR4)
Date: Sun, 16 Jun 1996 10:03:17 +0300 (IDT)
From: Yossi Goltz
To: Firewalls@GreatCircle.COM
Subject: Checkpoint FW-1 support.
In-Reply-To: <199606150800.BAA08830@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

I'm another user of FW1 with problems! I'm in Israel (~10 minutes drive from checkpoint's HQ and labs!) and I have a problem ticket open for 4 months! Their support is even worse than my worst dreams and I already told them so. It does not seem to help. I'm still waiting for them to call me and say they have fixed the BUG we found in the product! Until then.... I guess they will not use me as a reference site!

-Yossi.
Yossi Goltz                    Telephone: 972-3-6451111
Unix Network Manager           Fax: 972-3-6451100
New Dimension Software LTD.    Email: yossi@ddddf.com
formerly                       P.O.B. 58168
4th Dimension Software Ltd.    61581 Tel Aviv ISRAEL

> ----------------------------------------------------------------------
>
> Date: 14 Jun 96 17:51:56 EDT
> From: Ryan.Russell/SYBASE
> Subject: Re: Decent tech support
>
> www.qualix.com
>
> I used them for my initial setup. I am pleased with it.
>
> Ryan
>
> - ---------- Previous Message ----------
> To: firewalls
> cc:
> From: equaad @ nedhmail.nedh.harvard.edu @ smtp
> Date: 06/14/96 09:15:38 AM
> Subject: Decent tech support
>
> I second the request for info on tech support quality -- right now we
> have Firewall-1 software from Checkpoint and can't seem to get decent
> support to save our lives. Anyone else have this product and have a
> reseller that provides good support??? I'm in the New England area but
> don't see why I would need a reseller in this area to provide good
> support (since it's 99% phone support anyway). Anyone know a reseller
> with a good, *quick* technical support??
>
> Ellen Quaadgras
> Systems Administrator
> equaad@indigo.mit.edu
>
> ------------------------------
>
> Date: Fri, 14 Jun 1996 20:32:46 -0500 (CDT)
> From: Adam Horwitz
> Subject: Re: Decent tech support
>
> > At 09:15 AM 6/14/96 EST, equaad@nedhmail.nedh.harvard.edu wrote:
> > > I second the request for info on tech support quality -- right now we
> > > have Firewall-1 software from Checkpoint and can't seem to get decent
> > > support to save our lives. Anyone else have this product and have a
> > > reseller that provides good support??? I'm in the New England area but
> > > don't see why I would need a reseller in this area to provide good
> > > support (since it's 99% phone support anyway). Anyone know a reseller
> > > with a good, *quick* technical support??
> >
> > ======== Fwd by: David Tate ========
> > I guess now we will see how many resellers are part of the
> > {firewalls@GreatCircle.COM} .....
>
> Well, I guess this is an appropriate time for some self-promotion.
>
> As someone with many years experience as an I.S. customer and several
> as a vendor, I thought all I ever needed was telephone support. I can
> not speak for every potential customer, but the on-site support that
> my firm provides is desired. I have been selling FireWall-1
> solutions since 1994, the year it was released. This is longer than
> most companies have known about it (and the Internet).
>
> As for technical support quality, it is not always so easy to
> quantify. I provide many references and let potential clients draw
> their own conclusions. My client base and focus is in Chicago. I
> refer out of state businesses to CheckPoint to find a local reseller.
>
> - --
> Adam Horwitz (708) 778-9531
> Tripcom Systems Inc. adam@tripcom.COM
> Secure Internet Integration for LANs, WANs, & E-Mail
>
> ------------------------------
>
> End of Firewalls-Digest V5 #372
> *******************************
>
> To unsubscribe from Firewalls-Digest, send the following command
> in the body of a message to "Majordomo@GreatCircle.COM":
>
> unsubscribe firewalls-digest
>
> If you want to subscribe or unsubscribe an address other than the
> account the mail is coming from, such as a local redistribution list,
> then append that address to the command; for example, to subscribe
> "local-firewalls":
>
> subscribe firewalls-digest local-firewalls@your.domain.net
>
> A non-digest (direct mail) version of this list is also available; to
> subscribe to that instead, replace all instances of "firewalls-digest"
> in the commands above with "firewalls".
>
> Compressed back issues are available for anonymous FTP from
> FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
> is the volume number, and "MMM" is the issue number).
>

From firewalls-owner Sun Jun 16 02:06:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA06692 for firewalls-outgoing; Sun, 16 Jun 1996 01:59:29 -0700 (PDT)
Received: from simtel.Coast.NET (simtel.coast.net [205.149.128.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA06663 for ; Sun, 16 Jun 1996 01:59:20 -0700 (PDT)
Received: by simtel.Coast.NET (Smail3.1.28.1 #12)
Date: Sun, 16 Jun 1996 04:56:27 -0400 (EDT)
To: firewalls@greatcircle.com (Firewalls Mailing List)
Subject: Re: NCSA firewall certification
From: "Mike O'Connor"
Reply-To: "Mike O'Connor"
X-Organization: :noitazinagrO-X
Message-Id: <960616045627.mjo@dojo>
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

:From: Frank Willoughby
[...]
:Today, there are @70+ firewall vendors on the market. Of these,
:only a handful (and I'm being generous here) are adequate enough
:to protect a company against the hazards of the Internet, IMHO.
[...]
:From the for-what-it's-worth-department, here are some common mistakes
:that we usually see - listed in no certain order:
[some technical stuff, and]
:o Firewall is managed by an ISP or other 3rd party
:o Firewall is managed by unqualified personnel
:o Firewall is managed by other than Information Security personnel
:o No policy is in place regarding PCs with modems connecting to the
:  Internet (effectively bypassing the firewall)
:o Etc., Etc., Etc.

Much of your mistakes depend on your definition of a "firewall". To what extent can/should someone selling a particular piece of hardware dig into your policy for purposes of deploying it in any sane way? I think you're going too far in your expectations in terms of what firewall technology vendors are actually capable of vs. what you think they should be doing for you.
The only time I'd take a firewall vendor to task on this is if they purport to actually sell a "firewall", making claims that take into account factors like policy and sensible configuration which they may have zero control over. Tools for building a firewall ought to be better distinguished from the end product itself, but I'm sure that's old news to a lot of folks on this list.

--
Michael J. O'Connor       Internet: mjo@dojo.mi.org
InterNIC WHOIS: MJO       http://www.coast.net/~mjo

"I propose we leave math to the machines and go play outside."  -Calvin

From firewalls-owner Sun Jun 16 09:36:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA18438 for firewalls-outgoing; Sun, 16 Jun 1996 09:31:13 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA18429 for ; Sun, 16 Jun 1996 09:31:05 -0700 (PDT)
Received: from pm3-26.in.net by su1.in.net with SMTP (5.65/1.2-eef)
Date: Sun, 16 Jun 96 11:26:54 -0400
Message-Id: <9606161526.AA09158@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: NCSA firewall certification
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:56 AM 6/16/96 -0400, "Mike O'Connor" wrote:
>:From: Frank Willoughby
>[...]
>:Today, there are @70+ firewall vendors on the market. Of these,
>:only a handful (and I'm being generous here) are adequate enough
>:to protect a company against the hazards of the Internet, IMHO.
>[...]
>:From the for-what-it's-worth-department, here are some common mistakes
>:that we usually see - listed in no certain order:
>[some technical stuff, and]
>:o Firewall is managed by an ISP or other 3rd party
>:o Firewall is managed by unqualified personnel
>:o Firewall is managed by other than Information Security personnel
>:o No policy is in place regarding PCs with modems connecting to the
>:  Internet (effectively bypassing the firewall)
>:o Etc., Etc., Etc.
>

You are taking my statements out of context. Both paragraphs mentioned above have nothing to do with each other. The first paragraph deals with the fact that almost all firewalls are grossly inadequate to block/prevent certain types of known attacks. The second paragraph deals with typical problems we have encountered when performing firewall evaluations/penetration tests.

>Much of your mistakes depend on your definition of a "firewall". To what
>extent can/should someone selling a particular piece of hardware dig into
>your policy for purposes of deploying it in any sane way. I think you're
>going too far in your expectations in terms of what firewall technology
>vendors are actually capable of vs. what you think they should be doing
>for you. The only time I'd take a firewall vendor to task on this is if
>they purport to actually sell a "firewall", making claims that take into
>account factors like policy and sensible configuration which they may
>have zero control over. Tools for building a firewall ought to be better
>distinguished from the end product itself, but I'm sure that's old news
>to a lot of folks on this list.

I disagree. A firewall should be able to block/prevent known types of attacks if possible. Some attacks (such as a Denial-of-Service attack by sending a stream of Resets) can't be prevented, due to the nature of the beast of TCP/IP & the Internet. Firewall vendors are in the business of selling security products.
A customer who buys a firewall which can't stop attacks which are currently known to exist AND which other vendors can prevent, has wasted his money, IMHO.

The sad part is that the personnel in many companies are simply too inexperienced in this field - forgetting Frank's Lemming Rule # 1 - "If everyone else is doing it, it must be OK (ie - there's safety in numbers)".

The firewalls which provide the best protection aren't the most expensive, nor the ones with the biggest advertising budgets, nor the ones which are the most popular. Many are good. Few provide adequate protection. While vendors will continue to leapfrog each other in terms of protection, cost, support, etc, currently, most firewalls would not make our certification list (if we were to start one).

For most people, this is a new field. To get accurate results, they need to do their *own* homework. Their research should include (as a minimum): the book "Firewalls and Internet Security" by Cheswick & Bellovin, and the paper "Security Problems in the TCP/IP Protocol Suite" available via ftp from: ftp.research.att.com in the directory /pub/dist/internet_security. The file is called ipext.ps.Z.

The research is easy. Line up the security problems on one side & the vendors on the other. Simply ask the question "Can your firewall prevent this type of attack?" for *each* of the attacks listed in the book or the paper. If the vendor answers "NO", then drop it from your short list. BTW, if their answer is "YES", get it in writing. Some vendors have been known to mis-represent their products (the word "fraud" comes to mind).

Caveat Emptor. Do your homework first, kick the tires, take it out for a test drive, and then write the check. Also, if a functionality doesn't exist when you test drive the firewall, there are no guarantees that it will ever exist - in spite of what the vendor may promise.
The best ways to ensure the promised vaporware will turn into a delivered product are to:

o Get the promise in writing in a legal document signed by an officer of the (firewall vendor's) company.
o Make the promised feature a part of your acceptance criteria.
o Get them to let you keep the firewall as an "Evaluation system" until the vaporware turns into a delivered feature/product.

VERY IMPORTANT - Withhold most (if not all) payment until the desired feature is delivered - after all, it is part of your acceptance test, right?

>--
> Michael J. O'Connor       Internet: mjo@dojo.mi.org
> InterNIC WHOIS: MJO       http://www.coast.net/~mjo
>
>"I propose we leave math to the machines and go play outside."  -Calvin

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sun Jun 16 09:51:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA18986 for firewalls-outgoing; Sun, 16 Jun 1996 09:49:00 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA18979 for ; Sun, 16 Jun 1996 09:48:51 -0700 (PDT)
Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id MAA16340 for ; Sun, 16 Jun 1996 12:45:53 -0400 (EDT)
From: "Marcus J. Ranum"
Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id MAA03968 for firewalls@greatcircle.com; Sun, 16 Jun 1996 12:45:51 -0400 (EDT)
Message-Id: <199606161645.MAA03968@clark.net>
Subject: firewall testing redux
To: firewalls@greatcircle.com
Date: Sun, 16 Jun 1996 12:45:50 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

dnewman@mcgraw-hill.com writes:
> This week's Infoworld reports on page 16 that 15 firewall vendors have
> had their products certified after testing by the National Computer
> Security Association (NCSA). Sponsoring vendors (I'm presuming tests
> were paid for by vendors) get to cite the NCSA certification in
> hawking their wares.

NCSA is a for-profit venture. This is not a criticism (some of my best friends work for a living!) but it's worth noting, as always, when trying to understand an organization's actions.

> NCSA's Web site summarizes the tests performed. The URL is:
> I'm very curious to hear members of this list comment on these
> tests--are they sufficiently rigorous and complete?
[...]

This is a tricky question. *NO* test can be sufficiently rigorous and complete. A better question to ask, perhaps, is whether the testing has some value.

I looked at the list of tests that are performed and all of them are, basically, trivial. No firewall should fall prey to any of those tests, under any circumstances. On the other hand, for example, you might get "false positives." I remember that pingware used to choke on smap (from the toolkit) output when it attempted a sendmail debug. Smap sent a reply reading:

220 Debug set - NOT!

and pingware would raise the roof. Programmed testing is not a substitute for intelligence. That being said, it's better than nothing.
Implicit in NCSA's action is the assumption that there are firewall vendors so irresponsible or clueless that they'd sell a firewall with rexd running on it, reachable from the outside. I suppose it is possible that someone might do that, and I suppose that the test would detect it. So I suppose that the test will act as a very low bar to keep out the complete lamers. From looking at the NCSA test checklist, I believe that a router could be configured to pass it, with a minimum of effort.

The test also specifies (correctly) that:

-> The internal machines will not be configured in a `secure'
-> manner - it is the job of the vendor's firewall to maintain
-> the security of the inside network.

Here is where things get interesting. There's no mention of the O/S (or mix) on the inside network, because that is significant. What about firewalls that are transparent packet-screening type firewalls? They permit certain forms of traffic to certain services on the inside. THE SECURITY OF THE SOFTWARE ON SELECTED SYSTEMS BEHIND THE FIREWALL MAY BE IMPORTANT. Unless NCSA's intent is to argue that all packet-screening type firewalls, no matter how powerful they may be, are invalid technologies.

I have a lot of reservations about any form of firewall testing programme, because of the configurability of the systems in question. Here's where I have to admit that the orange book guys had it right:

1) Ensure the system's design has some basic properties
2) Then test it in its deployed configuration

When I was consulting I went to a number of sites to check out firewalls, and in several cases I saw firewalls that had been configured with big gaps in them for some service or other to some internal system or other, and no attention had been paid to the security of the software on that system. A cold-lab test of a firewall isn't going to be able to help with that kind of thing -- it shouldn't, since it's not the firewall's problem.
The firewall vendor can't take that sort of thing into account.

So - where does that leave us? Back to the orange book's idea of making sure the basic design makes sense, and then making sure the deployed configuration is correct. Doing a design review is something NCSA can't touch because a design review will require a LOT of effort, cost a lot, and design reviews inherently will introduce bias - for some purposes, some designs simply are better. For other purposes, the same design may not be so good. That's why there are both Ferraris and Humvees. A design review has to start from "it depends" and work from there, whereas NCSA's effort has to start with what their participating vendors already have, and make some sense of it. Orange book style design review only works if you already have a notion of the One True Correct Design. Which doesn't work in an evolving commercial marketplace.

The other approach remaining to us is to do onsite testing of every firewall in its deployed configuration. That works, but it's extremely expensive and it requires a lot of expertise. It also doesn't work because, frequently, it runs counter to the business reason for installing the firewall in the first place: if the tests *say* that the hole in the firewall is a bad idea, and the hole in the firewall is "necessary" then what do you do? Ignore the test. Do you re-test it whenever the firewall changes or the systems behind it change? You should. There are a lot of consultants making a lot of money testing and re-testing firewalls right now. Is it money well spent? I am not sure it really is. I used to be in that business and discovered that at almost every site I visited, the firewall was about the only part of the network that was "right"; everything else was broken.

Lastly, I am concerned that product testing is going to lull people into making the wrong assumption: that a firewall, once "tested" is OK from then on.
Security is a *PROCESS* not a simple thing you implement once, test, and then forget about. The idea that you can buy a pre-tested firewall, install it, and never worry, is dangerously naive. Marketing that as a "feature" is irresponsible. Using a test as a barrier to market entry or sales leverage is sleazy. Unless the test is something rigidly quantifiable, which I believe firewalls are not, by virtue of their extreme flexibility.

Six months or so ago, I wrote a lengthy polemic on this topic, which I had on my (then) web page at iwi.com. It is now and still on the V-ONE publications area as:

http://www.v-one.com/pubs/testing/fwtest.htm

It does not represent V-ONE corporation's official views on the topic, but I hope it can help provoke some thoughts and discussion on the topic.

I've known the NCSA guys for a while, and I've even contributed work (pro bono) to the goal of improving the state of the firewall market. They have, bless their hearts, been pushing forward with the firewall product functional summaries effort which I started; that's good. Clearly, NCSA is trying to provide value in this area. I'm not sure I agree 100% (or even 30%) with the firewall testing concept, and I guess it's really more about marketing and perception than it is about security. The problem is that, in an environment where some folks are trying to push Lotus Notes as a "firewall" it's hard to criticize any organization that tries to certify firewalls as "apparently OK." I just don't think that a certification sticker means a whole lot more than that someone paid some $$ and had some basic tests run, and passed them. That doesn't impress me a whole lot but I guess it's a start.

mjr.
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work http://www.v-one.com
personal http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Sun Jun 16 18:06:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA05315 for firewalls-outgoing; Sun, 16 Jun 1996 17:44:10 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id RAA05291 for firewalls@greatcircle.com; Sun, 16 Jun 1996 17:43:59 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA06988 for ; Thu, 13 Jun 1996 19:04:58 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from lykos.netpart.com(206.0.20.2) by mycroft via smap (V1.3mjr)
Received: (phil@localhost) by lykos.netpart.com (8.6.12/8.6.12) id TAA21873; Wed, 12 Jun 1996 19:24:01 -0700
Date: Wed, 12 Jun 1996 19:24:01 -0700
From: Phil Trubey
Message-Id: <199606130224.TAA21873@lykos.netpart.com>
To: amillar@lifeguard.COM
Subject: Re: Strange mail Sender: problem with Borderware?
In-Reply-To: <96Jun3.131347pdt.36865@firewall.lifeguard.com>
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <96Jun3.131347pdt.36865@firewall.lifeguard.com> you write:
>I've just inherited a Borderware Firewall Server and I'm having a
>strange mail problem with it.

You might want to ask the BorderWare user's mailing list located at firewall@netpart.com. Subscribe by sending a message to firewall-request@netpart.com with a subject line of 'subscribe'.
From firewalls-owner Sun Jun 16 18:07:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA05347 for firewalls-outgoing; Sun, 16 Jun 1996 17:44:27 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id RAA05318 for firewalls@greatcircle.com; Sun, 16 Jun 1996 17:44:12 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA05411 for ; Thu, 13 Jun 1996 18:58:42 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from nic.transpac.net(194.52.1.10) by mycroft via smap (V1.3mjr)
Received: from alf.ihc.se (alf.ihc.se [194.52.187.254]) by mail.transpac.net (8.7.3/8.7.3) with SMTP id IAA10948 for ; Thu, 13 Jun 1996 08:49:03 +0200 (MET DST)
Received: by alf.ihc.se; (5.65v3.2/1.3/10May95) id AA32064; Thu, 13 Jun 1996 08:49:20 +0200
Message-Id: <31BFBA18.32C@ihc.se>
Date: Thu, 13 Jun 1996 08:50:00 +0200
From: Mattias Lindström
Reply-To: mattias.lindstrom@ihc.se
Organization: IHC AB
X-Mailer: Mozilla 3.0B2 (WinNT; I)
Mime-Version: 1.0
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls and MS SQL server
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi.

I am going to implement two MS SQL servers with a firewall (almost anyway, it's a Livingston IRX :-)) in the middle. Now I have a question: how is the traffic going between the MS SQL servers? Yep, I know about port 1433 (as specified in the MS SQL setup) but that can't be all that's needed...

On what ports except 1433 is MS SQL "talking"?
-- = ______________________________ Mattias Lindstr=F6m Systems integrator Information Highway Center AB voice: +46 (0)8 445 18 00 fax: +46 (0)8 445 18 01 ______________________________ From firewalls-owner Sun Jun 16 18:52:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA09522 for firewalls-outgoing; Sun, 16 Jun 1996 18:40:59 -0700 (PDT) Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA09493 for ; Sun, 16 Jun 1996 18:40:50 -0700 (PDT) Received: by relay.ashton.csc.com; id VAA09577; Sun, 16 Jun 1996 21:38:59 -0400 Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) Received: (from ckostick@localhost) by mccoy.ashton.csc.com (8.6.12/8.6.9) id VAA03252; Sun, 16 Jun 1996 21:39:58 -0400 From: Chris Kostick Message-Id: <199606170139.VAA03252@mccoy.ashton.csc.com> Subject: Re: NCSA firewall certification To: frankw@in.net (Frank Willoughby) Date: Sun, 16 Jun 1996 21:39:58 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <9606160253.AA15436@su1.in.net> from "Frank Willoughby" at Jun 15, 96 10:53:23 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > http://www.ncsa.com/fpfs/whatfire.html > > > > I'm very curious to hear members of this list comment on these > > tests--are they sufficiently rigorous and complete? > > I very seriously doubt it. > (BTW, thanks for including the pointer to the URL). > > Today, there are @70+ firewall vendors on the market. Of these, > only a handful (and I'm being generous here) are adequate enough > to protect a company against the hazards of the Internet, IMHO. > A determined hacker wouldn't find it very difficult to blast > through almost all of the firewalls on their "NCSA Certified" > list. remember this thought... > > Hmmmm. 
> Perhaps our company should start certifying firewalls.
> If we did, the list of certified firewalls would be considerably
> shorter than the ones we have seen so far.  BTW, we have taken
> out a firewall or two.
>
> When we do take out a firewall, we contact the vendor's engineering
> department and explain the test conditions (h/w & s/w of the systems
> involved), the type of attack, etc. and also make recommendations
> regarding how the problem can be resolved.
>
> Disclaimer:
> We are vendor-neutral (well, sort of - we must admit that we aren't
> really wild about firewalls which are not very secure.).  We don't

and this one...

> distribute or resell any firewall vendor's products.  This gives us
> a certain amount of freedom to call things like we see them.
>
> We test firewalls for our customers (and we write policies, perform
> risk assessments, design network security strategies, etc., etc.
> In a nutshell, we help them achieve high levels of Information
> Security which are user-friendly & virtually non-intrusive to
> business operations (and as inexpensive as possible).
>
> From the for-what-it's-worth department, here are some common mistakes
> that we usually see - listed in no certain order:
>
> o No firewall exists for the connection to the Internet
> o Firewall is misconfigured
> o Firewall is the wrong type
> o Firewall permits insecure applications/services through the firewall
> o Firewall is managed remotely via insecure Telnet
> o Firewall is managed by an ISP or other 3rd party
> o Firewall is managed by unqualified personnel
> o Firewall is managed by other than Information Security personnel
> o No policy is in place regarding PCs with modems connecting to the
>   Internet (effectively bypassing the firewall)
> o Etc., Etc., Etc.

Alright here's where I start typing.
In the previous comments you seem to imply more than once that firewalls
are insecure, bogus pieces of useless hardware that you just plain don't
recommend (okay, okay I read too much into it but we both know what I
mean).  Yet, the above list addresses nothing along the lines of the
technical capabilities of firewalls.  Your entire list basically has to
do with people problems.

I test firewalls also, and while not all are good, and some
implementations dictate the proper environment, it's definitely not as
bleak as you seem to make out.

In summary, firewalls are not the only items needed in an overall
network security architecture; more components are needed.  But
certainly do *not* disregard a firewall as being an integral part of
that solution.

> If your organization happens to have a firewall, it probably wouldn't
> hurt to double-check the above items.

--
Chris Kostick
CSC

From firewalls-owner Mon Jun 17 02:07:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA22617 for firewalls-outgoing; Mon, 17 Jun 1996 01:50:56 -0700 (PDT)
Received: from sycgate.sycomore.fr (sycgate.sycomore.fr [192.134.92.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA22610 for ; Mon, 17 Jun 1996 01:50:50 -0700 (PDT)
Received: from [192.134.92.34] (unknown.sycomore.fr [192.134.92.34]) by sycgate.sycomore.fr (8.6.3/8.5) with SMTP id KAA24491; Mon, 17 Jun 1996 10:29:05 +0200
X-Sender: berenguier@192.134.92.10
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Eudora F1.5.3
Date: Mon, 17 Jun 1996 10:48:25 +0200
To: Firewalls@GreatCircle.COM
From: Eric.Berenguier@sycomore.fr (Eric Berenguier)
Subject: need packet generator
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm setting up a packet filtering router, and I would like to fully test
it.  So, I'm looking for a packet generator that could run on HP-UX or
PC (Win3.1/95/dos).  Only free software please.
It would be nice if it could be run from a shell script.

I have got ipsend, but it runs only on the router itself (a FreeBSD box)
and I have to test the router from another host.

Thank you,

--
Eric Berenguier
SYCOMORE
31, place des Corolles - 92098 PARIS LA DEFENSE
http://www.sycomore.fr

From firewalls-owner Mon Jun 17 03:52:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA27067 for firewalls-outgoing; Mon, 17 Jun 1996 03:35:59 -0700 (PDT)
Received: from mail.ee.net (mail.ee.net [206.31.38.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA27060 for ; Mon, 17 Jun 1996 03:35:45 -0700 (PDT)
Received: from goffer.ee.net (digital80.ee.net [206.230.35.80]) by mail.ee.net (8.7.4/8.7.3) with SMTP id GAA15604; Mon, 17 Jun 1996 06:31:58 -0400 (EDT)
Received: by goffer.ee.net (SMI-8.6/SMI-SVR4)
Date: Mon, 17 Jun 1996 06:29:41 -0400
Message-Id: <199606171029.GAA18671@goffer.ee.net>
From: C Matthew Curtin
To: mjr@v-one.com
Cc: firewalls@GreatCircle.COM
Subject: Re: firewall testing redux
In-Reply-To: <199606161645.MAA03968@clark.net>
References: <199606161645.MAA03968@clark.net>
Reply-To: cmcurtin@fahlgren.com
X-Attribution: Matt
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "mjr" == Marcus J Ranum writes:

mjr> Lastly, I am concerned that product testing is going to lull
mjr> people into making the wrong assumption: that a firewall, once
mjr> "tested" is OK from then on.  Security is a *PROCESS* not a simple
mjr> thing you implement once, test, and then forget about.  The idea
mjr> that you can buy a pre-tested firewall, install it, and never
mjr> worry, is dangerously naive.  Marketing that as a "feature" is
mjr> irresponsible.  Using a test as a barrier to market entry or sales
mjr> leverage is sleazy.  Unless the test is something rigidly
mjr> quantifiable, which I believe firewalls are not, by virtue of
mjr> their extreme flexibility.
Unfortunately, as the number of organizations "buying firewalls"
increases, the demographics continue to change.  A few years back, you
would acquire the components you need, and in the process if a sales
type heard you mention you were building a firewall, it was usually
assumed that you were among the clued (and often, one would hope,
rightly so).  Now, you get more MIS manager types buying these things
with very little real knowledge about the still-very-technical area of
firewalls.  They read magazine articles in trade rags, and rely on that.
They can be swayed by vendors and such.

This really hit me last week when I called Cisco to order some routers
for a firewall I designed.  I got them all spec'd out and such, and then
I was handed to someone to give me price quotes and such.  She asked if
I had tried the PIX "firewall" they're reselling.  Earlier this year, in
my previous job, we had one and did testing on it.  I told her that PIX
was inappropriate for my application, and that I opted for the Gauntlet.

She told me:
 * Gauntlet is Unix-based [shucks, I was hoping it would run on Win95]
 * Unix is insecure
 * Unix is unstable
 * All the trade rags say Unix is bad for firewalls
 * All the experts say Unix is bad for firewalls

I found myself arguing with facts against nonsense without foundation.
I said trade rags are insignificant, they are put out by writers and
publishers, not by firewall experts.  She couldn't name any firewall
experts who said Unix was bad.  And I asked her how uptime of several
months on Unix-based bastion hosts is unstable.  I have been studying
security longer than most people have heard about the Internet (which,
at ~5 years, isn't long compared to lots of others who have a few more
gray hairs than I :-) and have been on this list since sometime in '92.
I am really annoyed that someone at a reputable vendor like Cisco would
spew nonsense at me.
(This isn't a slam against Cisco, but they, like every big vendor,
apparently have some overzealous sales drones.)

mjr> Six months or so ago, I wrote a lengthy polemic on this topic,
mjr> which I had on my (then) web page at iwi.com.  It is now and still
mjr> on the V-ONE publications area as:
mjr> http://www.v-one.com/pubs/testing/fwtest.htm it does not
mjr> represent V-ONE corporation's official views on the topic, but I
mjr> hope it can help provoke some thoughts and discussion on the
mjr> topic.

It's a great discussion of the subject (love your certification logo,
BTW, hehe).  This should be a must read, not only for anyone certifying
firewalls, but also, no, especially for MIS management-types who need to
see what's going on behind all of the asinine (worse, asiten!) marketing
hooey and hooplah that grabs all of the attention of the trade rags, and
these days, the mainstream press.

Unfortunately, it doesn't benefit the vendors who want some kind of
simple sticker they can slap on their product that says they're
"secure."  So I doubt that you'll be getting too many requests from
vendors to reproduce the paper in quantity.

It's a shame that the business of firewalls has degenerated to marketing
smoke, mirrors, and snake oil.

C Matthew Curtin
Chief Hacker
Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159
Dublin OH 43017-7159
http://www.local.com/~cmcurtin/
cmcurtin@fahlgren.com
PGP Mail Preferred

From firewalls-owner Mon Jun 17 04:52:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA29999 for firewalls-outgoing; Mon, 17 Jun 1996 04:42:19 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA29992 for ; Mon, 17 Jun 1996 04:42:13 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo2.cisco.com [171.68.13.2]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id EAA27705; Mon, 17 Jun 1996 04:39:44 -0700
Message-Id: <199606171139.EAA27705@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 17 Jun 1996 07:38:52 -0400
To: cmcurtin@fahlgren.com
From: Paul Ferguson
Subject: Re: firewall testing redux
Cc: mjr@v-one.com, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For what it's worth, some of us are working to improve the product,
educate the sales droids, and inject some sanity into this.

*sigh*

- paul

At 06:29 AM 6/17/96 -0400, C Matthew Curtin wrote:
>
>This really hit me last week when I called Cisco to order some routers
>for a firewall I designed.  I got them all spec'd out and such, and
>then I was handed to someone to give me price quotes and such.  She
>asked if I had tried the PIX "firewall" they're reselling.  Earlier
>this year, in my previous job, we had one and did testing on it.  I
>told her that PIX was inappropriate for my application, and that I
>opted for the Gauntlet.
>
>She told me:
> * Gauntlet is Unix-based [shucks, I was hoping it would run on
>   Win95]
> * Unix is insecure
> * Unix is unstable
> * All the trade rags say Unix is bad for firewalls
> * All the experts say Unix is bad for firewalls
>
>I found myself arguing with facts against nonsense without
>foundation.  I said trade rags are insignificant, they are put out by
>writers and publishers, not by firewall experts.  She couldn't name any
>firewall experts who said Unix was bad.  And I asked her how uptime of
>several months on Unix-based bastion hosts is unstable.  I have been
>studying security longer than most people have heard about the
>Internet (which, at ~5 years, isn't long compared to lots of others
>who have a few more gray hairs than I :-) and have been on this list
>since sometime in '92.  I am really annoyed that someone at a reputable
>vendor like Cisco would spew nonsense at me.
>
>(This isn't a slam against Cisco, but they, like every big vendor,
>apparently have some overzealous sales drones.)
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Mon Jun 17 05:37:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA02192 for firewalls-outgoing; Mon, 17 Jun 1996 05:25:06 -0700 (PDT)
Received: from sarswati.mindware.soft.net (sarswati.mindware.soft.net [164.164.52.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA02172 for ; Mon, 17 Jun 1996 05:24:51 -0700 (PDT)
Received: from gangotri.mindware.soft.net by sarswati.mindware.soft.net
Received: by gangotri.mindware.soft.net with Microsoft Mail
From: Prakash N Purushotham
To: "'smtp:firewalls@greatcircle.com'"
Subject: FW: IP addresses for Screened Subnet Architecture.
Date: Mon, 17 Jun 96 16:53:00 PDT
Message-ID: <31C5F011@gangotri.mindware.soft.net>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I need advice on designing a firewall architecture for my company.  I
have read about, and understood both Screened Host and Screened Subnet
architectures.  The screened subnet architecture is better, and also
adapts well in the future.  Any comments about that?  I'm sure most of
you know what a screened subnet architecture is.

At this point it is not important what actual software I use for the
firewall or bastion hosts.  What is more significant is the right
physical and TCP/IP architecture.  Our environment is a mix of UNIX and
Windows machines.  We currently have only one valid assigned class B IP
address range with subnet mask of 255.255.255.0.  From what I know, in
order to implement a screened subnet architecture with a DMZ, we need at
least two subnets.  There are three ways I can do this:

1. I can subnet my network but then I am not left with enough IP
   addresses for my internal network, so that is ruled out.

2. The other alternative would be to use private IP addresses according
   to RFC1597 for the internal network.  The disadvantage of this method
   is that I can never enable any direct access to the Internet from any
   of the internal network machines.  Though this is a good way of
   enforcing the security policy, sometimes it will be needed that an
   internal machine be given special direct internet access.

3. Get a new registered IP subnet from our provider to use on the
   internal network.  (Not easy)

The questions that arise are:
----------------------------

1. Any comments about screened subnet vs. screened host architecture.

2. What do you recommend we should do?  Try to get another IP subnet
   (not easily available), or use RFC1597 addresses for the internal
   network?

3.
   So that it is easy to maintain and schedule the IP filtering rules
   for the internal router, we intend to use a free UNIX like FreeBSD or
   Linux with an IP filter, instead of a CISCO.  Has anyone had any
   experience with some free IP filters for Linux/FreeBSD/NetBSD?  If
   yes, then what is the minimum resource requirement?  How would a 486
   DX with 24 MB perform for a load of about 200 clients?  Where can I
   find more info?

Thanks a ton in advance.

Regards
Harpreet
harpreet@mindware.soft.net

From firewalls-owner Mon Jun 17 06:07:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA04446 for firewalls-outgoing; Mon, 17 Jun 1996 06:02:44 -0700 (PDT)
Received: from trex.netrex.com (trex.netrex.com [205.254.178.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA04147 for ; Mon, 17 Jun 1996 05:59:48 -0700 (PDT)
Received: from foghorn (foghorn [205.254.178.10]) by trex.netrex.com (8.7.5/8.7.3) with SMTP id IAA19120 for ; Mon, 17 Jun 1996 08:57:24 -0400 (EDT)
Message-Id: <2.2.32.19960617125345.00a61fb0@trex.netrex.com>
X-Sender: richards@trex.netrex.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 17 Jun 1996 08:53:45 -0400
To: firewalls@GreatCircle.COM
From: "Richard D. Stiennon"
Subject: Cost of management  Was: Maintenance of firewall-1 2.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:52 AM 6/12/96 -0700, Brian Murrell doth say:
>If management can't afford to pay for somebody to "guard" their assets,
>then management can't afford an Internet connection.
>
>When the costing for an Internet connection is done, it should include the
>cost of managing the security.

I often build a case for Security Management and use salary figures from
$45K to $90K for a Security Engineer.  The type of person I have in mind
is a UNIX guru, has extensive PC experience and has 2 to 3 years of
firewall background.
Does anyone have any thoughts on these salary ranges?

Richard Stiennon                     richards@netrex.com
Director, Business Development       www.netrex.com/richard
Netrex, Inc.                         Voice: 810-352-9643
3000 Town Center, Suite 1100         Fax:   810-352-2375
Southfield, MI 48075

From firewalls-owner Mon Jun 17 06:37:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA03842 for firewalls-outgoing; Mon, 17 Jun 1996 05:55:12 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA03834 for ; Mon, 17 Jun 1996 05:55:05 -0700 (PDT)
Received: from pm4-22.in.net by su1.in.net with SMTP (5.65/1.2-eef)
Date: Mon, 17 Jun 96 07:50:55 -0400
Message-Id: <9606171150.AA12408@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: NCSA firewall certification
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:39 PM 6/16/96 -0400, Chris Kostick allegedly wrote:

8< [snip]

>Alright here's where I start typing.  In the previous comments you
>seem to imply more than once that firewalls are insecure, bogus
>pieces of useless hardware that you just plain don't recommend (okay,
>okay I read too much into it but we both know what I mean).

Actually, IMHO, most firewalls are relatively secure (themselves).
However, MOST do not offer adequate protection from the hazards of the
Internet.

>Yet, the above list addresses nothing along the lines of the technical
>capabilities of firewalls.  Your entire list basically has to do with
>people problems.

The two issues (NCSA certification & common firewall problems) are
completely separate and have nothing to do with each other.  (See
previous mail from me to the firewalls mailing list).  I should have
put the FWIW info in a separate thread.  I thought people would be able
to see that they were 2 separate issues.
My mistake.

>I test firewalls also, and while not all are good, and some implementations
>dictate the proper environment, it's definitely not as bleak as you
>seem to make out.

We disagree, but that's OK.  As mentioned earlier, I would say that
almost all are inadequate to protect a company from the hazards of the
Internet.

>In summary, firewalls are not the only items needed in an overall network
>security architecture; more components are needed.  But certainly do
>*not* disregard a firewall as being an integral part of that solution.

I agree 200%.  Many companies think that by throwing a firewall at the
Internet problem that their worries are over.  (Actually, they have only
taken their first step toward protecting their company's data and
business.)  In a nutshell, they need to implement an Information
Security Infrastructure in their company.  As this digresses from the
topic at hand, I'll cover this in another mail - to be seen in your
inbox shortly.

>> If your organization happens to have a firewall, it probably wouldn't
>> hurt to double-check the above items.
>
>
>--
>Chris Kostick
>CSC

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
 -- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily
be representative of Fortified Networks Inc.

Fortified Networks Inc.
- Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800    FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Mon Jun 17 07:07:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09809 for firewalls-outgoing; Mon, 17 Jun 1996 07:04:02 -0700 (PDT)
Received: from ngedns.northgrum.com (ngedns.northgrum.com [192.86.71.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA09802 for ; Mon, 17 Jun 1996 07:03:55 -0700 (PDT)
From: Michael_Beeler@ccmail.northgrum.com
Received: from puff.northgrum.com (puff.northgrum.com [157.127.103.139]) by ngedns.northgrum.com (8.7.1/8.6.12) with ESMTP id KAA09147; Mon, 17 Jun 1996 10:00:24 -0400 (EDT)
Received: from dns.masd (masd.northgrum.com [157.127.103.140]) by puff.northgrum.com (8.7.1/8.7.1) with ESMTP id HAA01315; Mon, 17 Jun 1996 07:00:14 -0700 (PDT)
Received: from ccmail.northgrum.com ([157.127.82.207]) by dns.masd (8.7.1/8.7.1) with SMTP id HAA07804; Mon, 17 Jun 1996 07:00:26 -0700 (PDT)
Received: from ccMail by ccmail.northgrum.com
Mime-Version: 1.0
Date: Mon, 17 Jun 1996 06:58:29 -0700
Message-ID: <1C566220.1557@ccmail.northgrum.com>
Subject: Re: Checkpoint FW-1 support.
To: Firewalls@greatcircle.com, Yossi Goltz
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What's the problem you found?

MB

______________________________ Reply Separator _________________________________
Subject: Checkpoint FW-1 support.
Author:  Yossi Goltz at INTERNET
Date:    6/16/96 10:03 AM

Hi!

I'm another user of FW1 with problems!

I'm in Israel (~10 minutes drive from checkpoint's HQ and labs!) and I
have a problem ticket open for 4 months!  Their support is even worse
than my worst dreams and I already told them so.  It does not seem to
help.
I'm still waiting for them to call me and say they have fixed the BUG we
found in the product!  Until then....  I guess they will not use me as a
reference site!

-Yossi.

Yossi Goltz                     Telephone: 972-3-6451111
Unix Network Manager            Fax:       972-3-6451100
New Dimension Software LTD.     Email:     yossi@ddddf.com
formerly                        P.O.B. 58168
4th Dimension Software Ltd.     61581 Tel Aviv ISRAEL

> ----------------------------------------------------------------------
>
> Date: 14 Jun 96 17:51:56 EDT
> From: Ryan.Russell/SYBASE
> Subject: Re: Decent tech support
>
> www.qualix.com
>
> I used them for my initial setup.  I am pleased with it.
>
> Ryan
>
> - ---------- Previous Message ----------
> To: firewalls
> cc:
> From: equaad @ nedhmail.nedh.harvard.edu @ smtp
> Date: 06/14/96 09:15:38 AM
> Subject: Decent tech support
>
> I second the request for info on tech support quality -- right now we
> have Firewall-1 software from Checkpoint and can't seem to get decent
> support to save our lives.  Anyone else have this product and have a
> reseller that provides good support???  I'm in the New England area but
> don't see why I would need a reseller in this area to provide good
> support (since it's 99% phone support anyway).  Anyone know a reseller
> with a good, *quick* technical support??
>
> Ellen Quaadgras
> Systems Administrator
> equaad@indigo.mit.edu
>
> ------------------------------
>
> Date: Fri, 14 Jun 1996 20:32:46 -0500 (CDT)
> From: Adam Horwitz
> Subject: Re: Decent tech support
>
> > At 09:15 AM 6/14/96 EST, equaad@nedhmail.nedh.harvard.edu wrote:
> > > I second the request for info on tech support quality -- right now we
> > > have Firewall-1 software from Checkpoint and can't seem to get decent
> > > support to save our lives.  Anyone else have this product and have a
> > > reseller that provides good support???  I'm in the New England area but
> > > don't see why I would need a reseller in this area to provide good
> > > support (since it's 99% phone support anyway).
> > > Anyone know a reseller
> > > with a good, *quick* technical support??
> >
> > ======== Fwd by: David Tate ========
> > > I guess now we will see how many resellers are part of the
> > > {firewalls@GreatCircle.COM} .....
> >