From firewalls-owner Sat Jun 1 01:33:42 1996
From: Bernd.Lehle@RUS.Uni-Stuttgart.DE (Bernd Lehle)
Subject: Re: FTP Encryption
To: adam@homeport.org (Adam Shostack)
Date: Sat, 1 Jun 1996 10:08:25 +0200 (DST)
Cc: Bernd.Lehle@RUS.Uni-Stuttgart.DE, CWSTAFFORD@deserthosp.org

> I like ssh, but if you use FTP + pgp, anyone can download & decrypt.
> With ssh, Mac users, VMS users, IBM mainframe users, fidonet users,
> and the like are all out of luck.

If you are trying to set up an ftp server for many people, then this is
a better solution. The original question referred to transfer within a
company though.

> If you use scp, you get link encryption, but not file encryption,
> which may be more important. Are you trying to let anyone download
> your files, and only those who give you money read what they've
> downloaded?

This would be a nice idea to charge for information supplied over the
Internet. Here in Stuttgart we use secure shell for administrative
logins and file transfers across the campus network, which is
considered insecure.
--
> Bernd Lehle - Stuttgart University Computer Center   * A supercomputer <
> Visualization / Security / Astrophysics              * is a machine    <
> lehle@rus.uni-stuttgart.de   Tel:+49-711-685-5531    * that runs an    <
> http://www.tat.physik.uni-tuebingen.de/~lehle        * endless loop    <
> pgp? -> finger bernd@visbl.rus.uni-stuttgart.de      * in 2 seconds    <

From firewalls-owner Sat Jun 1 06:18:48 1996
Date: Sat, 01 Jun 96 08:11:04 CST
From: "Todd Beebe"
To: kotler@pcta00.bamimpr.inpr.br, Russ
Cc: Firewalls@GreatCircle.COM
Subject: Re[2]: Windows/NT as a Comm. Server

What are "all NT holes"? I am trying to defend using UNIX over NT as
our firewall, and since I know little on NT I can't make a strong case
(except the obvious: NT hasn't been subject to being outside a protected
network as long as UNIX, so it's impossible to know its vulnerabilities
until it's open to hackers). Thanks.

______________________________ Reply Separator _________________________________
Subject: RE: Windows/NT as a Comm. Server
Author:  Russ at Internet
Date:    5/31/96 5:49 PM

% % Does anybody use Windows/NT (RAS) as a front-end communication
% % server for remote access?
%
% Yeh, some crazy people do.
Actually, lots of crazy people do...;-]

% % (instead of traditional communication servers like Shiva or
% % Livingston)
%
% but why? Each RAS connection uses 2MHz of CPU (continuously, so a
% loaded server will affect comms speed) and 1MB of ram.....

Well, this is not exactly true. If you use a ChiliPort, or Digiboard,
comm port, there is no direct load on the CPU or RAM for handling the
users. With these types of boards, NT becomes nothing more than a router.

% % THEY claim that it is so secure that we do not even need a firewall...
% % What about that?
%
% aahahaha If they can make a network connection to your NT box, then
% they can exploit all NT's holes remotely...... Don't see why making it
% a RAS server makes it more secure......

I have to agree here, RAS doesn't make NT more secure by any means. In
fact, it could be argued that RAS makes NT a little less secure because
when it is implemented NT automatically enables IP Forwarding between all
its adapters. If your NT box is multi-homed, and forwarding had not
previously been enabled, it would be after RAS was installed.

That said, RAS can be set to follow the same rules for user
authentication as clients on the LAN have to follow. It's possible to
establish encrypted sessions between RAS users who are running NT.

As for being able to exploit all of NT's holes, well, if you can
establish a network connection with an NT box, whether you are local or
remote, there are things that can be exploited. But you have to establish
that network connection first. I wouldn't be more afraid of someone
exploiting my NT box remotely than someone exploiting it locally. Of
course, providing dial-up access to any network is a risk unto itself.
Your NT RAS server can be set up as part of an untrusted domain, forcing
authentication to take place on a third machine, which does help somewhat
in ensuring proper authentication.

Out of curiosity, what "firewall" is not needed because of RAS?
Might you be talking about using RAS to connect to the Internet,
providing a gateway between your LAN and the Internet?

Cheers,
Russ

From firewalls-owner Sat Jun 1 07:18:44 1996
From: peter@baileynm.com (Peter da Silva)
Subject: Re: Raptor's Eagle Firewall
To: firewalls@greatcircle.com
Date: Sat, 1 Jun 1996 08:55:14 -0500 (CDT)

> The biggest complaint that I have about the Eagle NT product is that it is
> not an NT firewall. It doesn't use NT as anything more than a "boot
> loader". It is still not complete yet for NT, they cut back on features to
> rush it out the door. It seems like a good product, but I won't cut a PO
> until it can take advantage of the NT user database, network login, etc...

*jaw drops*

Why would you put your firewall into the same authentication domain as
your users? Maybe I'm missing something, but that seems like you're
putting an awful lot of trust in the NT security model.
From firewalls-owner Sat Jun 1 09:03:51 1996
Date: Sat, 1 Jun 1996 11:51:35 -0400
From: C Matthew Curtin
To: Duan Zhenhai
Cc: firewalls@GreatCircle.COM
Subject: Re: packet filter

>>>>> "Duan" == Duan Zhenhai writes:

Duan> the second question is what can we do and what should we
Duan> consider when we want to antispoofing,does controling the source
Duan> route enough?

(Warning added after I got done composing this: I kinda went off onto a
tangent about packet filtering options, etc., so I'm sure that I'm
inundating poor Duan with more information than he ever wanted, but
there's probably a fair bit of useful information here about packet
filtering considerations... at least I hope so :-)

Well, there are certain things that you can do to limit the boundaries
of IP address spoofing. This might prove to be sufficient for what
you're doing, but it is important to understand the limits of such a
mechanism.

Let's draw a connection to the Internet that will allow connection to
the Internet, and provide a space for a web site, dns server, or
whatever...
        |   Big bad Internet
        |
       /\   packet filtering router (1)
       \/   one that logs what it rejects, and what it allows
        |
    ____|_____________
        |
       _|_     _|_      "DMZ"
      |WWW|   |DNS|
      |___|   |___|     some machines (accessible to the Internet)
       _|_
      |PF |             another packet filter
      |___|             (maybe a commercial packet filtering "firewall," or a
        |                packet filtering router that will LOG everything)
        |
     ___|___________
        |
        |
       /\   packet filtering router (2)
       \/   same deal with logging, blah, blah, blah
        |
     ___|________       corporate private network backbone

OK, the packet filtering router (1) that connects our DMZ network(s) to
the Internet can be configured such that it will deny any packets that
claim to originate from either the DMZ or our private network's address
space. Additionally, we'll want to weed out ridiculous things like 127.*
(loopback); 10.*, 172.16.0.0 - 172.31.255.255, 192.168.0.0 -
192.168.255.255 (used for private internets (dare I even say "intranets"
:) only, as per RFC 1918); anything else you can think of that makes
sense to weed out should go here ... this is off of the top of my head.

Now, what we've done is ensured by rules (note, we're not guaranteeing,
because if someone breaks into our router and changes the rules, then
this changes things... so, lock the router down by only allowing physical
console access - NO REMOTE LOGINS TO YOUR ROUTERS! ... do some other
common sense things to keep anyone from being able to mess with it.) that
any packets that reach our DMZ networks are from the Internet. Anyone can
spoof something to look like it's from some OTHER Internet address, but
if you group ALL Internet (i.e., not yours) IP addresses into one
category: "untrusted," this is OK.

Now, the "PF" packet filter ("firewall," another router, or whatever) is
critical, because it provides a level of redundancy here. Put the same
ACLs that you put on packet filtering router (1) on there, JUST IN CASE
someone does something "impossible" and breaks through your first
router.
Again, LOG EVERYTHING that you allow and deny. Also, put the same ACLs
that you have on packet filtering router (2) on there, just in case
something screwy is going on from the inside (perhaps a bad guy has
broken into a terminal server, and is trying to attack your firewall from
the inside out!) that has gotten through your internal packet filtering
router...

Now, your packet filtering router (2) should be configured just as (1)
was, with the exception that it's the reverse: don't allow things from
the inside that claim to be from anywhere but your own IP address space.
Don't allow loopback, RFC 1918 addresses, etc. through. Log everything
that you accept or reject.

Logging is a big deal, especially in a packet filtering type of firewall
environment, for several reasons:

(1) logging rejects serve as alarms that will tell you when you're
actively under attack. Don't panic if you get one poke from a site, but
if someone is attempting a portscan of your web server, for example, this
is something you'll definitely want to know, and the logs will show this
attempt.

(2) Logging what you're allowing will tell you if your rules are working.
Don't just audit the reject logs. Take a look at what you're allowing,
and make sure that no stupid things are going on. Test them once in a
while (not once a year, I'd say monthly at the worst, depending on your
paranoia.)

Also, make sure that the place your logs go (perhaps you're using a
machine somewhere in your DMZ to accept all of the log data from all of
your packet filters via syslogd) is (1) protected, so that someone from
outside the DMZ (i.e., anything but your packet filters, and whatever
else that's YOURS that is logging to it via syslog) can't write to it,
and (2) it has BOATLOADS of free disk space. If someone IS able to start
writing crap to your log machine's syslogd, they'll try to fill up your
disk space before commencing the attack.
If you've got, say, 10GB of free space at any given time, the likelihood
of success is significantly lower than if you're down to 14k of free
space :-)

Another note, which is depending on your needs and paranoia, is where to
put the publicly accessible servers (like WWW, DNS, etc.) I've drawn them
as part of the DMZ, which might be OK, but might not be. There is an
additional level of security if you subnet them off of your outside
packet filtering router (1), because if someone breaks through your
router, and then breaks into one of those machines, an attack can't
commence from the same LAN: it has to attack your firewall from a LAN
that can be labeled "untrusted" by the firewall. Perhaps they can break
through there, too. So you've got ACLs redundant to what your outside
packet filter and "firewall" packet filter have on your inside packet
filter. Again, now they've got ANOTHER layer to break through. (By this
time, your alarms have been going nuts and have paged everyone from your
sysadmins to the CIO to look into this, right?)

All of this really boils down to a few simple maxims:

 * know exactly what it is that you need to do

 * don't allow anything to go on that you don't have defined as being
   absolutely necessary

 * understand the technology you're dealing with: its limits, its
   features, and what other people are doing with it

 * decide HOW MUCH protection you want, and understand what your
   tradeoffs are. (For example, I've shown the above network to have
   three packet filtering mechanisms. You could increase security by
   adding a fourth, fifth, etc., but are you spending $1,000,000 to
   protect $1,000? Also, the more ACLs you have on a router, the more
   you're going to slow it down. Are all of those redundant ACLs going to
   kill your network performance? Not if you can afford faster routers,
   but what if you can only afford Cisco 4500-Ms? Do you have so many
   ACLs that to get the same level of performance that the 4500 offers
   that you'd need to get into a 7000 series?)
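As an added illustration of the ingress/egress anti-spoofing ACLs, the redundant "PF" filter, and the log-everything/alarm points Matt Curtin makes above (example code written for this archive, not part of his message or of any product he names; the address ranges, DMZ hosts, filter names and sample traffic are all constructed):

```python
"""Anti-spoofing and service ACLs with full allow/deny logging, modelled on the
outer router / "PF" / inner router layout in the message above. Every address,
host and packet below is constructed for this example."""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Constructed address plan (documentation prefixes stand in for the real ones).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
CORP_NET = ipaddress.ip_network("198.51.100.0/24")
WWW_HOST, DNS_HOST = "192.0.2.10", "192.0.2.20"
OUR_NETS = [DMZ_NET, CORP_NET]
# Never valid as a source arriving from the Internet: loopback and RFC 1918.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only services the Internet may reach in the DMZ: (proto, dst, dport).
INBOUND_PERMITS = {("tcp", WWW_HOST, 80), ("tcp", DNS_HOST, 53), ("udp", DNS_HOST, 53)}


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def outer_rule(pkt):
    """ACL for router (1), packets arriving from the Internet. Returns the
    deny reason, or '' when the packet may pass."""
    if in_any(pkt.src, OUR_NETS):
        return "spoofed-internal-source"
    if in_any(pkt.src, BOGON_NETS):
        return "bogon-source"
    if (pkt.proto, pkt.dst, pkt.dport) not in INBOUND_PERMITS:
        return "no-matching-permit"
    return ""


def inner_rule(pkt):
    """ACL for router (2), packets leaving the corporate network: the reverse
    of the outer rule, the source must be in our own address space."""
    if in_any(pkt.src, BOGON_NETS):
        return "bogon-source"
    if not in_any(pkt.src, [CORP_NET]):
        return "source-not-our-space"
    return ""


class PacketFilter:
    """One filtering point. Every verdict is logged, allow and deny alike: the
    allow log shows whether the rules do what you think, the deny log is the alarm."""

    def __init__(self, name, rules):
        self.name, self.rules, self.log = name, rules, []  # rules keyed by interface

    def filter(self, pkt, arrived_on):
        reason = self.rules[arrived_on](pkt)
        verdict = "DENY" if reason else "ALLOW"
        self.log.append(f"{self.name} {arrived_on} {verdict} {pkt.proto} "
                        f"{pkt.src} {pkt.dst} {pkt.dport} {reason}".rstrip())
        return verdict == "ALLOW"


def scan_alarm(log_lines, threshold=5):
    """Sources whose denies touched at least `threshold` distinct (dst, port)
    pairs. One poke is noise; a spread of ports from one source is a portscan."""
    seen = defaultdict(set)
    for line in log_lines:
        _name, _iface, verdict, _proto, src, dst, dport, *_ = line.split()
        if verdict == "DENY":
            seen[src].add((dst, dport))
    return {src: len(p) for src, p in seen.items() if len(p) >= threshold}


def run_demo():
    """Router (1) sees only the outside, PF carries both ACLs (the redundancy
    the message insists on), router (2) sees only the inside. Constructed
    traffic: a normal web hit, a spoofed DMZ source, an RFC 1918 source, a
    portscan of the web server, a legitimate outbound packet, and an insider
    sending with a forged source."""
    router1 = PacketFilter("router1", {"outside": outer_rule})
    pf = PacketFilter("pf", {"outside": outer_rule, "inside": inner_rule})
    router2 = PacketFilter("router2", {"inside": inner_rule})
    inbound = [Packet("203.0.113.7", WWW_HOST, "tcp", 80),
               Packet("192.0.2.99", WWW_HOST, "tcp", 80),
               Packet("10.1.1.1", DNS_HOST, "udp", 53)]
    inbound += [Packet("203.0.113.66", WWW_HOST, "tcp", p) for p in (21, 22, 23, 25, 110, 143)]
    outbound = [Packet("198.51.100.5", "203.0.113.7", "tcp", 80),
                Packet("203.0.113.7", "203.0.113.8", "tcp", 80)]
    # Whatever router (1) lets through is checked again by PF's outside ACL;
    # whatever router (2) lets out is checked again by PF's inside ACL.
    verdicts = [router1.filter(p, "outside") and pf.filter(p, "outside") for p in inbound]
    verdicts += [router2.filter(p, "inside") and pf.filter(p, "inside") for p in outbound]
    logs = router1.log + pf.log + router2.log
    return verdicts, logs, scan_alarm(logs)
```

`run_demo()` returns the per-packet verdicts, the combined log of all three filters, and the sources whose reject pattern looks like a portscan.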
I personally am a bit leery of using purely packet filtering for building
firewalls, but perhaps that's because I don't understand all of the
details of packet filtering technology as it exists right at this moment.
There might be some newfangled ways of doing things that I don't know
about. Perhaps it's because I'm paranoid. Perhaps it's because there
really are significant limitations to what packet filters can do at this
very moment and there is good reason to doubt them.

However, I *do* think that packet filtering is very important. There is a
definite layer of security that is provided there, and something as
simple as adding some common sense ACLs to a router in front of (and
behind) a good application-layer firewall can provide very useful logs
and additional security. Of course, in really huge environments,
application layer firewalls tend to be problematic from performance
standpoints, although there are ways to solve that problem.

I guess I went off a little more than I intended, but in any event, I
hope the information is useful.

Also, if you haven't done so already, I highly recommend getting ahold of
Cheswick & Bellovin's "Firewalls and Internet Security: Repelling the
Wily Hacker," Addison-Wesley Professional Computing Series
0-201-63357-4 * Paperback * 320 pages * (c)1994
(See http://www.aw.com/cp/Ches.html for more info.)

This is a more theoretical approach to security in general, and will
leave you with a much better understanding of the kinds of things to
think about when dealing with security, especially firewalls.

Also, also, I recommend Building Internet Firewalls by D. Brent Chapman
and Elizabeth D. Zwicky. Published by O'Reilly & Associates, 1st Edition
September 1995, 517 Pages, ISBN 1-56592-124-0, List price $29.95.
(See http://www.greatcircle.com/firewalls-book/ for more info.)
This is the hands-on approach of HOW to build a firewall: you'll also
get a good appreciation for the kinds of things to think about, etc., but
this is structured for the specific purpose of showing you how to do it.
This book and the C&B book complement each other very well.

C Matthew Curtin
Chief Hacker
Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159
Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/
cmcurtin@fahlgren.com
PGP Mail Preferred

From firewalls-owner Sat Jun 1 10:03:49 1996
Date: Sat, 1 Jun 1996 12:45:01 -0400
From: C Matthew Curtin
To: eckes
Cc: nmorgan@smtp.dgs.ca.gov (Morgan, Noel), Firewalls@GreatCircle.COM
Subject: Re: Countermeasures ?

>>>>> "Bernd" == eckes writes:

Bernd> Automated responses are
Bernd> simply too easy to be used for denial of service. And X-Bombs are
Bernd> very unsocial on the already overloaded Internet.

Agreed. At a previous place of employment, our highly visible web server
underwent a denial of service attack. We traced it back to a dialup
account from a small ISP in another state.
It was kind of interesting, because they were pretty uncooperative until
we started getting threatening, which is exactly what we were trying to
avoid:

 * we had our SA call the ISP's technical contact, but she didn't get to
   talk to him directly: a message was taken by the receptionist.

 * after about 15 minutes of nonresponse, our webmaster called and
   explained AGAIN that this is so-and-so from a big company's R&D org,
   and one of your users is attacking one of our machines. Not terribly
   useful, because it was left in another message to the contact, who
   was in the privy :)

 * the webmaster called 10 minutes later and finally talked directly
   with the contact, who explained that he wouldn't be able to get
   around to dealing with it anytime soon, because he was real busy. It
   was on the speaker, so the four of us in the room just kinda looked
   at each other and grinned while the webmaster roasted his butt.

 * the attack stopped about two minutes after he got off the horn, so
   the webmaster called back to thank the guy for dealing with it so
   quickly. Turns out that the attack was coming from a rogue account,
   and that they suspect it was an ex-employee who was an admin there.
   They've had their stuff broken into several times, but didn't even do
   as much as advise their customers to change their passwords. Very
   strange. We gave him some advice (after prefacing it by saying 'we
   really can't tell you what to do, but...') and I can only hope that
   he took it.

The story is more than mildly amusing: it helps to underscore a very
serious problem with mismanaged (or undermanaged ... or perhaps we should
say [mis|under]-administered :) sites, such as ISPs who really ought not
be ISPs. I suppose this is another Bad Thing(tm) that has come about
because of the explosive growth and popularity of the 'net. It was nice
to be able to (until about '93 or early '94) quickly talk to someone
clued whenever there was a problem like that and have it immediately
dealt with.
But I've digressed beyond the scope of firewalls...

C Matthew Curtin

From firewalls-owner Sat Jun 1 11:48:50 1996
Date: Sat, 1 Jun 1996 14:38:16 -0400
From: C Matthew Curtin
To: Brian Murrell
Cc: bill.stout@hidata.com, Firewalls@GreatCircle.COM
Subject: Re: Re[2]: Encryption Technology

(I apologize in advance, but I've followed up on a thread of
questionable relevance to firewalls, and taken it further from the
charter of the list with my comments. However, it is an issue that is
likely of interest to at least a significant number of subscribers. If
you are not among these, or you're tired of me rambling, please read no
further, and delete this message. :-)

>>>>> "Brian" == Brian Murrell writes:

Brian> Great story.

Agreed :-)

Brian> That's what scares me. How does one know it's DES-3 without
Brian> successfully decrypting the datastream?? Does DES-3 (and other
Brian> encryption) have a "signature" that identifies it without
Brian> decrypting it??

Yes, triple-DES does have a signature identifying what it is.
Brian> I'm not quite grasping how any of the above lead you to believe
Brian> that DES-1 is crackable in near real-time. I don't necessarily
Brian> disagree with that statement however.

Doing so in software certainly isn't here today, but an MP DES-cracking
machine (i.e., built specifically for that purpose, everything in
silicon) that can do so in real- or near-real-time isn't terribly
infeasible, given the size of a 56-bit key...

>> 5. If above=true, then Feds dropping the Zimmerman PGP case
>> probably also points to it also being crackable in a similar
>> manner.

Brian> 128 bit keys. Yeah probably. Or you mean they have broken
Brian> RSA??

I think that this might be grasping a bit. I tend to think that the
reasons for dropping the Zimmermann case were more political than
technical: the persecution (sic :-) had pretty shaky ground, in the
opinion of lots of lawyers (and while I'm at it, a lawyer I am not) and
legal analyst types. Additionally, these laws that they were using to
base their case on have been untried, and there is the risk of having
them declared unconstitutional by a court. The likelihood of that
happening on such a tremendously high publicity (and weak) case seems
even higher. Rather than taking the risk of having those laws
challenged, I tend to agree with the folks that think the DoJ was simply
choosing its fights, actually throwing a punch only when it is
reasonably sure that it can win. Zimmermann had (has?) quite the posse
behind him, and the DoJ might have determined that it was too
outnumbered (or outgunned :-) to fight that day.

Now, the security of DES is well known, with weak keys, and the small
key size being its only known serious problems. IDEA is also widely
believed to be secure, however, it has not had the same amount of time
to be studied by as many folks as DES, and it's certainly possible that
the NSA has figured a way to efficiently cryptanalyse the cipher.
I, for probably no good reasons, tend to doubt this postulation: IDEA
*has* been studied quite a bit, simply not as much as DES.

Successful cryptanalysis (that's a tough word to type) of RSA would be a
Really Big Deal, indeed. I wonder if the NSA would quietly stop opposing
efforts to allow its export, or if it would continue the facade of
allowing its export being a National Security Threat(tm). Again, as far
as anyone in academic or published corporate research circles knows,
RSA's problems are limited to key size (and weak keys? probably, but
don't remember for sure.)

>> 6. Using encryption only flags traffic for capture and decryption,
>> using strong encryption makes you all that more interesting.

Brian> I made the point a couple of weeks ago that everybody should
Brian> encrypt everything - then interested parties won't necessarily
Brian> know what to go after.

Agreed, of course, this was the general theory behind the use of Emacs'
"spook" function. One of my favorite things to do is encrypt a message,
and then append the output of "spook" to my message. I'm sure that more
than one of my messages has found its way into a message collection
machine of sorts. :-)

For the unenlightened, spook simply attaches three lines of random(ish)
words and phrases that are likely to be caught by scanners of Internet
traffic, like this:

Clinton Qaddafi Ft. Meade KGB NSA FSF explosion CIA quiche Khaddafi
bomb Treasury cryptographic $400 million in gold bullion
[Hello to all my fans in domestic surveillance]

C Matthew Curtin
Chief Hacker
Fahlgren, Inc.
From firewalls-owner Sat Jun 1 12:03:45 1996
Date: Sat, 1 Jun 1996 14:50:57 -0400
From: C Matthew Curtin
To: Kyle_Amon@jabil.com
Cc: Brad.Aikins@internetmci.com, Michael Ryan
Subject: Re: Re[2]: Sprayd

> (a) sprayd used RPC/UDP/IP; ping uses IP.

Actually, ping uses the ICMP protocol's ECHO_REQUEST, trying to get an
ICMP ECHO_RESPONSE from the target, not raw IP. Check your man pages or
a good book like TCP/IP Illustrated (published by Addison-Wesley) for
more detailed discussion of how it works...

C Matthew Curtin
Chief Hacker
Fahlgren, Inc.
From firewalls-owner Sat Jun 1 12:33:47 1996
Date: Sat, 1 Jun 1996 15:12:03 -0400
From: C Matthew Curtin
To: Luis Cesar Maiaru
Cc: firewalls@GreatCircle.COM
Subject: Re: Solaris and SCO Firewalls

>>>>> "Luis" == Luis Cesar Maiaru writes:

Luis> Hi, I'm looking for information about the firewalls (FireWall-1,
Luis> TIS, etc.) for Solaris and SCO. In particular, I would like to
Luis> hear opinions about the FireWall-1 for Solaris: Solstice
Luis> FireWall-1.

I haven't done any testing of Firewall-1 on Solaris, but I have done a
fair bit with using Solaris as the basis for a home-grown
application-layer firewall. There are some good things about using
Solaris for a firewall, which might be interesting for you, regardless
of whether you choose Firewall-1 or something else which has the option
to be Solaris-based.

 * its modular nature (packages) makes it really easy to pull stuff
   that you don't want out of there.
   If you go to a little bit of extra effort to create packages for
   everything that you put on the firewall, like tcp_wrappers, tripwire,
   configuration files, etc., then you can eliminate a lot of other
   things (like editors, tar, etc., that will make things tough for a
   bad guy who manages to break into your machine) AND simplify the
   management of your firewall: it simply does its thing, while all of
   your testing, and messing with things takes place on a similarly
   configured machine, where you build your packages. The production
   firewall machine just gets the packages moved over (via tape?), and
   then you can pkgadd your stuff. Great for revision control, too. For
   managing multiple machine-firewall environments, this is REALLY
   useful. The procedures for managing, creating, and installing
   packages are both simple and very well documented. I think Sun should
   be commended for really good work in this area.

 * Its TCP/IP implementation seems pretty good. I haven't done much
   quantitative analysis of it vs. other stacks that interest me (such
   as BSDI's and IRIX's), but I have done that analysis vs. SunOS
   4.1.3_U1 and 4.1.4, and found huge improvements. (Using
   patched-and-stripped-out-the-wazoo Solaris 2.4, as well as the first
   two releases of 2.5 (which *seemed* even better than 2.4.))

 * Because of its current availability on SPARC and Intel platforms (and
   RSN availability for the PowerPC), you've got a choice of hardware:
   going the all-Sun route might make things a bit easier (and you have
   a higher top-end), although using commodity Intel stuff, if you're
   willing to fight some potential headaches of a multivendor system and
   don't need to be right on the cutting edge, you can get more
   horsepower for less money. Also, some of the PowerPC-based servers
   that folks are working on (especially Motorola's headless server that
   was featured a few months back in Unix Today or something) look
   pretty cool.
   (Although until Solaris/PowerPC is available, that thing only runs
   strange-but-sometimes-nifty AIX.)

C Matthew Curtin

From firewalls-owner Sat Jun 1 13:04:00 1996
From: John Betts
Subject: Re: Re[2]: Windows/NT as a Comm. Server
To: Todd_Beebe@internet.gallup.com (Todd Beebe)
Date: Sat, 1 Jun 1996 21:43:14 +0200 (SAT)
Cc: firewalls@greatcircle.com
Reply-to: johnb@aztec.co.za

%
% What are "all NT holes"? I am trying to defend using UNIX over NT
% as our firewall and since I know little on NT I can't make a strong case.
%

If you know more about Unix than you do NT, I'd recommend sticking with
the platform you know best.

ciao
-- John
--
John Betts, Aztec Internet Services              Port Elizabeth, South Africa
johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
The world is complex. The Sendmail configuration reflects this.
From firewalls-owner Sat Jun 1 13:33:45 1996
From: C Matthew Curtin
To: Russ
Subject: Re: What do you want to know about Windows NT?
Date: Sat, 1 Jun 1996 16:23:14 -0400
Reply-To: cmcurtin@fahlgren.com

>>>>> "Russ" == Russ writes:

Russ> I have an offer to you all. I have been working very hard for
Russ> the past 6 months or so to try and raise the level of awareness
Russ> about Windows NT and the Internet. My motivation was selfish, of
Russ> course, in that I hope to gain knowledge about where the
Russ> obstacles are in getting NT accepted by you, the security
Russ> administrators.

(I'm not particularly venomous toward Microsoft, although I loathe the promotion of computer "business" over computer science, proprietary "black box" solutions, and anticompetitive business practices. I resist any product or company where this is the case: Microsoft is merely the biggest perpetrator of these crimes.)
I refuse to allow NT in my organization for several reasons (relevance to firewalls follows in several points, and is absent in others):

* Microsoft's business practices are clearly anti-competitive and just downright ridiculous (packaging inferior products with already popular packages, then claiming huge amounts of market share with the inferior crap, causing more managers who only read trade rags to buy the servers to drive the crappy clients (i.e., MS-Mail) ... that's just plain obscene.)

* NT, regardless of what version number they slap on it, or claim how far its ancestry goes back (to the VMS, of which NT is merely a rehash with a new and nasty GUI front end), is a very new operating system. It has yet to be proven in any kind of significant environments, which must be the case before it can be trusted in secure ones.

* I don't trust Microsoft (as an outgrowth of my distrust of any software where I can't read and understand the code)...otherwise, we simply don't have anything on which to base the complexity of what's going on underneath. Further, Microsoft has proven that it's simply market-driven, not in the business for anything but the business (perhaps as opposed to the science?). As such, I don't believe that it has any reason to worry about security until forced to do so by the marketplace, which is much too late when talking about deploying firewalls today. Particularly worrisome, mjr posted last week or so that he sent some folks to Microsoft for some NT training. He related that the Microsoft employed(?), Microsoft certified trainer asserted that Microsoft has "administrative hooks" into the operating system. That isn't the kind of crap that I need on a secure system. How long will it take before someone (either a malicious Microsoft (ex?-)employee, or a bad guy with the ability to reverse-engineer the object code) writes something to exploit those hooks, successfully breaking every NT box that can be touched by the 'net?
* NT is severely lacking in very important tools. For example, how does NT know if it's being port scanned? How does it know if someone has broken in? How does it know if files have been modified? (Some of this can no doubt be answered by the NT auditing tools, and some add-on solutions, but they certainly can't address everything, and in my admittedly limited experience, many of these NT type tools are less functional and stable than their Unix counterparts.)

* All of this third-party software to make NT even usable (like, oh, as something as basic and trivial as a DNS server) costs money. Why would I want to spend money on software that's not as functional or stable as the free stuff that I can easily get for Unix - in source form?

* All of NT's vapor promises and current deliverables, will at best, provide me with the same level of stability as a reasonably good (not stellar) Unix implementation. So, what's it offering me?

* NT, being a black box solution, is not tweakable at a low level, cannot be stripped to provide a minimal level of functionality, or have insecurities removed or replaced, etc., etc., etc. So, why do I want to run this thing in an environment where some bad guys are banging on this on a regular basis? Or any other environment where anyone cares about security?

* On a more philosophical note, I don't think Microsoft even gets it. Bill Gates and his stormtroopers have been marketing the crap out of their proprietary MSN, again incorporating it into their latest OS, Windoze 95 (shall we even address the ridiculously stupid security issues there?), until it became apparent that there was more money to be made getting into this "Internet thing." Less than six months ago, the Internet was the "frothiest thing [Bill Gates] has ever seen." Unix vendors not only get the Internet, they're some of the folks who have helped define what it is, technically, and provided the foundation that made it possible.
I have observed that a fair number of consultant-types have a serious agenda to get NT everywhere they possibly can, pushing it where it even clearly doesn't make sense. I'm curious as to your motivations (if you do follow up, please do so to me directly... I don't know that the rest of the list is interested. If enough folks ask, I'll post your response to the list, if you would allow me to) for desiring wide deployment of NT.

Haven't the lessons of the closed IBM machines and proprietary DEC boxes gotten through? Openness in architecture provides so many advantages that I'm nearly dumbfounded by the number of people who insist on following their black-box solutions, happily paying for every little component, without the foggiest idea of what's happening. This is silliness, and anything BUT computer science. (Maybe the older guys who can remember aren't speaking loud enough, and maybe the younger folks need to spend a little less time writing code, in favor of doing a bit more study of the history of their industry...)

C Matthew Curtin
Chief Hacker
Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159
Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/
cmcurtin@fahlgren.com
PGP Mail Preferred

From firewalls-owner Sat Jun 1 14:18:53 1996
From: Adam Shostack
Subject: Re: Re[2]: Encryption Technology
To: cmcurtin@fahlgren.com
Date: Sat, 1 Jun 1996 17:03:56 -0500 (EST)
Cc: firewalls@greatcircle.com (Firewalls mailing list)

C Matthew Curtin wrote:

| >>>>> "Brian" == Brian Murrell writes:
[...]
| Brian> That's what scares me. How does one know it's DES-3 without
| Brian> successfully decrypting the datastream?? Does DES-3 (and other
| Brian> encryption) have a "signature" that identifies it without
| Brian> decrypting it??
|
| Yes, triple-DES does have a signature identifying what it is.

That's a rather tall assertion. Can you back it up?

I'll claim that some instance of 3des might have a signature that identifies it, (------ Begin PGP 3.0 Message -----), but that 3des does not have a signature that distinguishes its ciphertext from des or IDEA.

Actually, I'll take it a step further, and argue that without substantial analysis, 3des can not be distinguished from DES, since the output of the final round of 3des is the output of a des encryption, albeit one with apparently random input.
Adam

-- 
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Sat Jun 1 14:33:51 1996
From: C Matthew Curtin
To: Adam Shostack
Cc: firewalls@greatcircle.com (Firewalls mailing list)
Subject: Re: Re[2]: Encryption Technology
Date: Sat, 1 Jun 1996 17:18:49 -0400
Reply-To: cmcurtin@fahlgren.com

>>>>> "Adam" == Adam Shostack writes:

Me> Yes, triple-DES does have
Me> a signature identifying what it is.

Adam> That's a rather tall assertion. Can you back it up?

Actually, I took a look since you raised the question, and it would appear that I suffered a brainfart. (I think I was confused by a particular product that used triple-DES that identified itself (much like the PGP 3.0 example you cited.)

Adam> Actually, I'll take it a step further, and argue that without
Adam> substantial analysis, 3des can not be distinguished from DES,
Adam> since the output of the final round of 3des is the output of a
Adam> des encryption, albeit one with apparently random input.

After re-evaluating several flavors of triple-DES since getting your message, I'll agree with this assertion. Sorry for the error, thank you for catching it and bringing it to my attention.

C Matthew Curtin
Chief Hacker
Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159
Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/
cmcurtin@fahlgren.com
PGP Mail Preferred

From firewalls-owner Sat Jun 1 15:18:45 1996
From: Julian Assange
Subject: NNTPCACHE-0.87.9 (fast nntp cache/proxy)
To: firewalls@greatcircle.com
Date: Sun, 2 Jun 1996 08:06:58 +1000 (EST)

NNTPCACHE 0.87.9UL (BETA #2) (nntpcache-users@nntpcache.org)

[...]

Theory of operation:

nntpcache (efficiently) executes on the localhost pretending to be an NNRP news reading server. In fact, what it does is pass certain NNTP commands through to real (remote and possibly local) news-servers based on various pattern matching rules. nntpcache then takes the output from those servers and caches & indexes it in funky ways (much specific case magic goes into this). The next time such information is asked for, or other information which can be logically inferred from the previously collated information, it is sent directly from the cache, without consulting the remote servers.

[...]

nntpcache can also act selectively as an intelligent firewall NNTP application proxy and supports full RFC931/ident & source address and newsgroup access controls with quite a reasonable degree of granularity.
Presently nntpcache caches the active, active.times, newsgroups and overview.fmt files, article, head, body, group, listgroup, xover and xhdr commands. nntpcache cross-posts seeds its cache and also maintains a database of message-id -> group/article_number tuples.

[...]

Archive: ftp://ftp.nntpcache.org/pub/nntpcache/nntpcache.tgz
Mailinglist: Send a message with "Subject: subscribe" to: nntpcache-users-request@nntpcache.org

-- 
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies, The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From firewalls-owner Sat Jun 1 17:18:45 1996
Date: Sat, 1 Jun 96 19:06:45 -0400
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: RE: Raptor's Eagle Firewall
At 04:59 PM 5/30/96 -0600, Chris Pugrud allegedly wrote:

Your points are well taken. A few caveats, if I may.

>The biggest complaint that I have about the Eagle NT product is that it is
>not an NT firewall. It doesn't use NT as anything more than a "boot
>loader".

I wouldn't quite go as far to say that it is a "boot loader". It does load Windows NT & then disables services and features which are not firewall related or have been deemed to be insecure.

>It is still not complete yet for NT, they cut back on features to
>rush it out the door.

Granted, however, the first release of any product is always missing some features.

>It seems like a good product, but I won't cut a PO
>until it can take advantage of the NT user database, network login, etc...

Personally, I see this as an advantage rather than a disadvantage. I wouldn't want to use any NT features which may be critical to the use of the firewall for two main reasons:

1) You can't be sure that the software will be stable. Micro$oft could accidentally let a bug creep into their software which could render the firewall insecure or inoperable - requiring that the vendor "freeze" their version of Windows NT ("We will only support NT version X.Y.") - leaving them in a strategically vulnerable position. Also, if the software is written internally, then you have full control of the s/w development, you can provide better support, and you can provide a quicker response to problems/bugs.

2) Security
Pretty much the same reasons as in #1. Further, it is never a good idea to outsource Information Security. Relying on Micro$oft's security mechanisms would place the vendor's product & reputation at the mercy of Micro$oft's ability to write tight secure code.

>Chris

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sat Jun 1 18:03:46 1996
From: Russ
To: "'Peter da Silva'"
Cc: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
Date: Sat, 1 Jun 1996 20:48:57 -0400

*jaw drops*

Why would you put your firewall into the same authentication domain as your users?

Maybe I'm missing something, but that seems like you're putting an awful lot of trust in the NT security model.

Actually, it's possible to establish a trust relationship between two separate NT domains such that attempts to log onto the Firewall Domain would be validated against an internal Administrative Domain, but accounts on the Firewall Domain would not be permitted to log into the Administrative Domain. So even if the Firewall were compromised, none of its accounts would be permitted to access the resources protected internally by the Administrative Domain security, and remember, neither the user ID nor the password are transmitted across the network between the two.
Cheers,
Russ

From firewalls-owner Sat Jun 1 19:03:46 1996
From: Russ
To: "'Frank Willoughby'"
Cc: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
Date: Sat, 1 Jun 1996 21:42:28 -0400

"I wouldn't quite go as far to say that it is a "boot loader". It does load Windows NT & then disables services and features which are not firewall related or have been deemed to be insecure."

If it did that, and, integrated with the NT Security subsystems, I might not agree with Chris. However, what I have seen are systems that implement their own drivers and then link to them once NT has completed loading, effectively by-passing much of NT's own code to get to the packets early enough to work the Firewall's magic. For the vendor, this has the advantage of making them less dependent on code changes by Microsoft, but has the side-effect of making it more difficult to integrate into an existing NT environment. If it's not integrating to the NT environment, then why would I be thinking of NT? The only reason left, IMO, is that I want the familiarity of the NT environment when it comes to administration of the Firewall. Once again, however, I haven't seen one yet that truly looks like NT or provides me any real leverage of my existing NT Administration skills. Until both of these things are done well, then NT is just a boot loader.

"Personally, I see this as an advantage rather than a disadvantage.
I wouldn't want to use any NT features which may be critical to the use of the firewall for two main reasons:"

It's an NT-based Firewall!!! Using this logic, I'm far better off with one of their UNIX implementations. I'm paying an extra $600 bucks for an NT Server license, why shouldn't I expect them to make some use of it? If it doesn't make use of NT for its critical features, then it's not an NT Firewall, plain and simple. Hey, I like the guys at Raptor as much as the next guy, but I've told them, and I'm telling you, it's not NT until it uses NT. If it's not NT, then get their UNIX version.

1) You can't be sure that the software will be stable. Micro$oft could accidentally let a bug creep into their software which could render the firewall insecure or inoperable - requiring that the vendor "freeze" their version of Windows NT ("We will only support NT version X.Y.") - leaving them in a strategically vulnerable position.

True, and this is why it's important to have a strong relationship with Microsoft for these products. Microsoft does not go blindly off changing code to suit their needs, despite what anyone thinks. There are quite a number of vendors who reject changes as a result of the impact they will have on their code. As we all know, there are many ways to skin a cat. That said, Microsoft is also not going to prevent a code change just because a vendor has too few programmers put into their NT efforts. Many small vendors, Executive Software (Diskkeeper) for example, replace the NT HAL with their own code, no small task. Yet these guys are able to release NT service packs about 60 days behind Microsoft, consistently. This is pretty good testimony to how bound and tied vendors really are to Microsoft's changes.

Also, if the software is written internally, then you have full control of the s/w development, you can provide better support, and you can provide a quicker response to problems/bugs.

2) Security
Pretty much the same reasons as in #1.
Further, it is never a good idea to outsource Information Security. Relying on Micro$oft's security mechanisms would place the vendor's product & reputation at the mercy of Micro$oft's ability to write tight secure code.

I agree here, but you always have the ability to go the driver route should your "real" implementation be found susceptible to a bug. Many people have written work-arounds to accommodate problems that Microsoft either deny, or have problems dealing with. Bob Denny wrote defensive code into Website for 3 service pack releases of NT, finally getting the problems resolved in NT 3.51 service pack 4. This is not good testimony to Microsoft's responsiveness to problems, but it may also have been a matter of a transient problem that was difficult to isolate. It caused server crashes, so it was important, but it only affected a small number of machines, so its importance was diminished. Bob found it made more sense to code around the problem, and accept a performance hit in the process, than to wait for MS to fix it. It was detrimental to his product, but he was the only one that bothered to implement a patch, shows you where the market is. Website was able to be more reliable than anybody else, with a cost of slower performance.

This kind of problem is not a small one, and it has to be addressed properly by Microsoft. I'm not privy to what was said between the two parties in the above example, so who knows why it wasn't fixed sooner. Would a stronger relationship between the two have been better? I doubt it. Has Microsoft realized that these types of problems need to be fixed faster? I think so. If the issue was one of security, would Microsoft deal with it differently? The unqualified answer I have received is yes, and believe me, I've been very vocal with them about this possibility.

Raptor have, in my opinion, taken an aggressive stance with respect to Windows NT.
The first NT implementation of their Firewall has its limitations, and is more designed to keep customers demanding an NT solution from buying into some other vendor's futures. Global Internet's Centri has its own legs because of its TIS background, but the fact that they are selling evaluation copies, rather than giving them away, will make their story something less heard.

It will be very interesting to see where PPTP takes either of these products in the future. Do you buy into VPN, or do you use PPP encryption? VPN offers the flexibility of being accessible by most clients, whereas PPTP is limited, for now, to a select few clients. As the deployment of FEPs ramps up in Telcos, I suspect that PPTP is going to have greater widespread use than VPN. Because of the way it's implemented on NT, it offers a pretty good security story, but that's for NDA and not for here...Sorry Bill...;-]

Cheers,
Russ

From firewalls-owner Sun Jun 2 02:04:04 1996
To: Chris Watson
Cc: "Wojno Jim"
From: Ryan.Russell/SYBASE
Date: 30 May 96 9:19:48 EDT
Subject: Re: Email Virus Scanner

I think people often forget that a recognizable virus signature may often be encoded in such a way (uuencode,
zip, zip w/encryption, mime etc..) that any scanner will always miss some method, besides the ones that can't be scanned (any strong encryption.) That's why I think it more useful to spend one's time picking the antivirus package for your desktop that best meets your needs, that can do its job when the virus etc... is unencoded/unpacked/unencrypted etc..

Ryan

---------- Previous Message ----------
To: jwojn
cc: firewalls
From: scanner @ webspan.net (Chris Watson) @ smtp
Date: 05/29/96 06:10:19 PM
Subject: Re: Email Virus Scanner

On Wed, 29 May 1996, Wojno, Jim wrote:

> 2.4), that could scan all incoming mail for any virus code. So far, we
> haven't come up with much.

Anyone else ROFL as hard as I am?

-- 
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
http://www.freebsd.org             | SysAdmin / Network Engineer / Security
===================================| Member BSDNET team!
http://www.bsdnet.org

From firewalls-owner Sun Jun 2 02:18:49 1996
To: "KABERNARD) kabernard @ techsoft.com (KABERNARD"
Cc: kaberna, firewalls
From: Ryan.Russell/SYBASE
Date: 30 May 96 9:42:50 EDT
Subject: Re: Extra Social Engineering

Yes look for a CERT advisory regarding an increase in the use of psychics to "crack" passwords. Until patches are available from the various vendors (Sun has announced that they will have a jumbo patch available for Solaris 2.x ready within 3 weeks.) Currently, the CERT team advises that users should think about their passwords as little as possible.

------------------------------------------------------------------------------

Where do people get this stuff? Is this a troll?
Ryan

---------- Previous Message ----------
To: kaberna, firewalls
cc:
From: kabernard @ techsoft.com (KABERNARD) kabernard@techsoft.com (KABERNARD) @ smtp
Date: 05/30/96 08:40:15 AM
Subject: Extra Social Engineering

From: kabernard@techsoft.com (KABERNARD)
To: firewalls@greatcircle.com
Date: Thu, 30 May 1996 07:41:01 -0500
Subject: Extra Social Engineering

Has anyone experienced an attack where you were unable to determine how the system was cracked? Recently an overzealous employee who was "Just trying to help" attained root access on several of my UNIX boxes. She stated that she got the passwords from her "Psychic Friend". Is that possible? I've seen the commercials but never imagined there was anything to it.....does anyone out there think that there are a lot of attacks as the result of this type of "Extra Social Engineering".....couldn't this be disastrous for the entire industry? I bet I haven't heard about this before because the "Big Companies" know that if word of this got out, there would be a mass exodus from the INTERNET....
tks.....kurt

From firewalls-owner Sun Jun 2 03:48:46 1996
From: John Betts
Subject: Re: Raptor's Eagle Firewall
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Sun, 2 Jun 1996 12:31:03 +0200 (SAT)
Cc: firewalls@greatcircle.com
Reply-to: johnb@aztec.co.za

% So even if the Firewall were compromised, none of its accounts would be
% permitted to access the resources protected internally by the
% Administrative Domain security, and remember, neither the user ID or the
% password are transmitted across the network between the two.
%

Uhm, what we mean is, that if your _PRIMARY NT DOMAIN CONTROLLER_ got compromised, your firewall would be useless.......

ciao
-- John

-- 
John Betts, Aztec Internet Services
Port Elizabeth, South Africa
johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
The world is complex. The Sendmail configuration reflects this.
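Added example, not code from any of the posts, in Python: it works through Ryan Russell's point in the Email Virus Scanner reply above (a gateway scanner has to peel uuencode, base64 and zip layers before a byte signature can match, and cannot see into encrypted content) and Adam Shostack's point in the Encryption Technology thread (what a scanner can recognize is a format wrapper such as a PGP armor header or a zip's encryption flag, not the cipher inside). The signature string, every message body and the helper that sets a zip's encrypted flag are constructed for the demo.

```python
"""Signature scanning across mail encodings (added example).

Not code from any of the mailing-list posts. A gateway scanner must remove
uuencode, base64 and zip layers before a byte signature can match; what it
can still recognize on encrypted content is only the wrapper (a PGP armor
header, a zip member's encryption flag), never the cipher inside. The
signature string, all messages and the zip-flag helper are constructed.
"""
import base64
import binascii
import io
import re
import struct
import zipfile

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-DO-NOT-RUN"  # constructed marker
UU_RE = re.compile(rb"^begin \d{3} \S+\r?\n(.*?)^end$", re.S | re.M)
B64_RE = re.compile(rb"[A-Za-z0-9+/=\r\n]+")
MAX_DEPTH = 4


def scan_bytes(data, depth=0):
    """Return ("hit", depth), ("clean", depth) or ("opaque", reason).

    depth is the number of encoding layers removed before the verdict.
    """
    if depth > MAX_DEPTH:
        return ("opaque", "too-many-layers")
    # Zip container: walk the members; an encrypted member is a dead end.
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return ("opaque", "encrypted-zip:" + info.filename)
                verdict = scan_bytes(zf.read(info), depth + 1)
                if verdict[0] != "clean":
                    return verdict
        return ("clean", depth + 1)
    if SIGNATURE in data:
        return ("hit", depth)
    # Body after RFC 822 headers, if any; binary blobs pass through unchanged.
    body = data.split(b"\n\n", 1)[-1].strip()
    # PGP armor: the wrapper is recognizable, the ciphertext inside is not.
    if body.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return ("opaque", "pgp-armor")
    # uuencode block: "begin <mode> <name>" ... "end"; decode line by line.
    m = UU_RE.search(data)
    if m:
        lines = [ln for ln in m.group(1).splitlines() if ln.strip()]
        return scan_bytes(b"".join(binascii.a2b_uu(ln) for ln in lines), depth + 1)
    # base64 body: nothing but the base64 alphabet and line breaks.
    if len(body) >= 16 and B64_RE.fullmatch(body):
        try:
            return scan_bytes(base64.b64decode(body), depth + 1)
        except binascii.Error:
            pass
    return ("clean", depth)


def _mark_encrypted(zip_bytes):
    """Set the 'encrypted' general-purpose flag in every zip header (demo only).

    The stdlib cannot write encrypted zips, so the demo fakes the flag on an
    ordinary archive; the scanner only inspects the flag, never the data.
    """
    out = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", out, pos + off)[0]
            struct.pack_into("<H", out, pos + off, flags | 0x1)
            pos = out.find(sig, pos + 4)
    return bytes(out)


def demo():
    """Scan five constructed messages that carry the same payload differently."""
    payload = b"hello " * 20 + b"\n" + SIGNATURE + b"\n"
    uu_lines = b"".join(binascii.b2a_uu(payload[i:i + 45]) for i in range(0, len(payload), 45))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", payload)
    zip_bytes = buf.getvalue()
    messages = {
        "plain": b"Subject: plain\n\n" + payload,
        "uuencode": b"Subject: uu\n\nbegin 644 payload.bin\n" + uu_lines + b"`\nend\n",
        "zip-base64": b"Subject: zip\nContent-Transfer-Encoding: base64\n\n"
        + base64.encodebytes(zip_bytes),
        "encrypted-zip": b"Subject: enc\n\n" + base64.encodebytes(_mark_encrypted(zip_bytes)),
        "pgp": b"Subject: pgp\n\n-----BEGIN PGP MESSAGE-----\nVersion: 3.0\n\n"
        b"hQEMA0NvbnN0cnVjdGVkAQ\n-----END PGP MESSAGE-----\n",
    }
    return {name: scan_bytes(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```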
From firewalls-owner Sun Jun 2 09:03:48 1996
From: Russ
To: "'johnb@aztec.co.za'"
Cc: "firewalls@greatcircle.com"
Subject: RE: Raptor's Eagle Firewall
Date: Sun, 2 Jun 1996 11:43:08 -0400

% So even if the Firewall were compromised, none of its accounts would be
% permitted to access the resources protected internally by the
% Administrative Domain security, and remember, neither the user ID or the
% password are transmitted across the network between the two.
%

"Uhm, what we mean is, that if your _PRIMARY NT DOMAIN CONTROLLER_ got compromised, your firewall would be useless......."

Yes, and that's also true if you are using an ACE Server, or Radius, or any other authentication server for your firewall. So what's your point, that it's too easy to compromise a Windows NT Primary Domain Controller? I don't happen to agree.

In any site that is already using NT for security of networked resources, extending the security model to the firewall is logical, for them, if they desire to focus their attention on a single authentication scheme. I see no reason why this is not perfectly viable providing that their security policy addresses it properly, as it would have to do with any source of ACL's. It means, from an administrative perspective, that they have fewer sources of security audits to monitor, which can make detection easier.
In addition, management of a single set of accounts can streamline a security policy, making its adoption, adherence, and proper usage more likely. In my book, these are two of the most important issues relating to an effective security policy.

Let me restate a premise: I am not suggesting that an organization, whose security personnel are already familiar with brand X UNIX, or brand Y firewall, dump their equipment and go out and buy some Windows NT Firewall. I am suggesting that there are a lot of organizations who are in the process of implementing a firewall who do not have such personnel, but instead, have people who already understand and/or manage Windows NT resources. It does not make sense to say that the only way these organizations can safely connect themselves to the Internet is through a UNIX-flavored firewall.

As X.500 is more widely adopted, the need to provide a single user administration database becomes more apparent. NT offers this capability today, through the use of Exchange Server, which supports multiple name spaces for a single account, single logon, bulk imports from other systems, etc... As more Directory Structure vendors, like Banyan, write products to the ODSI specification which allow them to integrate their naming systems into NT, there will be even greater adoption of NT as a centralized authentication server. We already have Radius and TACACS support, and I doubt that ACE is very far away. NT cannot just be ignored, but if it's unsafe for Enterprise Authentication, let's not find that out after you've been tasked with implementing it.
Cheers,
Russ

From firewalls-owner Sun Jun 2 09:48:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA16275 for firewalls-outgoing; Sun, 2 Jun 1996 09:35:09 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA16245 for ; Sun, 2 Jun 1996 09:34:58 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id MAA21956; Sun, 2 Jun 1996 12:37:26 -0500
From: Adam Shostack
Message-Id: <199606021737.MAA21956@homeport.org>
Subject: Re: Raptor's Eagle Firewall
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Sun, 2 Jun 1996 12:37:26 -0500 (EST)
Cc: peter@baileynm.com, firewalls@GreatCircle.COM
In-Reply-To: <01BB4FFB.C1CC5500@rwcooper.rc.toronto.on.ca> from "Russ" at Jun 1, 96 08:48:57 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:
(Responding, I think, to Peter Da Silva)

| >Why would you put your firewall into the same authentication domain as
| >your users?
|
| >Maybe I'm missing something, but that seems like you're putting an awful
| >lot of trust in the NT security model.
|
| Actually, it's possible to establish a trust relationship between two
| separate NT domains such that attempts to log onto the Firewall Domain
| would be validated against an internal Administrative Domain, but accounts
| on the Firewall Domain would not be permitted to log into the
| Administrative Domain.

Could you expand on this? How is the trust maintained? How is information moved between the two systems?

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Sun Jun 2 17:48:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA02338 for firewalls-outgoing; Sun, 2 Jun 1996 17:45:25 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02329 for ; Sun, 2 Jun 1996 17:45:17 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id QAA06788 for ; Sun, 2 Jun 1996 16:58:36 -0700
Date: Sun, 2 Jun 1996 17:41:51 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: Re: packet filter
In-Reply-To: <199606011551.LAA14217@goffer.ee.net>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Jun 1996, C Matthew Curtin wrote:

> the rules, then this changes things... so, lock the router down by
> only allowing physical console access - NO REMOTE LOGINS TO YOUR
> ROUTERS!

Or out-of-band remote logins via a secure channel. Basically hook up the router's serial port to some magic box that is more secure than the network itself. Maybe a serial MUX connected to a private frame relay network. Or attach it to some machine inside the firewall so that an outsider would have to break through all your defenses in order to get to the serial port that attaches to the border router. But this should not be used from outside the firewall, only for convenient administration within the protected network, say if the router is on a different floor in your building. The frame-relay scenario would be used in a situation where head-office must administer a firewall at a branch office site. A dial-up modem could be used here but is inherently less secure than a connection to a private frame relay network.
Just make sure you put your "devious devil" cap on and review your plans before implementation because this ain't a "one-size-fits-all" theatre of operations here.

> Also, make sure that the place your logs go (perhaps you're using a
> machine somewhere in your DMZ to accept all of the log data from all
> of your packet filters via syslogd) is (1) protected, so that someone
> from outside the DMZ (i.e., anything but your packet filters, and
> whatever else that's YOURS that is logging to it via syslog) can't
> write to it, and (2) it has BOATLOADS of free disk space. If someone
> IS able to start writing crap to your log machine's syslogd, they'll
> try to fill up your disk space before commencing the attack. If you've
> got, say, 10GB of free space at any given time, the likelihood of
> success is significantly lower than if you're down to 14k of free
> space :-)

Some people set up a separate Ethernet segment for the log host and connect the filtering machines to it using a 10baseT card that allows you to cut the receive pair so that it is impossible to establish TCP sessions of any sort with the loghost; therefore crackers cannot erase or modify logs if they do manage to get in somehow.

> However, I *do* think that packet filtering is very important. There
> is a definite layer of security that is provided there,

Agreed. Just about everyone has a border router that is capable of packet filtering so you may as well use it. But adding a proxy layer is a good idea too. Like NASA's design for onboard spacecraft computer systems: they install 3 systems using at least two independent designs under the theory that a failure due to design flaws is unlikely to knock out more than two systems of the three.

Michael Dillon                                    ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
                                                 E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 18:03:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA02435 for firewalls-outgoing; Sun, 2 Jun 1996 17:51:05 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02428 for ; Sun, 2 Jun 1996 17:50:56 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id RAA06846 for ; Sun, 2 Jun 1996 17:04:15 -0700
Date: Sun, 2 Jun 1996 17:47:31 -0700 (PDT)
From: Michael Dillon
To: Firewalls@GreatCircle.COM
Subject: Re: Countermeasures ?
In-Reply-To: <199606011645.MAA14340@goffer.ee.net>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Jun 1996, C Matthew Curtin wrote:

> The story is more than mildly amusing: it helps to underscore a very
> serious problem with mismanaged (or undermanaged ... or perhaps we
> should say [mis|under]-administered :) sites, such as ISPs who really
> ought not be ISPs. I suppose this is another Bad Thing(tm) that has
> come about because of the explosive growth and popularity of the
> 'net. It was nice to be able to (until about '93 or early '94) be able
> to quickly talk to someone clued whenever there was a problem like
> that and have it immediately dealt with.

And now a bunch of those ISPs are a bit more clued in since I just forwarded your nice case-study to 5 ISP mailing lists. Fortunately, the ISPs who do subscribe to the mailing lists are eager to learn more and the existence of these mailing lists contributes to getting them clued in much more quickly than any other means I can think of.

Michael Dillon                                    ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
                                                 E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 19:03:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA07935 for firewalls-outgoing; Sun, 2 Jun 1996 18:57:36 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA07917 for ; Sun, 2 Jun 1996 18:57:26 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id SAA07610; Sun, 2 Jun 1996 18:10:42 -0700
Date: Sun, 2 Jun 1996 18:53:57 -0700 (PDT)
From: Michael Dillon
To: C Matthew Curtin
cc: firewalls@GreatCircle.COM
Subject: Re: What do you want to know about Windows NT?
In-Reply-To: <199606012023.QAA14941@goffer.ee.net>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Jun 1996, C Matthew Curtin wrote:

> Haven't the lessons of the closed IBM machines and proprietary DEC
> boxes gotten through? Openness in architecture provides so many
> advantages that I'm nearly dumbfounded by the number of people who
> insist on following their black-box solutions, happily paying for
> every little component, without the foggiest idea of what's happening.
> This is silliness, and anything BUT computer science.
>
> (Maybe the older guys who can remember aren't speaking loud enough,
> and maybe the younger folks need to spend a little less time writing
> code, in favor of doing a bit more study of the history of their
> industry...)

I remember in the mid-70s when we all hated monolithic mainframe punch-card batch-processing IBM and we gravitated to the Honeywell time sharing system with neat Bell Labs tools like the QED editor, ROFF and the B programming language.
Then when they came out with their own programming language, life was good.

When the DOS PC came on the scene lots of us gravitated to it because it was cheap enough to own our very own computer and if you stuck a 10-meg drive on an XT those babies really screamed. I remember getting large program compiles in only 5 minutes! A quarter of the time it took on a minicomputer. And Microsoft made wonderful tools like the Multiplan spreadsheet and MS Word with a consistent user interface (ESC, T, L) to load your file, (ESC, T, S). And when they announced MS-DOS 2.0 with subdirectories and their plans to grow DOS and XENIX into a single merged OS, life was better.

But then things turned ugly. Microsoft changed, IBM changed, the world changed, a new generation grew up, the Internet was born.

There's a story I once read about two high-school buddies who grew up and went to the same college. The first one became active in a Marxist organization, the other joined the Young Republicans. They ceased to speak with each other, graduated and went their separate ways. Many years later, they encountered one another again. The first one said, you know, after years of working for the people's revolution, I've come to realize that you were right after all and I'm now the campaign manager for the Republican Congressional candidate in my district. The other fellow's smile dropped off his face. Oh, he said, it happens that I'm leaving next week for Nicaragua to help train teachers in the Sandinistas' literacy program.

The moral of this story is that you really cannot judge a company on past glories, you are foolish to attach your company's well-being to the fickleness of another company, and don't believe what Microsoft says they are gonna do next year because they may change their minds yet again.

I still think firewalls should be chosen based on security criteria and the OS platform used is 100% irrelevant to the decision.
Remember the old advice: determine your system requirements, find the software that will meet those requirements, buy the platform that runs this software best. Why do people always insist on doing it the other way around?

Michael Dillon                                    ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
                                                 E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 19:18:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA08477 for firewalls-outgoing; Sun, 2 Jun 1996 19:08:52 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA08465 for ; Sun, 2 Jun 1996 19:08:43 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id SAA07789 for ; Sun, 2 Jun 1996 18:22:03 -0700
Date: Sun, 2 Jun 1996 19:05:18 -0700 (PDT)
From: Michael Dillon
To: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
In-Reply-To: <01BB5003.3BD59E40@rwcooper.rc.toronto.on.ca>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Jun 1996, Russ wrote:

> when it comes to administration of the Firewall. Once again, however, I
> haven't seen one yet that truly looks like NT or provides me any real
> leverage of my existing NT Administration skills.

Maybe that's because it's not NT and it's not an operating system. It's a firewall. Why should a firewall look like an operating system?

> It's an NT-based Firewall!!! Using this logic, I'm far better off with one
> of their UNIX implementations. I'm paying an extra $600 bucks for an NT
> Server license, why shouldn't I expect them to make some use of it? If it
> doesn't make use of NT for its critical features, then it's not an NT
> Firewall, plain and simple.
One of the goals in designing a firewall is to strip away unnecessary functionality. This accomplishes two things. It minimizes the possibility of buggy code because the code is so simple it can easily be checked for correctness. And it minimizes the profile that outsiders can attack. These are good things.

Michael Dillon                                    ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
                                                 E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 20:18:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA12605 for firewalls-outgoing; Sun, 2 Jun 1996 20:08:33 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA12598 for ; Sun, 2 Jun 1996 20:08:22 -0700 (PDT)
Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232])
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail
Message-ID: <01BB50D7.BFA9FD40@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
Date: Sun, 2 Jun 1996 23:03:43 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Maybe that's because it's not NT and it's not an operating system. It's a firewall. Why should a firewall look like an operating system?"

What if I don't want a Firewall Administrator, what if I want to use my NOS Administrator? What if I have a small company who cannot afford a dedicated Firewall, or a dedicated Firewall Administrator?

Anyway, you've made my point again. If it's going to be an NT-based Firewall, it should incorporate NT into its functionality; otherwise, we shouldn't be looking at the NT version and instead should be considering the original UNIX version. Both Raptor and Centri are ports of UNIX products to NT. The point is, if the objective of the port was merely to duplicate the Firewall environment running on top of NT, it's ill-conceived.

"One of the goals in designing a firewall is to strip away unnecessary functionality.
This accomplishes two things. It minimizes the possibility of buggy code because the code is so simple it can easily be checked for correctness. And it minimizes the profile that outsiders can attack. These are good things."

Fine, I agree. Account Administration, however, is not unnecessary functionality. Neither is interface commonality. If the program is going to present a window with menus, and it's going to run on NT, then why not use the NT routines to create the windows and the menus?

Anyway, I suspect that people have gotten my point by now, so I'll stop repeating it...;-]

Cheers,
Russ

From firewalls-owner Sun Jun 2 20:48:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA13697 for firewalls-outgoing; Sun, 2 Jun 1996 20:40:14 -0700 (PDT)
Received: from po-external.FCNBD.COM (po-external.FCNBD.COM [147.113.146.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA13681 for ; Sun, 2 Jun 1996 20:40:02 -0700 (PDT)
Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.104.10]) by po-external.FCNBD.COM (8.7.2/fcnbd/domain/1.5) with ESMTP id WAA23411; Sun, 2 Jun 1996 22:39:57 -0500 (CDT)
Received: from abacab.cmg.FCNBD.COM (abacab.cmg.FCNBD.COM [147.113.112.11]) by po-internal.FCNBD.COM (8.7.2/fcnbd/internal-domain/1.4) with ESMTP id WAA17935; Sun, 2 Jun 1996 22:38:10 -0500 (CDT)
Received: from abernathy.fnbc.com (pmarc@abernathy.FNBC.COM [147.113.112.83]) by abacab.cmg.FCNBD.COM (8.7.2/fcnbd/server-subdomain/2.1) with ESMTP id WAA27006; Sun, 2 Jun 1996 22:35:42 -0500 (CDT)
Received: (from pmarc@localhost) by abernathy.fnbc.com (8.7.3/8.7.1) id WAA00332; Sun, 2 Jun 1996 22:37:03 -0500 (CDT)
Message-Id: <199606030337.WAA00332@abernathy.fnbc.com>
MIME-Version: 1.0 (NeXT Mail 3.3risc v118.3)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <199605301428.HAA11329@miles.greatcircle.com>
X-Nextstep-Mailer: Mail 3.3 (Enhance X)
Received: by NeXT.Mailer (1.118.3)
From: "Paul M. Cardon"
Date: Sun, 2 Jun 96 22:36:55 -0500
To: Darren Reed
Subject: Re: Firewall-1 and Gauntlet
cc: jct@edelweb.fr (Jean-Christophe Touvet), Leif.Gyllenberg@sweden.sun.com
Reply-To: pmarc@fnbc.com
References: <199605301428.HAA11329@miles.greatcircle.com>
X-Warners: Yakko, Wakko, and Dot
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We noticed some strangeness in this area when running the fwtk ftp proxy with Firewall-1 1.2 (both running on Solaris 2.5). We tracked it down to the following function that is common to all of the proxies:

    #include <unistd.h>

    /*
     * fwtk helper: send a line followed by CRLF. The line body and the
     * terminator go out in two separate write() calls, so on the wire they
     * may arrive as two separate TCP segments.
     */
    int
    sayn(int fd, char *s, int n)
    {
        if (write(fd, s, n) != n)
            return 1;
        return write(fd, "\r\n", 2) != 2;
    }

For whatever reason, the two writes were always being sent in separate packets. We had our network analyzer looking at it and verified this behavior. I hacked the ftp-gw code to fix this problem. The behavior disappeared when we upgraded to version 2 of Firewall-1 so there must have been something wrong there. However, the new Firewall-1 then made some other assumptions about port numbers that caused ftp-gw to fail. I will share details when I have a chance.

---
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
pmarc@cmg.fcnbd.com - (312) 732-7392

I never give them hell. I just tell the truth and they think it's hell. - H. Truman
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e

From firewalls-owner Sun Jun 2 21:33:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA17081 for firewalls-outgoing; Sun, 2 Jun 1996 21:22:54 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA17074 for ; Sun, 2 Jun 1996 21:22:47 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id UAA09943; Sun, 2 Jun 1996 20:36:00 -0700
Date: Sun, 2 Jun 1996 21:19:15 -0700 (PDT)
From: Michael Dillon
To: Russ
cc: "'Firewalls'"
Subject: RE: Raptor's Eagle Firewall
In-Reply-To: <01BB50D7.BFA9FD40@rwcooper.rc.toronto.on.ca>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Jun 1996, Russ wrote:

> "Maybe that's because it's not NT and it's not an operating system. It's a
> firewall. Why should a firewall look like an operating system?"
>
> What if I don't want a Firewall Administrator, what if I want to use my NOS
> Administrator? What if I have a small company who cannot afford a dedicated
> Firewall, or a dedicated Firewall Administrator?

Buy a pair of wirecutters! ;-)

> Anyway, you've made my point again. If it's going to be an NT-based
> Firewall, it should incorporate NT into its functionality, otherwise, we
> shouldn't be looking at the NT version and instead should be considering
> the original UNIX version. Both Raptor and Centri are ports of UNIX
> products to NT. The point is, if the objective of the port was merely to
> duplicate the Firewall environment running on top of NT, it's ill-conceived.

IMHO these vendors should be selling their firewalls just the way they originally built them, running on top of UNIX.
No doubt they could build a black box with Pentium CPU, RAM and UNIX on ROM *AND* include an NT GUI for administering the thing. Then you could have your cake and eat it too. So could the Mac sites by simply including a Mac admin tool. So could the UNIX sites by supplying an X-Windows admin tool. And so on. Whatever happened to object-oriented design???

> Fine, I agree. Account Administration, however, is not unnecessary
> functionality. Neither is interface commonality. If the program is going to
> present a window with menus, and it's going to run on NT, then why not use
> the NT routines to create the windows and the menus?

Just subtract the part about "run on NT". Does a Livingston Portmaster terminal server run on NT? No. Does it have an NT GUI admin tool? Yes.

Michael Dillon                                    ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049                             http://www.memra.com
                                                 E-mail: michael@memra.com

From firewalls-owner Sun Jun 2 23:18:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA21183 for firewalls-outgoing; Sun, 2 Jun 1996 23:08:03 -0700 (PDT)
Received: from SDG.DRA.COM (sdg.dra.com [192.65.218.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA21169 for ; Sun, 2 Jun 1996 23:07:53 -0700 (PDT)
Date: Mon, 3 Jun 1996 1:05:23 -0500 (CDT)
From: Sean Donelan
To: firewalls@greatcircle.com
Message-Id: <960603010523.926e@SDG.DRA.COM>
Subject: Re: Countermeasures ?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Agreed. At a previous place of employment, our highly visible web
>server underwent a denial of service attack. We traced it back to a
>dialup account from a small ISP in another state.

27 minutes from first attempted contact until the problem was stopped, not that bad of a response. Even Domino's Pizza gave its drivers a full 30 minutes.

Contacting someone at a small ISP is fairly easy (as evidenced by the previous example, even given the slight delay caused by the restroom).
There just aren't that many people to pass the buck to at a small ISP. Trying to reach a person at a Big & Important company can be much more difficult. In 27 minutes you'd still be listening to muzak waiting for a generic customer service representative, because no human is listed as a contact, at Big & Important to pick up the phone.

Or, heaven forbid, you try to report a security problem with the Really Big & Important, e.g. a US government computer. Did the General Accounting Office ask how many people tried to tell the US Military about computer security break-ins, but got the run around? Yes, I know the US Military has lots, and lots of computer security teams. Some of them actually know what they are doing. But I didn't know I needed the correct telephone extension to report an attack against the USA.

As the net has grown, it has gotten much harder to reach a clueful person at every type of site: big, small, important, or not. Even the CERT says they can't handle calls from everyone. The flip-side is it discourages the few people who used to report problems from even trying.

One thing I find missing from many companies' computer security procedures is what to do when Joe Q. Public calls up and tells your receptionist someone broke into your computers. Does your receptionist know who to send the information to if someone called your company?

--
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
  Affiliation given for identification not representation

From firewalls-owner Sun Jun 2 23:33:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA21528 for firewalls-outgoing; Sun, 2 Jun 1996 23:22:30 -0700 (PDT)
Received: from whirlwind.momentum.com.au (whirlwind.momentum.com.au [203.2.238.131]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA21514 for ; Sun, 2 Jun 1996 23:22:20 -0700 (PDT)
Received: (from uucp@localhost) by whirlwind.momentum.com.au (8.6.12/8.6.12) id OAA01097 for ; Mon, 3 Jun 1996 14:17:30 +0800
Received: from snowcrash.momentum.com.au(203.2.238.134) by whirlwind via smap (V1.3mjr)
X-Sender: todd@mailhost.momentum.com.au
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 3 Jun 1996 14:19:24 +0800
To: Firewalls@GreatCircle.COM
From: todd@momentum.com.au (Todd Hooper)
Subject: Re: Firewall-1 and Gauntlet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jean-Christophe Touvet writes:

> As far as I know, this is a Firewall-1 bug. The reason is that Gauntlet used
>to split its PORT commands in two packets (two write() system calls). Since
>Firewall-1's filtering code works only with one packet at once, it fails. TIS
>guys wrote some patches to solve this problem (contact your Gauntlet reseller),
>but IMHO that's really a packet filtering design problem: how do you inspect
>data when it doesn't fit in the same packet ? Of course, you could keep data
>in your state machine, but in that case you've just written a proxy. Any
>comments ?

Isn't that one of the issues (specifically, the problems with TIS and Gauntlet ftp) that Checkpoint fixed in Firewall-1 version 2.0d?
Regards,

Todd

--
Todd Hooper                          Internet : todd@momentum.com.au
Internet and Open Systems Division   Phone    : 09 429 6000
AlphaWest Pty Ltd                    Fax      : 09 429 6030

From firewalls-owner Mon Jun 3 00:33:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA25403 for firewalls-outgoing; Mon, 3 Jun 1996 00:28:37 -0700 (PDT)
Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA25396 for ; Mon, 3 Jun 1996 00:28:28 -0700 (PDT)
Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id CAA21787; Mon, 3 Jun 1996 02:24:05 -0500
Received: from wiproge.med.ge.com (jogin [3.70.200.53]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id CAA26918; Mon, 3 Jun 1996 02:26:32 -0500
Received: from ashwini.wiproge.med.ge.com by wiproge.med.ge.com (4.1/SMI-4.1)
Received: by ashwini.wiproge.med.ge.com (SMI-8.6/SMI-SVR4)
Date: Mon, 3 Jun 1996 12:58:30 -0500
From: sameer@wiproge.med.ge.com (Sameer )
Message-Id: <199606031758.MAA20152@wiproge.med.ge.com>
To: adam@homeport.org, firewalls@GreatCircle.COM
Subject: Re: Raptor's Eagle Firewall
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

Even I would like an answer to that....trust relationship....

.....sam

E-Mail : sameer@wiproge.med.ge.com        Wipro GE Medical Systems - Bangalore
         sameer@wiproge.gemse.fr
Name   : Sameer [Sam]
Wipro GE Medical Systems Ltd., GPDC, A-1, Corporate Towers, Golden Enclave,
Airport Road, Bangalore- 560017, INDIA
-------------------------------------------------------------------------
"Opinions expressed are my own and may not conform to my Employers"
********************THOUGHT FOR THE DAY**************************
Diplomacy is the art of saying "GOOD DOGGY" till you find a very BIG stick.
*****************************************************************
You may delegate AUTHORITY but not RESPONSIBILITY
--------------------------------------------------------------------------

*SAM*From firewalls-owner@GreatCircle.COM Mon Jun 3 09:14:52 1996
*SAM*From: Adam Shostack
*SAM*Subject: Re: Raptor's Eagle Firewall
*SAM*To: Russ.Cooper@RC.Toronto.on.ca (Russ)
*SAM*Date: Sun, 2 Jun 1996 12:37:26 -0500 (EST)
*SAM*Cc: peter@baileynm.com, firewalls@GreatCircle.COM
*SAM*
*SAM*Russ wrote:
*SAM*(Responding, I think, to Peter Da Silva)
*SAM*| >Why would you put your firewall into the same authentication domain as
*SAM*| >your users?
*SAM*|
*SAM*| >Maybe I'm missing something, but that seems like you're putting an awful
*SAM*| >lot of trust in the NT security model.
*SAM*|
*SAM*| Actually, it's possible to establish a trust relationship between two
*SAM*| separate NT domains such that attempts to log onto the Firewall Domain
*SAM*| would be validated against an internal Administrative Domain, but accounts
*SAM*| on the Firewall Domain would not be permitted to log into the
*SAM*| Administrative Domain.
*SAM*
*SAM* Could you expand on this? How is the trust maintained? How
*SAM*is information moved between the two systems?
*SAM*
*SAM*Adam
*SAM*
*SAM*--
*SAM*"It is seldom that liberty of any kind is lost all at once."
*SAM*                                                        -Hume
*SAM*
*SAM*

From firewalls-owner Mon Jun 3 01:19:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA26039 for firewalls-outgoing; Mon, 3 Jun 1996 00:47:57 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA26010 for ; Mon, 3 Jun 1996 00:47:45 -0700 (PDT)
Message-Id: <199606030747.AAA26010@miles.greatcircle.com>
Received: by cheops.anu.edu.au
From: Darren Reed
Subject: Re: Firewall-1 and Gauntlet
To: todd@momentum.com.au (Todd Hooper)
Date: Mon, 3 Jun 1996 17:45:02 +1000 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Todd Hooper" at Jun 3, 96 02:19:24 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Todd Hooper, sie said:
>
> Jean-Christophe Touvet writes:
>
> > As far as I know, this is a Firewall-1 bug. The reason is that Gauntlet used
> >to split its PORT commands in two packets (two write() system calls). Since
> >Firewall-1's filtering code works only with one packet at once, it fails. TIS
> >guys wrote some patches to solve this problem (contact your Gauntlet reseller),
> >but IMHO that's really a packet filtering design problem: how do you inspect
> >data when it doesn't fit in the same packet ? Of course, you could keep data
> >in your state machine, but in that case you've just written a proxy. Any
> >comments ?
>
> Isn't that one of the issues (specifically, the problems with TIS and Gauntlet
> ftp) that Checkpoint fixed in Firewall-1 version 2.0d?

Do you know if they fixed the problem in general or just patched their ftp proxy code to do the "PORT" command correctly ?
darren From firewalls-owner Mon Jun 3 01:33:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA29415 for firewalls-outgoing; Mon, 3 Jun 1996 01:25:18 -0700 (PDT) Received: from gmap-gw.gmap.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA29394 for ; Mon, 3 Jun 1996 01:25:05 -0700 (PDT) Received: (from root@localhost) by gmap-gw.gmap.leeds.ac.uk (8.7.3/8.6.9) id IAA21111 for ; Mon, 3 Jun 1996 08:27:24 +0100 (BST) Received: from gmap3.gmap.leeds.ac.uk(129.11.200.3) by gmap-gw via smap (V1.3) Received: from gmap.leeds.ac.uk (gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA16306 for ; Mon, 3 Jun 1996 09:22:58 +0100 From: Danny Cox Date: Mon, 3 Jun 1996 09:22:18 +0100 Message-Id: <5263.9606030822@gmap.leeds.ac.uk> X-Planation: X-Faces images can be viewed with the XFaces program To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #347 X-Sun-Charset: US-ASCII X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt Date: Wed, 29 May 1996 23:03:31 -0400 > From: Russ > Subject: What do you want to know about Windows NT? > > - - There is a C2 configuration guide (manual), maybe it should be included Russ, nothing really to do with your recent posting although I wonder whether you'd be good enough to clarify this bit for me. My understanding is that NT has only been C2 accredited for a couple of hardware platforms and only for stand-alone versions, rather than networked ones. The implication behind having a C2 configuration guide would be, to me at least, that NT is C2 certified. This seems misleading to me, although I'd like to here other comments. It seems to me that there is a load of baloney around regarding C2 and NT and MS are happily using this confusion to claim without claiming that NT==C2. Would you agree with me here or have I the wrong end of the stick altogether ? Thanks for your thoughts .. 
Danny

From firewalls-owner Mon Jun 3 03:33:51 1996
From: Anton J Aylward
Subject: Re: Re[2]: US Justice Dept (Not really)
To: Rolf Weber
Cc: firewalls@greatcircle.com
Date: Mon, 3 Jun 1996 06:23:30 -0400
Message-Id: <199606031023.GAA05728@psyche.the-wire.com>

At 11:40 3/6/96 +0200, you wrote:
>> >>
>> >> Yes. That requires a (vulnerable) server to be visible on
>> >> the Internet.
>> >>
>> 1. Let's assume that mail isn't (what the Americans term) mission
>> critical to you. Then none of this matters.
>>
>not true.
>if email isn't mission critical, but a bug in it can be used to attack
>mission critical services or data - then it's mission critical.

This is a key point which I think you fail to understand.
Which is why I refer to the Americanism.
Does any aspect of your business depend on the mail?
If the mail failed would it impact you? Would it cost money
due to delays? Never mind BUGS. That's not relevant here. Never mind
penetration. We are talking "Denial of service". If something prevented
you or one of your managers from getting to work or communicating with the
office, would that impact the business? DENIAL OF SERVICE only counts if
that service is key. Denying you that ability to finger my site doesn't
impact your business.

If all you're in this for is mail, then you could be using UUCP not IP.
In that case the denial of service attack still applies, even though the
store and forward nature of UUCP makes penetration of your site completely
impossible.

>> 2. Somewhere there has to be a server which contains your mail, either
>> inside or outside some arbitrary boundary of your control. The mail is
>> 'delivered' - that is sits in mailboxes (aka /var/spool/mail/ -
>> on that box.
>>
>> 3. If that server is down you cannot get the service. DENIAL OF SERVICE.
>>
>1. denial-of-service is (almost) better as break-in.

Meaningless sentence, I don't know if it's your poor English or if you're
missing the point. I suspect from other things you say it's the latter.

>2. how could you prevent denial-of-service with a firewall?

No short answer. But basically it's an issue of who controls the server.

>>
>> 4. See 1
>>
>> 5. If that server is compromised, someone is reading your mail.

>you have to assume email to be insecure - in every case.
>OTOH, you're surely right. this is the main reason why i wish to have
>my email server under my control.

That mail _transmission_ is insecure is a bit of a myth.
It's _easy_ to read mail sitting in a box on the server, it's difficult to
read packets in transit.

>> 6. See 1.
>>
>i think we both spoke of different things.
>at the beginning of this thread, there was something said like "if i
>don't offer any services inside, why should i use a firewall?".
>rick answered "So you're not doing e-mail.", with which i disagreed.
>(i don't say i wouldn't use a firewall. i just say if a site is *sure*
>they don't have *any* services inside (which is, of course, quite
>unrealistic), it *could* be adequate not to use a firewall. security
>policies are different.)
>my main point was that you can avoid email-server-bugs which can
>compromise your *whole* security by placing it outside.

No. You're placing undue emphasis on "bugs" in the E-Mail server.
There are servers which are - at this level - bug free. But you would still
have a firewall.

STOP THINKING OF A FIREWALL as a single machine. It's not, it's a whole
series of techniques, a way of organizing your networks and a way of doing
business.

/anton
----------------------------------------------------------------------------
Anton J Aylward                     | Security is not something that comes in
The Strahn and Strachan Group Inc   | a self-contained box. It is an attribute
Information Security Consultants    | of how you do business and as such
Voice: (416) 494-8661               | needs to be managed carefully.
Fax:   (416) 494-8803               |     - Karen Goertzel, Wang Federal Inc.

From firewalls-owner Mon Jun 3 04:33:55 1996
From: Rolf Weber
Subject: Re: Re[2]: US Justice Dept (Not really)
To: anton@the-wire.com (Anton J Aylward)
Cc: firewalls@greatcircle.com (firewalls)
Date: Mon, 3 Jun 1996 13:15:27 +0200 (MESZ)
Message-Id: <9606031115.AA12594@spibm02>
In-Reply-To: <199606031023.GAA05728@psyche.the-wire.com> from "Anton J Aylward" at Jun 3, 96 06:23:30 am

[this morning, i had two *private* mails from you in my mailbox. in the
first, you asked me why "Why are you sending two copies to me/" (BTW, you
can as well use the headers to check). i answered to both mails *privately*.
now you chose to reply again, but with CC to firewalls. it's not that
anything i said couldn't go to the list. but you *tried* to use my private
mail to flame me in the list. you mentioned my poor english. i never denied
this, but this is *much* better as to have a bad behaviour as you.]

> At 11:40 3/6/96 +0200, you wrote:
> >> >>
> >> >> Yes. That requires a (vulnerable) server to be visible on
> >> >> the Internet.
> >> >>
> >> 1. Let's assume that mail isn't (what the Americans term) mission
> >> critical to you. Then none of this matters.
> >>
> >not true.
> >if email isn't mission critical, but a bug in it can be used to attack
> >mission critical services or data - then it's mission critical.
>
> This is a key point which I think you fail to understand.
> Which is why I refer to the Americanism.
> Does any aspect of your business depend on the mail?
> If the mail failed would it impact you? Would it cost money
> due to delays? Never mind BUGS. That's not relevant here. Never mind
> penetration. We are talking "Denial of service". If something prevented
> you or one of your managers from getting to work or communicating with the
> office, would that impact the business. DENIAL OF SERVICE only counts if
> that service is key. Denying you that ability to finger my site doesn't
> impact your business.
>
maybe you're right, but you changed the topic to "denial-of-service".
please re-read the thread from the beginning.

> If all you're in this for is mail, then you could be using UUCP not IP.
> In that case the denial of service attack still applies, even though the
> store and forward nature of UUCP makes penetration of your site completely
> impossible.
>
you really know what you're speaking about? smtp as itself is "store and
forward". UUCP has a great flaw history.

> >> 2. Somewhere there has to be a server which contains your mail, either
> >> inside or outside some arbitrary boundary of your control. The mail is
> >> 'delivered' - that is sits in mailboxes (aka /var/spool/mail/ -
> >> on that box.
> >>
> >> 3. If that server is down you cannot get the service. DENIAL OF SERVICE.
> >>
> >1. denial-of-service is (almost) better as break-in.
>
> Meaningless sentence, I don't know if it's your poor English or if you're
> missing the point. I suspect from other things you say it's the latter.
>
thanx, i like you, too.

> >2. how could you prevent denial-of-service with a firewall?
>
> No short answer. But basically it's an issue of who controls the server.
>
if the server is outside the firewall but inside your net, you still have
it under control.

> >>
> >> 4. See 1
> >>
> >> 5. If that server is compromised, someone is reading your mail.
>
> >you have to assume email to be insecure - in every case.
> >OTOH, you're surely right. this is the main reason why i wish to have
> >my email server under my control.
>
> That mail _transmission_ is insecure is a bit of a myth.
> It's _easy_ to read mail sitting in a box on the server, it's difficult to
> read packets in transit.
>
huh??? if i'd take this for real, i could also say "don't encrypt telnet,
because it's difficult to hijack a session." sorry, this is not the way i
see security.

> >> 6. See 1.
> >>
> >i think we both spoke of different things.
> >at the beginning of this thread, there was something said like "if i
> >don't offer any services inside, why should i use a firewall?".
> >rick answered "So you're not doing e-mail.", with which i disagreed.
> >(i don't say i wouldn't use a firewall. i just say if a site is *sure*
> >they don't have *any* services inside (which is, of course, quite
> >unrealistic), it *could* be adequate not to use a firewall. security
> >policies are different.)
> >my main point was that you can avoid email-server-bugs which can
> >compromise your *whole* security by placing it outside.
>
> No. You're placing undue emphasis on "bugs" in the E-Mail server. There
> are servers which are - at this level - bug free. But you would still have
> a firewall.
>
today, probably all *latest* servers are bug free. one important reason
(besides others) why i use a firewall is that you can't know what's
tomorrow.

> STOP THINKING OF A FIREWALL as a single machine. It's not, it's a whole
> series of techniques, a way of organizing your networks and a way of doing
> business.
>
yes, i agree. this was my view before your mail and it will be after.

rolf
--
-----------------------------------------
Rolf Weber               | All I ask is a chance
IEZ AG D-64625 Bensheim  | to prove that money
++49-6251-1309-109       | can't make me happy.

From firewalls-owner Mon Jun 3 05:33:54 1996
From: gary flynn
Subject: RE: Raptor's Eagle Firewall
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Date: Mon, 3 Jun 1996 08:23:20 -0400
Message-Id: <199606031225.FAA11396@miles.greatcircle.com>

> From: Russ
> Subject: RE: Raptor's Eagle Firewall
>
> What if I don't want a Firewall Administrator, what if I want to use my NOS
> Administrator? What if I have a small company who cannot afford a dedicated
> Firewall, or a dedicated Firewall Administrator?

You get what you pay for.

> Anyway, you've made my point again. If it's going to be an NT-based
> Firewall, it should incorporate NT into its functionality, otherwise, we
> shouldn't be looking at the NT version and instead should be considering
> the original UNIX version. Both Raptor and Centri are ports of UNIX
> products to NT.
> The point is, if the objective of the port was merely to
> duplicate the Firewall environment running on top of NT, it's ill conceived.

NT is a marketing reality to all applications vendors.

Current firewall design minimizes dependence on operating system security.
The whole idea behind firewalls is to have tightly controlled code. It is
the instability and poor security design of present operating systems that
necessitate firewalls in the first place.

> Fine, I agree. Account Administration, however, is not unnecessary
> functionality. Neither is interface commonality. If the program is going to
> present a window with menus, and it's going to run on NT, then why not use
> the NT routines to create the windows and the menus?

1. Because they might have bugs?
2. Because they might change resulting in an undiscovered change in
   reliability and security.

I agree with you that it would be nice if a firewall application could be
written and administered like any other application. But I don't think it's
realistic or advisable.

Gary Flynn
Network Manager
James Madison University

From firewalls-owner Mon Jun 3 05:48:48 1996
From: Jason Matthews
Subject: Re: Re[2]: US Justice Dept (Not really)
To: Anton J Aylward
Cc: Rolf Weber, firewalls@greatcircle.com
Date: Mon, 3 Jun 1996 05:16:25 -0700 (PDT)
In-Reply-To: <199606031023.GAA05728@psyche.the-wire.com>

On Mon, 3 Jun 1996, Anton J Aylward wrote:

[snip]
> In that case the denial of service attack still applies, even though the
> store and forward nature of UUCP makes penetration of your site completely
> impossible.

Nothing is for sure in this world and hacking into machines via UUCP
accounts is not unheard of. You would be surprised how many open UUCP
accounts one could find if one looked for them.

[snip]
> >you have to assume email to be insecure - in every case.
> >OTOH, you're surely right. this is the main reason why i wish to have
> >my email server under my control.
>
> That mail _transmission_ is insecure is a bit of a myth.
> It's _easy_ to read mail sitting in a box on the server, it's difficult to
> read packets in transit.

You're joking, right? It's no harder to read a piece of email in transit than
it is to read a plaintext password. Sites are compromised every day by
sniffing network traffic.
What makes you think those interested in your daily affairs will stop with
passwords?

[snip]
> >my main point was that you can avoid email-server-bugs which can
> >compromise your *whole* security by placing it outside.
>
> No. You're placing undue emphasis on "bugs" in the E-Mail server. There
> are servers which are - at this level - bug free. But you would still have
> a firewall.

I am not sure I am willing to make that assumption. History shows us that
email services are the most insecure of all. To place this service on any
machine intended to filter, restrict, or otherwise alter network connections
from foreign networks is a mistake.

Jason

From firewalls-owner Mon Jun 3 06:04:07 1996
From: Andrea Brenton
Subject: filter packets on MicroRouter 900i
To: Firewalls@GreatCircle.COM
Date: Mon, 03 Jun 1996 08:51:28 -0400
Message-Id: <1.5.4.32.19960603125128.0069f378@smtp.hurwitz.com>

I've been having some serious problems with getting a packet filter set
working on the Micro Router 900i that we have from Compatible Systems. I
have spent quite a bit of time with tech support, but we still can't figure
out the problem.

Someone had set up a filter set long before I was working here. No gaping
holes or anything, but now I want to improve on this set to tighten things
up. The problem I keep running into is basically, no other filter sets we
come up with will work!

I want to allow the people here on the inside to be able to pretty much do
anything outbound. I want to handle it all on the incoming side by
preventing all but the absolute necessities - DNS, SMTP, and replies to
initiated sessions of web access to the outside, ftp, telnet, ping, etc. I
want to specifically deny access to all of the processes running on my
server.

I don't seem to be able to create the deny statements and then do a permit
of all else; or do permit statements of only the things I want coming in
(harder for me to determine), and then deny all else. No matter what I do to
change these filters, I always end up with no access at all outbound (or at
least no replies come back).

Anyone have experience with these routers? Any ideas? I would greatly
appreciate any help that can be given, as I've been working on this for some
time, and Compatible Systems hasn't been able to come up with an answer.

TIA!

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Disclaimer: Any errors in spelling, tact, or fact are transmission errors.
Andrea Brenton
abrenton@hurwitz.com

From firewalls-owner Mon Jun 3 06:18:55 1996
From: Miller Robert RC
Subject: RE: Raptor's Eagle Firewall
To: "'Peter da Silva'"
Cc: "'Firewalls'"
Date: Mon, 3 Jun 1996 09:01:47 -0400

>> Why would you put your firewall into the same authentication domain
>> as your users?

>> Maybe I'm missing something, but that seems like you're putting an
>> awful lot of trust in the NT security model.

There are two reasons that come immediately to mind for wanting to do that:

1 - So that users have the same usernames and passwords going out to the
    Internet as they do for internal network file and print services (i.e.,
    the never-ending struggle to minimize the number of user accounts people
    have to deal with).

2 - Similarly, it would be nice to gain the same benefit for proxied WWW
    access to the 'net. While Netscape's Proxy servers have their own
    separate user databases (for the time-being, at least), the Microsoft
    "Catapult" WWW Proxy Server is expected to integrate its access security
    with the NT accounts. (Note that this is not an endorsement or promotion
    of an MS product - just a comment on an expected feature!)

As to what security risks are involved with doing so ... I'm sure there are
some concerns - the NT "security wholes" discussed recently on this list,
and other firewall design issues - but I guess it boils down to the old
question of how far you want to go, and to which side, in the pervasive
compromise between strength of security measure and ease of use.

Each to their own, I guess...

From firewalls-owner Mon Jun 3 07:36:45 1996
From: peter@baileynm.com (Peter da Silva)
Subject: Re: Raptor's Eagle Firewall
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Cc: peter@baileynm.com, firewalls@GreatCircle.COM
Date: Mon, 3 Jun 1996 09:12:52 -0500 (CDT)
Message-Id: <9606031412.AA12987@sonic.nmti.com.nmti.com>
In-Reply-To: <01BB4FFB.C1CC5500@rwcooper.rc.toronto.on.ca> from "Russ" at Jun 1, 96 08:48:57 pm

I wrote:
> Why would you put your firewall into the same authentication domain as
> your users?
>
> Maybe I'm missing something, but that seems like you're putting an awful
> lot of trust in the NT security model.

Russ responds:
> Actually, it's possible to establish a trust relationship between two
> separate NT domains such that attempts to log onto the Firewall Domain
> would be validated against an internal Administrative Domain, but accounts
> on the Firewall Domain would not be permitted to log into the
> Administrative Domain.

Like I said, you're putting an awful lot of trust in the NT security model.

And in any case that doesn't even begin to address my concerns. That reduces
the security of the firewall to the security of your administrative domain.
My firewall doesn't trust any other host... all administration has to be
done from the console. Users even have to go through challenge-response to
change their passphrases, or request a new one from me if they forget them.

> So even if the Firewall were compromised, none of its accounts would be
> permitted to access the resources protected internally by the
> Administrative Domain security,

And if the Administrative Domain is compromised (say by an ActiveX
trapdoor), the firewall is wide open to whatever additional holes the
malicious code is capable of installing.

And... I've mentioned this before, but the biggest invasion of a system I
know of was the result of a cracker stumbling across a trapdoor left by a
naive insider. I'd prefer it if this sort of compromise of internal security
didn't leave a company open to a secondary infection.
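Returning to the Firewall-1/Gauntlet PORT thread earlier in this digest, here is an added example (not code from the thread, from Check Point or from TIS) that models Touvet's point: a per-segment inspector misses a PORT command that the client emitted with two write() calls, while an inspector that buffers the control channel per connection, the "state machine" he mentions, catches it. Where the split falls and the sample payloads are constructed for the example.

```python
"""PORT-command inspection across TCP segments (added example)."""
import re
from typing import List, Optional, Tuple

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(
    rb"^PORT[ \t]+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n$"
)

Endpoint = Tuple[str, int]


def parse_port_line(line: bytes) -> Optional[Endpoint]:
    """Return (host, port) for one complete PORT line, else None."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:   # every field is a single octet
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_per_segment(segments: List[bytes]) -> List[Endpoint]:
    """Stateless inspection: each segment payload is judged on its own.
    A PORT command that straddles two segments is simply never seen."""
    return [ep for ep in map(parse_port_line, segments) if ep is not None]


class ControlStreamInspector:
    """Per-connection reassembly of the FTP control channel.

    Payload bytes are buffered until a line terminator arrives and every
    complete line is then parsed, so the client's segmentation no longer
    matters. This is the minimum state a filter must carry to recognise
    PORT commands reliably.
    """

    MAX_LINE = 512   # never buffer an unbounded partial line

    def __init__(self) -> None:
        self.buf = b""
        self.endpoints: List[Endpoint] = []
        self.overflow = False

    def feed(self, payload: bytes) -> List[Endpoint]:
        self.buf += payload
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            ep = parse_port_line(line + b"\n")
            if ep is not None:
                self.endpoints.append(ep)
        if len(self.buf) > self.MAX_LINE:
            # A real engine would tear the connection down here instead of
            # buffering further; the example just flags it and discards.
            self.overflow = True
            self.buf = b""
        return self.endpoints


def inspect_stream(segments: List[bytes]) -> List[Endpoint]:
    """Stateful inspection over the same segments."""
    insp = ControlStreamInspector()
    for payload in segments:
        insp.feed(payload)
    return insp.endpoints


# Constructed traffic: one PORT command, first as a single write(), then
# split in two as Touvet describes (the split point is an assumption).
ONE_WRITE = [b"PORT 10,1,2,3,4,1\r\n"]
TWO_WRITES = [b"PORT 10,1,2,3,", b"4,1\r\n"]

if __name__ == "__main__":
    print("one write,  per segment:", inspect_per_segment(ONE_WRITE))   # found
    print("two writes, per segment:", inspect_per_segment(TWO_WRITES))  # missed
    print("two writes, reassembled:", inspect_stream(TWO_WRITES))       # found
```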
From firewalls-owner Mon Jun 3 07:48:56 1996
From: Ian Johnstone-Bryden
Subject: Re: Firewalls-Digest V5 #347
To: Danny Cox, firewalls@GreatCircle.COM
Date: Mon, 03 Jun 96 15:24:24 GMT
In-Reply-To: <5263.9606030822@gmap.leeds.ac.uk>

> > > Date: Wed, 29 May 1996 23:03:31 -0400
> > From: Russ
> > Subject: What do you want to know about Windows NT?
> >
> > - - There is a C2 configuration guide (manual), maybe it should be included
>
> Russ, nothing really to do with your recent posting although I wonder whether
> you'd be good enough to clarify this bit for me. My understanding is that NT
> has only been C2 accredited for a couple of hardware platforms and only for
> stand-alone versions, rather than networked ones.
>
> The implication behind having a C2 configuration guide would be, to me at
> least, that NT is C2 certified. This seems misleading to me, although I'd
> like to hear other comments. It seems to me that there is a load of baloney
> around regarding C2 and NT and MS are happily using this confusion to claim
> without claiming that NT==C2. Would you agree with me here or have I the
> wrong end of the stick altogether ?
>
> Thanks for your thoughts ..
> Danny

Doesn't this come down to terminology?

NCSC said a long while back that they really didn't want to devote US
government money on evaluating products which could only make a trivial C2
when their time could be spent on looking at serious products. NCSC has
always been in the business of evaluating "in the national interest" and
their manpower has always been very limited. As the national interest was
*US* national interest, other countries were motivated to establish their
own systems and Europe eventually moved to develop the ITSEC criteria.

In the US this created several problems. US G had made public statements
that it would mandate C2 as a *MINIMUM REQUIREMENT FOR ALL* US Federal
procurements of information systems. That, together with NCSC saying they
wouldn't spend time on C2 evaluations, implied that really US G was
mandating B1 by default because vendors were moving to B1 for OS and RDBMS
products. Therefore the lowest *CERTIFIED* level was likely to become B1.
That suggested that the cost of Federal purchases would rise astronomically
although it overlooked the fact that B1 product was costly largely because
very few people even knew it existed much less had any intention to
purchase it (one reason for this was the US G desire to control technology
in the same way that it persists with encryption controls). This resulted
in USG wobbling on C2 mandates.

The establishment of ITSEC should have created a new opportunity but
political dogma in the US denied this option to Federal procurement teams.
Since then we have spent a lot of time fudging about with FC-FIPS and now
the Common Criteria when it might have been better to adopt ITSEC and then
work to improve it. All this government level confusion makes it very easy
for a marketeer to confuse customers to obtain an order.

ITSEC has established a system where any vendor or user who wants to pay
for an evaluation of a product can do so at whatever security target they
desire. The system is not perfect and most evaluations are still funded
largely by government customers, but it does measure Functionality and
Integrity as well as Assurance. The major weakness is that a vendor can
demand a product listing as 'under evaluation' from the moment he signs a
contract with a CLEF to evaluate his product. That has meant that a product
might not actually be available for evaluation for months or more and once
available might never see the evaluation completed. ITSEC Scheme Bodies are
now planning to list product only when the CLEF starts evaluation but it's
unclear where that leaves all the products already listed as under
evaluation but still have to become available for evaluation.

At present, MS appear to be claiming, or encouraging others to claim, that
they have the most secure OS in NT because they have a US C2 Certificate
and are listed at F-C2/E3 under ITSEC. There have been claims that the
ITSEC listing is the same as a US B1 certificate and other claims that NT
is really a B2 product. It's entirely logical that as the inheritor of the
IBM proprietary mantle, MS would also make maximum use of FUD.

Without careful study of the NT TOE, it is difficult to know how successful
the product will be in meeting the Assurance level of E3. As a new product
under exclusive control of the vendor and with very few
versions/patches/layers, it should present no difficulty to provide the
documentation necessary for the Assurance. However, it would appear that
the product's functionality achievement (in Integrity and Availability) is
strictly limited to a hope to achieve C2. We won't of course know until
either MS publish their TOE or they receive a certificate and that could be
years away.

Obviously MS does have a major problem in marketing. Security is now
becoming headline interest and virtually every flavour of UNIX is available
in a B1 or B1+ certified form. This year, most UNIX OS flavours will be
certified under ITSEC at F-B1/E3 and a few will achieve a certified
F-B2/E4. That can not be unrestrained joy for MS marketeers. Why would
anyone want to make a strategic decision on an OS which not only makes them
captive of MS, but is also unable to satisfy emerging security
requirements? The only thing to fall back on is the claim that "everyone"
is moving to NT, NT is the cheapest product available, NT is the most
secure OS known to man. That's fine provided no one asks for proof and,
fortunately, history has shown that the capacity for mankind to fool itself
is almost unlimited, or as someone else put it "no one ever went broke by
underestimating the customer".

OTOH, a C2 accreditation means something. Provided that your situation and
requirements are *EXACTLY* the same as those of someone who has accredited,
it means much more than a criteria certificate. NOW BEFORE MS enthusiasts
start claiming that this means that NT is now far more secure than anything
else, and under a more meaningful method of assessment because it's been
accredited on a couple of sites, the KEYWORD is EXACTLY. The chances of it
being the case that 2 organizations are EXACTLY the same is pretty remote.
That's why evaluation criteria and certification schemes have never been a
total answer and any serious user will run accreditation on the implemented
system (that includes all the unique things like risk policies, system
administration etc.). The two values of evaluation criteria are that they
make a vendor think more carefully about the product and they do eventually
provide an independent assessment of the product's performance against the
claims in the security target.

However, whatever the merits or demerits of NT as an Operating System, the
security situation today appears fairly clear cut. If you want an operating
system which can achieve C2 provided you implement an exact hardware
platform and provided that you don't want to connect it to any networks, NT
might be exactly what you are looking for. OTOH you could be an
unfashionable fuddy duddy and buy a UNIX OS with a B1 ticket that can be
used in a networking environment. You might even buy one with a B2 ticket.
Or you might buy a UNIX-like OS with an A1 ticket. You would of course have
the problem of multiple choice which can sometimes be a terrible burden.
It's so much easier to just do what someone like MS tells you than to go
out and select from a range of choices - and take responsibility for making
decisions.

Some subscribers to this list may not remember the odd statement "no one
ever got fired for buying IBM" - well odd today but not so odd 20 years
back. In the pre-UNIX days it was a familiar cry and IBM grew fat on the
back of it. Equally, many people lost many opportunities and also spent
vast sums of money which they did not need to spend.

Ian J-B.
From firewalls-owner Mon Jun 3 08:04:06 1996
From: Donald.J.Smith@cdev.com (Donald J Smith)
To: firewalls@greatcircle.com
Cc: Blast@worldbit.com
Date: Mon, 03 Jun 1996 06:06:52 -0700
Message-Id: <199606031430.HAA20477@miles.greatcircle.com>

My mailer believes Blast said:

> Hello,
>
> I am looking for information on anyone who has working knowledge of
> modems that use strong cryptography for authentication and data
> confidentiality.
>
> Please email direct (blast@worldbit.com).
>
> --blast

Blast, there was a big list compiled several months ago. It started with a question like yours. I thought I kept a copy; so far I haven't found it. It was a long thread (more than 2 msgs). So I recommend looking at the archives around feb96.

Donald J Smith
Network Security Engineer @ Computing Devices International
design in security @ the beginning & ease_of_use != A*(1/Data_Security)
(my opinions are mine and so are the spelling errors ;-)

From firewalls-owner Mon Jun 3 08:34:11 1996
From: Ian Johnstone-Bryden
To: Firewall List
Subject: Re: RE: Raptor's Eagle Firewall
Date: Mon, 03 Jun 96 16:16:24 GMT
In-Reply-To: <199606031225.FAA11396@miles.greatcircle.com>

gary flynn wrote in part:

> The whole idea behind firewalls is to have tightly controlled code. It is the instability and poor security design of present operating systems that necessitate firewalls in the first place.

?????????????????????????Really!!

The firewall exists most commonly as a placebo to allow people who poorly specify, procure, implement, maintain, manage untrusted information systems, to feel comfortable and secure from the fear of attack via public networks. Like marriage it is a triumph of hope over experience, which doesn't mean it can't work for some people. That doesn't of course mean that a firewall cannot reduce risks, just that it's a costly way of doing so in many cases and no substitute for implementing and running reliable information systems.

Even if all internal networks were well specified, procured, implemented and operated, there would still be a need for a guard at the gateways to public systems (at least for most people) because there would still be the potential risk of attack from outside. OTOH some internal networks could be traditional poor design and require no firewall because there was nothing worth attacking or protecting. BTST a firewall built on an untrusted OS has itself got a number of exploitable vulnerabilities. As many firewalls are built in the same careless fashion as the internal networks they are supposed to protect, it is no great surprise to find that they are largely ineffective in most things other than consuming corporate funding.

There really is no substitute for enterprise planning to ensure achievement by objective. That means identifying the objectives and risks and then building the policies necessary to sustain achievement. In the short term this could mean that internal networks cannot be connected directly to the public networks until adequate reconstruction has taken place internally. While this is in progress, an air-gapped, or sneakernet, service may be provided. This could be described as a firewall but not in the sense that many would understand as a firewall. The inner and outer machines would be typical untrusted systems. The 'firewall' would be the person in the sneakers running between the two machines.

Ian J-B.
From firewalls-owner Mon Jun 3 08:49:03 1996
From: ygerman
To: Firewalls
Date: 3 Jun 96 11:32:41
Subject: Ability To Track Logs
Message-Id: <9606031534.AA0078@grcstm-nx02.genre.com>

I am in a bind on how to accomplish something on our firewall. I would like to check the logs on the firewall continuously, looking for certain fields and, based on the fields, initiate an action. The action will be mail to a different address depending on the field found. Currently I am setting this up via a C shell script and doing a grep for certain things every hour. The problem is I would like not to have to wait an hour. Has anyone had any experience with this? Is there a way to accomplish this easier? Please respond as soon as possible, thanks!

From firewalls-owner Mon Jun 3 09:04:00 1996
Date: 03 Jun 96 11:44:27 EDT
From: "Patrick M. Bartkus" <102557.3370@CompuServe.COM>
To: Firewalls List
Subject: Re: Sidewinder: Re: FW: MISSI- and DMS- compliancy
Message-ID: <960603154427_102557.3370_HHU82-1@CompuServe.COM>

At Fri, 31 May 96 08:15:18 -0400 Frank Willoughby wrote:

> At 11:09 AM 5/30/96 -0500, Rick Smith allegedly wrote:
>
> > If Frank Willoughby wishes to carry on a public discussion about how user to firewall encryption might achieve various security objectives or be effective against various threats, then I'm all in favor of it.
>
> I thought I mentioned some of them in one of my last couple of postings. Probably, the easiest thing for someone doing their research is to grab a copy of Steve Bellovin's paper entitled "Security Problems in the TCP/IP Protocol Suite". List out the vulnerabilities & ask the vendor's engineers (not the salespeople) if their firewall can protect against these vulnerabilities.

I was going to ask Frank where I could find this paper. I decided to check out my favorite web search machine, Meta Crawler (http://metacrawler.cs.washington.edu:8080/index.html), and lo and behold it pointed me to: http://www.cs.wisc.edu/~cs740-1/740.poon/paper.html

Enjoy!

Patrick
---
Patrick M. Bartkus
Fleet Mortgage Group
Sr. Network Support Anal.
102557.3370@CompuServe.COM
If truth were not absolute, how could there be justice?
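One way to do the continuous log watching that ygerman asks about in "Ability To Track Logs" above, as an added example rather than code from the thread: a Python watcher that follows the log like tail -f, routes each line to a recipient by pattern, and suppresses repeat mail during bursts. The recipient addresses, log path and sample lines are constructed placeholders; the samples use the Cisco IOS access-list log format that also appears in this digest.

```python
"""Follow a firewall log and mail a different address for each kind of event.
Added example for the 'Ability To Track Logs' question; not code from the
thread.  Recipients, the log path and the sample lines are constructed."""
import os
import re
import subprocess
import time
from typing import Callable, Iterator, List, Optional, Tuple

# Routing table: (rule name, pattern, recipient).  First match wins, so the
# specific spoofing rule sits above the generic access-list denial rule.
ROUTES = [
    # A packet claiming the loopback address as its source on an outside
    # interface is a spoofing indicator worth paging someone for.
    ("loopback-source",
     re.compile(r"denied \w+ 127\.0\.0\.1 -> "),
     "security-oncall@example.invalid"),
    # Ordinary access-list denials go to the firewall administrators.
    ("acl-deny",
     re.compile(r"%SEC-6-IPACCESSLOGDP: list \d+ denied"),
     "fw-admins@example.invalid"),
    # Failed interactive logins on the firewall itself go to the sysadmins.
    ("login-failure",
     re.compile(r"\b(telnet|login)\b.*\bfail(ed|ure)\b", re.IGNORECASE),
     "sysadmins@example.invalid"),
]


def route(line: str) -> Optional[Tuple[str, str]]:
    """Return (rule name, recipient) for the first matching rule, else None."""
    for name, pattern, recipient in ROUTES:
        if pattern.search(line):
            return name, recipient
    return None


class Throttle:
    """Allow one mail per rule per cooldown window, so a burst of identical
    denials produces a single message instead of hundreds."""

    def __init__(self, cooldown: float, clock: Callable[[], float] = time.time):
        self.cooldown = cooldown
        self.clock = clock            # injectable so tests need no sleeping
        self.last_sent: dict = {}

    def allow(self, rule: str) -> bool:
        now = self.clock()
        last = self.last_sent.get(rule)
        if last is not None and now - last < self.cooldown:
            return False
        self.last_sent[rule] = now
        return True


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield lines appended to path as they arrive (a tail -f in Python).
    Starts at the current end of file so old entries are not re-alerted.
    Note: it keeps reading the original file, so log rotation needs a restart."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, os.SEEK_END)
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)


def send_mail(recipient: str, subject: str, body: str) -> None:
    """Hand the alert to the local mail(1) command."""
    subprocess.run(["mail", "-s", subject, recipient],
                   input=body.encode(), check=False)


def dispatch(lines, throttle: Throttle, mailer=send_mail) -> List[Tuple[str, str]]:
    """Route each line and mail the matches; return what was actually mailed."""
    sent = []
    for line in lines:
        hit = route(line)
        if hit is None:
            continue
        rule, recipient = hit
        if throttle.allow(rule):
            mailer(recipient, "firewall alert: " + rule, line)
            sent.append(hit)
    return sent


def watch(path: str, cooldown: float = 300.0) -> None:
    """Run forever on the live log file syslog writes for the firewall."""
    dispatch(follow(path), Throttle(cooldown))


# Constructed sample lines in Cisco IOS access-list log format (documentation addresses).
SAMPLE_LINES = [
    "Apr  9 15:23:03 gate 1275: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 192.0.2.10 (11/0), 1 packet",
    "Apr  9 15:23:04 gate 1276: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 192.0.2.10 (11/0), 2 packets",
    "Apr  9 15:30:11 gate 1277: %SEC-6-IPACCESSLOGDP: list 191 denied udp 198.51.100.7(4000) -> 192.0.2.10(53), 1 packet",
    "Apr  9 15:31:00 gate 1278: %SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    # Dry run over the samples: print instead of mailing.
    shown = dispatch(SAMPLE_LINES, Throttle(300.0),
                     mailer=lambda to, subj, body: print(f"{to}: {subj}: {body}"))
    print(len(shown), "alerts sent")
```

Replacing the hourly cron grep with `watch("/var/log/firewall.log")` (path is a placeholder) gives per-line latency, and the cooldown keeps a traceroute-style burst from generating one mail per packet.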
From firewalls-owner Mon Jun 3 09:49:17 1996
Date: Tue, 9 Apr 1996 18:57:50 +0300 (IDT)
From: Yossi Goltz
To: Firewalls@GreatCircle.COM
Subject: WWW proxy to cut off Java.
In-Reply-To: <199604052113.NAA19679@miles.greatcircle.com>

Hi!

Could a nice soul advise me how to set up a proxy HTTP server that can cut off Java applets on their way in to our site? I'm becoming more and more concerned about Java (after reading the last messages from Netscape and Sun), and would like to keep off Java and JavaScript until they become more safe.

Best regards,
Yossi.
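The filtering step such a proxy would apply to each HTML response, as an added example that is not code from the thread: applets, scripts, inline event handlers and javascript: URLs are removed, only text/html bodies are touched, and Content-Length is corrected. The sample page is constructed; the regex approach is a demonstration of the idea, not a complete filter.

```python
"""Strip Java applets and JavaScript from HTML on its way through a filtering
proxy.  Added example for the 'WWW proxy to cut off Java' question; not code
from the thread.  The sample page is constructed."""
import re
from typing import Dict, Tuple

# Whole elements whose content must go: <applet>...</applet> and
# <script>...</script>, any case, spanning lines.
_BLOCK_RE = re.compile(r"<\s*(applet|script)\b[^>]*>.*?<\s*/\s*\1\s*>",
                       re.IGNORECASE | re.DOTALL)
# An opening tag with no closing tag: drop everything to the end of the
# document rather than let an unclosed <script> survive.
_OPEN_RE = re.compile(r"<\s*(applet|script)\b[^>]*>.*$", re.IGNORECASE | re.DOTALL)
# Inline event handlers such as onLoad="..." (JavaScript without a <script> tag).
_HANDLER_RE = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""",
                         re.IGNORECASE)
# javascript: URLs in links, images and forms.
_JSURL_RE = re.compile(
    r"""(href|src|action)\s*=\s*(["']?)\s*javascript:[^"'>\s]*\2""",
    re.IGNORECASE)


def strip_active_content(html: str) -> str:
    """Return html with applets, scripts, event handlers and javascript: URLs removed.
    Regex filtering is a demonstration: a production filter should parse the
    HTML and would also have to handle <object>/<embed> and encoding tricks."""
    out = _BLOCK_RE.sub("", html)
    out = _OPEN_RE.sub("", out)
    out = _HANDLER_RE.sub("", out)
    out = _JSURL_RE.sub(r'\1=""', out)
    return out


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def filter_response(headers: Dict[str, str], body: bytes) -> Tuple[Dict[str, str], bytes]:
    """Filter an HTTP response: only text/html bodies are touched, and
    Content-Length is rewritten so the client does not wait for missing bytes."""
    if not _header(headers, "Content-Type").lower().startswith("text/html"):
        return headers, body
    # latin-1 round-trips every byte unchanged, so non-ASCII content survives.
    cleaned = strip_active_content(body.decode("latin-1")).encode("latin-1")
    new_headers = {k: v for k, v in headers.items() if k.lower() != "content-length"}
    new_headers["Content-Length"] = str(len(cleaned))
    return new_headers, cleaned


# Constructed sample page.
SAMPLE_HTML = (
    '<html><body onload="init()">'
    '<p>Welcome</p>'
    '<APPLET code="Ticker.class" width=200>Your browser lacks Java</APPLET>'
    '<script language="JavaScript">\nalert("hi")\n</script>'
    '<a href="javascript:go()">menu</a>'
    '</body></html>'
)

if __name__ == "__main__":
    hdrs, page = filter_response(
        {"Content-Type": "text/html", "Content-Length": str(len(SAMPLE_HTML))},
        SAMPLE_HTML.encode("latin-1"))
    print(hdrs)
    print(page.decode("latin-1"))
```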
From firewalls-owner Mon Jun 3 12:56:02 1996
From: Dennis Moroney
Message-Id: <199604100403.WAA08510@SterCtl.com>
Subject: Re: Interesting packets from the net
To: epperson@vak12ed.edu (W.C. Epperson)
Date: Tue, 9 Apr 1996 22:03:02 -0600 (CST)
Cc: firewalls@greatcircle.com (firewalls)

According to W.C. Epperson:

> Not on mine _anywhere_, nor does it appear in _anything_ regarding 10.3 on CIO. Curious they'd burn it on your CD but not put it on their website.

Mea culpa. Only IOS 11.0 currently supports logging. Here is where the information is found:

UniverCD Vol 2, No. 12, Rev. E0, PN: 80-0283-01, data/doc/software/11_0/rpcs/sip.htm
Router Products Release Note for Cisco IOS Release 11.0, Document No. 78-2115-04, Nov. 1995, New Software Features in Release 11.0(1) pp. 23-31

I really looked at my documentation this time. Geez, I could use some humble pie right about now.

-- Dennis Moroney

From firewalls-owner Mon Jun 3 13:04:18 1996
Date: Tue, 9 Apr 96 14:47:53 -0400
Message-Id: <9604091847.AA19336@hfsi.hfsi.com>
From: "KM"
Reply-To: "KM"
To: firewalls@GreatCircle.COM
Subject: Re: complaining to the CEO

In message 01435825702728@gsionline.com Mr. Nick Keenan writes:

> > Just an FYI, for those of you who haven't been there:
> > Complaining to the CEO of a company is not an effective strategy unless what you're trying to accomplish is a short-term reduction of your blood pressure.
>
> As a chronic complainer, I have to disagree. I have written letters of complaint to CEO's, Congressmen and Governors, and virtually every time I have gotten the action that I wanted and was unable to get through regular channels.
> It helps to write a reasonable and reasoned letter, and regular mail is better than email.

It also helps when it's *not* the CEO of the company you work for.

K.M. Goertzel
Manager, International Programs and Special Projects
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
TEL: 703-827 3914
FAX: 703-827 3161
EMAIL: goertzek@wangfed.com
WEB: http://www.wangfed.com

+------------------------------------------+
| Never put off until Tomorrow what should |
| have been Done early in the Seventies.   |
| - George Ade                             |
+------------------------------------------+

From firewalls-owner Mon Jun 3 16:19:13 1996
From: Chris Hiner
Message-Id: <199604092318.TAA28075@quark.gmi.edu>
Subject: Re: ICMP Loopback etc..
To: Firewalls@GreatCircle.COM
Date: Tue, 9 Apr 1996 19:18:36 -0400 (EDT)
In-Reply-To: <199604091745.KAA07981@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 9, 96 10:45:55 am

> From: Rob Sansom
> Date: Mon, 08 Apr 1996 22:10:41 -0500
> Subject: ICMP Loopback etc..
>
> Here are some interesting logs I got from my router:
>
> Apr 9 15:23:03 gate247158.connectix.com 1275: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet
> Apr 9 15:42:03 gate247158.connectix.com 1276: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 1 packet
> Apr 9 15:47:03 gate247158.connectix.com 1277: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets
> Apr 9 15:53:03 gate247158.connectix.com 1278: %SEC-6-IPACCESSLOGDP: list 191 denied icmp 127.0.0.1 -> 204.247.159.242 (11/0), 2 packets
>
> 204.247.159.242 is our mail hub. We have had some spoofing incidents here, so I contacted CERT with this info, and they know of no way that ICMP TTL exceeded messages have been used for previous attacks. If this is indeed a
> these packets over the past few weeks, and tend to come in bursts.

Hmmm... the increasing port numbers, and the fact that they come in bursts... (and TTL exceeded) I think traceroute... not sure why it'd have the funny source address, but it does sound traceroutish...

Just my guesses...
Chris Hiner -- chiner@quark.gmi.edu

From firewalls-owner Mon Jun 3 16:33:49 1996
Date: Wed, 10 Apr 96 16:16 EDT
To: Firewalls@GreatCircle.COM
From: Adam Safier
Subject: Re: Cross Realm Kerberos/DCE Proxy, NAT, UDP

Talking to oneself is not all that uncommon nor considered impolite nor crazy in many countries. So I thought I'd do that.... Just in case anyone is interested.

At 04:34 PM 4/8/96 EDT, Adam Safier wrote:

> Can anyone relate war stories, gotchas and victories re: Cross Realm Kerberos or DCE across firewalls and to another Kerberized realm?
>
> I want to make sure my understanding of Kerberos traffic isn't twisted. Please make corrections if I'm missing things.

I am correcting myself.

> We need to talk to a different organization running Kerberos (actually some are DCE - I already heard Kerberos and DCE are not 100% compatible but we all agree to support the lowest common denominator.) so we need to do cross realm authentication, ticket granting and encryption all working across a firewall.

Actually a Kerberos vendor just informed me that the IP address of the delivery packet is NOT checked against the !optional! IP address included as part of the user identifier. We need some clarification from experts but this does not look like it would prevent NAT.

However, I thought of another NAT killer. When a client inside the realm contacts a TGS in the other realm, I think the TGS will address the return packet to the firewall. How does the firewall know to which internal client to forward the returned UDP packet (containing the server ticket)?

The rest is deleted since I have no additional comments on it.

For anyone interested, RFC 1510 deals with Kerberos and there is another RFC (I don't know the number) that deals with a GSS API for security program calls. Kerberos comes from MIT but Cygnus (www.cynus.com) also distributes a popular (at NASA) version of it. I'm trying to read the RFC..zzz.zzz

Adam Safier
CSC-SED-Infosec
asafier@csc.com
"If you show me yours, I still won't show you mine."
Expressed opinions are my own and might not be shared by my employer or anyone else.
From firewalls-owner Mon Jun 3 16:51:06 1996
From: scox@factset.com (Sean Cox)
Message-Id: <9606031617.AA15785@sundog.factset.com>
Subject: NT firewalls & NOS admins
To: Firewalls@GreatCircle.COM
Date: Mon, 3 Jun 1996 12:11:21 -0400 (EDT)
In-Reply-To: <199606030800.BAA27474@miles.greatcircle.com> from "Firewalls-Digest" at Jun 3, 96 01:00:32 am

> From: Russ

[ Original poster deleted before I got here...]

> "Maybe that's because it's not NT and it's not an operating system. It's a firewall. Why should a firewall look like an operating system?"
>
> What if I don't want a Firewall Administrator, what if I want to use my NOS Administrator? What if I have a small company who cannot afford a dedicated Firewall, or a dedicated Firewall Administrator?

Then I'd be willing to bet you'll have problems. I've seen a variety of folks setting up "firewalls" for their networks that are to be run by people who don't understand the Internet. They may understand Novell/IPX, or NT/NetBEUI/NbT, but they don't have a clue about how IP works on the 'net. Even if you have a nice happy NT firewall that gives you the same "comfortable" interface that you're used to when dealing with file services, you still need to understand the big picture. UNIX is useful because that's where the picture came from!

If you have a decent UNIX geek on staff, then you likely have someone who understands how things work on the Internet (i.e. how the services are provided, how mail flows, etc). If you have some guy with a Microsoft Certification for NT, then you probably don't. If you choose not to supply yourself with the necessary people or capabilities to understand the problem, you are very unlikely to find a good solution!

At this stage in the game, things are still very primitive WRT network security, and for that reason, anyone looking to protect something important needs to find someone with a clue. Perhaps soon the systems will be easy enough to be handled by unskilled (in that particular field) workers, but I don't think anyone outside a marketing department thinks that the tools are there now. If you choose to use an unskilled person as a pseudo-admin, then you'll probably get what you pay for. The Bad Guys (TM) know their stuff, do you?

> Anyway, you've made my point again. If it's going to be an NT-based Firewall, it should incorporate NT into its functionality, otherwise, we shouldn't be looking at the NT version and instead should be considering the original UNIX version. Both Raptor and Centri are ports of UNIX products to NT. The point is, if the objective of the port was merely to duplicate the Firewall environment running on top of NT, it's ill conceived.

Isn't the whole idea "duplicating the firewall environment running on top of NT" the entire point? When Microsoft took "netstat" from BSD, did they give it a mongo GUI and lots of bitmaps? No, it's a command-line tool because it's useful that way (%System_Root%/SYSTEM32/NETSTAT.EXE, try it).

Now I have not seen the NT Eagle, but we do use the UNIX version. Both the command line stuff & the Hawk GUI. I personally prefer the command line stuff, as it makes it real easy to config (in our particular circumstances) with a couple of perl scripts, but the Hawk is useful for some other config work. If I had to config the Eagle with something like User Manager and Control Panel applets, I'd go nuts; I prefer to let the computer (not my fingers/wrists) do all the repetitive stuff....

--Sean

I apologize if I seem like I'm attacking (I'm merely ranting some :) but it continues to fascinate me how so many people feel the need to set up a half-assed Internet attachment based on what they think they want, rather than what makes sense. (My hammer is so cool, I want to drive screws with it!)

_______________________________________________________
Sean Cox, Systems Engineer
FactSet Research Systems
scox@factset.com
Greenwich, CT

From firewalls-owner Mon Jun 3 17:03:51 1996
Date: Mon, 8 Apr 96 16:34 EDT
To: Firewalls@GreatCircle.COM
From: Adam Safier
Subject: Cross Realm Kerberos/DCE Proxy, NAT, UDP

Can anyone relate war stories, gotchas and victories re: Cross Realm Kerberos or DCE across firewalls and to another Kerberized realm?
I want to make sure my understanding of Kerberos traffic isn't twisted. Please make corrections if I'm missing things.

We need to talk to a different organization running Kerberos (actually some are DCE - I already heard Kerberos and DCE are not 100% compatible but we all agree to support the lowest common denominator.) so we need to do cross realm authentication, ticket granting and encryption all working across a firewall. We have a client that would like to run cross realm Kerberos across the Firewall for process to process communication (no live user).

Why firewall if we use Kerberos?
- some nodes on the inside might not be able to run Kerberos.
- we don't want to do encryption on all the traffic.
- we will have some internal X-traffic. (idle curiosity - kerberized X-terminals anyone?)

In addition, we like to follow Internet standards and Best Practices so Network Address Translation (RFC 1918, 1597) is a desired architectural feature. (We could drop it if it's totally incompatible with Kerberos so I don't call it a requirement but it's like birthday cake without decorations.)

The NAT could be a real problem. Kerberos apparently packs the node's network address as part of the authentication packet so if your IP address is hidden by the firewall I expect the authentication at the client/server to fail when source and encrypted address are compared. (are they?)

The Kerberos protocol uses UDP for the initial ticket request and delivery. Simply communicating with a single outside client registered with our TGS should not be a problem - all UDP traffic with Kerberos port numbers simply gets routed to the appropriate TGS/authenticator.

What I'm having a hard time with is the Kerberos V5 Cross Realm. In that scenario the internal client must get a ticket from the internal TGS (I) which lets him talk to the inter-realm TGS (1) which lets him talk to the remote realm TGS (R) to get a ticket for the final destination service (D). The result is UDP packets to and from all internal clients that want to talk to the other realms.

        Dest(D)   TGS(R)   TGS(1)   X   TGS(I)   Client
           |        |        |      X     |        |
           |        |        |      X     |---1----|
           |        |        |------X-----------2--|
           |        |---------------X-------3-------|
           |------------------------X--------4------|
                                    X
    1, 2 and 3 are UDP. Only 4 is a TCP connection.    XXXX = firewall

All UDP packets have a "well known" Kerberos port number but that still leaves a lot of UDP flying around. The firewall can have filter rules to restrict the Kerberos UDP packets to Kerberized nodes but that only works on a small internal net. What do people do with large mixed nets? (Luckily I'm dealing with a small net so we can have the filter rules for individual clients but since I'm learning I would like to understand the other options.)

True, the Kerberos ports are well known and the non-kerberized clients should not be listening on them so attacks on those ports should not work. But how many applications might there be that simply listen on incorrect ports? (I don't know. If everyone was careful and followed standards I would feel secure, but I've hacked code in a hurry (vs. leisurely programming in a "development environment") so I recognize the temptations during a rushed job...;)

I guess I'll be joining the Kerberos mailing list or newsgroup, but I thought this might be an appropriate discussion for Firewalls as well.

By the way, while some gurus are announcing the death of RPC due to security holes and better CORBA tools I am under the distinct impression that DCE (which is RPC based) is growing rapidly, at least from my myopic view of some government entities and a growing list of vendors.

Sorry for the length of the above - I can't believe I wrote all that!

Adam Safier
CSC-SED-Infosec
asafier@csc.com
- It's scary when people call me an "expert" in a subject just as I start to realize how little I know and how much I still need to learn.
Expressed opinions are my own and might not be shared by my employer or anyone else.
From firewalls-owner Mon Jun 3 17:04:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10438 for firewalls-outgoing; Mon, 3 Jun 1996 10:39:23 -0700 (PDT)
Received: from route1.france3.fr (ms-paris.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA10354 for ; Mon, 3 Jun 1996 10:38:39 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA10567 for firewalls-outgoing; Sun, 21 Apr 1996 05:59:22 -0700 (PDT)
Received: from Piano.Opus1.COM (Piano.Opus1.COM [192.245.12.69]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA10561 for ; Sun, 21 Apr 1996 05:59:18 -0700 (PDT)
Received: from Opus1.COM by Opus1.COM (PMDF V5.0-5 #9830)
Date: Sun, 21 Apr 1996 05:33:59 -0700 (MST)
From: "Joel M Snyder, in absentia"
Subject: RE: Stopping Fakemail
To: firewalls@greatcircle.com
Cc: mulligaj
Message-id: <01I3SJW5DLXGDQGXSP@Opus1.COM>
Organization: Opus One - +1 520 324 0494
MIME-version: 1.0
Content-type: MULTIPART/MIXED; BOUNDARY="Boundary (ID YA6Qi+v2v6QAXerBsRdolA)"
Fruit-of-the-day: cashew
Comments: Telecommunications and Information Technology Services
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--Boundary (ID YA6Qi+v2v6QAXerBsRdolA)--

From firewalls-owner Mon Jun 3 17:18:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08071 for firewalls-outgoing; Mon, 3 Jun 1996 10:12:06 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA07892 for ; Mon, 3 Jun 1996 10:10:42 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id SAA06518 for firewalls-outgoing; Thu, 11 Apr 1996 18:16:32 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA02922 for ; Thu, 11 Apr 1996 17:29:53 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr)
Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP;
Received: from Chilton_Radnor-Message_Server by chiltonco.com
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 11 Apr 1996 17:28:58 -0500
From: Tom James
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #147 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.

Regards
Tom James

From firewalls-owner Mon Jun 3 17:24:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07949 for firewalls-outgoing; Mon, 3 Jun 1996 10:11:10 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA07879 for ; Mon, 3 Jun 1996 10:10:29 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id RAA04881 for firewalls-outgoing; Thu, 11 Apr 1996 17:46:00 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA03001 for ; Thu, 11 Apr 1996 17:30:10 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from uu5.psi.com(38.145.226.3) by mycroft via smap (V1.3mjr)
Received: from SMTP.CHILTONCO.COM by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP;
Received: from Chilton_Radnor-Message_Server by chiltonco.com
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 11 Apr 1996 17:28:58 -0500
From: Tom James
To: firewalls@GreatCircle.COM
Subject: firewalls-digest V5 #162 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the office from 4/12 thru 4/19. All mail will be handled upon my return.

Regards
Tom James

From firewalls-owner Mon Jun 3 17:33:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07936 for firewalls-outgoing; Mon, 3 Jun 1996 10:10:54 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA07762 for ; Mon, 3 Jun 1996 10:09:41 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP
Received: from localhost (daemon@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) with SMTP id XAA23209; Mon, 15 Apr 1996 23:59:46 -0700 (PDT)
Received: by miles.greatcircle.com (bulk_mailer v1.5); Mon, 15 Apr 1996 23:57:58 -0700
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id XAA22182 for firewalls-outgoing; Mon, 15 Apr 1996 23:50:36 -0700 (PDT)
Received: from helvetiapatria.ch (socrates.helvetiapatria.ch [194.209.2.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA22156 for ; Mon, 15 Apr 1996 23:50:24 -0700 (PDT)
Received: by helvetiapatria.ch (SMI-8.6/SMI-SVR4)
Date: Tue, 16 Apr 1996 08:43:42 +0200
From: ugb@socrates.helvetiapatria.ch (Bortoluzzi)
Message-Id: <199604160643.IAA27951@helvetiapatria.ch>
To: firewalls@GreatCircle.com
Subject: Maintenance of firewall-1 2.0
Content-Type: text
X-Sun-Charset: us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

We are planning to install Firewall-1 Version 2.0. Only HTTP and SMTP shall pass through.

Can somebody tell me how much manpower we will need to maintain the installation after the first implementation?

Thanks
Giulio Bortoluzzi

From firewalls-owner Mon Jun 3 17:36:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08103 for firewalls-outgoing; Mon, 3 Jun 1996 10:12:35 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA08005 for ; Mon, 3 Jun 1996 10:11:36 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA18264 for firewalls-outgoing; Thu, 25 Apr 1996 03:31:48 -0700 (PDT)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.108]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA18220 for ; Thu, 25 Apr 1996 03:31:31 -0700 (PDT)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net
Received: from fishcons.demon.co.uk ([158.152.148.154])
Date: Thu, 25 Apr 96 11:24:43 PDT
From: Chris
Subject: location of public hosts
To: firewalls@greatcircle.com
X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please can someone give me some advice. I have a connection to the net through a Gauntlet firewall. I want to run a web server (NT) and have received conflicting advice as to where it should be located, internal or external to the firewall. In addition, what other risks need to be considered with using an NT server either internal or external.

Thanks in advance for your help
Chris

From firewalls-owner Mon Jun 3 17:40:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07048 for firewalls-outgoing; Mon, 3 Jun 1996 10:03:28 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02273 for ; Mon, 3 Jun 1996 09:33:10 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id JAA00146 for firewalls-outgoing; Fri, 12 Apr 1996 09:10:51 -0700 (PDT)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA01557 for ; Fri, 12 Apr 1996 04:53:11 -0700 (PDT)
From: gblolmxb@ibmmail.com
Message-Id: <199604121153.EAA01557@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 1281;
Date: Fri, 12 Apr 1996 07:50:59 EDT
To: ac141@typhoon.dial.pipex.net, firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re Finding domain name from IP address
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ben said:
>We have a combination of registered and unregistered IP addresses on
>our network (no Internet connection yet).
>Is there a way I can find out who the unregistered ones are really
>registered to?

Try telnetting to rs.internic.net and run whois. Or for European registrations, try info.ripe.net, or even ns.ripe.net.

Mark.
From firewalls-owner Mon Jun 3 17:48:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08080 for firewalls-outgoing; Mon, 3 Jun 1996 10:12:12 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA07963 for ; Mon, 3 Jun 1996 10:11:18 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: from localhost (daemon@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) with SMTP id HAA06560; Wed, 17 Apr 1996 07:30:57 -0700 (PDT)
Received: by miles.greatcircle.com (bulk_mailer v1.5); Wed, 17 Apr 1996 07:28:44 -0700
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id HAA05688 for firewalls-outgoing; Wed, 17 Apr 1996 07:19:11 -0700 (PDT)
Received: from emout06.mail.aol.com ([198.81.10.43]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA05682 for ; Wed, 17 Apr 1996 07:19:07 -0700 (PDT)
From: BARACCUS@aol.com
Received: by emout06.mail.aol.com (8.6.12/8.6.12) id KAA00906 for firewalls@greatcircle.com; Wed, 17 Apr 1996 10:17:01 -0400
Date: Wed, 17 Apr 1996 10:17:01 -0400
Message-ID: <960417101701_377118038@emout06.mail.aol.com>
To: firewalls@greatcircle.com
Subject: Filtering by Source Port
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In Brent's book Building Internet Firewalls it says that the ability to filter by source port is very important. We have a Cisco 2501 which I just found out can't filter by source port. If Cisco routers can't do source port filtering then what routers can????

Thanks,
Kevin

ps. When I talked to Cisco Tech Support they couldn't understand why anyone would even want to filter by source port.
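Two questions in this digest can be made concrete with the same toy: Adam's (restricting the cross-realm Kerberos UDP to the kerberized nodes, and what a stateless filter still lets through to them) and Kevin's (what a router that cannot match source ports loses). The block below is an added example, not code from either post or from any router or firewall product; the internal network, the list of kerberized clients, the remote KDC address and the ordered first-match, default-deny rule semantics are all constructed assumptions modelled loosely on a router access list.

```python
"""Toy stateless packet filter with ordered first-match rules and a default deny.

Added example: the hosts, networks and rule sets are constructed for
illustration and do not describe any particular router or firewall product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

KERBEROS_PORT = 88                      # well-known Kerberos KDC/TGS port
EPHEMERAL = range(1024, 65536)          # client-side ports for requests and replies

INTERNAL = "10.0.0.0/24"                # constructed internal network
KERBERIZED = ["10.0.0.5", "10.0.0.6"]   # constructed: the only kerberized clients
REMOTE_KDC = "192.0.2.10"               # constructed: KDC/TGS of the other realm


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A field left as None is a wildcard. A router that cannot match source
    ports is modelled by rule sets whose sport is always None."""
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None       # single address or CIDR prefix
    sport: Optional[range] = None
    dst: Optional[str] = None
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        return True


def port(n: int) -> range:
    """Single-port range, for readable rule definitions."""
    return range(n, n + 1)


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; no match means the default action."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


def kerberos_rules() -> List[Rule]:
    """Per-client rules for the cross-firewall steps of the exchange: each
    kerberized client may query the remote TGS on UDP/88 and receive the reply
    on its own ephemeral port. All other UDP to or from port 88 is denied, so a
    non-kerberized host never sees Kerberos UDP from outside."""
    rules: List[Rule] = []
    for host in KERBERIZED:
        rules.append(Rule("permit", "udp", src=host, sport=EPHEMERAL,
                          dst=REMOTE_KDC, dport=port(KERBEROS_PORT)))
        rules.append(Rule("permit", "udp", src=REMOTE_KDC, sport=port(KERBEROS_PORT),
                          dst=host, dport=EPHEMERAL))
    rules.append(Rule("deny", "udp", dport=port(KERBEROS_PORT)))
    rules.append(Rule("deny", "udp", sport=port(KERBEROS_PORT)))
    return rules


def reply_rules(can_match_source_port: bool) -> List[Rule]:
    """Inbound TCP rules meant to admit replies to connections opened from
    inside. Without source-port matching the only expressible rule admits any
    inbound TCP packet to any high port on the internal net; with it, the rules
    can be limited to replies from the server ports allowed outbound."""
    if not can_match_source_port:
        return [Rule("permit", "tcp", dst=INTERNAL, dport=EPHEMERAL)]
    allowed_servers = (25, 80)          # constructed: SMTP and HTTP allowed outbound
    return [Rule("permit", "tcp", sport=port(s), dst=INTERNAL, dport=EPHEMERAL)
            for s in allowed_servers]


if __name__ == "__main__":
    kr = kerberos_rules()
    print(evaluate(kr, Packet("udp", REMOTE_KDC, 88, "10.0.0.5", 1200)))   # permit: expected reply
    print(evaluate(kr, Packet("udp", REMOTE_KDC, 88, "10.0.0.9", 1200)))   # deny: not kerberized
    # the residual Adam describes: a stateless filter cannot tell a reply from an
    # unsolicited datagram sent from the KDC's address and port to any high port
    print(evaluate(kr, Packet("udp", REMOTE_KDC, 88, "10.0.0.5", 6000)))   # permit
    unsolicited = Packet("tcp", "198.51.100.7", 4000, "10.0.0.9", 6000)
    print(evaluate(reply_rules(False), unsolicited))                         # permit
    print(evaluate(reply_rules(True), unsolicited))                          # deny
```

The two `reply_rules` variants differ only in whether the source port is visible to the rule, which is the capability Kevin was told his router lacks: without it, admitting replies means admitting any inbound TCP to any high port. The Kerberos rule set shows the other half of the story: a per-client rule set does keep Kerberos UDP away from non-kerberized hosts, but a stateless filter still passes anything sent from the remote KDC's address and port 88 to any high port on a kerberized host, so a stray application listening on a high port there is exactly the exposure Adam asks about. A source port is also a field the remote end chooses, so matching on it narrows a rule rather than closing the question.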
From firewalls-owner Mon Jun 3 17:50:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08093 for firewalls-outgoing; Mon, 3 Jun 1996 10:12:22 -0700 (PDT)
Received: from route1.france3.fr (route1.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA07995 for ; Mon, 3 Jun 1996 10:11:28 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: from localhost (daemon@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) with SMTP id FAA24323; Wed, 17 Apr 1996 05:01:30 -0700 (PDT)
Received: by miles.greatcircle.com (bulk_mailer v1.5); Wed, 17 Apr 1996 04:58:32 -0700
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id EAA23533 for firewalls-outgoing; Wed, 17 Apr 1996 04:47:20 -0700 (PDT)
Received: from wombat.rmplc.co.uk (dns1.rmplc.co.uk [194.80.132.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA23440 for ; Wed, 17 Apr 1996 04:44:53 -0700 (PDT)
Received: from mailbox.rmplc.co.uk (dns0.rmplc.co.uk [194.80.132.2]) by wombat.rmplc.co.uk (8.6.12/8.6.12) with ESMTP id MAA00662 for ; Wed, 17 Apr 1996 12:52:26 +0100
Received: from brent-17.rmplc.co.uk (brent-17.rmplc.co.uk [194.36.84.177]) by mailbox.rmplc.co.uk (8.6.12/8.6.9) with SMTP id MAA10306 for ; Wed, 17 Apr 1996 12:42:18 +0100
Date: Wed, 17 Apr 1996 12:42:18 +0100
Message-Id: <199604171142.MAA10306@mailbox.rmplc.co.uk>
X-Sender: hagstsch@mail.rmplc.co.uk
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: hagstsch@rmplc.co.uk (MICHAEL ST HILAIRE)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Mon Jun 3 17:51:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08793 for firewalls-outgoing; Mon, 3 Jun 1996 10:26:21 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08622 for ; Mon, 3 Jun 1996 10:25:45 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA10412 for firewalls-outgoing; Tue, 23 Apr 1996 13:19:59 -0700 (PDT)
Received: from indigo.mit.edu (INDIGO.MIT.EDU [18.170.0.143]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA10398 for ; Tue, 23 Apr 1996 13:19:53 -0700 (PDT)
From: equaad@indigo.mit.edu
Message-Id: <199604232019.NAA10398@miles.greatcircle.com>
Received: by indigo.mit.edu
Date: Tue, 23 Apr 96 16:14:14 -0400
To: firewalls@greatcircle.com
Subject: suspicious packets in firewall logs??
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have a question for you firewall gurus about some packets that are arriving at my firewall's door. They look like this:

    proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port domain-udp len 378 rule 9
    proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port domain-udp len 353 rule 9
    proto udp src 555.555.555.555 dst 444.444.444.444 service 1066 s_port domain-udp len 371 rule 9
    proto udp src 555.555.555.555 dst 444.444.444.444 service 1067 s_port domain-udp len 353 rule 9

where 555.555.555.555 is an address outside the firewall and 444.444.444.444 is an address inside. This is using checkpoint firewall-1 as a firewall.

Notice how the service (which is just the destination port number I believe) increments by one each time. What kind of application would generate traffic like this?? Or is someone sending packets to a bunch of different ports on the system to see whether any of those might be running an unusual service that they can then use to break in?

Any ideas would be helpful. Right now the firewall is set up to drop such packets.

Thanks!
-Ellen
equaad@indigo.mit.edu

From firewalls-owner Mon Jun 3 17:59:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05821 for firewalls-outgoing; Mon, 3 Jun 1996 09:56:15 -0700 (PDT)
Received: from arthur.crpht.lu (arthur.crpht.lu [158.64.4.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA05768 for ; Mon, 3 Jun 1996 09:55:51 -0700 (PDT)
Received: from cnsmac1.crpht.lu by arthur.crpht.lu with SMTP
X-Sender: security@arthur.crpht.lu
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 3 Jun 1996 18:54:58 +0100
To: Firewalls@GreatCircle.COM
From: security@crpht.lu (Security Responsible)
Subject: FTPing with a GUI thru a fw
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Some time ago, david.black@e-mail.com launched the debate on using a GUI ftp client to connect thru FW1....

Now suppose this:

    (ftp) you ---------> FW1 (gateway) -------> host

From a UNIX station, ftping is no problem,

* HOST: you connect to the gateway
* USER: give your user name on the gateway
* PASSWD: give your passwd on the gateway
* INTERNAL HOST: give the host to which you want to connect

and you get connected to that host.

Now supposedly you should be able to do the same from a GUI client by giving out:

* HOST: the name of the gateway
* USER: when asked for your user name on the gateway, giving host_username@gateway_username@host
* PASSWD: host_passwd@gateway_passwd

But as said David Black, it doesn't work !

Now to test things, I tried to ftp from a unix box thru the gateway and act as if I came from a GUI client. That is:

* HOST: gateway
* USER: host_username@gateway_username@host .... STOP

and there it doesn't work. The gateway says it doesn't know the user "host_username@gateway_username@host" which seems to indicate it doesn't interpret the @ in the username as it should, and looks in the database for the name as is! No need to go further and give the passwd...

Has somebody worked this out ? Are there people from Checkpoint out there ?

Bruno MAMER
__________________________________________________________________
Bruno MAMER                                   bruno.mamer@crpht.lu
Centre de Recherche Public Henri Tudor - Computer Network Services
Our local archive on security : http://www.crpht.lu/CNS/html/PubServ/Security/home.html
---------------------------------------------------------------

From firewalls-owner Mon Jun 3 18:03:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09797 for firewalls-outgoing; Mon, 3 Jun 1996 10:31:46 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA09622 for ; Mon, 3 Jun 1996 10:30:46 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA07861 for firewalls-outgoing; Sun, 21 Apr 1996 22:39:49 -0700 (PDT)
Received: from arnie.systems.sa.gov.au (arnie.systems.sa.gov.au [143.216.242.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA07844 for ; Sun, 21 Apr 1996 22:39:38 -0700 (PDT)
Received: from state.systems.sa.gov.au by arnie.systems.sa.gov.au
Received: from dogbert.systems.sa.gov.au (dogbert.systems.sa.gov.au)
Received: from jolt.systems.sa.gov.au (jolt.systems.sa.gov.au [143.216.237.8])
Date: Mon, 22 Apr 1996 15:08:50 +0930
From: Garth Kidd
Subject: Re: Firewalls-Digest V5 #250
In-reply-to:
 firewalls-digest-owner@GreatCircle.COM "Firewalls-Digest V5 #250"
To: Firewalls@GreatCircle.COM
Message-id: <960422150853.ZM2871@jolt.systems.sa.gov.au>
MIME-version: 1.0
X-Mailer: Z-Mail 4.0 (4.0.0 Aug 21 1995)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
References: <199604210800.BAA19892@miles.greatcircle.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Apr 21, 1:00, firewalls-digest-owner@GreatCircle.COM wrote:
> As I too have seen, this does normally tend to be the case. Or a
> comparable situation would be that we eventually do learn a good deal
> about a hole, but months after the 'black hat' people do. This is due to
> the perceived damage control that these organizations and individuals
> believe they are doing by preventing the further spreading of info about
> the hole.

There's also the matter of liability -- nobody wants to be sued for revealing to the intruder community a security hole later exploited to .

--
garth@dogbert.systems.sa.gov.au | Garth Kidd
+61-8-207-7740 (voice)          | Network Services Branch
+61-8-207-7860 (fax)            | Southern Systems
                                | Adelaide, AUSTRALIA

From firewalls-owner Mon Jun 3 18:08:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10878 for firewalls-outgoing; Mon, 3 Jun 1996 10:46:37 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA10761 for ; Mon, 3 Jun 1996 10:45:59 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA18631 for firewalls-outgoing; Thu, 25 Apr 1996 21:24:06 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA18439 for ; Thu, 25 Apr 1996 21:23:30 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from walden.mo.net(199.250.196.5) by mycroft via smap (V1.3mjr)
Received: from spiff.mo.net (pm0x23.dialip.mo.net [205.139.231.23]) by Walden.MO.NET (8.6.12/8.6.10) with SMTP id XAA27289; Thu, 25 Apr 1996 23:20:34 -0500
Date: Thu, 25 Apr 1996 23:20:34 -0500
Message-Id: <199604260420.XAA27289@Walden.MO.NET>
X-Sender: rhicks@mail.mo.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: fwtk-users@tis.com
From: rhicks@MO.NET (Rick Hicks)
Subject: Sendmail with firewall relay - Update
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First, thanks to all who have responded so far. I now have internal mail delivery working. I found the solution tucked away in one of the sendmail book's appendixes, and a few people mailed me the same advice shortly after (Thanks!). The solution was not to use the Fw macro as most replied - I needed mail delivered to other hosts once it hit the hub, I believe Fw only works if I wanted to keep the mail on the hub.

The only problem left is to get the firewall to rewrite internal senders as user@my.domain instead of user@host.my.domain. I don't know that this can be done since the firewall just relays mail to the provider's mail host or my internal hub and never gets to any rules other than rule set 0, which, as far as I know, only investigates recipient addresses. With this being the case is there any way to hack around it?

TIA,
Rick
__________________________________
Rick Hicks
System Specialist
Hussmann Corporation

From firewalls-owner Mon Jun 3 18:08:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09786 for firewalls-outgoing; Mon, 3 Jun 1996 10:31:36 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA09615 for ; Mon, 3 Jun 1996 10:30:45 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15940 for firewalls-outgoing; Sun, 28 Apr 1996 10:24:34 -0700 (PDT)
Received: from so.scsnet.com (so.scsnet.com [146.126.86.241]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA15908 for ; Sun, 28 Apr 1996 10:24:25 -0700 (PDT)
Received: from smap@localhost by so.scsnet.com
Received: from sa1.emss.com by so.scsnet.com
Received: from chernobyl.emss.com (chernobyl.emss.com [154.2.16.115]) by Emss.Com (8.7.5/8.7.5) with ESMTP id MAA07827 for ; Sun, 28 Apr 1996 12:23:19 -0500 (CDT)
Received: (from madderra@localhost) by chernobyl.emss.com (8.7.5/8.7.5) id MAA05074 for firewalls@greatcircle.com; Sun, 28 Apr 1996 12:21:32 -0500 (CDT)
From: "Bob Madderra"
Message-Id: <9604281221.ZM5072@chernobyl.emss.com>
Date: Sun, 28 Apr 1996 12:21:31 -0500
X-Mailer: Z-Mail (3.2.1 10oct95)
To: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm looking for the best way to partition off a small, but sensitive work area from our larger corporate WAN.
Router filtering doesn't seem to do all I need (I need to log everything, and be able to make frequent changes to rule sets). Most traffic over this firewall is PC destined, like DHCP, SMB, and even IPX over IP (and speed is important), so I don't think a proxy based answer is there.

We would usually prefer a Sun based solution, since that's where our experience, service arrangements, spare parts, etc. are, but I'm open to alternatives. Someone mentioned SunScreen, which I hadn't been considering. I don't need to create virtual networks -- but still may be something to consider.

I need something that's as invisible as possible, but still come as close as is reasonable to matching the performance of a router (10MB/s on each side).

Any pointers appreciated.

Thanks,
--Bob Madderra (madderra@emss.com)
Southern Co. Services

From firewalls-owner Mon Jun 3 18:18:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11047 for firewalls-outgoing; Mon, 3 Jun 1996 10:47:41 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA10968 for ; Mon, 3 Jun 1996 10:46:59 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA29706 for firewalls-outgoing; Sun, 21 Apr 1996 21:37:52 -0700 (PDT)
Received: from natproxy.ferntree.com.au ([203.12.79.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA29680 for ; Sun, 21 Apr 1996 21:37:39 -0700 (PDT)
Received: by natproxy.ferntree.com.au; id OAA13241; Mon, 22 Apr 1996 14:36:24 +1000
Received: from unknown(172.16.128.20) by natproxy.ferntree.com.au via smap (V3.1)
Received: by natmailnotes.ferntree.com.au (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA0325; Mon, 22 Apr 96 14:35:50 +1000
Message-Id: <9604220435.AA0325@natmailnotes.ferntree.com.au>
Received: from Ferntree with "Lotus Notes Mail Gateway for SMTP" id
To: firewalls
Cc: Peter Court
From: Colin Spence
Date: 22 Apr 96 14:30:54
Subject: TIS Gauntlet 3.1 Log Enhancements
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

We are using Trusted Information Systems (TIS) Gauntlet Version 3.1 as our firewall. To date, we have been impressed with the functionality, logging and (perceived) security features.

With respect to the logging features installed with Gauntlet, we receive:
(1) hourly reports of events (warnings, errors, configuration issues etc)
(2) daily summary reports of usage (mail, http, telnet, ftp etc)
(3) weekly summary reports of usage (mail, http, telnet, ftp, etc)

What are other Gauntlet sites doing for enhanced:
(a) Control
(b) Monitoring and Reporting
of Internet access other than the standard 'reports'. For example, a report detailing IP address/name and HTTP sites visited would be of interest.

WebTrack sounds nice, but seems to be another complete Proxy Firewall. Are there any addons for Gauntlet out there - commercial or otherwise?

Regards,
Colin Spence
Ferntree Computer Corporation
Phone: +61 3 9622-8000
Fax: +61 3 9614-2009
Internet: colin_spence@ferntree.com.au

From firewalls-owner Mon Jun 3 18:18:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11077 for firewalls-outgoing; Mon, 3 Jun 1996 10:47:51 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA10969 for ; Mon, 3 Jun 1996 10:46:59 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA07360 for firewalls-outgoing; Sat, 27 Apr 1996 09:05:48 -0700 (PDT)
Received: from guarddog.ftc.gov (guarddog.ftc.gov [164.62.7.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07338 for ; Sat, 27 Apr 1996 09:05:39 -0700 (PDT)
Received: by guarddog.ftc.gov; id MAA18754; Sat, 27 Apr 1996 12:03:18 -0400
Received: from watchdog.ftc.gov(164.62.3.2) by guarddog.ftc.gov via smap (g3.0.1)
Received: by watchdog.ftc.gov (4.1/SMI-4.1-MHS-7.1)
From: mfrank@ftc.gov (Mike Frank)
Message-Id: <9604271602.AA12931@watchdog.ftc.gov>
Subject: Re: Why am I getting these
To: shadixdl@gccs.cpf.navy.mil (Danny L. Shadix)
Date: Sat, 27 Apr 1996 12:02:56 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Danny L. Shadix" at Apr 26, 96 07:20:22 am
Reply-To: mfrank@watchdog.ftc.gov
X-Organization: Federal Trade Commission
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

Max hops greater than 17. This is a sendmail configuration parameter, Oh 17. This is the default set when you build V8 sendmail. It is okay for debugging, but way too low for inbound mailing lists like firewalls. Set it up to about 35 or so, after you are sure that all mail gateway machines at your site are MX'ed correctly and not ping/ponging mail when, for instance, one box goes down for repair, etc.

This MAX_HOP parameter is simply a count of the number of "received" headers in a message. When it reaches the limit, sendmail thinks something must be wrong.

Mike
--
+-------------------------------------------------------------------+
  Mike Frank, Federal Trade Commission          Voice: 202-326-2217
  Fax: 202-326-2050                             Email: mfrank@ftc.gov
  X.400: /pn=Michael.Frank/c=us/admd=telemail/prmd=gov+ftc/o=wpo/
+-------------------------------------------------------------------+

From firewalls-owner Mon Jun 3 18:24:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10876 for firewalls-outgoing; Mon, 3 Jun 1996 10:46:33 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA10762 for ; Mon, 3 Jun 1996 10:45:59 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA06796 for firewalls-outgoing; Fri, 26 Apr 1996 13:12:54 -0700 (PDT)
Received: from wolf.microserve.com (wolf.microserve.com [205.160.114.119]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA06771 for ; Fri, 26 Apr 1996 13:12:43 -0700 (PDT)
Received: (from root@localhost) by wolf.microserve.com (8.6.12/8.6.9) id QAA03680; Fri, 26 Apr 1996 16:09:59 -0400
From: ""
Message-Id: <199604262009.QAA03680@wolf.microserve.com>
Subject: Re: Cisco
 11.0(7) bugs anyone?
To: br966@freenet.toronto.on.ca (W.C. Epperson)
Date: Fri, 26 Apr 1996 16:09:58 -0400 (EDT)
Cc: firewalls@greatcircle.com
Action: When it's over, maybe we'll be able to get some REAL work done!
Reply-To: lonewolf@wolf.microserve.com
In-Reply-To: from "W.C. Epperson" at Apr 26, 96 09:54:57 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In this Millennium, Epperson dreamt that he said:
>
> Bill sez:
>
> >I need to upgrade my Cisco.
> >Has anyone found bugs or security holes in IOS 11.0(7)?
>
>
> No, WaY, d00d. tHEreZ n0 unDocUmENted feAturZ or buGs anyWhEre for
> us^H^H thE bAd GuYz to eXpl0it. PaUl seZ iTs reAlLy GD buT thAtZ noT
> In ThE reLeaSe dOcuMentZ yEt.
>
> Bes1dEz, the m3dia aRe yUr wUrst eNeMieZ.
>
> If YoU sEnd me yUr rOuter aDdress and enAbuL pAsSwurd, IlL be GLad to
> chEcK yOur c0nf1gUrati0n for yoU.
>
>
> W.Z. Epperson                    "You can't go in there:
> SeNior $e                         There's a flashing red light."
> InfUrmation SecUr1ty OfFicer           --Firesign Theater--
> EPA AmeRiCus
> PiNCusH10n-for-Life
> VirginYa Dept. of EduCation
> epp3rson@pen.kI2.va.u$ (yEs, I aM)
>
>

hehehehehehhe, LOL! :) quipS? what quips? i'm holding my sides to keep my intestines inside instead of on the floor! (blame W.Z.!) thanks for the side-splitter!

-brian
lonewolf@wolf.microserve.com

From firewalls-owner Mon Jun 3 18:28:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09785 for firewalls-outgoing; Mon, 3 Jun 1996 10:31:36 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA09614 for ; Mon, 3 Jun 1996 10:30:45 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay6.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA17588 for firewalls-outgoing; Mon, 22 Apr 1996 00:40:38 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA17582 for ; Mon, 22 Apr 1996 00:40:34 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id AAA17674 for ; Mon, 22 Apr 1996 00:49:38 -0700
Date: Mon, 22 Apr 1996 01:36:39 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: RE: Stopping Fakemail
In-Reply-To:
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 21 Apr 1996, Martin Cooper wrote:

> Ident is pointless on insecure Windozes machines, and the IP address of
> the sending machine is no use on a public access machine.

With the IP address you can verify where the mail is coming from. If you have public access machines it would make a lot of sense to insert that info into any mail messages originating there...

    From: president@whitehouse.gov
    To: dean@cs.your.edu
    Subject: Invitation to dinner
    Probably From: unknown@public07.cs.your.edu (Public Terminal User)

    Dear Dean, Hillary and I would like to have the pleasure of your company....

Even if you can't stop the attempt at spoofing, you can give the recipient some info to help them make a judgement on whether or not the message is valid. But a real hacker could *STILL* spoof some people even with that kind of a header in the message body. As Abe Lincoln said "You can fool some of the people all of the time..."

Michael Dillon                                   Voice: +1-604-546-8022
Memra Software Inc.                                Fax: +1-604-546-3049
http://www.memra.com                           E-mail: michael@memra.com

From firewalls-owner Mon Jun 3 18:33:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07761 for firewalls-outgoing; Mon, 3 Jun 1996 10:09:36 -0700 (PDT)
Received: from route1.france3.fr (ms-paris.france3.fr [194.51.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA01809 for ; Mon, 3 Jun 1996 09:29:29 -0700 (PDT)
Received: by route1.france3.fr (8.7.1/SMI-4.1)
Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id GAA25577 for firewalls-outgoing; Tue, 9 Apr 1996 06:31:06 -0700 (PDT)
Received: from lint.cisco.com (lint-ether.cisco.com [198.93.170.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA25227 for ; Tue, 9 Apr 1996 06:23:04 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c2robo5.cisco.com [171.68.13.37]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id GAA29770 for ; Tue, 9 Apr 1996 06:18:29 -0700
Message-Id: <199604091318.GAA29770@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 09 Apr 1996 09:19:30 -0400
To: firewalls@GreatCircle.com
From: Paul Ferguson
Subject: Network Engineering Technologies Announces $10,000 Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Excerpt from:

-(BUSINESS WIRE) via Individual Inc.
[04-08-96 at 15:41 EDT, Business Wire]

[snip]

The Challenge

To claim the $10,000 in NET's Firewall Challenge, individuals must first register with NET, then use a computer to break into NET's secure transaction server and retrieve information stored there about paper currency totaling $10,000, namely: (1) the number of notes, (2) the denomination of each note and (3) the serial number of each note. The first person to supply the correct information to NET between 12:01 a.m. May 1 and 12:01 a.m. May 31 will win the $10,000. In the case of multiple break-ins, the first person sending the correct information to NET's e-mail address will be declared the winner. Participants must be individuals over 18 years of age, not companies, and must also agree to surrender to NET all relevant information about the methods they used to break through the firewall.

Further details on the Network Engineering Technologies' $10,000 Firewall Challenge available on the World-Wide Web at http://thefirewall.com or by writing NET at 1714 Ringwood Ave., San Jose, CA 95131.

[snip]

--
Paul Ferguson                  ||        ||
Consulting Engineering         ||        ||
Reston, Virginia USA          ||||      ||||
tel: +1.703.716.9538      ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Mon Jun 3 18:39:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11483 for firewalls-outgoing; Mon, 3 Jun 1996 10:50:04 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11282 for ; Mon, 3 Jun 1996 10:48:59 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from route1.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA12234 for firewalls-outgoing; Sun, 28 Apr 1996 09:32:41 -0700 (PDT) Received: from Eng.Auburn.EDU (wilbur.eng.auburn.edu [131.204.110.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA12228 for ; Sun, 28 Apr 1996 09:32:32 -0700 (PDT) Received: (from root@localhost) by Eng.Auburn.EDU (8.7.4/8.7.3) id LAA10942; Sun, 28 Apr 1996 11:28:54 -0500 (CDT) Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by Eng.Auburn.EDU (8.7.4/8.7.3) with ESMTP id TAA11528 for ; Tue, 19 Mar 1996 19:59:07 -0600 (CST) Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id DAA20267 for firewalls-outgoing; Tue, 19 Mar 1996 03:12:06 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA20251 for ; Tue, 19 Mar 1996 03:11:57 -0800 (PST) Message-Id: <199603191111.DAA20251@miles.greatcircle.com> Received: by cheops.anu.edu.au From: Darren Reed Subject: Re: NAT vs trad FW? 
To: Petter.Haggman@lule.frontec.se (Petter H{ggman) Date: Tue, 19 Mar 1996 22:10:39 +1100 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199603181611.RAA01045@goozer.arctic> from "Petter H{ggman" at Mar 18, 96 05:11:40 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Petter H{ggman, sie said: > > > Hi there! > > I'm interested in opinions/facts about using NAT as > a firewall concept. Beside the fact that one can save > some official address-space by using NAT, are there > any relevant arguments for/against the security of > for example Cisco's PIX vs Gauntlet or Firewall-1? A NAT (alone, and in the pure sense of the acronym) DOESN'T provide any security, per-se. It might be implied by assuming that an internal IP# doesn't have an externally accessible one all the time, but those external addresses will become evident when the host(s) go through the NAT to the other network. The NAT provides what some people call "address hiding", which is, as it suggests, security through obscurity at best. Gauntlet/FW-1 are going to provide you with an equivalent to this (assume FW-1 v2.0) plus extra things like user authentication for proxied services. 
darren From firewalls-owner Mon Jun 3 18:39:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09985 for firewalls-outgoing; Mon, 3 Jun 1996 10:32:58 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA09807 for ; Mon, 3 Jun 1996 10:31:48 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) Received: from ms-paris.france3.fr(194.51.91.1) by mycroft via smap (V1.3mjr) Received: by route1.france3.fr (8.7.1/SMI-4.1) Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-951222-1) id MAA14430 for firewalls-outgoing; Fri, 12 Apr 1996 12:32:52 -0700 (PDT) Received: from whiz.mfi.com (whiz.mfi.com [198.71.19.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA14422 for ; Fri, 12 Apr 1996 12:32:48 -0700 (PDT) Received: from ccmail.mfi.com by whiz.mfi.com (AIX 3.2/UCB 5.64/4.03) Received: from ccMail by mfi.com Date: Fri, 12 Apr 96 12:23:24 PST From: "Power, Richard" Message-Id: <9603128293.AA829337004@mfi.com> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #226 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Free firewall product matrix available from CSI SAN FRANCSICO -- Firewall revenues are estimated to surge from $160 million in 1995 to $980 million in 2000. But a recent CSI survey shows that 30% of Internet-based intrusions occured with a firewall installed. Clearly, there is a vital need for better information on which to make buying decisions. The CSI 1996 Firewall Product Matrix is a practical tool. The comprehensive evaluation of 22 different firewall products covers every feature of firewall design: e.g., administration, reports, alarms, encryption, training costs. It even lists proxies, gateways and servers. 
"You should be leery of vendor-sponsored evaluations," says Richard Power, CSI editor, "They lack the real-world perspective of practitioners. Our matrix was developed with input from both actual practitioners and leading independent experts in the field." "This year's firewall matrix attempts to pick out the areas that indicate a product's capabilities in filtering out attacks while passing other data through transparently," says Rik Farrow, a leading authority on Internet and UNIX security who worked on the matrix. "We looked for indications of flexibility that do not come at the expense of security. We want to provide you with a good starting point on your search." To obtain a free copy of the CSI 1996 Firewall Product Matrix, e-mail your address to prapalus@mfi.com, phone 415/905-2310 or fax 415/905-2218. This document is not available electronically. ### Computer Security Institute is the oldest international membership organization specifically serving the information security professional. Established in 1974, CSI has thousands of members worldwide and provides a wide variety of information and educational programs to assist practitioner in protecting the information assets of corporations and governmental organizations. 
From firewalls-owner Mon Jun 3 18:47:16 1996
Message-Id: <199604221445.OAA27313@telxon.mis.telxon.com>
From: jwojn@telxon.mis.telxon.com (Wojno, Jim)
Date: Mon, 22 Apr 1996 10:41
To: firewalls@greatcircle.com
Subject: Firewall outsourcing

Just a quick question; what is the general consensus on outsourcing your company's firewall? We are currently looking into various options to upgrade our current security measures, one of which is to outsource the firewall to a third party. Specifically, the company in question is BBN. While I am aware of their reputation and history, I am not sure how I feel about someone from outside the company controlling our firewall. Has anyone had direct dealings with BBN in this capacity, and if so, what can you tell me about this? If you like, respond to me off-list at jwojn@telxon.com.

My specific concerns are:

1.) Response time: this is not only in times of break-in or equipment failure, although I am interested in that. I also want to know how fast and effectively they respond to required changes in configuration, implementing new technologies, installing patches, etc.

2.) How would you rate their service: good, bad or poor? Why?

3.) How helpful and knowledgeable is their technical support? When they had to work on the system, did they explain what they were doing and why, or did they just do it and leave?

4.) Were there any services that you couldn't use on their firewall, such as Real Audio? What measures have been taken to accommodate this?

The firewall they offer is TIS Gauntlet, which I know has a good reputation. Also, some features such as 24 hour monitoring, 365 days a year are attractive, considering that even if I were paged in the evening, it would take at least 10 to 15 minutes for me to respond. I like the idea that there is someone keeping an eye on things, ready to respond at any minute. On the other hand, I am nervous about giving our security over to a stranger.

Any info that anyone feels will be helpful is greatly appreciated. Thanks in advance...........................

Jim Wojno
Systems Administrator
Telxon Corporation
jwojn@telxon.com

From firewalls-owner Mon Jun 3 18:48:51 1996
From: "Marcus J. Ranum"
Message-Id: <199604271309.JAA17719@clark.net>
Subject: pros and CONS: Intel/UNIX
To: Firewalls@GreatCircle.COM
Date: Sat, 27 Apr 1996 09:09:21 -0400 (EDT)
In-Reply-To: <199604270358.UAA16309@miles.greatcircle.com> from "firewalls-digest-owner@GreatCircle.COM" at Apr 26, 96 08:58:41 pm
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD

gcl@nikko.com (George Lee) writes:
>Question: What are the PROS and CONS between using an intel box vs.
> UNIX box ? (beside pricing and support)...

Intel boxes are an architecture. UNIX is an operating system. Unix can run on a lot of architectures, including Intel boxes. Gauntlet runs UNIX on an Intel box. You can also buy it on SPARC boxes and a couple of other architectures. I forget the whole list.

What I suspect you're asking is whether Intel boxes have as much horsepower as SPARCs or whatever for building firewalls. Which raises a lot of questions about cost effectiveness, the kind of load you are planning on pushing through it, etc. My experience is that an Intel box running BSDI frequently humiliates much more expensive Sun workstations at handling network loads.

Unless you have some unique requirement an Intel box is my recommended platform. That's based on the fact that they can scale up to (easily) ether to ether speeds, and they are very much a commodity. Most Intel boxes are CPU-upgradeable and use very cheap components. If you are concerned about spares or spare parts, it's nice to know that you can buy an off-the-shelf motherboard, hard disk controller, or network card replacement at (practically) the grocery store down the street.

The case where I recommend using a high-end workstation instead of an Intel box is for sites that already have the hardware lying around, and who have good maintenance contracts they want to take advantage of. Also for sites that have a lot of spare cash they'd rather spend on boxes than on other things.

mjr.

From firewalls-owner Mon Jun 3 18:51:48 1996
Message-ID: <317FA7C6.21B1@yobie.com>
Date: Thu, 25 Apr 1996 09:26:46 -0700
From: Yobie Benjamin
Organization: MetaGenesis, Inc.
To: Chris
CC: firewalls@GreatCircle.COM
Subject: Re: location of public hosts

Chris wrote:
>
> Please can someone give me some advice.
>
> I have a connection to the net through a Gauntlet firewall. I want to run a
> web server (NT) and have received conflicting advice as to where it should be
> located, internal or external to the firewall.
>
> In addition, what other risks need to be considered with using an NT server
> either internal or external.

This could be a long drawn out thread... Let me start...

1) No disk quota controls. Let's say you designate drive "D", which has 2.0 gigabytes of space, as your internet drive... irrelevant whether it's inside or outside the firewall. It is possible to flood that disk's entire space with "flood mail" or "fake mail" because you cannot impose a quota on disk usage.

2) No port control... Try it, if you can. This is not available on NT 4.0 either unless they change things on the GA release.

Next...

Opppss... Don't get me wrong, I'm not implying that you should not use NT. That's a call for you to make.

> Thanks in advance for your help
>
> Chris

--
http://www.yobie.com
yobie@yobie.com

From firewalls-owner Mon Jun 3 18:52:48 1996
Date: Fri, 26 Apr 96 17:30:20 EST
From: "MURALIKRISHNAK"
Message-Id: <9603268305.AA830533461@smtp_gw.inf.com>
To: Firewalls@GreatCircle.COM
Subject: Monitoring CISCO 4K Router under RLW

Hi,

Is it possible for Cabletron Remote LANVIEW/Windows (RLW) software to monitor the Cisco 4000 Router whose software ver. is 9.14(7)? In fact, I have configured the Cisco 4K under RLW as shown below, along with the error messages I am getting:

1. Selected the Generic component - Router
   Message: CoomWindProc Communication with this device has not been established yet

2. Contacted thru the MIB Stats Confign, which gives an error
   Error: OVWIN No Alarm notification available (OV1409)

3. Status under Unacknowledged alarms is shown as CRITICAL

Can anyone tell me what the problem is and how to overcome that?

TIA
- Murali Krishna
(INFOSYS TECHNOLOGIES LTD, BANGALORE, INDIA)

From firewalls-owner Mon Jun 3 18:56:46 1996
From: scott@zorch.sf-bay.org (Scott Hazen Mueller)
Subject: Re: Filtering by Source Port
Reply-To: scott@zorch.sf-bay.org
Organization: At Home; Salida, CA
References: <199604221540.IAA21891@dfw-ix7.ix.netcom.com>
Date: Tue, 23 Apr 1996 14:01:04 GMT
>>ps. When I talked to Cisco Tech Support they couldn't understand why anyone
>>would even want to filter by source port.

>I don't understand why you would want to filter by source port either.

Given x.y.z.0 as your internal network:

    access-list 101 permit tcp any eq ftp-data x.y.z.0 gt 1023

It's sure not perfect, but if you don't have an active gateway, it's a tiny bit better than just allowing random TCP connections to internal high ports.

--
Scott Hazen Mueller | scott@zorch.SF-Bay.ORG or tandem!zorch!scott

From firewalls-owner Mon Jun 3 19:00:34 1996
Message-ID: <01BB338A.E5C95120@rwcooper.rc.toronto.on.ca>
From: Russ
To: Rolf Weber, "'Rick Smith'"
Cc: firewalls
Subject: RE: location of public hosts
Date: Fri, 26 Apr 1996 16:10:32 -0700

"Typical commercial hosts just don't cut it. You need mandatory access control like on "multilevel secure" systems or like type enforcement on Sidewinder. Then it can even be part of the site's firewall."

I'm sorry Rick, but are you saying that the only Web Servers that can be run have to allow the use of type enforcement or similar security? Come on guys, this attitude which says that if it can't withstand the most serious types of attacks it ain't good enough is just not going to cut it in a world where most companies have a web site. Sure, I agree, it is the best security, but is there no room to evaluate the value of the information being protected against the cost of the security implementation?

After all, it is said over and over again that the biggest security risk is not from the Internet but from the local network. By putting a web server outside of the local LAN, protected from it by a firewall, you have taken care of your biggest risk by securing it from your local network.

This has nothing to do with NT or any other OS, but if people come to the Firewalls list to get a feel for what their personal security needs might be, and are sifting through all the information they can get from here, these kinds of answers are going to make many people believe that the cost of making a presence on the WWW is simply way too high and complex for them to try. Nobody asked the person what they wanted to do with the web server, what kind of web server software they were planning to use, and whether or not there was a need for the web server to participate in an Intranet.

I understand that there is a Gatekeeper motto that says "nothing in, nothing out", but there is a tidal wave of commerce that says "if I ain't out there, I won't get the new shareholders in", or something like that.

For example, with BorderWare I could put the NT Web server on a secure side network, a third adapter in the Firewall. This has its own access lists and HTTP would be proxied from the outside onto the side network directly to the NT Web server. Only requests from the external adapter address on the specified port would be allowed to connect to the web server. If the web server needed to connect to a SQL server, for example, a proxy would be established between the secure side network and the internal network. Only access from the IP address (translated address) would be allowed through the proxy on the specified port into the internal network.

Now the only question in my mind is the security of the web server software, not the NT box. Considering the HTTP request would be on one port, and the SQL access would be on a different port, and only HTTP is allowed in/out between the side network and external network, and only SQL in/out between the side network and the internal network, it sounds pretty secure to me. Now I could be completely wrong here, but I think it would take a pretty sophisticated hack to get into the internal network. Getting access to the SQL data in some way not intended is up to the HTTP server.

How about some simpler solutions with provisos rather than just tons of warnings and expensive or complex solutions... there's ideal, and then there's the rest of us...

Cheers,
Russ

From firewalls-owner Mon Jun 3 19:52:17 1996
From: gblolmxb@ibmmail.com
Message-Id: <199604121153.EAA01557@miles.greatcircle.com>
Date: Fri, 12 Apr 1996 07:50:59 EDT
To: ac141@typhoon.dial.pipex.net, firewalls@greatcircle.com
Subject: Re Finding domain name from IP address

Ben said:
>We have a combination of registered and unregistered IP addresses on
>our network (no Internet connection yet).
>Is there a way I can find out who the unregistered ones are really
>registered to?

Try telnetting to rs.internic.net and run whois, or for European registrations, try info.ripe.net, or even ns.ripe.net.

Mark.
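Scott's source-port rule a few messages up, worked through as an added example (not code from the post or from Cisco): a small Python model of just the subset of IOS extended access-list syntax that rule uses, run against constructed packets, with 192.0.2.0/24 standing in for x.y.z.0 and 203.0.113.7 as a constructed outside FTP server. An 'established' entry (a real IOS keyword) is evaluated beside it to show why a stateless filter without an active gateway needs the source-port entry for active-mode FTP data, and what that entry still cannot tell apart.

```python
"""Model of Cisco IOS extended access-list matching for the source-port rule
discussed above (an illustrative model written for this list, not IOS code).

Only the syntax the rule needs is understood:
  access-list N permit|deny tcp SRC [eq|gt|lt PORT] DST [eq|gt|lt PORT] [established]
where SRC/DST is 'any' or 'ADDRESS WILDCARD'.  Entries are tried in order,
the first match wins, and an unmatched packet hits the implicit deny.
"""
from dataclasses import dataclass
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # a fresh connection request
    ack: bool = False   # set on every segment after the first


def _parse_addr(tokens, i):
    """Return (match_fn, next_index) for 'any' or 'address wildcard'."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Cisco wildcard bits set to 1 mean "don't care" (the inverse of a netmask).
    return (lambda ip: (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)), i + 2


def _parse_port(tokens, i):
    """Return (match_fn, next_index); no operator means any port."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = PORT_OPS[tokens[i]]
        n = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        return (lambda p: op(p, n)), i + 2
    return (lambda p: True), i


def parse_ace(line):
    """Parse one access-list entry into (action, match_fn)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only 'access-list N permit|deny tcp ...' is modelled")
    action = t[2]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    # 'established' matches only segments of an already open connection
    # (IOS: ACK or RST bit set; modelled here as the ACK bit).
    established = i < len(t) and t[i] == "established"

    def match(pkt):
        if established and not pkt.ack:
            return False
        return src(pkt.src) and sport(pkt.sport) and dst(pkt.dst) and dport(pkt.dport)

    return action, match


def evaluate(acl_lines, pkt):
    """Apply an access list to a packet: first match wins, implicit deny last."""
    for line in acl_lines:
        action, match = parse_ace(line)
        if match(pkt):
            return action
    return "deny"


# Constructed stand-ins: 192.0.2.0/24 plays x.y.z.0, 203.0.113.7 an outside FTP server.
INTERNAL = "192.0.2.0 0.0.0.255"
SOURCE_PORT_ACL = [f"access-list 101 permit tcp any eq ftp-data {INTERNAL} gt 1023"]
ESTABLISHED_ACL = [f"access-list 102 permit tcp any {INTERNAL} gt 1023 established"]

# Constructed packets covering the cases the post's argument turns on.
FTP_DATA_SYN = TcpPacket("203.0.113.7", 20, "192.0.2.10", 1500)   # active-mode data channel opening
LOW_PORT_SYN = TcpPacket("203.0.113.7", 20, "192.0.2.10", 23)     # port 20 aimed at a low port
RANDOM_SYN = TcpPacket("203.0.113.7", 40000, "192.0.2.10", 1500)  # the "random TCP connection"
OUTSIDE_DST = TcpPacket("203.0.113.7", 20, "198.51.100.1", 1500)  # not our network at all
RETURN_ACK = TcpPacket("203.0.113.7", 80, "192.0.2.10", 1500, syn=False, ack=True)  # reply traffic


def compare(pkt):
    """(decision under the source-port rule, decision under the 'established' rule)."""
    return evaluate(SOURCE_PORT_ACL, pkt), evaluate(ESTABLISHED_ACL, pkt)


if __name__ == "__main__":
    cases = [("ftp-data SYN", FTP_DATA_SYN), ("port 20 to low port", LOW_PORT_SYN),
             ("random SYN to high port", RANDOM_SYN), ("return ACK", RETURN_ACK)]
    for name, pkt in cases:
        sp, est = compare(pkt)
        print(f"{name:25s} source-port rule: {sp:7s} established rule: {est}")
    # The source-port entry is what lets active-mode FTP data in, but it cannot
    # tell an FTP server's data connection from any other SYN sent from port 20
    # to an internal high port: the imperfection the post acknowledges.
    # 'established' closes that gap yet also blocks the legitimate ftp-data SYN.
```

Running it prints one line per case; the ftp-data SYN is the only packet the source-port rule permits and the only reply packet the 'established' rule rejects, which is the trade-off the post is describing.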
From firewalls-owner Tue Jun 4 05:50:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA19776 for firewalls-outgoing; Mon, 3 Jun 1996 11:39:47 -0700 (PDT)
Received: from gladiator.transdyn.com (gladiator.transdyn.com [206.217.196.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA19702 for ; Mon, 3 Jun 1996 11:39:24 -0700 (PDT)
Received: (from mail@localhost) by gladiator.transdyn.com (8.6.12/8.6.12) id LAA14631; Mon, 3 Jun 1996 11:35:46 -0700
Message-Id: <199606031833-38781@Transdyn.COM>
Date: Mon, 03 Jun 1996 11:33:04 -0800
X-Mailer: Microsoft Mail with Intergate/SMTP (v9603.07)
X-Sender: JRankin@Transdyn.COM
From: JRankin@transdyn.com (Jeff Rankin)
To: fwtk-users@tis.com, rhicks@MO.NET
Cc: firewalls@greatcircle.com
Subject: RE: Sendmail with firewall relay - Updat
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We implemented a couple-line hack to smap.c to change user@internal.domain.com to user@domain.com. I'm pretty sure it can be done with sendmail also, but this was easier for us.

Jeff Rankin
Transdyn Controls

----------
From: Rick Hicks
To: fwtk-users
Cc: firewalls
Subject: Sendmail with firewall relay - Update
Date: Thursday, April 25, 1996 11:20PM

[To unsubscribe from this list send the message "unsubscribe fwtk-users" in the BODY of a mail message to majordomo@tis.com.]

First, thanks to all who have responded so far. I now have internal mail delivery working. I found the solution tucked away in one of the sendmail book's appendixes, and a few people mailed me the same advice shortly after (Thanks!). The solution was not to use the Fw macro as most replied - I needed mail delivered to other hosts once it hit the hub; I believe Fw only works if I wanted to keep the mail on the hub.

The only problem left is to get the firewall to rewrite internal senders as user@my.domain instead of user@host.my.domain. I don't know that this can be done since the firewall just relays mail to the provider's mail host or my internal hub and never gets to any rules other than rule set 0, which, as far as I know, only investigates recipient addresses. With this being the case, is there any way to hack around it?

TIA,
Rick
__________________________________
Rick Hicks
System Specialist
Hussmann Corporation

From firewalls-owner Tue Jun 4 06:05:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA02805 for firewalls-outgoing; Tue, 4 Jun 1996 03:00:57 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA01605 for ; Tue, 4 Jun 1996 02:57:16 -0700 (PDT)
Received: from mail.rc.toronto.on.ca by relay2.UU.NET with ESMTP
Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232])
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail
Message-ID: <01BB519B.75874280@rwcooper.rc.toronto.on.ca>
From: Russ
To: "Firewalls@GreatCircle.COM"
Subject: RE: NT firewalls & NOS admins
Date: Mon, 3 Jun 1996 22:24:40 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It never ceases to amaze me how some Unichs seem to think that only UNIX experience is viable when it comes to working with an Internet connection. Some may be surprised to find out that TCP/IP has been included in NT since it was first released, and it's been around for quite some time in DOS or Windows. One doesn't need a UNIX degree to know how IP works, or how the Internet works, for that matter. I know quite a few UNIX SQL administrators who wouldn't know how to configure their inetd if it bit them in the ass.

Some thoughts:

- Lots of companies want to get an Internet connection.
- More security breaches occur internally than happen via an Internet connection.
- Lots of companies are none too concerned about their security issues (some less concerned than they should be, others not).
- Most companies do not have a security policy of any kind.
- Not everyone will be hacked to death on the Internet!
- Not every company will handle their own connection.
- Consultants can do much of what a company might be able to do itself.
- One can learn TCP/IP without learning anything about UNIX (even though some or all of the tools they use might be UNIX tools)

There are lots of places where a dedicated Firewall Administrator *must* exist, and lots of places where dedicated security administration staff *have to* be on staff. Then there are the *majority* of companies who neither need, nor can afford, to have either, yet still want to be part of the 'net. The Internet, and vendors that make tools that utilize it, are just going to have to accept that fact and provide for it accordingly; that's just a reality we're all going to have to accept. Stupid ISP's, auto-responders on mail IDs, spamming, live CuSeeMe Poison concerts, casual hackers, and of course, Bad Guys (tm).

"UNIX is useful because that's where the picture came from! If you have a decent UNIX geek on staff, then you likely have someone who understands how things work on the Internet (i.e. how the services are provided, how mail flows, etc). If you have some guy with a Microsoft Certification for NT, then you probably don't."

Surely you jest...like IP is rocket science or something...sheesh.

I've never administered a UNIX system in my life, does it show that much?

Cheers,
Russ

From firewalls-owner Tue Jun 4 06:21:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA05288 for firewalls-outgoing; Tue, 4 Jun 1996 03:09:56 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA05221 for ; Tue, 4 Jun 1996 03:09:28 -0700 (PDT)
Received: from plum.cyber.com.au by relay2.UU.NET with SMTP
Received: (from mikec@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id LAA07588; Tue, 4 Jun 1996 11:14:56 +1000
From: Michael Ciavarella
Message-Id: <199606040114.LAA07588@plum.cyber.com.au>
Subject: Re: What do you want to know about Windows NT?
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Tue, 4 Jun 1996 11:14:55 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01BB4DB7.9D7EAFE0@ts1-13.vcr.iSTAR.ca> from "Russ" at May 29, 96 11:03:31 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Russ,

(background: I'm one of those weird people who believes that picking the right tool for the job is more important than "running unix" or "running NT". I'm much more familiar with security in UNIX environments, but even with less experience in NT environments, it's become obvious that security admins in general lack detailed knowledge about NT. Part of this is that the relevant information isn't easily available in the one place. On this point, I think Russ's idea is a Good Thing. On the other side, I've experienced M$ support (spell 'oxymoron'), misleading technotes, etc. For an application which is as business-critical as a firewall tends to be, these are part of _my_ considerations when searching for "the right tools", and hence U*X-type solutions tend to win out. On with the show...)

> However, if we assume that I was able to get Microsoft to put together a CD
> that contained White Paper and technical information regarding Windows NT,
> what would you like to know about Windows NT to help you evaluate its
> impact on the security within your environment?
>
> A few assumptions;
>
> - it will not contain source code for any products which source code is not
> already publicly available

Does this include Microsoft modifications to publicly available source code, in particular, encryption algorithms? What about code fragments eg. for key exchange??

> - it will contain all available API specifications
> - it will contain RFC implementations and any MS-specific extensions to
> them
> - it will contain information from 3rd party ISV's who offer security
> solutions

It would be worthwhile breaking this down further... some NT products which shall remain nameless O:-) just use NT as a boot loader before taking over the machine and having their wicked way. They don't use SAM or take advantage of any of the other NT features which a "real" NT package would do. Some areas which might be worthwhile:

* Single signon systems
* Remote access control
* Security management tools

> Some ideas;
> - The CD could come with a 60-day Windows NT Server/BackOffice evaluation,
> would that be useful?
> - There is a C2 configuration guide (manual), maybe it should be included

Might also be an idea to include technical information on the NT architecture features which support C2 requirements, and which allow performance to be maintained when running C2 (sic).

> - There is a Network Monitoring tool (Netmon), maybe it should be included
> - There are a variety of tools that are part of the Resource kits to add
> unix-like functionality to NT, maybe they should be included
> - More information could be given if the CD was available under NDA, would
> you prefer that?

*sigh* the people who know enough about NT to break it will already have this information - if Beelzegates wants people to consider NT as a basis for their security then maybe he should consider that as security admins, we DON'T like being left behind by a vendor's need to hide the information we need to do our job. Unless of course he's throwing in the source code for NT :-ppp

> - The NT Knowledgebase includes articles about many issues relating to
> security problems, misconfigurations, and bugs, should that be included?
> - There are numerous SDK's for the various NT BackOffice products, would
> these be useful?

For an evaluation? Probably not. The API's and documentation however would be important to assessing the extent to which local customisations etc. can be made.

> What kind of information, what format should it be in, and what level
> should it be positioned for?

Suggestion: Put it on two CD's - eval software on one CD and doco/papers/api references etc on the second CD. If the doco isn't accessible then this whole exercise would be wasted - something a little more than Knowledgebase (ie. more indexing) would be a good start.

> Treat me like the university student asking for information about a thesis.

Russ, you should read the FAQ (http://www.whitehouse.gov), and get copies of Cheswick and Bellovin's "Firewalls and Internet Security", and "Building Internet Firewalls" by Chapman and Zwicky. They will be very helpful in writing your thesis.
:-))))

cheers
mike

From firewalls-owner Tue Jun 4 06:37:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26160 for firewalls-outgoing; Mon, 3 Jun 1996 12:16:10 -0700 (PDT)
Received: from greatcircle.com ([206.172.56.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA25881 for ; Mon, 3 Jun 1996 12:15:12 -0700 (PDT)
Date: Mon, 3 Jun 1996 12:15:12 -0700 (PDT)
From: bobm@network.com
Message-Id: <199606031915.MAA25881@miles.greatcircle.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Test

From firewalls-owner Tue Jun 4 06:45:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24116 for firewalls-outgoing; Mon, 3 Jun 1996 12:06:39 -0700 (PDT)
Received: from brahma.iitm.ernet.in (brahma.iitm.ernet.in [144.16.224.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA23049 for ; Mon, 3 Jun 1996 12:00:32 -0700 (PDT)
Received: by brahma.iitm.ernet.in; (5.65/1.1.8.2/07Feb96-0917AM)
Date: Tue, 4 Jun 1996 00:14:38 +0530 (IST)
From: Natchu Vishnu Priya
To: gblolmxb@ibmmail.com
Cc: ac141@typhoon.dial.pipex.net, firewalls@greatcircle.com
Subject: Re: Re Finding domain name from IP address
In-Reply-To: <199604121153.EAA01557@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Apr 1996 gblolmxb@ibmmail.com wrote:

> Ben said:
>
> >We have a combination of registered and unregistered IP addresses on
> >our network (no Internet connection yet).
>
> >Is there a way I can find out who the unregistered ones are really
> >registered to?
>
> Try telnetting to rs.internic.net and run whois. or for European
> registrations, try info.ripe.net, or even ns.ripe.net.

Just use nslookup or dig and look for the nameservers of the inverted IP domains.. like if the IP addresses are 10.11.12.xx, look for the nameservers of 12.11.10.in-addr.arpa.

-vishnu
_______________________________________________________
Vishnu Priya Natchu           System Administrator
225, Saraswathi,              Network Systems Lab,
IIT Madras 600 036            Computer Science & Engg.
INDIA                         IIT Madras
0091-044-235-1889             0091-044-235-1921
_______________________________________________________
Email: mailto:vishnu@brahma.iitm.ernet.in
WWW page: http://brahma.iitm.ernet.in/~vishnu
_______________________________________________________

From firewalls-owner Tue Jun 4 06:50:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA19490 for firewalls-outgoing; Tue, 4 Jun 1996 04:24:31 -0700 (PDT)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA17224 for ; Tue, 4 Jun 1996 02:14:35 -0700 (PDT)
Received: from mail.marben.com by relay6.UU.NET with SMTP
Received: (from girsch@localhost)
From: girsch@marben.com (Arnaud Girsch)
Message-Id: <199606040133.SAA07814@mail.marben.com>
Subject: Re: suspicious packets in firewall logs??
To: equaad@indigo.mit.edu
Date: Mon, 3 Jun 1996 18:33:06 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199604232019.NAA10398@miles.greatcircle.com> from "equaad@indigo.mit.edu" at Apr 23, 96 04:14:14 pm
X-Organization: Marben Products, Inc.
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port
> domain-udp len 378 rule 9
>
> proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port
> domain-udp len 353 rule 9
>
> proto udp src 555.555.555.555 dst 444.444.444.444 service 1066 s_port
> domain-udp len 371 rule 9
>
> proto udp src 555.555.555.555 dst 444.444.444.444 service 1067 s_port
> domain-udp len 353 rule 9
>
> firewall-1 as a firewall. Notice how the service (which is just the
> destination port number I believe) increments by one each time. What
> kind of application would generate traffic like this?? Or is someone
> sending packets to a bunch of different ports on the system to see
> whether any of those might be running an unusual service that they can
> then use to break in? Any ideas would be helpful. Right now the
> firewall is set up to drop such packets.

Could be answers to DNS queries ... if 555.555.555.555 can send DNS queries to 444.444.444.444 (according to your outgoing filter)

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Tue Jun 4 07:10:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA07373 for firewalls-outgoing; Mon, 3 Jun 1996 13:11:10 -0700 (PDT)
Received: from lifeguard.com ([38.249.226.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA07172 for ; Mon, 3 Jun 1996 13:10:24 -0700 (PDT)
Received: from is-am ([199.181.86.146]) by firewall.lifeguard.com with SMTP id <36865>; Mon, 3 Jun 1996 13:13:47 -0700
Comments: Authenticated sender is
From: "Alan Millar"
To: firewalls@greatcircle.com
Date: Mon, 3 Jun 1996 06:09:02 -0700
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Strange mail Sender: problem with Borderware?
X-mailer: Pegasus Mail for Windows (v2.33)
Message-Id: <96Jun3.131347pdt.36865@firewall.lifeguard.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've just inherited a Borderware Firewall Server and I'm having a strange mail problem with it. The Sender: header and envelope sender are being rewritten on both incoming and outgoing mail, to the ID of one particular POP mailbox. When we deleted that mailbox, it changed to the next one in line. The From: header is untouched, so most person-to-person mail is OK. But for anything that looks at the envelope sender (Microsoft Mail SMTP gateway, Listproc, Listserv) it's really a problem.

Borderware tech support had me install a 7 megabyte patch file to bring me up to the latest release, which went smoothly but didn't help :-( Other than that they don't seem to know what to do with it.

This thing is basically a black box that doesn't let you in to see what's going on. I know it's BSDI in there somewhere from the boot messages, but it's locked down tight through the user interface. I was undecided if that's good or bad, but my opinion is starting to lean....

Has anyone else had this problem on a Borderware Firewall Server, or can offer any suggestions? I'd appreciate any and all tips. Thanks!

- Alan

--
Alan Millar                AMillar@LifeGuard.com
Internetworking Manager    LifeGuard HMO

From firewalls-owner Tue Jun 4 07:13:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA19810 for firewalls-outgoing; Tue, 4 Jun 1996 04:30:02 -0700 (PDT)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA14599 for ; Tue, 4 Jun 1996 00:39:46 -0700 (PDT)
Received: from cheops.anu.edu.au by relay3.UU.NET with ESMTP
Message-Id:
Received: by cheops.anu.edu.au
From: Darren Reed
Subject: Re: Cross Realm Kerberos/DCE Proxy, NAT, UDP
To: asafier@explorer.csc.com (Adam Safier)
Date: Tue, 4 Jun 1996 10:33:51 +1000 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Adam Safier" at Apr 8, 96 04:34:00 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Adam Safier, sie said:

[...]
> The NAT could be a real problem. Kerberos apparently packs the nodes
> network address as part of the authentication packet so if your IP address
> is hidden by the firewall I expect the authentication at the client/server
> to fail when source and encrypted address are compared. (are they?).

First, you can't change the encrypted addresses. Second, having done this recently, you don't send any encrypted data to the server unless you have the IP addresses in your preauthentication data.

If I send a Kerberos TGT request, rewrite the packet IP#'s and then look inside the Kerberos packet and do the same, so long as the data matches your DNS/hosts database, things are fine. However, the TGT reply will quite likely have IP#'s encrypted. This is a problem for the client.

If memory serves me correctly, Kerberos4 doesn't use IP#'s in tickets yet, and in Kerberos5-Beta5 (RFC1510), IP#'s are documented as being optional. If you're buying a commercial Kerberos solution, check with them before assuming what is in the RFC to be correct and how they've implemented it.

The IP#'s for the source and destination of the packet don't need to match those inside the Kerberos packet: this is easily tested by setting up a host with a UDP relay on port 88 to the real KDC and pretending the relay host is the KDC when doing the kinit.

darren

From firewalls-owner Tue Jun 4 07:16:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA06003 for firewalls-outgoing; Mon, 3 Jun 1996 13:03:12 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA00575 for ; Mon, 3 Jun 1996 12:34:01 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from unknown(194.218.38.3) by mycroft via smap (V1.3mjr)
Received: by iez.com (AIX 3.2/UCB 5.64/4.03)
Received: from spibm02(172.16.13.62) by iez.com via smap (V1.3)
Received: from iez.com by spibm02 (AIX 3.2/UCB 5.64/4.03)
Message-Id: <9606031714.AA18507@spibm02>
Received: from inhps-a by iez.com with SMTP
Received: by inhps-a
From: Rolf Weber
Subject: Re: RE: Raptor's Eagle Firewall
To: ianj-b@dial.pipex.com (Ian Johnstone-Bryden)
Date: Mon, 3 Jun 1996 19:14:37 +0200 (MESZ)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: from "Ian Johnstone-Bryden" at Jun 3, 96 04:16:24 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > gary flynn wrote in part:
> >
> > > The whole idea behind firewalls is to have tightly controlled code.
> > > It is the instability and poor security design of present operating
> > > systems that necessitate firewalls in the first place.
> >
> > ?????????????????????????Really!!
>
> The firewall exists most commonly as a placebo to allow people who
> poorly specify, procure, implement, maintain, manage untrusted
> information systems, to feel comfortable and secure from the fear of
> attack via public networks.
>
> Like marriage it is a triumph of hope over experience, which doesn't
> mean it can't work for some people.
>
> That doesn't of course mean that a firewall cannot reduce risks, just
> that it's a costly way of doing so in many cases and no substitute for
> implementing and running reliable information systems.

you're right that you can't neglect internal security even when you have a firewall. but all threats i know about require, in any way, help from inside. i don't believe that users on "trusted systems" are better educated than others, so this threat is still true with trusted systems. of course, the attacker will firstly only have the permissions of this user, and it may be harder for the attacker to gain higher privileges, but even to have these reduced permissions is almost (i think) bad enough.

> Even if all internal networks were well specified, procured,
> implemented and operated, there would still be a need for a guard at
> the gateways to public systems (at least for most people) because
> there would still be the potential risk of attack from outside.

yes, i agree.

> OTOH some internal networks could be traditional poor design and
> require no firewall because there was nothing worth attacking or
> protecting.

i really doubt this. there is, at least, the risk to lose reputation. another point is that you can't say "this internal host isn't worth protecting". if *one* internal host did fall, the attacker has:

- access to the internal net with the possibility to use sniffers.
- a very fast connection to the other hosts.
- direct access to the internal DNS server.
- the hope there is a misconfiguration and another internal host trusts it.

a nightmare, i think.

> BTST a firewall built on an untrusted OS has itself got a number of
> exploitable vulnerabilities. As many firewalls are built in the same
> careless fashion, as the internal networks they are supposed to
> protect, it is no great surprise to find that they are largely
> ineffective in most things other than consuming corporate funding.

i think this is said too commonly. i'm sure there are a lot of poor firewalls, however not because of the firewall's software but because of some guys configuring it. (those of you who are subscribed to fwall-users@tis.com know what i'm speaking about, i think.)

rolf
--
-----------------------------------------
Rolf Weber              | All I ask is a chance
IEZ AG D-64625 Bensheim | to prove that money
++49-6251-1309-109      | can't make me happy.

From firewalls-owner Tue Jun 4 07:20:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA17069 for firewalls-outgoing; Tue, 4 Jun 1996 04:01:00 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA05829 for ; Tue, 4 Jun 1996 00:13:36 -0700 (PDT)
Received: from nsco.network.com by relay5.UU.NET with SMTP
Received: from anubis.network.com by nsco.network.com (4.1/1.34)
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1)
Date: Mon, 3 Jun 96 21:56:37 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9606040256.AA13204@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: Filtering by Source Port
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Basically any router built can filter by source port. Even newer cisco software can filter by source port (11.x?). Cisco tech support has apparently been given a stock 'you must be crazy' answer to at least the source port thing, and apparently have not yet received the new gospel.

Certainly the fine, wonderful and all-around special Network Systems products can, and have been able to do so for going on 10 years now. I am quite certain that 3Com and Bay equipment can as well, and I am almost certain cisco can as well.

Andrew

P.S. My praises of Network Systems equipment are, obviously, biased. I work there, and in fact do packet filtering stuff.
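Andrew's point is whether the router can match the source port at all; the separate question, which Scott Hazen Mueller's own "it's sure not perfect" in this thread acknowledges, is what such a rule admits once it is in place. The Python below is an added example, not from anybody on the list and not from any router vendor. It is a toy first-match evaluator in the spirit of the `access-list 101 permit tcp any eq ftp-data x.y.z.0 gt 1023` rule quoted in this thread (a simplified model, not a parser for real IOS configuration), used to list which internal high-port services that rule would let a new connection from outside reach, next to a variant that only admits packets with ACK set. The internal network, outside host and list of high-port services are all constructed.

```python
"""Audit what a stateless "permit from source port X" rule lets in.

Added example, not from the list or from any router vendor. Rule is a
deliberately simplified model of a Cisco extended access-list (first
match wins, implicit deny at the end); it is not an IOS parser. The
internal network, outside host and service list are constructed.
"""
import ipaddress
from dataclasses import dataclass

FTP_DATA = 20          # the well-known "ftp-data" port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # False = bare SYN, the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src_net: str       # "any" or CIDR
    sport: tuple       # ("any",) | ("eq", n) | ("gt", n) | ("lt", n) | ("range", lo, hi)
    dst_net: str
    dport: tuple
    established: bool = False   # match only packets with ACK set (replies, not new SYNs)


def _net_match(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _port_match(spec, port):
    op = spec[0]
    if op == "any":
        return True
    if op == "eq":
        return port == spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "lt":
        return port < spec[1]
    if op == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError("unknown port operator %r" % op)


def rule_matches(rule, pkt):
    if rule.established and not pkt.ack:
        return False
    return (_net_match(rule.src_net, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _net_match(rule.dst_net, pkt.dst) and _port_match(rule.dport, pkt.dport))


def decide(rules, pkt):
    """First matching rule wins; nothing matching means deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


INTERNAL = "192.0.2.0/24"      # constructed stand-in for x.y.z.0
INSIDE_HOST = "192.0.2.77"
OUTSIDE_HOST = "198.51.100.9"

# The rule from the thread: access-list 101 permit tcp any eq ftp-data x.y.z.0 gt 1023
FTP_DATA_RULES = [Rule("permit", "any", ("eq", FTP_DATA), INTERNAL, ("gt", 1023))]

# The alternative: admit only packets belonging to a connection the inside
# opened (ACK set). Active-mode FTP data then needs a proxy, the "active
# gateway" Scott mentions, because its data connection arrives as a new SYN.
ESTABLISHED_RULES = [Rule("permit", "any", ("any",), INTERNAL, ("gt", 1023), established=True)]

# Constructed list of services that commonly listen above 1023 on a Unix host.
HIGH_PORT_SERVICES = {2049: "nfs", 6000: "X11", 6667: "irc", 8080: "http-proxy"}


def exposed_services(rules, inside_host, outside_host, outside_sport):
    """Names of the listed high-port services that a new connection from
    outside_host, sent from outside_sport, would reach on inside_host."""
    return sorted(name for port, name in HIGH_PORT_SERVICES.items()
                  if decide(rules, Packet(outside_host, outside_sport, inside_host, port)) == "permit")


if __name__ == "__main__":
    print("ftp-data rule exposes:",
          exposed_services(FTP_DATA_RULES, INSIDE_HOST, OUTSIDE_HOST, FTP_DATA))
    print("established-only rule exposes:",
          exposed_services(ESTABLISHED_RULES, INSIDE_HOST, OUTSIDE_HOST, FTP_DATA))
```

The audit makes the trade-off concrete: the source-port rule admits the active-FTP data connection it was written for, but it admits any other new connection that happens to carry source port 20 to any internal port above 1023 too, since the source port is chosen by the remote end. The established-only rule closes that, at the cost of needing a proxy for active FTP.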
From firewalls-owner Tue Jun 4 07:20:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA07764 for firewalls-outgoing; Tue, 4 Jun 1996 06:03:40 -0700 (PDT)
Received: from cass.ma02.bull.com (cass.ma02.bull.com [128.35.32.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA07732 for ; Tue, 4 Jun 1996 06:03:21 -0700 (PDT)
Received: from flight.ma02.bull.com by cass.ma02.bull.com with SMTP
Received: from flight.ma02.bull.com by flight.ma02.bull.com (AIX 4.1/UCB 5.64/4.03)
Message-Id: <31B43435.41C6@flight.ma02.bull.com>
Date: Tue, 04 Jun 1996 09:03:49 -0400
From: "John B. Young"
Organization: International Bull Telecommunications
X-Mailer: Mozilla 2.01 (X11; I; AIX 1)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: Filtering by Source Port
References: <199604221540.IAA21891@dfw-ix7.ix.netcom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Note that this feature only exists in release 10.3 and above, none of which is considered general release yet...

Scott Hazen Mueller wrote:
>
> >>ps. When I talked to Cisco Tech Support they couldn't understand why anyone
> >>would even want to filter by source port.
>
> >I don't understand why you would want to filter by source port either.
>
> Given x.y.z.0 as your internal network:
>
> access-list 101 permit tcp any eq ftp-data x.y.z.0 gt 1023
>
> It's sure not perfect, but if you don't have an active gateway, it's a tiny
> bit better than just allowing random TCP connections to internal high ports.
>
> --
> Scott Hazen Mueller | scott@zorch.SF-Bay.ORG or tandem!zorch!scott

--
***********************************************************************
* John B. Young (JY235)                                               *
* Network Engineer                   Phone: (508)294-6384             *
* Bull HN Information Systems        Fax:   (508)294-4274             *
* Technology Park MA02-203S          Email: j.o.young@bull.com        *
* Billerica, MA 01821                                                 *
***********************************************************************

From firewalls-owner Tue Jun 4 07:50:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA15666 for firewalls-outgoing; Mon, 3 Jun 1996 13:51:21 -0700 (PDT)
Received: from .cdnoxy.com ([206.172.56.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA15602 for ; Mon, 3 Jun 1996 13:51:02 -0700 (PDT)
From: .
Date: Mon, 3 Jun 96 13:55:13 PDT
Subject: test
To: firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-------------------------------------
E-mail: .
Date: 6/3/96
Time: 1:55:13 PM

This message was sent by Chameleon
-------------------------------------

From firewalls-owner Tue Jun 4 08:05:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20417 for firewalls-outgoing; Mon, 3 Jun 1996 11:43:18 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16208 for ; Mon, 3 Jun 1996 11:23:38 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from ivac.ivac.com(206.216.182.1) by mycroft via smap (V1.3mjr)
Received: from auspex (auspex.ivac.com [204.193.38.33]) by ivac2arpa.ivac.com (8.7.5/8.7.3) with SMTP id JAA04123 for ; Mon, 3 Jun 1996 09:25:16 -0700 (PDT)
Received: from ivac35.ivac_eng by auspex (4.1/SMI-4.1)
Date: Mon, 3 Jun 96 09:24:40 PDT
From: dengland@ivac.com (Dave England)
Message-Id: <9606031624.AA11827@auspex>
To: firewalls@GreatCircle.COM
Subject: Re: Psychic Friends as Sysadmins!
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I wonder if this guy is running a program like Crack; he never said that he takes measures to protect his root passwords and ensure that they can't be broken by normal human efforts.

From firewalls-owner Tue Jun 4 08:05:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA22472 for firewalls-outgoing; Mon, 3 Jun 1996 11:58:10 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16280 for ; Mon, 3 Jun 1996 11:23:47 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from access1.digex.net(205.197.245.192) by mycroft via smap (V1.3mjr)
Received: from localhost (brads@localhost) by access1.digex.net (8.6.12/8.6.12) with SMTP id NAA12269 ; for ; Mon, 3 Jun 1996 13:19:40 -0400
Date: Mon, 3 Jun 1996 13:19:40 -0400 (EDT)
From: Bradley Smith
X-Sender: brads@access1.digex.net
To: ygerman
cc: Firewalls
Subject: Re: Ability To Track Logs
In-Reply-To: <9606031534.AA0078@grcstm-nx02.genre.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The swatch package is what you need; it's available at coast.cs.purdue.edu in /pub/tools/unix/swatch

-brad

On 3 Jun 1996, ygerman wrote:

> I am in a bind on how to accomplish something on our firewall.
> I would like to check the logs on the firewall continuously looking for certain
> fields and based on the fields initiate an action. The action will be mail to a
> different address depending on the field found.
>
> Currently I am setting this up via a c shell script and doing a grep for certain
> things every hour. The problem is I would like not to have to wait an hour. Has
> anyone had any experience with this. Is there a way to accomplish this easier?
> Please respond as soon as possible, thanks!
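What ygerman describes (follow the log as it grows, match each line against a table of patterns, mail a different address per pattern) is the shape of swatch, which Brad and Doug both point at. The Python below is an added example, not swatch itself and not from anybody on the list, showing that shape in about sixty lines, with one addition worth having on a firewall: a per-rule throttle so that a burst of identical log entries does not turn into a burst of identical mails. The log lines are constructed in the field layout of the Firewall-1 entries quoted earlier in this digest; the rule names, addresses and throttle values are made up. The SMTP mailer uses the standard smtplib; the replay helper records mails instead of sending them, so the block runs offline.

```python
"""A small swatch-style log watcher: follow a log, match each line against
a rule table, mail a different address per rule, throttle repeats.

Added example, not from the thread and not swatch itself. The log lines
are constructed in the Firewall-1 field layout quoted earlier in this
digest; addresses and throttle values are made up.
"""
import re
import smtplib
import time

# (rule name, pattern, who gets mail, minimum seconds between mails for this rule)
RULES = [
    ("dropped-dns-replies", re.compile(r"^proto udp .* s_port domain-udp .* rule 9$"),
     "dns-admin@example.com", 300),
    ("telnet-from-outside", re.compile(r"^proto tcp .* service telnet "),
     "security@example.com", 0),
]

SAMPLE_LOG = [  # constructed
    "proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port domain-udp len 378 rule 9",
    "proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port domain-udp len 353 rule 9",
    "proto tcp src 555.555.555.555 dst 444.444.444.444 service telnet s_port 1201 len 44 rule 3",
    "proto tcp src 555.555.555.555 dst 444.444.444.444 service smtp s_port 1202 len 44 rule 1",
]


def smtp_mailer(relay_host, sender):
    """Return a mail function that hands each alert to relay_host."""
    def send(to_addr, subject, body):
        msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s\r\n" % (sender, to_addr, subject, body)
        with smtplib.SMTP(relay_host) as smtp:
            smtp.sendmail(sender, [to_addr], msg)
    return send


class LogWatcher:
    def __init__(self, rules, mailer, clock=time.time):
        self.rules = rules
        self.mailer = mailer
        self.clock = clock
        self.last_sent = {}  # rule name -> time the last mail went out

    def process(self, line):
        """Run one log line through the rules; return the (rule, address)
        pairs for which mail was actually sent."""
        sent = []
        now = self.clock()
        for name, pattern, to_addr, throttle in self.rules:
            if not pattern.search(line):
                continue
            last = self.last_sent.get(name)
            if throttle and last is not None and now - last < throttle:
                continue  # same rule fired recently: do not flood the mailbox
            self.mailer(to_addr, "[fw] %s" % name, line)
            self.last_sent[name] = now
            sent.append((name, to_addr))
        return sent

    def follow(self, path, poll_seconds=1.0):
        """Yield lines appended to path, like tail -f."""
        with open(path) as fh:
            fh.seek(0, 2)   # start at the end: only new entries matter
            while True:
                line = fh.readline()
                if not line:
                    time.sleep(poll_seconds)
                    continue
                yield line.rstrip("\n")


def replay(lines, clock=lambda: 1000.0):
    """Feed constructed lines through a watcher that records instead of
    mailing; returns (per-line results, recorded mails)."""
    outbox = []
    watcher = LogWatcher(RULES, lambda to, subj, body: outbox.append((to, subj, body)), clock)
    return [watcher.process(line) for line in lines], outbox


if __name__ == "__main__":
    results, outbox = replay(SAMPLE_LOG)
    for line, hits in zip(SAMPLE_LOG, results):
        print(hits or "-", "<-", line)
```

To run it against a live log you would build the watcher with `smtp_mailer("localhost", "fw-watch@example.com")` and loop over `watcher.follow("/var/log/fw.log")`, calling `process` on each line. Keep the throttle on rules that fire in bursts (dropped packets, DNS replies) and at zero on the ones you want to hear about every single time.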
From firewalls-owner Tue Jun 4 08:05:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA16801 for firewalls-outgoing; Mon, 3 Jun 1996 13:55:54 -0700 (PDT)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA16650 for ; Mon, 3 Jun 1996 13:55:21 -0700 (PDT)
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.4/8.6.4) with ESMTP id PAA25057; Mon, 3 Jun 1996 15:52:46 -0500 (CDT)
From: Doug Hughes
Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id PAA24351; Mon, 3 Jun 1996 15:52:43 -0500
Date: Mon, 3 Jun 1996 15:52:43 -0500
Subject: Re: Ability To Track Logs
To: ygerman@genre.com
Cc: firewalls@greatcircle.com
Message-Id:
In-Reply-To: <9606031534.AA0078@grcstm-nx02.genre.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I am in a bind on how to accomplish something on our firewall.
>I would like to check the logs on the firewall continuously looking for certain
>fields and based on the fields initiate an action. The action will be mail to a
>different address depending on the field found.
>
>Currently I am setting this up via a c shell script and doing a grep for certain
>things every hour. The problem is I would like not to have to wait an hour. Has
>anyone had any experience with this. Is there a way to accomplish this easier?
>Please respond as soon as possible, thanks!

Do an archie search for 'swatch'. It is a Perl program that can be configured to do what you want.
--
____________________________________________________________________________
Doug Hughes                                    Engineering Network Services
System/Net Admin                                         Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress

From firewalls-owner Tue Jun 4 08:20:14 1996
Message-ID: <31B3486F.67BD@youngman.demon.co.uk>
Date: Mon, 03 Jun 1996 20:17:51 +0000
From: Jeremy Youngman
To: firewalls@greatcircle.com, firewalls-digest@greatcircle.com
CC: "Jeremy Youngman (home)"
Subject: Compuserve

Hi, does anybody allow Compuserve access through their Firewall (TCP port
4144)? Are there any security considerations, so long as I only allow SYNs
outbound? Are there any good places to read up about this? I've got a user
who wants this access.

TIA,

PS This is the 5th time I've sent this, so apologies if you keep getting
copies -- but I've been subscribing to firewalls-digest for the last couple
of weeks and never seen my note appear -- and because I've had no replies
I'm still not absolutely sure whether it is getting delivered properly!

--
Jeremy Youngman
jeremy@youngman.demon.co.uk
Tel: +44 (0)1603 686258
PGP: Key avail on request
----- All cats look grey in the dark -----

From firewalls-owner Tue Jun 4 08:50:41 1996
Date: Tue, 4 Jun 1996 06:21:42 -0700 (PDT)
From: Michael Dillon
To: Isaac Labaton
cc: firewalls@GreatCircle.COM
Subject: RE: Stopping Fakemail
Organization: Memra Software Inc. - Internet consulting

On Tue, 4 Jun 1996, Isaac Labaton wrote:

> How can you send fake mail?

Using Eudora or Netscape, change your config to have a fake Reply-To:
address before sending the message. There are other ways too, but a bit
harder.

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
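As an added example (not code from this list; the message it parses is constructed, with example domains only), the defender's counterpart to the answer above and to Ed Mulligan's reply later in this digest that the relay stamps let you track such mail: walk the Received: chain and report which origin your own relays can vouch for, compared with the From: and Reply-To: domains.

```python
#!/usr/bin/env python3
"""Trace a message's Received: chain (added example; the message is constructed).

A forged From: or Reply-To: costs nothing, but every relay that handles the
message prepends a Received: stamp. Stamps written by relays you trust are
reliable; anything below them may have been forged by the sender too, so the
verifiable origin is the peer that the last trusted relay actually saw.
"""
import email
import re
from email import policy
from typing import List, NamedTuple, Optional, Set

# "from <helo-name> (<reverse-dns> [<ip>]) by <relay> ..." as sendmail writes it.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)(?:\s+\((?P<seen>[^)]*)\))?.*?\bby\s+(?P<by>[\w.-]+)"
)


class Hop(NamedTuple):
    claimed: Optional[str]   # HELO name the peer announced (peer-controlled)
    seen: Optional[str]      # what the receiving relay observed: "name [ip]"
    by: Optional[str]        # relay that wrote this stamp
    when: Optional[str]      # timestamp after the ';'


def parse_received(value: str) -> Hop:
    """Parse one Received: value; fields are None when it does not fit the form."""
    flat = " ".join(value.split())
    when = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    m = HOP_RE.search(flat)
    if not m:
        return Hop(None, None, None, when)
    return Hop(m.group("claimed"), m.group("seen"), m.group("by"), when)


def hops_in_transit_order(raw: str) -> List[Hop]:
    """Relays prepend stamps, so the last Received: is the first hop; reverse."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def vouched_origin(hops: List[Hop], trusted: Set[str]) -> Optional[str]:
    """Walk back from the newest stamp while a trusted relay wrote it and return
    what the last trusted relay saw on the wire ("name [ip]"), else None."""
    origin = None
    for hop in reversed(hops):
        if hop.by not in trusted:
            break
        origin = hop.seen or hop.claimed
    return origin


def addr_domain(addr: Optional[str]) -> Optional[str]:
    """Domain part of an address field such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def report(raw: str, trusted: Set[str]) -> dict:
    """Summarise the path and flag From:/Reply-To: domains that do not belong
    to the origin our own relays can vouch for."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = hops_in_transit_order(raw)
    origin = vouched_origin(hops, trusted)
    origin_host = origin.split()[0].lower() if origin else None
    findings = []
    for field in ("From", "Reply-To"):
        dom = addr_domain(msg.get(field))
        if dom and origin_host and not (origin_host == dom or origin_host.endswith("." + dom)):
            findings.append(f"{field} claims {dom} but injected via {origin}")
    return {"hops": hops, "vouched_origin": origin, "findings": findings}


# Constructed message (example domains only): sent from an ISP dial-up through
# the ISP's relay to our MX, with From: forged to look internal.
SAMPLE_MESSAGE = """\
Received: from mail.isp.example.net (mail.isp.example.net [192.0.2.10])
\tby mx.corp.example.org (8.7.4/8.7.3) with ESMTP id NAA10051;
\tTue, 4 Jun 1996 13:16:28 -0400 (EDT)
Received: from ppp07.isp.example.net (ppp07.isp.example.net [192.0.2.77])
\tby mail.isp.example.net (8.7.4/8.7.3) with SMTP id RAA02269;
\tTue, 4 Jun 1996 13:15:02 -0400 (EDT)
From: The Boss <ceo@corp.example.org>
Reply-To: someone@isp.example.net
To: staff@corp.example.org
Subject: test
Date: Tue, 4 Jun 1996 13:14:50 -0400

Hi.
"""

if __name__ == "__main__":
    for key, val in report(SAMPLE_MESSAGE, {"mx.corp.example.org"}).items():
        print(key, val)
```

Going past the last trusted stamp (here, asking the ISP to confirm the ppp07 hop) needs the cooperation Mulligan mentions; the code only reports what your own relays saw.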
Fax: +1-604-546-3049   http://www.memra.com   E-mail: michael@memra.com

From firewalls-owner Tue Jun 4 09:16:40 1996
Date: Mon, 3 Jun 1996 14:06:09 -0700 (PDT)
From: Michael Dillon
To: firewalls@greatcircle.com
Subject: ISP mailing lists
Organization: Memra Software Inc. - Internet consulting

I've gotten 5 requests so far for these ISP mailing lists so I thought I
would share this with the list...

> > And now a bunch of those ISP's are a bit more clued in since I just
> > forwarded your nice case-study to 5 ISP mailing lists.
>
> I'm curious to know which 5 ISP mailing lists are you talking about..

Send a message reading as follows:

subscribe

To one of the following addresses:

inet-access-request@earth.com
linuxisp-request@lightning.com
freebsd-isp-request@freebsd.org

Send the following

subscribe IAP Your Name

to the address listserv@vma.cc.nd.edu

Send the following

subscribe os2-isp Your Name

to the address listserv@dental.stat.com

inet-access is general stuff for medium to large providers, IAP is general
stuff for small to medium providers and the other three are OS specific.

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049   http://www.memra.com   E-mail: michael@memra.com

From firewalls-owner Tue Jun 4 09:20:14 1996
Message-Id: <199606031732.KAA02546@mycroft.GreatCircle.COM>
Date: Mon, 3 Jun 1996 13:37:31 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Subject: Re: RE: Raptor's Eagle Firewall

> From: Ian Johnstone-Bryden
> Subject: Re: RE: Raptor's Eagle Firewall
>
> gary flynn wrote in part:
>
> > The whole idea behind firewalls is to have tightly controlled code.
> > It is the instability and poor security design of present operating
> > systems that necessitate firewalls in the first place.
> >
>
> ?????????????????????????Really!!

Is this a statement expressing sarcasm as the result of my stating the
obvious or is it something that represents your disagreement with my
statement? If the former, your arguments are exactly those that I would
make. If the latter, you've argued my case extremely well :-)

> The firewall exists most commonly as a placebo to allow people who
> poorly specify, procure, implement, maintain, manage untrusted
> information systems, to feel comfortable and secure from the fear of
> attack via public networks.

It's more than a placebo. Filtering ports 512-514 protects poorly
administered unix machines. Completely blocking telnet other than through
a proxy with "strong" authentication protects buggy telnet implementations
and also the lack of design security in the underlying protocols, the
applications, and the underlying operating systems.

The average end user of a desktop system is generally unwilling or
incapable of properly managing a desktop in today's environment. Training
would be prohibitive and ongoing (hell, I can't keep up and end users do
have jobs besides maintaining their computers). If the computer
architecture itself were designed with security in mind, there would exist
some method of central administration that can't be circumvented at the
desktop. Today's architecture of random plug and play components matched
with whatever application one can download off the Internet all running
over a shared, wide open data communications path doesn't match this very
well. I'm not complaining...I love working in the environment... I just
don't like managing it...or worse, securing it :-)

> Like marriage it is a triumph of hope over experience, which doesn't
> mean it can't work for some people.
>
> That doesn't of course mean that a firewall cannot reduce risks, just
> that it's a costly way of doing so in many cases and no substitute for
> implementing and running reliable information systems.

The cost of PROPERLY administering hundreds or thousands of desktop
machines in such a way to ensure some semblance of security far outweighs
the cost of a firewall.

> Even if all internal networks were well specified, procured,
> implemented and operated, there would still be a need for a guard at
> the gateways to public systems (at least for most people) because
> there would still be the potential risk of attack from outside.

You've reversed yourself. If all the machines were "well specified,
procured, implemented, and operated" that only leaves poor design to
protect. That was my original statement.

> OTOH some internal networks could be traditional poor design and
> require no firewall because there was nothing worth attacking or
> protecting.
>
> BTST a firewall built on an untrusted OS has itself got a number of
> exploitable vulnerabilities. As many firewalls are built in the same
> careless fashion, as the internal networks they are supposed to
> protect, it is no great surprise to find that they are largely
> ineffective in most things other than consuming corporate funding.

This was the other point I was trying to make. A firewall application
that depends upon unknown underlying operating system structure has a
large window of vulnerability. It's unfortunate that people have the
mindset that everything that doesn't run on off-the-shelf operating
systems, hardware, etc. (and, of course, has a GUI, OLE support, etc) is
necessarily bad. No one yells at Cisco because their IOS doesn't run on
386 PCs under Windows. Cheap, fast, or good...pick any two. Yes, it's
complex to maintain and administer. That's the state of the industry
today.

> There really is no substitute for enterprise planning to ensure
> achievement by objective. That means identifying the objectives and
> risks and then building the policies necessary to sustain
> achievement.

But in the real world, policies aren't enough. There must be an
enforcement arm. A firewall is a form of policy enforcement. So if an
organization's risk analysis said that direct, unencrypted telnet access
posed an unacceptable risk, the firewall could enforce that policy. (Of
course, one would have to get someone in one's organization to make such
a statement :-)

> In the short term this could mean that internal networks cannot be
> connected directly to the public networks until adequate
> reconstruction has taken place internally.
>
> While this is in progress, an air-gapped, or sneakernet, service may
> be provided. This could be described as a firewall but not in the
> sense that many would understand as a firewall. The inner and outer
> machines would be typical untrusted systems. The 'firewall' would be
> the person in the sneakers running between the two machines.
> Ian J-B.
>

gary

From firewalls-owner Tue Jun 4 11:40:22 1996
Date: Tue, 4 Jun 96 13:54:31 -0400
Message-Id: <2.2.16.19960604135220.0d673ba4@pop.trusted.com>
To: cmcurtin@fahlgren.com, Yossi Goltz
From: Frederick M Avolio
Subject: Re: WWW proxy to cut off Java.
Cc: Firewalls@GreatCircle.COM

At 05:24 PM 6/3/96 -0400, C Matthew Curtin wrote:
>Because JavaScript is typically embedded within your HTML, you really
>can't block it at the firewall.

It is difficult, but you can. We do in the Gauntlet Internet Firewall.
So, don't give up on doing it.
Fred

From firewalls-owner Tue Jun 4 11:56:36 1996
From: David Schnardthorst
Message-Id: <199606041836.NAA27655@strydr.strydr.com>
Subject: FWTK / BSD Checklist
To: firewalls@greatcircle.com
Date: Tue, 4 Jun 1996 13:36:42 -0500 (CDT)
Organization: Stryder Communications, Inc.

A few weeks ago, I answered some replies for people who were installing
the Firewall Toolkit on FreeBSD. Due to the overwhelming responses from
people interested in receiving this checklist, I have put it at the
following URL, http://www.strydr.com/misc/checklists/fwtkchk.html.

Thank You,

============================================================================
David Schnardthorst, Systems/Network Eng.   * Phone: (314)838-6839
Stryder Communications, Inc.                * Fax: (314)838-8527
869 St. Francois                            * E-Mail: ds3721@strydr.com
Florissant, MO 63031                        * URL: http://www.strydr.com
============================================================================

From firewalls-owner Tue Jun 4 12:05:48 1996
Message-Id: <9606041708.AA12343@spibm02>
From: Rolf Weber
Subject: Re: WWW proxy to cut off Java.
To: cmcurtin@fahlgren.com
Date: Tue, 4 Jun 1996 19:08:05 +0200 (MESZ)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: <199606032124.RAA24377@goffer.ee.net> from "C Matthew Curtin" at Jun 3, 96 05:24:47 pm

>
> Because JavaScript is typically embedded within your HTML, you really
> can't block it at the firewall.
>

Sorry, why not? The proxy has all the data. (Sure, you have to stay up
to date with new JavaScript commands.) I think there is a patch in the
fwall-users@tis.com archive for the TIS http-gw.

rolf

--
-----------------------------------------
Rolf Weber                | All I ask is a chance
IEZ AG D-64625 Bensheim   | to prove that money
++49-6251-1309-109        | can't make me happy.
From firewalls-owner Tue Jun 4 12:12:33 1996
Date: Tue, 4 Jun 1996 13:14:22 -0400
Message-Id: <199606041714.NAA00677@goffer.ee.net>
From: C Matthew Curtin
To: Rolf Weber
Cc: firewalls@greatcircle.com (firewalls)
Subject: Re: WWW proxy to cut off Java.
In-Reply-To: <9606041708.AA12343@spibm02>
References: <199606032124.RAA24377@goffer.ee.net>
Reply-To: cmcurtin@fahlgren.com

>>>>> "Rolf" == Rolf Weber writes:

Rolf> sorry, why not? the proxy has all the data. (sure, you have to
Rolf> stay up to date with new javascript commands.) i think there is
Rolf> a patch in the fwall-users@tis.com archive for the TIS http-gw.

Perhaps I phrased my statement poorly. It probably isn't practical,
since you would need to filter all incoming HTML to remove the
JavaScript.

--
C Matthew Curtin   Chief Hacker   Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159   Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/   cmcurtin@fahlgren.com   PGP Mail Preferred

From firewalls-owner Tue Jun 4 12:42:34 1996
From: nreadwin@london.micrognosis.com (Neil Readwin)
Message-Id: <9606041906.AA01093@moria>
Subject: Re: WWW proxy to cut off Java.
To: cmcurtin@fahlgren.com
Date: Tue, 4 Jun 1996 20:06:49 +0100 (BST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <199606032124.RAA24377@goffer.ee.net> from "C Matthew Curtin" at Jun 3, 96 05:24:47 pm

> Because JavaScript is typically embedded within your HTML, you really
> can't block it at the firewall.

But you can try - Carl Claunch wrote a patch to the TIS http-gw that will
filter java and javascript out of HTML as it goes by. Details are at
http://www.hdshq.com/fixes/fwtk/welcome.html

Pointers to various other fwtk patches are at
http://www.micrognosis.com/%7enreadwin/fwtk.html

fwtk related followups to the fwtk-users list please. Neil.
--
"For some reason all the very worst install scripts are written in csh."
Geoff. Lane.
(in bofh.jobfh.misc)

From firewalls-owner Tue Jun 4 12:53:05 1996
Date: Mon, 3 Jun 1996 17:24:47 -0400
Message-Id: <199606032124.RAA24377@goffer.ee.net>
From: C Matthew Curtin
To: Yossi Goltz
Cc: Firewalls@GreatCircle.COM
Subject: Re: WWW proxy to cut off Java.
References: <199604052113.NAA19679@miles.greatcircle.com>
Reply-To: cmcurtin@fahlgren.com

>>>>> "Yossi" == Yossi Goltz writes:

Yossi> Hi! Could a nice soul advise me how to set up a proxy http
Yossi> server that can cut off java applets on their way in to our
Yossi> site.

You'll need to tell your proxy server to not allow "*.class" or "*.cla"
files through to block Java applets.

Yossi> I'm becoming more and more concerned about Java (after reading
Yossi> the last messages from Netscape and Sun), and would like to
Yossi> keep off Java and Javascript until they become more safe.

Because JavaScript is typically embedded within your HTML, you really
can't block it at the firewall. You're best off with a configuration
policy that will have to be enforced at the browser level, IMHO.

--
C Matthew Curtin   Chief Hacker   Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159   Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/   cmcurtin@fahlgren.com   PGP Mail Preferred

From firewalls-owner Tue Jun 4 13:40:14 1996
Date: Tue, 4 Jun 1996 12:26:13 -0700 (PDT)
From: Michael Dillon
To: Alan Millar
cc: firewalls@GreatCircle.COM
Subject: Re: Strange mail Sender: problem with Borderware?
In-Reply-To: <96Jun3.131347pdt.36865@firewall.lifeguard.com>
Organization: Memra Software Inc. - Internet consulting

On Mon, 3 Jun 1996, Alan Millar wrote:

> This thing is basically a black box that doesn't let you in to see
> what's going on. I know it's BSDI in there somewhere from the boot
> messages, but it's locked down tight through the user interface.
> I was undecided if that's good or bad, but my opinion is starting to
> lean....

If you can open up the box then it's not locked down tight. Maybe the
previous admin cracked it open and installed some custom mail processing
stuff. You should ask Borderware if there is a way to check whether this
has happened, or better yet, reset everything to a known starting point.

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049   http://www.memra.com   E-mail: michael@memra.com

From firewalls-owner Tue Jun 4 13:45:27 1996
From: "Marcus J. Ranum"
Message-Id: <199606041918.PAA13158@explorer2.clark.net>
Subject: Firewalls performance
To: firewalls@greatcircle.com
Date: Tue, 4 Jun 1996 15:18:51 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD

Since I'm not sure how much cross-pollination there is between
firewalls@greatcircle.com and firewalls-performance@greatcircle.com, I
thought I'd mention that lately there have been a number of good papers
and tools posted for measuring performance. All are available on the
firewalls performance web page http://www.v-one.com/pubs/perf

Firewall performance, as a thread, seems to appear in this list about
every month, and I thought I'd inject the pointer now since the topic is
about due for its periodic rehashing. Please redirect follow-up
discussion to firewalls-performance.

mjr.
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work http://www.v-one.com   personal http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Tue Jun 4 14:11:47 1996
Date: Tue, 4 Jun 1996 12:16:30 -0700 (PDT)
From: Michael Dillon
To: Russ
cc: "Firewalls@GreatCircle.COM"
Subject: RE: NT firewalls & NOS admins
In-Reply-To: <01BB519B.75874280@rwcooper.rc.toronto.on.ca>
Organization: Memra Software Inc. - Internet consulting

On Mon, 3 Jun 1996, Russ wrote:

> It never ceases to amaze me how some Unichs seem to think that only UNIX
> experience is viable when it comes to working with an Internet connection.

Who said that? Anyway, experience comes from doing it and since UNIX and
the Internet have been around a lot longer than NT it's not surprising
that most of the people with solid time-tested Internet experience have a
UNIX background.

> Some may be surprised to find out that TCP/IP has been included in NT since
> it was first released, and it's been around for quite some time in DOS or
> Windows.

Most UNIX network admins have been attaching DOS boxes, Macs and Windows
machines via TCP/IP to UNIX servers for eons.

> One doesn't need a UNIX degree to know how IP works, or how the
> Internet works, for that matter.

I beg to differ. It only takes a while to get a basic familiarity with IP
and the Internet but while I didn't get a degree in IP I certainly did
spend an equivalent amount of time and effort in studying and learning the
finer details.

> I know quite a few UNIX SQL administrators
> who wouldn't know how to configure their inetd if it bit them in the ass.

Doesn't surprise me. Why should a database administrator need to know
anything about configuring the network? Managing the company's central
mission-critical database is important enough on its own.

> - More security breaches occur internally than happen via an Internet
> connection.

This is a good point and some people are looking at ways to use firewall
technology internally to protect against this.

> - Most companies do not have a security policy of any kind.

Unfortunately...

> Then there are the *majority* of companies who
> neither need, nor can afford, to have either, yet still want to be part of
> the 'net.

Right now these folks tend to be installing firewalls that are
recommended to them by a consultant (or their ISP) and are maintained by
the consultant (or their ISP).

> Surely you jest...like IP is rocket science or something...sheesh. I've
> never administered a UNIX system in my life, does it show that much?

When you are talking about firewalls, then yes, IP *IS* rocket science.
If you just mean setting up a few Windows or Macintosh or OS/2 desktops
to connect to the net, then no, there is no rocket science.

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049   http://www.memra.com   E-mail: michael@memra.com

From firewalls-owner Tue Jun 4 14:13:48 1996
Date: Tue, 4 Jun 1996 13:30:15 -0700
Message-Id: <199606042030.NAA08202@osc.osc.hidata.com>
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: NT DNS in 4.0b2

I've just inspected my newly arrived NT4.0b2 software. DNS seems to work!
Amazing that DNS can be set up via point and click. DNS setup within the
Solaris and SunOS systems I've set up as firewalls is not a trivial task,
usually taking days or weeks (depending on process time). NT DNS setup
took minutes, even giving you drop-down selections for record types that
you want to add for hosts, zones, addresses, etc. The only drawback I've
seen is not being able to connect to non-NT DNS server properties.

BTW - My opinion is that MS is run by 'Beezelgates', but NT was written by
the VMS guys from DEC, they know UNIX too, and are no dummies. The use of
NT as a firewall platform is unstoppable.

However I still think that using NT as a base for a firewall system needs
to be attacked three ways; the I/O, the filesystem, and the O.S.

The I/O can be addressed by a 'Raptor' approach, which replaces the
network stack, or listing areas that need attention; Control Panel -
Services, and Networks.
Any other areas need attention? Does anyone know of a 3rd party OPEN
SOURCE network stack replacement for NT?

The Filesystem currently can be compromised two ways that I know of, via
Linux boot disk mount, and DOS boot diskette with NTFSDOS.EXE driver. The
filesystem needs to be protected for use as a firewall. Anyone know of a
cryptographic filesystem for NT?

The O.S. has multiple security privileges/holes that need to be watched.
I don't know of a way to watch each and every permission without MS
sending out a feature-stripped version of NT. I know I've had a problem
with 3.51 server, 4.0b1 workstation, and seeing all (private user access
only) areas on the 3.51 server with any user logged in on the 4.0b1
workstation.

My belief is that features in Firewalls are holes, and that firewalls
should be functionally stripped. Maybe some company can resell NT with
just the basics installed on CD for a firewall install? How about UNIX
kernel with an NT GUI? That'll fake out our managers! Yeah boss, it's
BSD-NT!

Well I'm impressed by the features and functions of NT, and the ever
growing list. But the three areas in NT that need to be addressed for use
as a firewall all seem to need replacement.

Bill

William B. Stout          | "Stop socialism in America!"
Senior Systems Admin      | "Dilbert for President."
Hitachi Data Systems      | "Police power today=police state tomorrow."
Open Systems Center       | "The secret of life - being part of the process of
Santa Clara, California   |  creation."
408-970-4822              | #include

From firewalls-owner Tue Jun 4 16:35:28 1996
Date: Tue, 4 Jun 1996 19:15:19 -0400 (EDT)
Message-Id: <199606042315.TAA13512@ns1.ptd.net>
To: firewalls@greatcircle.com
From: Ed Mulligan
Subject: RE: Stopping Fakemail

-----BEGIN PGP SIGNED MESSAGE-----

At 06:21 AM 6/4/96 -0700, you wrote:
>On Tue, 4 Jun 1996, Isaac Labaton wrote:
>
>> How can you send fake mail?
>
>Using Eudora or Netscape, change your config to have a fake Reply-To:
>address before sending the message. There are other ways too, but a bit
>harder.

Actually, as many of you remember, we had this whole discussion before.
I'm sure all of the articles are in the firewalls archives. Sending mail
with a forged From: field is easy to do, as stated. But it is also easy to
track with the x-ref headers and stamps along the way. The original
question on this thread was "How do you stop fakemail sent via telnet to
port 25". Granted, Eudora and Netscape can forge mail to some extent, but
I'm sure that with the help of your friendly neighborhood sysadmin, the
perpetrator can be caught. (We catch them on our network which is a 5000+
user system).

I can see this thread doing a loop...
Next will come the deluge of people saying that if we all used PGP we wouldn't have this problem. Which is very true, and my personal favorite (if utopian) solution. It simply is not practical at this time. PGP is beyond Joe User on most systems. It works... but it is not dumbed down enough yet for everyone to handle it.

The documentation of TCP Wrappers (7.4) suggests running sendmail as a daemon and wrapping it with tcpd. Anyone tried this?

Sincerely,
John P. Mulligan
Lafayette College Academic Computing Services (systems)

From firewalls-owner Tue Jun 4 17:20:28 1996
Message-Id: <199606042359.QAA21190@fionn.lbl.gov>
From: mike@fionn.lbl.gov (Michael Helm)
Date: Tue, 4 Jun 1996 16:59:22 PDT
In-Reply-To: Ed Mulligan
To: Ed Mulligan
Subject: RE: Stopping Fakemail
Cc: firewalls@GreatCircle.COM

On Jun 4, 7:15pm, Ed Mulligan wrote:
> The documentation of TCP Wrappers (7.4) suggests running sendmail as a
> daemon and wrapping it with tcpd. Anyone tried this?

If the mail server isn't too busy, this may be ok.
If the mail server is a busy one, the number of processes spawned can overwhelm the mail server & cause lots of ugly side effects (bounced mail, hangs, & system crashes). I don't recommend this. I've seen some pretty poor results with it. BTW, it's hard to tell what "too busy" will be, though you will know it when you get there!

I have heard that there are patches for some revs of sendmail 8.7.* to integrate the tcp wrapper's host checking abstraction (call outs to the library). I haven't used this but I've seen it go by in comp.mail.sendmail.

From firewalls-owner Tue Jun 4 18:20:42 1996
Date: Tue, 04 Jun 1996 18:12:12 -0700
From: Renaissance Man - The Enigma
Subject: Re: Stopping Fakemail
In-reply-to: "Your message of Tue, 04 Jun 1996 19:15:19 -0400."
To: Ed Mulligan
Cc: firewalls@greatcircle.com, doug@sun1paztcn.wr.usgs.gov
Message-id: <9606050112.AA02724@sun1paztcn.wr.usgs.gov>

Previously:
>The documentation of TCP Wrappers (7.4) suggests running sendmail as a
>daemon and wrapping it with tcpd. Anyone tried this?

Hmmm... Sendmail DOES run as a daemon. My guess is that you really mean to NOT run sendmail as a full-time daemon, but to use inetd as the starting point and have it spawn sendmail via tcpd...

I ran sendmail from inetd as a test, but sendmail is pretty huge, so it took a lot of resources.
(Then again, at the time I was running a Sun 386i...) Also, if you receive a lot of mail, spawning it from inetd can really load you down. And if you run any kind of mailing list... Ugh, forget it...!

An option is to run a simpler program that only functions to receive mail. In it, you can include various "checks" such as logging the IP addresses, ports, and maybe ident or finger information. I wrote a simple program I call recvmail, which involves a small smtpd process which can be spawned from inetd with much less overhead than sendmail. (And it doesn't have to run as root, either...) Sendmail is still available for sending mail OUT, but you wouldn't have to use it to receive mail.

The other feature about recvmail is that it does NO forwarding - it only accepts mail for the localhost. This won't work for a mail hub of course, but it does cut down on the number of computers that can be used to transfer faked mail...

-Doug

Doug Wellington, doug@sun1paztcn.wr.usgs.gov
System and Network Administrator
US Geological Survey, Tucson, AZ Project Office

From firewalls-owner Tue Jun 4 19:38:25 1996
Date: Tue, 4 Jun 1996 22:31:35 -0400 (EDT)
From: Chris Watson
To: firewalls@greatcircle.com
Subject: unknown in tcpwrappers?
What does this mean?

Jun 4 22:21:48 orion telnetd[9207]: refused connect from unknown

What's the unknown part? What causes this? Is this a denied spoof attempt? Or is it a DNS failure?

--
Chris Watson, SysAdmin / Network Engineer / Security
Webspan Inc., ISP Division, 500 West Kennedy Blvd., Lakewood, NJ-08701
Phone: 908-367-8030 ext. 126, E-Mail: scanner@webspan.net

From firewalls-owner Tue Jun 4 22:20:30 1996
From: Dennis Moroney
Message-Id: <199606050404.XAA00602@SterCtl.com>
Subject: Re: Ability To Track Logs
To: ygerman@genre.com (ygerman)
Date: Tue, 4 Jun 1996 23:04:34 -0500 (CDT)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: <9606031534.AA0078@grcstm-nx02.genre.com> from "ygerman" at Jun 3, 96 11:32:41 am

According to ygerman:
>
> I am in a bind on how to accomplish something on our firewall.
> I would like to check the logs on the firewall continuously looking for certain
> fields and based on the fields initiate an action. The action will be mail to a
> different address depending on the field found.
>
> Currently I am setting this up via a C shell script and doing a grep for certain
> things every hour. The problem is I would like not to have to wait an hour. Has
> anyone had any experience with this? Is there a way to accomplish this easier?
> Please respond as soon as possible, thanks!
>

ftp://ftp.coast.purdue.edu:/pub/tools/unix/swatch*

--
Dennis Moroney

From firewalls-owner Tue Jun 4 22:35:34 1996
From: Dennis Moroney
Message-Id: <199606050410.XAA00612@SterCtl.com>
Subject: Re: Re Finding domain name from IP address
To: gblolmxb@ibmmail.com
Date: Tue, 4 Jun 1996 23:10:48 -0500 (CDT)
Cc: firewalls@greatcircle.com (firewalls)
In-Reply-To: <199604121153.EAA01557@miles.greatcircle.com> from "gblolmxb@ibmmail.com" at Apr 12, 96 07:50:59 am

According to gblolmxb@ibmmail.com:
>
> Ben said:
>
> >We have a combination of registered and unregistered IP addresses on
> >our network (no Internet connection yet).
>
> >Is there a way I can find out who the unregistered ones are really
> >registered to?
>
> Try telnetting to rs.internic.net and run whois, or for European
> registrations, try info.ripe.net, or even ns.ripe.net.
>
> Mark.
>

Better yet, use the private network numbers assigned by IANA for your internal network and stop the nonsense of using 'unregistered' numbers. One day your network may leak one of the unregistered network numbers you are using and break your network or, worse still, break someone else's network.
--
Dennis Moroney

From firewalls-owner Wed Jun 5 01:35:42 1996
Subject: New List: SdAdmin (SecurID cards & related things)
To: firewalls@greatcircle.com
Date: Fri, 31 May 1996 13:55:07 -0400 (EDT)
From: Adam Shostack
Message-ID: <9605311355.aa08979@poblano.bbnplanet.com>

This is an announcement of a new mailing list, sdadmin, aimed at systems managers, security professionals, and others with a need to discuss issues relating to the management and administration of the SecurID card from Security Dynamics, and associated software and hardware.

The list is managed by majordomo. To subscribe, send a message to majordomo@jabberwocky.bbnplanet.com with a body of:

subscribe sdadmin

Mail sent to sdadmin@jabberwocky.bbnplanet.com will go to the list. All administrative requests should be sent to majordomo.

The list is hosted on a machine graciously provided by BBNPlanet. However, BBNPlanet is not responsible for the contents of the list.
Adam

From firewalls-owner Wed Jun 5 01:50:27 1996
From: manoj@dev.dsc.dalsys.com (Manoj Shroff)
Message-Id: <9606050758.AA55240@dev.dsc.dalsys.com>
Subject: Majordomo results: Help with FWTK (PartII) (fwd)
To: firewalls@GreatCircle.com
Date: Wed, 5 Jun 1996 02:58:27 -0500 (CDT)

Thanks to everyone who helped me in order to get the FWTK compiled on the Linux box. However I now have another problem.

When I run authsrv and do an add user, I get a segmentation fault and a core is dumped.
When I run authmgr and do an add user, I get a permission denied error.

Would appreciate all help.
Manoj Schroff (Systems Engineer)
Dallas Systems plc, Ocean House, The Ring, Bracknell, Berkshire RG12 1AH
Tel: +44 (0)1344 420144 / +44 (0)1344 418448, Fax: +44 (0)1344 418400
manoj@dalsys.com

From firewalls-owner Wed Jun 5 02:05:27 1996
Message-ID: <31ADFA1E.563C@youngman.demon.co.uk>
Date: Thu, 30 May 1996 19:42:22 +0000
From: Jeremy Youngman
To: firewalls@greatcircle.com
Subject: Compuserve

Hi, does anybody allow Compuserve access through their firewall (TCP port 4144)? Are there any security considerations, so long as I only allow SYNs outbound? Are there any good places to read up about this?
I've got a user who wants this access. Please reply by email if poss as I don't usually subscribe to this mailing list (yes, it's good and interesting but a little too much traffic for me normally).

TIA,

PS This is the 4th time I've sent this, so apologies if you keep getting copies -- but I've been subscribing to firewalls-digest for the last couple of weeks and never seen my note appear -- and because I've had no replies I'm still not absolutely sure whether it is getting delivered properly!

--
Jeremy Youngman, jeremy@youngman.demon.co.uk
Tel: +44 (0)1603 686258, PGP: Key avail on request

From firewalls-owner Wed Jun 5 02:06:06 1996
Date: Tue, 4 Jun 1996 11:52:32 -2300 ()
From: Remy NONNENMACHER
To: Russ
cc: "'Firewalls'"
Subject: Re: What do you want to know about Windows NT?
In-Reply-To: <01BB4DB7.9D7EAFE0@ts1-13.vcr.iSTAR.ca>

On Wed, 29 May 1996, Russ wrote:

> I have an offer to you all. I have been working very hard for the past 6
> months or so to try and raise the level of awareness about Windows NT and
> the Internet. My motivation was selfish, of course, in that I hope to gain
> knowledge about where the obstacles are in getting NT accepted by you, the
> security administrators.
>
> I am now in the process of putting together the information that you need
> to be able to better understand the risks involved with Windows NT and its
> deployment in your organization. I have always believed that you, the
> security administrators, hold in your hand the ability to delay the
> deployment of NT on as broad a scale as I might like to see. Microsoft, I
> should add, has not necessarily agreed with me on this, which is why, IMHO,
> I have been the one here and not them...;-]
>
> However, if we assume that I was able to get Microsoft to put together a CD
> that contained White Paper and technical information regarding Windows NT,

God!! He *IS* god!! He will do a miracle for all of us!!

> what would you like to know about Windows NT to help you evaluate its
> impact on the security within your environment?
>
> A few assumptions;
>
> - it will not contain source code for any products which source code is not
> already publicly available

Too bad!! I won't ever rely on the "guaranteed" security of code made by a company known for the great amount of bugs in their past (and present) products without an external, huge and deep review by many external eyes. Otherwise, nothing will guarantee me that trap code has not been included in the product. (i.e. the 'special' WINSOCK.DLL needed for MSN in Europe that can "upgrade" DLLs!!). This argument is also true for a lot of commercial products.
BUT M$ is too offensive a company to be believed without care.

> - it will contain all available API specifications

M$ sells a lot of API docs about their products. I can give you the conclusions of the Windows (all flavors) programmers here: 10% written tradition, 90% oral tradition. That is: an API could have the right or wrong behaviour depending on undocumented parameters or ranges in parameters or call order. If you only read the doc, you will *NEVER* succeed in producing more than a 2+2=4 program. API programming is stochastic. When you know that, and assuming that a firewall product MUST use APIs, and even if the product itself is public, you will never be sure that the underlying M$ code won't fail, weakening the whole security.

> - it will contain RFC implementations and any MS-specific extensions to
> them

That's a great point: RFC'ing is publicly done. The technical points exposed in an RFC have been discussed, reviewed, criticized, improved many times before the final edition. I do not grant M$ the right to modify the specifications on its own. This is a lack of culture when you work in the Internet.

> - it will contain information from 3rd party ISV's who offer security
> solutions
>
> Some ideas;
>
> - The CD could come with a 60-day Windows NT Server/BackOffice evaluation,
> would that be useful?

maybe

> - There is a C2 configuration guide (manual), maybe it should be included

indispensable

> - There is a Network Monitoring tool (Netmon), maybe it should be included

indispensable

> - There are a variety of tools that are part of the Resource kits to add
> unix-like functionality to NT, maybe they should be included

helpful

> - More information could be given if the CD was available under NDA, would
> you prefer that?

NO. NDA is the right way to give a sword to a possible bad guy just before anyone else can wear an armor.
> - The NT Knowledgebase includes articles about many issues relating to
> security problems, misconfigurations, and bugs, should that be included?

"and bugs"! Simply!! (I'm probably dreaming!!). Are you asking us why we don't go right now with our money in our little hands to the Great Bill House to buy a *BUGGED* product? For my own part, I buy software with the great hope there is NO bug in it. Anyway, I doubt that the commercial dept of M$ frequently spots this point. That means the bad guy will better have a machine gun than a sword. (Remember how long it takes M$ teams to fix a bug? Would you really risk a "stop using it while we repair" answer?)

> - There are numerous SDK's for the various NT BackOffice products, would
> these be useful?
>
> What kind of information, what format should it be in, and what level
> should it be positioned for?
>
> Now I don't speak for Microsoft, never have, but I do believe I can get
> this CD put together and make it available to you for free, or a nominal
> charge. If you give me the feedback that I hope to see, it will be done.
>
> Treat me like the university student asking for information about a thesis.
>
> Cheers,
> Russ
>

The thesis would better point on: "Why do people buy a private, costly, bugged, unmanageable, corruptible, unreliable and young product rather than a free (or cheap), stable, reliable, simple, fast and powerful one?" (Please, feel no offense in all of this. I would also like to have the answer to that question.)

-------------------------------------------------------------------------------
S Y N C H R O N I X S.A.
Avn des ANDES, Bat. LE CEDRE - 91952 LES ULIS - FRANCE
Tel: +33 1 64462626 - FAX: +33 1 64466976 - Internet: Synx.com
Remy NONNENMACHER - APAV Dpt. (remy@synx.com)
From firewalls-owner Wed Jun 5 04:35:41 1996
Date: Wed, 5 Jun 96 04:26:27 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9606051126.AA05951@manzanita.DEV.3Com.COM.noname>
To: firewalls@greatcircle.com
Subject: ICMP Source Quench

I've noticed a lot of ICMP Source Quench packets in my firewall logs. They are (or were, more precisely) outbound. My references say that this is a primitive form of flow control. What are people's experiences with allowing this as an outbound packet? I don't see any security risk offhand, but I'd like to know what others have seen. Does anyone know of any security weaknesses related to Source Quench?
Thanks,

BobK

From firewalls-owner Wed Jun 5 05:20:45 1996
Message-Id: <199606051203.FAA07347@lint.cisco.com>
Date: Wed, 05 Jun 1996 08:02:22 -0400
To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
From: Paul Ferguson
Subject: Re: ICMP Source Quench
Cc: firewalls@GreatCircle.COM

My vote is to block it. 'Primitive' is an accurate description of the effectiveness of icmp source-quench. :-)

- paul

At 04:26 AM 6/5/96 PDT, Bob Konigsberg wrote:
>I've noticed a lot of ICMP Source Quench packets in my firewall logs. They
>are (or were more precisely) outbound. My references say that this is a
>primitive form of flow control. What are people's experiences with allowing
>this as an outbound packet. I don't see any security risk offhand, but
>I'd like to know what others have seen. Does anyone know of any security
>weaknesses related to Source Quench?
>
>Thanks,
>
>BobK
>

--
Paul Ferguson, Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com, cisco Systems

From firewalls-owner Wed Jun 5 06:05:51 1996
From: akakinad@ccd.harris.com (Achari U.M. Kakinada)
Message-Id: <9606051245.AA341733@rs2.ccd.harris.com>
Subject: IANA private network numbers ..
To: firewalls@GreatCircle.com
Date: Wed, 5 Jun 1996 08:45:04 -0400 (EDT)

>> better yet, use the private network numbers assigned by IANA for
>> your internal network and stop the nonsense of using 'unregistered'
>> numbers. one day your network may leak one of the unregistered network
>> numbers you are using and break your network or worse still break someone
>> elses network.
>>
>> --
>> Dennis Moroney
>>

Can you please elaborate on the IANA private network numbers, and how it shall help if someone has a mix of registered and unregistered networks.
-Achari

From firewalls-owner Wed Jun 5 06:40:22 1996
Date: Wed, 5 Jun 1996 09:58:00 +0100
Message-ID: <1b53e6f0@ashridge.org.uk>
From: Mike.Baxter@ashridge.org.uk (Mike Baxter)
Subject: Re: Compuserve
To: firewalls@greatcircle.com, firewalls-digest@greatcircle.com
Cc: jeremy@youngman.demon.co.uk

Hi,

I am not entirely clear what it is you are doing. I am in the process of joining the CompuServe mail system to our cc:Mail system. When I went through this process I looked at the option of connecting for a full logon over the Internet. I think this was possible but it was only telnet access, not WinCIM, which is too basic for our needs. The system that was proposed for WinCIM was a modem server.

So are you looking for a mail connection or a telnet connection? The telnet makes more sense. If telnet, I would be interested in what front end you are using.

Mike Baxter

______________________________ Reply Separator _________________________________
Subject: Compuserve
Author: Jeremy Youngman at Internet
Date: 03/06/96 20:17

Hi, does anybody allow Compuserve access through their firewall (TCP port 4144)? Are there any security considerations, so long as I only allow SYNs outbound? Are there any good places to read up about this?

I've got a user who wants this access.
TIA,

PS This is the 5th time I've sent this, so apologies if you keep getting copies -- but I've been subscribing to firewalls-digest for the last couple of weeks and never seen my note appear -- and because I've had no replies I'm still not absolutely sure whether it is getting delivered properly!

--
Jeremy Youngman, jeremy@youngman.demon.co.uk
Tel: +44 (0)1603 686258, PGP: Key avail on request

From firewalls-owner Wed Jun 5 06:50:32 1996
Message-Id: <199606051334.GAA22217@lint.cisco.com>
Date: Wed, 05 Jun 1996 09:33:58 -0400
To: akakinad@ccd.harris.com (Achari U.M. Kakinada)
From: Paul Ferguson
Subject: Re: IANA private network numbers ..
Cc: firewalls@GreatCircle.COM

At 08:45 AM 6/5/96 -0400, Achari U.M. Kakinada wrote:
>
> Can you please elaborate on the IANA private network numbers, and how it
> shall help if some one has a mix of registered and unregistered networks.
>
> -Achari
>

See RFC-1918.

- paul

--
Paul Ferguson, Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com, cisco Systems

From firewalls-owner Wed Jun 5 07:05:59 1996
From: "Steve Bergeon"
Message-Id: <9606050828.ZM6392@sbergeon.neosoft.com>
Date: Wed, 5 Jun 1996 08:28:31 -0500
To: scanner@webspan.net, firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?

Wrappers were unable to verify that the system's name and IP address match. This could just be someone attempting access from an ISP that does not have DNS names assigned to all of its address space. Or...

If you want unresolvable systems to have access to a service, you can use the keyword UNKNOWN in your hosts.allow file.

On Jun 4, 10:31pm, Chris Watson allegedly wrote:
| Subject: unknown in tcpwrappers?
|
| what does this mean?
|
| Jun 4 22:21:48 orion telnetd[9207]: refused connect from unknown
|
| whats the unknown part? what causes this? is this a denied spoof attempt?
| or is it a DNS failure?
|
| --
| Chris Watson, SysAdmin / Network Engineer / Security
| Webspan Inc., ISP Division, 500 West Kennedy Blvd., Lakewood, NJ-08701
| Phone: 908-367-8030 ext. 126, E-Mail: scanner@webspan.net
|                                    | http://www.bsdnet.org
|
|
|
|-- End of excerpt blamed on Chris Watson

--
(713) 917-0425 Office
"Spirit is the journey, Body is the Bus.
 I am the driver, From Dust to dust."
 - Jaluka
- PGP Keys: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html

From firewalls-owner Wed Jun 5 07:42:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18804 for firewalls-outgoing; Wed, 5 Jun 1996 07:25:05 -0700 (PDT)
Received: from babylon5.ccd.harris.com (babylon5.ccd.harris.com [192.68.26.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA18796 for ; Wed, 5 Jun 1996 07:24:54 -0700 (PDT)
Received: (from root@localhost) by babylon5.ccd.harris.com (8.6.10/8.6.10) id KAA23905 for ; Wed, 5 Jun 1996 10:22:28 -0400
Received: from rs2.ccd.harris.com(147.90.4.5) by babylon5.ccd.harris.com via smap (V1.3)
Received: by rs2.ccd.harris.com (AIX 3.2/UCB 5.64/4.03)
From: akakinad@ccd.harris.com (Achari U.M. Kakinada)
Message-Id: <9606051422.AA263413@rs2.ccd.harris.com>
Subject: CISCO serial links
To: firewalls@GreatCircle.com
Date: Wed, 5 Jun 1996 10:22:09 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL22]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For the following net configuration

    H1      H2      H3      H4
    |       |       |       |
  ------------------------------------------
                    |
                    |
                    |
              --- Cisco Router
                    \
                     \
                      \  --- Serial link.
                       \
                   ISP Cisco Router ----
                                        |
                                        |
                                    INTERNET

In the above configuration, is it possible to configure the serial
interfaces of both Cisco routers without assigning any IP addresses OR
assigning IP host address (only two IP addresses shall be used).

Can some kind soul help.
--
Achari

From firewalls-owner Wed Jun 5 07:50:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19793 for firewalls-outgoing; Wed, 5 Jun 1996 07:35:50 -0700 (PDT)
Received: from .cdnoxy.com ([206.172.56.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19763 for ; Wed, 5 Jun 1996 07:35:30 -0700 (PDT)
From: .
Date: Wed, 5 Jun 96 07:33:37 PDT
Subject: Memra
To: firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Last Friday, Michael Dillon wrote:

>Date: Fri, 31 May 1996 10:12:07 -0700 (PDT)
>From: Michael Dillon
>Subject: Re: commercial license for fwtk from TIS
>
>On Fri, 31 May 1996, Ralf Naegele wrote:
>
>> our organization is thinking about providing the fwtk.
>> I need very urgent an answer what we must pay for a commercial license for
>> the firewall toolkit.
>> On the ftp-server of TIS I don't found the pricing for a commercial license.
>
>Why don't you ask them?
>
>If you would rather have me ask them, my fee to act as your agent would be
>US$2,000 per day. Send me email to get my bank account information to
>deposit the money.
>
>;-)
>
>Michael Dillon                                   ISP & Internet Consulting
>Memra Software Inc.                                 Fax: +1-604-546-3049
>http://www.memra.com                             E-mail: michael@memra.com

Michael,

Please do not use this forum for advertising your services.

I personally have had trouble getting simple answers from
companies, and I don't think Ralf's question was out of line.

Is your arrogant, condescending, and unprofessional attitude
a reflection on your entire British Columbia based company?
From firewalls-owner Wed Jun 5 08:05:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19733 for firewalls-outgoing; Wed, 5 Jun 1996 07:35:05 -0700 (PDT)
Received: from Firewall.dofasco.ca (firewall.dofasco.ca [192.139.152.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19682 for ; Wed, 5 Jun 1996 07:34:48 -0700 (PDT)
Received: (from smap@localhost) by Firewall.dofasco.ca (8.6.12/8.6.10) id JAA29510; Wed, 5 Jun 1996 09:34:54 -0400
Received: from usenet.dofasco.ca(142.153.128.2) by Firewall.dofasco.ca via smap (V1.3)
Received: from hugh_fraser.dofasco.ca by USENET.DOFASCO.CA (MX V4.1 VAX) with
Received: (from hugh@localhost) by hugh_fraser.dofasco.ca (8.6.12/8.6.9) id
Date: Wed, 5 Jun 1996 10:34:30 -0400 (EDT)
From: Hugh Fraser
To: Jeremy Youngman
CC: firewalls@GreatCircle.COM
Subject: Re: Compuserve
In-Reply-To: <31ADFA1E.563C@youngman.demon.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We've done exactly this to reduce the cost of phone lines to people's
desks, modems, etc. We use an application proxy firewall and simply
connect Compuserve's port through the firewall. Functionally, it works as
expected. Performance, though, doesn't seem much faster than through one
of their dial-in ports.

From a security standpoint, the connection is one-way, and I don't expect
any unique security concerns that don't already exist with providing
access to other services.

On Thu, 30 May 1996, Jeremy Youngman wrote:

> Hi, does anybody allow Compuserve access through their Firewall
> (TCP port 4144)? Are there any security considerations, so long
> as i only allow SYN's outbound? Are there any good places to read
> up about this? I've got a user who wants this access.
>
> Please reply by email if poss as I don't usually subscribe to this
> mailing list (yes, it's good and interesting but a little too much
> traffic for me normally).
>
> TIA,
>
> PS This is the 4th time i've sent this, so apologies if you keep
> getting copies -- but i've been subscribing to firewalls-digest
> for the last couple of weeks and never seen my note appear --
> and because i've had no replies i'm still not absolutely sure
> whether it is getting delivered properly!
>
> --
> Jeremy Youngman              |  ######  ##   ##  |     ("`-/")_.-'"``-.
> jeremy@youngman.demon.co.uk  |    ##    #####    |      . . `; -._   )-;-,_`)
> Tel: +44 (0)1603 686258      |  #   ##   ##      |     (v_,)'  _  )`-.\  ``-'
> PGP: Key avail on request    |  ####    #####    |    _.- _..-_/ /  ((.'
> ----- All cats look grey in the dark -----          ((,.-'   ((,/
>
>

From firewalls-owner Wed Jun 5 08:35:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25525 for firewalls-outgoing; Wed, 5 Jun 1996 08:26:26 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25484 for ; Wed, 5 Jun 1996 08:26:08 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id HAA07325; Wed, 5 Jun 1996 07:39:27 -0700
Date: Wed, 5 Jun 1996 08:22:48 -0700 (PDT)
From: Michael Dillon
To: "Achari U.M. Kakinada"
cc: firewalls@GreatCircle.COM
Subject: Re: IANA private network numbers ..
In-Reply-To: <9606051245.AA341733@rs2.ccd.harris.com>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Achari U.M. Kakinada wrote:

> Can you please elaborate on the IANA private network numbers, and how it
> shall help if some one has a mix of registered and unregistered networks.

Read RFC1918. It is all explained there.
As long as the unregistered networks use the private network numbers from
RFC1918 you won't ever have any problems.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 08:50:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27395 for firewalls-outgoing; Wed, 5 Jun 1996 08:47:16 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA27388 for ; Wed, 5 Jun 1996 08:47:06 -0700 (PDT)
Message-Id: <199606051547.IAA27388@miles.greatcircle.com>
Received: by hp01.vak12ed.edu
From: "W.C. Epperson"
Subject: Re: Memra
To: firewalls@greatcircle.com
Date: Wed, 05 Jun 1996 11:44:46 EDT
In-Reply-To: ; from ".@GreatCircle.COM" at Jun 5, 96 7:33 am
X-Mailer: Elm [revision: 109.17]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Someone in search of a clue flamed Michael Dillon thusly:
>
> Michael,
>
> Please do not use this forum for advertising your services.
>
> I personally have had trouble getting simple answers from
> companies, and I don't think Ralf's question was out of line.
>
> Is your arrogant, condescending, and unprofessional attitude
> a reflection on your entire British Columbia based company?
>

Dear .@greatcircle.com mailing from .cdnoxy.com:

Since you appear to be using a forged (inadvertently, from the looks of it)
From address and mailing from a domain with a busted DNS and a net with a
hosed or non-existent inverse arpa domain, I can conjecture as to why you
might have difficulty getting replies from vendors.

Michael's _reply_ did not seem out of line either: he pointed out the
obvious line of inquiry and gently poked the poster for not having followed
it to start with (the fwtk distribution and the TIS ftp server are replete
with references on where to turn, and Fred is nothing if not
responsive....).
Oh, and my attitude is a reflection of yours.

Have a nice day.

--
W.C. Epperson                       "I have great faith in fools.
Senior SE                            Self-confidence, my friends call it."
Information Security Officer                     --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Wed Jun 5 09:07:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26334 for firewalls-outgoing; Wed, 5 Jun 1996 08:35:03 -0700 (PDT)
Received: from bastion.sware.com (bastion.sware.com [139.131.15.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA26325 for ; Wed, 5 Jun 1996 08:34:53 -0700 (PDT)
Received: from shlep.sware.com (shlep.sware.com [139.131.1.14]) by bastion.sware.com (8.6.12/8.6.5) with SMTP id LAA12676 for ; Wed, 5 Jun 1996 11:31:39 -0400
Received: by shlep.sware.com (5.65/2.0) from localhost id AA11012; Wed, 5 Jun 96 11:26:49 -0400
Message-Id: <9606051526.AA11012@shlep.sware.com>
From: Renee Landers
X-Mailer: SecureMail [2.3.2]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: cisco docs, user access
To: firewalls@greatcircle.com
Date: Wed, 05 Jun 96 11:26:48 EDT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First, does anyone know of any third-party guides to configuring Cisco
routers? (i.e. IOS for Dummies :-) Or does Cisco put out anything more
useful than the UniverCD -- something that would provide guidelines for
configuring, including information on some of the different configuration
possibilities, something with actual chapters, and sections, and
paragraphs? Perhaps I am just not looking hard enough at the UniverCD?

Second, I have a Cisco router with version 10.2 of the software. I have
several modems connected via async line to that router. I have defined
several usernames with passwords. Is there a way to limit which users can
connect to which modems?
(I know I can prevent certain users from doing stuff once they get on, via
access-classes, but can I reject the connection altogether?) Am I missing
something, or is the capability just not there?

Thanks for your help

From firewalls-owner Wed Jun 5 09:20:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27730 for firewalls-outgoing; Wed, 5 Jun 1996 08:51:47 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27721; Wed, 5 Jun 1996 08:51:31 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id IAA07966; Wed, 5 Jun 1996 08:04:49 -0700
Date: Wed, 5 Jun 1996 08:48:09 -0700 (PDT)
From: Michael Dillon
To: .@GreatCircle.COM
cc: firewalls@GreatCircle.COM
Subject: Re: Memra
In-Reply-To:
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996 .@GreatCircle.COM wrote:

> >> I need very urgent an answer what we must pay for a commercial license for
> >> the firewall toolkit.
> >> On the ftp-server of TIS I don't found the pricing for a commercial license.
> >
> >Why don't you ask them?
> >
> >If you would rather have me ask them, my fee to act as your agent would be
> >US$2,000 per day. Send me email to get my bank account information to
> >deposit the money.
> >
> >;-)
   ^^^
See that?

> Please do not use this forum for advertising your services.

I thought the ridiculously high dollar figure would make everyone realize
that this was a bit of sarcasm but I added the winking smiley just to be
sure. For the record, I don't charge $2,000 per day to make a few phone
calls that people can make for themselves.
> I personally have had trouble getting simple answers from
> companies, and I don't think Ralf's question was out of line.

He wants to negotiate a dealership agreement and you think that's a good
question for the list? IMHO it's OK for end-users to ask "how much will it
cost me" but dealers had better find out for themselves.

> Is your arrogant, condescending, and unprofessional attitude
> a reflection on your entire British Columbia based company?

I'll agree with the arrogant part and the message was definitely
condescending, but I draw the line at "unprofessional". The most
unprofessional thing I do on this list is give away information and
opinions for free. That is the mark of an amateur.

But I do try to give the most accurate and complete answers that I can.
Sometimes that means I do a little bit of research before answering the
question. In the case above, my research included a quick check of the TIS
website and a readthrough of their license agreement to refresh my memory.
But I'm human too and subject to all the emotional foibles of being human
and, being that I'm arrogant, can't resist dishing out a little sarcastic
humor with my advice sometimes. Consider it my emotional payment for the
"free" advice.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
                                                    Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 09:35:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29168 for firewalls-outgoing; Wed, 5 Jun 1996 09:03:46 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29105 for ; Wed, 5 Jun 1996 09:03:22 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id IAA08062; Wed, 5 Jun 1996 08:08:17 -0700
Date: Wed, 5 Jun 1996 08:51:38 -0700 (PDT)
From: Michael Dillon
To: Hugh Fraser
cc: Jeremy Youngman , firewalls@GreatCircle.COM
Subject: Re: Compuserve
In-Reply-To:
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Hugh Fraser wrote:

> expected. Performance, though, doesn't seem much faster than through one
> of their dial-in ports.

I found it faster on the net, but then, I also set the speed in the
Settings dialog to 38400 bps. I remember when I used to telnet directly to
Compuserve that they would ask what speed you wanted to "simulate"
because, of course, there were different fees for different speeds. Maybe
WinCIM still negotiates the simulated speed? Or maybe you just have good
dialin ports in your area.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
                                                    Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 09:50:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29341 for firewalls-outgoing; Wed, 5 Jun 1996 09:05:04 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29039 for ; Wed, 5 Jun 1996 09:02:54 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id HAA07596; Wed, 5 Jun 1996 07:48:05 -0700
Date: Wed, 5 Jun 1996 08:31:25 -0700 (PDT)
From: Michael Dillon
To: Mike Baxter
cc: firewalls@GreatCircle.COM, jeremy@youngman.demon.co.uk
Subject: Re: Compuserve
In-Reply-To: <1b53e6f0@ashridge.org.uk>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Mike Baxter wrote:

> I am not entirely clear what it is you are doing. I am in the
> process of joining the CompuServe mail system to our cc:Mail system.
> When I went through this process I looked at the option of connecting
> for a full logon over the Internet. I think this was possible but it
> was only telnet access not WinCIM, which is too basic for our needs.

Wait a minute. Don't you realize that you can connect with WinCIM over the
Internet? In WinCIM 1.4 you go into the Special menu, then Session
Setting... and then choose WINSOCK in the Connector drop-down list as well
as Internet in the Network drop-down list.

If you are behind a firewall you also need to open a plug-gw on port 4144
and you need to go into the CIS.INI file and change occurrences of
"compuserve.com" to "firewall-machine.yourdomain.com".
I don't have an original CIS.INI here any more but I find lines like the
following in mine:

LogonParams=firewall-machine.yourdomain.com
HostIPName=firewall-machine.yourdomain.com

> So are you looking for a mail connection or a telnet connection? The
> telnet makes more sense. If telnet I would be interested in what front
> end you are using.

WinCIM 1.4 :-)

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 10:05:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29108 for firewalls-outgoing; Wed, 5 Jun 1996 09:03:23 -0700 (PDT)
Received: from connectnet1.connectnet.com (connectnet1.connectnet.com [207.110.0.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA29076 for ; Wed, 5 Jun 1996 09:03:09 -0700 (PDT)
Received: from it.is.my.broken.net (it.is.my.broken.net [204.252.2.92]) by connectnet1.connectnet.com (15.9/Connectnet-2.2) with SMTP id IAA15515; Wed, 5 Jun 1996 08:19:30 -0700 (PDT)
Received: by it.is.my.broken.net (4.1/SMI-4.1)
Date: Wed, 5 Jun 1996 08:19:24 -0700 (PDT)
From: Jason Matthews
X-Sender: jason@it.is.my.broken.net
To: Steve Bergeon
Cc: scanner@webspan.net, firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?
In-Reply-To: <9606050828.ZM6392@sbergeon.neosoft.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unless this has recently been changed in tcpd that is incorrect. Even if no
PTR record is recorded with the authoritative name servers tcpd will return
a message with the offending IP address. If unknown was returned it was
because of some -special- condition. I would have to read the code to see
what that is however ;-)

j.

On Wed, 5 Jun 1996, Steve Bergeon wrote:

> Wrappers were unable to verify the system's name and IP address match.
> This could just be someone attempting access from an ISP that does not
> have DNS names assigned to all of its address space. Or...
>
> If you want unresolvable systems to have access to a service, you can
> use the keyword UNKNOWN in your hosts.allow file.
>
>
> On Jun 4, 10:31pm, Chris Watson allegedly wrote:
> | Subject: unknown in tcpwrappers?
> |
> | what does this mean?
> |
> | Jun 4 22:21:48 orion telnetd[9207]: refused connect from unknown
> |
> | whats the unknown part? what causes this? is this a denied spoof attempt?
> | or is it a DNS failure?
> |
> |
> | --
> |
> | ===================================| Webspan Inc., ISP Division.
> | FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
> | -----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
> | Turning PCs into Workstations      | E-Mail: scanner@webspan.net
> | http://www.freebsd.org             | SysAdmin / Network Engineer / Security
> | ===================================| Member BSDNET team!
> |                                    | http://www.bsdnet.org
> |
> |
> |
> |-- End of excerpt blamed on Chris Watson
>
>
>
> --
> (713) 917-0425 Office
> "Spirit is the journey, Body is the Bus.
>  I am the driver, From Dust to dust."
>  - Jaluka
> - PGP Keys: http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
>

From firewalls-owner Wed Jun 5 10:42:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06209 for firewalls-outgoing; Wed, 5 Jun 1996 10:10:19 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06200 for ; Wed, 5 Jun 1996 10:10:07 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c6robo16.cisco.com [171.68.13.176]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA21902; Wed, 5 Jun 1996 10:07:57 -0700
Message-Id: <199606051707.KAA21902@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 05 Jun 1996 13:07:10 -0400
To: Michael Dillon
From: Paul Ferguson
Subject: Re: IANA private network numbers ..
Cc: "Achari U.M. Kakinada"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:22 AM 6/5/96 -0700, Michael Dillon wrote:
>On Wed, 5 Jun 1996, Achari U.M. Kakinada wrote:
>
>> Can you please elaborate on the IANA private network numbers, and how it
>> shall help if some one has a mix of registered and unregistered networks.
>
>Read RFC1918. It is all explained there.
>As long as the unregistered networks use the private network numbers from
>RFC1918 you won't ever have any problems.
>

Well, of course, you will not be able to *advertise* them to The World. :-)

- paul

>Michael Dillon                                   ISP & Internet Consulting
>Memra Software Inc.                                 Fax: +1-604-546-3049
>http://www.memra.com                             E-mail: michael@memra.com
>

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Reston, Virginia USA            ||||      ||||
tel: +1.703.716.9538        ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com    c i s c o S y s t e m s

From firewalls-owner Wed Jun 5 10:51:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04365 for firewalls-outgoing; Wed, 5 Jun 1996 09:58:11 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04336 for ; Wed, 5 Jun 1996 09:57:56 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9606051655.AA27060@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: "Achari U.M. Kakinada"
Cc: firewalls
From: Ryan.Russell/SYBASE
Date: 5 Jun 96 9:55:50 EDT
Subject: Re: CISCO serial links
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm not sure I follow you, but...

You can put the two routers in bridging mode (ISP willing, of course) and
as long as the ISP has routes to the 2 addresses you want, it will work.

You do have four hosts shown in the picture tho.. Did I miss part of your
question?

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: akakinad @ ccd.harris.com (Achari U.M. Kakinada) @ smtp
Date: 06/05/96 10:22:09 AM
Subject: CISCO serial links

For the following net configuration

    H1      H2      H3      H4
    |       |       |       |
  ------------------------------------------
                    |
                    |
                    |
              --- Cisco Router
                    \
                     \
                      \  --- Serial link.
                       \
                   ISP Cisco Router ----
                                        |
                                        |
                                    INTERNET

In the above configuration, is it possible to configure the serial
interfaces of both Cisco routers without assigning any IP addresses OR
assigning IP host address (only two IP addresses shall be used).

Can some kind soul help.
--
Achari

From firewalls-owner Wed Jun 5 11:06:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07940 for firewalls-outgoing; Wed, 5 Jun 1996 10:22:16 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA07849 for ; Wed, 5 Jun 1996 10:21:49 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c6robo16.cisco.com [171.68.13.176]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA25825; Wed, 5 Jun 1996 10:19:23 -0700
Message-Id: <199606051719.KAA25825@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 05 Jun 1996 13:18:35 -0400
To: Renee Landers
From: Paul Ferguson
Subject: Re: cisco docs, user access
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:26 AM 6/5/96 EDT, Renee Landers wrote:
>First, does anyone know of any third-party guides to configuring Cisco routers?
>(i.e. IOS for Dummies :-) Or does Cisco put out anything more useful than the
>UniverCD -- something that would provide guidelines for configuring, including
>information on some of the different configuration possibilities, something with
>actual chapters, and sections, and paragraphs? Perhaps I am just not looking
>hard enough at the UniverCD?
>

You're not looking hard enough at the CD. ;-)

>Second, I have a Cisco router with version 10.2 of the software. I have several
>modems connected via async line to that router. I have defined several usernames
>with passwords. Is there a way to limit which users can connect to which modems?
>(I know I can prevent certain users from doing stuff once they get on, via access-
>classes, but can I reject the connection altogether?) Am I missing something,
>or is the capability just not there?
>
>Thanks for your help
>

Why don't you re-send this to the cisco Users mailing list
[cisco@spot.colorado.edu] instead? It would be a much more appropriate
forum than the firewalls list.

- paul

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Reston, Virginia USA            ||||      ||||
tel: +1.703.716.9538        ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com    c i s c o S y s t e m s

From firewalls-owner Wed Jun 5 11:29:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10534 for firewalls-outgoing; Wed, 5 Jun 1996 10:47:12 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA10526 for ; Wed, 5 Jun 1996 10:47:03 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id JAA10160 for ; Wed, 5 Jun 1996 09:59:45 -0700
Date: Wed, 5 Jun 1996 10:43:05 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: Re: IANA private network numbers ..
In-Reply-To: <199606051707.KAA21902@lint.cisco.com>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Paul Ferguson wrote:

> >> Can you please elaborate on the IANA private network numbers, and how it
> >> shall help if some one has a mix of registered and unregistered networks.
> >
> >Read RFC1918. It is all explained there.
> >As long as the unregistered networks use the private network numbers from
> >RFC1918 you won't ever have any problems.
> >
>
> Well, of course, you will not be able to *advertise* them to The World. :-)

Which means .. *ding* *ding* *ding* .. you'll have to install a proxy
firewall!

I don't suppose those Cisco NAT's will do any good here will they Paul?
However, if you can't renumber the bad hosts or if you are using RFC1918
numbers solely to protect yourself against having to renumber when you
change providers, then a NAT is a very handy solution to use along with
packet filtering.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 11:36:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11132 for firewalls-outgoing; Wed, 5 Jun 1996 10:54:27 -0700 (PDT)
Received: from elsol.dataway.com (elsol.dataway.com [205.158.49.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA11065 for ; Wed, 5 Jun 1996 10:54:04 -0700 (PDT)
Received: from wildcat ([205.158.49.16]) by elsol.dataway.com
Message-ID: <31B5C8D1.167E@dataway.com>
Date: Wed, 05 Jun 1996 10:50:09 -0700
From: Mathias Kolehmainen
Organization: DataWay Design
X-Mailer: Mozilla 3.0b4Gold (X11; I; IRIX 5.3 IP22)
MIME-Version: 1.0
To: "Achari U.M. Kakinada"
CC: firewalls@GreatCircle.COM
Subject: Re: CISCO serial links
References: <9606051422.AA263413@rs2.ccd.harris.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Although I've never used it, I believe that the "ip-unnumbered" interface
command will do the trick. It takes as an argument the number of another
interface that does have an IP address.

Achari U.M. Kakinada wrote:
>               --- Cisco Router
>                     \
>                      \
>                       \  --- Serial link.
>                        \
>                    ISP Cisco Router
>
> In the above configuration, is it possible to configure the
> serial interfaces of both Cisco routers without assigning any IP
> addresses OR assigning IP host address (only two IP addresses
> shall be used).

--
-------------------------------------
Mathias Kolehmainen  ripper@dataway.com
"Now it flushes away AUTOMATICALLY!"
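The RFC1918 exchange above (Dillon, Ferguson, Dillon again) describes a site with a mix of registered and unregistered networks: the private numbers can never be advertised to the Internet, so hosts using them reach the outside only through a proxy or a NAT, and the border should filter them. The following added example models that border behaviour in a few lines; it is written for this thread and is not Cisco's NAT or any real firewall's code. The `Border` class, the addresses (RFC 5737 documentation prefixes) and the port-based mapping are assumptions of the example.

```python
"""Border router for a site mixing registered and RFC 1918 networks.

Added example, not code from the thread.  Rules modelled:
  * packets to or from RFC 1918 addresses never cross the external link
    (private numbers are not advertised, so such packets are bogus there);
  * registered (routable) sources are forwarded unchanged;
  * private sources are rewritten to one registered address (NAT), and the
    mapping is used to translate replies back.
"""
import ipaddress
import itertools

# The three private blocks allocated by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr lies in any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class Border:
    """Packet filter plus a simplified address-and-port NAT."""

    def __init__(self, public_addr, registered_nets):
        self.public = ipaddress.ip_address(public_addr)
        self.registered = [ipaddress.ip_network(n) for n in registered_nets]
        self.nat = {}        # public port -> (private src, private port)
        self.reverse = {}    # (private src, private port) -> public port
        self.ports = itertools.count(40000)   # constructed port pool

    def _registered(self, addr):
        return any(ipaddress.ip_address(addr) in n for n in self.registered)

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the site.  Returns ('drop', reason) or
        ('forward', (source address, source port)) as sent to the ISP."""
        if is_rfc1918(dst):
            return "drop", "private destination is not routable on the Internet"
        if self._registered(src):
            return "forward", (src, sport)
        if is_rfc1918(src):
            key = (src, sport)
            if key not in self.reverse:      # allocate a mapping on first use
                port = next(self.ports)
                self.reverse[key] = port
                self.nat[port] = key
            return "forward", (str(self.public), self.reverse[key])
        return "drop", "source is neither registered nor private (spoofed or misconfigured)"

    def inbound(self, src, sport, dst, dport):
        """Packet arriving from the ISP link.  A real NAT also checks that the
        remote endpoint matches the mapping; this model checks the port only."""
        if is_rfc1918(src):
            return "drop", "RFC 1918 source on the external interface"
        if ipaddress.ip_address(dst) == self.public:
            if dport in self.nat:
                return "forward", self.nat[dport]
            return "drop", "no NAT mapping for this port"
        if self._registered(dst):
            return "forward", (dst, dport)
        return "drop", "destination is not one of our networks"


if __name__ == "__main__":
    b = Border("198.51.100.1", ["203.0.113.0/24"])
    print(b.outbound("10.1.2.3", 5555, "192.0.2.80", 80))   # NAT to 198.51.100.1:40000
    print(b.inbound("192.0.2.80", 80, "198.51.100.1", 40000))  # back to 10.1.2.3:5555
    print(b.inbound("10.9.9.9", 1, "203.0.113.5", 25))        # dropped as bogus
```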
From firewalls-owner Wed Jun 5 11:48:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11496 for firewalls-outgoing; Wed, 5 Jun 1996 10:57:38 -0700 (PDT)
Received: from zen.com (zen.com [156.70.135.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11433 for ; Wed, 5 Jun 1996 10:57:13 -0700 (PDT)
Received: from by zen.com (4.1/SMI-4.1)
Received: by usuwphmsx03.zen.con with Microsoft Exchange (IMC 4.0.837.3)
Message-Id:
From: Miller Robert RC
To: "'Michael Dillon'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Memra
Date: Wed, 5 Jun 1996 13:56:46 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I concur w/ Michael and agree with his response to the original note. If
people can't understand a tongue-in-cheek response when they see one,
despite the use of a smiley, then TS for them.

Also, it did seem to me that the sender of the original note was using this
list to get specific vendor/pricing info which could easily have been
gotten directly from the vendor.

Bob Miller
millerrc@zen.com
Zeneca Pharmaceuticals, Inc.

PS: Also, at least Michael was not such a wus as to send a harassing note
(and his WASN'T really harassing!) and at the same time try to hide his
return email address! (.@GreatCircle.COM a.k.a. ???@.cdnoxy.com). I'll
refrain here from saying anything sarcastic about your Ontario-based
company... (cdnoxy.com = Canadian Occidental Petroleum Ltd. @ Calgary,
Ontario)

>----------
>From: Michael Dillon[SMTP:michael@memra.com]
>Sent: Wednesday, June 05, 1996 11:48 AM
>To: .@GreatCircle.COM
>Cc: firewalls@GreatCircle.COM
>Subject: Re: Memra
>
>On Wed, 5 Jun 1996 .@GreatCircle.COM wrote:
>
>> >> I need very urgent an answer what we must pay for a commercial license for
>> >> the firewall toolkit.
>> >> On the ftp-server of TIS I don't found the pricing for a commercial license.
>> > >> >Why don't you ask them? >> > >> >If you would rather have me ask them, my fee to act as your >> >agent would be >> >US$2,000 per day. Send me email to get my bank account >> >information to >> >deposit the money. >> > >> >;-) > ^^^ >See that? > >> Please do not use this forum for advertising your services. > >I thought the ridiculously high dollar figure would make everyone >realize >that this was a bit of sarcasm but I added the winking smiley just to >be >sure. For the record, I don't charge $2,000 per day to make a few phone >calls that people can make for themselves. > >> I personally have had trouble getting simple answers from >> companies, and I don't think Ralf's question was out of line. > >He wants to negotiate a dealership agreement and you think that's a >good >question for the list? IMHO it's OK for end-users to ask "how much will >it >cost me" but dealers had better find out for themselves. > >> Is your arrogant, condescending, and unprofessional attitude >> a reflection on your entire British Columbia based company? > >I'll agree with the arrogant part and the message was definitely >condescending, but I draw the line at "unprofessional". The most >unprofessional thing I do on this list is give away information and >opinions for free. That is the mark of an amateur. > >But I do try to give the most accurate and complete answers that I can. >Sometimes that means I do a little bit of research before answering the >question. In the case above, my research included a quick check of the >TIS >website and a readthrough of their license agreement to refresh my >memory. >But I'm human too and subject to all the emotional foibles of being >human >and, being that I'm arrogant, can't resist dishing out a little >sarcastic >humor with my advice sometimes. Consider it my emotional payment for >the >"free" advice. > >Michael Dillon ISP & Internet >Consulting >Memra Software Inc. 
Fax: >+1-604-546-3049 >http://www.memra.com E-mail: >michael@memra.com > > From firewalls-owner Wed Jun 5 11:51:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA13791 for firewalls-outgoing; Wed, 5 Jun 1996 11:14:48 -0700 (PDT) Received: from wormhole.nav.cc.tx.us (wormhole.nav.cc.tx.us [205.165.189.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA13711 for ; Wed, 5 Jun 1996 11:14:13 -0700 (PDT) Received: by wormhole.nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03) Received: from dilbert.nav.cc.tx.us(205.165.188.145) by wormhole via smap (V1.3) Received: from localhost by dilbert.nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03) Date: Wed, 5 Jun 1996 13:16:10 -0500 (CDT) From: Dana Brewer To: firewalls@GreatCircle.COM Subject: Re: Compuserve In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Michael Dillon wrote: > If you are behind a firewall you also need to open a plug-gw on port 4144 > and you need to go into the CIS.INI file and change occurrences of > "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an > original CIS.INI here any more but I find lines like the following in > mine: Thanks! I needed this information. Does anyone know how to connect to America Online via TCP/IP from behind a firewall? ************************************************************************** Dana Brewer Director, Computer Center Internet: dana@nav.cc.tx.us Navarro College Phone : 903-874-6501 3200 W. 7th Ave. FAX : 903-874-4636 Corsicana, TX 75110 All opinions stated are my own, and probably don't even vaguely resemble those of Navarro College. 
:) ************************************************************************** From firewalls-owner Wed Jun 5 12:35:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA19958 for firewalls-outgoing; Wed, 5 Jun 1996 12:01:52 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA19887 for ; Wed, 5 Jun 1996 12:01:30 -0700 (PDT) Received: from pferguso-pc.cisco.com (c1robo3.cisco.com [171.68.13.3]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id LAA02285; Wed, 5 Jun 1996 11:59:34 -0700 Message-Id: <199606051859.LAA02285@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 05 Jun 1996 14:58:46 -0400 To: Michael Dillon From: Paul Ferguson Subject: Re: IANA private network numbers .. Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:43 AM 6/5/96 -0700, Michael Dillon wrote: > >Which means .. *ding* *ding* *ding* .. you'll have to install a proxy >firewall! I don't suppose those Cisco NAT's will do any good here will >they Paul? However, if you can't renumber the bad hosts or if you are >using RFC1918 numbers solely to protect yourself against having to >renumber when you change providers, then a NAT is a very handy solution to >use along with packet filtering. > Having NAT functionality in IOS doesn't offer proxy services. Nope. - paul -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Jun 5 12:52:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26008 for firewalls-outgoing; Wed, 5 Jun 1996 12:48:01 -0700 (PDT) Received: from 198.68.45.121 (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA25948 for ; Wed, 5 Jun 1996 12:47:36 -0700 (PDT) Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com Received: by juneau.steldyn.com with Microsoft Exchange (IMC 4.12.736) Message-ID: From: Chris Pugrud To: Firewalls Mailing list Subject: RE: Windows NT and Firewalls Date: Wed, 5 Jun 1996 13:45:28 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm going to try to respond here to the blast of messages that came back after I made known my feelings about Raptor's Eagle NT firewall product. If I missed your point, I'm sorry, it's Monday, and the coffee's just not strong enough. [frankw@in.net] "I wouldn't quite go as far to say that it is a "boot loader"." I can't agree Frank. Raptor does not use NT as anything but a boot loader, a memory manager, and low level I/O. At this point it is not an NT firewall. It's a firewall that "runs on top of NT". If it just runs on top of NT then there is no reason to run on NT, there is too much overhead involved. A tight Linux kernel usually comes in at about 550k and uses 1-2MB of RAM at run time. "Jaw drops... I can't believe that you would place your firewall in the same domain" ... "Can you elaborate on the trust issue." An explanation of trusts: In NT a trust is always one way. You can establish reciprocal trusts, but this negates (usually) the reasons for having separate domains. User accounts are put into the trusted (top level) domain. Access permissions in the trusting domain can be set using accounts from the trusted domain. 
When a user accesses a machine in the trusting domain the computer encrypts the user's ID and password and then forwards that to the trusted domain for authentication (My understanding of the encryption involved is shaky, Russ can correct any errors here). simple chart next: Accounts set up on a computer can only be used on that computer. Accounts set up in a domain can be used by any computer in that domain, and any computers in domains that trust that domain. Computers' ACLs can use any account on that computer, any account in the domain the computer belongs to, and any accounts in domains that the computer's domain trusts. Trust is one-way. Domains only have access to accounts in domains they trust. Domains have no access to domains that trust them. Trusts must be set up and authorized by the administrators of both domains involved. Trust is not inherited. If domain A trusts B, and B trusts C, A does not trust C until a trust is explicitly set up. The key word in the above is "can". Machines can be individually configured as to whether or not to allow network access to individual resources. Where this is useful and relevant to firewalls is that I can set up a proxy server on a machine and then deny all network access to the machine (this is slightly misleading, it only denies access to resources on that machine, ports are not resources, and it in no way prevents that machine from going out and accessing resources) and set up my proxy ACLs using my existing users and groups, and get accounting and audit trails based on these accounts. This is fairly clean because of NT's single logon approach. When a user logs in they are passed back a token (encrypted?) that contains their user ID (a unique hex string), and the IDs of all the groups that they belong to. When the user heads out to kill time on the Internet the proxy server requests their security token. 
It then checks the individual and group IDs against its ACL to see when and if the user is permitted to loaf on the Internet. This information is then logged and you have a transparent proxy with individual accounting (at least the individual that last logged on, but that's not platform specific). Side points and counter points: Small businesses are connecting up to the Internet like nobody's business. If you feel that companies that can't afford a full time network security administrator to sit around and go "wow, the Internet sure is dangerous" don't have a right to be on the Internet then you really ought to buy a ticket to Jamaica while you can still afford it. (okay I've relaxed now) Small businesses desperately want to be on the Internet right now, and a few thousand dollar setup and a couple hundred bucks a month is already straining their budget. If everybody has them convinced that it's going to cost them 20-30-50 K$ then they are far more likely to say "ahh CDA it, plug it in, we're too small to get hacked. Who would want to?" OTOH if you can walk in the door and say "my fee is $1000, but I can have you on the Internet full time for $2000 and $200 a month." you will probably be pretty busy (this is assuming that your work is good and you have properly licensed the FWTK). Ideally my firewalls would have the Internet connected to a filtering router connected to a hard, fast firewall connected to a caching proxy, connected to a filtering router connected to the internal network all in series. Only the internal proxy would have any connection to the NT domain. This would give me good accounting and feedback and two layers of isolation to protect NT from the Internet. I dream big, but my customers have budgets. I have one customer that is biding their time waiting for the Integrated NT proxy so they can do just this design. Fortunately they are very patient. It's a lot like a Ferrari, everybody goes "WoW, that's really cool! 
So what do you have in the $5K price range?" Windows NT is not the be all and end all of NOSes. For the most part it is friendly and damn easy to use. If all you know is UNIX then there is a stumble until you get turned around and used to it. I heard evidence lately that IBM is still selling more copies of WARP in a month than NT has ever sold in a year. This could be entirely true. (don't people get fired for buying IBM these days?). This is just kind of scary, everyday administration of NT doesn't require any black magic (I don't think UNIX does, but most people do). Windows NT is not a secure operating system. NT has its share of holes "out of the box." NT has a wider range of security and auditing functions than standard UNIX OSes, but they have to be turned on. NT can be set up in a very secure fashion, but it is not certifiable in any usable configuration unless you favor putting computers in vaults a la Mission Implausible. I love tuning systems with my bare hands. I'm a happy camper when I'm under the hood adjusting the screws, setting the valves and just adding my own characteristic signature that makes the machine hum the way I like. I've had a really fun life with the flavors of UNIX, and I've been having fun with NT lately. Now I can afford to hire lower cost help desk people for basic administration. Now I might be able to keep up on this list and stay up to date. That sounds great to me. I started on computers when I had to stand on a chair to load the punch cards and plan to be plugged in when I pass along. Short cuts and simplicity make life easier for me and my users. Thanks for hearing me out. I'll leave the flame suit in the closet, it's kind of cold in the dungeon anyway. Chris --- #include Chris Pugrud Network Engineering Stellar Dynamics, Idaho Power - Some mornings it's not worth gnawing through the restraints - 
From firewalls-owner Wed Jun 5 13:06:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA27263 for firewalls-outgoing; Wed, 5 Jun 1996 12:59:51 -0700 (PDT) Received: from gw.intuit.com (fw.intuit.com [199.2.32.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA27206 for ; Wed, 5 Jun 1996 12:59:30 -0700 (PDT) Received: by gw.intuit.com (4.1/SMI-4.1) Received: from cliff.intuit.com(199.2.34.38) by gw.intuit.com via smap (V1.3) Received: from ra.intuit.com by cliff (4.1/SMI-4.1d) From: corby@intuit.com (Corby Anderson) Message-Id: <9606051950.AA05815@cliff> Subject: Re: Compuserve To: dana@dilbert.nav.cc.tx.us (Dana Brewer) Date: Wed, 5 Jun 1996 12:51:15 -0700 (PDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Dana Brewer" at Jun 5, 96 01:16:10 pm X-Mailer: ELM [version 2.4 PL22] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > On Wed, 5 Jun 1996, Michael Dillon wrote: > > > If you are behind a firewall you also need to open a plug-gw on port 4144 > > and you need to go into the CIS.INI file and change occurrences of > > "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an > > original CIS.INI here any more but I find lines like the following in > > mine: > > Thanks! I needed this information. Does anyone know how to connect to > America Online via TCP/IP from behind a firewall? Pretty much the same thing. Open a plug-gw on port 5190 to a machine called americaonline.aol.com. They have three A records for this host in their DNS and will return any of the following three IP addresses: 198.81.8.18 198.81.18.82 198.81.18.84 To use it from AOL, find where you specify the connection type and set it to TCP/IP. 
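The trust rules Chris lists above (accounts local to one machine, domain accounts usable by member computers and by computers in domains that trust the account's domain, trusts one-way and never inherited) can be checked mechanically. The model below is an added example written for this archive page, not code from the original post or from Microsoft; the domain, computer and account names in it are made up, and the question it answers is the one relevant to his proxy design, namely whether an ACL on a given machine may reference a given account. It deliberately models only the rules stated in the post (no EXCEPT-style exclusions, no group membership).

```python
# Added example: a model of the NT domain-trust rules described in the post.
# All names (RESOURCES, ACCOUNTS, DMZ, PROXY1, FW-EXT, alice, ...) are invented.

class TrustModel:
    def __init__(self):
        self.trusts = set()        # (trusting_domain, trusted_domain) pairs
        self.computers = {}        # computer -> domain it belongs to
        self.domain_accounts = {}  # account -> domain that holds it
        self.local_accounts = {}   # account -> computer that holds it

    def add_trust(self, trusting, trusted):
        """One-way trust: `trusting` accepts accounts held by `trusted`.
        The reverse direction needs its own entry; it is never implied."""
        self.trusts.add((trusting, trusted))

    def join(self, computer, domain):
        self.computers[computer] = domain

    def add_domain_account(self, account, domain):
        self.domain_accounts[account] = domain

    def add_local_account(self, account, computer):
        self.local_accounts[account] = computer

    def acl_may_reference(self, computer, account):
        """True if an ACL on `computer` may name `account`."""
        if account in self.local_accounts:
            # a local account is usable on the machine that holds it, nowhere else
            return self.local_accounts[account] == computer
        home = self.domain_accounts.get(account)
        mine = self.computers.get(computer)
        if home is None or mine is None:
            return False                  # unknown account or unjoined machine
        if home == mine:
            return True                   # same domain
        # exactly one hop: A trusts B and B trusts C does not let A use C's accounts
        return (mine, home) in self.trusts

def firewall_example():
    """Layout in the spirit of the post: user accounts in a top-level
    (trusted) domain, the proxy in a resource domain that trusts it, and
    the outer firewall (assumed here) in a separate domain of its own."""
    m = TrustModel()
    m.join("DC1", "ACCOUNTS")
    m.join("PROXY1", "RESOURCES")
    m.join("FW-EXT", "DMZ")
    m.add_trust("RESOURCES", "ACCOUNTS")  # RESOURCES trusts ACCOUNTS
    m.add_trust("DMZ", "RESOURCES")       # DMZ trusts RESOURCES (not ACCOUNTS)
    m.add_domain_account("ACCOUNTS\\alice", "ACCOUNTS")
    m.add_domain_account("RESOURCES\\svc-proxy", "RESOURCES")
    m.add_local_account("FW-EXT\\fwadmin", "FW-EXT")
    return m

if __name__ == "__main__":
    m = firewall_example()
    for computer, account in [("PROXY1", "ACCOUNTS\\alice"),
                              ("FW-EXT", "ACCOUNTS\\alice"),
                              ("DC1", "RESOURCES\\svc-proxy"),
                              ("PROXY1", "FW-EXT\\fwadmin")]:
        print("%-7s may reference %-22s : %s"
              % (computer, account, m.acl_may_reference(computer, account)))
```

The two cases worth noticing are FW-EXT/alice (DMZ trusts RESOURCES, RESOURCES trusts ACCOUNTS, yet the firewall still cannot use an ACCOUNTS user, because trust is not inherited) and DC1/svc-proxy (the trusted domain gets nothing back from the domain that trusts it).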
Corby From firewalls-owner Wed Jun 5 13:21:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA28356 for firewalls-outgoing; Wed, 5 Jun 1996 13:08:15 -0700 (PDT) Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA28319 for ; Wed, 5 Jun 1996 13:07:56 -0700 (PDT) Received: from bass.unifiedtech.com by anchorsteam (5.x/SMI-SVR4) Received: by bass.unifiedtech.com (5.x/SMI-SVR4) Date: Wed, 5 Jun 1996 15:53:32 -0400 From: Mike.Jones@unifiedtech.com (Mike Jones) Message-Id: <9606051953.AA05961@bass.unifiedtech.com> To: firewalls@greatcircle.com Subject: Re: IANA private network numbers .. X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul Ferguson writes... > >Which means .. *ding* *ding* *ding* .. you'll have to install a proxy > >firewall! I don't suppose those Cisco NAT's will do any good here will > >they Paul? However, if you can't renumber the bad hosts or if you are > >using RFC1918 numbers solely to protect yourself against having to > >renumber when you change providers, then a NAT is a very handy solution to > >use along with packet filtering. > Having NAT functionality in IOS doesn't offer proxy services. Nope. In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael, you're completely off base on this one. Mike Jones Sr. 
Network Computing Advisor Unified Technologies From firewalls-owner Wed Jun 5 13:35:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA28847 for firewalls-outgoing; Wed, 5 Jun 1996 13:13:45 -0700 (PDT) Received: from gatekeeper.strydr.com (gatekeeper.strydr.com [199.217.201.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA28828 for ; Wed, 5 Jun 1996 13:13:26 -0700 (PDT) Received: (from Unknown UID 6@localhost) by gatekeeper.strydr.com (8.6.9/8.6.9) id PAA14113; Wed, 5 Jun 1996 15:12:30 -0500 Received: from strydr.strydr.com(198.134.134.1) by gatekeeper.strydr.com via smap (V1.3) Received: (from ds3721@localhost) by strydr.strydr.com (8.6.12/8.6.11) id PAA27907; Wed, 5 Jun 1996 15:09:55 -0500 From: David Schnardthorst Message-Id: <199606052009.PAA27907@strydr.strydr.com> Subject: Re: Compuserve To: dana@dilbert.nav.cc.tx.us (Dana Brewer) Date: Wed, 5 Jun 1996 15:09:55 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Dana Brewer" at Jun 5, 96 01:16:10 pm Organization: Stryder Communications, Inc. Address: 869 St. Francois, Florissant, Mo. 63031 Telephone: (314)838-6839 Fax: (314)838-8527 X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In the Original, Dana Brewer Says > >On Wed, 5 Jun 1996, Michael Dillon wrote: > >> If you are behind a firewall you also need to open a plug-gw on port 4144 >> and you need to go into the CIS.INI file and change occurrences of >> "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an >> original CIS.INI here any more but I find lines like the following in >> mine: > >Thanks! I needed this information. Does anyone know how to connect to >America Online via TCP/IP from behind a firewall? 
> In response to this question, which I myself have even asked, I have added the proxy information for AOL and Compuserve to the URL, http://www.strydr.com/misc/FAQ/firewalls/fwtk I will continue to add proxy information to this site. If you have some information to add to this site, please feel free to e-mail me your sample configurations. Configurations in HTML format would be preferred. BTW., this is not meant to be an advertisement, just an area where people can go to get sample configurations for various firewalls. ============================================================================ David Schnardthorst, Systems/Network Eng. * Phone: (314)838-6839 Stryder Communications, Inc. * Fax: (314)838-8527 869 St. Francois * E-Mail: ds3721@strydr.com Florissant, MO 63031 * URL: http://www.strydr.com ============================================================================ From firewalls-owner Wed Jun 5 14:11:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA03572 for firewalls-outgoing; Wed, 5 Jun 1996 13:57:19 -0700 (PDT) Received: from pangeia.com.br (acme.pangeia.com.br [200.239.53.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA03517 for ; Wed, 5 Jun 1996 13:56:56 -0700 (PDT) Received: from localhost (nelson@localhost) by pangeia.com.br (8.7.5/8.7.3) with SMTP id SAA02260 for ; Wed, 5 Jun 1996 18:00:24 -0400 Date: Wed, 5 Jun 1996 18:00:24 -0400 (WST) From: Nelson Murilo To: firewalls@GreatCircle.COM Subject: Re: unknown in tcpwrappers? In-Reply-To: <9606050828.ZM6392@sbergeon.neosoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Steve Bergeon wrote: sbergeon>Wrappers were unable to verify the systems name and ip address match. sbergeon>This could just be someone attempting access from an isp that does not sbergeon>have dns names assigned to all of its' address space. Or... 
sbergeon> sbergeon>If you want unresolvable systems to have access to a service, you can sbergeon>use the keyword UNKNOWN in your hosts.allow file. FILE: eval.c (tcp_wrapper package) (...) /* * When a string has the value STRING_UNKNOWN, it means: don't bother, I * tried to look up the data but it was unavailable for some reason. When a * host name has the value STRING_PARANOID it means there was a name/address * conflict. */ char unknown[] = STRING_UNKNOWN; char paranoid[] = STRING_PARANOID; (...) TIA Nelson Murilo Pangeia Informatica - Provedor de solucoes Internet. http://www.pangeia.com.br http://www.bluesky.net/pangeia From firewalls-owner Wed Jun 5 14:50:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA09757 for firewalls-outgoing; Wed, 5 Jun 1996 14:33:43 -0700 (PDT) Received: from aecgate.aec.ca (aecgate.aec.ca [142.56.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA09659 for ; Wed, 5 Jun 1996 14:33:10 -0700 (PDT) Received: from sol.aec.ca ([142.56.17.16]) by aecgate.aec.ca with ESMTP id <46891-4>; Wed, 5 Jun 1996 14:34:59 -0600 Received: from clavin017.aec.ca ([142.56.17.22]) by aec.ca with SMTP id <137389-1>; Wed, 5 Jun 1996 14:34:53 -0600 Received: by clavin017.aec.ca with Microsoft Mail From: "Post, Lenny" To: "'Firewalls'" Subject: RE: Memra Date: Wed, 05 Jun 96 13:58:00 MDT Message-ID: <31B5EF48@clavin017.aec.ca> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [ahhh the munch monster has struck ...] >Bob Miller >millerrc@zen.com >Zeneca Pharmaceuticals, Inc. >PS: Also, at least Michael was not such a wus as to send a harassing >note (and his WASN'T really harassing!) and at the same time try to hide >his return email address! (.@GreatCircle.COM a.k.a. ???@.cdnoxy.com). >'ll refrain here from saying anything sarcastic about your >Ontario-based company... (cdnoxy.com = Canadian Occidental Petroleum >Ltd. 
@ Calgary, Ontario) The city of Calgary resides in the province of Alberta (not Ontario). (We in the west just want to make that clear :-) :-) :-) Lenny Post email: lenny.post@aec.ca IT Coordinator AEC West Ltd. Calgary born and raised and Calgary, AB T2P 1H5 overall a nice guy :-) From firewalls-owner Wed Jun 5 15:09:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA08674 for firewalls-outgoing; Wed, 5 Jun 1996 14:27:10 -0700 (PDT) Received: from pangeia.com.br (www.pangeia.com.br [200.239.53.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA08607 for ; Wed, 5 Jun 1996 14:26:49 -0700 (PDT) Received: from localhost (nelson@localhost) by pangeia.com.br (8.7.5/8.7.3) with SMTP id SAA02347 for ; Wed, 5 Jun 1996 18:30:40 -0400 Date: Wed, 5 Jun 1996 18:30:39 -0400 (WST) From: Nelson Murilo To: firewalls@GreatCircle.COM Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Steve Bergeon wrote: sbergeon>Wrappers were unable to verify the systems name and ip address match. sbergeon>This could just be someone attempting access from an isp that does not sbergeon>have dns names assigned to all of its' address space. Or... sbergeon> sbergeon>If you want unresolvable systems to have access to a service, you can sbergeon>use the keyword UNKNOWN in your hosts.allow file. FILE: eval.c (tcp_wrapper package) (...) /* * When a string has the value STRING_UNKNOWN, it means: don't bother, I * tried to look up the data but it was unavailable for some reason. When a * host name has the value STRING_PARANOID it means there was a name/address * conflict. */ char unknown[] = STRING_UNKNOWN; char paranoid[] = STRING_PARANOID; (...) TIA Nelson Murilo Pangeia Informatica - Provedor de solucoes Internet. 
http://www.pangeia.com.br http://www.bluesky.net/pangeia From firewalls-owner Wed Jun 5 15:20:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA09752 for firewalls-outgoing; Wed, 5 Jun 1996 14:33:39 -0700 (PDT) Received: from ve6bc.ampr.ab.ca (ve6bc.worldgate.com [206.75.11.41]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA09657 for ; Wed, 5 Jun 1996 14:33:10 -0700 (PDT) Received: (from doug@localhost) by ve6bc.ampr.ab.ca (8.7.4/8.7.3) id PAA22194 for firewalls@greatcircle.com; Wed, 5 Jun 1996 15:30:35 -0600 (MDT) From: "Douglas R. Mackintosh" Message-Id: <199606052130.PAA22194@ve6bc.ampr.ab.ca> Subject: FLAME (was: Re: Memra) To: firewalls@greatcircle.com Date: Wed, 5 Jun 1996 15:30:35 -0600 (MDT) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Last Friday, Michael Dillon wrote: > > >Date: Fri, 31 May 1996 10:12:07 -0700 (PDT) > >rom: Michael Dillon > >Subject: Re: commercial license for fwtk from TIS > > > >On Fri, 31 May 1996, Ralf Naegele wrote: > > > >> our organization is thinking about providing the fwtk. > >> I need very urgent an answer what we must pay for a > >>commercial license for > >> the firewall toolkit. > >> On the ftp-server of TIS I don't found the pricing for a > >>commercial license. > > > >Why don't you ask them? > > > >If you would rather have me ask them, my fee to act as your > >agent would be > >US$2,000 per day. Send me email to get my bank account > >information to > >deposit the money. > > > >;-) > > > >Michael Dillon ISP & > >Internet Consulting > >Memra Software Inc. Fax: > >+1-604-546-3049 > >http://www.memra.com E-mail: > >michael@memra.com > > Michael, > > Please do not use this forum for advertising your services. 
> > I personally have had trouble getting simple answers from > companies, and I don't think Ralf's question was out of line. > > Is your arrogant, condescending, and unprofessional attitude > a reflection on your entire British Columbia based company? > (My sincere apologies to the list for this email which should be private. If you don't want to read yet another flame then move along to the next message.) Dear Gomer, Since your email is BROKEN to the point that one CANNOT EVEN REPLY to it I am forced to subject the gentle readers of this list to my reply to your idiocy. (Maybe this is why you can't get your simple answers. Maybe all your simple answers are bouncing back to the vendors in question.) My points: 1) Mr. Dillon was not advertising. It was a minor flame. Get a grip. 2) Ralf's question *was* out of line in that a call to the vendor in question would have resolved it instantly. His question, asked here, is like someone walking into a Safeway store and asking the people there how much the cars cost at the Chevy dealer across the street. Can you say stooopid? 3) Mr. Dillon's attitude was neither arrogant nor unprofessional. Perhaps a wee bit condescending, but this is the normal voice one adopts when speaking to an apparently dense person. 4) Methinks you're ALONE on this one. -- Doug From firewalls-owner Wed Jun 5 15:20:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA12469 for firewalls-outgoing; Wed, 5 Jun 1996 15:05:12 -0700 (PDT) Received: from orion.webspan.net (orion.webspan.net [206.154.70.41]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA12462 for ; Wed, 5 Jun 1996 15:05:04 -0700 (PDT) Received: from localhost (scanner@localhost) by orion.webspan.net (8.7.5/8.6.12) with SMTP id SAA25768; Wed, 5 Jun 1996 18:02:01 -0400 (EDT) Date: Wed, 5 Jun 1996 18:02:01 -0400 (EDT) From: Chris Watson To: Steve Bergeon cc: firewalls@GreatCircle.COM Subject: Re: unknown in tcpwrappers? 
In-Reply-To: <9606050828.ZM6392@sbergeon.neosoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Steve Bergeon wrote: > Wrappers were unable to verify the systems name and ip address match. > This could just be someone attempting access from an isp that does not > have dns names assigned to all of its' address space. Or... > > If you want unresolvable systems to have access to a service, you can > use the keyword UNKNOWN in your hosts.allow file. No, I DON'T want them to get in, but what is getting me riled is the fact that this line: Jun 4 23:23:32 orion telnetd[10526]: refused connect from unknown will repeat over and over and over and over for like 5 pages of logs. I'm getting extremely annoyed at this. At first I thought it was a random goof, but then I sit down and look at 9 or more pages of logs with nothing in them but the same line above for 9 pages; something is going on. No one is dumb enough to keep trying and trying and trying to telnet in with no luck. I get the same line every night repeatedly. I don't know if I should be worried about this or not. I mean they're NOT getting in, but they are constantly trying; it's driving me nuts. Any way to find out the source IP? I want to figure out how to get rid of this person or automated something. -- ===================================| Webspan Inc., ISP Division. FreeBSD 2.1.0 is available now! | Phone: 908-367-8030 ext. 126 -----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701 Turning PCs into Workstations | E-Mail: scanner@webspan.net http://www.freebsd.org | SysAdmin / Network Engineer / Security ===================================| Member BSDNET team! http://www.bsdnet.org 
From firewalls-owner Wed Jun 5 15:37:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA14681 for firewalls-outgoing; Wed, 5 Jun 1996 15:28:35 -0700 (PDT) Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA14674 for ; Wed, 5 Jun 1996 15:28:21 -0700 (PDT) Received: from 139.188.22.50 (139.188.22.50) by gatekeeper.alcatel.com.au Received: from gsms01.alcatel.com.au (gsms01.alcatel.com.au) Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.6.12/8.6.12) Date: Thu, 06 Jun 1996 08:25:46 +1000 From: Peter Jeremy Subject: Re: IANA private network numbers .. To: firewalls@GreatCircle.COM Message-id: <199606052225.IAA25447@gsms01.alcatel.com.au> Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 5 Jun 1996, Michael Dillon wrote: >As long as the unregistered networks use the private network numbers from >RFC1918 you won't ever have any problems. At least until you merge with another company that is also using the same RFC1918 address block. 
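Two things in this thread are easier to reason about with code in hand: the STRING_UNKNOWN / STRING_PARANOID placeholders Nelson quotes from eval.c (which decide what the UNKNOWN, KNOWN and PARANOID wildcards in hosts.allow match), and the flood of "refused connect from unknown" lines Chris is looking at. The block below is an added example for this page, not code from the list or from the tcp_wrappers distribution. It re-expresses the client classification and pattern-matching rules of hosts_access(5) in Python (EXCEPT lists and daemon@host forms are left out), and aggregates tcpd refusal lines by daemon and client; the log lines it runs on are constructed to match the format of the one Chris pasted. The one point the aggregator makes explicit is that "unknown" in that position is the placeholder tcpd uses when it had neither a name nor an address to print, so the source cannot be recovered from the log line itself and has to come from packet-level logging instead.

```python
# Added example: tcp_wrappers client states, hosts.allow pattern matching,
# and a summary of "refused connect from" syslog lines. Sample log is constructed.
import re
from collections import defaultdict
from datetime import datetime

UNKNOWN, PARANOID = "unknown", "paranoid"   # tcpd's placeholder strings

def classify_client(addr, rev_name, fwd_addrs):
    """Return (name, address) as tcpd would fill them in.
    addr: peer address from getpeername(), None if unavailable;
    rev_name: PTR result for addr, None if the lookup failed;
    fwd_addrs: addresses the forward lookup of rev_name returned."""
    if addr is None:
        return UNKNOWN, UNKNOWN          # nothing at all to log: "from unknown"
    if rev_name is None:
        return UNKNOWN, addr             # name unknown, address still known
    if addr not in fwd_addrs:
        return PARANOID, addr            # name/address conflict
    return rev_name.lower(), addr

def _ip(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def match_pattern(pattern, name, addr):
    """One client pattern from hosts.allow / hosts.deny (EXCEPT omitted)."""
    p = pattern.upper()
    known_name = name not in (UNKNOWN, PARANOID)
    if p == "ALL":
        return True
    if p == "UNKNOWN":                   # name OR address unknown
        return name == UNKNOWN or addr == UNKNOWN
    if p == "KNOWN":                     # name AND address known
        return known_name and addr != UNKNOWN
    if p == "PARANOID":
        return name == PARANOID
    if p == "LOCAL":                     # known name without a dot
        return known_name and "." not in name
    if pattern.startswith("."):          # domain suffix
        return known_name and name.endswith(pattern.lower())
    if pattern.endswith("."):            # address prefix
        return addr != UNKNOWN and addr.startswith(pattern)
    if "/" in pattern:                   # net/mask
        net, mask = pattern.split("/", 1)
        return addr != UNKNOWN and _ip(addr) & _ip(mask) == _ip(net) & _ip(mask)
    return pattern.lower() == name or pattern == addr

def hosts_access(allow, deny, daemon, name, addr):
    """tcpd order: first hosts.allow match grants, then first hosts.deny
    match refuses, otherwise access is granted. Each table is a list of
    (daemon_list, client_list) entries."""
    def hit(table):
        return any(("ALL" in ds or daemon in ds) and
                   any(match_pattern(c, name, addr) for c in cs)
                   for ds, cs in table)
    return True if hit(allow) else not hit(deny)

LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: "
                    r"refused connect from (\S+)")

def summarize_refusals(lines, year=1996):
    """Group refusals by (daemon, client). A client of 'unknown' means tcpd
    had neither a name nor an address, so the line cannot give the source."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, daemon, client = m.groups()
            when = datetime.strptime("%d %s" % (year, " ".join(ts.split())),
                                     "%Y %b %d %H:%M:%S")
            seen[(daemon, client)].append(when)
    report = []
    for (daemon, client), times in seen.items():
        times.sort()
        minutes = max((times[-1] - times[0]).total_seconds() / 60, 1)
        report.append({"daemon": daemon, "client": client, "count": len(times),
                       "first": times[0], "last": times[-1],
                       "per_minute": len(times) / minutes,
                       "source_in_log": client != UNKNOWN})
    return sorted(report, key=lambda r: -r["count"])

SAMPLE_LOG = """\
Jun  4 23:23:32 orion telnetd[10526]: refused connect from unknown
Jun  4 23:23:33 orion telnetd[10527]: refused connect from unknown
Jun  4 23:23:35 orion telnetd[10529]: refused connect from unknown
Jun  4 23:23:36 orion telnetd[10530]: refused connect from unknown
Jun  4 23:40:01 orion ftpd[10611]: refused connect from paranoid
Jun  5 01:02:10 orion telnetd[10802]: refused connect from 192.0.2.44
""".splitlines()

if __name__ == "__main__":
    for r in summarize_refusals(SAMPLE_LOG):
        print("%-8s %-12s %3d hits %5.1f/min  source in log: %s"
              % (r["daemon"], r["client"], r["count"], r["per_minute"], r["source_in_log"]))
```

With a hosts.allow of `ALL: LOCAL, .example.com` and a hosts.deny of `ALL: ALL`, `hosts_access` refuses a client classified as unknown/unknown, which is exactly the entry Steve describes; adding `UNKNOWN` to the allow list would let it in. For the log flood, the summary separates the bursts that carry a usable address from the "unknown" ones that do not.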
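Peter's merger case is worth seeing concretely, because the collision is usually partial (one side's /17 inside the other side's /16) rather than a neat one-to-one clash. The block below is an added example for this page, not code from the list; the two address plans in it are constructed, and it uses only the standard library `ipaddress` module to list the overlapping pairs and to find unused blocks inside 10/8 that the side that has to renumber could move into.

```python
# Added example: detect RFC1918 collisions between two merged address plans
# and propose free blocks for renumbering. Both plans below are made up.
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(net):
    """True if `net` lies entirely inside one of the RFC1918 blocks."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(block) for block in RFC1918)

def collisions(plan_a, plan_b):
    """Return (a, b) pairs of networks that overlap, in plan order."""
    out = []
    for a in map(ipaddress.ip_network, plan_a):
        for b in map(ipaddress.ip_network, plan_b):
            if a.overlaps(b):
                out.append((str(a), str(b)))
    return out

def free_blocks(plan_a, plan_b, parent="10.0.0.0/8", prefixlen=16, limit=3):
    """First `limit` /prefixlen subnets of `parent` that neither plan touches,
    i.e. candidates for whichever side ends up renumbering."""
    used = [ipaddress.ip_network(n) for n in list(plan_a) + list(plan_b)]
    found = []
    for cand in ipaddress.ip_network(parent).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            found.append(str(cand))
            if len(found) == limit:
                break
    return found

# constructed plans: both companies reached for 10/8 and 192.168.10/24
COMPANY_A = ["10.0.0.0/16", "10.1.0.0/16", "192.168.10.0/24"]
COMPANY_B = ["10.1.128.0/17", "10.2.0.0/16", "192.168.10.0/25", "172.16.0.0/24"]

if __name__ == "__main__":
    for a, b in collisions(COMPANY_A, COMPANY_B):
        print("collision: %s (A) overlaps %s (B)" % (a, b))
    print("free /16s in 10/8:", ", ".join(free_blocks(COMPANY_A, COMPANY_B)))
```

Running it on the constructed plans reports two collisions (10.1.0.0/16 against 10.1.128.0/17, and the two 192.168.10 blocks) and offers 10.3.0.0/16 onwards as unused space; the same check is what you would run before connecting two RFC1918 networks over a private link, where no NAT sits in between to hide the overlap.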
Peter ---- Peter Jeremy (VK2PJ) peter.jeremy@alcatel.com.au Alcatel Australia Limited 41 Mandible St Phone: +61 2 690 5019 ALEXANDRIA NSW 2015 Fax: +61 2 690 5247 PGP fingerprint: 2A C6 47 D1 BF 56 5A 10 CC 02 2D 89 EA 10 AA 40 From firewalls-owner Wed Jun 5 15:37:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA06105 for firewalls-outgoing; Wed, 5 Jun 1996 14:12:37 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA05971 for ; Wed, 5 Jun 1996 14:11:55 -0700 (PDT) Received: from lexicon.ins.com (atl-dynamic5.ins.com [199.0.194.5]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id OAA03812; Wed, 5 Jun 1996 14:08:49 -0700 (PDT) Date: Wed, 5 Jun 1996 14:08:49 -0700 (PDT) Message-Id: <2.2.16.19960605141155.31ef8f70@lexicon.ins.com> X-Sender: matovu_g@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) From: George Matovu Subject: Re: ICMP Source Quench Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would say block them. They would indicate to a denial of service attacker how effective his/her efforts are. George. At 04:26 AM 6/5/96 PDT, you wrote: >I've noticed a lot of ICMP Source Quench packets in my firewall logs. They >are (or were more precisely) outbound. My references say that this is a >primitive form of flow control. What are people's experiences with allowing >this as an outbound packet. I don't see any security risk offhand, but >I'd like to know what others have seen. Does anyone know of any security >weaknesses related to Source Quench? 
>
>Thanks,
>
>BobK
>

From firewalls-owner Wed Jun 5 16:40:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA22106 for firewalls-outgoing; Wed, 5 Jun 1996 16:14:18 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA22086 for ; Wed, 5 Jun 1996 16:14:07 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id PAA19482; Wed, 5 Jun 1996 15:26:18 -0700
Date: Wed, 5 Jun 1996 16:09:40 -0700 (PDT)
From: Michael Dillon
To: "'Firewalls'"
cc: bbench@cdnoxy.com
Subject: RE: Memra
In-Reply-To: <31B5EF48@clavin017.aec.ca>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Post, Lenny wrote:
> >Ontario-based company... (cdnoxy.com = Canadian Occidental Petroleum
> >Ltd. @ Calgary, Ontario)
>
> The city of Calgary resides in the province of Alberta (not Ontario).
> (We in the west just want to make that clear :-) :-) :-)

Guess what? Canadian Occidental has it listed as Ontario in the Internic's
whois database too. Maybe we should tell Brian Bench about this? Note CC
above....

Of course this may just be another case of those Eastern Imperialists
attempting to foment Western alienation.... You guys at Atomic Energy Canada
wouldn't have a firewall that we could install between Ontario and Manitoba,
would you?

And for the rest of you, it is always a good idea to review your registration
info in the Internic's database because they DO make mistakes, they DO get
nameserver IP addresses wrong and they DO occasionally change things
unannounced and without your permission. If you review your info every once
in a while you can keep it on track.
I have even heard of denial of service attacks caused by people maliciously
updating a company's Internic info.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 17:15:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA20970 for firewalls-outgoing; Wed, 5 Jun 1996 16:07:10 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA20923 for ; Wed, 5 Jun 1996 16:06:52 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id PAA19325; Wed, 5 Jun 1996 15:19:51 -0700
Date: Wed, 5 Jun 1996 16:03:11 -0700 (PDT)
From: Michael Dillon
To: Mike Jones
cc: firewalls@GreatCircle.COM
Subject: Re: IANA private network numbers ..
In-Reply-To: <9606051953.AA05961@bass.unifiedtech.com>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Mike Jones wrote:
> In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> you're completely off base on this one.

I think what you mean to say is that using RFC1918 addresses doesn't
necessarily require a proxy firewall if you have a set of registered
addresses that can be used with a NAT in between to translate.

I was thinking of the scenario in which no NAT is used, all hosts on the
internal networks have RFC1918 addresses and all access to the Internet is
through a proxy firewall that consumes one single registered host IP
address.

Both scenarios are possible and both accomplish different things.
For instance, in the NAT scenario anyone can set up a WWW server on their
desktop and give access to the global Internet assuming that there are no
packet filters in place to prevent it. In the non-NAT scenario the desktop
WWW server is inaccessible to the global Internet because only the one proxy
server is visible globally. However, the admin could open up a plug-gw on
some port of the proxy server to provide access to that desktop WWW server if
it was warranted but the URL would then be http://firewall.yourdomain.com:5555
or some such.

Just in case someone is lurking out there wondering what NAT is, it stands
for Network Address Translator and it converts IP addresses (and a bit of
other stuff) on the fly so that you can renumber your network from the global
point of view without doing anything locally other than installing and
configuring the NAT.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 17:36:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24914 for firewalls-outgoing; Wed, 5 Jun 1996 16:44:39 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id QAA24903 for firewalls@greatcircle.com; Wed, 5 Jun 1996 16:44:33 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA00978 for ; Mon, 3 Jun 1996 23:59:13 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from ns.coy.com(206.224.78.2) by mycroft via smap (V1.3mjr)
Received: (from coy@localhost) by ns.coy.com (8.7.4/8.7.3) id SAA26486; Mon, 3 Jun 1996 18:14:55 -0500
Date: Mon, 3 Jun 1996 18:14:54 -0500 (CDT)
From: RHS Linux User
To: ygerman
cc: Firewalls
Subject: Re: Ability To Track Logs
In-Reply-To: <9606031534.AA0078@grcstm-nx02.genre.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 3 Jun 1996, ygerman wrote:
> I am in a bind on how to accomplish something on our firewall.
> I would like to check the logs on the firewall continuously looking for certain
> fields and based on the fields initiate an action. The action will be mail to a
> different address depending on the field found.
>
> Currently I am setting this up via a c shell script and doing a grep for certain
> things every hour. The problem is I would like not to have to wait an hour. Has
> anyone had any experience with this. Is there a way to accomplish this easier?
> Please respond as soon as possible, thanks!

Have you considered Swatch (available at
ftp://coast.cs.purdue.edu/pub/tools/unix/swatch)? It watches a log file and
takes an action when a pattern matches.

Chip Coy
coy@coy.com
http://www.awebs.com/~coy/
"Do not mistake composure for ease." - Tuvok

From firewalls-owner Wed Jun 5 17:38:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17130 for firewalls-outgoing; Wed, 5 Jun 1996 15:43:01 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA17091 for ; Wed, 5 Jun 1996 15:42:32 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id OAA18866; Wed, 5 Jun 1996 14:55:59 -0700
Date: Wed, 5 Jun 1996 15:39:19 -0700 (PDT)
From: Michael Dillon
To: Dana Brewer
cc: firewalls@GreatCircle.COM
Subject: Re: Compuserve
In-Reply-To:
Message-ID:
Organization: Memra Software Inc.
 - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Dana Brewer wrote:
> On Wed, 5 Jun 1996, Michael Dillon wrote:
>
> > If you are behind a firewall you also need to open a plug-gw on port 4144
> > and you need to go into the CIS.INI file and change occurrences of
> > "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
> > original CIS.INI here any more but I find lines like the following in
> > mine:
>
> Thanks! I needed this information. Does anyone know how to connect to
> America Online via TCP/IP from behind a firewall?

Basically the same way except that the port number that needs the plug-gw is
5190 and you need to edit TCP.CCL in the CCL directory to read like this:

	NetConnect 1 5190 10 firewall.yourdomain.com

instead of what was already there. I am using AOL 2.5 for Windows. On the
startup screen click Setup, then Edit Location, then select TCP/IP from the
Network drop-down box.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.
                                                    Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jun 5 17:38:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17168 for firewalls-outgoing; Wed, 5 Jun 1996 15:43:09 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA17064 for ; Wed, 5 Jun 1996 15:42:27 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id RAA29845; Wed, 5 Jun 1996 17:40:00 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id RAA10123; Wed, 5 Jun 1996 17:33:35 -0500
Received: by sonic.nmti.com; id AA29790; Wed, 5 Jun 1996 17:33:34 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9606052233.AA29790@sonic.nmti.com.nmti.com>
Subject: Re: Windows NT and Firewalls
To: ChrisP@steldyn.com (Chris Pugrud)
Date: Wed, 5 Jun 1996 17:33:33 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Chris Pugrud" at Jun 5, 96 01:45:28 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The key word in the above is "can". Machines can be individually configured
> as to whether or not to allow network access to individual resources. Where
> this is useful and relevant to firewalls is that I can set up a proxy server on
> a machine and then deny all network access to the machine (this is slightly
> misleading, it only denies access to resources on that machine, ports are
> not resources, and it in no way prevents that machine from going out and
> accessing resources) and set up my proxy ACL's using my existing users and
> groups, and to get accounting and audit trails based on these accounts.
And if someone compromises your internal server, they can waltz through your
firewall.

Basically, the only way I can see having a firewall on top of NT that I could
trust would be one where Workstation and Server are *completely* isolated
from TCP/IP, and there's a router between you and the internal network.

> Small businesses are connecting up to the Internet like nobody's business.
> If you feel that companies that can't afford a full time network security
> administrator to sit around and go "wow, the Internet sure is dangerous"
> don't have a right to be on the Internet then you really ought to buy a
> ticket to Jamaica while you can still afford it. (okay I've relaxed now)

If NT security is good enough that you can leave the bastion sitting there
using it to manage accesses, then it's good enough you don't need a bastion
at all.

When you set up a UNIX (BSD, Linux) bastion the first thing you do is shut
down inetd, sendmail, syslogd, lpd, and so on. NOW you can add proxies
without any concern that someone's going to hack the firewall through the
normal administration channels.

I can't see how you can get that sort of assurance with NT, and if you do
have that level of assurance you might as well toss the bastion, and simply
filter out accesses to low ports in case some twit's turned on the FTP
service or something... you can set up a filtering router a lot cheaper than
a dual homed bastion... if you bought an Ascend Pipeline to hook into the
Internet you've already got one, and the filtering rules for that are simple
enough even I'd trust you to get them right.

Personally, I don't have that level of trust in NT security. And whether the
firewall is running on top of NT or BSD or LSD I'm not going to administer
it over the network from a less-secure server. I'm going to sit down at the
console and drive the thing, or drive it from a VPN that only contains other
equally secure hosts.
And if you're a small enough company that you can't afford a full time net
nerd you're a small enough company it's not going to take more than half an
hour a week to do that.

From firewalls-owner Wed Jun 5 18:35:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06537 for firewalls-outgoing; Wed, 5 Jun 1996 18:30:26 -0700 (PDT)
Received: from mailhub.cts.com (mailhub.cts.com [192.188.72.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA06518 for ; Wed, 5 Jun 1996 18:30:15 -0700 (PDT)
Received: from rruda(really [204.212.129.32]) by mailhub.cts.com
Received: by rruda with Microsoft Mail
Message-ID: <01BB530D.1A1848E0@rruda>
From: Richard Ruda
To: "'Firewalls@GreatCircle.COM'"
Cc: "'bill.stout@hidata.com'"
Subject: RE: Firewalls-Digest V5 #356
Date: Wed, 5 Jun 1996 18:01:55 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BB530D.1A417BC0"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------ =_NextPart_000_01BB530D.1A417BC0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Tue, 4 Jun 1996 13:30:15 -0700 Bill Stout Wrote
Subject: NT DNS in 4.0b2

"The only drawback I've seen is not being able to connect to non-NT DNS
server properties."

Can you explain exactly what you mean. Will an internal DNS running on
NT4.0b2 not be able to say talk to a Unix firewall??
Thanks
Richard

------ =_NextPart_000_01BB530D.1A417BC0
Content-Type: application/x-tnef
Content-Transfer-Encoding: base64

------ =_NextPart_000_01BB530D.1A417BC0--

From firewalls-owner Wed Jun 5 18:59:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06566 for firewalls-outgoing; Wed, 5 Jun 1996 18:31:16 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA06559 for ; Wed, 5 Jun 1996 18:31:04 -0700 (PDT)
Received: by mercury.Sun.COM (Sun.COM)
Received: from nsg.Singapore.Sun.COM by Singapore.Sun.COM (SMI-8.6/SMI-5.3)
Received: by nsg.Singapore.Sun.COM (SMI-8.6/SMI-SVR4)
Date: Thu, 6 Jun 1996 09:25:32 +0800
From: rc@Singapore.Sun.COM (Ran-Chi Huang - Asia ENS Manager)
Message-Id: <199606060125.JAA13569@nsg.Singapore.Sun.COM>
To: akakinad@ccd.harris.com, ripper@dataway.com
Subject: Re: CISCO serial links
Cc: firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mathias,

You are absolutely right. We are using the ip unnumbered command which takes
the address of the ethernet interface. E.g.

	interface Serial0
	ip unnumbered Ethernet0

Hope this helps

-rc

> From ripper@dataway.com Thu Jun 6 03:10:34 1996
> Date: Wed, 05 Jun 1996 10:50:09 -0700
> From: Mathias Kolehmainen
> MIME-Version: 1.0
> To: "Achari U.M.
> Kakinada"
> CC: firewalls@GreatCircle.COM
> Subject: Re: CISCO serial links
> Content-Transfer-Encoding: 7bit
>
> Hi,
>
> Although I've never used it, I believe that the "ip-unnumbered" interface command
> will do the trick. It takes as an argument the number of another interface that
> does have an IP address.
>
>
>
> Achari U.M. Kakinada wrote:
> >        Cisco Router
> >             \
> >              \
> >               \ --- Serial link.
> >                \
> >              ISP Cisco Router
> >
> > In the above configuration, is it possible to configure the
> > serial interfaces of both Cisco routers without assigning any IP
> > addresses OR assigning IP host address ( only two IP addresses
> > shall be used ).
> --
>
> -------------------------------------
> Mathias Kolehmainen
> ripper@dataway.com
>
> "Now it flushes away AUTOMATICALLY!"
>

From firewalls-owner Thu Jun 6 00:46:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA17530 for firewalls-outgoing; Thu, 6 Jun 1996 00:21:47 -0700 (PDT)
Received: from gatekeeper.ebrd.com (gatekeeper.ebrd.com [193.128.203.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA17511 for ; Thu, 6 Jun 1996 00:21:23 -0700 (PDT)
Received: by gatekeeper.ebrd.com; id IAA24688; Thu, 6 Jun 1996 08:19:03 +0100
Received: from camalot.ebrd.com(193.128.31.1) by gatekeeper.ebrd.com via smap (g3.0.3)
Received: from ariel (ariel.ebrd.com) by ebrd.com (4.1/SMI-4.1)
Message-Id: <31B68655.3372@ebrd.com>
Date: Thu, 06 Jun 1996 08:18:45 +0100
From: Martin Marshall
Organization: European Bank for Reconstruction and Development
X-Mailer: Mozilla 2.01 (X11; I; SunOS 5.4 sun4m)
Mime-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: NT Firewalls
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We currently have a Unix Firewall solution, we would like to move to a
NT Firewall (If Possible).

Could anyone let me know where to jump, if a jump is to be made at all !
Any comments will be welcomed

Martin Marshall

From firewalls-owner Thu Jun 6 01:20:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA18166 for firewalls-outgoing; Thu, 6 Jun 1996 00:42:10 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id AAA18158 for firewalls@greatcircle.com; Thu, 6 Jun 1996 00:42:06 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA17726 for ; Wed, 5 Jun 1996 15:47:58 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from relay-4.mail.demon.net(158.152.1.108) by mycroft via smap (V1.3mjr)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net
Received: from youngman.demon.co.uk ([158.152.67.147]) by relay-3.mail.demon.net
Message-ID: <31B5F253.6DF@youngman.demon.co.uk>
Date: Wed, 05 Jun 1996 20:47:15 +0000
From: Jeremy Youngman
X-Mailer: Mozilla 2.02 (Win16; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Compuserve results
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi and thanks to everybody who has replied to my note about Compuserve.

I hope you get this reply - I sent five queries and apparently they did not
all arrive (some people only got one, and some people got the 5th followed by
the 4th; I got none :( but I digress...)

I had four replies from people successfully allowing Compuserve access.
Nobody said they had considered it but decided against, and nobody was aware
of any problems. So far so good...

I also had a few queries asking what I was talking about, so:

You can connect to Compuserve via the Internet instead of a dial-up link.
You do this by configuring your software to use WINSOCK and giving it the
name of a Compuserve gateway.
The s/ware then talks to Compuserve's TCP PORT 4144 (that's a rough summary).

I guess the benefit of this is that you can access Compuserve so long as you
have access to the Internet, without having to pay phone bills (unless your
Internet connection is a dial-up one ;) ). So this could be an advantage to
companies with direct Internet access.

A couple of people said they thought that Internet access only provided a
limited Telnet-type connection. As far as I could tell the access via PORT
4144 gives full Compuserve functionality - I can't tell for sure because I'm
not a great Compuserve user, but one of my respondents certainly thought
this. It's certainly more than just Telnet.

Note that you may need a certain level of WinCIM (V1.4?).

In summary: a number of people are doing it, there are no known probs, and
you can plug-gw it.

Hope this helps,

--
Jeremy Youngman             | ###### ## ##  | ("`-/")_.-'"``-.
jeremy@youngman.demon.co.uk |   ## #####    | . . `; -._ )-;-,_`)
Tel: +44 (0)1603 686258     |  # ## ##      | (v_,)' _ )`-.\ ``-'
PGP: Key avail on request   |  #### #####   | _.- _..-_/ / ((.'
----- All cats look grey in the dark -----   ((,.-' ((,/

From firewalls-owner Thu Jun 6 03:05:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA27833 for firewalls-outgoing; Thu, 6 Jun 1996 02:43:51 -0700 (PDT)
Received: from Legato.COM (legato.Legato.COM [137.69.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA27822 for ; Thu, 6 Jun 1996 02:43:35 -0700 (PDT)
Received: from jupiter.Legato.COM by Legato.COM (4.1/SMI-4.1)
Received: from hydrus.Legato.COM by jupiter.Legato.COM (5.x/SMI-SVR4)
Date: Thu, 6 Jun 1996 02:41:11 -0700
From: wbelfer@jupiter.Legato.COM (Warren Belfer)
Message-Id: <9606060941.AA19105@jupiter.Legato.COM>
To: firewalls@greatcircle.com
Subject: Re: Compuserve
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi folks,

Just to verify Compuserve access via direct internet.
I'm the sysop for our forum on compuserve and my only access is directly
over the internet. I use the latest version of wincim and have it set up to
use winsock.

The only limitation I'm aware of, is that during the day you may have
trouble getting in. I do my stuff at nite, but once the sun starts to come
up, I get lots of "WinSock" errors with the program advising me to fix my
winsock setup. In reality this is just a "busy signal" from their gateway
that the program doesn't handle very well.

Good luck

Warren

From firewalls-owner Thu Jun 6 03:20:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA27925 for firewalls-outgoing; Thu, 6 Jun 1996 02:46:19 -0700 (PDT)
Received: from swissbank.swissbank.com (swissbank.swissbank.com [146.180.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA27904 for ; Thu, 6 Jun 1996 02:45:35 -0700 (PDT)
Received: by swissbank.swissbank.com with UUCP
Received: from il.us.swissbank.com by gatekeeper.swissbank.com with SMTP
Received: from chmail.ch.swissbank.com (chmailhost) by il.us.swissbank.com (4.1/SBCW oconnor v1.3 96/06/04)
Received: from chbslu08 by chmail.ch.swissbank.com with SMTP id AA25562
Received: from cp690016 ([161.20.3.107]) by chbslu08 (4.1/SMI-4.1)
Date: Thu, 6 Jun 96 11:36:49 +0200
Message-Id: <9606060936.AA16675@chbslu08>
X-Sender: t075456@jupiter
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Martin Hauser
Subject: Re: Compuserve
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 5 Jun 1996, Michael Dillon wrote:
>
> > If you are behind a firewall you also need to open a plug-gw on port 4144
> > and you need to go into the CIS.INI file and change occurrences of
> > "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
> > original CIS.INI here any more but I find lines like the following in
> > mine:
...
SNIP

OK - this seems to work, but how secure is it? Are there any specs available
for this compuserve protocol (Compuserve has not been responsive to such
requests in the past)? Before opening a hole in the wall it would be nice to
know more about the protocol.

Martin

From firewalls-owner Thu Jun 6 04:55:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA03248 for firewalls-outgoing; Thu, 6 Jun 1996 04:32:30 -0700 (PDT)
Received: from mail.vtx.ch (mail.vtx.ch [194.51.92.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA03239 for ; Thu, 6 Jun 1996 04:32:15 -0700 (PDT)
Received: from tla03 (194.235.15.17) by mail.vtx.ch
Message-ID: <31B6BF97.2D00@tla.ch>
Date: Thu, 06 Jun 1996 13:23:03 +0200
From: Christian ALT
X-Mailer: Mozilla 2.01Gold (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: SNA Gateways on NT
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi to all,

We are conceiving a TCP/IP network with some other companies. We intend to
secure the access to our network by setting up a firewall. We have several
services that we want to let in. Among those services is the SNA gateway
traffic, from external clients to our internal SNA gateway running on NT.

We discovered that the ports 1478/tcp and 1477/tcp were used. We do not know
the content of that protocol. We are interested in getting information about
the security aspects of that protocol, authentication, encryption. We went
through the Microsoft documentation and were unable to find something
specific to those two points.

Does anybody have that kind of information, or did anyone study that point.
TIA

CHA

From firewalls-owner Thu Jun 6 05:08:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA03233 for firewalls-outgoing; Thu, 6 Jun 1996 04:31:47 -0700 (PDT)
Received: from inetgate.scitexdpi.com (firewall.sdp.scitex.com [149.115.248.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA03225 for ; Thu, 6 Jun 1996 04:31:34 -0700 (PDT)
Received: by inetgate.scitexdpi.com; id AA04264; Thu, 6 Jun 96 07:29:09 EDT
Received: from mailhub.scitexdpi.com(172.16.9.23) by inetgate.scitexdpi.com via smap (V3.1)
Received: from mailhub.scitexdpi.com by mailhub with SMTP id AA24477
Received: from sdphq-Message_Server by mailhub.scitexdpi.com
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 06 Jun 1996 07:28:22 -0400
From: Bob Allison
To: firewalls@GreatCircle.COM
Subject: Re: Compuserve -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Quick reminder to everyone using the Internet to get to Compu$erve and AOL:
Last I heard, your account/password information was transmitted in the
clear, which means, of course, that a snooper has access to your CS or AOL
account. (If this info is outdated, I'm sure someone will be kind enough to
tell me.)

>>> Dana Brewer 06/05/96 02:16pm >>>
On Wed, 5 Jun 1996, Michael Dillon wrote:

> If you are behind a firewall you also need to open a plug-gw on port 4144
> and you need to go into the CIS.INI file and change occurrences of
> "compuserve.com" to "firewall-machine.yourdomain.com". I don't have an
> original CIS.INI here any more but I find lines like the following in
> mine:

Thanks! I needed this information. Does anyone know how to connect to
America Online via TCP/IP from behind a firewall?

**************************************************************************
Dana Brewer                     Director, Computer Center
Internet: dana@nav.cc.tx.us     Navarro College
Phone : 903-874-6501            3200 W. 7th Ave.
FAX : 903-874-4636              Corsicana, TX 75110
All opinions stated are my own, and probably don't even vaguely resemble
those of Navarro College. :)
**************************************************************************

From firewalls-owner Thu Jun 6 05:16:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA03084 for firewalls-outgoing; Thu, 6 Jun 1996 04:25:22 -0700 (PDT)
Received: from fire1.sprintlink.net (fire1.sprintlink.net [206.229.244.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA03053 for ; Thu, 6 Jun 1996 04:25:00 -0700 (PDT)
Received: from fire2.int.sprintlink.net ([206.229.244.28]) by fire1.sprintlink.net
Received: from athens.int.sprintlink.net ([208.0.2.203]) by fire2.int.sprintlink.net
Received: (from rquinn@localhost) by athens.int.sprintlink.net (8.7.5/8.7.3) id HAA11347 for Firewalls@GreatCircle.COM; Thu, 6 Jun 1996 07:22:09 -0400 (EDT)
From: Rob Quinn
Message-Id: <199606061122.HAA11347@athens.int.sprintlink.net>
Subject: Re: unknown in tcpwrappers?
To: Firewalls@GreatCircle.COM
Date: Thu, 6 Jun 1996 07:22:09 -0400 (EDT)
In-Reply-To: <199606060800.BAA19258@miles.greatcircle.com> from "Firewalls-Digest" at Jun 6, 96 01:00:38 am
X-Alternate-Address: rjq@phys.ksu.edu
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Wed, 5 Jun 1996 18:02:01 -0400 (EDT)
> From: Chris Watson
> Subject: Re: unknown in tcpwrappers?
>
> No i DONT want them to get in but what is getting em riled is the fact
> that this line:
> Jun 4 23:23:32 orion telnetd[10526]: refused connect from unknown
> will repeat over and over and over and over for like 5 pages of logs.

You get that when you invoke the tcp wrappers from the command line. For
instance I just type ``tcpd'' and I get:

	athens tcpd[11337]: refused connect from unknown

Did you wrap some program that's being invoked from a cron job, like sendmail
or something?
> I'm getting extremely annoyed at this, at first I thought it was a random
> goof but then I sit down and look at 9 or more pages of logs with nothing
> in them but the same line above for 9 pages. Something is going on, no one
> is dumb enough to keep trying and trying and trying to telnet in with no
> luck. I get the same line every night repeatedly.

At fixed intervals? That would be a clue that it's cron.

--
| Rob Quinn                 |
| (703)904-2125             |
| rquinn@sprint.net         |
| Sprint Corporate Security |

From firewalls-owner Thu Jun 6 06:00:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA08527 for firewalls-outgoing; Thu, 6 Jun 1996 05:40:51 -0700 (PDT)
Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA08470 for ; Thu, 6 Jun 1996 05:40:26 -0700 (PDT)
Received: from bass.unifiedtech.com by anchorsteam (5.x/SMI-SVR4)
Received: by bass.unifiedtech.com (5.x/SMI-SVR4)
Date: Thu, 6 Jun 1996 08:26:01 -0400
From: Mike.Jones@unifiedtech.com (Mike Jones)
Message-Id: <9606061226.AA06299@bass.unifiedtech.com>
To: michael@memra.com
Subject: Re: IANA private network numbers ..
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You write..

> On Wed, 5 Jun 1996, Mike Jones wrote:
> > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> > you're completely off base on this one.

> I think what you mean to say is that using RFC1918 addresses doesn't
> necessarily require a proxy firewall if you have a set of registered
> addresses that can be used with a NAT in between to translate.

Basically, yes.

> I was thinking of the scenario in which no NAT is used, all hosts on the
> internal networks have RFC1918 addresses and all access to the Internet is
> through a proxy firewall that consumes one single registered host IP
> address.

Ah.
I would normally consider this to be a special case of NAT, but that's more a terminology difference than anything else.

> Both scenarios are possible and both accomplish different things. For
> instance, in the NAT scenario anyone can set up a WWW server on their
> desktop and give access to the global Internet assuming that there are no
> packet filters in place to prevent it.

It depends on how the NAT is done. FW-1, for example, supports three modes of doing this: All-to-1, which is the scenario you describe where the firewall only consumes 1 "real" IP address, Fixed, where there is a set correspondence between internal and translated addresses, which is the scenario you describe in the paragraph immediately above, and Dynamic, where "real" IPs are assigned "on demand" when connections are made. In this case it's generally not possible to give outside access to a desktop server because only specified addresses (typically for the organization's central mail server, web server, etc.) are allowed to be issued on a request from the outside.

From firewalls-owner Thu Jun 6 06:49:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11891 for firewalls-outgoing; Thu, 6 Jun 1996 06:31:03 -0700 (PDT)
Received: from wormhole.nav.cc.tx.us (wormhole.nav.cc.tx.us [205.165.189.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA11872 for ; Thu, 6 Jun 1996 06:30:50 -0700 (PDT)
Received: by wormhole.nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03)
Received: from dilbert.nav.cc.tx.us(205.165.188.145) by wormhole via smap (V1.3)
Received: from localhost by dilbert.nav.cc.tx.us (AIX 3.2/UCB 5.64/4.03)
Date: Thu, 6 Jun 1996 08:32:34 -0500 (CDT)
From: Dana Brewer
To: firewalls@greatcircle.com
Subject: Re: Compuserve -Reply
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for the answers about connecting AOL through a firewall.
**************************************************************************
Dana Brewer                       Internet: dana@nav.cc.tx.us
Director, Computer Center
Navarro College                   Phone : 903-874-6501
3200 W. 7th Ave.                  FAX : 903-874-4636
Corsicana, TX 75110
All opinions stated are my own, and probably don't even vaguely resemble those of Navarro College. :)
**************************************************************************

From firewalls-owner Thu Jun 6 06:50:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA12356 for firewalls-outgoing; Thu, 6 Jun 1996 06:43:52 -0700 (PDT)
Received: from hprofsdv.nwscc.sea06.navy.mil ([130.163.113.128]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA12348 for ; Thu, 6 Jun 1996 06:43:43 -0700 (PDT)
Received: from JB4061CACI by hprofsdv.nwscc.sea06.navy.mil with SMTP
Message-Id: <31B6FC00.2DC0@hprofsdv.nwscc.sea06.navy.mil>
Date: Thu, 06 Jun 1996 08:40:48 -0700
From: John Bell
Organization: CACI Inc (Federal)
X-Mailer: Mozilla 2.02 (Win16; I)
Mime-Version: 1.0
To: Martin Marshall
Cc: firewalls@greatcircle.com
Subject: Re: NT Firewalls
References: <31B68655.3372@ebrd.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Martin Marshall wrote:
>
> We currently have a Unix Firewall solution, we would like to move to a
> NT Firewall (If Possible).

Why?

>
> Could anyone let me know where to jump, if a jump is to be made at all !
>

Why the urge to jump? Doesn't your firewall work properly? You said above the firewall you have is a firewall solution... what new problems/wants/desires for feeping creaturism have you identified?

> Any comments will be welcomed

That's mine...

--
John Bell, CACI Inc (Federal) Bloomington, Indiana (Midwest RE-Engineering Division)
job@hprofsdv.nwscc.sea06.navy.mil -OR- jbii@mama.indstate.edu
"Hi ho! Yow! I'm surfing ARPANET!"
- anagram for "The Information Superhighway"

From firewalls-owner Thu Jun 6 07:27:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14225 for firewalls-outgoing; Thu, 6 Jun 1996 07:02:36 -0700 (PDT)
Received: from Cee-Jay ([199.126.187.170]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA14015 for ; Thu, 6 Jun 1996 07:01:50 -0700 (PDT)
Received: Smail 3.1.29.1 running on Cee-Jay - router: match_mx_hosts - transport: smtp)
Date: Thu, 6 Jun 1996 09:59:41 -0400 (EDT)
From: N D Ghaznavi
X-Sender: ndg@Cee-Jay.Reachit.com
To: Chris Watson
cc: firewalls@GreatCircle.COM
Subject: Re: unknown in tcpwrappers?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 5 Jun 1996, Steve Bergeon wrote:
>
> I don't know if I should be worried about this or not. I mean they're NOT
> getting in but they are constantly trying its driving me nuts.

I'm having a similar experience from named, which leads me to think that you're probably having DNS problems. I *think* this might be related to the version of BIND running, but that's really only a guess. This is from syslogd's `daemon' facility:

Jun 5 18:36:06 Cee-Jay named[75]: recvfrom: Connection refused
Jun 5 18:36:31 Cee-Jay named[75]: recvfrom: Connection refused
Jun 5 21:22:16 Cee-Jay named[75]: recvfrom: Connection refused
Jun 5 22:50:16 Cee-Jay named[75]: recvfrom: Connection refused
Jun 5 23:20:14 Cee-Jay named[75]: recvfrom: Connection refused
Jun 6 01:42:59 Cee-Jay named[75]: recvfrom: Connection refused
Jun 6 09:20:17 Cee-Jay named[75]: recvfrom: Connection refused
Jun 6 09:40:00 Cee-Jay named[75]: recvfrom: Connection refused

If anyone has any ideas about what exactly this is, please comment.
Nadim

--N D Ghaznavi-----------------------------------------------------------
Unix System Administrator                               ndg@CADlink.com
--CADlink.com--------Reachit.com--------Ghaznavi.com--------Apparel.org--

From firewalls-owner Thu Jun 6 07:35:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA13758 for firewalls-outgoing; Thu, 6 Jun 1996 06:59:57 -0700 (PDT)
Received: from eclipse.esr.com (eclipse.esr.com [204.77.128.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA13728 for ; Thu, 6 Jun 1996 06:59:43 -0700 (PDT)
Received: from cerberus.esr.com by eclipse.esr.com with SMTP (5.65/1.2-eef)
Received: from esig.esr.com ([204.77.128.38]) by cerberus.esr.com
Received: by esig.esr.com; Wed, 5 Jun 96 18:41:46 EDT
Date: Wed, 5 Jun 96 18:39:09 EDT
Message-Id:
X-Priority: 3 (Normal)
To:
From: "Mike Weaver, Senior Systems Consultant"
Subject: Re: WWW proxy to cut off Java.
X-Incognito-Sn: 946
X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Raptor Systems has also announced a patch for its Eagle Firewall that will allow their httpd to now support filtering based on mime types, the most important consequence of which is that you can now filter out Java applets.

------------- Original Text
>From nreadwin@london.micrognosis.com (Neil Readwin), on 6/4/96 8:06 PM:

> Because JavaScript is typically embedded within your HTML, you really
> can't block it at the firewall.

But you can try - Carl Claunch wrote a patch to the TIS http-gw that will filter java and javascript out of HTML as it goes by. Details are at http://www.hdshq.com/fixes/fwtk/welcome.html

Pointers to various other fwtk patches are at http://www.micrognosis.com/%7enreadwin/fwtk.html

fwtk related followups to the fwtk-users list please. Neil.

--
"For some reason all the very worst install scripts are written in csh." Geoff. Lane.
(in bofh.jobfh.misc)

#######################################################
# Mike Weaver                 Electronic Systems, Inc #
# Senior Systems Consultant   Richmond, Virginia      #
# mike@esr.com                (804) 330-5555          #
#######################################################
# Network Integration Services, Consulting, Internet  #
# A Commercial Internet Exchange Member               #
#######################################################

From firewalls-owner Thu Jun 6 07:50:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14364 for firewalls-outgoing; Thu, 6 Jun 1996 07:03:58 -0700 (PDT)
Received: from gatekeeper.mpsisys.com (ppp.mpsisys.com [198.65.132.134]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA14330 for ; Thu, 6 Jun 1996 07:03:33 -0700 (PDT)
Received: (from smap@localhost) by gatekeeper.mpsisys.com (8.6.10/8.6.10) id JAA08818 for ; Thu, 6 Jun 1996 09:01:10 -0500
Received: from mpsi.mpsisys.com(139.45.3.26) by gatekeeper.mpsisys.com via smap (V1.3)
Received: from omni.mpsisys.com by mpsi.mpsisys.com (AIX 3.2/UCB 5.64/4.03)
Received: by omni.mpsisys.com (AIX 4.1/UCB 5.64/4.03)
From: ralph@omni.mpsisys.com (Ralph Mitchell)
Message-Id: <9606061401.AA32826@omni.mpsisys.com>
Subject: Re: FLAME (was: Re: Memra)
To: firewalls@GreatCircle.COM
Date: Thu, 6 Jun 1996 09:01:05 -0500 (CDT)
In-Reply-To: <199606052130.PAA22194@ve6bc.ampr.ab.ca> from "Douglas R. Mackintosh" at Jun 5, 96 03:30:35 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> (My sincere apologies to the list for this email which should be private. If
> you don't want to read yet another flame then move along to the next message.)

I would like to apologise in advance too, as this is not really firewall related...
> Dear Gomer,
>
> Since your email is BROKEN to the point that one CANNOT EVEN REPLY to it I
> am forced to subject the gentle readers of this list to my reply to your
> idiocy.
>
> (Maybe this is why you can't get your simple answers. Maybe all your simple
> answers are bouncing back to the vendors in question.)

If his email is so completely broken, how is he getting mail from this list in the first place ? Can he even see these replies & flames ? If not, we might as well stop thumping on the table... :)

Just my $0.02

Ralph Mitchell (System Administrator)
--
MPSI Inc., 8282 South Memorial Drive, Tulsa, Oklahoma 74133
Email: ralph@mpsisys.com PHONE: 918-250-9611 x237 FAX: 918-254-8764
"Never underestimate the power of human stupidity" - Salvor Hardin, Foundation

From firewalls-owner Thu Jun 6 08:05:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18051 for firewalls-outgoing; Thu, 6 Jun 1996 07:39:33 -0700 (PDT)
Received: from 198.68.45.121 (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA18041 for ; Thu, 6 Jun 1996 07:39:18 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com
Received: by juneau.steldyn.com with Microsoft Exchange (IMC 4.12.736)
Message-ID:
From: Chris Pugrud
To: "'Martin Marshall'"
Subject: RE: NT Firewalls
Date: Thu, 6 Jun 1996 08:37:30 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since you already have a working UNIX firewall, there really is no compelling reason to switch to an NT product unless some exec on high (or really high exec ;>) is demanding the NT switch. The current generation of NT firewalls (0.9) offer no advantages over their UNIX counterparts. We have been going through some very heavy debating about what advantages we feel would be appropriate to use in NT and not create an extra security breach.
There is also a very heated and long running debate about whether or not NT is an appropriate platform to run a firewall on.

In short: At this point in time a jump is not appropriate (if the money is burning that bad of a hole in your pocket hire a security consultant to evaluate your current firewall). If you have an NT based network then at some point in the future (hopefully 8-12 months) feature sets will come about on NT platforms that do give them a distinct advantage. Hopefully at that time several of the security questions and snags will be worked out. When that time comes I don't doubt that we will still be here pissing and squabbling about the appropriateness of NT as a firewall, but don't worry, most of us here are more than a little conservative and paranoid about security.

Chris

>----------
>From: Martin Marshall[SMTP:marshall@ebrd.com]
>Sent: Thursday, June 06, 1996 1:18 AM
>To: Firewalls Mailing list
>Subject: NT Firewalls
>
>We currently have a Unix Firewall solution, we would like to move to a
>NT Firewall (If Possible).
>
>Could anyone let me know where to jump, if a jump is to be made at all !
>
>Any comments will be welcomed
>
>Martin Marshall
>

From firewalls-owner Thu Jun 6 08:42:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23214 for firewalls-outgoing; Thu, 6 Jun 1996 08:23:28 -0700 (PDT)
Received: from pimaia2y.prodigy.com (pimaia2y.prodigy.com [198.83.18.95]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA23194 for ; Thu, 6 Jun 1996 08:23:17 -0700 (PDT)
Received: from mime3.prodigy.com ([192.168.253.27]) by pimaia2y.prodigy.com (8.6.10/8.6.9) with ESMTP id KAD15772 for ; Thu, 6 Jun 1996 10:58:09 -0400
Received: (from root@localhost) by mime3.prodigy.com (8.6.10/8.6.9) id KAA21600 for firewalls@greatcircle.com; Thu, 6 Jun 1996 10:53:15 -0400
Message-Id: <199606061453.KAA21600@mime3.prodigy.com>
X-Mailer: Prodigy Internet GW(v0.9beta) - ae01dm04sc03
From: HFDK41A@prodigy.com (MR. JOHN K MOLNAR)
Date: Thu, 6 Jun 1996 10:53:15, -0500
To: firewalls@greatcircle.com
Subject: RE: cisco docs, user access
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Wed, 05 Jun 96 11:26:48 EDT
>From: Renee Landers [rlanders@sware.com]
>Sender: firewalls-owner@GreatCircle.COM [firewalls-owner@GreatCircle.COM]
>Subject: cisco docs, user access
>
>First, does anyone know of any third-party guides to configuring Cisco routers?
>(i.e. IOS for Dummies :-) Or does Cisco put out anything more useful than the
>UniverCD -- something that would provide guidelines for configuring, including
>information on some of the different configuration possibilities, something with
>actual chapters, and sections, and paragraphs? Perhaps I am just not looking
>hard enough at the UniverCD?
>
>Second, I have a Cisco router with version 10.2 of the software. I have several
>modems connected via async line to that router. I have defined several usernames
>with passwords. Is there a way to limit which users can connect to which modems?
>(I know I can prevent certain users from doing stuff once they get on, via access-
>classes, but can I reject the connection altogether?) Am I missing something,
>or is the capability just not there?
>
>Thanks for your help

Try taking a look at CCO, Cisco Online at www.cisco.com

-John Molnar

From firewalls-owner Thu Jun 6 09:21:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25881 for firewalls-outgoing; Thu, 6 Jun 1996 08:49:59 -0700 (PDT)
Received: from fw.pco.gc.ca (FW.PCO.GC.CA [198.103.111.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25862 for ; Thu, 6 Jun 1996 08:49:37 -0700 (PDT)
Received: from CABNET-Message_Server by pco.gc.ca
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 06 Jun 1996 11:46:49 -0400
From: Nicolas Tolstoy
To: Firewalls-Digest@GreatCircle.COM
Subject: Subject: Re: IANA private network numbers ..
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Jun 1996, Mike Jones wrote:
> In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> you're completely off base on this one.

Then please explain why Checkpoint advertises FireWall-1 as an application gateway ?
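The following is an added example for the "unknown in tcpwrappers?" thread earlier in this digest; it is not code from the list, from Chris Watson's system or from tcp_wrappers. It parses syslog lines of the shape Chris quoted and checks whether the refusals from a given source arrive at a fixed interval, which is the cron clue Rob Quinn asked about. The log lines are constructed for the example, and the year, the 5-minute cadence and the second source 10.1.2.3 are assumptions.

```python
"""Tell cron-driven tcpd noise from a real peer in 'refused connect from' lines.

Added example for the tcpd thread; not code from the list or from tcp_wrappers.
The log below is constructed to match the line Chris Watson quoted, plus a
made-up second source that shows up at irregular times.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# tcpd logs refusals as: "<syslog stamp> <host> <daemon>[<pid>]: refused connect from <source>"
REFUSED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: "
    r"refused connect from (?P<src>\S+)\s*$"
)

# Constructed sample log (not real data).
SAMPLE_LOG = """\
Jun  4 23:23:32 orion telnetd[10526]: refused connect from unknown
Jun  4 23:28:32 orion telnetd[10531]: refused connect from unknown
Jun  4 23:31:07 orion telnetd[10540]: refused connect from 10.1.2.3
Jun  4 23:31:44 orion telnetd[10541]: refused connect from 10.1.2.3
Jun  4 23:33:32 orion telnetd[10544]: refused connect from unknown
Jun  4 23:38:32 orion telnetd[10550]: refused connect from unknown
Jun  4 23:43:32 orion telnetd[10560]: refused connect from unknown
Jun  5 00:01:44 orion telnetd[10577]: refused connect from 10.1.2.3
"""


def parse_refusals(text, year=1996):
    """Return (timestamp, host, daemon, source) for every tcpd refusal line."""
    events = []
    for line in text.splitlines():
        m = REFUSED_RE.match(line)
        if not m:
            continue
        # syslog stamps carry no year, so the caller supplies it (assumed 1996 here)
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["prog"], m["src"]))
    return events


def periodicity(events, tolerance_s=5):
    """Per (host, daemon, source): count, median gap in seconds, and whether the gaps are regular."""
    stamps = defaultdict(list)
    for ts, host, prog, src in events:
        stamps[(host, prog, src)].append(ts)
    report = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        # "regular" needs at least three hits and every gap within tolerance of the median
        regular = len(times) >= 3 and all(abs(g - med) <= tolerance_s for g in gaps)
        report[key] = {"count": len(times), "median_gap_s": med, "regular": regular}
    return report


def diagnose(entry):
    """Turn a periodicity() entry into the question Rob Quinn asked: is it cron?"""
    if entry["regular"]:
        return "regular interval: look for a cron job or script that runs the wrapper directly"
    return "irregular: a real remote peer, check its reverse DNS and the packet filter logs"


if __name__ == "__main__":
    for key, entry in periodicity(parse_refusals(SAMPLE_LOG)).items():
        print(key, entry, "->", diagnose(entry))
```

Run it over a real syslog by passing the file contents to parse_refusals; the "unknown" source with five hits exactly 300 seconds apart is flagged as regular, while 10.1.2.3 (gaps of 37 s and 1800 s) is not. Pick tolerance_s to match the jitter of your cron and syslog timestamps.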
From firewalls-owner Thu Jun 6 09:26:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25594 for firewalls-outgoing; Thu, 6 Jun 1996 08:45:52 -0700 (PDT)
Received: from mailhub.cts.com (mailhub.cts.com [192.188.72.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25558 for ; Thu, 6 Jun 1996 08:45:33 -0700 (PDT)
Received: from rruda(really [204.212.129.32]) by mailhub.cts.com
Received: by rruda with Microsoft Mail
Message-ID: <01BB5384.98427020@rruda>
From: Richard Ruda
To: "'GreatCircles firewall message host'"
Subject: NT-DNS
Date: Thu, 6 Jun 1996 08:45:56 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Jun 1996 13:30:15 -0700 Bill Stout Wrote
Subject: NT DNS in 4.0b2
"The only drawback I've seen is not being able to connect to non-NT DNS server properties."

Can you explain exactly what you mean? Will an internal DNS running on NT4.0b2 not be able to say talk to a Unix firewall??

Thanks

Richard

From firewalls-owner Thu Jun 6 09:39:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25266 for firewalls-outgoing; Thu, 6 Jun 1996 08:42:45 -0700 (PDT)
Received: from fw.pco.gc.ca (FW.PCO.GC.CA [198.103.111.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25228 for ; Thu, 6 Jun 1996 08:42:30 -0700 (PDT)
Received: from CABNET-Message_Server by pco.gc.ca
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 06 Jun 1996 11:29:31 -0400
From: Nicolas Tolstoy
To: Firewalls-Digest@GreatCircle.COM
Subject: Re:Flame memra
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On June 5, someone wrote:
> Is your arrogant, condescending, and unprofessional attitude
> a reflection on your entire British Columbia based company?
>
>(My sincere apologies to the list for this E-mail which should be private.
1) BC is an independent entity from Michael; name four cities in the province and your dig can stand; otherwise "what a cheap shot at a great place".

2.) If meant as private mail, not only are you out of line, you've got your hat on backwards too.

3.) Perhaps Ralf's wording should have said "can someone get me a telephone number for TIS or a TIS fw var, I need a quote for.... it's urgent."

Nonetheless, Michael 9 Gomer 0

From firewalls-owner Thu Jun 6 09:53:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA26787 for firewalls-outgoing; Thu, 6 Jun 1996 09:01:38 -0700 (PDT)
Received: from lafvax (lafvax.lafayette.edu [139.147.8.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA26780 for ; Thu, 6 Jun 1996 09:01:29 -0700 (PDT)
Received: from stupid.lafayette.edu by lafvax.lafayette.edu (PMDF V5.0-4 #6834)
Received: from localhost by stupid.lafayette.edu (SMI-8.6/SMI-SVR4)
Date: Thu, 06 Jun 1996 11:56:23 -0400 (EDT)
From: John Mulligan
Subject: REQ:rshd command logging
To: firewalls@greatcircle.com
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Does anyone know of an rsh daemon replacement that will allow command logging? We have TCP_Wrappers 7.4 installed, if anything could be used in conjunction with that.

Systems include: Sun SPARCs running Solaris 2.5 and SunOS 4.1.3

Please reply via direct email to mulligan@stupid.lafayette.edu

Thanks!

John

John P.
Mulligan
Lafayette College ACS
PGP Public Key available at http://www.lafayette.edu/~mulligaj

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMbb/rX+KnP1k0ErJAQHtggMAjSZg4zInApXBda35pC4v1+0+XjXqCaH2
h8sbAVG2f9WYihuuqKPw6FnTMVwwySfOomQroTyfIVK6g9zFVkCUJVCNJXQeE2F2
W7NmZ/I57Nm92iR+7eQXZM9/bdQ2HbDG
=zpbe
-----END PGP SIGNATURE-----

From firewalls-owner Thu Jun 6 10:26:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03029 for firewalls-outgoing; Thu, 6 Jun 1996 10:01:03 -0700 (PDT)
Received: from netcom21.netcom.com (netcom21.netcom.com [192.100.81.135]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA02878 for ; Thu, 6 Jun 1996 10:00:21 -0700 (PDT)
Received: (from das@localhost) by netcom21.netcom.com (8.6.13/Netcom)
Date: Thu, 6 Jun 1996 09:56:42 -0700 (PDT)
From: Das Devaraj
Reply-To: Das Devaraj
Subject: Re: FLAME (was: Re: Memra)
To: Ralph Mitchell
cc: firewalls@GreatCircle.COM
In-Reply-To: <9606061401.AA32826@omni.mpsisys.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 6 Jun 1996, Ralph Mitchell wrote:

> If his email is so completely broken, how is he getting mail from this
> list in the first place ? Can he even see these replies & flames ? If
> not, we might as well stop thumping on the table... :)

Maybe not. A lot of people have taken to faking e-mail addresses, including fake domains, when they post to mailing lists and news groups. This is to prevent "personalized" spam messages, which are becoming increasingly popular these days.

Das

-------------------------------------------------------------------
Interested in Vegetarianism?
Vegetarian Restaurant Trek                  Web http://www.VegInfo.com
712 Bancroft Road #320                      e-mail info@VegInfo.com (subject Help)
Walnut Creek, CA 94598                      Interactive Voice/fax Response (510) 256-8420
USA

From firewalls-owner Thu Jun 6 10:41:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06219 for firewalls-outgoing; Thu, 6 Jun 1996 10:23:58 -0700 (PDT)
Received: from mailhub.cts.com (mailhub.cts.com [192.188.72.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06180 for ; Thu, 6 Jun 1996 10:23:43 -0700 (PDT)
Received: from rruda(really [204.212.129.32]) by mailhub.cts.com
Received: by rruda with Microsoft Mail
Message-ID: <01BB5392.4C79C540@rruda>
From: Richard Ruda
To: "'GreatCircles firewall message host'"
Cc: "'bill.stout@hidata.com'"
Subject: NT-DNS
Date: Thu, 6 Jun 1996 10:24:03 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Jun 1996 13:30:15 -0700 Bill Stout Wrote
Subject: NT DNS in 4.0b2
"The only drawback I've seen is not being able to connect to non-NT DNS server properties."

Can you explain exactly what you mean? Will an internal DNS running on NT4.0b2 not be able to say talk to a Unix firewall??
Thanks

Richard

From firewalls-owner Thu Jun 6 10:50:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06308 for firewalls-outgoing; Thu, 6 Jun 1996 10:25:18 -0700 (PDT)
Received: from netcomsv.netcom.com (uucp2.netcom.com [163.179.3.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06273 for ; Thu, 6 Jun 1996 10:25:04 -0700 (PDT)
Received: from rise_2.UUCP by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1)
Received: from viper.rise.com by rise_2.rise_2.uucp.netcom.COM (4.1/SMI-4.1)
Date: Thu, 6 Jun 96 10:20:07 PDT
From: rise_2!dzung@netcom.com (Dzung Tran)
Message-Id: <9606061720.AA24039@rise_2.rise_2.uucp.netcom.COM>
To: Firewalls-Digest@GreatCircle.COM
Subject: Re: Subject: Re: IANA private network numbers ..
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > On Wed, 5 Jun 1996, Mike Jones wrote:
> > > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> > > you're completely off base on this one.
>
> Then please explain why Checkpoint advertises FireWall-1 as an
> application gateway ?
>

According to Network Computing Magazine (4/1/96):

".. CheckPoint FireWall-1 uses a powerful scripting language called Inspect, which dynamically tracks and examines packets up through the application layer. Even though it does not implement proxies in the traditional sense, like Gauntlet and CyberGuard, its ability to analyze the application data allows CheckPoint to implement many of the same capabilities without sacrificing performance.."
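The following is an added example, not Check Point's INSPECT code nor anything posted to the list: a toy stateful NAT gateway that implements the three FW-1 translation modes Mike Jones described earlier in this digest (All-to-1 hide NAT, Fixed one-to-one mappings, Dynamic addresses leased from a pool) and admits inbound packets only when a tracked connection or a Fixed mapping says so, which is the "dynamically tracks packets" property the magazine quote above refers to. The internal hosts are made up and the public addresses are taken from the RFC 5737 documentation ranges; the rule that only Fixed mappings accept unsolicited connections follows Mike's description and is an assumption about the policy, not FW-1's actual rule base.

```python
"""Stateful NAT in the three modes Mike Jones described for FW-1.

Added example, not Check Point code. Addresses are from the RFC 5737
documentation ranges; the hosts and policy are constructed for the example.
"""
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True on the first packet of a TCP connection


class NatGateway:
    def __init__(self, hide_ip, static=None, pool=(), dynamic_hosts=()):
        self.hide_ip = hide_ip                   # All-to-1: one real address for everyone
        self.static = dict(static or {})         # Fixed: internal ip -> real ip
        self.static_rev = {v: k for k, v in self.static.items()}
        self.pool = list(pool)                   # Dynamic: real ips leased on demand
        self.dynamic_hosts = set(dynamic_hosts)  # internal hosts that use the pool
        self.leases = {}                         # internal ip -> leased real ip
        self.flows = {}      # (pub_ip, pub_port, peer_ip, peer_port) -> (int_ip, int_port)
        self.flows_rev = {}  # (int_ip, int_port, peer_ip, peer_port) -> (pub_ip, pub_port)
        self._hide_ports = itertools.count(10000)

    def _public_endpoint(self, p):
        """Choose the translated source for a new outbound flow; None if none is free."""
        if p.src in self.static:
            return self.static[p.src], p.sport
        if p.src in self.dynamic_hosts:
            if p.src not in self.leases:
                if not self.pool:
                    return None                  # pool exhausted: the connection fails
                self.leases[p.src] = self.pool.pop(0)
            return self.leases[p.src], p.sport
        return self.hide_ip, next(self._hide_ports)   # hide NAT rewrites the port as well

    def outbound(self, p):
        """Translate a packet leaving the internal network; None if it cannot be sent."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.flows_rev:
            endpoint = self._public_endpoint(p)
            if endpoint is None:
                return None
            self.flows_rev[key] = endpoint
            self.flows[(endpoint[0], endpoint[1], p.dst, p.dport)] = (p.src, p.sport)
        pub_ip, pub_port = self.flows_rev[key]
        return replace(p, src=pub_ip, sport=pub_port)

    def inbound(self, p):
        """Translate a packet arriving from outside, or return None to drop it."""
        tracked = self.flows.get((p.dst, p.dport, p.src, p.sport))
        if tracked is not None:                  # reply on a connection we saw go out
            return replace(p, dst=tracked[0], dport=tracked[1])
        if p.syn and p.dst in self.static_rev:   # new connection to a Fixed mapping
            internal = self.static_rev[p.dst]
            self.flows[(p.dst, p.dport, p.src, p.sport)] = (internal, p.dport)
            self.flows_rev[(internal, p.dport, p.src, p.sport)] = (p.dst, p.dport)
            return replace(p, dst=internal)
        return None   # hide and pool addresses never accept unsolicited connections


def scenario():
    """Run the desktop-web-server question from the thread through each mode."""
    gw = NatGateway("192.0.2.1", static={"10.0.0.80": "192.0.2.80"},
                    pool=["192.0.2.100"], dynamic_hosts={"10.0.0.7", "10.0.0.8"})
    out = {}
    out["hide_out"] = gw.outbound(Packet("10.0.0.5", 1025, "198.51.100.9", 80, syn=True))
    out["hide_reply"] = gw.inbound(Packet("198.51.100.9", 80, "192.0.2.1", out["hide_out"].sport))
    out["hide_unsolicited"] = gw.inbound(Packet("203.0.113.4", 40000, "192.0.2.1", 80, syn=True))
    out["static_in"] = gw.inbound(Packet("203.0.113.4", 40001, "192.0.2.80", 80, syn=True))
    out["static_in_data"] = gw.inbound(Packet("203.0.113.4", 40001, "192.0.2.80", 80))
    out["dynamic_out"] = gw.outbound(Packet("10.0.0.7", 2000, "198.51.100.9", 25, syn=True))
    out["dynamic_unsolicited"] = gw.inbound(Packet("203.0.113.4", 40002, "192.0.2.100", 80, syn=True))
    out["pool_exhausted"] = gw.outbound(Packet("10.0.0.8", 2001, "198.51.100.9", 25, syn=True))
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:20s} {result}")
```

The scenario shows the point of the exchange above: a desktop behind the All-to-1 address or a leased pool address can reach out, and replies come back because the gateway remembers the flow, but an outsider's SYN to those addresses is dropped, while the host with a Fixed mapping (the "central web server") is reachable from outside and its later data packets are matched by the same flow table.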
From firewalls-owner Thu Jun 6 11:02:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03030 for firewalls-outgoing; Thu, 6 Jun 1996 10:01:04 -0700 (PDT)
Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA02841 for ; Thu, 6 Jun 1996 10:00:13 -0700 (PDT)
Received: from dasmts.imc.das.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV)
Received: from mts.dec.com by dasmts.imc.das.dec.com (PMDF V5.0-7 #16470)
Received: with PMDF-MR; Thu, 06 Jun 1996 16:33:03 +0000 (GMT)
MR-Received: by mta MSDOA2; Relayed; Thu, 06 Jun 1996 16:33:03 +0000
MR-Received: by mta SOAREA; Relayed; Thu, 06 Jun 1996 16:32:51 +0000
MR-Received: by mta DASMTS; Relayed; Thu, 06 Jun 1996 16:33:05 +0000
Alternate-recipient: prohibited
Date: Thu, 06 Jun 1996 16:26:12 +0000 (GMT)
From: "WENDY HEDGPETH @CEO 704-827-7687"
Subject: RE: digital unix firewall 1
To: firewalls@greatcircle.com
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Posting-date: Thu, 06 Jun 1996 16:33:00 +0000 (GMT)
Importance: normal
UA-content-id: E115ZWIJHXGNB
X400-MTS-identifier: [;30336160606991/3331481@MSDOA]
A1-type: MAIL
Hop-count: 3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Juan,

I have been installing the digital unix firewall for the past year. We have recently rolled out DFU 2.0 which is GUI managed and can be integrated with a high-end multiple nodes solution. This should be what you are upgrading to. If you have any questions fire away and I'll do my best. I think there is another Digital firewall person on this list as well.
:)

Wendy

From firewalls-owner Thu Jun 6 11:06:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00911 for firewalls-outgoing; Thu, 6 Jun 1996 09:48:49 -0700 (PDT)
Received: from hidata.com ([205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00842 for ; Thu, 6 Jun 1996 09:48:29 -0700 (PDT)
Received: by hidata.com; id AA19648; Thu, 6 Jun 96 09:46:06 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Thu, 6 Jun 1996 09:46:00 -0700
Message-Id: <199606061646.JAA15537@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: RE: Firewalls-Digest V5 #356
Cc: "'bill.stout@hidata.com'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:01 PM 6/5/96 -0700, Richard Ruda wrote:
>On Tue, 4 Jun 1996 13:30:15 -0700
>Bill Stout
>Wrote Subject: NT DNS in 4.0b2
>"The only drawback I've seen is not being able to connect to non-NT DNS server properties."
>Can you explain exactly what you mean.
>Will an internal DNS running on NT4.0b2 not be able to say talk to a Unix firewall??

I don't mean the NT system can't do nslookups with a forwarder set to a firewall, it's just that the DNS administration program can only graphically display properties of other NT DNS systems. NT uses the control panel - networks to set the address of DNS servers.

>Thanks
>
>Richard
>
>
>
>

<=======10========20====Ruler for Eudora users==50========60========70========80
William B. Stout         | "Stop socialism in America!"
Senior Systems Admin     | "Dilbert for President."
Hitachi Data Systems     | "Police power today=police state tomorrow."
Open Systems Center      | "The secret of life - being part of the process of
Santa Clara, California  |  creation."
408-970-4822             | #include
<=======10========20========30========40========50========60========70========80

From firewalls-owner Thu Jun 6 11:20:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12009 for firewalls-outgoing; Thu, 6 Jun 1996 11:14:22 -0700 (PDT)
Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA11843 for ; Thu, 6 Jun 1996 11:13:00 -0700 (PDT)
Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1))
From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne)
Message-Id: <9606061805.AA17298@dsacg1.dsac.dla.mil>
Subject: Re: NT-DNS
To: rruda@osti.com (Richard Ruda)
Date: Thu, 6 Jun 96 14:05:19 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <01BB5384.98427020@rruda>; from "Richard Ruda" at Jun 6, 96 8:45 am
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> On Tue, 4 Jun 1996 13:30:15 -0700
> Bill Stout
> Wrote Subject: NT DNS in 4.0b2
> "The only drawback I've seen is not being able to connect to non-NT DNS server properties."
> Can you explain exactly what you mean.
> Will an internal DNS running on NT4.0b2 not be able to say talk to a Unix firewall??

Hi,

I set up an older version of DNS and in my testing, I ran into 2 problems which maybe you can elaborate on in this new version.

First, I could not just "move" my zone and revs to the NT server because we do secondary DNS for 50 domains. This equates to 50 zone files and 50 rev files. Well, when I set up the dns boot file on the NT box, I started the service, it ran for maybe 5 mins caching and then died, no errors, nothing. I also could not stop the service, I had to reboot the NT server. So, I thought ok, scale it back to just ONE domain (my local one). I deleted all other domains and started the service again, it cached for about 2 minutes and died.
Again, I tried to stop the service and it would not allow me to, so I had to reboot the NT server. This happened on a domain with around 2500 entries. I scaled it back to only 500 entries and tried again. This time the service started, ran with no errors. I then went to a unix box and tried nslookup on hosts I knew were in the DNS files on the NT server, I got absolutely NO responses from the NT server, and timed out on every attempt I tried to query on. I was able to use the nslookup client on the NT box and query EVERYTHING in the NT's domain files. I even configured the WINS entry in the zone file and that worked, but ONLY from the NT client. I never got nslookup on unix boxes (hpux, solaris, interactive, bsdi, sco) to work.

My 2 problems are does NT service other clients than just NT, and second, how much can you cache? If you can't cache secondary servers then I don't see NT DNS as doing anything worthwhile in DNS.

BTW the server had 64 MB of RAM, and was not doing anything, it was pretty much just idling.

Is this what you were talking about?

thanks
steve

>
> Thanks
>
> Richard
>
>
>
>

From firewalls-owner Thu Jun 6 12:16:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16876 for firewalls-outgoing; Thu, 6 Jun 1996 11:41:18 -0700 (PDT)
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16695 for ; Thu, 6 Jun 1996 11:40:29 -0700 (PDT)
From: jim@SmallWorks.COM
Received: from butthead.SmallWorks.COM by hosaka.smallworks.com (5.x/SMI-SVR4)
Received: by butthead.SmallWorks.COM (4.1/SPARCbook_POP1.3)
Date: Thu, 6 Jun 96 13:33:55 CDT
Message-Id: <9606061833.AA15356@butthead.SmallWorks.COM>
To: firewalls@GreatCircle.COM, rlanders@sware.com
Subject: Re: cisco docs, user access
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1) Load at least 10.3, preferably 11.0 or 11.1.
2) Configure TACACS+.
From firewalls-owner Thu Jun 6 12:26:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA17020 for firewalls-outgoing; Thu, 6 Jun 1996 11:41:56 -0700 (PDT)
Received: from gjones.inhouse.compuserve.com (gjones.inhouse.compuserve.com [149.174.150.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16779 for ; Thu, 6 Jun 1996 11:40:49 -0700 (PDT)
Received: from gjones.inhouse.compuserve.com (gjones@gjones.inhouse.compuserve.com [149.174.150.20]) by gjones.inhouse.compuserve.com (8.6.12/8.6.9) with SMTP id OAA03760; Thu, 6 Jun 1996 14:37:33 -0400
Date: Thu, 6 Jun 1996 14:37:33 -0400 (EDT)
From: "George M. Jones"
Reply-To: "George M. Jones"
Subject: Re: Compuserve -Reply
To: Bob Allison
cc: firewalls@GreatCircle.COM
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Quick reminder to everyone using the Internet to get to Compu$erve and AOL:
>
> Last I heard, your account/password information was transmitted in the
> clear, which means, of course, that a snooper has access to your CS or AOL
> account. (If this info is outdated, I'm sure someone will be kind enough to
> tell me.)

Passwords have been encrypted for about a year, starting with WinCIM 2.0. It is also in the Wow product.
---
George Jones
Internet Technologist, CompuServe, Inc., Columbus, Ohio, USA
Email: gjones@csi.compuserve.com, Voice: +1 614 538 4052, Fax: +1 614 457 0348
"He is no fool who gives what he can not keep, to gain what he can not lose" ---Jim Elliot

From firewalls-owner Thu Jun 6 12:35:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA15748 for firewalls-outgoing; Thu, 6 Jun 1996 11:34:46 -0700 (PDT)
Received: from icarus.nodewarrior.net ([206.117.97.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA15611 for ; Thu, 6 Jun 1996 11:34:10 -0700 (PDT)
Received: from bubba.earthlink.net ([192.237.125.153])
Message-ID: <31B72402.6F4@nodewarrior.net>
Date: Thu, 06 Jun 1996 11:31:30 -0700
From: hoff@nodewarrior.net (Christofer Hoff)
Organization: NodeWarrior NetWorks, Inc.
X-Mailer: Mozilla 2.01Gold (Win95; I)
MIME-Version: 1.0
To: Dzung Tran
CC: Firewalls-Digest@GreatCircle.COM
Subject: Re: Subject: Re: IANA private network numbers ..
References: <9606061720.AA24039@rise_2.rise_2.uucp.netcom.COM>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dzung Tran wrote:
> 
> > On Wed, 5 Jun 1996, Mike Jones wrote:
> > 
> > > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> > > you're completely off base on this one.
> > 
> > Then please explain why Checkpoint advertises Firewall-1 as an
> > application gateway ?
> 
> According to Network Computing Magazine (4/1/96):
> 
> ".. CheckPoint FireWall-1 uses a powerful scripting language called
> Inspect, which dynamically tracks and examines packets up through the
> application layer. Even though it does not implement proxies in the
> traditional sense, like Gauntlet and CyberGuard, its ability to
> analyze the application data allows CheckPoint to implement many of
> the same capabilities without sacrificing performance.."
Also, FW-1 DOES have FTP, Telnet, and HTTP proxies (which are considered application-level.)

Chris

From firewalls-owner Thu Jun 6 12:42:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA18737 for firewalls-outgoing; Thu, 6 Jun 1996 11:52:28 -0700 (PDT)
Received: from gjones.inhouse.compuserve.com (gjones.inhouse.compuserve.com [149.174.150.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA18730 for ; Thu, 6 Jun 1996 11:52:19 -0700 (PDT)
Received: from gjones.inhouse.compuserve.com (gjones@gjones.inhouse.compuserve.com [149.174.150.20]) by gjones.inhouse.compuserve.com (8.6.12/8.6.9) with SMTP id OAA03778; Thu, 6 Jun 1996 14:47:55 -0400
Date: Thu, 6 Jun 1996 14:47:55 -0400 (EDT)
From: "George M. Jones"
Reply-To: "George M. Jones"
Subject: Re: Compuserve
To: Michael Dillon
cc: Hugh Fraser
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 5 Jun 1996, Hugh Fraser wrote:
> 
> > expected. Performance, though, doesn't seem much faster than through one
> > of their dial-in ports.
> 
> I found it faster on the net, but then, I also set the speed in the
> Settings dialog to 38400 bps. I remember when I used to telnet directly to
> CompuServe that they would ask what speed you wanted to "simulate"
> because, of course, there were different fees for different speeds. Maybe
> WinCIM still negotiates the simulated speed?

The rate throttling stuff is gone. The only limits now are your line speed, the speed of the net between where you are and the hosts that pick up compuserve.com:{23,4144}. Once you get to the gateway hosts the limit will be the bandwidth from the gateway machines divided by the number of users (actually the sum of the load generated by all the users).
---
George Jones
Internet Technologist, CompuServe, Inc., Columbus, Ohio, USA
Email: gjones@csi.compuserve.com, Voice: +1 614 538 4052, Fax: +1 614 457 0348
"He is no fool who gives what he can not keep, to gain what he can not lose" ---Jim Elliot

From firewalls-owner Thu Jun 6 12:50:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA20059 for firewalls-outgoing; Thu, 6 Jun 1996 12:03:57 -0700 (PDT)
Received: from trex.netrex.com (trex.netrex.com [205.254.178.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA20052 for ; Thu, 6 Jun 1996 12:03:48 -0700 (PDT)
Received: from foghorn (foghorn [205.254.178.10]) by trex.netrex.com (8.7.5/8.7.3) with SMTP id OAA06684; Thu, 6 Jun 1996 14:47:09 -0400 (EDT)
Message-Id: <2.2.32.19960606184328.00ad0ae4@trex.netrex.com>
X-Sender: richards@trex.netrex.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 06 Jun 1996 14:43:28 -0400
To: rise_2!dzung@netcom.com (Dzung Tran)
From: "Richard D. Stiennon"
Subject: Re: Subject: Re: IANA private network numbers ..
Cc: Firewalls-Digest@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:20 AM 6/6/96 PDT, Dzung Tran wrote:
>
>>> On Wed, 5 Jun 1996, Mike Jones wrote:
>>
>> > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
>> > you're completely off base on this one.
>>
>> Then please explain why Checkpoint advertises Firewall-1 as an
>> application gateway ?
>>
>According to Network Computing Magazine (4/1/96):
>
>".. CheckPoint FireWall-1 uses a powerful scripting language called
>Inspect, which dynamically tracks and examines packets up through the
>application layer. Even though it does not implement proxies in the
>traditional sense, like Gauntlet and CyberGuard, its ability to
>analyze the application data allows CheckPoint to implement many of
>the same capabilities without sacrificing performance.."
Good summary. Firewall-1 uses a Stateful Multilayered Inspection (SMLI) technique. Inspect is a language that allows quick modifications. The SMLI engine is a virtual machine that resides within the kernel and examines packets and makes allow/disallow decisions based on the rule set and the state table. Very kewl.

Richard Stiennon                    richards@netrex.com
Director, Business Development      www.netrex.com/richard
Netrex, Inc.                        Voice: 810-352-9643
3000 Town Center, Suite 1100        Fax: 810-352-2375
Southfield, MI 48075

From firewalls-owner Thu Jun 6 13:20:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26328 for firewalls-outgoing; Thu, 6 Jun 1996 13:04:02 -0700 (PDT)
Received: from ftp.com (ftp.com [128.127.2.122]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA26301 for ; Thu, 6 Jun 1996 13:03:45 -0700 (PDT)
Received: from ftp.com by ftp.com ; Thu, 6 Jun 1996 16:01:21 -0400
Received: from mailserv-2high.ftp.com by ftp.com ; Thu, 6 Jun 1996 16:01:21 -0400
Received: by MAILSERV-2HIGH.FTP.COM (SMI-8.6/SMI-SVR4)
Date: Thu, 6 Jun 1996 16:01:19 -0400
Message-Id: <199606062001.QAA00167@MAILSERV-2HIGH.FTP.COM>
To: Firewalls-Digest@GreatCircle.COM
Subject: How to Connect WINS and DNS in NT 4.02 b2 ?
From: shishir@ftp.com
Reply-To: shishir@ftp.com
Repository: mailserv-2high.ftp.com, [message accepted at Thu Jun 6 16:01:15 1996]
Originating-Client: everest
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

..so that DNS checks the WINS database before returning a non-existent machine's ip-address/hostname.

Thank you.
shishir

From firewalls-owner Thu Jun 6 13:35:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26197 for firewalls-outgoing; Thu, 6 Jun 1996 13:03:10 -0700 (PDT)
Received: from schwab.com (s0052dev.schwab.com [162.93.15.188]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA26132 for ; Thu, 6 Jun 1996 13:02:52 -0700 (PDT)
Received: from s0043dev.schwab.com by schwab.com (8.6.9/SMI-4.1(950622rm))
Received: from w0102dev.schwab.com by s0043dev.schwab.com (4.1/SMI-4.1(950622rm))
Received: by w0102dev.schwab.com (5.x/SMI-SVR4)
Date: Thu, 6 Jun 1996 12:57:42 -0700
From: rricardo@schwab.com (ray ricardo)
Message-Id: <9606061957.AA01826@w0102dev.schwab.com>
To: firewalls@greatcircle.com
Subject: Gauntlet & Glance Plus
Cc: geraldine.martin@schwab.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are any Gauntlet 3.1 (sun/os) users using the performance measuring tool Glance Plus from HP on the firewall machine to measure its performance? If so, any adverse effects or install problems? Any better tools for this application?

From firewalls-owner Thu Jun 6 13:50:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA27541 for firewalls-outgoing; Thu, 6 Jun 1996 13:12:11 -0700 (PDT)
Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA27516 for ; Thu, 6 Jun 1996 13:11:58 -0700 (PDT)
Received: from bass.unifiedtech.com by anchorsteam (5.x/SMI-SVR4)
Received: by bass.unifiedtech.com (5.x/SMI-SVR4)
Date: Thu, 6 Jun 1996 15:57:18 -0400
From: Mike.Jones@unifiedtech.com (Mike Jones)
Message-Id: <9606061957.AA06584@bass.unifiedtech.com>
To: Firewalls-Digest@GreatCircle.COM, ntolstoy@pco.gc.ca
Subject: Re: Subject: Re: IANA private network numbers ..
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Wed, 5 Jun 1996, Mike Jones wrote:
> 
> > In fact, FireWall-1 offers NAT and it's not a proxy firewall. Michael,
> > you're completely off base on this one.
> 
> Then please explain why Checkpoint advertises Firewall-1 as an
> application gateway ?

I've never seen it advertised that way. They usually feature the phrase "advanced packet filter".

-- 
Mike.Jones@unifiedtech.com
August 24, 1945: After serving nearly 44 months in the navy, Bob Feller four-hits the Tigers in his first start.

From firewalls-owner Thu Jun 6 14:05:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA01875 for firewalls-outgoing; Thu, 6 Jun 1996 13:47:46 -0700 (PDT)
Received: from jalisco.optimum.net (jalisco.optimum.net [198.81.218.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA01834 for ; Thu, 6 Jun 1996 13:47:17 -0700 (PDT)
Received: by jalisco.optimum.net (5.67a/94071801)
Received: from GATEWAY by jalisco with netnews
To: firewalls@greatcircle.com
Date: Thu, 06 Jun 1996 16:44:48 -0400
Message-Id:
Organization: Optimum Group
From: list.firewalls@optimum.net (optimum.net newsgate)
Subject: Virus detection for http proxy servers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One of our users has been asking about virus protection against software he has downloaded through the Netscape proxy server. He was asking about something that would scan the software as it was being downloaded. I didn't think there was anything to do this, given all of the file formats, compression methods, and hardware platforms that could be using the proxy server, but I thought I'd look into it anyway.

Does anyone know of a solution or partial solution to this question?

Thank you!
Steve Pfister // Optimum Group
srp336@optimum.com

From firewalls-owner Thu Jun 6 14:50:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04576 for firewalls-outgoing; Thu, 6 Jun 1996 14:09:30 -0700 (PDT)
Received: from hosaka.smallworks.com (hosaka.SmallWorks.COM [192.207.126.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA04511 for ; Thu, 6 Jun 1996 14:09:06 -0700 (PDT)
From: jim@SmallWorks.COM
Received: from butthead.SmallWorks.COM by hosaka.smallworks.com (5.x/SMI-SVR4)
Received: by butthead.SmallWorks.COM (4.1/SPARCbook_POP1.3)
Date: Thu, 6 Jun 96 16:02:51 CDT
Message-Id: <9606062102.AA16224@butthead.SmallWorks.COM>
To: epperson@vak12ed.edu
Subject: Re: cisco docs, user access
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> BTW, according to Product Bulletin #367, 10.2(9) is still the highest GD.

And doesn't actually run on some of the newer hardware.

This has wandered far enough off-topic, no?

From firewalls-owner Thu Jun 6 14:55:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04722 for firewalls-outgoing; Thu, 6 Jun 1996 14:10:37 -0700 (PDT)
Received: from apollo.intermind.com (apollo.intermind.com [206.40.151.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA04683 for ; Thu, 6 Jun 1996 14:10:16 -0700 (PDT)
Received: from malkav.intermind.com ([206.40.150.122])
Message-Id: <2.2.32.19960606210744.00adf5d4@intermind.com>
X-Sender: jnoetzel@intermind.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 06 Jun 1996 14:07:44 -0700
To: firewalls@greatcircle.com
From: jnoetzel@intermind.com (Jeremy Noetzelman)
Subject: Firewalls and DNS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We'd like to have a split DNS with a public server and a private server.
We've initially started with two servers, one of which has dummy DNS entries, one of them has the real entries. The one with the real entries is behind the firewall, and is set up as a slave/forwarder to the external one with the dummy DNS entries. So far so good, but the problem is incredibly slow DNS lookups, which time out regularly. For example, with Netscape if you click on a link, it times out the first time, but the answer is available immediately on the second try.

I'm completely uncertain what the problem is. While this may not be a strict firewalls question, I'm sure it's one that is of interest to many. Any help would be much appreciated.

Jeremy Noetzelman

---
Jeremy Noetzelman            jnoetzel@intermind.com
Operations Specialist        Intermind Corporation

From firewalls-owner Thu Jun 6 15:08:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA01660 for firewalls-outgoing; Thu, 6 Jun 1996 13:46:00 -0700 (PDT)
Received: from aspen3.aspensys.com (aspensys3.aspensys.com [198.77.70.84]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA01568 for ; Thu, 6 Jun 1996 13:45:01 -0700 (PDT)
Received: from smtpinet.aspensys.com by aspen3.aspensys.com (SMI-8.6/SMI-SVR4)
Received: from ccMail by smtpinet.aspensys.com (SMTPLINK V2.10.08)
Date: Thu, 06 Jun 96 16:40:12 EST
From: "Jim Meritt"
Message-Id: <9605068341.AA834104815@smtpinet.aspensys.com>
To: firewalls@greatcircle.com, John Mulligan
Subject: Re: REQ:rshd command logging
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since you have the wrapper, and presumably are proficient in its use, why not just wrap the r* in the inetd.conf?

Jim Meritt

______________________________ Reply Separator _________________________________
Subject: REQ:rshd command logging
Author: John Mulligan at SMTPINET
Date: 6/6/96 1:31 PM

-----BEGIN PGP SIGNED MESSAGE-----

Does anyone know of an rsh daemon replacement that will allow command logging?
We have TCP_Wrappers 7.4 installed, if anything could be used in conjunction with that.

Systems include: SunSparcs running Solaris 2.5 and SunOS 4.1.3

Please reply via direct email to mulligan@stupid.lafayette.edu

Thanks!
John

John P. Mulligan
Lafayette College ACS
PGP Public Key available at http://www.lafayette.edu/~mulligaj

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMbb/rX+KnP1k0ErJAQHtggMAjSZg4zInApXBda35pC4v1+0+XjXqCaH2
h8sbAVG2f9WYihuuqKPw6FnTMVwwySfOomQroTyfIVK6g9zFVkCUJVCNJXQeE2F2
W7NmZ/I57Nm92iR+7eQXZM9/bdQ2HbDG
=zpbe
-----END PGP SIGNATURE-----

From firewalls-owner Thu Jun 6 15:22:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA01484 for firewalls-outgoing; Thu, 6 Jun 1996 13:44:17 -0700 (PDT)
Received: from hidata.com ([205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA01347; Thu, 6 Jun 1996 13:43:40 -0700 (PDT)
Received: by hidata.com; id AA20768; Thu, 6 Jun 96 13:41:13 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Thu, 6 Jun 1996 13:41:04 -0700
Message-Id: <199606062041.NAA16267@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM, rruda@osti.com (Richard Ruda)
From: Bill Stout
Subject: Re: NT-DNS
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Umm, let's take this offline before we freak the list out...

BTW - Also reference comp.os.ms-windows.nt.pre-release, comp.os.ms-windows.nt.admin.networking and majordomo@iss.net (NT Security)

Bill

At 02:05 PM 6/6/96 EDT, Steven C. Payne wrote:
>>
>>
>> On Tue, 4 Jun 1996 13:30:15 -0700
>> Bill Stout
>> Wrote Subject: NT DNS in 4.0b2
>> "The only drawback I've seen is not being able to connect to non-NT DNS server properties."
>> Can you explain exactly what you mean?
>> Will an internal DNS running on NT4.0b2 not be able to, say, talk to a Unix firewall??
>
>Hi,
>I setup an older version of DNS and in my testing, I ran into
>2 problems which maybe you can elaborate on in this new version.
>
>First, I could not just "move" my zone and revs to the NT server
>because we do secondary DNS for 50 domains. This equates to 50 zone
>files and 50 rev files. Well, when I set up the dns boot file on the
>NT box, I started the service it ran for maybe 5 mins caching and then died,
>no errors, nothing. I also could not stop the service, I had to reboot
>the NT server.
>
>So, I thought ok, scale it back to just ONE domain, (my local one)
>I deleted all other domains and started the service again, it cached for
>about 2 minutes and died. Again, I tried to stop the service and
>it would not allow me to, so I had to reboot the NT server.
>This happened on a domain with around 2500 entries.
>
>I scaled it back to only 500 entries and tried again. This
>time the services started, ran with no errors.
>
>I then went to a unix box and tried nslookup on hosts I knew
>were in the DNS files on the NT server, I got absolutely
>NO responses from the NT server, and timed out on every
>attempt I tried to query on.
>
>I was able to use the nslookup client on the NT box and query EVERYTHING
>in the NT's domain files. I even configured the WINS entry in the
>zone file and that worked, but ONLY from the NT client.
>I never got nslookup on unix boxes (hpux, solaris, interactive, bsdi, sco)
>to work.
>
>
>My 2 problems are does NT service other clients than just NT,
>and second, how much can you cache? If you can't cache secondary
>servers then I don't see NT DNS as doing anything worthwhile in DNS.
>BTW the server had 64 mg of ram, and was not doing anything, it was
>pretty much just idling.
>
>Is this what you were talking about?
>thanks
>steve
>>
>> Thanks
>>
>> Richard
>>
>>
>>
>>
>
>
>

<=======10========20====Ruler for Eudora users==50========60========70========80
William B. Stout          | "Stop socialism in America!"
Senior Systems Admin      | "Dilbert for President."
Hitachi Data Systems      | "Police power today=police state tomorrow."
Open Systems Center       | "The secret of life - being part of the process of
Santa Clara, California   |  creation."
408-970-4822              | #include
<=======10========20========30========40========50========60========70========80

From firewalls-owner Thu Jun 6 15:27:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA29573 for firewalls-outgoing; Thu, 6 Jun 1996 13:31:31 -0700 (PDT)
Received: from wpg-01.escape.ca (wpg-01.escape.ca [198.163.232.254]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA29555 for ; Thu, 6 Jun 1996 13:31:18 -0700 (PDT)
Received: from wpg-01.escape.ca (ts2dl17.escape.ca [198.163.232.132]) by wpg-01.escape.ca (8.6.11/8.6.11) with SMTP id PAA10910 for ; Thu, 6 Jun 1996 15:32:27 -0500
Message-Id: <199606062032.PAA10910@wpg-01.escape.ca>
Comments: Authenticated sender is
From: "Ratak"
Organization: Classified
To: Firewalls-Digest@GreatCircle.COM
Date: Thu, 6 Jun 1996 15:22:21 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Firewall for NT
X-mailer: Pegasus Mail for Win32 (v2.31)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I saw a post a little while ago about a Freeware or cheap NT firewall, but I didn't pay much attention. I wanted to put up this firewall while we wait for Firewall-1 NT...

Can someone repost that message?

Thank you

GarGoyle Securities
Network Intrusion Assessment Systems
Voice/Data/Fax: (204)878 2190
Email: ratak@escape.ca
PGP Key available via Keyserver nearest you. . .
Key Fingerprint= 25 03 97 D1 1E 9C 2D 98 D1 2F 8D EC 49 C2 64 12

From firewalls-owner Thu Jun 6 15:31:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA29180 for firewalls-outgoing; Thu, 6 Jun 1996 13:27:53 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA29139 for ; Thu, 6 Jun 1996 13:27:39 -0700 (PDT)
Message-Id: <199606062027.NAA29139@miles.greatcircle.com>
Received: by hp01.vak12ed.edu
From: "W.C. Epperson"
Subject: Re: cisco docs, user access
To: jim@SmallWorks.COM
Date: Thu, 06 Jun 1996 16:25:05 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <9606061833.AA15356@butthead.SmallWorks.COM>; from "jim@SmallWorks.COM" at Jun 6, 96 1:33 pm
X-Mailer: Elm [revision: 109.17]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jim appears to have advised:
> 
> 1) Load at least 10.3, preferably 11.0 or 11.1.
> 2) Configure TACACS+.
> 

And bear in mind that none of those releases are in General Deployment (GD), which is, according to Cisco, "The software version which has achieved a level of stability appropriate for general use in customers' networks". Their official policy is that only GD releases are appropriate for critical infrastructure use, although my experience is that their support engineers routinely recommend higher releases until confronted with the official policy.

My position is that if it ain't stable enough for general use, it ain't ready for use in access control. I know, I know, lots of folks use FCS and LD releases without problems (that they know of), but if the guys who own the source code won't put their deployment policy behind it, due care principles prevent me from using it for security. My $.02.

BTW, according to Product Bulletin #367, 10.2(9) is still the highest GD.

-- 
W.C. Epperson                   "I have great faith in fools.
Senior SE                        Self-confidence, my friends call it."
Information Security Officer          --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Thu Jun 6 16:13:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA11188 for firewalls-outgoing; Thu, 6 Jun 1996 15:17:52 -0700 (PDT)
Received: from antares.cica.indiana.edu (antares.cica.indiana.edu [129.79.20.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA11144 for ; Thu, 6 Jun 1996 15:17:33 -0700 (PDT)
From: emo@antares.cica.indiana.edu
Message-Id: <199606062217.PAA11144@miles.greatcircle.com>
Received: by antares.cica.indiana.edu
Date: Thu, 6 Jun 96 17:15:09 -0500
To: firewalls@greatcircle.com
Subject: Re: Virus detection for http proxy servers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>He was asking about something that would
>scan the software as it was being download

check out the products from McAfee Associates, http://www.mcafee.com.

good luck,
eric

From firewalls-owner Thu Jun 6 16:20:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA12087 for firewalls-outgoing; Thu, 6 Jun 1996 15:25:00 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA12038 for ; Thu, 6 Jun 1996 15:24:40 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.4/8.7.3) id PAA25075; Thu, 6 Jun 1996 15:22:12 -0700 (PDT)
Message-Id: <199606062222.PAA25075@salsa.gv.ssi1.com>
From: gdonl@gv.ssi1.com (Don Lewis)
Date: Thu, 6 Jun 1996 15:22:11 -0700
In-Reply-To: N D Ghaznavi
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: N D Ghaznavi
Subject: Re: unknown in tcpwrappers?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jun 6, 9:59am, N D Ghaznavi wrote:
} Subject: Re: unknown in tcpwrappers?
} I'm having a similar experience from named, which leads me to think that
} you're probably having DNS problems. I *think* this might be related to
} the version of BIND running, but that's really only a guess.
}
} This is from syslogd's `daemon' facility:
}
} Jun 5 18:36:06 Cee-Jay named[75]: recvfrom: Connection refused

Looks like you're running an early 4.9.3 Beta version of BIND on a Linux box. You should upgrade to 4.9.3-REL + Patch1 from http://www.isc.org/

---
Truck

From firewalls-owner Thu Jun 6 20:05:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA03910 for firewalls-outgoing; Thu, 6 Jun 1996 20:02:22 -0700 (PDT)
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA03903 for ; Thu, 6 Jun 1996 20:02:15 -0700 (PDT)
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by puli.cisco.com (8.6.8+c/8.6.5) with SMTP id TAA28047; Thu, 6 Jun 1996 19:59:41 -0700
Message-Id: <199606070259.TAA28047@puli.cisco.com>
To: firewalls@greatcircle.com
Cc: cs-ipsecurity@cisco.com
Subject: "how-to" scripts for configuring cisco routers as good packet-screeners
Date: Thu, 06 Jun 1996 19:59:41 -0700
From: Paul Traina
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A number of years ago, I wrote a bunch of scripts to help me maintain part of cisco's firewalling system. I just recently updated those scripts to match some of the nasty new tricks that have come up through the years and also address new "fad" services like WWW :-)

The scripts in question include an ACL generator that takes a fairly readable syntax and converts it into raw cisco ACLs (including doing DNS translation) and a commentary about why certain holes were opened, why they might be dangerous, what the trade-offs are, et al. (no, I didn't document anything useful for bad guys...sorry.)
These scripts are based upon real-life operational experience, however they have been sanitized to protect the guilty and avoid causing temptation to would-be bad-guys. (e.g. the name of the Macintosh that allows non-passive FTP is not called "dickhead-bigshot-mac" :-)).

As before, these scripts are being offered "AS-IS" -- do not sic your lawyers on myself or cisco if you use them and some nasty clod messes you up. They're only intended for reference and educational use. Cisco will not answer questions about these scripts, they are not a supported product. Caveat emptor.

ftp://ftp-eng.cisco.com/pub/acl-examples.tar.gz

Paul

From firewalls-owner Thu Jun 6 21:50:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA07618 for firewalls-outgoing; Thu, 6 Jun 1996 21:43:45 -0700 (PDT)
Received: from po.pacific.net.sg (po.pacific.net.sg [203.120.88.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA07611 for ; Thu, 6 Jun 1996 21:43:39 -0700 (PDT)
Received: from GM.compex.com.sg ([203.120.12.4]) by po.pacific.net.sg
Date: Fri, 7 Jun 1996 12:36:50
From: berkelec@pacific.net.sg (Tey Wei Ming)
Message-Id: <19960607123650berkelec@GM.compex.com.sg>
To: firewalls@GreatCircle.com
Subject: nt firewall
X-Mailer: Pronto E-Mail [version 2.0]
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: Martin Marshall[SMTP:marshall@ebrd.com]
>Sent: Thursday, June 06, 1996 1:18 AM
>To: Firewalls Mailing list
>Subject: NT Firewalls
>
>We currently have a Unix Firewall solution, we would like to move to a
>NT Firewall (If Possible).
>
>Could anyone let me know where to jump, if a jump is to be made at all !
>

There is one NT firewall available from NetGuard (www.netguard.com). I heard Checkpoint and IBM will also be releasing an NT version soon.
To me NT is easier to administer than Unix, and Unix also has lots of security risks - just look at the list on CERT! And Unix hardware is still too costly.

william tey
berkeley electronics

From firewalls-owner Fri Jun 7 00:05:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA13140 for firewalls-outgoing; Thu, 6 Jun 1996 23:55:47 -0700 (PDT)
Received: from mail2.digital.com (mail2.digital.com [204.123.2.56]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA13133 for ; Thu, 6 Jun 1996 23:55:42 -0700 (PDT)
Received: from osftag.geo.dec.com by mail2.digital.com (5.65 EXP 4/12/95 for V3.2/1.0/WV)
Received: from osftag.geo.dec.com (osftag.geo.dec.com [16.184.80.100]) by osftag.geo.dec.com (8.7.1/8.6.10) with SMTP id IAA12244; Fri, 7 Jun 1996 08:49:32 +0200 (MET DST)
Message-Id: <31B7D0FC.41C6@osftag.geo.dec.com>
Date: Fri, 07 Jun 1996 08:49:32 +0200
From: thierry agassis
Organization: Multivendor Customers Services - Digital
X-Mailer: Mozilla 2.0 (X11; I; OSF1 V3.2 alpha)
Mime-Version: 1.0
To: shishir@ftp.com
Cc: Firewalls-Digest@GreatCircle.COM
Subject: Re: How to Connect WINS and DNS in NT 4.02 b2 ?
References: <199606062001.QAA00167@MAILSERV-2HIGH.FTP.COM>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Shishir,

If I remember well, you just have to put the $WINS directive in the respective ZONE file(s) (not boot file).

Best regards !

-- 
Thierry AGASSIS                      Mail address :
UNIX and Internet Support            thierry@osftag.geo.dec.com
DEC-TEP 16 Partner                   URL : (from inside dec.com ): http://www-mcs.geo.dec.com

From firewalls-owner Fri Jun 7 00:35:42 1996 Received