From firewalls-owner Mon Jul 1 01:33:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA27214 for firewalls-outgoing; Mon, 1 Jul 1996 01:20:54 -0700 (PDT)
Received: from uucp.DK.net (uucp.DK.net [193.88.44.47]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA27169 for ; Mon, 1 Jul 1996 01:20:41 -0700 (PDT)
From: michaelf@amitech.dk
Received: from pingnet (uucp@localhost) by uucp.DK.net (8.6.12/8.6.12) with UUCP id KAA08138 for firewalls@GreatCircle.COM; Mon, 1 Jul 1996 10:17:56 +0200
Received: by ic1.ic.dk id AA14216
Received: from ice-tfs by ic1.ic.dk with UUCP id AA14073
Message-Id: <199607010815.AA14073@ic1.ic.dk>
Date: Mon, 1 Jul 1996 10:18:05 +0200
To: firewalls@GreatCircle.COM
Subject: RE: NT Backoffice "Catapult" firewall ce
X-Mailer: TFS Gateway V210U0459W
X-Charset: Latin1
X-Char-Esc: 29
X-Relay-Mailer: Icerelay 0.1.4.6 (Send any queries to postmaster@ic.dk)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The "list" Bill Stout put together, where can I get it?

Btw. It is very impressive that you have been securing NT systems for 5 years! I mean, v3.1 was released in 1993. (don't flame, I think it is OK to overdo something when it serves a purpose! "michael@memra.com" certainly has a bit in his head permanently turned against NT ?!??)

Michael Frandsen
michaelf@amitech.dk

----------
From: Russ.Cooper@RC.Toronto.on.ca
Sent: 01.
July 1996 03:21
To: "'johnb@aztec.co.za'" ; Mon, 1 Jul 1996 04:35:29 -0700 (PDT)
Received: from slip-ppp10.ottawa.net (slip-ppp10.ottawa.net [205.211.5.10]) by dns.ottawa.net (8.7.5/1.2) with SMTP id HAA26749; Mon, 1 Jul 1996 07:32:42 -0400 (EDT)
Date: Mon, 1 Jul 1996 07:32:42 -0400 (EDT)
Message-Id: <199607011132.HAA26749@dns.ottawa.net>
X-Sender: bjm@ottawa.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: CMH@Interramp.com
From: bjm@ottawa.net (Brian McIntosh)
Subject: Re: NCSA Certification
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> >> Incorrect. Only those vendors who were members knew. First, you had to join.
>

Any firewall vendor who doesn't know what's going on with NCSA (and in particular with their firewall vendors working group) is not a vendor that I would want to buy a firewall from. If a vendor chooses to conduct business as though they were living alone on an isolated island then they shouldn't complain when the rest of the world throws a party and they aren't invited.

Regards,
Brian

========================================================
Brian J. McIntosh          UniSol Inc.
53 Courtney Road           Tel: 613 831 6373
Kanata, Ontario            Fax: 613 831 4739
Canada, K2L 1M1            Email: bjm@ottawa.net
========================================================

From firewalls-owner Mon Jul 1 05:04:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA07419 for firewalls-outgoing; Mon, 1 Jul 1996 04:38:58 -0700 (PDT)
Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA07400 for ; Mon, 1 Jul 1996 04:38:40 -0700 (PDT)
Received: from haddock.saa-cons.co.uk by smtpgate.saa-cons.co.uk with SMTP (5.65/1.3-eef)
Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00)
Date: Mon, 1 Jul 1996 12:37:56 +0100 (BST)
From: Dave Roberts
To: Alex Filacchione
Cc: Darwin Martinez
Subject: RE: ftp problem
In-Reply-To: <01BB61C3.CCAFA240@alexf.iss.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 24 Jun 1996, Alex Filacchione wrote:

>> You would need to allow incoming connection from the outside port 20, to
>> the inside port >1023 (probably excluding the X11 ports).
>
> If you do this, then will you not be opening up potential source porting problems? Incoming TCP connections from port 20 on an attacking machine would make it through, no? Isn't the purpose behind PASV ftp specifically to stop this potential problem? Something to think about.

Sure, and hence the usual argument ensues about PASV or not PASV. :-)

If you use PASV, then the server has to open up a wide number of ports. If you use normal mode, then you do. Someone takes the risk.

Someone mentioned that FW-1 uses a stateful filter, which could be the answer. If the filter recognises an outgoing FTP connection, then perhaps it then allows incoming connections from that IP's port 20.

A little more helpful - perhaps.

Dave Roberts        | "Surfing the Internet" is a sad term for sad people.
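The stateful behaviour Dave sketches, as an added example that is not code from the post or from FW-1: a small Python filter that decides inbound SYNs first under the static "outside port 20 to inside >1023" rule and then under a tracker that admits a data connection only when it matches a PORT command seen on a live outbound control session. It goes one step past the text by pinning the data connection to the client port announced in PORT rather than to the server address alone; the host addresses, port 1500 and the X11 range 6000-6063 are constructed assumptions.

```python
from dataclasses import dataclass

X11_PORTS = range(6000, 6064)  # assumed range for the "X11 ports" the thread excludes


@dataclass(frozen=True)
class Syn:
    """An inbound TCP SYN, outside -> inside (constructed test data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def static_rule(syn: Syn) -> bool:
    """The rule quoted in the thread: a source port of 20 is trusted on its own."""
    return (syn.src_port == 20
            and syn.dst_port > 1023
            and syn.dst_port not in X11_PORTS)


def parse_port_arg(arg: str) -> tuple[str, int]:
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


class FtpStateTracker:
    """Tracks outbound FTP control sessions and the data connections they announce."""

    def __init__(self) -> None:
        # (client_ip, server_ip) -> client data ports announced via PORT, not yet used
        self._sessions: dict[tuple[str, str], set[int]] = {}

    def control_opened(self, client_ip: str, server_ip: str) -> None:
        """Inside client connected to the server's port 21."""
        self._sessions.setdefault((client_ip, server_ip), set())

    def control_closed(self, client_ip: str, server_ip: str) -> None:
        """Control connection torn down: forget every pending data port."""
        self._sessions.pop((client_ip, server_ip), None)

    def control_command(self, client_ip: str, server_ip: str, line: str) -> None:
        """Inspect one client->server command line on the control channel."""
        pending = self._sessions.get((client_ip, server_ip))
        if pending is None:
            return  # no tracked session, nothing to learn
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() != "PORT":
            return
        ip, port = parse_port_arg(arg)
        # Only honour a PORT that names the client itself on an unprivileged port;
        # a PORT pointing at a third host or at a low port is ignored.
        if ip == client_ip and port > 1023:
            pending.add(port)

    def allow_inbound(self, syn: Syn) -> bool:
        """Admit the SYN only if it is a data connection a tracked session announced."""
        pending = self._sessions.get((syn.dst_ip, syn.src_ip))
        if not pending or syn.src_port != 20 or syn.dst_port not in pending:
            return False
        pending.discard(syn.dst_port)  # one data connection per PORT command
        return True


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Replay a constructed sequence; returns name -> (static verdict, stateful verdict)."""
    tracker = FtpStateTracker()
    client, server, other = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    results = {}

    # 1. Inside client opens a control connection and announces data port 1500.
    tracker.control_opened(client, server)
    tracker.control_command(client, server, "PORT 10,0,0,5,5,220\r\n")  # 5*256+220
    legit = Syn(server, 20, client, 1500)
    results["legit data connection"] = (static_rule(legit), tracker.allow_inbound(legit))

    # 2. An unrelated host sends from source port 20: the concern Alex raised.
    forged = Syn(other, 20, "10.0.0.9", 2048)
    results["forged source port 20"] = (static_rule(forged), tracker.allow_inbound(forged))

    # 3. The real server, but a client port that was never announced.
    wrong = Syn(server, 20, client, 4000)
    results["unannounced port"] = (static_rule(wrong), tracker.allow_inbound(wrong))

    # 4. Once the control connection closes, even the real server is refused.
    tracker.control_closed(client, server)
    stale = Syn(server, 20, client, 1500)
    results["after control closed"] = (static_rule(stale), tracker.allow_inbound(stale))
    return results


if __name__ == "__main__":
    for name, (static, stateful) in run_scenario().items():
        print(f"{name:24} static={'allow' if static else 'deny':5} stateful={'allow' if stateful else 'deny'}")
```

The static rule admits all four SYNs; the tracker admits only the one the client announced, and only while its control connection is open.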
Unix Systems Admin  | Get a board, find a beach, surf some REAL waves and
SAA Consultants Ltd | get a *real* life.
Plymouth, U.K.      | -=[For PGP Key, send mail with subject of "get pgp"]=-

From firewalls-owner Mon Jul 1 05:34:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA11280 for firewalls-outgoing; Mon, 1 Jul 1996 05:28:06 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA11255 for ; Mon, 1 Jul 1996 05:27:55 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id OAA26615; Mon, 1 Jul 1996 14:20:33 +0200 (MET DST)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr.apogee-com.fr (4.1/SMI-4.1)
Message-Id: <31D7C2D2.25E@apogee-com.fr>
Date: Mon, 01 Jul 1996 14:21:38 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02 (Win95; I)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Config NTP
References: <199606280840.KAA08501@mailimailo.univ-rennes1.fr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I need to configure a firewall as an NTP relay... I will use 2 or 3 French public servers (Is this enough to avoid any time spoof?) and relay it to internal servers.

I built a first configuration scheme, and I am interested in any comment on such a config

--------------------------------------
driftfile /usr/local/ntp/ntp.drift
statsdir /usr/local/ntp/stats/
disable pll              # firewall won't be affected
enable monitor
enable stats
restrict default notrust nomodify
peer external_ntp_server_1
restrict external_ntp_server_1
peer ...
restrict ...
broadcast my_subnet
---------------------------------------

I won't use any authentication on the site, since I trust my firewall (Well...
:^) and all the servers will be managed by the same team.

Any advice would be welcomed!

Jean-Francois
--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications           Tel : +33 (1) 69 85 56 47
Parc Club Universite            Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex               e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Mon Jul 1 05:49:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA11917 for firewalls-outgoing; Mon, 1 Jul 1996 05:37:41 -0700 (PDT)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA11910 for ; Mon, 1 Jul 1996 05:37:33 -0700 (PDT)
Message-Id: <199607011237.FAA11910@miles.greatcircle.com>
Received: by habanero.jmu.edu
Date: Mon, 1 Jul 1996 08:34:50 -0400
From: gary flynn
To: firewalls@GreatCircle.COM
Subject: Re: NCSA Certification
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I think some important questions need to be asked:
>
> 1. Who appointed the NCSA as the proper body to approve firewalls?
>

I think your questions are valid but I think the underlying principle is "lead, follow, or get the hell out of the way" :-)

From firewalls-owner Mon Jul 1 06:19:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14993 for firewalls-outgoing; Mon, 1 Jul 1996 06:11:34 -0700 (PDT)
Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA14962 for ; Mon, 1 Jul 1996 06:11:24 -0700 (PDT)
Received: (pokey@localhost) by maddie.atlantic.com (8.6.10/8.6.11) id JAA26894; Mon, 1 Jul 1996 09:00:51 -0400
From: Rick Romkey
Message-Id: <199607011300.JAA26894@maddie.atlantic.com>
Subject: Re: Hardware requirements of Firewall-1
To: baysalc@boun.edu.tr (Can BAYSAL)
Date: Mon, 1 Jul 1996 09:00:51 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Can BAYSAL" at Jun 30, 96 03:08:07 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Hi there;
> I wonder what is the REAL minimum required configuration of
> Firewall-1. The book says that Sun SPARC based system, I do not think
> this means IPX :) , does it? For example on a 10 Mbits ethernet would a
> Sparc 5 be acceptable?

Firewall-1 can even run on Intel hardware. In its 2.0 release, you can install it on Solaris for Intel...it works great. Of course, in its 2.1 release you can run under NT, so Intel is definitely an option.
-Rick
----------------------------------------------------------------------------
Rick E Romkey       | A T L A N T I C                  | Internet
pokey@atlantic.com  | Computing Technology Corporation | Specialists
(860) 667-9596      | http://www.atlantic.com/         |
-----------------------------------------------------------------------------

From firewalls-owner Mon Jul 1 06:49:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA18706 for firewalls-outgoing; Mon, 1 Jul 1996 06:47:24 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA18688 for ; Mon, 1 Jul 1996 06:47:17 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id IAA16324; Mon, 1 Jul 1996 08:43:11 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA05949; Mon, 1 Jul 1996 08:37:29 -0500
Received: by sonic.nmti.com; id AA04872; Mon, 1 Jul 1996 08:37:28 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9607011337.AA04872@sonic.nmti.com.nmti.com>
Subject: Re: Stateful Packet Screens
To: shaver@neon.ingenia.ca (Mike Shaver)
Date: Mon, 1 Jul 1996 08:37:28 -0500 (CDT)
Cc: avalon@coombs.anu.edu.au, chris@dejong.com, Firewalls@GreatCircle.COM
In-Reply-To: <199606302141.RAA31883@neon.ingenia.com> from "Mike Shaver" at Jun 30, 96 05:41:40 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> As Darren pointed out, it's possible to do everything an AG does with
> an SPS, and vice versa.
However, in practical terms, you can't get a stateful packet filter that will do all the stuff even the simplest application level gateways do as a matter of course, and for a simple configuration it's much easier to get the existing ALGs configured right than the existing SPFs.

In theory, you and Darren are correct. In practice, existing implementations do fall into clumps with user convenience and performance being highest for packet filters, and administrative convenience and security being highest for proxies.

From firewalls-owner Mon Jul 1 07:04:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA19240 for firewalls-outgoing; Mon, 1 Jul 1996 06:56:03 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA19233 for ; Mon, 1 Jul 1996 06:55:56 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id IAA17120; Mon, 1 Jul 1996 08:53:11 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA06021; Mon, 1 Jul 1996 08:42:51 -0500
Received: by sonic.nmti.com; id AA05303; Mon, 1 Jul 1996 08:42:51 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9607011342.AA05303@sonic.nmti.com.nmti.com>
Subject: Re: NT Backoffice "Catapult" firewall certified?
To: michael@memra.com (Michael Dillon)
Date: Mon, 1 Jul 1996 08:42:51 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Michael Dillon" at Jun 30, 96 03:25:07 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Looking for a specific mailing list? http://www.liszt.com has the largest
> list of mailing lists available on the Internet.

You have to be careful.
They don't do much checking and a hell of a lot of the lists they come up with are defunct, private, or inaccurately described. I don't think it would be practical for them to even try, given the number of lists... just keep that in mind.

> With around 48,000 lists
> in their database it appears that there are 3 times as many mailing lists
> as USENET discussion groups.

I would imagine so, since I have three or four mailing lists they don't include (small, special purpose lists... they *won't* include them if I have anything to do with it).

From firewalls-owner Mon Jul 1 07:18:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19641 for firewalls-outgoing; Mon, 1 Jul 1996 07:04:19 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA19631 for ; Mon, 1 Jul 1996 07:04:04 -0700 (PDT)
Message-Id: <199607011404.HAA19631@miles.greatcircle.com>
Received: by cheops.anu.edu.au
From: Darren Reed
Subject: Re: Stateful Packet Screens
To: peter@baileynm.com (Peter da Silva)
Date: Mon, 1 Jul 1996 23:58:17 +1000 (EST)
Cc: shaver@neon.ingenia.ca, Firewalls@GreatCircle.COM (Firewalls Mailing List)
In-Reply-To: <9607011337.AA04872@sonic.nmti.com.nmti.com> from "Peter da Silva" at Jul 1, 96 08:37:28 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Peter da Silva, sie said:
>
> > As Darren pointed out, it's possible to do everything an AG does with
> > an SPS, and vice versa.
>
> However, in practical terms, you can't get a stateful packet filter that
> will do all the stuff even the simplest application level gateways do as
> a matter of course, and for a simple configuration it's much easier to
> get the existing ALGs configured right than the existing SPFs.

The simplest application gateways just forward data, in sequence.
I class things like "tcp-relay", etc, as AG's. Even plug-gw isn't that complicated, compared to, say, ftp-gw.

> In theory, you and Darren are correct. In practice, existing implementations
> do fall into clumps with user convenience and performance being highest for
> packet filters, and administrative convenience and security being highest
> for proxies.

Time permitting, I'll make you eat those words.

From firewalls-owner Mon Jul 1 07:50:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23379 for firewalls-outgoing; Mon, 1 Jul 1996 07:39:11 -0700 (PDT)
Received: from smtp1.interramp.com (smtp1.interramp.com [38.8.45.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA23365; Mon, 1 Jul 1996 07:39:05 -0700 (PDT)
Received: from [38.12.99.250] by smtp1.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp)
Date: Mon, 1 Jul 1996 10:34:58 -0400
X-Sender: ir002446@38.8.32.2
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: gary flynn , firewalls@GreatCircle.COM
From: CMH@Interramp.com (Corey M. Horowitz)
Subject: Re: NCSA Certification
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:34 AM 7/1/96, gary flynn wrote:
>> I think some important questions need to be asked:
>>
>> 1. Who appointed the NCSA as the proper body to approve firewalls?
>>
>
>I think your questions are valid but I think the underlying
>principle is "lead, follow, or get the hell out of the way" :-)

I think you're all missing the point. I have no problem with the concept of the NCSA or any other responsible body acting as a protector of the public interest in insuring that all firewall products deliver the security promised or, at a minimum, necessary to adequately protect our networks. The mission statement is admirable. The execution is faulty.

According to Mr.
Tippett, President of NCSA, "the NCSA tries to act in this regard like a government agency for the commercial sector." (Communications Week, June 17). What government agency requires membership for a fee prior to testing a vendor's product? Moreover, isn't the NCSA's list just an advertisement unless all firewall vendors are invited to have their product tested irrespective of membership in the NCSA? Does the list state that it is an ad for the NCSA and its members?

Mr Tippett adds "you shouldn't buy a firewall that hasn't been tested and certified, just like you shouldn't buy a lamp that does not have a UL stamp on it." (Communications Week, June 17). I don't believe the UL is a for-profit organization nor is any vendor's product not acceptable for testing.

The issue here is disclosure and proper execution of a responsible mission.

------------
Corey M. Horowitz
CMH Capital Management Corp.
909 Third Avenue 9th Floor
New York, N.Y. 10022
CMH@Interramp.com
212-293-3082 (voice)
212-293-3090 (fax)

From firewalls-owner Mon Jul 1 08:04:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA24027 for firewalls-outgoing; Mon, 1 Jul 1996 07:46:41 -0700 (PDT)
Received: from rbit.co.za (rbit.co.za [196.7.71.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA24007 for ; Mon, 1 Jul 1996 07:46:30 -0700 (PDT)
Received: (from johnb@localhost) by rbit.co.za (8.7.3/8.7.3) id QAA30859; Mon, 1 Jul 1996 16:43:32 +0200
From: John Betts
Message-Id: <199607011443.QAA30859@rbit.co.za>
Subject: Re: NT Backoffice "Catapult" firewall certified?
To: dleblanc@iss.net (David LeBlanc)
Date: Mon, 1 Jul 1996 16:43:31 +0200 (SAT)
Cc: firewalls@greatcircle.com
In-Reply-To: <2.2.32.19960701134725.009546f4@mail.iss.net> from "David LeBlanc" at Jul 1, 96 09:47:25 am
Reply-to: johnb@aztec.co.za
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

% This isn't true. Guest doesn't have permissions to write the registry.
% Besides which, the first thing you do when setting up an NT machine is to
% disable guest. Somewhat like taking the + out of the rhosts file on a Sun.
%

In my haste to clear my mailbox, I didn't give 100% truths. I didn't mean to imply that Guest could do _anything_ to the registry, just some things (remotely).

Not every person who puts NT boxes (or any other unix box for that matter) on the Internet knows about things like disabling guest account, setting permissions on shares correctly, etc. I am fairly sure that _MY_ nt box is fairly secure, but that's only because I spent time going through anything that I could think of to secure it.

My main point against NT firewalls is the following: _as a general rule_ people who want NT firewalls, want them because any tom, dick and harry can get them going, without extensive knowledge of security and tcp/ip. I have no problem with firewalls that are so easy to administer, etc, BUT, generally, the people who setup these easy-to-use firewalls, don't know/think about things like disabling guest account (I know, lame example), or setting permissions on shares (or disabling all shares, or whatever), etc, and if the firewall software doesn't do this for them, then their firewall host can be easily compromised....

It takes time and knowledge (well, more like common sense) to make an NT box secure(ish). We all know that a large majority of ppl who insist on NT because of its ease of use, and requirement for little-to no knowledge of system administration and security, don't have the time and knowledge to secure their box.

I hope that I did not offend or mislead anyone here. if so, I'm sorry, and you are welcome to flame my procmail^H^H^H^H^H^H^H^Hme ;-)

ciao
-- John

--
John Betts, Aztec Internet Services
Port Elizabeth, South Africa
johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
The world is complex. The Sendmail configuration reflects this.
From firewalls-owner Mon Jul 1 08:34:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27172 for firewalls-outgoing; Mon, 1 Jul 1996 08:21:06 -0700 (PDT)
Received: from interlock.mgh.com (interlock.mgh.com [152.159.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27103 for ; Mon, 1 Jul 1996 08:20:48 -0700 (PDT)
From: dnewman@mcgraw-hill.com
Received: by interlock.mgh.com id AA14150
Message-Id: <199607011517.AA14150@interlock.mgh.com>
Received: by interlock.mgh.com (Protected-side Proxy Mail Agent-1);
Date: Mon, 01 Jul 96 09:09:19 edt
Subject: NT security--Bill Stout's list
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ Cooper writes:

>> "Because NT has even more security holes than Irix *duck*, I won't list
>> them here,"

>It's interesting that you should say this. Bill Stout put a very good list
>together, but a number of those issues can be addressed. . .

Russ, can you please post a URL for this list? TIA.

Regards
David Newman

From firewalls-owner Mon Jul 1 08:49:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28880 for firewalls-outgoing; Mon, 1 Jul 1996 08:38:39 -0700 (PDT)
Received: from delta.eecs.nwu.edu (delta.eecs.nwu.edu [129.105.5.103]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA28873 for ; Mon, 1 Jul 1996 08:38:33 -0700 (PDT)
Received: (from bonomi@localhost) by delta.eecs.nwu.edu (8.7.4/8.7.3) id KAA04130 for firewalls@GreatCircle.COM; Mon, 1 Jul 1996 10:35:50 -0500 (CDT)
Date: Mon, 1 Jul 1996 10:35:50 -0500 (CDT)
From: Robert Bonomi
Message-Id: <199607011535.KAA04130@delta.eecs.nwu.edu>
To: firewalls@GreatCircle.COM
Subject: Re: NCSA Certification
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

+ From: CMH@Interramp.com (Corey M.
Horowitz)
+ Subject: Re: NCSA Certification
+ Cc: firewalls@GreatCircle.COM
+ Sender: firewalls-owner@GreatCircle.COM
+
+ At 08:34 AM 7/1/96, gary flynn wrote:
+ >> I think some important questions need to be asked:
+ >>
+ >> 1. Who appointed the NCSA as the proper body to approve firewalls?
+ >>
+ >
+ >I think your questions are valid but I think the underlying
+ >principle is "lead, follow, or get the hell out of the way" :-)
+
+
+ I think you're all missing the point. I have no problem with the concept
+ of the NCSA or any other responsible body acting as a protector of the
+ public interest in insuring that all firewall products deliver the security
+ promised or, at a minimum, necessary to adequately protect our networks.
+ The mission statement is admirable. The execution is faulty.
+
+ According to Mr. Tippett, President of NCSA, "the NCSA tries to act in this
+ regard like a government agency for the commercial sector." (Communications
+ Week, June 17). What government agency requires membership for a fee prior
+ to testing a vendor's product? Moreover, isn't the NCSA's list just an
+ advertisement unless all firewall vendors are invited to have their product
+ tested irrespective of membership in the NCSA? Does the list state that it
+ is an ad for the NCSA and its members?
+
+ Mr Tippett adds "you shouldn't buy a firewall that hasn't been tested
+ and certified, just like you shouldn't buy a lamp that does not have a UL
+ stamp on it." (Communications Week, June 17). I don't believe the UL is a
+ for-profit organization nor is any vendor's product not acceptable for
+ testing.

I'll admit ignorance about UL's for-profit status, and I'll agree that they -will- test anything for anybody. I would point out that they -CHARGE- for doing that testing, however.

I'll suggest that there's no problem with NCSA charging a fee for the evaluation, *even*if* there are different fee schedules for members/non-members.
Does anybody _know_ if NCSA -would- test a non-member implementation?

From firewalls-owner Mon Jul 1 09:24:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01765 for firewalls-outgoing; Mon, 1 Jul 1996 09:15:47 -0700 (PDT)
Received: from snmpmgr.state.tn.us (snmpmgr.state.tn.us [170.142.1.74]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01738 for ; Mon, 1 Jul 1996 09:15:37 -0700 (PDT)
Received: from langate.tnet.state.tn.us ([170.142.11.126]) by snmpmgr.state.tn.us with SMTP id AA12558
Received: from tn01-Message_Server by langate.tnet.state.tn.us
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 01 Jul 1996 11:14:35 -0500
From: "Samuel T. Baker"
To: firewalls@GreatCircle.COM
Cc: CMH@Interramp.com
Subject: Re: NCSA Certification -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>> Corey M. Horowitz 09:34 1 Jul 1996 >>>
[snip]
> What government agency requires membership for a fee prior
> to testing a vendor's product?
[snip]

Government requires payment of taxes to be a member of the nation and enjoy its services.

[snip]
> I don't believe the UL is a for-profit organization nor is any vendor's product not
> acceptable for testing.
[snip]

How is the UL funded? How could a funding source be developed for NCSA? (No free lunch.) I expect NCSA would be willing to consider positive suggestions about its role and funding that would enhance its services.

Samuel T. Baker
. . . standard disclaimer . . .
Happy Birthday, Tennessee
Celebration of the Centuries, 1796-1996

From firewalls-owner Mon Jul 1 09:56:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04479 for firewalls-outgoing; Mon, 1 Jul 1996 09:39:38 -0700 (PDT)
Received: from access1.digex.net (access1.digex.net [205.197.245.192]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04461 for ; Mon, 1 Jul 1996 09:39:30 -0700 (PDT)
Received: from dcc02469.slip.digex.net (dcc02469.slip.digex.net [204.91.213.200]) by access1.digex.net (8.6.12/8.6.12) with SMTP id MAA10634 ; for ; Mon, 1 Jul 1996 12:36:47 -0400
Received: by dcc02469.slip.digex.net with Microsoft Mail
Message-ID: <01BB674A.AC194A40@dcc02469.slip.digex.net>
From: "Russell L. Jones"
To: "'firewalls@GreatCircle.COM'"
Subject: General Questions
Date: Mon, 1 Jul 1996 12:41:45 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Where are the archives for this discussion group located?

Thanks in advance.
From firewalls-owner Mon Jul 1 10:08:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06086 for firewalls-outgoing; Mon, 1 Jul 1996 09:57:57 -0700 (PDT)
Received: from gatekeeper.mpsisys.com (ppp.mpsisys.com [198.65.132.134]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA06068 for ; Mon, 1 Jul 1996 09:57:44 -0700 (PDT)
Received: (from smap@localhost) by gatekeeper.mpsisys.com (8.6.10/8.6.10) id LAA20808 for ; Mon, 1 Jul 1996 11:55:25 -0500
Received: from mpsi.mpsisys.com(139.45.3.26) by gatekeeper.mpsisys.com via smap (V1.3)
Received: from omni.mpsisys.com by mpsi.mpsisys.com (AIX 3.2/UCB 5.64/4.03)
Received: by omni.mpsisys.com (AIX 4.1/UCB 5.64/4.03)
From: ralph@omni.mpsisys.com (Ralph Mitchell)
Message-Id: <9607011654.AA15034@omni.mpsisys.com>
Subject: Re: NCSA Certification
To: firewalls@GreatCircle.COM
Date: Mon, 1 Jul 1996 11:54:46 -0500 (CDT)
In-Reply-To: from "Corey M. Horowitz" at Jun 30, 96 12:38:03 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >Every vendor still knew what it was about and could have joined. Let's
> >say you and your friends are told you can make an investment, but can
> >only find out how to make the investment pay off until you do invest.
> >And you decide not to do it, but everyone else does. Do you now cry
> >'unfair, unfair' if it pays off for them?!? I would think not.
> >
> Certainly not. However, the NCSA is now holding itself out as the
> firewall approval body. Fine, don't they have an obligation to the public
> to review all firewalls, not just their paying members? The way they do
> it is paying off to them to the detriment of others and misleading the
> public. Without full disclosure, their list is misleading.
I don't know much about NCSA, but unless *all* their equipment is donated and *all* their staff are volunteers, someone has to foot the bill... OK, so maybe instead of insisting on vendors paying a membership fee they could charge non-members a reasonable hourly or daily rate for the testing. But then, who decides what's 'reasonable'? :) Would say, $100 per hour, or $1000 per day be considered 'reasonable'? Wouldn't take too many days to add up to $22,000... :)

And then, I guess, we'd have people bitching about "It cost me twice as much to have my whizz-bang XYZ firewall tested, compared to the FireBall from Great Walls of Fire Corp..." Before anyone wastes bandwidth stating the obvious, I realize that a more complex firewall would take more time (and money...) to fully test...

My point is that it's gonna cost someone, somewhere, a pile of money to put together the equipment and expertise to properly test each firewall, and it's not at all unreasonable to expect the vendor to pay, whether it be a flat-rate membership fee, or a per-hour/per-firewall fee.

Just my $0.02...
Ralph Mitchell (System Administrator)
--
MPSI Inc., 8282 South Memorial Drive, Tulsa, Oklahoma 74133
Email: ralph@mpsisys.com   PHONE: 918-250-9611 x237   FAX: 918-254-8764
"Never underestimate the power of human stupidity" - Salvor Hardin, Foundation

From firewalls-owner Mon Jul 1 10:29:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04138 for firewalls-outgoing; Mon, 1 Jul 1996 09:36:13 -0700 (PDT)
Received: from access1.digex.net (access1.digex.net [205.197.245.192]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04079 for ; Mon, 1 Jul 1996 09:35:51 -0700 (PDT)
Received: from dcc02469.slip.digex.net (dcc02469.slip.digex.net [204.91.213.200]) by access1.digex.net (8.6.12/8.6.12) with SMTP id MAA10567 ; for ; Mon, 1 Jul 1996 12:33:04 -0400
Received: by dcc02469.slip.digex.net with Microsoft Mail
Message-ID: <01BB674A.2AC7D240@dcc02469.slip.digex.net>
From: "Russell L. Jones"
To: "'firewalls@GreatCircle.COM'"
Subject: Cisco Router security
Date: Mon, 1 Jul 1996 12:38:03 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What are the known bugs which leave Cisco routers running the 10.X version of the management software vulnerable to IP based attacks?

Russell L.
Jones

From firewalls-owner Mon Jul 1 10:38:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07914 for firewalls-outgoing; Mon, 1 Jul 1996 10:16:54 -0700 (PDT)
Received: from firewall.cwa.com (firewall.cwa.com [192.100.4.193]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA07857 for ; Mon, 1 Jul 1996 10:16:36 -0700 (PDT)
Received: by firewall.cwa.com (4.1/CWA-SMI-4.1)
Received: from cwa.com(192.100.4.14) by firewall via smap (V1.3jcf)
Received: from hilo.cwa.com by cwa.com (4.1/CWA-PSI-SMI-1.0)
Received: by hilo.cwa.com (SMI-8.6/SMI-SVR4)
Date: Mon, 1 Jul 1996 10:13:26 -0700
From: dmurphy@cwa.com (Dan Murphy x286)
Message-Id: <199607011713.KAA12285@hilo.cwa.com>
To: firewalls@GreatCircle.COM
Subject: Re: NCSA Certification
Cc: CMH@Interramp.com, gary@habanero.jmu.ed
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At the risk of prolonging this discussion further, I'd like to point out that if this quote is accurate (from one of CMH's posts, I think):

+ According to Mr. Tippett, President of NCSA, "the NCSA tries to act in this
+ regard like a government agency for the commercial sector." (Communications
+ Week, June 17).

then NCSA, if it is a 501-C tax-exempt US trade association, may be in a world of trouble with respect to US anti-trust laws. Gary Flynn and his company might get a better ROI if, instead of joining NCSA and whining in this forum about their certification program, they spent the same kind of time, energy and money talking to one of the many DC law firms that does a lot of competitive restraint-of-trade work. With treble damages and criminal penalties at risk, behaviors can be influenced much more quickly than with a PR campaign.
+-------------------------------------------------------------------+
| Dan Murphy, CWA Communication Products | email: dmurphy@cwa.com   |
| 401 Alberto Way, Los Gatos, CA 95032   | voice: 408-358-1529      |
| (Nihon-go wa mada jouzo ja arimasen.)  | faxen: 408-356-7061      |
+-------------------------------------------------------------------+

From firewalls-owner Mon Jul 1 10:45:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05475 for firewalls-outgoing; Mon, 1 Jul 1996 09:50:31 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA05435 for ; Mon, 1 Jul 1996 09:50:13 -0700 (PDT)
Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232])
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail
Message-ID: <01BB674A.C4294360@rwcooper.rc.toronto.on.ca>
From: Russ
To: David LeBlanc
Cc: "firewalls@greatcircle.com"
Subject: RE: NT Backoffice "Catapult" firewall certified?
Date: Mon, 1 Jul 1996 12:42:28 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I promise not to drag this thread out any longer than it absolutely has to, but a couple of generalizations by John Betts need to be addressed.

"Not every person who puts NT boxes (or any other unix box for that matter) on the Internet knows about things like disabling guest account, setting permissions on shares correctly, etc."

This is unfortunately true, but I fail to see its relevance in this discussion. Basically, you are saying that people don't know/aren't interested in properly securing their boxes (any OS) despite putting them in risky environments, which is one of the reasons this list exists, so we all knew that one already. The basics, like disabling guest privileges, setting permissions on shares correctly, etc. are just that, basics.
"My main point against NT firewalls is the following: _as a general rule_ people who want NT firewalls, want them because any tom, dick and harry can get them going, without extensive knowledge of security and tcp/ip."

Funny, but isn't it true to say that anyone who goes out and buys any firewall is doing so because they don't want (don't have the time) to have to learn everything that the firewall vendor learned about security and tcp/ip? Isn't the whole idea behind a purchased firewall that it should make it easier to get them going rather than programming it all yourself? A Borderware firewall gets plugged in, installed (which any tom, dick, or harry could do), and is up and running, with all ports closed. A couple of menu selections later and your site has HTTP, SMTP, FTP, NNTP access to the Internet, securely. Any idiot could set up a Borderware firewall, with no real understanding of either security or tcp/ip (no more than any other machine where you have to configure a network stack). Same holds true for many of the commercial Firewalls available today. This is not an NT-thing!!!

Personally, I believe that people who want to buy an NT-based Firewall are simply trying to provide a consistent interface to their client environment. Probably the single most important reason I can think of is integration with an existing user database, thereby avoiding having to have multiple databases to administer. The old "single sign-on" thing. Truth be told, getting an NT-based Firewall does not translate to "single sign-on", there are far better methods (like ACE) to achieve that goal. However, if your environment doesn't include Unix boxes or large servers (a.k.a. mainframes), an NT-based Firewall may make administration considerably easier.
"I have no problem with firewalls that are so easy to administer, etc, BUT, generally, the people who setup these easy-to-use firewalls, don't know/think about things like disabling guest account (I know, lame example), or setting permissions on shares (or disabling all shares, or whatever), etc, and if the firewall software doesn't do this for them, then their firewall host can be easily compromised...."

I don't know of any NT-based Firewall product available today that does not do the things you are talking about during its installation, and I've looked at more than most. The statement would imply that you have seen an NT-based Firewall that doesn't do this, and if so, which one, I want to know? What you are implying is that the designers of *some* NT Firewall products do not know about these basic security steps. I have not seen an NT Firewall which can be installed *insecurely*.

Products like WinGate, or Catapult, are not Firewalls, but proxy servers, and while their security is no less important than that of a firewall, they are both designed to run with other applications on an NT-box (WinGate wasn't specifically designed for NT, but will run on NT). As such, neither impose a security model on the installer and instead leave it up to the installer to decide what to do to secure the box properly. Both can be installed *insecurely*, such that the box can be compromised.

"It takes time and knowledge (well, more like common sense) to make an NT box secure(ish). We all know that a large majority of people who insist on NT because of its ease of use, and requirement for little to no knowledge of system administration and security, don't have the time and knowledge to secure their box."

Again, this generalization applies to all computers, period. I personally don't think that there is a large majority of people who are insisting on NT because of its ease of use, and requirement for little to no knowledge of system administration and security.
If that was true, it wouldn't be so difficult to find people who are good at NT. NT's administrative model is no less complex than Novell's, or Banyan's, and in some cases it can be far more complex (due to the lack of Directory Services). By default, both NT and Novell are very wide open after an initial installation, so NT doesn't simplify the security either.

I would counter your generalization with one of my own. A large majority of people who are administering NT do have the ability to properly secure a large majority of the security requirements of an NT environment. It's sad, but true, that many companies do not give their administrative IS staff enough time to properly configure that security or properly construct a viable security policy, regardless of the OS involved.

"I hope that I did not offend or mislead anyone here."

Offend, definitely not. Mislead, you continue to do so...;-]

"if so, I'm sorry, and you are welcome to flame my procmail^H^H^H^H^H^H^H^Hme ;-)"

Well, here goes...;-]

Cheers,
Russ

From firewalls-owner Mon Jul 1 11:10:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07998 for firewalls-outgoing; Mon, 1 Jul 1996 10:17:28 -0700 (PDT)
Received: from scc.net (scc.net [204.220.33.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA07966 for ; Mon, 1 Jul 1996 10:17:14 -0700 (PDT)
Received: from 204.220.33.101 (port-1.scc.net [204.220.33.101]) by scc.net (8.6.12/8.6.10) with SMTP id MAA11949 for ; Mon, 1 Jul 1996 12:14:21 -0500
Message-ID: <31D8073E.2CF7@tsg-usa.com>
Date: Mon, 01 Jul 1996 12:13:34 -0500
From: "Urban A.
Haas"
Reply-To: uhaas@tsg-usa.com
Organization: Total Solutions Group
X-Mailer: Mozilla 2.02 (Macintosh; I; 68K)
MIME-Version: 1.0
To: Firewall Mailing List at Great Circle
Subject: Re: Network ethernet sniffer
References: <31D8069C.1A52@tsg-usa.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ben wrote:
>
> > is it possible to detect if a machine and then which machine might be
> > sniffing the network if the machines are about 60 - 70 on that subnet.
> > It would be good to know if it is possible and then how if someone knows.

You can usually do this on Token-ring, but not Ethernet. It just isn't designed in there.

>
> You can use programs to detect if there are any ethernet adaptors in
> promiscuous mode.
>

This also isn't a good test, but it's a start. Some *IX machines go into promiscuous mode to automatically build arp caches, do dpli (for IPX or NetBIOS) and other things.

--
Urban A. Haas                      | Total Solutions Group
Open Systems & Network Consultant  | (612) 831-8320 x133
Internet: uhaas@tsg-usa.com        | mailto:uhaas@tsg-usa.com -or-
                                   | mailto:uhaas@aol.com

From firewalls-owner Mon Jul 1 11:28:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16691 for firewalls-outgoing; Mon, 1 Jul 1996 11:12:11 -0700 (PDT)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16682 for ; Mon, 1 Jul 1996 11:12:02 -0700 (PDT)
Received: by relay.ashton.csc.com; id OAA25509; Mon, 1 Jul 1996 14:10:27 -0400
Received: from ckostick.sed.csc.com(20.2.53.154) by relay.ashton.csc.com via smap (g3.0.1)
Received: by ckostick.sed.csc.com with Microsoft Mail
Message-ID: <01BB6756.EB0A74C0@ckostick.sed.csc.com>
From: Chris Kostick
To: "firewalls@GreatCircle.COM"
Subject: RE: NCSA Certification
Date: Mon, 1 Jul 1996 14:09:27 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dan Murphy x286[SMTP:dmurphy@cwa.com] wrote:
>
> At the risk of prolonging this discussion further, I'd like to point out
> that if this quote is accurate (from one of CMH's posts, I think):
>
> + According to Mr. Tippett, President of NCSA, "the NCSA tries to act in this
> + regard like a government agency for the commercial sector." (Communications
> + Week. June 17).
>
> then NCSA, if it is a 501-C tax-exempt US trade association, may be in a
> world of trouble with respect to US anti-trust laws. Gary Flynn and his
> company might get a better ROI if, instead of joining NCSA and whining in
> this forum about their certification program, they spent the same kind of
> time, energy and money talking to one of the many DC law firms that does
> a lot of competitive restraint-of-trade work. With treble damages and
> criminal penalties at risk, behaviors can be influenced much more quickly
> than with a PR campaign.

And with this posting, we have officially gone off the deep end.

-- Chris

From firewalls-owner Mon Jul 1 11:34:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA15238 for firewalls-outgoing; Mon, 1 Jul 1996 11:00:45 -0700 (PDT)
Received: from dns.ottawa.net (dns.ottawa.net [205.211.4.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA15213 for ; Mon, 1 Jul 1996 11:00:36 -0700 (PDT)
Received: from slip-ppp17.ottawa.net (slip-ppp17.ottawa.net [205.211.5.17]) by dns.ottawa.net (8.7.5/1.2) with SMTP id NAA01778; Mon, 1 Jul 1996 13:57:42 -0400 (EDT)
Date: Mon, 1 Jul 1996 13:57:42 -0400 (EDT)
Message-Id: <199607011757.NAA01778@dns.ottawa.net>
X-Sender: bjm@ottawa.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: CMH@Interramp.com
From: bjm@ottawa.net (Brian McIntosh)
Subject: Re: NCSA Certification
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>I think you're all missing the point.
>
Corey, perhaps you're the one who's missing the point rather than all of us. NCSA is a private organization and they can establish firewall criteria if they feel like it. Adherence by vendors as well as acceptance by users is purely voluntary. There are no laws or statutes that say a vendor must test / comply nor are users forced to buy only an NCSA-certified firewall. If a vendor chooses to participate and a user willingly accepts the certification process as having merit, then so be it - this is the basis of the free market system. Similarly, you have every right to not participate in, or accept, the process but you shouldn't expect the whole netsec community to necessarily agree with your position. This too, is a matter of free choice.

>
> I don't believe the UL is a for-profit organization nor is any vendor's product
> not acceptable for testing.
>
U.L. is a private organization founded in 1894 by William H. Merrill. Vendors pay U.L. for evaluating their products and this is the organization's principal source of revenue. If a vendor is willing to pay the fee, U.L. will test.

========================================================
Brian J. McIntosh
UniSol Inc.
53 Courtney Road      Tel: 613 831 6373
Kanata, Ontario       Fax: 613 831 4739
Canada, K2L 1M1       Email: bjm@ottawa.net
========================================================

From firewalls-owner Mon Jul 1 12:15:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA13318 for firewalls-outgoing; Mon, 1 Jul 1996 10:50:44 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA13015 for ; Mon, 1 Jul 1996 10:49:39 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id MAA08358; Mon, 1 Jul 1996 12:46:50 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id MAA15413; Mon, 1 Jul 1996 12:31:17 -0500
Received: by sonic.nmti.com; id AA26472; Mon, 1 Jul 1996 12:31:16 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9607011731.AA26472@sonic.nmti.com.nmti.com>
Subject: Re: NT Backoffice "Catapult" firewall certified?
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Mon, 1 Jul 1996 12:31:16 -0500 (CDT)
Cc: johnb@aztec.co.za, firewalls@GreatCircle.COM
In-Reply-To: <01BB66C2.56E11220@rwcooper.rc.toronto.on.ca> from "Russ" at Jun 30, 96 08:25:47 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I've been securing Windows NT for almost 5 years now, and while there are
> some environments which I admit are almost impossible to properly secure
> (access to NT through WinDD, Citrix, or some other terminal-emulation-like
> server-based environment...thanks to Pete Da Silva)

Or any other situation where more than one user shares an NT workstation, including kiosk type access to general applications (such as a public print shop, computer lab, hotelling, ...), so it's not really fair to simply dismiss this so blithely as a side effect of third party software.

NTFS is a reasonably good file system and NT provides all the hooks to make shared use of hardware as secure as it is in UNIX. The problem is that it's extremely difficult to simultaneously secure the system and actually allow users to log in and run applications, because of the way Windows software works... in fact, Microsoft is still telling application vendors to have their programs put files in system directories, and doing so themselves.

I am but secure north by northwest, when the wind is from the south I can't tell a hack from a hacksaw.
*sigh*

From firewalls-owner Mon Jul 1 12:20:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20051 for firewalls-outgoing; Mon, 1 Jul 1996 11:43:09 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA19996 for ; Mon, 1 Jul 1996 11:42:48 -0700 (PDT)
Received: from unknown by typhoon.dial.pipex.net (8.7.4/)
Message-ID:
In-Reply-To:
References: Conversation with last message
To: Corey "M." Horowitz
Cc: firewalls@GreatCircle.COM
MIME-Version: 1.0
From: Ian Johnstone-Bryden
Subject: Re: NCSA Certification
Date: Mon, 01 Jul 96 19:38:43 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> At 08:34 AM 7/1/96, gary flynn wrote:
> >> I think some important questions need to be asked:
> >>
> >> 1. Who appointed the NCSA as the proper body to approve firewalls?
> >>
> >
> >I think your questions are valid but I think the underlying
> >principle is "lead, follow, or get the hell out of the way" :-)
>
Corey responded in part:
> I think you're all missing the point. I have no problem with the concept
> of the NCSA or any other responsible body acting as a protector of the
> public interest in ensuring that all firewall products deliver the security
> promised or, at a minimum, necessary to adequately protect our networks.
> The mission statement is admirable. The execution is faulty.
>
I think the real point is that a load of small groups are trying to establish themselves as certification authorities on security. There are also the national and international initiatives backed by governments. OK, US NCSC may have been too restricted in the past. ITSEC addressed most of the major issues, and we are all supposed to be backing Common Criteria.
None of those schemes are perfect, but one of the reasons for that is that vendors and users outside government have been very slow to join the party. That's meant that criteria have been driven by academics and government officials and they don't have a really good understanding of what drives commercial enterprises. Rather than sulk off and try to set up many competitive partial schemes, it would be more productive to participate in the major schemes which are well established and try to improve them. I personally have a few reservations about Common Criteria, but it does offer the prospect of a true international criteria, it's based on ITSEC, which was in turn an improvement based on TCSEC, and is well worth actively supporting and changing from within.

WRT the nasty commercial issues, no one does anything for free. TCSEC certifications cost money, ITSEC requires the vendor to pay for evaluation time at commercial rates, Common Criteria won't be for free. The major differences between NCSA certification and say ITSEC are:

1. NCSA are charging a membership fee which is less than 25% of what it would cost for an ITSEC evaluation of a firewall at E2 or E3. If NCSA prove to do as good an evaluation job as, or better than, ITSEC then they have commercial advantage. Probability though is that their evaluation will be trivial by comparison - if not they are sure to say so on this forum.

2. ITSEC is open (and has been since 1990) to anyone who wants to submit a product and pay for the evaluation. You don't have to be a member of the club. Also the criteria are public domain and the evaluators and certifiers are not only independent of the vendor, but of each other - you can't get much more equal than that.

3. National and international legislation will be based on ITSEC and CC rather than on trade groups like NCSA.

Ian J-B.
From firewalls-owner Mon Jul 1 12:24:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA19355 for firewalls-outgoing; Mon, 1 Jul 1996 11:36:32 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA19293 for ; Mon, 1 Jul 1996 11:36:10 -0700 (PDT)
Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232])
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail
Message-ID: <01BB6759.B1C8D5A0@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'Peter da Silva'"
Cc: "johnb@aztec.co.za"
Subject: RE: NT Backoffice "Catapult" firewall certified?
Date: Mon, 1 Jul 1996 14:29:19 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I didn't make it clear in my message, but I was referring to securing an NT Server, not an NT Workstation.

"Or any other situation where more than one user shares an NT workstation, including kiosk type access to general applications (such as a public print shop, computer lab, hotelling, ...), so it's not really fair to simply dismiss this so blithely as a side effect of third party software."

First of all, the issue was raised about the ability to secure an NT Server for Internet use as a Firewall. This situation is definitely not one where we are talking about multiple users sharing the machine for access to general applications. In an attempt to show that NT is *not* all things to all men, I used an example that certain configurations of an NT server are virtually impossible to secure. This was not an attempt to isolate a single third party vendor, but merely a statement of fact of which I am personally familiar. The fact that many *existing* Windows-based applications cannot be properly secured on an NT box that is going to be logged into locally by multiple users is a valid extension of my example.

Securing an NT box for multiple users locally (i.e.
not network access but actually sitting down in front of the box and using its keyboard, or, in the case of Citrix-like applications, doing so through remote emulation), can be very complex and in some cases impossible. It all depends on the applications that *must* run on the box. Almost all *NT-specific* user applications comply with the profile model and can be installed appropriately. Arcada's Backup Exec is one good example.

I don't think I am blithely dismissing anything. If your workstations are running server-based installations of Office, you can secure them properly. Word, Excel, etc. can all be installed on a shared machine running from a server such that they are secure enough to prevent attacks, even Trojans. This presumes that the clients are NT as well, in which case application profiles can be secured by individual user ID. Write access is not necessary to their shared components once the application has been installed. The need to maintain write access to a shared component is not mandated by NT, but by the application. There is a big difference between a network installation of Office and a local installation. Remember, also, that there is an NT-specific version of Word and Excel which do properly understand profiles.
So, you're right Pete, but...;-]

Cheers,
Russ

From firewalls-owner Mon Jul 1 12:25:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA22056 for firewalls-outgoing; Mon, 1 Jul 1996 12:00:54 -0700 (PDT)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA21987; Mon, 1 Jul 1996 12:00:44 -0700 (PDT)
Message-Id: <199607011900.MAA21987@miles.greatcircle.com>
Received: by habanero.jmu.edu
Date: Mon, 1 Jul 1996 14:57:48 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Subject: Re: NCSA Certification
Cc: CMH@Interramp.com, gary@habanero.jmu.ed
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> then NCSA, if it is a 501-C tax-exempt US trade association, may be in a
> world of trouble with respect to US anti-trust laws. Gary Flynn and his
                                                       ^^^^^^^^^^
> company might get a better ROI if, instead of joining NCSA and whining in
> this forum about their certification program, they spent the same kind of

Just to set the record straight, my response to SOMEONE ELSE's concerns (I won't say whines) about the certification process was that I saw it as a "lead, follow, or get out of the way" decision. I won't say "whine" because if I had a company that developed firewall products I think I'd be justifiably concerned along the same lines as the original poster's questions.
Gary Flynn
Network Manager
James Madison University

From firewalls-owner Mon Jul 1 12:41:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23086 for firewalls-outgoing; Mon, 1 Jul 1996 12:10:48 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA23044 for ; Mon, 1 Jul 1996 12:10:33 -0700 (PDT)
Received: from ragans-laptop (atl-dynamic4.ins.com [199.0.194.4]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id MAA20349; Mon, 1 Jul 1996 12:07:05 -0700 (PDT)
Message-Id: <2.2.32.19960701182006.00f95000@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 01 Jul 1996 13:20:06 -0500
To: "Russell L. Jones"
From: Charles Ragan
Subject: Re: Cisco Router security
Cc: "'firewalls@GreatCircle.COM'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can read about it below;

http://www.cisco.com/warp/customer/707/2.html

Charles

At 12:38 PM 7/1/96 -0400, Russell L. Jones wrote:
>What are the known bugs which leave Cisco routers running the 10.X version of the management software vulnerable to IP-based attacks?
>
>Russell L. Jones
>

______________________________________________________________
Charles Ragan, Jr.
International Network Services
CCIE #1764, MCSE, MCNE, CBE
Pager - 1-800-INS-1-INS
Using NT Server 4.0 Beta2 & Eudora 2.2(32)
______________________________________________________________

From firewalls-owner Mon Jul 1 13:29:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA01829 for firewalls-outgoing; Mon, 1 Jul 1996 13:16:21 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA01811 for ; Mon, 1 Jul 1996 13:16:11 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607012013.AA21341@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: Peter da Silva
Cc: Mike Shaver , avalon
From: Ryan.Russell/SYBASE
Date: 1 Jul 96 13:13:23 EDT
Subject: Re: Stateful Packet Screens
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would not disagree that ALGs would probably allow one to more easily filter stuff in the datastream (i.e. yank out stuff between the tags.) This is because, by their nature, many of them store a significant portion of the document on its way through, and hence, would make it easier to run through some script on the proxy server. This would also be why they would tend to be slower. Please correct me if I'm wrong, I'm no proxy expert. I've only used CERN and Socks proxies. And I didn't administer them. I suppose the upshot would be that web proxies could cache today's Dilbert if you wanted. I agree that you could probably do the same with the SPFs on the market today, but I wouldn't want to try.

I'm not sure about the security point....
If your assumption is that being able to parse datastreams makes for better security, I suppose that could be correct. I think it might be a difference of opinion though.. as I've mentioned on the list before, I am not about to attempt to catch viruses and evil applets on their way in through the firewall. I think that is a losing battle. I would rather have good antivirus and a fixed Netscape on the host on the inside.

I definitely disagree on the administrative convenience point. I have/had a socks proxy, and having a transparent SPF is MUCH easier for me. Granted, it was Socks 4, but even so. I suspect that one will have a much easier time allowing a new type of service on a SPF than an AG. The SPF I have (FW1) will automatically allow some new service out of the box, if the network transaction is simple enough (i.e. a simple TCP transaction.) That may or may not be a good thing. I prefer to let my users access as many toys as will work through the firewall. I'll let you know if I change my mind when we use up our bandwidth.

Are there proxies that are as transparent as something like FW1? If not, how can you say that having to set proxy entries on all your inside hosts on a per-app basis is administratively easier?

Ryan

---------- Previous Message ----------
To: shaver
cc: avalon, chris, Firewalls
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 08:37:28 AM
Subject: Re: Stateful Packet Screens

> As Darren pointed out, it's possible to do everything an AG does with
> an SPS, and vice versa.

However, in practical terms, you can't get a stateful packet filter that will do all the stuff even the simplest application level gateways do as a matter of course, and for a simple configuration it's much easier to get the existing ALGs configured right than the existing SPFs. In theory, you and Darren are correct.
In practice, existing implementations do fall into clumps with user convenience and performance being highest for packet filters, and administrative convenience and security being highest for proxies.

From firewalls-owner Mon Jul 1 15:36:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04881 for firewalls-outgoing; Mon, 1 Jul 1996 14:55:59 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA04874 for ; Mon, 1 Jul 1996 14:55:50 -0700 (PDT)
Received: by mercury.Sun.COM (Sun.COM)
Received: from sunesc.East.Sun.COM by East.Sun.COM (5.x/SMI-5.3)
Received: from breakers.East.Sun.COM by sunesc.East.Sun.COM (SMI-8.6/SMI-SVR4)
Received: by breakers.East.Sun.COM (SMI-8.6/SMI-SVR4)
Date: Mon, 1 Jul 1996 17:52:23 -0400
From: ericj@breakers.East.Sun.COM (Eric Johnson)
Message-Id: <199607012152.RAA12553@breakers.East.Sun.COM>
To: firewalls@greatcircle.com
Subject: ftp PASV risks?
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All,

Can someone tell me what security risks are associated with allowing PASV ftp? I've got a few ideas, but I'd like to hear from the experts. Please send mail to me directly, as well as to the list. (I didn't mail my check to SiCk PuPpY promptly, so my subscription has lapsed.)
Thanks in advance,
Eric

From firewalls-owner Mon Jul 1 15:48:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04619 for firewalls-outgoing; Mon, 1 Jul 1996 14:51:24 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA04609 for ; Mon, 1 Jul 1996 14:51:17 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607012148.AA24761@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: Peter da Silva
Cc: firewalls
From: Ryan.Russell/SYBASE
Date: 1 Jul 96 14:48:37 EDT
Subject: Re: Stateful Packet Screens
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why "low security" end of the spectrum? Because SPF tends to support more app types? I don't believe restricting the kind of data that users can access is a reasonable form of security. Besides, they will always find a way around it. Do you think that proxies that support essentially Telnet, FTP, and HTTP are more secure than other solutions that support more? In theory, yes, fewer data attacks to worry about.. in practice, all the interesting data attacks are coming through HTTP anyway. And, it's quite easy for me to deny a particular service should I choose to. Just as easy as it would be on a proxy, I would expect.

What kind of proxy do you use? Why couldn't a proxy be transparent? Is anyone out there doing anything with, say a web proxy, besides just passing the HTML document through? Is anyone getting any value while taking the speed hit and having to configure your clients special?
Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: firewalls
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 03:53:06 PM
Subject: Re: Stateful Packet Screens

> I definitely disagree on the administrative convenience point. I have/had
> a socks proxy, and having a transparent SPF is MUCH easier for me.

That depends on what your security policy is. If it's "allow anything if it's initiated on the inside" then a packet filter is definitely easier than SOCKS. But then you're tending towards the "low security" end of the spectrum to begin with.

> Are there proxies that are as transparent as something like FW1?

If there are, they're not doing anything more than a packet filter.

From firewalls-owner Mon Jul 1 16:04:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA10379 for firewalls-outgoing; Mon, 1 Jul 1996 15:34:36 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA10370 for ; Mon, 1 Jul 1996 15:34:29 -0700 (PDT)
Received: by hidata.com; id AA12388; Mon, 1 Jul 96 15:31:43 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Mon, 1 Jul 1996 15:31:30 -0700
Message-Id: <199607012231.PAA23368@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: dnewman@mcgraw-hill.com
From: Bill Stout
Subject: Re: NT security--Bill Stout's list
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:09 AM 7/1/96 edt, dnewman@mcgraw-hill.com wrote:
>
>Russ Cooper writes:
>
>>> "Because NT has even more security holes than Irix *duck*, I won't list
>>> them here,"
>
>>It's interesting that you should say this.
>>Bill Stout put a very good list
>>together, but a number of those issues can be addressed. . .
>
> Russ, can you please post a URL for this list? TIA.
>
> Regards
> David Newman

The following is a small list of 'concerns' I had posted to 'NT security' in administering my own domain, with additional comments. Hackers already know these, so protect your systems:

Is it possible to hack a connect onto an NT fileservice from the network? There _must_ be holes:

1. I know DOS and Linux have drivers which allow you to RWED files on an NTFS disk, if the disk is in the same machine.

Comment: Some have stated only read is possible with the NTFSDOS.EXE driver. I heard that a write-capable driver does exist, and if not, making a write-capable driver is trivial once you can read the disk. Either way you can read the registry and files, then run crack.

2. I accidentally had full access to all files once on an NT 3.51 server w/service pack 3, when I first started up an NT 4.0b1 client on my network. Using any account I accessed all protected files and directories. I even double-checked permissions to see if I was really browsing directories that only had user privileges. I haven't had time to duplicate it, but quickly fixed the problem (applied SP4) after I picked my jaw off the floor!

Comment: I would appreciate it if someone with NT3.51 SVR sp3 could load NT4.0 WS (b1/b2?) to see if this happens, and e-mail me.

3. NT Workstations having the wrong challenge response can have a user login using cached data with the network cable disconnected (bypassing the 'netlogon' service). When the cable is reconnected, all services (and network files) are available. I found this after someone installed a duplicate domain, the clients authenticated on the wrong domain, and wouldn't connect on the correct one, except for the disconnect-logon-reconnect process.

Comment: This is like bypassing NIS+ by unplugging the cable/Internet for a second.
The CIFS/1.0 draft RFC by MS has some interesting comments about passwords in section "8.3 LANMAN 2.1 (and earlier) Challenge/Response", and in the sections that follow. See:
ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt

4. NT MSV1.0 encrypts the user password in RSA MD-4, but compromises the password by also encrypting the password in Lan Manager DES compatible mode. It then transmits the same password in both encrypted formats. For Lan Manager compatibility, of course.

Comment: NT uses only RSA MD-4 when the password is longer than 14 characters. None of the existing NT user interfaces allow > 14 characters. The password is encrypted and exchanged as a 16-byte data string, which is compared to the encrypted string in the SAM database. This being a constant, it can be captured and reused.

NT password crackers:
ScanNT - http://www.omna.com/yes/andybaron/scannt.htm
Kane also cracks NT - http://www.intrusion.com/ksant.htm (Very good security reports on NT users/permissions/integrity)
I think both need to run on NT, and target a host or domain.

5. NT Server accepts connections without domain entries (WFW compatibility), and passwords in DES vs. RSA encryption (Lan Manager compatibility), so security is compromised by the lowest common denominator: WFW and Lan Manager compatibility.

Comment: Ref: http://www.microsoft.com/kb/bussys/winnt/q102716.htm

Also, browse your systems' registry (95/NT) from a remote webserver:
http://dev1.ora.com/andcgi/wregcgi.exe
This one might make you want to unplug your Internet feed!
If you know of a webserver running NT, try this from in front of your firewall, using 95 or NT:

C:\> nbtstat -A 198.105.232.1     #(ftp.microsoft.com)

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
FTP            <00>  UNIQUE      Registered
INETSERVERS    <00>  GROUP       Registered
FTP            <20>  UNIQUE      Registered
INETSERVERS    <1C>  GROUP       Registered
FTP            <03>  UNIQUE      Registered
INETSERVERS    <1E>  GROUP       Registered
_SERVICE       <03>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~FTP.........<00>  UNIQUE      Registered
FTP            <01>  UNIQUE      Registered

MAC Address = 08-00-2B-A3-77-EC

Just like finger, but better. --!>

I would appreciate someone setting me straight on these. For example, if there were a way to turn off Lan Manager compatibility (DES) and accept only RSA passwords, I would appreciate it. Also, it would be nice to enforce domain entries in the connection string (I only run NT clients). I suppose I could also remove the floppies from the servers, since I load all software with CDs. Since C2 certification was granted only with network connections disabled, there must be good reason for this.

Bill Stout

<=======10========20========30========40========50========60========70========80
William B. Stout       | Major revelations:
Senior Systems Admin   | "All objects are part of a larger object."
Hitachi Data Systems   | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers  | "The secret of life: To be involved with 'creation'."
408-970-4822           | Disclaimer: I speak for no one but us three people.
;)
--------------------------------------------------------------------------------

From firewalls-owner Mon Jul 1 16:50:21 1996
From: rls@neptune.att.com (Ronald L. Sharp)
Subject: Re: How good is "stateful inspection"? (fwd)
To: michael@memra.com (Michael Dillon)
Date: Mon, 1 Jul 1996 19:18:10 -0400 (EDT)
Cc: firewalls@greatcircle.com

Michael, you win the prize. This is exactly what I was speaking about.

Most answers were concerned about the proxy knowing the buffer sizes of the internal hosts. However, what I have seen from my limited breadth of experience with proxies across platforms is that there are common buffer sizes for protocol elements. This is either by standard or by convention. Like much of Unix, network apps such as finger have common roots and so they may have the common buffer sizes. The discussion now can get down to "no they don't" and "yes they do" but I would rather not.

I was just bringing up one example of a possible natural protection provided by proxies that you may not find in an SPF. By their nature proxies actually parse and process the protocol data (to some extent) and this may cause some attacks to be stopped by the proxy.

For those who said they feel this is more an end host problem: I am a strong advocate for security in depth and I say provide levels of security wherever you can.
Thanks to everyone who participated in this discussion. If there are examples of other natural protections offered by proxies I would be interested to hear of them.

> On Sun, 30 Jun 1996, Darren Reed wrote:
>
> > > The person who posted the question was under the impression that SPF couldn't
> > > but proxies could. I believe that neither can effectively protect from that
> > > type of attack,
> > > because it requires very specific knowledge about the platform in question on
> > > the
> > > inside.
> >
> > But, in both cases, you must somehow put the knowledge about what is good
> > and bad in the proxy/filter code.
>
> It doesn't require any knowledge about the interior platforms which it is
> attempting to protect.
>
> All of this discussion about buffer overruns seems to be skirting the
> issue.
>
> A. Many protocols have defined maximum lengths for various fields
> transferred within those protocols.
>
> B. Often implementors of a protocol inadvertently expose their products to
> misuse by not checking those maximums.
>
> C. Often hackers break into servers by means of exploiting a buffer
> overrun in a flawed server application.
>
> D. There is no technical reason why a firewall proxy could not examine
> the data flowing through it and ensure that all fields are within the
> maximums defined for the protocol by truncating the field and logging
> the event.
>
> E. I don't know enough about stateful packet filters but they may be able
> to do the same as proxies.
>
> F. If we assume that the applications server has been proven to operate
> correctly within the protocol specification by running some sort of
> test suite (a rather common occurrence these days) then the proxy would
> provide a greatly reduced level of risk by preventing these buffer
> overrun attacks.
>
> G. Nothing is perfect, the solution I propose is certainly not perfect,
> but I think it moves in the right direction and does not increase
> any security risks or negatively impact the operation of the firewalls
> or the applications.
>
>
> Michael Dillon                   ISP & Internet Consulting
> Memra Software Inc.              Fax: +1-604-546-3049
> http://www.memra.com             E-mail: michael@memra.com
>
>

--
Ron Sharp
Internet address: r.l.sharp@att.com

From firewalls-owner Mon Jul 1 17:22:32 1996
To: firewalls
From: Ryan.Russell/SYBASE
Date: 1 Jul 96 17:07:11 EDT
Subject: Re:Stateful Packet Screens

Hmm.. I don't know about the CC line... sigh, the joys of Notes mail. Frequently the mail gets there even if it chews the header. You're not the first to complain about my mail.

Anyway, in response to your response:

Yes, I allow any app initiated from the inside. (At least, any that will work with the FW; I only occasionally go out of my way to make one work that doesn't automatically.) I don't consider this to be significantly less secure than a connection with limited allowed apps. My users are just as capable of hosing themselves with telnet/http/ftp as with any other new toy.
As I mentioned before, the users would find a way around you. At least I can log what they are up to, and go back if I find something nasty has toasted someone's machine. I suppose the worst case (since my FW doesn't allow incoming, like just about any FW) would be that some app, likely a Web thingy, would do some trojan stuff, and initiate a connection out from the inside. A proxy would allow that just as easily.

And yes, of course I would deny based on port. There is nothing else to base a decision about service type on. Say you only allow telnet out... I do a telnet x.x.x.x 80 or 25. Am I running telnet, or am I running HTTP or SMTP?

Do you have a proxy firewall in place? Do you have users? Don't they complain about not being able to use Realaudio?

Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc:
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 06:03:22 PM
Subject: Re: Stateful Packet Screens

> To: Peter da Silva
> Cc: firewalls
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Are your messages getting to the list? I'll just reply to you.

> Why "low security" end of the spectrum? Because SPF
> tends to support more app types? I don't believe in
> restricting the kind of data that users can access a
> reasonable form of security.

I call letting any application through by default without evaluating it for security "low security". And with a stateful packet filter, I don't see how you can do anything else without a lot of very complex rules.

> And, it's quite easy for me to deny a particular
> service should I choose to.

OK, how would you set up a default-off environment with a stateful packet filter, based on protocols (and bearing in mind that destination port isn't really adequate, since a bandit application could listen on any port)?
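The field-length checks Michael Dillon lists as points A through D (quoted in Ron Sharp's message above), carried out on SMTP command lines, as example code added here; it is not from any of the posts. SMTP is used rather than finger because its maxima are written into the standard (Dillon's point A): the limits below are the RFC 5321 section 4.5.3.1 values, and the sample session is constructed.

```python
"""Proxy-side enforcement of protocol field maxima (Dillon's points A-D).

An over-long field is truncated to the RFC maximum and the event is logged,
so the oversized field never reaches the inside server's buffers.  Example
code added to this archive page, not from any of the posts.
"""
import logging
import re
from dataclasses import dataclass, field

log = logging.getLogger("proxy.smtp")

# Maximum field sizes in octets, from RFC 5321 section 4.5.3.1.
MAX_COMMAND_LINE = 512   # whole command line, CRLF included
MAX_PATH = 256           # reverse-path / forward-path, angle brackets included
MAX_DOMAIN = 255         # domain argument of HELO / EHLO

_PATH_CMDS = {b"MAIL", b"RCPT"}
_DOMAIN_CMDS = {b"HELO", b"EHLO"}
_PATH_RE = re.compile(rb"(?i)(FROM|TO):(<[^>]*>?)(.*)", re.S)


@dataclass
class Verdict:
    """What the proxy forwards, plus one log record per field it had to clip."""
    line: bytes
    events: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not self.events


def _clip(name: str, value: bytes, limit: int, events: list) -> bytes:
    """Truncate value to limit octets, recording the event if it was over."""
    if len(value) > limit:
        events.append(f"{name} length {len(value)} > {limit}, truncated")
        return value[:limit]
    return value


def enforce(line: bytes) -> Verdict:
    """Check one client-to-server SMTP command line against the RFC maxima.

    A truncated path will usually fail the server's own syntax check, which
    is the intended outcome: the server sees a short, malformed argument
    instead of an oversized one.
    """
    events: list = []
    body = line.rstrip(b"\r\n")
    verb, _, args = body.partition(b" ")
    verb_u = verb.upper()

    if verb_u in _PATH_CMDS:
        # MAIL FROM:<reverse-path> [params] / RCPT TO:<forward-path> [params]
        m = _PATH_RE.match(args)
        if m:
            kw, path, rest = m.groups()
            path = _clip("path", path, MAX_PATH, events)
            args = kw + b":" + path + rest
    elif verb_u in _DOMAIN_CMDS:
        dom, _, rest = args.partition(b" ")
        dom = _clip("domain", dom, MAX_DOMAIN, events)
        args = dom + (b" " + rest if rest else b"")

    out = verb + (b" " + args if args else b"")
    # The whole-line limit includes the CRLF, hence the -2.
    out = _clip("command line", out, MAX_COMMAND_LINE - 2, events) + b"\r\n"
    for event in events:
        log.warning("%s: %s", verb_u.decode("ascii", "replace"), event)
    return Verdict(out, events)


def filter_session(lines) -> list:
    """Run every command line of a client session through enforce()."""
    return [enforce(line) for line in lines]


# Constructed sample session (not a real capture): one well-formed command,
# one over-long reverse-path, one over-long command line.
SAMPLE_SESSION = [
    b"EHLO mail.example.net\r\n",
    b"MAIL FROM:<" + b"a" * 300 + b"@example.net>\r\n",
    b"NOOP " + b"x" * 600 + b"\r\n",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for v in filter_session(SAMPLE_SESSION):
        print("clean" if v.clean else "clipped", len(v.line), v.line[:40])
```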
From firewalls-owner Mon Jul 1 17:53:21 1996
Date: Tue, 02 Jul 1996 08:32:52 +0800
From: Chin Cheng Baey
To: firewalls@GreatCircle.COM
Subject: SENDING BIG FILES THRU INTERNET

1. Am not sure whether this question should be posted to this group. If I'm wrong, my apologies for taking up your bandwidth. Hope someone can point me in the right direction.

2. I'm toying with the idea of sending encrypted files (probably DES or DES-derivative type encryption or maybe even RSA) thru the Internet to counterparts overseas. The size of the files may hit 4-5 mb.

3. Noticed that when big files are sent thru the Internet, they get chopped up into smaller parts. Am not sure whether this is done by the sender or the Internet provider. For encrypted files, this may pose a problem because the recipient may not be able to assemble the files back for decryption.

4. Would be grateful if someone could advise whether my concerns are valid. Are there any ways to get around the problem?

5. Many thanks in advance for all your kind advice.
From firewalls-owner Mon Jul 1 18:52:39 1996
From: "Lack Mr G M"
Date: Mon, 1 Jul 1996 12:04:17 +0100
To: Dan Shadix
Subject: Re: split-brain DNS
Cc: "'Firewalls@GreatCircle.COM'"

> Why can't you make the one master DNS server secondary for all your internal sub-domains? Then if a request is for a domain for which it is authoritative, it will just respond, if not then it will go to the Internet at large.

Whereas this might work (ie. it sounds as though it will, but I haven't thought it through completely) this would leave me with the master server being authoritative for everything. This would push the size of its database up from ca. 8000 to ca. 40000 entries (guessing here, but of that order). I don't have the memory on the servers for such numbers. Also, it strikes me as being against the "spirit" of DNS.
Relatively few queries go "between" domains, so I don't want this master server to spend a lot of its time doing zone queries for timestamps and frequent zone transfers just for these. I just want to send the query off to the relevant server, just as in the "full" InterNET. A logical extension of your solution would be to get all of the root name servers to become secondaries for all domains, and I'm sure that we can agree that would be a disaster!

> Not sure that the problem described is the one I have, but there is no way
> for this to work if you have multiple private domains (ie. not just
> sub-domains). You can get all of these to forward to an internal master, but
> you can't get this master to forward the relevant queries back to the internal
> domains (as you can't "prime" the cache with non-root servers). So the
> internal master asks the real root servers about your internal domains and
> believes that they do not exist. The result is that you can't resolve one
> internal domain from another.
>
> Now, even if you do have a single domain with sub-domains it is quite likely
> that the *reverse lookup* domains are separate, so you have the problem then
> anyway.
>
> I have had to use a modified version of 4.9.3B9 which, basically, does allow
> me to prime the cache with internal name servers.

--
----------- Gordon Lack ----------------- gml4410@ggr.co.uk ------------
The contents of this message *may* reflect my personal opinion. They are *not* intended to reflect those of my employer, or anyone else.
From firewalls-owner Mon Jul 1 18:53:07 1996
From: "Marcus J. Ranum"
Subject: Re: Catapault firewall
To: Firewalls@GreatCircle.COM
Date: Mon, 1 Jul 1996 21:39:17 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD

I pulled down Microsoft's page on Catapult. I urge you all to do so and give it a read. From where I sit, it looks like the firewall market has reached its next level, with this announcement.

The brief on Microsoft's page is completely content-free. Several times, Catapult is recommended as the solution because it's secure. Nothing about why it's secure or how it's secure. Don't bother your head with that stuff! It's SECURE, OK? ...Or at least as secure as a beta product that only runs on a beta version of NT can be.

In fairness to Microsoft, it may be pretty good stuff. But we can't tell from what they say. Which is why I feel it marks a milestone in the firewall market.
The Big Boys Are Here now and it's SECURE, it's OK. That argument worked for Netscape, for a while.

Those of us who've been with this firewall thing for a while have seen the market get muddied before, and eventually things calm down again. It'll be fascinating to see what happens if Microsoft decides to put even a teeny bit of their marketing muscle behind Catapult. I guess it means that, as a technology, firewalls have "arrived."

mjr.

From firewalls-owner Mon Jul 1 19:04:04 1996
From: ccfj@hippo.ru.ac.za (F. Jacot Guillarmod)
Subject: Help with cisco access list?
To: firewalls@greatcircle.com
Date: Sun, 30 Jun 1996 10:20:16 +0200 (GMT+0200)

Hi,

A query on Cisco access lists...

I've had a set of access lists configured and working for a while now, but the manual maintenance has become a bit confusing, so I've set up the acl-examples perl scripts by Paul Traina available from ftp.cisco.com, and am trying to use them in conjunction with other tools we use to automate the maintenance of our DNS.

It looks like most of the chickens mentioned in the Chapman paper on IP packet filtering have come home to roost in a big way. The manual lists, which still work OK, probably work because they're next to useless.
The automated lists generated by the "netsec" perl script have tightened things up so much that I'm forced to admit to being confused about parts of what I'm trying to achieve and how to achieve it. A search through what literature is available to me didn't bring up a whole lot of practical info on setting up access lists, so I'd be grateful for any further pointers or examples (other than those in the Cisco manuals, which tend to be somewhat ....).

Anyway, here's the scenario: We have a 2514 running 10.0 and are using all 4 interfaces. Being a university, it's assumed brainpower is more plentiful than money in achieving workable solutions. We try.

  ISP #1 + Internet               ISP #2 + Regional net
  --------------------            ---------------------
           |                               |
           |                               |
        --------------------------
        |  s0                s1  |
        |                        |
        |  e0                e1  |
        --------------------------
           |                               |
           |                               |
  --------------------            ---------------------
  Admin subnet                    Everyone else subnets
  A.B.16.0/255.255.248.0          A.B.128.0/255.255.248.0
                                  A.B.64.0
                                  A.B.192.0
                                  etc

The access lists for ether 1 are pretty standard and straightforward, as are those for serial 0 and serial 1 (which are currently identical). i.e. in isolation they work just fine and I understand them.

The awkward one is the access list for ether 0, which contains admin telnet and print servers plus a large number of workstations. The type of access needed here is:

Out onto ether 0:
 a  Telnet from selected hosts outside of A.B.16.0 but inside A.B.0.0
 b  FTP from selected hosts outside of A.B.16.0 but inside A.B.0.0
 c  Printing from hosts outside of A.B.16.0 but inside A.B.0.0
 d  "Established" tcp services, such as WWW etc from anywhere.

Out onto ether 1:
 e  Printing from hosts in A.B.16.0 but nowhere else
 f  Bootp from workstations within A.B.16.0 but nowhere else
 g  The "usual" paranoid stuff, excluding UDP other than port 53.

I've got most of this working, except for items c and e, printing using the BSD print spooler, which does things I can't grasp.
So, to get past this misunderstanding, I've thrown caution to the winds and tried permitting all UDP between ether 0 and ether 1 but I still can't print anything.

Can anyone point me in the right direction? Or explain what on earth lpr/lpd get up to when they start exchanging packets? Is there anything else to worry about (within reason) accessing admin type networks?

Many thanks,
--
F.F. Jacot Guillarmod - Computing Services - Rhodes University - Grahamstown
Internet: ccfj@hippo.ru.ac.za   Phone: +27 461 318284   Fax: +27 461 25049
The views expressed above are not necessarily those of Rhodes University

From firewalls-owner Mon Jul 1 19:21:48 1996
To: firewalls@GreatCircle.COM
From: Ian Johnstone-Bryden
Subject: Re: NCSA Certification
Date: Sat, 29 Jun 96 12:23:14 GMT

Corey wrote:
> To all:
>
> I think some important questions need to be asked:
>
> 1. Who appointed the NCSA as the proper body to approve firewalls?
>
> 2. Do people realize that in order to be approved, a vendor must be a
> member of the NCSA?
>
> 3. Do people realize that the first vendors approved were all members of
> the NCSA and as such got a timing advantage over other non-members?
>
> 4.
> Is it fair that all vendors, irrespective of size, must first pay a
> $22,000 membership fee?
>
> 5. Will the NCSA put a footnote on their "approved" list that only those
> vendors willing to pay $22,000 have received the NCSA's approval?
>
> 6. Doesn't the "bundled" concept of membership and qualification for
> approval render the whole process meaningless?
>
> 7. Have any members of NCSA not been approved?
>
> 8. What is NCSA doing with the funds received by its members? Is NCSA a
> non-profit organization?
>
> I believe all of these questions need to be addressed before the NCSA holds
> itself out as the self-appointed arbiter of firewall quality assurance.
>
> Just one man's opinion
>

All very good questions. As most subscribers to this list will be well aware, we were not short of evaluation bodies in the first place. So far no one has come up with a perfect evaluation system and probably never will, so it comes down to deciding what risks each buyer is prepared to take.

TCSEC/'Orange Book'

NCSC still evaluates product in the national (US) interest. The evaluation has been free to the vendor but it still cost a great deal of money. The vendor has to hire a VSA who has passed the NCSC VSA training and examination system. Considerable work has to be done during an evaluation to provide the system (hardware and software) and deal with the questions and give the presentations necessary to support the NCSC evaluators. The benefit of an NCSC certificate is that NCSC does not evaluate in the vendors' interests and is a government controlled and funded agency specifically established to be independent of vendor interest.

The risks of NCSC evaluation are several:

1. The process is slow and this means that the product is becoming obsolete by the time the evaluation is complete.

2. The RAMP (rating maintenance programme) is also slow and cumbersome so that the product available for delivery with a certificate is much older than the latest version in vendor development.

3. The evaluation primarily covers assurance and not integrity or availability.

4. The evaluation and certificate covers a system down to fine detail like printer cables and much of that hardware will no longer be standard production by the time the evaluation is complete.

5. The vendor jacks up the product price to reflect the cost of development and evaluation support and because the product enjoys some monopoly or quasi-monopoly status through rarity of certificates.

6. TCSEC uses an incorrect model for the development processes employed by vendors.

7. The Rainbow Series is based strongly on Mil-Std 2167A which assumes a detailed customer specification and custom engineering to meet that specification.

8. The system doesn't allow for sub-system certification other than that you can have an evaluation which results in a D level ticket, which is also issued to failed products.

9. Even today an NCSC evaluated product may not be available to all users, even inside the US. End-user certificates may still be required before legal shipment.

ITSEC

European Governments recognised the weaknesses and strengths of the US process and 4 countries worked together to produce ITSEC. ITSEC has several benefits over the US NCSC system:

1. Any number of Commercial Licensed Evaluation Facilities can be licensed. The UK ITSEC Scheme Body has already licensed 8 CLEFs (2 are US owned subsidiaries). The German ITSEC Scheme Body is planning to license additional CLEFs, possibly up to 120. France is planning to introduce a CLEF system with somewhere between the UK and German licensing numbers. That removes a major cause of delay present in the US system where NCSC just doesn't have the manpower to handle even the relatively small number of products in the queue.

2. ITSEC certificates in the UK and Germany are mutually recognised by an agreement between the 2 national schemes and other countries are due to sign agreements this year in Europe and other areas.

3. Any vendor can present product for evaluation.
4. Any user can buy certified product - not just specialised government agencies.

5. ITSEC measures Integrity and Availability as well as measuring Assurance.

6. Software testing can be generic. Therefore a firewall mounted on an Intel-based platform and a specific trusted OS can be certified as meeting a particular TOE on any Intel platform which has a certified OS.

ITSEC also has risks:

1. The CLEFs do not issue licenses, only evaluation reports. Certification is by the government run national ITSEC Scheme Bodies. Therefore the system is only as good as the policing by the Scheme Bodies, who are able to place export and distribution controls on some products.

2. Although ITSEC is significantly faster than the NCSC system, it's still slow and still leads to obsolete product.

3. Generic platform certificates for software do introduce risk because clone hardware may have vulnerabilities which were not present in the model and manufacture of the hardware supplied as a base for evaluation (this also applies to any platform component like the OS).

4. CLEF evaluation fees can be extortionate. ***BEFORE a CLEF objects to that statement, I would qualify it. A small product which takes one month to develop and document for evaluation can take a year to evaluate at a high day rate. Charges are proportionately more realistic as the product complexity increases.

5. There is not an established formal RAMP system and review of new versions can be erratic across a number of products.

6. Some vendors with very good products cannot justify evaluation costs and therefore a certified product is not necessarily the best solution available. That's particularly true as long as ITSEC evaluations are in Europe and much product development is somewhere else. A vendor (for example a US vendor) who has perhaps 20 years experience of providing trusted solutions and who has already had successful NCSC evaluations still has to undergo a development assurance inspection.
If he happens to be based in a pleasant geographic area, some CLEFs may feel that it's necessary to send a small team over for several weeks to review design processes, staying in the best hotels and charging a high day rate. This is still not a proportionally high cost, provided that the vendor is submitting many products over a period, because the inspection is for once only. That may be another risk because the vendor might not employ the same methods later on.

Common Criteria

This has yet to go into full operation and so the effects are potentially unknown. However, it is based heavily on ITSEC so it is reasonable to expect similar benefits and risks. Provided many countries sign mutual acceptance and evaluation agreements like the ITSEC agreements, CC will really become the international system. The main risk may then be that not every Scheme Body may really work as agreed and national interests may intrude. ITSEC for example lost several benefits and introduced extra risk because Europe tried very hard to accommodate the national interests of other countries in an attempt to develop true ISO style international criteria.

Self Certification

Vendors will offer self certified and 'designed to meet' products. Some vendors may be very correct and open while others will offer only a marketing view of product achievements. Potentially this is very high risk unless the vendor claims are nailed down firmly in the procurement document and you can afford to take them through the courts if necessary. Even then it's still risky.

Self Evaluation with Test Suites

US NIST and UK NPL have both offered dial-in test suite facilities including C2 test suites. I don't believe either service has attracted many vendors and probably the benefits over self certification are minimal. There are a growing number of test suites available for network security and some of these could be used by vendors and customers alike.
That does of course assume that both are capable of driving them and being honest about the results. There is also the question of how up to date and effective the test suites are. Like penetration testing, the result may mean something or nothing.

Reality of systems

In the end, product testing is only a small part of the total equation in risk management. When TCSEC and ITSEC were established, there were two goals:

1. Force vendors to present adequately documented product with identified Security Targets.
2. Make project procurement easier by removing some unnecessary risks.

Neither system is a destination for governments, the destination is accreditation and enforcement. Unfortunately, buying certified product to build a system doesn't mean the system achieves the same level, and vulnerabilities can be introduced during integration and implementation. Accreditation doesn't work unless you first produce a detailed risk policy to provide something against which you can measure vulnerabilities and decide which vulnerabilities have to be removed and which are acceptable risks for YOUR business. Accreditation means very little unless you have the means to enforce your risk policy. There are no short cuts.

As far as NCSA Certification goes, only experience will show if it's worth anything. Any trade club is vulnerable to vested interest and all the certificate might show is that a particular vendor has paid the membership fee. OTOH it can be a huge benefit to the first vendors to join because it provides their marketeers with something else to hype their products. That advantage reduces as more vendors join the club and might become worthless if some products with certificates are shown later to have severe vulnerabilities.

Ian J-B.
From firewalls-owner Mon Jul 1 19:58:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA02524 for firewalls-outgoing; Mon, 1 Jul 1996 19:29:30 -0700 (PDT) Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA02516 for ; Mon, 1 Jul 1996 19:29:22 -0700 (PDT) Received: by apu.rcp.net.pe Message-Id: From: vadillo@apu.rcp.net.pe (Enrique Vadillo) Subject: /etc/shadow encryption To: firewalls@GreatCircle.COM Date: Mon, 1 Jul 1996 21:25:45 -0400 (EDT) X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello all! I would like to know if you know where I can get the encryption algorithm that Sun Solaris 2.5 uses to write its /etc/shadow file. I am trying to write some proggy that can let me create users thru email, I have so many by day!! I want to make this an automated process, and all I need now is to know the way this encryption is made.
Thanks in advance, -- Enrique Vadillo Research & Development at RCP http://www.rcp.net.pe fax : +51 1 241-1320 Peruvian Internet Gateway work: +51 1 954-4799

From firewalls-owner Mon Jul 1 20:19:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA07086 for firewalls-outgoing; Mon, 1 Jul 1996 20:06:07 -0700 (PDT) Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA07073 for ; Mon, 1 Jul 1996 20:05:59 -0700 (PDT) Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail Message-ID: <01BB67A0.E5768A40@rwcooper.rc.toronto.on.ca> From: Russ To: "Firewalls@GreatCircle.COM" Subject: RE: Catapault firewall Date: Mon, 1 Jul 1996 22:59:00 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Marcus, as always your wit is fine tuned...;-] In fairness to Microsoft, the Catapult download includes over 600kb of HTML documentation explaining, in more detail than most would expect, about how it, and the Remote Winsock Service, work. The marketing dribble in the press release is definitely targeted at non-techno Purchasing Managers, certainly not security folks. Whether or not it actually represents a "new age" in Firewalls is going to be completely dependent on its actual security, and its cost;

- First, it has to work according to the documentation, if it doesn't, or can't be proven, then it should be spurned like any other half-baked piece of code.
- If it's priced competitively with other products (like Raptor or Firewall-1), then I doubt it will be broadly accepted, people will just continue to buy their complete package from security companies. OTOH, if it's cheap, then it may be the foundation on which other products are added. This could represent something new, and significant. Particularly if you get wide acceptance of PPTP.
Anyway, back to my testing...;-] Cheers, Russ

From firewalls-owner Mon Jul 1 20:34:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA25920 for firewalls-outgoing; Mon, 1 Jul 1996 18:30:42 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA25899 for ; Mon, 1 Jul 1996 18:30:29 -0700 (PDT) Received: from explorer2.clark.net (mjr@explorer2.clark.net [168.143.0.5]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id VAA22630 for ; Mon, 1 Jul 1996 21:27:47 -0400 (EDT) From: "Marcus J. Ranum" Received: (from mjr@localhost) by explorer2.clark.net (8.7.1/8.7.1) id VAA26749 for firewalls@greatcircle.com; Mon, 1 Jul 1996 21:27:45 -0400 (EDT) Message-Id: <199607020127.VAA26749@explorer2.clark.net> Subject: firewall certification (was Re: NCSA) To: firewalls@greatcircle.com Date: Mon, 1 Jul 1996 21:27:45 -0400 (EDT) Reply-To: mjr@v-one.com Organization: V-One Corporation, Baltimore, MD Office Phone: 410-889-8569 X-Mailer: ELM [version 2.4 PL24alpha3] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

[This is no longer particularly related to NCSA, so it should not be taken as criticism or praise for their business.]

I'm very cynical about the whole notion of firewall certification, as many of you have noted. Mostly, it's because it's nearly impossible to find an unbiased source. For example, the federal government's various agencies have several times tried to publish firewall recommendations but whenever they do, they get slammed and threatened with lawsuits by the vendors that feel they are slighted. There are probably all kinds of goofy procurement rules that further tie the hands of government agencies, with respect to making comments. NSA, for example, has spent a lot of effort looking at firewalls.
I know this for a fact, and I'm doubly frustrated by the fact that they don't say much. On one hand, it's about unclassified stuff, and WE PAID FOR IT - but - I suspect that the hassle they'd get from the vendors simply isn't worth it. I was involved in one case where NSA looked at a firewall that I built, but I was never formally told the results because they were CLASSIFIED. Hell, don't tell the author! NCSA's situation is different: they have customers who are paying them for a service. As with any service providing business, there's a transfer of power of position along with the transfer of money. I believe that with firewalls, NCSA's stated plan was to start with fairly basic tests that verified a reasonably simple baseline, and then to "raise the bar" over time. They certainly could not set the bar too high right away or they'd scare their customers (the vendors) off. I can accept that some of what NCSA's doing has value, by interpreting it as an extended marketing effort by the vendors, with NCSA as a mouthpiece that makes sure the claims aren't too egregious. That's a *START*. A tiny one. To do product reviews, I believe the only people who are qualified are the ones who are beholden to none, and who have a history (in theory) of resisting censorship. By that, I mean The Fourth Estate. Unfortunately, from the quality of a few of the firewall evaluations, it is clear that not all members of the press take their responsibility very seriously: I've seen firewall "reviews" that crib marketing copy verbatim. I continue to advocate that people EDUCATE THEMSELVES rather than take someone else's opinion in someone else's evaluation. It is foolishness to think of a firewall as an isolated "black box" that you can somehow test in a clean lab, then plug into your WAN and get security. Security is not about "black boxes" it is a PROCESS that requires UNDERSTANDING and COMMITMENT from management. Many of you (including the guys at NCSA who I've discussed this with!) 
sense a great deal of ambivalence on my part about their efforts. In one sense I think it is a step forward; in another I think it's a step backward. On one hand we may see some sanity in marketing claims, and on the other, we may see people abrogate their responsibility to THINK about what they are doing when they see a sticker on a firewall. Obviously, they are going to continue to move forward with their project - let's watch and see what happens. The best thing we can contribute is healthy, productive skepticism, and our support* if it looks like they're playing honestly. mjr. (* Oddly enough, I've contributed some effort pro bono to the NCSA project. They've adopted my firewall functional summaries format. I think that's a good thing, but time will tell!) -- Chief Scientist, V-ONE Corporation -- "Security for a connected world" work http://www.v-one.com personal http://www.clark.net/pub/mjr/mjr-top.html From firewalls-owner Mon Jul 1 21:19:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA14171 for firewalls-outgoing; Mon, 1 Jul 1996 21:06:42 -0700 (PDT) Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA14164 for ; Mon, 1 Jul 1996 21:06:32 -0700 (PDT) Received: (from girsch@localhost) From: girsch@marben.com (Arnaud Girsch) Message-Id: <199607020403.VAA19025@mail.marben.com> Subject: Re: /etc/shadow encryption To: vadillo@apu.rcp.net.pe (Enrique Vadillo) Date: Mon, 1 Jul 1996 21:03:40 -0700 (PDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Enrique Vadillo" at Jul 1, 96 09:25:45 pm X-Organization: Marben Products, Inc. 
X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I would like to know if you know where I can get the encryption algorithm
> that Sun Solaris 2.5 uses to write its /etc/shadow file.
>
> I am trying to write some proggy that can let me create users thru email,
> I have so many by day!! I want to make this an automated process,
> and all I need now is to know the way this encryption is made.

If that's really what you want to do, you don't need the algorithm, but just have a look at crypt(3) on all (?) Un*x systems. Arnaud. -- Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Mon Jul 1 22:19:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA17657 for firewalls-outgoing; Mon, 1 Jul 1996 22:03:49 -0700 (PDT) Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA17650 for ; Mon, 1 Jul 1996 22:03:43 -0700 (PDT) Received: (from shaver@localhost) by neon.ingenia.com (8.8.Alpha.2/8.6.9) id BAA04053; Tue, 2 Jul 1996 01:00:55 -0400 From: Mike Shaver Message-Id: <199607020500.BAA04053@neon.ingenia.com> Subject: Re: Stateful Packet Screens To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE) Date: Tue, 2 Jul 1996 01:00:55 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <9607012013.AA21329@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Jul 1, 96 01:13:23 pm X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thus spake Ryan Russell/SYBASE:
> This is because
> , by their nature, many of them store a significant portion of the document
> on its way through, and hence, would make it easier to run through
> some script on the
proxy server. I don't think that's necessarily `by their nature', although I'll concede that the vast majority of AGs deal with data with larger granularity than the vast majority of SPFs. > This would also be why they would > tend to be slower. I think it's because of: - kernel->user->kernel data copying, since most AGs run in user space. - doing more complex analysis/manipulation of the data, which obviously takes more CPU time. (This includes the AG's TCP, if any.) > I suspect that one will have a much > easier time > allowing a new type of service on a SPF than an AG. Warning: ports are not always related to services/protocols in a 1-to-1 way. Current SPFs only really look at port and protocol info, so you can easily end up letting something through that wasn't intended, if the port->application mapping isn't what you think it is. > Are there proxies that are as transparent as something like FW1? You can make a transparent proxy (which is probably closer to an AG than an SPF, by traditional behavioural criteria) which requires no change to the client configuration. Usually requires kernel support, I think. Mike -- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <# #> UNIX medicine man -- dark magick, cheap! <# #> <# #> When the going gets tough, the tough give cryptic error messages. <# #> "We believe in rough consensus and running code." 
<#

From firewalls-owner Tue Jul 2 02:04:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA28079 for firewalls-outgoing; Tue, 2 Jul 1996 01:58:02 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA28063 for ; Tue, 2 Jul 1996 01:57:52 -0700 (PDT) Message-Id: <199607020857.BAA28063@miles.greatcircle.com> Received: by cheops.anu.edu.au From: Darren Reed Subject: Re: Stateful Packet Screens To: shaver@neon.ingenia.ca (Mike Shaver) Date: Tue, 2 Jul 1996 18:54:52 +1000 (EST) Cc: Ryan.Russell@sybase.com, firewalls@GreatCircle.COM In-Reply-To: <199607020500.BAA04053@neon.ingenia.com> from "Mike Shaver" at Jul 2, 96 01:00:55 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Mike Shaver, sie said:
>
> Thus spake Ryan Russell/SYBASE:
> > This is because
> > , by their nature, many of them store a significant portion of the document
> > on its way through, and hence, would make it easier to run through
> > some script on the proxy server.
>
> I don't think that's necessarily `by their nature', although I'll
> concede that the vast majority of AGs deal with data with larger
> granularity than the vast majority of SPFs.

Dealing with a 1MB e-mail is going to be difficult, in kernel space.

> > This would also be why they would
> > tend to be slower.
>
> I think it's because of:
> - kernel->user->kernel data copying, since most AGs run in user space.
> - doing more complex analysis/manipulation of the data, which
> obviously takes more CPU time. (This includes the AG's TCP, if any.)

I think the latter more than the first (re. zero-copy TCP at Usenix '96 having noticeable but not huge, performance gains), especially if they're putting stuff on disk (I guess virtual memory must be a consideration here too).
> Warning: ports are not always related to services/protocols in a
> 1-to-1 way. Current SPFs only really look at port and protocol info,
> so you can easily end up letting something through that wasn't
> intended, if the port->application mapping isn't what you think it is.

FW-1 is a bit more advanced: it snoops RPC traffic and learns about RPC services that way rather than any configuration file. Darren

From firewalls-owner Tue Jul 2 02:34:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA27806 for firewalls-outgoing; Tue, 2 Jul 1996 01:50:40 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA27791 for ; Tue, 2 Jul 1996 01:50:28 -0700 (PDT) Message-Id: <199607020850.BAA27791@miles.greatcircle.com> Received: by cheops.anu.edu.au From: Darren Reed Subject: Re: firewall certification (was Re: NCSA) To: mjr@v-one.com Date: Tue, 2 Jul 1996 18:47:34 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199607020127.VAA26749@explorer2.clark.net> from "Marcus J. Ranum" at Jul 1, 96 09:27:45 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Marcus J. Ranum, sie said:
>
> [This is no longer particularly related to NCSA, so it
> should not be taken as criticism or praise for their business.]
>
> I'm very cynical about the whole notion of firewall
> certification, as many of you have noted. Mostly, it's because
> it's nearly impossible to find an unbiased source. For example,
> the federal government's various agencies have several times
> tried to publish firewall recommendations but whenever they
> do, they get slammed and threatened with lawsuits by the
> vendors that feel they are slighted. There are probably all
> kinds of goofy procurement rules that further tie the hands
> of government agencies, with respect to making comments.
[...]
On the topic of Government recommendations, the Australian Government has a "Firewall Requirements" document (a copy of which is hopefully going to get to me some time this century), which I think is an interesting way of approaching the "is it good enough ?" problem. What's more, I seem to get rather interesting advertising material from a local reseller of ISS's scanner which points out that a number of commercial firms which do auditing and consulting use it to verify or audit firewalls. Whilst it is a start, it is by no means comprehensive and reading the document, the way it is sold for such a purpose borders on the ridiculous. It can quite easily lead to a false sense of security, irrespective of how up-to-date it is with current patches and bugs. How secure the firewall itself is does not necessarily have anything to do with how well it protects your network. Darren

From firewalls-owner Tue Jul 2 03:04:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA02117 for firewalls-outgoing; Tue, 2 Jul 1996 02:49:49 -0700 (PDT) Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA02042 for ; Tue, 2 Jul 1996 02:49:21 -0700 (PDT) Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id LAA12235; Tue, 2 Jul 1996 11:47:10 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) Message-Id: <9607020945.AA17027@tidtest.total.fr> To: vadillo@apu.rcp.net.pe (Enrique Vadillo) Cc: firewalls@greatcircle.com Subject: Re: /etc/shadow encryption In-Reply-To: Your message of "Mon, 01 Jul 1996 21:25:45 EDT." X-Cuse: "The dog ate my network" Date: Tue, 02 Jul 1996 11:45:40 +0100 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In message , Enrique Vadillo writes:
>
> I am trying to write some proggy that can let me create users thru email,
> I have so many by day!!
I want to make this an automated process,
> and all I need now is to know the way this encryption is made.
>

Will you post the mailbot address on the list when you're done ? :-) Michel Lavondes (lavondes@tidtest.total.fr) #include Governments are guilty until proved innocent

From firewalls-owner Tue Jul 2 03:19:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA03334 for firewalls-outgoing; Tue, 2 Jul 1996 03:02:27 -0700 (PDT) Received: from gemsgw.med.ge.com ([192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA03305 for ; Tue, 2 Jul 1996 03:02:10 -0700 (PDT) Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id EAA12464; Tue, 2 Jul 1996 04:57:19 -0500 Received: from wiproge.med.ge.com (jogin [3.70.200.53]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id EAA02507; Tue, 2 Jul 1996 04:57:20 -0500 Received: from ashwini.wiproge.med.ge.com by wiproge.med.ge.com (4.1/SMI-4.1) Received: by ashwini.wiproge.med.ge.com (SMI-8.6/SMI-SVR4) Date: Tue, 2 Jul 1996 15:28:36 -0500 From: sameer@wiproge.med.ge.com (Sameer ) Message-Id: <199607022028.PAA19968@wiproge.med.ge.com> To: firewalls@GreatCircle.COM, vadillo@apu.rcp.net.pe Subject: Re: /etc/shadow encryption X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, Why do you need the passwd algo for that? Solaris allows you to create a user w/o passwd and then let the user create a passwd while logging in. ....sam

*SAM*From firewalls-owner@GreatCircle.COM Tue Jul 2 09:26:19 1996
*SAM*From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
*SAM*Subject: /etc/shadow encryption
*SAM*To: firewalls@GreatCircle.COM
*SAM*Date: Mon, 1 Jul 1996 21:25:45 -0400 (EDT)
*SAM*
*SAM*Hello all!
*SAM*
*SAM*I would like to know if you know where I can get the encryption algorithm
*SAM*that Sun Solaris 2.5 uses to write its /etc/shadow file.
*SAM*
*SAM*I am trying to write some proggy that can let me create users thru email,
*SAM*I have so many by day!! I want to make this an automated process,
*SAM*and all I need now is to know the way this encryption is made.
*SAM*
*SAM*Thanks in advance,
*SAM*--
*SAM* Enrique Vadillo Research & Development at RCP
*SAM* http://www.rcp.net.pe fax : +51 1 241-1320
*SAM* Peruvian Internet Gateway work: +51 1 954-4799
*SAM*

From firewalls-owner Tue Jul 2 05:49:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA12268 for firewalls-outgoing; Tue, 2 Jul 1996 05:38:17 -0700 (PDT) Received: from webster.your.net (webster.your.net [205.133.197.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA12250 for ; Tue, 2 Jul 1996 05:38:06 -0700 (PDT) Received: from web-server by webster.your.net via SMTP (940816.SGI.8.6.9/50810.SGI) Message-Id: <2.2.32.19960702073748.002bfdb0@CFConsulting.com> X-Sender: cfry@CFConsulting.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 08:37:48 +0100 To: Firewalls@GreatCircle.COM From: Charles C Fry Subject: On Guard Experiences? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am looking for some feedback (good and bad) on the firewall called On Guard. Users who have it fw'ing IPX nets would be appreciated as well as folks using it for Internet firewalling. Thanks.
====================================================================== = Charles Fry Consulting == Helping Retail & Direct Marketing = = New Albany, Ohio == Companies Harness Technology for = = (614) 855-3925 == Greater Profit and Market Advantage = = cfry@CFConsulting.com == http://www.CFConsulting.com = ======================================================================

From firewalls-owner Tue Jul 2 06:34:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14150 for firewalls-outgoing; Tue, 2 Jul 1996 06:19:57 -0700 (PDT) Received: from isgate.is (isgate.is [193.4.58.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA14131 for ; Tue, 2 Jul 1996 06:19:49 -0700 (PDT) Received: from linda.if.is by isgate.is (8.7.5-M/ISnet/14-10-91); Tue, 2 Jul 1996 13:17:06 GMT Received: by linda.if.is (Secure/IFnet/26-04-96); Tue, 2 Jul 1996 13:17:04 GMT From: gunni@if.is (Gunnar Ingvi Thorisson) Message-Id: <199607021317.NAA10567@linda.if.is> Subject: Reading news via a firewall To: firewalls@GreatCircle.com Date: Tue, 2 Jul 1996 13:17:04 +0000 (GMT) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm looking for a simple solution for reading news via a firewall. I've a Linux firewall set up on our local network and a lot of PCs running Win 3.x, Win95 and/or WinNT Workstations on the protected network. The problem is that the machines on the protected network must be able to read news via/through the firewall at the news host. Is there a simple/good solution for a Linux firewall? A gateway or something? If so, what news agents do support that gateway solution? Hope someone can help me, best regards, Gunni

.------.
| News |
`------'
   |
   |
---Firewall---
   |
   |
   `-------------Protected network

========================================================================= Gunnar Ingvi Thorisson E-Mail address: gunni@if.is System administrator Iceland Software Inc. Sudurlandsbraut 4, IS-108 Reykjavík, Iceland Phone: (+354) 588-1511 Fax: (+354) 588-8728 =========================================================================

From firewalls-owner Tue Jul 2 06:49:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14642 for firewalls-outgoing; Tue, 2 Jul 1996 06:26:43 -0700 (PDT) Received: from drawbridge.ascend.com (drawbridge.ascend.com [198.4.92.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA14635 for ; Tue, 2 Jul 1996 06:26:37 -0700 (PDT) Received: from spud.ascend.com (fw-ext.ascend.com [198.4.92.5]) Received: from Mail-gw.ascend.com (mail-gw.ascend.com [192.207.23.142]) Received: by Mail-gw.ascend.com (IBM OS/2 SENDMAIL VERSION 1.3.14/1.0) Message-Id: <9607021322.AA1707@Mail-gw.ascend.com> Received: from Ascend with "Lotus Notes Mail Gateway for SMTP" id To: Full Name Field Cc: firewalls From: Gary Wong/Ascend/US Date: 2 Jul 96 6:22:20 Subject: Re: source routing and Ascend P50 Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Frank : The filter rules are as below :

Input Filter 1 : Generic...
Forward = No
Offset = 34
Length = 1
Mask = FF00000000000000
Value = 8300000000000000 #loose source route
Compare = Equals
More = No

Input Filter 1 : Generic...
Forward = No
Offset = 34
Length = 1
Mask = FF00000000000000
Value = 8900000000000000 #strict source route
Compare = Equals
More = No

These filters will discard incoming packets with source route option.(ex:traceroute -g or traceroute -G) Gary Wong Ascend Communications Inc.
------------------------------------------------------------------------------------------------------------- wall @ readybox.com (Full Name Field) 06/30/96 10:14 AM To: firewalls @ GreatCircle.COM @ Internet cc: Subject: source routing and Ascend P50 I have an Ascend Pipeline 50 router and would like to kill all incoming source-routed packets. 1) Is it possible to filter source-routed packets with a P50? 2) If so, can anyone provide an example of such a filter rule? I've spent some time on the phone with Ascend in an attempt to answer these questions. In that hunt, I spoke with four support people, none of whom were familiar with the concept of source routing. (That was, in itself, a little disturbing.) I tried to explain what source routing was and why it was of interest, but I never did get any useful responses. --------------------------- Frank McCormick From firewalls-owner Tue Jul 2 07:38:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18555 for firewalls-outgoing; Tue, 2 Jul 1996 07:17:42 -0700 (PDT) Received: from c2smtp.on.com (c2smtp.on.com [207.18.216.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA18527 for ; Tue, 2 Jul 1996 07:17:33 -0700 (PDT) Received: from Connect2 Message Router by c2smtp.on.com Message-ID: Date: Tue, 2 Jul 1996 10:20:00 -0500 From: David Tate Organization: On Technology To: firewalls@greatcircle.com Subject: Training??? MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7BIT X-Mailer: Connect2-SMTP 4.01.b32G MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking for IS Security/Firewalling/Network Protection training in MA, in the month of July. Would anyone be able to recommend such training? 
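The Ascend rules Gary Wong posted above compare a single byte at frame offset 34 against 0x83 (loose source route, LSRR) and 0x89 (strict source route, SSRR). The following is an added example, not code from the thread or from Ascend, that implements that same fixed-offset test beside a proper walk of the IPv4 option list, so the difference can be seen on a few constructed frames. It assumes the offset is counted from the start of an Ethernet frame (14-byte Ethernet header plus the 20-byte base IPv4 header puts the first option byte at 34); the frames are built inline with zero checksums and made-up addresses.

```python
"""Source-route option detection on raw Ethernet/IPv4 frames.

Added example (not code from the list thread).  Two checks:
  fixed_offset_match(): the Ascend generic-filter test from the thread,
      "Offset=34 Length=1 Mask=FF Value=83 or 89".  Assumption: the offset is
      counted from the start of an Ethernet frame, so 14 (Ethernet) + 20 (base
      IPv4 header) = 34 is the first IP option byte.
  has_source_route(): walks the IPv4 option list and reports LSRR (0x83) or
      SSRR (0x89) wherever it sits, failing closed on malformed options.
All frames are constructed here; IP/TCP checksums are left zero.
"""
import struct

ETH_HLEN = 14
ETH_P_IP = 0x0800
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89          # RFC 791 option types 131 and 137
SOURCE_ROUTE_OPTS = {IPOPT_LSRR: "loose", IPOPT_SSRR: "strict"}


def fixed_offset_match(frame: bytes) -> bool:
    """The posted Ascend rule: match if the byte at frame offset 34 is 0x83 or 0x89."""
    return len(frame) > 34 and frame[34] in SOURCE_ROUTE_OPTS


def ipv4_options(frame: bytes) -> bytes:
    """Return the raw IPv4 option bytes (empty if IHL == 5 or the frame is not IPv4)."""
    if len(frame) < ETH_HLEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return b""
    ver_ihl = frame[ETH_HLEN]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl <= 20 or len(frame) < ETH_HLEN + ihl:
        return b""
    return frame[ETH_HLEN + 20:ETH_HLEN + ihl]


def has_source_route(frame: bytes):
    """'loose', 'strict', 'malformed', or None after walking the option list."""
    opts = ipv4_options(frame)
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:               # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            return "malformed"               # type byte with no length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return "malformed"               # length would run past the header
        if kind in SOURCE_ROUTE_OPTS:
            return SOURCE_ROUTE_OPTS[kind]
        i += length
    return None


def decide(frame: bytes) -> str:
    """Filter verdict: drop any source-routed packet, and fail closed on bad options."""
    return "drop" if has_source_route(frame) is not None else "pass"


def build_frame(options: bytes = b"", sport: int = 1024) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN carrying the given IP options (padded to 4 bytes)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(tcp),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    eth = b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETH_P_IP)
    return eth + ip + options + tcp


HOP = bytes([192, 0, 2, 9])                  # one hop address inside the route option
SAMPLE_FRAMES = {                            # constructed test frames
    "plain": build_frame(),
    "lsrr_first": build_frame(bytes([IPOPT_LSRR, 7, 4]) + HOP),
    "nop_then_ssrr": build_frame(bytes([IPOPT_NOP, IPOPT_SSRR, 7, 4]) + HOP),
    "high_port_no_options": build_frame(sport=0x8300),   # TCP source port 33536
    "bad_length": build_frame(bytes([IPOPT_LSRR, 1])),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:22} ascend_rule={fixed_offset_match(frame)!s:5} "
              f"option_walk={has_source_route(frame)!s:9} verdict={decide(frame)}")
```

Two of the constructed frames show why the one-byte compare is a useful but incomplete control: a NOP placed ahead of the SSRR option slips past it (byte 34 is then 0x01), and a packet with no options at all but a TCP source port whose high byte is 0x83 is dropped although it is not source-routed. The option walk catches the first case and ignores the second; the posted rule is still worth having on a box that cannot parse options, since most source-routed probes do put the option first.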
From firewalls-owner Tue Jul 2 07:54:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19970 for firewalls-outgoing; Tue, 2 Jul 1996 07:38:47 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19951 for ; Tue, 2 Jul 1996 07:38:36 -0700 (PDT) Received: from pferguso-pc.cisco.com ([171.68.83.76]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id HAA27981; Tue, 2 Jul 1996 07:36:17 -0700 Message-Id: <199607021436.HAA27981@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 10:35:14 -0400 To: "Russell L. Jones" From: Paul Ferguson Subject: Re: Cisco Router security Cc: "'firewalls@GreatCircle.COM'" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 12:38 PM 7/1/96 -0400, Russell L. Jones wrote:
>What are the known bugs which leave Cisco routers running the 10.X version of the management software vulnerable to IP based attacks?
>

The only one that I'm aware of is the fragmentation problem when the ACK bit is set with 'established' parameter [below]. - paul

[snip]

Cisco Security Advisory
-----------------------
Thu Jun 1 16:27:08 PDT 1995

The following describes a vulnerability in Cisco's IOS software when the 'established' keyword is used in extended IP access control lists. This bug can, under very specific circumstances and only with certain IP host implementations, allow unauthorized packets to circumvent a filtering router.

This vulnerability is present in the following IOS software versions:

10.3(1) through 10.3(2)
10.2(1) through 10.2(5)
10.0(1) through 10.0(9)

and all previous versions of Cisco software.
If you are running any of these IOS versions on a product that uses IP extended access lists, and you are using the 'established' keyword in these lists, then Cisco strongly recommends that you take immediate action to remove the vulnerability. You can determine what version of IOS you are running by issuing the following command:

show version

The recommended action is to upgrade to a more recent version of IOS, or take one of the immediate workaround actions described below. The vulnerability is fixed in the following official software releases:

10.0(10) or later
10.2(6) or later
10.3(3) or later

(For reference, the Cisco update identifier for this fix is "CSCdi34061".) Customers may obtain software upgrades without going through Cisco's Technical Assistance Center via Cisco's Customer Information On-Line service, instructions for downloading are available at the end of this message. You may also contact your Cisco distributor or contact Cisco's Technical Assistance Center (TAC) for more information. TAC can be reached by phone at 800-553-2447, by E-Mail to tac@cisco.com or via the World-Wide-Web at http://www.cisco.com. In Europe you can contact TAC by phone at 32-2-778-42-42 or via E-Mail to euro-tac@cisco.com.

- ----------------------------------------------------------------------------

A) Description

A bug in Cisco's extended IP access list implementation can, under very specific circumstances, allow a user to bypass IP packet filtering. This may permit unintended IP traffic to pass through your firewall setup. To determine if you are vulnerable, look through your configuration. The configuration can be displayed by enabling and then entering the command "write term". If you see an access list line using a list number in the range of 100 through 199 that permits or denies TCP traffic and contains the word 'established' near the end of the line, you may be vulnerable.
An example line might look like: In IOS 10.3: access-list 100 permit tcp any any established In IOS 10.2 or earlier: access-list 100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established If you do not meet this test, then you are not vulnerable. You do not need to do anything. B) Workaround The following actions will remove the vulnerability: - Rewrite the access list parameters so the 'established' keyword is not necessary. This does not simply mean that you may remove the 'established' keyword, but rather that you will need to re-design your access lists to provide similar functionality without using the established mechanism. or - Disable the interfaces to which the access list is applied using the 'shutdown' interface subcommand: example: router(config)#interface ethernet 0 router(config-if)#shutdown C) Solution Obtain and install the appropriate release of IOS software as described above. For assistance contact Cisco's TAC. D) Technical Comments This problem is caused by an obscure but common design flaw, that we believe, exists in many router/firewall vendor's packet filtering implementations. Owners of non-Cisco hardware who use IP packet filtering features similar to Cisco's "extended access lists" as part of a firewall system may wish to contact their vendor to confirm that this vulnerability does not exist in their system. (Technical discussions about the problem have already occured in the appropriate forum.) This vulnerability can only be exploited with certain IP host implementations (we do not have information on which implementations are susceptible). Cisco suggests that all routers configured to filter IP packets based upon the 'established' mechanism be upgraded. [snip] -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Tue Jul 2 08:04:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18862 for firewalls-outgoing; Tue, 2 Jul 1996 07:21:28 -0700 (PDT) Received: from Hydro.CAM.ORG (Hydro.CAM.ORG [198.168.100.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA18855 for ; Tue, 2 Jul 1996 07:21:22 -0700 (PDT) Received: from Stratus.CAM.ORG (cyberia@Stratus.CAM.ORG [198.168.100.6]) by Hydro.CAM.ORG (8.7.5/8.7.3) with ESMTP id KAA28820; Tue, 2 Jul 1996 10:18:22 -0400 (EDT) Received: from localhost (cyberia@localhost) by Stratus.CAM.ORG (8.7.5/8.7.3) with SMTP id KAA23366; Tue, 2 Jul 1996 10:18:13 -0400 (EDT) X-Authentication-Warning: Stratus.CAM.ORG: cyberia owned process doing -bs Date: Tue, 2 Jul 1996 10:18:11 -0400 (EDT) From: CyberEyes To: Sameer cc: firewalls@GreatCircle.COM, vadillo@apu.rcp.net.pe Subject: Re: /etc/shadow encryption In-Reply-To: <199607022028.PAA19968@wiproge.med.ge.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 2 Jul 1996, Sameer wrote: > Why do u need the passwd algo for that? Solaris allows > u to create a user w/o passwd and then let the user create passwd while logging. Would you know if there is a way to do what you just described above, but I don't have access to root? Obviously the user would not have any privs, but is it possible? Ryan A. Rowe - Montreal, Quebec aka CyberEyes, Rubik'S Cube Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia@cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run /Seeking Internet-related job./ Read my RESUME on my home page! "I may not know everything, but I'm willing to learn." Will relocate _ANYWHERE_ in North America. "Everyone has their day, mine is July 15th, 1998." 
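The Cisco advisory that Paul Ferguson quotes above gives a two-part test: check the IOS release against the fixed releases it lists, and look for numbered extended access lists (100-199) that filter TCP with the 'established' keyword. The script below is an added example, written for this archive and not part of the original post or of Cisco's advisory, that automates that test over a saved capture of "show version" and "write term" output. The sample capture embedded in it is constructed for the example; the "Version 10.3(2)" string format and the combined capture are assumptions, and an IOS train the advisory does not name (anything after 10.3) is reported as "not covered" rather than guessed at. The script only reports; as the advisory says, the fix is an upgrade or a redesign of the list, not simply deleting the keyword.

```python
"""Audit a Cisco IOS config capture for the 'established' extended-ACL issue
described in the June 1995 Cisco advisory (CSCdi34061). Added example."""
import re

# Releases the advisory names as fixed, keyed by (major, minor) train:
# 10.0(10), 10.2(6) and 10.3(3) "or later".
FIXED_RELEASE = {(10, 0): 10, (10, 2): 6, (10, 3): 3}

# Assumed 'show version' string shape, e.g. "Version 10.3(2), RELEASE SOFTWARE".
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)")

# Numbered extended IP access lists: "access-list <n> permit|deny tcp ...".
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+tcp\b(.*)$",
                    re.IGNORECASE)

# Constructed capture of 'show version' followed by 'write term' output.
SAMPLE_CONFIG = """\
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-I-L), Version 10.3(2), RELEASE SOFTWARE (fc1)
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 100 permit tcp any any established
access-list 100 permit tcp any host 192.0.2.25 eq 25
access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
access-list 102 deny ip any any
"""


def parse_version(text):
    """Return (major, minor, release) from a 'show version' capture, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(ver):
    """True/False per the advisory's version table; None if the train is not
    named there (later trains), so the operator must confirm with the vendor."""
    major, minor, rel = ver
    train = (major, minor)
    if train in FIXED_RELEASE:
        return rel < FIXED_RELEASE[train]
    if train < (10, 0):
        return True  # "and all previous versions of Cisco software"
    return None


def find_established_acls(config):
    """Return (list number, line) for every extended ACL (100-199) TCP entry
    that carries the 'established' keyword, the advisory's configuration test."""
    hits = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        number = int(m.group(1))
        if 100 <= number <= 199 and re.search(r"\bestablished\b", m.group(3), re.IGNORECASE):
            hits.append((number, line.strip()))
    return hits


def assess(config):
    """Combine both checks. 'vulnerable' is True only when an affected release
    AND an 'established' list are both present; otherwise see the parts."""
    ver = parse_version(config)
    hits = find_established_acls(config)
    ver_vuln = is_vulnerable_version(ver) if ver else None
    return {
        "version": ver,
        "version_vulnerable": ver_vuln,
        "established_lists": hits,
        "vulnerable": bool(hits) and ver_vuln is True,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG)
    print("IOS version:", result["version"], "affected:", result["version_vulnerable"])
    for number, line in result["established_lists"]:
        print(f"  list {number}: {line}")
    if result["vulnerable"]:
        print("ACTION: upgrade to a fixed release or redesign the list (see advisory B/C)")
```

Feed it a real "show version" plus "write term" capture in place of SAMPLE_CONFIG; a hit on a fixed release is still worth knowing about, since the advisory's closing comment recommends upgrading every router that relies on the 'established' mechanism.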
From firewalls-owner Tue Jul 2 08:19:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22829 for firewalls-outgoing; Tue, 2 Jul 1996 08:14:54 -0700 (PDT) Received: from eagle.twinds.com (eagle.twinds.com [206.153.22.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA22799 for ; Tue, 2 Jul 1996 08:14:45 -0700 (PDT) Received: from hawk.twinds.com by eagle.twinds.com with SMTP Date: Tue, 2 Jul 1996 11:16:25 -0400 (EDT) From: Arley Carter X-Sender: ac@hawk.twinds.com To: mjr@v-one.com Cc: Firewalls@GreatCircle.COM Subject: Re: Catapault firewall In-Reply-To: <199607020139.VAA27764@explorer2.clark.net> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 1 Jul 1996, Marcus J. Ranum wrote:
> The brief on Microsoft's page is completely content-free.
> Several times, Catapult is recommended as the solution because
> it's secure. Nothing about why it's secure or how it's secure.
> Don't bother your head with that stuff! It's SECURE, OK?

Nike's slogan: Just do it!
Microsoft's Slogan: Just use it!

Cheers:
-arc

Arley Carter Tradewinds Technologies, Inc. email: ac@hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from ."
From firewalls-owner Tue Jul 2 08:20:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18977 for firewalls-outgoing; Tue, 2 Jul 1996 07:23:14 -0700 (PDT) Received: from dfw-ix1.ix.netcom.com (dfw-ix1.ix.netcom.com [206.214.98.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA18970 for ; Tue, 2 Jul 1996 07:23:08 -0700 (PDT) Received: from larry-s-pc (nyc-ny29-09.ix.netcom.com [207.92.153.137]) by dfw-ix1.ix.netcom.com (8.6.13/8.6.12) with SMTP id HAA06184 for ; Tue, 2 Jul 1996 07:20:24 -0700 Message-Id: <1.5.4.32.19960702161706.0068f028@popd.ix.netcom.com> X-Sender: ler@popd.ix.netcom.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 10:17:06 -0600 To: firewalls@greatcircle.com From: Larry Rudnick Subject: Firewall training Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all, As the person charged with getting my organization connected to the Internet, I have done research on firewalls, network security practices, host security practices and other related tasks. (Looked at application proxies, virus scanners, use trackers, packet filters (including the "stateful" kind), etc., etc.) I plan to have our 2 sites, in NY and Denver, connected using the same national ISP, but with the same domain name. Naturally, there will be a firewall at each location. *Question*: Other than the training that the firewall vendor offers to manage their product, and general training in TCP/IP, what other training should the groups who will manage these firewalls take? Each site will have a LAN group (primarily with Novell expertise and some prior UNIX training) that will "own" the firewall administration. We do have a central security group, but they are not staffed to handle this new job, although they will set the administrative standards for the firewall. 
The firewall will be UNIX based, as will the other associated products (virus scanner, etc.). Any suggestions (particularly specific training courses) will be much appreciated. Larry Rudnick <<< ++++++++++ Larry Rudnick +++++++++++ >>> <<< ++++++ OppenheimerFunds, Inc. ++++++ >>> <<< ++++++++ ler@ix.netcom.com +++++++++ >>> From firewalls-owner Tue Jul 2 08:26:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19175 for firewalls-outgoing; Tue, 2 Jul 1996 07:26:31 -0700 (PDT) Received: from dfw-ix4.ix.netcom.com (dfw-ix4.ix.netcom.com [206.214.98.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19150 for ; Tue, 2 Jul 1996 07:26:23 -0700 (PDT) Received: from larry-s-pc (nyc-ny29-09.ix.netcom.com [207.92.153.137]) by dfw-ix4.ix.netcom.com (8.6.13/8.6.12) with SMTP id HAA16775 for ; Tue, 2 Jul 1996 07:23:00 -0700 Message-Id: <1.5.4.32.19960702161943.0066c30c@popd.ix.netcom.com> X-Sender: ler@popd.ix.netcom.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 10:19:43 -0600 To: firewalls@greatcircle.com From: Larry Rudnick Subject: Firewall training Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello All, As the person charged with getting our company connected to the Internet, I have done research on firewalls, ISPs, host security, network security, etc., and have a fair idea of what is required, but I do have a question. Some background: I am planning on connecting our 2 sites, NY and Denver, with connections from the same national ISP using the same domain name (e-mail will go through one site only, however) The services will be pretty straightforward, allowing HTTP, FTP, NNTP and SMTP out, and only SMTP in. Each site will, naturally, have its own firewall. There will also be other related security products like a virus scanner at each site. 
The groups that will administer the firewalls will be the LAN group at each location. They have Novell expertise primarily, but some UNIX background also. The central security group does not have the staff to manage the firewall in each location, but will probably set the standards and procedures. *Question*: Other than the training offered by the firewall vendor to manage their product, and general background training in TCP/IP, what kind of training should the individuals in these groups have? Although these people have some familiarity with the Internet, nobody has ever managed a firewall before. Any suggestions will be much appreciated (particularly if you have a specific course in mind). Thanks Larry Rudnick <<< ++++++++++ Larry Rudnick +++++++++++ >>> <<< ++++++ OppenheimerFunds, Inc. ++++++ >>> <<< ++++++++ ler@ix.netcom.com +++++++++ >>>

From firewalls-owner Tue Jul 2 08:34:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23453 for firewalls-outgoing; Tue, 2 Jul 1996 08:20:27 -0700 (PDT) Received: from kremvax.demos.su (kremvax.demos.su [194.87.0.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA23431 for ; Tue, 2 Jul 1996 08:20:12 -0700 (PDT) Received: by kremvax.demos.su (8.6.13/D) from root@localhost Received: from db.mmtel.msk.su by scan.mmtel.msk.su id aa20114; Message-Id: Date: Tue, 02 Jul 1996 18:56:17 MSK From: anton@db.mmtel.msk.su To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From firewalls-owner Tue Jul 2 08:48:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA24879 for firewalls-outgoing; Tue, 2 Jul 1996 08:31:13 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA24870 for ; Tue, 2 Jul 1996 08:31:03 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9607021528.AA12740@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: Enrique Vadillo Cc: firewalls From: Ryan.Russell/SYBASE Date: 2 Jul 96 8:29:13 EDT Subject: Re: /etc/shadow encryption X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If memory serves... try 'man 3 crypt'

Without the quotes, of course.

Ryan

---------- Previous Message ----------
To: firewalls cc: From: vadillo @ apu.rcp.net.pe (Enrique Vadillo) @ smtp Date: 07/01/96 09:25:45 PM Subject: /etc/shadow encryption

Hello all! I would like to know if you know where I can get the encryption algorithm that Sun Solaris 2.5 uses to write its /etc/shadow file. I am trying to write some proggy that can let me create users thru email, I have so many by day!! I want to make this an automated process, and all I need now is to know the way this encryption is made.
Thanks in advance, -- Enrique Vadillo Research & Development at RCP http://www.rcp.net.pe fax : +51 1 241-1320 Peruvian Internet Gateway work: +51 1 954-4799 From firewalls-owner Tue Jul 2 09:09:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26458 for firewalls-outgoing; Tue, 2 Jul 1996 08:43:37 -0700 (PDT) Received: from Hydro.CAM.ORG (Hydro.CAM.ORG [198.168.100.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA26433 for ; Tue, 2 Jul 1996 08:43:27 -0700 (PDT) Received: from Ocean.CAM.ORG (cyberia@Ocean.CAM.ORG [198.168.100.5]) by Hydro.CAM.ORG (8.7.5/8.7.3) with ESMTP id LAA07045 for ; Tue, 2 Jul 1996 11:40:45 -0400 (EDT) Received: from localhost (cyberia@localhost) by Ocean.CAM.ORG (8.7.5/8.7.3) with SMTP id LAA06369 for ; Tue, 2 Jul 1996 11:40:42 -0400 (EDT) X-Authentication-Warning: Ocean.CAM.ORG: cyberia owned process doing -bs Date: Tue, 2 Jul 1996 11:40:41 -0400 (EDT) From: CyberEyes cc: firewalls@GreatCircle.COM Subject: Re: Training??? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 2 Jul 1996, David Tate wrote: > I am looking for IS Security/Firewalling/Network Protection training in MA, > in the month of July. Would anyone be able to recommend such training? If anyone knows of the same kind of things in Quebec/Ontario, I'd appreciate knowing about it... Thanks. Ryan A. Rowe - Montreal, Quebec aka CyberEyes, Rubik'S Cube Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia@cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run /Seeking Internet-related job./ Read my RESUME on my home page! "I may not know everything, but I'm willing to learn." Will relocate _ANYWHERE_ in North America. "Everyone has their day, mine is July 15th, 1998." 
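Enrique Vadillo's question above (how to write /etc/shadow entries from an automated user-creation job), Ryan Russell's pointer to crypt(3) and Sameer's suggestion, quoted earlier in the thread, of creating the account without a password and letting the user set one at first login all turn on what actually ends up in the password field of a shadow entry. The script below is an added example for this archive, not code from anyone on the thread: it parses shadow(5)-format lines and reports entries that an automated process could easily leave in a bad state, namely an empty password field (login without any password if the login program permits it), a hash produced by the old 13-character DES crypt(3) that was the Solaris 2.5 default, and the "password change forced at next login" marker. The sample lines are constructed, and the "last change = 0 forces a change at next login" rule is Linux shadow(5) semantics, assumed here; Solaris 2.5 handles that flag differently, so treat that one check as an assumption to confirm against the local manual page.

```python
"""Audit shadow(5)-format password entries for weak or empty password fields.
Added example; sample data is constructed and the field semantics assumed are
those of Linux shadow(5)."""
import re

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt prefixes, strongest are the SHA-2 and bcrypt/yescrypt families.
HASH_PREFIXES = (
    ("$1$", "md5crypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"), ("$y$", "yescrypt"),
)
WEAK_HASHES = {"des-crypt", "md5crypt"}
FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")

# Constructed sample shadow file (hashes are placeholders, not real password hashes).
SAMPLE_SHADOW = """\
root:$6$c0nstructed$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ab:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
newuser::19000:0:99999:7:::
tmpuser:abJnggxhB/yWI:0:0:99999:7:::
olduser:$1$abcdefgh$ijklmnopqrstuvwxyz012:19000:0:99999:7:::
"""


def classify_hash(field):
    """Name the scheme behind a shadow password field, or 'empty'/'locked'/'unknown'."""
    if field == "":
        return "empty"            # no password at all
    if field[0] in "*!":
        return "locked"           # '*', '!' and Solaris '*LK*' all start this way
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des-crypt"        # the crypt(3) scheme the thread is asking about
    return "unknown"


def parse_shadow_line(line):
    """Split one shadow entry into its nine named fields; ValueError if malformed."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def audit_findings(text):
    """Return {username: [finding, ...]} for entries that need attention.
    Accounts with a current-strength hash and nothing else odd are omitted."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        kind = classify_hash(entry["passwd"])
        notes = []
        if kind == "empty":
            notes.append("empty-password")
        elif kind in WEAK_HASHES:
            notes.append(f"weak-hash:{kind}")
        elif kind == "unknown":
            notes.append("unreviewed-hash")
        # Assumed Linux shadow(5) rule: lastchg of 0 forces a change at next login.
        if entry["lastchg"] == "0" and kind != "locked":
            notes.append("change-at-next-login")
        if notes:
            findings[entry["name"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_findings(SAMPLE_SHADOW).items():
        print(f"{user}: {', '.join(notes)}")
```

Run it against a copy of the real file (as root, since /etc/shadow is mode 400); the useful output for the original question is that an automated job that writes an empty field, or a DES hash on a system whose login program already accepts stronger schemes, shows up immediately rather than after the account has been in service for a while.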
From firewalls-owner Tue Jul 2 09:24:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23869 for firewalls-outgoing; Tue, 2 Jul 1996 08:23:33 -0700 (PDT) Received: from pathfinder.com (relay.pathfinder.com [204.71.242.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA23759 for ; Tue, 2 Jul 1996 08:23:00 -0700 (PDT) Received: from harpoon.excalibur-group.com by pathfinder.com (8.6.12/SMI-SVR4) Message-Id: <2.2.32.19960702151929.00702b48@mail.pathfinder.com> X-Sender: josh@mail.pathfinder.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 11:19:29 -0400 To: CyberEyes , Sameer From: Josh Hartmann Subject: Re: /etc/shadow encryption DIE DIE DIE Cc: firewalls@GreatCircle.COM, vadillo@apu.rcp.net.pe Sender: firewalls-owner@GreatCircle.COM Precedence: bulk can we put a knife through the heart of this thread *right now*? not only is it way off-topic to begin with (comp.unix.security *maybe*), but it is something a firewall administrator worth her/his salt would never have any part of! so let it die! -josh At 10:18 AM 7/2/96 -0400, CyberEyes wrote: >On Tue, 2 Jul 1996, Sameer wrote: > >> Why do u need the passwd algo for that? Solaris allows >> u to create a user w/o passwd and then let the user create passwd while logging. > > Would you know if there is a way to do what you just described >above, but I don't have access to root? Obviously the user would not have >any privs, but is it possible? > > Ryan A. Rowe - Montreal, Quebec >aka CyberEyes, Rubik'S Cube > >Tel. -> +1-514-626-0328 | __o o >E-Mail -> cyberia@cam.org | _ \<_ <\ >WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> >IRC -> #CAli4NiA, #Triathlon, #Surfing | >FTP -> ftp.cam.org /users/cyberia | swim bike run > > /Seeking Internet-related job./ Read my RESUME on my home page! > "I may not know everything, but I'm willing to learn." 
> Will relocate _ANYWHERE_ in North America. > > "Everyone has their day, mine is July 15th, 1998." > > > =================================================================== Josh Hartmann josh@pathfinder.com The Excalibur Group 100 First Stamford Place (203) 406-2908 Stamford, CT 06902 fax (203) 406-2921 A joint venture between Time Inc. New Media and Time Warner Cable =================================================================== From firewalls-owner Tue Jul 2 09:34:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28322 for firewalls-outgoing; Tue, 2 Jul 1996 08:57:24 -0700 (PDT) Received: from mailserver.zia.ms.it (icaro.zia.ms.it [194.21.103.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA28303 for ; Tue, 2 Jul 1996 08:57:14 -0700 (PDT) Organization: Rete Telematica Apuana _ Consorzio Zona Industriale Apuana - Massa - Italy Received: from netix.it (caronte.netix.it [194.21.103.247]) by mailserver.zia.ms.it (8.6.12/8.6.12) with SMTP id RAA05528; Tue, 2 Jul 1996 17:53:02 +0200 Received: from netix by netix.it (5.x/SMI-SVR4) Received: by netix (5.0/SMI-SVR4) Date: Tue, 2 Jul 1996 17:43:50 --100 From: ap@netix.it (Aldo Pannocchia) Message-Id: <9607021543.AA00907@netix> To: baysalc@boun.edu.tr Subject: Re: Hardware requirements of Firewall-1 Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Sun Jun 30 17:47 MET 1996 > Date: Sun, 30 Jun 1996 15:08:07 +0400 (MEDT) > From: Can BAYSAL > X-Sender: baysalc@hamlin.cc.boun.edu.tr > To: firewall list > Subject: Hardware requirements of Firewall-1 > Mime-Version: 1.0 > > Hi there; > I wonder what is the REAL minimum required configuration of > Firewall-1. The book says that Sun SPARC based system, I do not think > this means IPX :) , does it? For example on a 10 Mbits ethernet would a > Sparc 5 be acceptable? 
> > Thanks; > Can Baysal

My company uses FW-1 with a SS2 16 Mbytes RAM as gateway without any problems

bye Aldo

----------------------------------------------------------------- Le opinioni espresse sono quelle dello scrivente e non quelle della NetiX s.r.l. o di compagnie ad essa associate. The opinions expressed are those of the writer and not of NetiX s.r.l. nor of any NetiX-associated companies. Aldo Pannocchia phone: +39 (585) 790133 fax: +39 (585) 792552 NetiX S.r.l. Viale Stazione, 78 e-mail: apannocchia@netix.it 54100 Massa MS - Italy url: http://www.zia.ms.it/netix -----------------------------------------------------------------

From firewalls-owner Tue Jul 2 09:49:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02678 for firewalls-outgoing; Tue, 2 Jul 1996 09:24:27 -0700 (PDT) Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA02653 for ; Tue, 2 Jul 1996 09:24:15 -0700 (PDT) Received: (from shaver@localhost) by neon.ingenia.com (8.8.Alpha.2/8.6.9) id MAA06344; Tue, 2 Jul 1996 12:21:09 -0400 From: Mike Shaver Message-Id: <199607021621.MAA06344@neon.ingenia.com> Subject: Re: Stateful Packet Screens To: avalon@coombs.anu.edu.au (Darren Reed) Date: Tue, 2 Jul 1996 12:21:08 -0400 (EDT) Cc: shaver@neon.ingenia.ca, Ryan.Russell@sybase.com, firewalls@GreatCircle.COM In-Reply-To: <199607020857.BAA28063@miles.greatcircle.com> from "Darren Reed" at Jul 2, 96 06:54:52 pm X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thus spake Darren Reed:
> Dealing with a 1MB e-mail is going to be difficult, in kernel space.

1) Who says it has to be in kernel space?
2) Who says there has to be a kernel space at all? We're not limited to Unix here.
> FW-1 is a bit more advanced: it snoops RPC traffic and learns about
> RPC services that way rather than any configuration file.

Wow, that almost sounds like it's processing stuff at the application level! =)

Mike

-- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <# #> Paranoid for money. Sarcastic for kicks. <# #> <# #> "They already *KNOW* I am a whacko, Karen. <# #> That doesn't mean I am *WRONG*." -- mjr@clark.net <#

From firewalls-owner Tue Jul 2 10:18:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04153 for firewalls-outgoing; Tue, 2 Jul 1996 09:33:43 -0700 (PDT) Received: from sam.networx.ie (dublin-ts15-94.indigo.ie [194.125.134.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA04111 for ; Tue, 2 Jul 1996 09:33:29 -0700 (PDT) Received: from mip1.networx.ie (mip1.networx.ie [194.9.12.1]) by sam.networx.ie (8.6.12/8.6.12) with SMTP id QAA05181; Tue, 2 Jul 1996 16:04:29 GMT X-Organisation: I.T. NetworX Ltd X-Business: Network Consultancy and Training X-Address: 67 Merrion Square, Dublin 2, Ireland X-Voice: +353-1-676-8866 X-Fax: +353-1-676-8868 Received: from mike.networx.ie by mip1.networx.ie Date: Tue, 2 Jul 1996 16:02:52 BST From: Michael Ryan Reply-To: mike@networx.ie Subject: Re: /etc/shadow encryption To: Arnaud Girsch Cc: Enrique Vadillo , firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Forgive me if I'm wrong, but I believe the crypt() function is not exported outside the U.S. and I note the requestor is outside the U.S., so his Un*x probably doesn't have it.

On Mon, 1 Jul 1996 21:03:40 -0700 (PDT) Arnaud Girsch wrote:
> > I would like to know if you know where i can get the encryption algorithm
> > that Sun Solaris 2.5 uses to write its /etc/shadow file.
> >
> > I am trying to write some proggy that can let me create users thru email,
> > i have so many by day!! i want to make this an automated process,
> > and all i need now is to know the way this encryption is made.
>
> If that's really what you want to do, you don't need the algorithm, but
> just have a look at crypt(3) on all (?) Un*x systems.

Mike

---

From firewalls-owner Tue Jul 2 10:19:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA07252 for firewalls-outgoing; Tue, 2 Jul 1996 09:58:59 -0700 (PDT) Received: from imsc.ernet.in ([202.41.95.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07000 for ; Tue, 2 Jul 1996 09:57:32 -0700 (PDT) Received: from brahma.iitm.ernet.in by imsc.ernet.in (5.x/SMI-SVR4) Received: by brahma.iitm.ernet.in; (5.65/1.1.8.2/07Feb96-0917AM) Date: Tue, 2 Jul 1996 22:16:16 +0530 (IST) From: Natchu Vishnu Priya To: Lack Mr G M Cc: Dan Shadix Subject: Re: split-brain DNS In-Reply-To: <9607011204.ZM4779@ukwit01> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 1 Jul 1996, Lack Mr G M wrote:
> > Why can't you make the one master DNS server secondary for all your internal
> > sub-domains? Then if a request is for a domain for which it is authoritative,
> > it will just respond, if not then it will go to the Internet at large.
>
> Whereas this might work (ie. it sounds as though it will, but I haven't
> thought it through completely) this would leave me with the master server being

This will work...

> authoritative for everything. This would push the size of its database up from
> ca. 8000 to ca. 40000 entries (guessing here, but of that order). I don't have
> the memory on the servers for such numbers.
>

That's bad. The point here is that since you are using a single machine to answer all of the firewall's queries it is likely to have a very very large cache.
Any connection from the firewall to an internal machine will make a query to this machine. If the TTL values are around a day (this is what they would be if you do not have a rather static DNS) then a large portion of the internal records are likely to be cached most of the time. Also this machine will also cache all the outgoing queries. So you need memory for such numbers anyway...

> Also, it strikes me as being against the "spirit" of DNS. Relatively few
> queries go "between" domains, so I don't want this master server to spend a lot
> of its time doing zone queries for timestamps and frequent zone transfers just
> for these. I just want to send the query off to the relevant server, just as
> in the "full" InterNET.
>
> A logical extension of your solution would be to get all of the root name
> servers to become secondaries for all domains, and I'm sure that we can agree
> that would be a disaster!

That would be a disaster... but no other solution seems to present itself.... unless you are willing to patch bind to do this.

_______________________________________________________ Vishnu Priya Natchu System Administrator 225, Saraswathi, Network Systems Lab, IIT Madras 600 036 Computer Science & Engg.
INDIA IIT Madras 0091-044-235-1889 0091-044-235-1921 _______________________________________________________ Email: mailto:vishnu@brahma.iitm.ernet.in WWW page: http://brahma.iitm.ernet.in/~vishnu _______________________________________________________ From firewalls-owner Tue Jul 2 10:35:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11746 for firewalls-outgoing; Tue, 2 Jul 1996 10:31:28 -0700 (PDT) Received: from dfw-ix6.ix.netcom.com (dfw-ix6.ix.netcom.com [206.214.98.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11739 for ; Tue, 2 Jul 1996 10:31:20 -0700 (PDT) Received: from larry-s-pc (nyc-ny23-18.ix.netcom.com [206.214.136.82]) by dfw-ix6.ix.netcom.com (8.6.13/8.6.12) with SMTP id KAA23155 for ; Tue, 2 Jul 1996 10:28:38 -0700 Message-Id: <1.5.4.32.19960702172838.0066c644@popd.ix.netcom.com> X-Sender: ler@popd.ix.netcom.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 13:28:38 -0400 To: firewalls@greatcircle.com From: Larry Rudnick Subject: Training duplicate Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My apologies to the list for the duplicate posting. Larry Rudnick <<< ++++++++++ Larry Rudnick +++++++++++ >>> <<< ++++++ OppenheimerFunds, Inc. 
++++++ >>> <<< ++++++++ ler@ix.netcom.com +++++++++ >>>

From firewalls-owner Tue Jul 2 11:04:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14994 for firewalls-outgoing; Tue, 2 Jul 1996 10:58:09 -0700 (PDT) Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA14974 for ; Tue, 2 Jul 1996 10:57:59 -0700 (PDT) Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA16415 Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) Date: Tue, 2 Jul 96 10:50:18 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9607021750.AA00467@manzanita.DEV.3Com.COM.noname> To: cyberia@CAM.ORG Subject: Re: Training??? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'd recommend Learning Tree (1-800-THE-TREE). They have courses all over the place. I have no affiliation with them, but I've taken two of their courses (Windows NT Client/Server, and Internet Security) and been happy with both of them.
BobK

From firewalls-owner Tue Jul 2 12:24:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA21111 for firewalls-outgoing; Tue, 2 Jul 1996 12:07:47 -0700 (PDT) Received: from absolut-zero.winternet.com (absolut-zero.winternet.com [198.174.169.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA21093 for ; Tue, 2 Jul 1996 12:07:38 -0700 (PDT) Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by absolut-zero.winternet.com (8.7.5/8.7.5) with ESMTP id OAA25400; Tue, 2 Jul 1996 14:04:30 -0500 (CDT) Received: (from dufresne@localhost) by parka (8.7.4/8.6.12) id OAA04622; Tue, 2 Jul 1996 14:04:29 -0500 (CDT) Posted-Date: Tue, 2 Jul 1996 14:04:29 -0500 (CDT) Date: Tue, 2 Jul 1996 14:04:29 -0500 (CDT) From: Ron DuFresne To: John Betts cc: David LeBlanc , firewalls@GreatCircle.COM Subject: Re: NT Backoffice "Catapult" firewall certified? In-Reply-To: <199607011443.QAA30859@rbit.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 1 Jul 1996, John Betts wrote:
> % This isn't true. Guest doesn't have permissions to write the registry.
> % Besides which, the first thing you do when setting up an NT machine is to
> % disable guest. Somewhat like taking the + out of the rhosts file on a Sun.
> %
>
> In my haste to clear my mailbox, I didn't give 100% truths.
>
> I didn't mean to imply that Guest could do _anything_ to the registry,
> just some things (remotely).
>
> Not every person who puts NT boxes (or any other unix box for that matter)
> on the Internet knows about things like disabling guest account,
> setting permissions on shares correctly, etc.
>
> I am fairly sure that _MY_ nt box is fairly secure, but that's only
> because I spent time going through anything that I could think of
> to secure it.
>
> My main point against NT firewalls is the following:
> _as a general rule_ people who want NT firewalls, want them
> because any tom, dick and harry can get them going, without
> extensive knowledge of security and tcp/ip.
>
> I have no problem with firewalls that are so easy to administer, etc.,
> BUT, generally, the people who set up these easy-to-use firewalls
> don't know/think about things like disabling guest account
> (I know, lame example), or setting permissions on shares (or disabling
> all shares, or whatever), etc., and if the firewall software doesn't
> do this for them, then their firewall host can be easily compromised....
>
> It takes time and knowledge (well, more like common sense) to make an NT box
> secure(ish). We all know that a large majority of ppl who insist on NT
> because of its ease of use, and requirement for little-to-no knowledge
> of system administration and security, don't have the time and knowledge
> to secure their box.
>

John, I think Russ was also trying to point out that the same applies to unix based systems as well. They aren't secure out of the box, it takes special expertise to secure them, and thus, there's nothing here that makes them really any different than a unix based system. The main point here being, don't let your OS religion color your judgement.

Later,

Ron Dufresne

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Tue Jul 2 12:51:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23197 for firewalls-outgoing; Tue, 2 Jul 1996 12:47:07 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA23178 for ; Tue, 2 Jul 1996 12:47:01 -0700 (PDT)
Message-Id: <199607021947.MAA23178@miles.greatcircle.com>
Received: by hp01.vak12ed.edu
From: "W.C. Epperson"
Subject: Re: Catapault firewall
To: firewalls@greatcircle.com
Date: Tue, 02 Jul 1996 15:44:18 EDT
In-Reply-To: <199607020139.VAA27764@explorer2.clark.net>; from "Marcus J. Ranum" at Jul 1, 96 9:39 pm
X-Mailer: Elm [revision: 109.18]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marcus appears to have writ:
[snip]
> The brief on Microsoft's page is completely content-free.
> Several times, Catapult is recommended as the solution because
> it's secure. Nothing about why it's secure or how it's secure.
> Don't bother your head with that stuff! It's SECURE, OK?
> 
> ...Or at least as secure as a beta product that only
> runs on a beta version of NT can be.
> 
> In fairness to Microsoft, it may be pretty good stuff.
> But we can't tell from what they say. Which is why I feel it
> marks a milestone in the firewall market. The Big Boys Are Here
> now and it's SECURE, it's OK. That argument worked for Netscape,
> for a while.
> 
> Those of us who've been with this firewall thing for
> a while have seen the market get muddied before, and eventually
> things calm down again. It'll be fascinating to see what
> happens if Microsoft decides to put even a teeny bit of their
> marketing muscle behind Catapult. I guess it means that, as
> a technology, firewalls have "arrived."

"To question all things; never to turn away from any difficulty; to accept no doctrine either from ourselves or from other people without a rigid scrutiny by negative criticism; letting no fallacy, or incoherence or confusion of thought, step by unperceived; ...these are the lessons we learn from the ancient dialecticians." First time I saw that, I thought Marcus had written it, but it's from John Stuart Mill.

While I don't agree that the Microsoft fluff represents a new trend (a certain _major_ router manufacturer has for some time touted their firewalling stuff with slides like "Unix: Wrong Choice for Firewalls" with no credible evidence that their product is better, only less well understood by the black hats), they may be the first fluffers on this scale in the firewalls market with the clout and credibility to pull it off.

Hmm, now that I look at it again, I guess Marcus' point is that the weighing in of a gorilla like Microsoft is a signal event of firewalls' arrival as a technology. I shudder to agree.

-- 
W.C. Epperson                    "I have great faith in fools.
Senior SE                         Self-confidence, my friends call it."
Information Security Officer      --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept.
of Education
epperson@pen.k12.va.us

From firewalls-owner Tue Jul 2 13:04:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24176 for firewalls-outgoing; Tue, 2 Jul 1996 12:58:29 -0700 (PDT)
Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA24127 for ; Tue, 2 Jul 1996 12:58:17 -0700 (PDT)
Received: from adpmail.es.adp.com by relay1.smtp.psi.net (8.6.12/SMI-5.4-PSI)
Received: from ccMail by adpmail.es.adp.com
Mime-Version: 1.0
Date: Mon, 1 Jul 1996 16:02:06 -0500
Message-ID: <1d98ca00@es.adp.com>
From: jorge_triana@es.adp.com (Jorge Triana)
Subject: Re: AOL and Compuserve through f/wall
To: Firewalls@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can somebody please tell me how to configure the firewall to get access to AOL and Compuserve... I have seen some msgs going back and forth here... but if anybody has specifics, I would appreciate it...

Let me know what I would have to configure as far as the firewall and the perimeter router... Thanks..

Jorge Triana
jorge_triana@es.adp.com

From firewalls-owner Tue Jul 2 13:35:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26372 for firewalls-outgoing; Tue, 2 Jul 1996 13:19:05 -0700 (PDT)
Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA26330 for ; Tue, 2 Jul 1996 13:18:51 -0700 (PDT)
Received: (from shaver@localhost) by neon.ingenia.com (8.8.Alpha.2/8.6.9) id QAA07528; Tue, 2 Jul 1996 16:15:58 -0400
From: Mike Shaver
Message-Id: <199607022015.QAA07528@neon.ingenia.com>
Subject: Re: Catapault firewall
To: epperson@vak12ed.edu (W.C. Epperson)
Date: Tue, 2 Jul 1996 16:15:57 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199607021947.MAA23178@miles.greatcircle.com> from "W.C. Epperson" at Jul 2, 96 03:44:18 pm
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake W.C. Epperson:
> "To question all things; never to turn away from any difficulty; to
> accept no doctrine either from ourselves or from other people without
> a rigid scrutiny by negative criticism; letting no fallacy, or incoherence
> or confusion of thought, step by unperceived; ...these are the lessons
> we learn from the ancient dialecticians." First time I saw that, I
> thought Marcus had written it, but it's from John Stuart Mill.

Marcus doesn't use semicolons. =)

> Hmm, now that I look at it again, I guess Marcus' point is that
> the weighing in of a gorilla like Microsoft is a signal event of
> firewalls' arrival as a technology. I shudder to agree.

And the fact that a company (even The Company) can reasonably hope to sell the product based on no factual description of its merits whatsoever.

Mike (`and I'd like it written in Java')
-- 
#> Mike Shaver (shaver@ingenia.com)  Ingenia Communications Corporation <#
#> Chief System Architect -- Head geek -- System exorcist                <#
#>                                                                        <#
#> "Have you considered a life? I hear they're quite affordable          <#
#>  these days."
--- shields@tembel.org <#

From firewalls-owner Tue Jul 2 14:19:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA01199 for firewalls-outgoing; Tue, 2 Jul 1996 14:13:33 -0700 (PDT)
Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA01112 for ; Tue, 2 Jul 1996 14:12:24 -0700 (PDT)
Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA21721
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1)
Date: Tue, 2 Jul 96 13:58:42 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9607022058.AA00541@manzanita.DEV.3Com.COM.noname>
To: Firewalls@GreatCircle.COM, jorge_triana@es.adp.com
Subject: Re: AOL and Compuserve through f/wall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

AOL is port 5190 (server) and is found on the following IP subnets:

198.81.8.0
198.81.18.0
198.81.22.0

Compuserve is port 4144.

BobK

From firewalls-owner Tue Jul 2 17:22:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08587 for firewalls-outgoing; Tue, 2 Jul 1996 17:07:10 -0700 (PDT)
Received: from kent.ansto.gov.au (kent.ansto.gov.au [137.157.45.204]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA08559 for ; Tue, 2 Jul 1996 17:06:37 -0700 (PDT)
Received: by kent.ansto.gov.au (8.7.5/1.51+ANSAMS)
From: frank@ansto.gov.au (Frank Crawford)
To: mike@networx.ie
Cc: firewalls@GreatCircle.COM
Date: Wed, 3 Jul 1996 09:55 EST
Subject: Re: /etc/shadow encryption
Content-Type: text/plain
Message-ID: <31d9b8730.5ebc@kent.ansto.gov.au>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael Ryan writes:
> Forgive me if I'm wrong, but I believe the crypt() function is not
> exported outside the U.S. and I note the requestor is
> outside the U.S., so his Un*x probably doesn't have it.
In this case you are wrong, but are forgiven. The crypt program and other reversible encryption tools for Unix can't be exported, but the crypt routine (i.e. crypt(3)) is exportable, because it is a one-way "encryption" (i.e. you can't get the original info back).

Frank Crawford

From firewalls-owner Tue Jul 2 20:04:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA15311 for firewalls-outgoing; Tue, 2 Jul 1996 19:55:45 -0700 (PDT)
Received: from SantaClara01.pop.internex.net (SantaClara01.POP.InterNex.Net [205.158.3.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA15304 for ; Tue, 2 Jul 1996 19:55:40 -0700 (PDT)
From: carl@hdshq.com
Received: from claunch.hdshq.com ([206.215.16.130])
Received: from [198.92.130.5] (claunch.hdshq.com [198.92.130.5]) by claunch.hdshq.com (1/HDS MAIL SYSTEM) with SMTP id SAA20024 for ; Tue, 2 Jul 1996 18:56:20 -0700 (PDT)
Message-Id: <199607030156.SAA20024@claunch.hdshq.com>
X-Sender: carl@lan.hdshq.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 2 Jul 1996 18:56:20 -0800
To: firewalls@greatcircle.com
Subject: New version of Java, JavaScript, ActiveX screening http-gw patch
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have posted the latest version of my patches to the TIS fwtk http-gw module, that provide site control over Java, JavaScript and/or ActiveX embedded in web pages. The patches exist for both http-gw V1.4 and http-gw V2.0alpha, and can be found at http://www.hdshq.com/fixes/fwtk/

The administrator can define global or per-client-host policies defining removal of these applets from the pages as they are browsed. In addition, this version allows the administrator to define browsers as safe for these applets based on the User-agent: header line automatically generated by browsers with each request.
This allows the selective admission of applet types for browser releases the administrator deems "safe" while stripping the applets from web pages for all users of other browser versions/releases.

ActiveX, the Microsoft extension of OLE (OCXs), will allow web pages to invoke application programs on the client PC. JavaScript is a web page scripting language which is mostly independent of Java.

The code base for these context diffs is provided by the Trusted Information Systems firewall toolkit (fwtk), which can be retrieved from ftp.tis.com. The fwtk exists in both V1.3 and 2.0alpha versions. The component http-gw of the fwtk is modified by these patches to provide the screening functionality. V1.3 http-gw must be upgraded first by the http-gw patches on ftp.tis.com, to reach the V1.4 base level upon which I built my patch.

Carl V Claunch
Hitachi Data Systems

From firewalls-owner Tue Jul 2 21:19:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA20264 for firewalls-outgoing; Tue, 2 Jul 1996 21:10:19 -0700 (PDT)
Received: from andrew.cais.com (andrew.cais.com [199.0.216.215]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA20254 for ; Tue, 2 Jul 1996 21:10:12 -0700 (PDT)
Received: from pty.com (avatar.pty.com [206.49.54.2]) by andrew.cais.com (8.6.9/8.6.9) with ESMTP id AAA18873 for ; Wed, 3 Jul 1996 00:07:24 -0400
Received: by pty.com (SMI-8.6/SMI-SVR4)
Message-Id: <199607021805.XAA08825@pty.com>
Subject: Chrooted home directories ?
To: firewalls@greatcircle.com
Date: Tue, 2 Jul 1996 23:05:46 +0500 (GMT)
From: felipe@avatar.pty.com (Ing. Felipe Tribaldos)
X-URL: http://www.pty.com/
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello;

Please reply directly by email, as I'm on the digest list, and don't always get to it on a timely basis.
Also, not entirely a Firewall question, however it could be used on Bastion Hosts :-), so please forgive the noise.

I'm trying to create chrooted home directories to allow restricted shells, and FTP on our system.

I created a user with a home directory /export/home/user. Then I copied /etc, /usr/bin and /usr/lib from the anon ftp directories. Also copied sh to /export/home/user/bin/sh

Then I created a script as follows, and set it as the user's shell:

/etc/chroot /export/home/user usr/bin/sh

This runs OK when I run it from the prompt as root, however when I try to login as the user I get a "chroot: not super-user" error.

I tried setting the login script to owner root, and permission to u+s SUID, but that didn't work either.

TIA for any tips.

Felipe
-- 
Ing. Felipe Tribaldos
Gerente de Operaciones / Operations Manager   Tel. +(507)269-3571/223-5111
CyberMedia Panama                              Fax. +(507)264-6082
Internet Access - Web Publishing               Res. +(507)269-7330
url: http://www.pty.com/                       email: felipe@pty.com

From firewalls-owner Wed Jul 3 01:49:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA01990 for firewalls-outgoing; Wed, 3 Jul 1996 01:31:13 -0700 (PDT)
Received: from lapsene.mii.lu.lv (lapsene.mii.lu.lv [159.148.60.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA01972 for ; Wed, 3 Jul 1996 01:31:01 -0700 (PDT)
Received: (from uulda@localhost) by lapsene.mii.lu.lv (8.7.5/8.7.1) id LAA04839 for firewalls@greatcircle.com; Wed, 3 Jul 1996 11:28:16 +0300 (EET DST)
X-Authentication-Warning: lapsene.mii.lu.lv: uulda set sender to lda!lda.gov.lv!uldis@lda.gov.lv using -f
>Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92);
Received: from lda by lapsene.mii.lu.lv; Wed, 3 Jul 1996 11:28 EET
Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92);
Received: by lda.gov.lv (FIDO2UU 1.92d [DOS]);
To: firewalls@greatcircle.com
From: Uldis Bojars
Message-Id: <31DA8200@lda.gov.lv>
Subject: OS/2 firewalls?
Date: Wed, 3 Jul 1996 10:21:52 +0200
Lines: 17
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

I am searching for OS/2 firewalls - are there any? It's very hard to find, but I think there are some. Of course I do not want OS/2 because I want to use the firewall as a workstation ;-)

And - if negative - what are good firewalls for FreeBSD? Our company is not so big as to buy a Sun or HP UNIX computer and use it as a firewall.

Uldis

... If you learn from mistakes, you will learn a lot today.
--- GoldED/386 3.00.Alpha1+

From firewalls-owner Wed Jul 3 03:49:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA08200 for firewalls-outgoing; Wed, 3 Jul 1996 03:36:51 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA08192 for ; Wed, 3 Jul 1996 03:36:42 -0700 (PDT)
Received: from user_ins.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id DAA26942; Wed, 3 Jul 1996 03:32:39 -0700 (PDT)
Message-Id: <2.2.32.19960703223015.006c87fc@ins.com>
X-Sender: martin_d@ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 03 Jul 1996 18:30:15 -0400
To: jorge_triana@es.adp.com (Jorge Triana)
From: Darwin Martinez
Subject: Re: AOL and Compuserve through f/wall
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For AOL, our firewall (FireWall-1) allows service 5190 (tcp) for AOL, and 4144 (tcp) for Compuserve from our internal net to the internet. Our external router (cisco 4500) has some access lists, but they are not as intensive as the rulebase in our firewall.

At 04:02 PM 7/1/96 -0500, you wrote:
> 
> 
> 
> Can somebody please tell me how to configure the firewall to get
> access to AOL and Compuserve...I have seen some msgs going back and
> forth here...but if anybody has specifics, I would appreciate it...
> 
> Let me know what I would have to configure as far as the firewall and
> the perimeter router...Thanks..
> 
> Jorge Triana
> jorge_triana@es.adp.com
> 
> 
> 

------------------------------------------------------------------------
Darwin L. Martinez                  Email: darwin_martinez@ins.com
Network Systems Engineer            Site #: 404-843-5954
International Network Services      Pager: 800-INS-1-INS
Atlanta Office
"The God that gave us life gave us liberty at the same time."
Thomas Jefferson
------------------------------------------------------------------------

From firewalls-owner Wed Jul 3 04:34:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA10332 for firewalls-outgoing; Wed, 3 Jul 1996 04:24:46 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA10317 for ; Wed, 3 Jul 1996 04:24:39 -0700 (PDT)
Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232])
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail
Message-ID: <01BB68AF.B7985580@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'Firewalls'"
Subject: NEC SocksPlus??
Date: Wed, 3 Jul 1996 07:17:37 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I received the following recently and would appreciate comments from the collective mind...

About SOCKS and SocksPlus
-------------------------

SOCKS is widely recognized as the de facto standard for Internet proxy firewalls; SocksPlus from NEC is the first commercial implementation of that standard. NEC has been the steward of the publicly available free version of SOCKS since 1993, managing the FTP site where SOCKS source code is available and administering the SOCKS mailing list where users of non-commercial SOCKS trade notes on solving problems concerning SOCKS security, configuration and compatibility.

SocksPlus server software is used for all outbound connections in NEC's new turnkey PrivateNet firewall server. SocksPlus contains no original SOCKS source code, but is backward-compatible with the existing installed base of version 4.2 of SOCKS.

SocksPlus provides significant improvements over non-commercial SOCKS. The code has been broken into modules and thoroughly tested for added security and easy extensibility. It supports UDP applications and server-to-server encrypted communications, and the configuration files have been completely revised to make them straightforward and intuitive.
http://www.privatenet.nec.com

Cheers,
Russ

From firewalls-owner Wed Jul 3 04:49:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA11113 for firewalls-outgoing; Wed, 3 Jul 1996 04:44:06 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA11099 for ; Wed, 3 Jul 1996 04:43:58 -0700 (PDT)
Message-Id: <199607031143.EAA11099@miles.greatcircle.com>
Received: by cheops.anu.edu.au
From: Darren Reed
Subject: Re: NEC SocksPlus??
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Wed, 3 Jul 1996 21:41:09 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01BB68AF.B7985580@rwcooper.rc.toronto.on.ca> from "Russ" at Jul 3, 96 07:17:37 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Russ, sie said:
[...]
> SocksPlus server software is used for all outbound connections in NEC's new
> turnkey PrivateNet firewall server. SocksPlus contains no original SOCKS
[...]

Can you explain how the term "turnkey" applies to this product? If I turn the key one way, I get a secure network (where nobody can access the Internet without my saying-so), but if I turn it the other, I get an insecure network (and everyone can use the Internet for anything)?
Thanks,
Darren

From firewalls-owner Wed Jul 3 05:04:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA10960 for firewalls-outgoing; Wed, 3 Jul 1996 04:39:59 -0700 (PDT)
Received: from gate.personal-media.co.jp (gate.personal-media.co.jp [202.218.93.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA10953 for ; Wed, 3 Jul 1996 04:39:51 -0700 (PDT)
Received: (from uucp@localhost) by gate.personal-media.co.jp (8.7.4/3.3W5-gate-mx) id UAA13870 for ; Wed, 3 Jul 1996 20:33:16 +0900 (JST)
Received: from sun00(192.9.200.6) by sparc11 via smap (V1.3)
Received: from sparc18.sun00net (sparc18 [192.9.200.18]) by sun00.personal-media.co.jp (8.7.5 sendmail.nomx/3.3W5-sun00) with SMTP id UAA26830 for ; Wed, 3 Jul 1996 20:31:25 +0900 (JST)
Received: by sparc18.sun00net (4.1/SMI-4.1)
Date: Wed, 3 Jul 96 20:31:20 JST
From: ishikawa@sparc18.personal-media.co.jp (Chiaki Ishikawa)
Message-Id: <9607031131.AA05717@sparc18.sun00net>
To: Firewalls@GreatCircle.COM
In-Reply-To: <199607030306.UAA15586@miles.greatcircle.com> (firewalls-digest-owner@GreatCircle.COM)
Subject: udp 137 broadcast from Win95 PC
Reply-To: ishikawa@personal-media.co.jp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PMC e-mail id: 4579

Hello.

Recently, I found that a Windows-95 PC located in our DMZ broadcast udp (port=137) packets in the DMZ, which subsequently showed up in the CISCO router log file. Below is a summary produced from the cisco log for one day.

>UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=58     3 times
>UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=76   162 times
**** culprit win 95 PC ****

I looked up UDP 137 in some textbooks on TCP/IP and found no reference to the number 137.

Can this safely be ignored?

-- 
Ishikawa, Chiaki    ishikawa@personal-media.co.jp
(family name, given name)
Personal Media Corp.
Shinagawa, Tokyo, Japan 142

From firewalls-owner Wed Jul 3 05:34:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA14743 for firewalls-outgoing; Wed, 3 Jul 1996 05:22:40 -0700 (PDT)
Received: from www ([206.249.80.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA14725 for ; Wed, 3 Jul 1996 05:22:32 -0700 (PDT)
Received: by www (SMI-8.6/SMI-SVR4)
Date: Wed, 3 Jul 1996 05:18:20 -0700 (PDT)
From: "Michael A. Galati - Information Services"
X-Sender: mgalati@www
To: firewalls@greatcircle.com
Subject: NTP & DG/UX Systems
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I realize this may not be the correct mailing list for this type of question, so if someone knows of one please mail back. Thank You in advance..

The question - We have a need to have NTP with authentication running for our DG/UX systems for an application which requires it. The problem, at least with the people we have contacted at DG, is they know of no way to set it up in this mode. I was referred to RFC 1305 which deals with NTP, very interesting reading, which left me very lost. I am not a unix giant by any means, but am willing to learn. I was able to figure out the cisco part without much trouble. That said, is there anyone who has had success with this??

Again Thank You....
Mike Galati
Information Services
William Beaumont Hospital
Email - mgalati@beaumont.edu

From firewalls-owner Wed Jul 3 05:49:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16161 for firewalls-outgoing; Wed, 3 Jul 1996 05:42:03 -0700 (PDT)
Received: from artemis.rus.uni-stuttgart.de (artemis.rus.uni-stuttgart.de [129.69.18.28]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA15981 for ; Wed, 3 Jul 1996 05:38:43 -0700 (PDT)
Received: from info2.rus.uni-stuttgart.de (info2.rus.uni-stuttgart.de [129.69.18.15]) by artemis.rus.uni-stuttgart.de with SMTP id OAA24567
Received: by info2.rus.uni-stuttgart.de (AIX 3.2/UCB 5.64/4.03)
Message-Id: <9607031234.AA29367@info2.rus.uni-stuttgart.de>
Subject: Re: udp 137 broadcast from Win95 PC
To: ishikawa@personal-media.co.jp
Date: Wed, 3 Jul 1996 14:34:41 +0200 (MST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9607031131.AA05717@sparc18.sun00net> from "Chiaki Ishikawa" at Jul 3, 96 08:31:20 pm
From: Helmut Springer
Organization: Stuttgart University, FRG
X-Pgp-Fingerprint: AE 42 C3 2C A1 3E 55 6D B3 AC 3C D2 F3 CF FF E7
X-Phone: +49 711 685-2003q
X-Fax: +49 711 685-2043
X-Mailer: ELM [version 2.4 PL25 PGP6]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chiaki Ishikawa wrote:
> I looked up UDP 137 in some textbooks on TCP/IP and found no reference
> to the number 137.
> 
> Can this safely be ignored?

netbios-ns  137/tcp  # NETBIOS Name Service
netbios-ns  137/udp  # NETBIOS Name Service

regards
delta
-- 
helmut 'delta' springer          Unix/Net Consulting, InfoSystems, StudBox
delta@RUS.Uni-Stuttgart.DE       Stuttgart University, FRG
http://home.pages.de/~delta/
phone : +49 711 685-2003         If you've got to do it,
FAX   : +49 711 685-2043         do it with cold blood...
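The one-day summary Chiaki posted, and the netbios-ns port entries in the reply above, as an added example that is not part of any message in the thread: a small Python triage script for router log lines in that format. It labels the NetBIOS-over-TCP/IP ports the thread goes on to discuss (udp 137/138, tcp 139), separates local name-service broadcast chatter from NBT flows that cross the DMZ boundary, and counts entries the way the "N times" summary did. The DMZ prefix 192.0.2.0/24 and the log lines are constructed placeholders, not the poster's addresses.

```python
"""Triage NetBIOS-over-TCP/IP (NBT) entries in a router log summary.

Added example for the firewalls-list thread; not code from any poster.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# NBT ports named in the thread (NetBIOS over TCP/IP, RFC 1001/1002).
NBT_SERVICES = {
    ("UDP", 137): "netbios-ns",   # name service: the broadcasts in the log
    ("UDP", 138): "netbios-dgm",  # datagram service
    ("TCP", 139): "netbios-ssn",  # session service (SMB file/print sharing)
}

# Matches the router log format quoted in the thread.  A leading '>' is the
# mail quote prefix; it is tolerated so a pasted summary parses as well.
LINE_RE = re.compile(
    r"^>?\s*(?P<proto>UDP|TCP): src=(?P<src>[\d.]+)\((?P<sport>\d+)\), "
    r"dst=(?P<dst>[\d.]+)\((?P<dport>\d+)\), length=(?P<length>\d+)"
)

# Constructed sample in that format (documentation addresses, not real hosts).
SAMPLE_LOG = """\
UDP: src=192.0.2.54(137), dst=192.0.2.255(137), length=58
UDP: src=192.0.2.54(137), dst=192.0.2.255(137), length=58
UDP: src=192.0.2.54(137), dst=192.0.2.255(137), length=76
UDP: src=192.0.2.54(137), dst=192.0.2.255(137), length=76
UDP: src=192.0.2.54(138), dst=192.0.2.255(138), length=201
TCP: src=198.51.100.9(1034), dst=192.0.2.54(139), length=44
UDP: src=192.0.2.20(53), dst=198.51.100.1(53), length=62
this line is not a packet summary
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def classify(rec, dmz):
    """Label a parsed record relative to the DMZ prefix.

    'nbt-broadcast'  NBT sent to the DMZ broadcast address (local noise)
    'nbt-crossing'   NBT with one end outside the DMZ (perimeter should block)
    'nbt-local'      NBT unicast confined to the DMZ
    'other'          not an NBT port on either side
    Returns (label, service_name_or_None).
    """
    service = (NBT_SERVICES.get((rec["proto"], rec["dport"]))
               or NBT_SERVICES.get((rec["proto"], rec["sport"])))
    if service is None:
        return "other", None
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    if dst == dmz.broadcast_address:
        return "nbt-broadcast", service
    if src not in dmz or dst not in dmz:
        return "nbt-crossing", service
    return "nbt-local", service


def summarize(log_text, dmz_cidr):
    """Count entries per (label, service, src, dst), as the one-day summary
    did, and collect the records that crossed the DMZ boundary."""
    dmz = ip_network(dmz_cidr)
    counts = Counter()
    crossing = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a packet summary line; skip it
        label, service = classify(rec, dmz)
        counts[(label, service, rec["src"], rec["dst"])] += 1
        if label == "nbt-crossing":
            crossing.append(rec)
    return counts, crossing


if __name__ == "__main__":
    counts, crossing = summarize(SAMPLE_LOG, "192.0.2.0/24")
    for key, n in counts.most_common():
        print(f"{n:4d} times  {key}")
    for rec in crossing:
        print("NBT flow crossed the DMZ boundary:", rec)
```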
From firewalls-owner Wed Jul 3 06:04:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA17167 for firewalls-outgoing; Wed, 3 Jul 1996 05:57:10 -0700 (PDT)
Received: from cyber3.servtech.com (cyber3.servtech.com [199.1.22.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA17138 for ; Wed, 3 Jul 1996 05:56:50 -0700 (PDT)
From: dan@burkegroup.com
Received: from burke.burkegroup.com (burke.roc.servtech.com [206.106.148.165]) by cyber3.servtech.com (8.7.5/8.7.5) with SMTP id IAA13103 for ; Wed, 3 Jul 1996 08:54:08 -0400 (EDT)
Received: from Connect2 Message Router by burke.burkegroup.com
Message-ID: <271DAA3101523000@burke.burkegroup.com>
Date: Wed, 3 Jul 96 8:40:06 -0500
Organization: Burke Group
To: firewalls@greatcircle.com
Subject: Re: NT Backoffice "Catapult" firewall certified?
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7BIT
X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ron DuFresne said:
> 
> > I have no problem with firewalls that are so easy to administer, etc,
> > BUT, generally, the people who set up these easy-to-use firewalls
> > don't know/think about things like disabling the guest account
> > (I know, lame example), or setting permissions on shares (or disabling
> > all shares, or whatever), etc, and if the firewall software doesn't
> > do this for them, then their firewall host can be easily compromised....
> > 
> > It takes time and knowledge (well, more like common sense) to make an NT box
> > secure(ish). We all know that a large majority of ppl who insist on NT
> > because of its ease of use, and requirement for little-to-no knowledge
> > of system administration and security, don't have the time and knowledge
> > to secure their box.
[snip]

Is there a FAQ or other resources for necessary NT security measures in addition to the firewall?
Dan Lenhard

From firewalls-owner Wed Jul 3 06:21:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA18222 for firewalls-outgoing; Wed, 3 Jul 1996 06:07:26 -0700 (PDT)
Received: from sun.aitc.rest.tasc.com (sun.aitc.rest.tasc.com [147.81.50.129]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA18213 for ; Wed, 3 Jul 1996 06:07:18 -0700 (PDT)
Received: from iwdc1.office.rest.tasc.com by sun.aitc.rest.tasc.com (NX5.67e/NX3.0M)
Received: from iwdc1.office.rest.tasc.com by iwdc1.office.rest.tasc.com (4.1/SMI-4.1)
Message-Id: <9607031305.AA07147@iwdc1.office.rest.tasc.com>
X-Mailer: exmh version 1.6.6 3/24/96
To: ishikawa@personal-media.co.jp
Cc: Firewalls@greatcircle.com
Subject: Re: udp 137 broadcast from Win95 PC
In-Reply-To: Your message of "Wed, 03 Jul 1996 20:31:20 +0200."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 03 Jul 1996 09:05:19 -0400
From: Bob Bowes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chiaki Ishikawa wrote:
> PMC e-mail id: 4579
> 
> Hello.
> 
> Recently, I found that a Windows-95 PC located in our DMZ
> broadcast udp (port=137) packets in DMZ, which
> subsequently showed up in CISCO router log file.
> Below is a summary produced from the cisco log for one day.
> 
[Deleted]

Port 137 is used to tunnel MS networking protocols over IP (to support an NT network with IP). I think ports 138 and 139 are also used for NetBEUI and something else. These ports should definitely NOT be passed through your router/firewall to the Internet.
Bob

From firewalls-owner Wed Jul 3 06:30:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16014 for firewalls-outgoing; Wed, 3 Jul 1996 05:39:04 -0700 (PDT)
Received: from wintermute.imsi.com (wintermute.imsi.com [206.181.239.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA15986 for ; Wed, 3 Jul 1996 05:38:55 -0700 (PDT)
From: robc@webster.imsi.com
Received: from relay.imsi.com by wintermute.imsi.com
Received: from gt-40 by relay.imsi.com
Message-Id: <960703083613.ZM2855@gt-40>
Date: Wed, 3 Jul 1996 08:36:02 -0700
In-Reply-To: ishikawa@sparc18.personal-media.co.jp (Chiaki Ishikawa)
References: <9607031131.AA05717@sparc18.sun00net>
X-Mailer: Z-Mail 4.0.1 (4.0.1 Apr 9 1996)
To: ishikawa@personal-media.co.jp, Firewalls@GreatCircle.COM
Subject: Re: udp 137 broadcast from Win95 PC
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Microsoft services use UDP 137, 138 and TCP 139.

Look in the RFCs on NetBIOS over TCP/IP for more info.

robc
-- 
Robert L. Carbone
Systems Administrator
Email : robc@imsi.com
Phone : (212)339-2742
Investment Management Services Inc.
That Which Does Not kill you Makes you hurt that much longer !
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQBNAzGA9jYAAAECAOJPmTRxeczPVvJsqV3Jc1hAJsAu19x+nm5yAj9IlBCTBZEE
AjAFvi7Q15QnehJaL2p7f40Kj9CkNNTCBgMy31kABRG0E3JvYmM8cm9iY0BpbXNp
LmNvbT4=
=j6L1
-----END PGP PUBLIC KEY BLOCK-----

From firewalls-owner Wed Jul 3 06:34:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16312 for firewalls-outgoing; Wed, 3 Jul 1996 05:44:46 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA16299 for ; Wed, 3 Jul 1996 05:44:24 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id OAA08816; Wed, 3 Jul 1996 14:37:21 +0200 (MET DST)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr.apogee-com.fr (4.1/SMI-4.1)
Message-Id: <31DA69AB.335E@apogee-com.fr>
Date: Wed, 03 Jul 1996 14:38:03 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02 (Win95; I)
Mime-Version: 1.0
To: ishikawa@personal-media.co.jp
Cc: Firewalls@GreatCircle.COM
Subject: Re: udp 137 broadcast from Win95 PC
References: <9607031131.AA05717@sparc18.sun00net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chiaki Ishikawa wrote:
> 
> PMC e-mail id: 4579
> 
> Hello.
> 
> Recently, I found that a Windows-95 PC located in our DMZ
> broadcast udp (port=137) packets in DMZ, which
> subsequently showed up in CISCO router log file.
> Below is a summary produced from the cisco log for one day.
> 
> >UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=58     3 times
> >UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=76   162 times
> **** culprit win 95 PC ****
> 
> I looked up UDP 137 in some textbooks on TCP/IP and found no reference
> to the number 137.
> 
> Can this safely be ignored?
> 
> --
> Ishikawa, Chiaki    ishikawa@personal-media.co.jp
> (family name, given name)
> Personal Media Corp.
> Shinagawa, Tokyo, Japan 142

The ports 137 and 138 are used by NetBIOS on IP. The broadcasts are used to announce its presence, and learn about possible servers available. (Well, this is an ugly summary of the whole stuff...)

Jean-Francois
-- 
Jean-Francois Zwobada
Apogee Communications          Tel : +33 (1) 69 85 56 47
Parc Club Universite           Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex              e-mail : zwobada@apogee-com.fr

From firewalls-owner Wed Jul 3 06:49:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21046 for firewalls-outgoing; Wed, 3 Jul 1996 06:39:08 -0700 (PDT)
Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA21026 for ; Wed, 3 Jul 1996 06:39:00 -0700 (PDT)
Received: from wolverine.acquion.com ([206.154.17.12])
Message-Id: <2.2.32.19960703133616.006f0da0@mail.acquion.com>
X-Sender: oolid@mail.acquion.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 03 Jul 1996 09:36:16 -0400
To: firewalls@greatcircle.com
From: oolid@acqic.org (Joseph L. Moll)
Subject: Re: udp 137 broadcast from Win95 PC
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:31 PM 7/3/96 JST, you wrote:
>>UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=58     3 times
>>UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=76   162 times
> **** culprit win 95 PC ****

This is how NetBEUI works on TCP/IP, usually called NBT or recently CIFS (Common Internet File System, (C) M$). NBT (CIFS) uses UDP ports 137 and 138, and TCP port 139. UDP port 137 is specifically the name services port.
UDP(138) is the datagram port; but in my experience it is rarely used and is not required for connectivity. TCP port 139 is the SMB (server message block) port and handles the data transactions. This machine is broadcasting its name for use on that segment. All NBT servers/clients listen on UDP 137 to build their name cache. Your router should not forward these broadcasts; however, you should not allow access to these ports on your DMZ unless you want all the hosts on the InterNET to be able to access your Windows Networking services; especially since Win95 is not exactly secure in the first place. An enterprising person could gain access to your Windows machine via TCP port 139 and possibly UDP port 138 if they are left insecure. Best Regards, --- Joseph L. (Joe) Moll -- Network and Communications Engineering mailto:oolid@acqic.org http://www.acquion.com ACQUION, Inc. Greenville, SC USA -- Specialists in Electronic Commerce disclaimer: This email is not to be considered official correspondence From firewalls-owner Wed Jul 3 07:04:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA23640 for firewalls-outgoing; Wed, 3 Jul 1996 06:56:48 -0700 (PDT) Received: from mm1 (mm1.sprynet.com [165.121.2.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA23629 for ; Wed, 3 Jul 1996 06:56:40 -0700 (PDT) Received: from stoico ([204.146.159.186]) by mm1.sprynet.com with SMTP id <148102-11386>; Wed, 3 Jul 1996 06:50:35 -0700 From: "Mike Stoico" To: "Bob Bowes" Cc: "Firewalls" Subject: Re: udp 137 broadcast from Win95 PC Date: Wed, 3 Jul 1996 09:52:49 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1085 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-Id: <96Jul3.065035-0700pdt.148102-11386+171@mm1.sprynet.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bob, > > Port 137 is used to tunnel MS networking protocols
over IP (to support an NT > network with IP). I think ports 138 and 139 are also used for NetBEUI and > something else. These ports should definitely NOT be passed through your > router/firewall to the Internet. > What are the exposures involved in letting these pass through? -- ========================================================================= Mike Stoico, I/S Security Consultant * Phone: (518)285-2567 MetLife * Fax: (518)285-2542 500 Jordan Rd * E-Mail: mstoico@metlife.com Troy, NY 12180 * URL: www.metlife.com ========================================================================= The opinions expressed here are my own and may not be those of my employer. ========================================================================= ---------- From firewalls-owner Wed Jul 3 07:22:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA24773 for firewalls-outgoing; Wed, 3 Jul 1996 07:03:31 -0700 (PDT) Received: from upsmot01.msn.com (upsmot01.msn.com [204.95.110.78]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA24763 for ; Wed, 3 Jul 1996 07:03:19 -0700 (PDT) Received: from upmajb04.msn.com ([204.95.110.81]) by upsmot01.msn.com (8.6.8.1/Configuration 4) with SMTP id GAA07436; Wed, 3 Jul 1996 06:52:39 -0700 Date: Wed, 3 Jul 96 14:00:25 UT From: "Gary Lynch" Message-Id: To: "CyberEyes" Cc: firewalls@GreatCircle.COM Subject: RE: Training??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You might try MIS Training Institute (508) 879-7999. They specialize in security training. As a second choice, you might want to look at Computer Security Institute (415) 905-2626. Both hold 1/2 day classes around the country. Unfortunately, they're not cheap (usually $850 or so for two day)..... ---------- From: firewalls-owner@GreatCircle.COM on behalf of CyberEyes Sent: Tuesday, July 02, 1996 11:40 AM Cc: firewalls@GreatCircle.COM Subject: Re: Training???
On Tue, 2 Jul 1996, David Tate wrote: > I am looking for IS Security/Firewalling/Network Protection training in MA, > in the month of July. Would anyone be able to recommend such training? If anyone knows of the same kind of things in Quebec/Ontario, I'd appreciate knowing about it... Thanks. Ryan A. Rowe - Montreal, Quebec aka CyberEyes, Rubik'S Cube Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia@cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run /Seeking Internet-related job./ Read my RESUME on my home page! "I may not know everything, but I'm willing to learn." Will relocate _ANYWHERE_ in North America. "Everyone has their day, mine is July 15th, 1998." From firewalls-owner Wed Jul 3 07:34:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27530 for firewalls-outgoing; Wed, 3 Jul 1996 07:24:26 -0700 (PDT) Received: from sam.networx.ie (dublin-ts12-236.indigo.ie [194.125.133.236]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA27491 for ; Wed, 3 Jul 1996 07:24:06 -0700 (PDT) Received: from mip1.networx.ie (mip1.networx.ie [194.9.12.1]) by sam.networx.ie (8.6.12/8.6.12) with SMTP id PAA10368 for ; Wed, 3 Jul 1996 15:13:24 GMT X-Organisation: I.T. NetworX Ltd X-Business: Network Consultancy and Training X-Address: 67 Merrion Square, Dublin 2, Ireland X-Voice: +353-1-676-8866 X-Fax: +353-1-676-8868 Received: from mike.networx.ie by mip1.networx.ie Date: Wed, 3 Jul 1996 15:11:47 BST From: Michael Ryan Reply-To: mike@networx.ie Subject: URL for tcpshow To: Firewalls Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As a result of my original posting to this list re tcpshow, I received many requests for the source code. David Wagner has graciously donated some of his disk space to host tcpshow.c. 
The program is available for download at http://www.cs.berkeley.edu/~daw/mike/tcpshow.c I'll follow up with a man page for the program in a day or so. You'll find the man page in the same directory once I've written it. Thanks to David. Mike --- From firewalls-owner Wed Jul 3 08:04:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA01276 for firewalls-outgoing; Wed, 3 Jul 1996 07:56:44 -0700 (PDT) Received: from keeper.NesbittBurns.ca (keeper.nesbittburns.ca [192.139.71.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA01246 for ; Wed, 3 Jul 1996 07:56:33 -0700 (PDT) Received: from NesbittBurns.ca (tds223.nesbittburns.ca) by keeper.NesbittBurns.ca (4.1/SMI-4.1) Received: from xttor1 (xttor1.nesbittburns.ca) by NesbittBurns.ca (5.x/SMI-SVR4) Received: from xttor1 by xttor1 (SMI-8.6/SMI-SVR4) Message-Id: <31DA8975.6AC8@nesbittburns.ca> Date: Wed, 03 Jul 1996 10:53:41 -0400 From: Yasin Shaikh Organization: Nesbitt Burns Inc. X-Mailer: Mozilla 2.0 (X11; U; SunOS 5.5 sun4m) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: Integrating Reuters Service thru TIS Toolkit Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would like to know if some one has written a proxy using the TIS Toolkit to allow Reuters Services for the brokerage industry( not Real Time feed) to proxy thru the firewall (built using TIS Toolkit and Socks). Their tech guy says any generic proxy can be used. What is a generic proxy ? Is it available with TIS Toolkit ? Reuters are only specifying the ports which the proxy will connect to. Any suggestions, advise will be appreciated. Thanks yasin -- Nesbitt Burns Inc. 
Tel: 416-359-5164 email:yasin@nesbittburns.ca From firewalls-owner Wed Jul 3 08:37:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02819 for firewalls-outgoing; Wed, 3 Jul 1996 08:09:45 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA02792 for ; Wed, 3 Jul 1996 08:09:34 -0700 (PDT) Received: from ragans-laptop (mtv-dynamic232.ins.com [199.0.193.232]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id IAA03814; Wed, 3 Jul 1996 08:06:46 -0700 (PDT) Message-Id: <2.2.32.19960703141942.009597a0@lexicon.ins.com> X-Sender: ragan@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 03 Jul 1996 09:19:42 -0500 To: dan@burkegroup.com From: Charles Ragan Subject: Re: NT Backoffice "Catapult" firewall certified? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk http://www.somarsoft.com/ At 08:40 AM 7/3/96 -0500, dan@burkegroup.com wrote: > >Ron DuFresne said: >> > >> > I have no problem with firewalls that are so easy to >administer,etc, >> > BUT, generally, the people who setup these easy-to-use >firewalls, >> > dont know/think about things like disabling guest account >> > (I know, lame example), or setting permissions on shares >(or disabling >> > all shares, or whatever), etc, and if the firewall software >dosnt >> > do this for them, then their firewall host can be easilly >compromised.... >> > >> > It takes time and knowledge (well, more like common >sense) to make an NT box >> > secure(ish). We all know that a large majority of ppl who >insist on NT >> > because of its ease of use, and requirement for little-to >no knowledge >> > of system administration and security, dont have the >time and knowledge >> > to secure their box. 
>[snip] > >Is there a FAQ or other resources for necessary NT security >measures in addition to the firewall? > >Dan Lenhard > > > > __________________________________________________________ Charles Ragan, Jr. International Network Services CCIE #1764, MCSE, MCNE, CBE Pager - 1-800-INS-1-INS Using NT Server 4.0 Beta2 & Eudora 2.2(32) ___________________________________________________________ From firewalls-owner Wed Jul 3 08:49:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA06390 for firewalls-outgoing; Wed, 3 Jul 1996 08:46:08 -0700 (PDT) Received: from Walden.MO.NET (walden.mo.net [199.250.196.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA06356 for ; Wed, 3 Jul 1996 08:45:58 -0700 (PDT) Received: from gate.hussmann.com (gate.hussmann.com [205.139.241.163]) by Walden.MO.NET (8.7.4/8.6.10) with ESMTP id KAA00801 for ; Wed, 3 Jul 1996 10:38:17 -0500 (CDT) Received: (from nobody@localhost) by gate.hussmann.com (8.7.1/8.7.3) id JAA31941 for ; Wed, 3 Jul 1996 09:45:09 -0500 Message-Id: <199607031445.JAA31941@gate.hussmann.com> Received: from unknown(129.1.5.4) by gate.hussmann.com via smap (V1.3) Date: Wed, 3 Jul 1996 11:40:00 -0500 From: "Hicks, Rick" Subject: RE: Reading news via a firewall To: "'Firewalls List'" X-Mailer: Worldtalk (NetConnex V4.00a)/MIME Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I'm looking for a simple solution for reading news via a firewall. I've >a Linux firewall set up on our local network and lot of PCs running Win >3.x, Win95 and/or WinNT Workstations on the protected network. The >problem is that the machines on the protected network must be able to >read news via/through the firewall at the news host. Is there a >simple/good solution for a Linux firewall? A gateway or something? If so, >what news agents do support that gateway solution? 
> >Hope someone can help me, best regards, Gunni > An easy solution is to use the plug-gw proxy that is in the TIS firewall toolkit (ftp.tis.com). It is perfect for news, it accepts connections to port 119 (or any port you wish to assign) and forwards everything to another host and port (the desired news server). Then you just tell the clients that the firewall is the news server and they will work as if they are connected to the external news server. Rick ________________________________________________ Rick Hicks Systems Specialist Hussmann Corporation rhicks@hussmann.com http://www.hussmann.com From firewalls-owner Wed Jul 3 09:19:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08726 for firewalls-outgoing; Wed, 3 Jul 1996 09:17:00 -0700 (PDT) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA08708 for ; Wed, 3 Jul 1996 09:16:52 -0700 (PDT) From: ken@bridge.com Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id LAA11006; Wed, 3 Jul 1996 11:12:11 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA26451 Received: (from ken@localhost) by ernie.bridge.com (8.7.5/8.7.3) id LAA01425; Wed, 3 Jul 1996 11:12:20 -0500 (CDT) Date: Wed, 3 Jul 1996 11:12:20 -0500 (CDT) Message-Id: <199607031612.LAA01425@ernie.bridge.com> To: firewalls@GreatCircle.COM, RHicks@hussmann.com Subject: RE: Reading news via a firewall Cc: gunni@if.is X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: "Hicks, Rick" >An easy solution is to use the plug-gw proxy that is in the TIS firewall >toolkit (ftp.tis.com). It is perfect for news, it accepts connections to >port 119 (or any port you wish to assign) and forwards everything to >another host and port (the desired news server). 
Then you just tell the >clients that the firewall is the news server and they will work as if >they are connected to the external news server. The downside is that it can only be configured to connect to a single machine (which can differ based on who on the inside is connecting to it); this works well if you've a single news server that you want to connect to on the outside. But if you need to connect to a second news server, like msnews.microsoft.com (leave it to MS to screw up Usenet with their $#!@ non-propagating microsoft.* newsgroups), you'll need to set up a second plug-gw configuration listening on another port (like 120 or whatever) to connect to msnews.microsoft.com:119 (or wherever). BUT not all news readers let you specify non-standard ports, though you can make Netscape do it. I think Netscape semi-elegantly handles multiple servers, too; other (otherwise better) news readers won't always be able to handle the differences in available groups very well when you switch between servers (but that's not a firewall issue.) 
-KH From firewalls-owner Wed Jul 3 10:22:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA13415 for firewalls-outgoing; Wed, 3 Jul 1996 10:17:13 -0700 (PDT) Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA13406 for ; Wed, 3 Jul 1996 10:17:05 -0700 (PDT) Received: by london.micrognosis.com (4.1/NAR-Gateway) Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) Received: from moria by zeus.london.micrognosis.com (4.1/SMI-4.1) From: nreadwin@london.micrognosis.com (Neil Readwin) Received: by moria Message-Id: <9607031711.AA04712@moria> Subject: Re: Integrating Reuters Service thru TIS Toolkit To: yshaikh@nesbittburns.ca (Yasin Shaikh) Date: Wed, 3 Jul 1996 18:11:19 +0100 (BST) Cc: firewalls@greatcircle.com In-Reply-To: <31DA8975.6AC8@nesbittburns.ca> from "Yasin Shaikh" at Jul 3, 96 10:53:41 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yasin Shaikh writes: > I would like to know if some one has written a proxy using the TIS > Toolkit to allow Reuters Services for the brokerage industry( not Real > Time feed) to proxy thru the firewall If you mean RQF / RSF etc then the TIS fwtk plug-gw works well for this - we do this on our internal nets. Neil. -- "So you could say the greatest achievement of the Internet is that it turns nuclear war into nothing more than a series of routing errors." 
-- Mark Pesce From firewalls-owner Wed Jul 3 10:49:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14390 for firewalls-outgoing; Wed, 3 Jul 1996 10:36:51 -0700 (PDT) Received: from argo.unm.edu (argo.unm.edu [129.24.9.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA14383 for ; Wed, 3 Jul 1996 10:36:46 -0700 (PDT) Received: by argo.unm.edu (Smail3.1.29.1 #25) Message-Id: Date: Wed, 3 Jul 96 11:33 MDT From: flounder@unm.edu (--Flounder--) To: cyberia@CAM.ORG, forcible_entry@msn.com Subject: RE: Training??? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Learning Tree was mentioned as a possible place for training. I found their web site: http://www.learningtree.com Gives details on everything from classes offered to when they take place and tuition rates. Scott From firewalls-owner Wed Jul 3 11:04:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14480 for firewalls-outgoing; Wed, 3 Jul 1996 10:38:43 -0700 (PDT) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA14461 for ; Wed, 3 Jul 1996 10:38:34 -0700 (PDT) Received: by dtcro002.apogee-com.fr; id TAA11191; Wed, 3 Jul 1996 19:26:20 +0200 (MET DST) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1) Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr.apogee-com.fr (4.1/SMI-4.1) Message-Id: <31DAAD64.1702@apogee-com.fr> Date: Wed, 03 Jul 1996 19:27:00 +0200 From: Jean-Francois Zwobada Organization: APOGEE Communications X-Mailer: Mozilla 2.02 (Win95; I) Mime-Version: 1.0 To: Yasin Shaikh Cc: Firewalls@greatcircle.com Subject: Re: Integrating Reuters Service thru TIS Toolkit References: <31DA8975.6AC8@nesbittburns.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk Hi, There is a generic proxy in the TIS toolkit named 'plug-gw'. This proxy is designed to accept a connection on a well-known port number and relay all the traffic to the real destination. The usual example is to use plug-gw as a relay for the News (port 119) between an internal server and the external server. The plug-gw can be configured in a many-to-one manner: plug-gw: port nntp 1.2.3.* -plug-to server -port 119 and the Gauntlet version can support many-to-many connections such as: plug-gw: port nntp 1.2.3.* -port nntp where you don't specify the real destination to plug to. But I don't know if the Toolkit can do it. If your application uses a single TCP connection on a defined port number then you can use the plug-gw. I've used it for such an application at a customer site. Jean-Francois -- ______________________ Jean-Francois Zwobada ____________________ Apogee Communications Tel : +33 (1) 69 85 56 47 Parc Club Universite Fax : +33 (1) 69 85 56 48 28, rue Jean Rostand 91893 ORSAY Cedex e-mail : zwobada@apogee-com.fr __________________________________________________________________ From firewalls-owner Wed Jul 3 11:34:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA18869 for firewalls-outgoing; Wed, 3 Jul 1996 11:29:14 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA18850 for ; Wed, 3 Jul 1996 11:29:07 -0700 (PDT) Received: by hidata.com; id AA20822; Wed, 3 Jul 96 11:26:28 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) Date: Wed, 3 Jul 1996 11:26:10 -0700 Message-Id: <199607031826.LAA00463@osc.osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM
From: Bill Stout Subject: Re: /etc/shadow encryption Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 09:55 AM 7/3/96 EST, you wrote: >Michael Ryan writes: >> Forgive me if I'm wrong, but I believe the crypt() function is not >> exported outside the U.S. and I note the requestor is >> outside the U.S., so his Un*x probably doesn't have it. > >In this case you are wrong, but are forgiven. The crypt program and other >reversible encryption tools for Unix can't be exported, but the crypt routine >(i.e. crypt(3)) is exportable, because it is a one-way "encryption" (i.e. >you can't get the original info back). > > Frank Crawford AHA! That sheds some light on the one-way-function passwords in NT... :) (Just convert the password into some binary and pass that binary string around for authentication, no one will be the wiser...) Bill Stout From firewalls-owner Wed Jul 3 12:34:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23153 for firewalls-outgoing; Wed, 3 Jul 1996 12:19:16 -0700 (PDT) Received: from orion.webspan.net (orion.webspan.net [206.154.70.41]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA23146 for ; Wed, 3 Jul 1996 12:19:10 -0700 (PDT) Received: from orion.webspan.net (scanner@orion.webspan.net [206.154.70.41]) by orion.webspan.net (8.7.5/8.6.12) with SMTP id PAA12594; Wed, 3 Jul 1996 15:15:50 -0400 (EDT) Date: Wed, 3 Jul 1996 15:15:49 -0400 (EDT) From: Scanner To: Uldis Bojars cc: firewalls@GreatCircle.COM Subject: Re: OS/2 firewalls? In-Reply-To: <31DA8200@lda.gov.lv> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 3 Jul 1996, Uldis Bojars wrote: > Hi! > > I am searching for OS/2 firewalls - are there any? It's > very hard to find, but I think there are some. Of course > I do not want OS/2 because I want to use firewall as a > workstation ;-) Don't know any for OS/2.
> And - if negative - what are good firewalls for freeBSD? > Our company is not so big to buy Sun or HP UNiX computer > and use it as a firewall. There is native ipfw, a packet filter built into FreeBSD; there is also supposedly, I think, ipfilter for FreeBSD, either in the works or out there somewhere. -- ===================================| Webspan Inc., ISP Division. FreeBSD 2.1.0 is available now! | Phone: 908-367-8030 ext. 126 -----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701 Turning PCs into Workstations | E-Mail: scanner@webspan.net http://www.freebsd.org | SysAdmin / Network Engineer / Security ===================================| Member BSDNET team! http://www.bsdnet.org From firewalls-owner Wed Jul 3 13:50:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA27484 for firewalls-outgoing; Wed, 3 Jul 1996 13:34:17 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA27477 for ; Wed, 3 Jul 1996 13:34:11 -0700 (PDT) Received: by hidata.com; id AA21883; Wed, 3 Jul 96 13:31:32 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) Date: Wed, 3 Jul 1996 13:31:17 -0700 Message-Id: <199607032031.NAA01036@osc.osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Computer risk lists Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What risk lists are recommended by the collective? This is one cool list: http://catless.ncl.ac.uk/Risks BTW - I thought HERF guns were fantasy! Network world - 7/1/96 p.8 'CIA cyber-war center' Bill Stout <=======10========20========30========40========50========60========70========80 William B.
Stout | Major revelations: Senior Systems Admin | "All objects are part of a larger object." Hitachi Data Systems | "3 aware beings comprise a person; mind, body, spirit." NT/UNIX/I-net/Routers | "The secret of life: To be involved with 'creation'." 408-970-4822 | Infowar, Cyber-war, yes, 'they' are out to get you... -------------------------------------------------------------------------------- From firewalls-owner Wed Jul 3 14:19:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA29386 for firewalls-outgoing; Wed, 3 Jul 1996 14:03:07 -0700 (PDT) Received: from piscopo.ncgroup.com (piscopo.ncgroup.com [192.232.23.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA29368 for ; Wed, 3 Jul 1996 14:02:56 -0700 (PDT) Received: from MIAGI.ncgroup.com ([192.232.23.8]) by piscopo.ncgroup.com Received: by MIAGI.ncgroup.com with Microsoft Exchange (IMC 4.0.838.14) Message-ID: From: AKRUMSEE@ncgroup.com (Art Krumsee) To: "'Firewalls@GreatCircle.COM'" Subject: RE: Catapault firewall Date: Wed, 3 Jul 1996 16:53:39 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk While you are checking out web pages I'd suggest that you take a look at a new "firewall" from MCI and Intel. Called Webmaker, this is claimed to be a firewall/web server/router all in one Pentium system. The claim is that You will enjoy the following quotes from the web page. Art "Up and running in an hour with a total solution The networkMCI WebMaker is truly the best route to doing business on the Internet. It comes with all the hardware and software necessary for a secure Internet presence. It's installed with leased line Internet service from MCI. It's a total solution that's all preconfigured and ready to go. 
Built-in software wizards and pre-designed templates let you develop a "look" that suits your business and customize your site with information specific to your company. In short, it's so well thought out that most networkMCI WebMaker sites are on line, accessible to anyone with web access anywhere in the world, in about an hour." "No UNIX experts required Today's Pentium Pro processor-based servers give you a familiar Windows-based platform for your Internet server. So why add another technology to your worries? The networkMCI WebMaker can be used and maintained easily by anyone familiar with PCs and Windows NT operating system. Chances are, you have more than one such person on staff. Using somebody already on staff is much less expensive than having to hire another employee or constantly bringing in an outside consultant every time something needs to be fixed or changed. " "Safe and secure The networkMCI WebMaker features an integrated router and Proxy Server forming a security firewall. The built-in packet-filtering router and Web Proxy Server provide secure Internet access and a secure presence for your business. Having these components integrated into a turnkey solution saves you from having to buy additional external routers and proxy servers costing thousands of dollars. It also eliminates the need for expensive technical specialists to install them. The end result? By design, only allowed services such as HTTP and e-mail are enabled, maximizing safety, enforcing a conservative security policy, and giving you the current standard in Internet security for a fraction of the usual price. " "The bottom line The networkMCI WebMaker solution is unique. It integrates the proven components with secure Internet connectivity, comprehensive administration and ease of use.
You get: Pentium Pro processor-based system, loaded and pre-configured with all necessary communication hardware and Internet services software Integrated security firewall with a packet-filtering router and Proxy Server Capacity for scalable leased line Internet connectivity from 56 Kbps to full T-1 speed Secure Web presence (Web and e-mail) and real-time Internet access for TCP/IP LAN users (Web, e-mail, FTP) Easy-to-use tools for installation, Web site creation and site promotion Intuitive WebMaker Management Console running over Windows NT operating system Web Back-end Online Service for integrated product support" ---------- From: Marcus J. Ranum[SMTP:mjr@clark.net] Sent: Monday, July 01, 1996 9:39 PM To: Firewalls@GreatCircle.COM Subject: Re: Catapault firewall I pulled down Microsoft's page on Catapult. I urge you all to do so and give it a read. From where I sit, it looks like the firewall market has reached its next level, with this announcement. The brief on Microsoft's page is completely content-free. Several times, Catapult is recommended as the solution because it's secure. Nothing about why it's secure or how it's secure. Don't bother your head with that stuff! It's SECURE, OK? ...Or at least as secure as a beta product that only runs on a beta version of NT can be. In fairness to Microsoft, it may be pretty good stuff. But we can't tell from what they say. Which is why I feel it marks a milestone in the firewall market. The Big Boys Are Here now and it's SECURE, it's OK. That argument worked for Netscape, for a while. Those of us who've been with this firewall thing for a while have seen the market get muddied before, and eventually things calm down again. It'll be fascinating to see what happens if Microsoft decides to put even a teeny bit of their marketing muscle behind Catapult. I guess it means that, as a technology, firewalls have "arrived." mjr. 
From firewalls-owner Wed Jul 3 14:54:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA02505 for firewalls-outgoing; Wed, 3 Jul 1996 14:46:34 -0700 (PDT) Received: from sam.networx.ie (dublin-ts17-132.indigo.ie [194.125.134.132]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA02487 for ; Wed, 3 Jul 1996 14:46:26 -0700 (PDT) Received: from mip1.networx.ie (mip1.networx.ie [194.9.12.1]) by sam.networx.ie (8.6.12/8.6.12) with SMTP id WAA13890 for ; Wed, 3 Jul 1996 22:38:34 GMT X-Organisation: I.T. NetworX Ltd X-Business: Network Consultancy and Training X-Address: 67 Merrion Square, Dublin 2, Ireland X-Voice: +353-1-676-8866 X-Fax: +353-1-676-8868 Received: from mike.networx.ie by mip1.networx.ie Date: Wed, 3 Jul 1996 22:36:58 BST From: Michael Ryan Reply-To: mike@networx.ie Subject: tcpshow man page To: Firewalls Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The manpage for tcpshow is now at http://www.cs.berkeley.edu/~daw/mike Regards, Mike --- From firewalls-owner Wed Jul 3 15:04:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA03442 for firewalls-outgoing; Wed, 3 Jul 1996 14:58:35 -0700 (PDT) Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA03419 for ; Wed, 3 Jul 1996 14:58:19 -0700 (PDT) Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.7.5/8.7.3) id HAA16403; Thu, 4 Jul 1996 07:47:50 +1000 (EST) Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3) Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id HAA05897; Thu, 4 Jul 1996 07:55:54 +1000 From: Colin Campbell Message-Id: <199607032155.HAA05897@guru.citec.qld.gov.au> Subject: Re: NEC SocksPlus?? 
To: Russ.Cooper@RC.Toronto.on.ca (Russ) Date: Thu, 4 Jul 1996 07:55:52 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <01BB68AF.B7985580@rwcooper.rc.toronto.on.ca> from "Russ" at Jul 3, 96 07:17:37 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My mailer thinks Russ said: > [lots of stuff about SOCKS(Plus)] > The thing that stopped me using socks and going for fwtk was the requirement to find/manufacture socks-compatible clients. In my admittedly limited knowledge of that side of the market, only Netscape is SOCKS-aware. What do you do when you have to support users on systems from 100 different vendors running 30 different operating systems and Win 3.X (not considered an OS :-) all with their favourite tools for ftp/telnet/.... Colin From firewalls-owner Wed Jul 3 15:23:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA02972 for firewalls-outgoing; Wed, 3 Jul 1996 14:53:04 -0700 (PDT) Received: from carmen.broder.com (carmen.broder.com [207.77.64.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA02949 for ; Wed, 3 Jul 1996 14:52:53 -0700 (PDT) Received: (from uucp@localhost) by carmen.broder.com (8.6.13/8.6.12) id OAA23610 for ; Wed, 3 Jul 1996 14:50:12 -0700 Received: from moonix.broder.com(204.189.16.4) by carmen.broder.com via smap (V1.3) Received: (from ttt@localhost) by moonix.broder.com (8.6.12/8.6.12) id OAA00428; Wed, 3 Jul 1996 14:50:07 -0700 Date: Wed, 3 Jul 1996 14:50:06 -0700 (PDT) From: TTT Group To: firewalls@greatcircle.com Subject: *** SECURITY ALERT *** Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I spent some time exploring Novell's HTTP server and out of the box there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If you are running the Novell HTTP server, please disable the CGI's it comes with until you understand (fully understand) what the security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The CGI in question is convert.bas (yes, cgi's in basic, stop laughing). (There may be more CGI's in the scripts dir that can be exploited but this was all I could stomach.)

A remote user can read any file on the remote file system using this CGI. This means that if you are running the Novell HTTP server and have the 'out of box' CGI's, you are breached.

Exploit code:
http://victim.com/scripts/convert.bas?../../anything/you/want/to/view

I was going to see how bad this threat was by connecting to www servers, testing for "Novell HTTP" in the HTTP server response BUT WHY DO THAT WHEN YOU HAVE www.altavista.digital.com :-)

+links:scripts/convert.bas

will return you all the sites that can be breached.

PLEASE PLEASE PLEASE don't open the box and put the machine on the Internet.

I am getting tired of this kind of stuff. Who the hell did Novell consult with to write these darn CGI's? It makes me sad.
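The alert above describes a classic directory-traversal bug: a CGI that takes a file name from the query string and opens it without checking that the result stays under the document root. Two things a site running that server would want are (a) a way to spot traversal attempts against `convert.bas` in the web server's access log and (b) the path check the CGI should have had. The following is an added example, not code from the original message or from Novell; the log lines, addresses and the `/web/docs` document root are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed Common Log Format lines (placeholder addresses, not a real capture).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jul/1996:14:50:07 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [03/Jul/1996:14:50:09 -0700] "GET /scripts/convert.bas?readme.txt HTTP/1.0" 200 512
192.0.2.12 - - [03/Jul/1996:14:50:12 -0700] "GET /scripts/convert.bas?../../sys/etc/passwd HTTP/1.0" 200 2210
192.0.2.13 - - [03/Jul/1996:14:50:15 -0700] "GET /scripts/convert.bas?%2e%2e%2f%2e%2e%2fsys/system/autoexec.ncf HTTP/1.0" 200 900
192.0.2.14 - - [03/Jul/1996:14:50:20 -0700] "GET /scripts/other.bas?file=..\\..\\secret HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_traversal(url):
    """True if the path or query contains a '..' segment after percent-decoding.
    Backslashes are folded to '/' so DOS-style '..\\..' is caught as well."""
    parts = urlsplit(url)
    for piece in (parts.path, parts.query):
        decoded = unquote(piece).replace("\\", "/")
        if any(seg == ".." for seg in decoded.split("/")):
            return True
    return False


def find_traversal_requests(log_text):
    """Return the requests in an access log that carry a traversal sequence,
    with the source address and status so a 200 (served!) stands out."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("url")):
            hits.append({"src": m.group("src"),
                         "url": m.group("url"),
                         "status": int(m.group("status"))})
    return hits


def resolve_under_root(docroot, requested):
    """The check convert.bas lacked: canonicalise the requested name under the
    document root and refuse anything that ends up outside it. Returns the
    safe absolute path, or None when the request escapes the root."""
    cleaned = unquote(requested).replace("\\", "/").lstrip("/")
    root = posixpath.normpath(docroot)
    target = posixpath.normpath(posixpath.join(root, cleaned))
    if target == root or target.startswith(root + "/"):
        return target
    return None


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print("%(src)s -> %(url)s (status %(status)d)" % hit)
    print(resolve_under_root("/web/docs", "readme.txt"))
    print(resolve_under_root("/web/docs", "../../sys/etc/passwd"))
```

A served traversal request (status 200) in the log means the file was already read; the path check is what turns that into a 403/404 in the first place.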
--blast

From firewalls-owner Wed Jul 3 15:34:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04707 for firewalls-outgoing; Wed, 3 Jul 1996 15:18:26 -0700 (PDT)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA04678 for ; Wed, 3 Jul 1996 15:18:16 -0700 (PDT)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.7.5/8.7.3) id IAA17683; Thu, 4 Jul 1996 08:07:47 +1000 (EST)
Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3)
Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id IAA05993; Thu, 4 Jul 1996 08:15:43 +1000
From: Colin Campbell
Message-Id: <199607032215.IAA05993@guru.citec.qld.gov.au>
Subject: Re: Integrating Reuters Service thru TIS Toolkit
To: zwobada@apogee-com.fr (Jean-Francois Zwobada)
Date: Thu, 4 Jul 1996 08:15:43 +1000 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <31DAAD64.1702@apogee-com.fr> from "Jean-Francois Zwobada" at Jul 3, 96 07:27:00 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Jean-Francois Zwobada said:
> [lots of stuff]
>
> and the Gauntlet version can support many-to-many connections such
> as:
> plug-gw: port nntp 1.2.3.* -port nntp
> where you don't specify the real destination to plug to. But I don't
> know if the Toolkit can do it.
>

I believe they can only do this by supporting transparent proxies and that requires kernel hacks which is why Gauntlet (on BSDI only?) supports it and the toolkit doesn't. It is in essence nothing more than a router filter, restricting access to certain addresses (1.2.3.*).
Colin

From firewalls-owner Wed Jul 3 15:49:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05601 for firewalls-outgoing; Wed, 3 Jul 1996 15:29:11 -0700 (PDT)
Received: from pdh.com (pdh.com [192.159.13.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA05558 for ; Wed, 3 Jul 1996 15:28:59 -0700 (PDT)
Received: from telluride.pdh.com by pdh.com (NeXT-1.0 (From Sendmail 5.52)/NeXT-2.0)
Message-Id: <9607032224.AA09477@pdh.com>
Received: by telluride.pdh.com (NX5.67f2/NX3.0X)
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
Received: by NeXT.Mailer (1.118.2)
From: Jason Rhoads
Date: Wed, 3 Jul 96 15:25:36 -0700
To: firewalls@greatcircle.com
Subject: Re:OS/2 firewalls?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry I don't know of any OS/2 firewalls, but I do have some experience with FreeBSD. The TIS Firewall Toolkit and Darren Reed's IP Filter package both work great under FreeBSD. However, you will need some UNIX expertise in order to get things up and running. They are not plug and play solutions.

TIS Toolkit (ftp://ftp.tis.com/pub/firewalls/toolkit)
IP Filter (http://www.cyber.com.au/users/darrenr)
FreeBSD (http://www.freebsd.org)

- Jason

Begin forwarded message:

X-Authentication-Warning: lapsene.mii.lu.lv: uulda set sender to lda!lda.gov.lv!uldis@lda.gov.lv using -f
>Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92);
To: firewalls@greatcircle.com
From: Uldis Bojars
Subject: OS/2 firewalls?
Date: Wed, 3 Jul 1996 10:21:52 +0200
Lines: 17
Sender: firewalls-owner@greatcircle.com

Hi!

I am searching for OS/2 firewalls - are there any? It's very hard to find, but I think there are some. Of course I do not want OS/2 because I want to use firewall as a workstation ;-)

And - if negative - what are good firewalls for freeBSD? Our company is not so big to buy Sun or HP UNiX computer and use it as a firewall.

Uldis

> If you learn from mistakes, you will learn a lot today.
--- GoldED/386 3.00.Alpha1+

From firewalls-owner Wed Jul 3 17:19:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14429 for firewalls-outgoing; Wed, 3 Jul 1996 17:13:32 -0700 (PDT)
Received: from ns.isk.co.kr ([203.240.169.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA14417 for ; Wed, 3 Jul 1996 17:13:23 -0700 (PDT)
Received: from isk82.isk.co.kr (isk82.isk.co.kr [203.240.169.82]) by ns.isk.co.kr (8.6.12H1/8.6.12) with SMTP id JAA02310 for ; Thu, 4 Jul 1996 09:10:37 +0900
Message-ID: <31DB0BEF.7D57@isk.co.kr>
Date: Thu, 04 Jul 1996 09:10:23 +0900
From: "Kwanho Shin(=?EUC-KR?B?vcWw/Mij?=)"
Organization: Internet Security Korea
X-Mailer: Mozilla 3.0b4 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: IP translation
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When I set the Firewall-1 (Checkpoint), I met some problem.

First is how I can setup for IP translation (inbound & outbound). I set route, arp for illegal IP & global IP. But I can translate IP address (Illegal --> Global, Global --> Illegal)

--
Kwanho Shin (HL1MLV)
Mailto: skh@isk.co.kr
Internet Security Korea Co., Ltd.
Tel:(02)786-3555 Fax:(02)786-3554

From firewalls-owner Wed Jul 3 17:34:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14430 for firewalls-outgoing; Wed, 3 Jul 1996 17:13:33 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA14414 for ; Wed, 3 Jul 1996 17:13:21 -0700 (PDT)
Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232])
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail
Message-ID: <01BB691B.1D403040@rwcooper.rc.toronto.on.ca>
From: Russ
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Catapault firewall
Date: Wed, 3 Jul 1996 20:06:24 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[rant]
Art's message about networkMCI WebMaker was the first time I'd heard of the product. See, I work for MCI, actually, SHL who is owned by MCI. Actually, I am the National Coordinator for the regional Internet/Intranet Professional Services groups here in Canada (at least that's the title they've given me). Unfortunately, my position doesn't mean squat to corporate MCI. Third party Firewall developers have asked me for my opinion on their products, but the company I work for doesn't know I exist (presumably). For Christ's sake, the damn thing even uses NT at its core...;-[...like I might know a thing or two about NT...;-[ ...Anyone wonder why I'm looking for new digs??? (p.s. has to be in Canada)
[/rant]

For a more detailed product of networkMCI WebMaker, have a look at;

http://www.webmaker.mci.com/webmaker/features/secbrf.htm

which has some technical information about the security design of the WebMaker product.

It isn't simply NT running on a Pentium Pro. The box includes a "Router on an ISA card", which is a packet-filtering router which only allows packets through on tcp 80/443/25, tcp 21 (outbound only), and port 1023 for established client connections. It also allows udp 53 for DNS.
With these ports only, it's impossible to get to NT's server components like RPC or NetBIOS from the Internet, so issues like remotely accessing its registry or logging into the server are pretty much out of the question. Access to the box from the LAN is restricted by the Intel Proxy Server which supposedly only understands HTTP. Depending on how that's been implemented, it may still be possible to access the NT Workstation's registry from the LAN.

This "Router on a card" has its own Ethernet port, and uses a management application that speaks directly to it, not to NT. IP Forwarding is turned off in NT, and two additional ethernet adapters are in the box. One connects to the ethernet port on the "Router on a card" using a cross-over cable to establish connectivity to the Internet, the other connects to the Internal network.

The Proxy Server is from Intel??, and they say it will only allow outbound HTTP requests (which sorta contradicts the statement about FTP being allowed for outbound only??). It proxies the requests and therefore does not use the internal IP addresses.

All the marketing tripe to one-side, this is a nice piece of hardware. So while the software being used would need to be evaluated to determine if it's safe or not, the concept is pretty sound and the implementation seems to adhere to the design principle.

[megarant]
Either way, it's another example of how my parent company wants to put me out of a job, embarrass me in public, and in general, ignore their hired guns in lieu of *unknown* (to me). Maybe they figured that since the WebMaker will only be available in the U.S. they didn't need the opinion of a Canadian. Obviously nobody from MCI (other than me) reads this list.
Do I sound bitter?...naw...;-]
[/megarant]

Cheers,
Russ

From firewalls-owner Wed Jul 3 18:04:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA15788 for firewalls-outgoing; Wed, 3 Jul 1996 17:43:02 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA15768 for ; Wed, 3 Jul 1996 17:42:53 -0700 (PDT)
Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232])
Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail
Message-ID: <01BB691F.3F836920@rwcooper.rc.toronto.on.ca>
From: Russ
To: "Firewalls@GreatCircle.COM"
Subject: RE: udp 137 broadcast from Win95 PC
Date: Wed, 3 Jul 1996 20:35:58 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The UDP 137 packets from your Win95 machine are the machine announcing itself to the network in an attempt to determine who is the NetBIOS Browse Master for that network. In the event it cannot find one, it will become the Browse Master itself. I would suspect that your packets came about simultaneous to reboots or power-ups, which you could confirm by monitoring a power-up sequence and seeing how many packets it generates.

You can turn off this capability, thereby forcing it not to attempt to become a Browse Master by going to Control Panel, Networks, File and Printer Sharing for Microsoft Networks, Properties, Browse Master = No.

Make sure you have applied Service Pack #1 for Windows 95 to an Internet exposed Windows 95 machine that has File and Print Sharing enabled.
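Russ's two messages above both come down to port policy: the WebMaker card admits only tcp 80/443/25, tcp 21 outbound, high ports for established client connections and udp 53, which is why RPC and NetBIOS from the Internet never reach NT; and the udp 137 bursts from a Win95 box are NetBIOS name-service broadcasts you can count on the wire to tie them to reboots. The following is an added example, not code from either message or from MCI/Intel; it models that port list as a small filter and counts udp/137 broadcasts in constructed tcpdump-style lines. Treating 80/443/25 as allowed in both directions and "port 1023" as "ports above 1023 with ACK set" is this example's reading of the description, not something the message spells out.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    direction: str    # "in": Internet -> WebMaker box, "out": box -> Internet
    sport: int
    dport: int
    ack: bool = False  # TCP ACK bit set, i.e. part of an established connection


def webmaker_policy(pkt):
    """Decide one packet against the quoted port list; default is drop."""
    if pkt.proto == "tcp":
        if pkt.dport in (80, 443, 25):
            return ("accept", "tcp service port %d" % pkt.dport)
        if pkt.dport == 21 and pkt.direction == "out":
            return ("accept", "outbound ftp control")
        if pkt.ack and pkt.dport > 1023:
            return ("accept", "established traffic to high port %d" % pkt.dport)
        return ("drop", "tcp/%d not in policy" % pkt.dport)
    if pkt.proto == "udp":
        if 53 in (pkt.sport, pkt.dport):
            return ("accept", "dns")
        return ("drop", "udp/%d not in policy" % pkt.dport)
    return ("drop", "protocol %s not in policy" % pkt.proto)


# Constructed probe set (labels and ports chosen for illustration).
SAMPLE_PACKETS = [
    ("web request",         Packet("tcp", "in",  40001, 80)),
    ("inbound smtp",        Packet("tcp", "in",  40002, 25)),
    ("rpc endpoint mapper", Packet("tcp", "in",  40003, 135)),
    ("netbios session",     Packet("tcp", "in",  40004, 139)),
    ("netbios name bcast",  Packet("udp", "in",  137,   137)),
    ("inbound ftp",         Packet("tcp", "in",  40005, 21)),
    ("outbound ftp",        Packet("tcp", "out", 1045,  21)),
    ("reply to proxy",      Packet("tcp", "in",  80,    1500, ack=True)),
    ("syn to high port",    Packet("tcp", "in",  40006, 1500)),
    ("dns query",           Packet("udp", "out", 1046,  53)),
]


def evaluate(packets):
    """Return {label: 'accept' | 'drop'} for a list of (label, Packet) pairs."""
    return {label: webmaker_policy(p)[0] for label, p in packets}


# Constructed tcpdump-style lines in the old "udp <len>" format, not a real capture.
SAMPLE_TCPDUMP = """\
14:50:07.001 192.168.1.5.137 > 192.168.1.255.137: udp 50
14:50:07.751 192.168.1.5.137 > 192.168.1.255.137: udp 50
14:50:08.501 192.168.1.5.137 > 192.168.1.255.137: udp 50
14:50:09.002 192.168.1.9.1030 > 192.168.1.1.53: udp 34
14:50:10.120 192.168.1.7.137 > 192.168.1.255.137: udp 50
"""

UDP_RE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)"
)


def netbios_name_broadcasts(dump_text):
    """Count udp/137 packets sent to a broadcast address, per source host:
    the tally Russ suggests collecting across a power-up sequence."""
    counts = Counter()
    for line in dump_text.splitlines():
        m = UDP_RE.match(line)
        if m and m.group("dport") == "137" and m.group("dst").endswith(".255"):
            counts[m.group("src")] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, decision in evaluate(SAMPLE_PACKETS).items():
        print("%-20s %s" % (label, decision))
    print(netbios_name_broadcasts(SAMPLE_TCPDUMP))
```

The "syn to high port" case is the one worth noticing: a bare SYN to 1500 is dropped while the ACK-bearing reply to 1500 is accepted, which is what "established" buys you on a stateless filter, and also its weakness, since the filter is trusting a flag the sender sets.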
Cheers,
Russ

From firewalls-owner Wed Jul 3 19:07:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA22965 for firewalls-outgoing; Wed, 3 Jul 1996 19:00:49 -0700 (PDT)
Received: from ns.isk.co.kr ([203.240.169.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA22947 for ; Wed, 3 Jul 1996 19:00:38 -0700 (PDT)
Received: from isk82.isk.co.kr (isk82.isk.co.kr [203.240.169.82]) by ns.isk.co.kr (8.6.12H1/8.6.12) with SMTP id KAA03666 for ; Thu, 4 Jul 1996 10:57:55 +0900
Message-ID: <31DB2515.3A83@isk.co.kr>
Date: Thu, 04 Jul 1996 10:57:41 +0900
From: "Kwanho Shin(=?EUC-KR?B?vcWw/Mij?=)"
Organization: Internet Security Korea
X-Mailer: Mozilla 3.0b4 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: IP address translation
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When I set the Firewall-1 (Checkpoint), I met some problem.

First is how I can setup for IP translation (inbound & outbound). I set route, arp for illegal IP & global IP. But I can translate IP address (Illegal --> Global, Global --> Illegal)

If you've been set above it, to send information, please.

Have a nice Day!!

--
Kwanho Shin (HL1MLV)
Mailto: skh@isk.co.kr
Internet Security Korea Co., Ltd.
Tel:(02)786-3555 Fax:(02)786-3554

From firewalls-owner Wed Jul 3 19:21:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA23110 for firewalls-outgoing; Wed, 3 Jul 1996 19:04:42 -0700 (PDT)
Received: from pdx1 (pdx1.world.net [192.243.32.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA23098 for ; Wed, 3 Jul 1996 19:04:34 -0700 (PDT)
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1 (8.6.9/8.6.9) with ESMTP id TAA08601 for ; Wed, 3 Jul 1996 19:03:07 -0700
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id MAA14738 for firewalls@greatcircle.com; Thu, 4 Jul 1996 12:01:07 +1000
Received: from applejack.CS.YALE.EDU (APPLEJACK.CS.YALE.EDU [128.36.0.131]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id EAA28051 for ; Thu, 4 Jul 1996 04:11:41 +1000
Received: from eli.CS.YALE.EDU by applejack.CS.YALE.EDU (8.7.1/res.host.cf-4.0)
Received: by eli.CS.YALE.EDU id KAA16403; Wed, 3 Jul 1996 10:32:33 -0400 (EDT) sender owner-sneakers@CS.YALE.EDU for sneakers-outgoing
Received: from bulldog.CS.YALE.EDU by eli.CS.YALE.EDU (8.7.1/res.host.bitnet.cf-4.1)
Received: from relay1.smtp.psi.net by bulldog.CS.YALE.EDU (8.7.1/res.host.uucp.cf-4.1)
Received: from uu6.psi.com by relay1.smtp.psi.net (8.6.12/SMI-5.4-PSI)
Received: from larry.dcbnet.com by uu6.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP;
Received: from jmccain.dcbnet.com (mccain [205.166.54.68]) by larry.dcbnet.com (8.6.12/8.6.12) with SMTP id JAA18448 for ; Wed, 3 Jul 1996 09:30:54 -0500
Message-Id: <199607031430.JAA18448@larry.dcbnet.com>
X-Sender: jmccain@dcbnet.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 03 Jul 1996 09:37:05 -0500
To: sneakers@CS.YALE.EDU
From: jmccain@dcbnet.com (John McCain)
Subject: Iphone vulnerabilities
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One of my clients came up with this today.
Anyone else run into Iphone security problems?

The situation. He's connected ppp to an ISP on a dial-up line. His comments...

Today I was connected to the net, and my i-phone rang. Someone said they were testing their i-net phone. I told them they sounded ok, and they said "just a minute". Seconds later I noticed my i-phone software was flashing something. (Don't remember the initials now but it was three letters toward the bottom left of the screen. Not knowing, I disconnected. Later I ran netscape and found my bookmark.htm file has been drastically changed. I wonder if they were trying to download some files in hope of getting financial stuff, etc. (I don't have on laptop). Anyway, I don't think I care for I-phone now

Regards,
John

From firewalls-owner Wed Jul 3 19:38:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA24984 for firewalls-outgoing; Wed, 3 Jul 1996 19:33:19 -0700 (PDT)
Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA24977 for ; Wed, 3 Jul 1996 19:33:12 -0700 (PDT)
Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1)
Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1)
Received: from spirit.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4)
Received: by spirit.qualix (5.x/SMI-SVR4)
From: security@qualix.com (Nik I. Knoth)
Message-Id: <9607040226.AA17040@spirit.qualix>
Subject: Re: Hardware requirements of Firewall-1
To: baysalc@boun.edu.tr (Can BAYSAL)
Date: Wed, 3 Jul 1996 19:26:55 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Can BAYSAL" at Jun 30, 96 03:08:07 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It does, in fact, work on an IPX. I have a customer who is protecting his internal net with FW-1 on a sparc IPX...
To answer yours, yes a sparc 5 would prob be quite sufficient. CP's FW-1 is not terribly resource-intensive.

-nik
--
/\/ik I.

> Hi there;
> I wonder what is the REAL minimum required configuration of
> Firewall-1. The book says that Sun SPARC based system, I do not think
> this means IPX :) , does it? For example on a 10 Mbits ethernet would a
> Sparc 5 be acceptable?
>
> Thanks;
> Can Baysal
>

From firewalls-owner Wed Jul 3 20:05:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA27725 for firewalls-outgoing; Wed, 3 Jul 1996 19:50:42 -0700 (PDT)
Received: from news.tcd.net (news.tcd.net [198.70.50.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA27696 for ; Wed, 3 Jul 1996 19:50:33 -0700 (PDT)
Received: from main.tcd.net (root@main.tcd.net [198.70.50.4]) by news.tcd.net (8.6.12/8.6.9) with ESMTP id UAA07630 for ; Wed, 3 Jul 1996 20:47:54 -0600
Received: from LOCALNAME (slip13.slc.tcd.net [204.248.105.93]) by main.tcd.net (8.7.5/8.7.5) with SMTP id UAA05591 for ; Wed, 3 Jul 1996 20:47:52 -0600
Date: Wed, 3 Jul 1996 20:47:52 -0600
Message-Id: <199607040247.UAA05591@main.tcd.net>
X-Sender: pate19@mail.tcd.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: PatrickEyler
Subject: RE: Training???
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:33 AM 7/3/96 MDT, you wrote:
>Learning Tree was mentioned as a possible place for training. I found
>their web site: http://www.learningtree.com
>
>Gives details on everything from classes offered to when they take place
>and tuition rates.
>
>Scott
>
>
>

You might also look at http://www.arg.com

-pat

From firewalls-owner Wed Jul 3 22:49:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA08886 for firewalls-outgoing; Wed, 3 Jul 1996 22:38:54 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA08879 for ; Wed, 3 Jul 1996 22:38:48 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607040536.AA09660@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: "Kwanho Shin(=?EUC-KR?B?vcWw/Mij?=)"
Cc: Firewalls
From: Ryan.Russell/SYBASE
Date: 3 Jul 96 22:37:16 EDT
Subject: Re: IP translation
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You configure the translation via the fwxlconf program. I think the address translation was introduced in version 2. What specific trouble are you having?

Ryan

---------- Previous Message ----------
To: Firewalls
cc:
From: skh @ isk.co.kr ("Kwanho Shin(=?EUC-KR?B?vcWw/Mij?=)") @ smtp
Date: 07/04/96 09:10:23 AM
Subject: IP translation

When I set the Firewall-1 (Checkpoint), I met some problem.

First is how I can setup for IP translation (inbound & outbound). I set route, arp for illegal IP & global IP. But I can translate IP address (Illegal --> Global, Global --> Illegal)

--
Kwanho Shin (HL1MLV)
Mailto: skh@isk.co.kr
Internet Security Korea Co., Ltd.
Tel:(02)786-3555 Fax:(02)786-3554

From firewalls-owner Wed Jul 3 23:22:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA10452 for firewalls-outgoing; Wed, 3 Jul 1996 23:11:54 -0700 (PDT)
Received: from firewall.ddeorg.soft.net (firewall.ddeorg.soft.net [164.164.74.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA10425 for ; Wed, 3 Jul 1996 23:11:25 -0700 (PDT)
Received: by firewall.ddeorg.soft.net (5.61/9.3)
Received: from orion.ddeorg.soft.net by ddeorg.soft.net (5.61/9.3) with SMTP
Received: by orion.ddeorg.soft.net (4.1/9.7)
Message-Id: <9607040608.AA08800@orion.ddeorg.soft.net>
X-Mailer: exmh version 1.6.6 3/24/96
To: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 04 Jul 1996 06:08:08 +0000
From: "Rajesh K. R."
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How can I configure router to allow some packets to transmit and vice versa?

From firewalls-owner Thu Jul 4 00:04:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA13104 for firewalls-outgoing; Wed, 3 Jul 1996 23:57:06 -0700 (PDT)
Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA13097 for ; Wed, 3 Jul 1996 23:57:00 -0700 (PDT)
Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id BAA00978; Thu, 4 Jul 1996 01:52:02 -0500
Received: from (meru [3.70.200.55]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id BAA10280; Thu, 4 Jul 1996 01:54:22 -0500
From: Sameer - The Terminator
Message-Id: <199607040654.BAA10280@gemed.med.ge.com>
Received: by meru
Subject: Re: your mail
To: krr@ddeorg.soft.net (Rajesh K. R.)
Date: Thu, 4 Jul 96 12:27:13 IST
Cc: firewalls@greatcircle.com
In-Reply-To: <9607040608.AA08800@orion.ddeorg.soft.net>; from "Rajesh K. R."
at Jul 04, 96 6:08 am
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,
even I am looking for that. Could someone help.
Also, I would like to know how to see the logs on router.
I am having a cisco router.

...sam

>
> How can I configure router to allow some packets to transmit and vice
> versa?
>

From firewalls-owner Thu Jul 4 02:49:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA21729 for firewalls-outgoing; Thu, 4 Jul 1996 02:30:58 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA21694 for ; Thu, 4 Jul 1996 02:29:59 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id LAA01984; Thu, 4 Jul 1996 11:27:28 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9607040925.AA21474@tidtest.total.fr>
To: Sameer - The Terminator
Cc: krr@ddeorg.soft.net (Rajesh K. R.), firewalls@greatcircle.com
Subject: Re: your mail
In-Reply-To: Your message of "Thu, 04 Jul 1996 12:27:13 +0700."
X-Cuse: "The dog ate my network"
Date: Thu, 04 Jul 1996 11:25:29 +0100
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <199607040654.BAA10280@gemed.med.ge.com>, Sameer - The Terminator writes:
> Hi,
> even i am looking for that.Could someone help.
> Also, I would like to know how to see the logs on router.
> I am having a cisco router.
> ...sam
>
> >
> > How can I configure router to allow some packets to transmit and vise
> > versa?
> >

Ask cisco@spot.colorado.edu. And BTW, this applies to krr's problem only if he has a cisco. Not obvious from his posting ...
Michel Lavondes (lavondes@tidtest.total.fr)
#include Governments are guilty until proved innocent

From firewalls-owner Thu Jul 4 08:19:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA03048 for firewalls-outgoing; Thu, 4 Jul 1996 08:05:12 -0700 (PDT)
Received: from Mailer.Uni-Marburg.DE (papin.HRZ.Uni-Marburg.DE [137.248.1.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA03041 for ; Thu, 4 Jul 1996 08:05:05 -0700 (PDT)
Received: from sumbi01.med.Uni-Marburg.DE by Mailer.Uni-Marburg.DE (AIX 3.2/UCB 5.64/20.07.94)
Received: by med.uni-marburg.de (8.6.12/ADD-HUB-2.1)
Received: from post.med.uni-marburg.de(137.248.202.51) by sumbi01.med.uni-marburg.de via smap (V1.3)
Received: from pcmbi60.med.uni-marburg.de (pcmbi60.med.uni-marburg.de [137.248.202.60]) by post.med.uni-marburg.de (8.6.11/8.6.9) with SMTP id RAA04321 for ; Thu, 4 Jul 1996 17:10:22 +0200
Message-Id: <199607041510.RAA04321@post.med.uni-marburg.de>
Comments: Authenticated sender is
From: "D.A. Meyer"
To: firewalls@greatcircle.com
Date: Thu, 4 Jul 1996 17:06:16 +0000
Subject: port to process
Reply-To: meyerd@Mailer.Uni-Marburg.DE
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for a tool which shows me the PID of the process which is responsible for the offering of a TCP/UDP-port. I think I've seen something here on the list but I do not remember the name.

The cause is: sometimes I see a port (netstat -an) listening like

tcp *.2230 *.* LISTEN

or

tcp *.1749 *.* LISTEN.

I do not know anything about these ports, especially how and when they are started. I'm running fwtk and cern httpd and nothing else (I think).

TIA
Dirk

-----------------------------------------------------------------
Dirk A. Meyer                       meyerd@mailer.uni-marburg.de
Klinikum der Philipps-Universitaet Marburg   Tel.xx49-6421-28-6291
Med. Informatik                              Fax.-------------8921
Bunsenstr.
3 D-35033 Marburg/Lahn
-----------------------------------------------------------------

From firewalls-owner Thu Jul 4 09:04:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05086 for firewalls-outgoing; Thu, 4 Jul 1996 08:47:30 -0700 (PDT)
Received: from artemis.rus.uni-stuttgart.de (artemis.rus.uni-stuttgart.de [129.69.18.28]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA05077 for ; Thu, 4 Jul 1996 08:47:21 -0700 (PDT)
Received: from info2.rus.uni-stuttgart.de (info2.rus.uni-stuttgart.de [129.69.18.15]) by artemis.rus.uni-stuttgart.de with SMTP id RAA19244
Received: by info2.rus.uni-stuttgart.de (AIX 3.2/UCB 5.64/4.03)
Message-Id: <9607041542.AA33993@info2.rus.uni-stuttgart.de>
Subject: Re: port to process
To: meyerd@Papin.HRZ.Uni-Marburg.DE
Date: Thu, 4 Jul 1996 17:42:00 +0200 (MST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199607041510.RAA04321@post.med.uni-marburg.de> from "D.A. Meyer" at Jul 4, 96 05:06:16 pm
From: Helmut Springer
Organization: Stuttgart University, FRG
X-Pgp-Fingerprint: AE 42 C3 2C A1 3E 55 6D B3 AC 3C D2 F3 CF FF E7
X-Phone: +49 711 685-2003q
X-Fax: +49 711 685-2043
X-Mailer: ELM [version 2.4 PL25 PGP6]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

hi,

D.A. Meyer wrote:
> I'm looking for a tool which shows me the PID of the process which is
> responsible for the offering of a TCP/UDP-port. I think i've seen

lsof (list open filedescriptors) from Vic Abell
primary site vic.cc.purdue.edu /pub/tools/unix/lsof
current version 3.67 AFAIK.

enjoy
delta

- --
helmut 'delta' springer      Unix/Net Consulting, InfoSystems, StudBox
delta@RUS.Uni-Stuttgart.DE   Stuttgart University, FRG
http://home.pages.de/~delta/
phone : +49 711 685-2003     If you've got to do it,
FAX   : +49 711 685-2043     do it with cold blood...
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBMdvmQUIBUTWGT7StAQHWoAP/Q9PW7Bp8xx8VJvgYTYKNu7WoLfeUUNMR
UXI3OIcMoZij8A84LquDPLD9h/nJXmqqNS9FKxgVFkBfceUSNfInTP+xLeQUYJeF
nNZkznPtRyK0AYT4xwa8cAmi1354cyVaBtNK2g7nR5Zj/2lV5dSLsTkop1fRVyrO
raOLpB0FFgg=
=h7Pn
-----END PGP SIGNATURE-----

From firewalls-owner Thu Jul 4 09:19:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06146 for firewalls-outgoing; Thu, 4 Jul 1996 09:10:19 -0700 (PDT)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA06139 for ; Thu, 4 Jul 1996 09:10:13 -0700 (PDT)
From: ken@bridge.com
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id LAA20770; Thu, 4 Jul 1996 11:00:25 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr)
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA20236
Received: (from ken@localhost) by ernie.bridge.com (8.7.5/8.7.3) id LAA04245; Thu, 4 Jul 1996 11:00:45 -0500 (CDT)
Date: Thu, 4 Jul 1996 11:00:45 -0500 (CDT)
Message-Id: <199607041600.LAA04245@ernie.bridge.com>
To: meyerd@Papin.HRZ.Uni-Marburg.DE
Subject: Re: port to process
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From: "D.A. Meyer"
>I'm looking for a tool which shows me the PID of the process which is
>responsible for the offering of a TCP/UDP-port. I think i've seen
>something here on the list but i do not remember the name.

You're looking for "lsof". It's available at http://wuarchive.wustl.edu/packages/security/lsof/ among other places.
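Both replies point Dirk at lsof, which is the right tool. To show what lsof is actually doing when it answers "which PID owns port 2230", here is an added example (not code from any of the messages or from the lsof project) that builds the same port-to-PID table by hand the way it works on Linux: LISTEN sockets and their inode numbers come from `/proc/net/tcp`, and the owning process is whichever `/proc/<pid>/fd/*` link points at `socket:[inode]`. The `/proc/net/tcp` excerpt, the fd table and the PIDs below are constructed (the two ports are the ones from Dirk's netstat output); `live_fd_table()` reads the real `/proc` and only works on Linux, with root needed to see other users' processes.

```python
import os
import socket
import struct

# Constructed excerpt of Linux /proc/net/tcp. Ports 2230 (0x08B6) and 1749
# (0x06D5) are the two Dirk saw; state 0A is LISTEN, 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:08B6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:06D5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:C1A4 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for the readlink() targets under /proc/<pid>/fd; PIDs invented.
SAMPLE_FD_TABLE = {
    4711: ["/dev/null", "socket:[12345]", "/var/log/ftp-gw.log"],
    4712: ["socket:[12346]"],
    4713: ["socket:[12347]"],
}

LISTEN = "0A"


def hex_addr_to_ip(hex_ip):
    """/proc/net/tcp writes IPv4 addresses as 8 hex digits in host byte order
    (little-endian on x86), so decode with '<I' before inet_ntoa."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))


def parse_listeners(proc_net_tcp_text):
    """Return [(port, inode, local_ip)] for every socket in LISTEN state."""
    out = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        out.append((int(port_hex, 16), int(fields[9]), hex_addr_to_ip(ip_hex)))
    return out


def map_inodes_to_pids(fd_table):
    """Invert {pid: [fd link targets]} into {socket inode: pid}."""
    inode_to_pid = {}
    for pid, targets in fd_table.items():
        for t in targets:
            if t.startswith("socket:[") and t.endswith("]"):
                inode_to_pid[int(t[len("socket:["):-1])] = pid
    return inode_to_pid


def listening_ports_to_pids(proc_net_tcp_text, fd_table):
    """{port: (pid or None, local_ip)}: the answer 'lsof -i' gives, by hand.
    A None pid means the socket's owner was not visible in the fd table
    (on a live system, usually a permissions problem)."""
    inode_to_pid = map_inodes_to_pids(fd_table)
    return {port: (inode_to_pid.get(inode), ip)
            for port, inode, ip in parse_listeners(proc_net_tcp_text)}


def live_fd_table():
    """Read the real /proc (Linux only); processes we may not inspect are skipped."""
    table = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join("/proc", pid, "fd")
        try:
            table[int(pid)] = [os.readlink(os.path.join(fd_dir, fd))
                               for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return table


if __name__ == "__main__":
    table = listening_ports_to_pids(SAMPLE_PROC_NET_TCP, SAMPLE_FD_TABLE)
    for port, (pid, ip) in sorted(table.items()):
        print("tcp %s:%d LISTEN pid %s" % (ip, port, pid))
```

To run it against the machine you are sitting at (Linux, as root), replace the two constructed inputs with `open("/proc/net/tcp").read()` and `live_fd_table()`; a port that comes back with pid `None` is the case Dirk is worried about and worth chasing down.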
- KH

From firewalls-owner Thu Jul 4 14:49:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA19734 for firewalls-outgoing; Thu, 4 Jul 1996 14:39:28 -0700 (PDT)
Received: from diane.inforamp.net (Diane.InfoRamp.Net [198.53.144.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA19727 for ; Thu, 4 Jul 1996 14:39:22 -0700 (PDT)
Received: from genel.inforamp.net (mpngate5.ny.us.ibm.com [198.133.29.22]) by diane.inforamp.net (8.7/8.7) with SMTP id RAA29068; Thu, 4 Jul 1996 17:36:39 -0400 (EDT)
Received: by genel.inforamp.net with Microsoft Mail
Message-ID: <01BB69CE.AF2D9480@genel.inforamp.net>
From: Gene Lee
To: "firewalls@GreatCircle.COM"
Subject: RE: OS/2 firewalls?
Date: Thu, 4 Jul 1996 17:31:49 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Check out Netguard at: http://www.netguard.com

FW for both NT and OS/2 platforms.

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

----------
From: Uldis Bojars[SMTP:uldis@lda.gov.lv]
Sent: Wednesday, July 03, 1996 4:21 AM
To: firewalls@GreatCircle.COM
Subject: OS/2 firewalls?

Hi!

I am searching for OS/2 firewalls - are there any? It's very hard to find, but I think there are some. Of course I do not want OS/2 because I want to use firewall as a workstation ;-)

And - if negative - what are good firewalls for freeBSD? Our company is not so big to buy Sun or HP UNiX computer and use it as a firewall.

Uldis

If you learn from mistakes, you will learn a lot today.
--- GoldED/386 3.00.Alpha1+

From firewalls-owner Thu Jul 4 15:19:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA22221 for firewalls-outgoing; Thu, 4 Jul 1996 15:11:53 -0700 (PDT)
Received: from mail.enterprise.net (mail.enterprise.net [194.72.192.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA22214 for ; Thu, 4 Jul 1996 15:11:47 -0700 (PDT)
Received: from escom-p100 (max02-115.enterprise.net [194.72.197.115]) by mail.enterprise.net (8.6.12/8.6.12) with SMTP id XAA04678 for ; Thu, 4 Jul 1996 23:20:10 GMT
Message-Id: <2.2.32.19960704220855.0068c0fc@mail.enterprise.net>
X-Sender: jiffi@mail.enterprise.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 04 Jul 1996 23:08:55 +0100
To: firewalls@greatcircle.com
From: Craig Wood
Subject: Security Policy
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm in the process of putting together a Security Policy for my organisation. This policy will cover firewalls, as well as general network security in a mixed NetWare/IPX and NT/IP environment. I have managed to get hold of NCSA's Firewall Policy Guide, but I was wondering if anyone would point me to any other resources on the Net that would help me. Whilst I appreciate that much of a security policy is organisation specific I'm all in favour of not re-inventing the wheel and utilising general rules as a basis for the policy.

If anyone can help, I'd be most grateful.
Thanks and Regards,

Craig

From firewalls-owner Thu Jul 4 16:19:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA25411 for firewalls-outgoing; Thu, 4 Jul 1996 16:14:30 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [204.227.191.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA25404 for ; Thu, 4 Jul 1996 16:14:25 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [204.227.191.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id QAA00232; Thu, 4 Jul 1996 16:11:33 -0700
Date: Thu, 4 Jul 1996 16:11:33 -0700 (PDT)
From: Robert Hanson
To: Craig Wood
cc: firewalls@GreatCircle.COM
Subject: Re: Security Policy
In-Reply-To: <2.2.32.19960704220855.0068c0fc@mail.enterprise.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Being new to this list... I figured I would offer... www.cert.org, the place I found the reference to this list... I have quite a lot of special hardware and figured it was time to get more into mainstream firewall/filtering procedures for security and reduced router/LAN traffic... thanks

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications www.cet.com (509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Thu, 4 Jul 1996, Craig Wood wrote:

> I'm in the process of putting together a Security Policy for my
> organisation. This policy will cover firewalls, as well as general network
> security in a mixed NetWare/IPX and NT/IP environment. I have managed to
> get hold of NCSA's Firewall Policy Guide, but I was wondering if anyone
> would point me to any other resources on the Net that would help me. Whilst
> I appreciate that much of a security policy is organisation specific I'm all
> in favour of not re-inventing the wheel and utilising general rules as a
> basis for the policy.
>
> If anyone can help, I'd be most grateful.
>
> Thanks and Regards,
>
> Craig
>

From firewalls-owner Thu Jul 4 19:49:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA01892 for firewalls-outgoing; Thu, 4 Jul 1996 19:35:55 -0700 (PDT)
Received: from interlock.mgh.com (interlock.mgh.com [152.159.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA01872 for ; Thu, 4 Jul 1996 19:35:46 -0700 (PDT)
From: dnewman@mcgraw-hill.com
Received: by interlock.mgh.com id AA10017
Message-Id: <199607050233.AA10017@interlock.mgh.com>
Received: by interlock.mgh.com (Protected-side Proxy Mail Agent-1);
Date: Thu, 04 Jul 96 22:03:24 edt
Apparently-To:
Apparently-To:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hi! I am searching for OS/2 firewalls - are there any?

Hi Uldis,

A company called Netguard Ltd. in Israel supposedly does an OS/2-based firewall. I've never seen it, though, so I can't vouch for it. I think Netguard is at http://www.netguard.com

Regards

David Newman

From firewalls-owner Thu Jul 4 22:04:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA10228 for firewalls-outgoing; Thu, 4 Jul 1996 22:01:54 -0700 (PDT)
Received: from nwnexus.wa.com (nwnexus.wa.com [192.135.191.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA10215 for ; Thu, 4 Jul 1996 22:01:44 -0700 (PDT)
Received: by nwnexus.wa.com id AA12704
Received: (from gfm@localhost) by angel.readybox.com (8.6.8/8.6.6) id VAA26650 for firewalls@greatcircle.com; Thu, 4 Jul 1996 21:52:45 -0700
Date: Thu, 4 Jul 1996 21:52:45 -0700
From: Frank McCormick
Message-Id: <199607050452.VAA26650@angel.readybox.com>
To: firewalls@greatcircle.com
Subject: P50 summary
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

Recently in this list, I posted a pair of questions regarding the filtering capabilities of Ascend's Pipeline 50 router.
My questions dealt with how a P50 could be made to recognize and drop source-routed packets. Several of you, including two Ascend employees, were kind enough to respond, both in the list and privately. As is often the case, some answers were partial, while others posed seeming contradictions. No one was actually wrong about anything, but no one seemed to have the whole story, all in one place. In subsequent exchanges with the respondents, I've made an attempt to resolve the competing claims and to come up with a coherent picture of what the P50 actually does. The following is a summary of what I've found. Any residual misstatements, confusions and so on are my fault.

* * *

Source-routed packets and the Ascend P50
----------------------------------------

At this time, all Ascend routers drop all packets with Strict Source Routing enabled. The routers, including the Pipeline 50, detect the presence of this option in their IP-recognition layer, before handing off the packet in question to the filtering rules. Any packet with strict source routing turned on is dropped before any rule has a chance to look at it. Hence, any static rule aimed at identifying strict-source-routed packets is unnecessary.

Several people informed me that this was the case for the P50. More specifically, several people said the P50 dropped "source routed" packets by default. However, no one distinguished between strict source routing and loose source routing. Quite frankly, I still don't know what happens to packets having the Loose Source Routing option turned on. There is no mention of source routing at all in any of my P50 documentation.

As I mentioned in my originally posted query, my calls to Ascend's formal tech support staff weren't all that enlightening. Out-of-band conversations with helpful Ascend guys worked a lot better. Regrettably, though, authoritative documentation on this subject is hard to come by, even within Ascend.
The short version is that P50 owners may or may not be protected automatically from attacks based on Loose Source Routing. I just don't know. Those of you who today believe in your site's safety, based partly on your presumed immunity from such attacks, might want to run a few tests and pester Ascend to document this behavior in some credible and accessible manner.

To be fair, Ascend's design choice -- kill before filtering -- is a reasonable one. By definition, Ascend's static filtering rules are ill equipped to deal sensibly with variable-length option data. Source-routing options can, in practice, show up at differing offsets in the packets, whereas an Ascend-style "generic" filter can look only at fixed locations. Hence, static filters are, in the P50, a bad choice for screening source-routed packets. With "generic" filters, you might catch some naively constructed packets of interest, but there are no guarantees. In order to deal correctly with all option-placement possibilities, you must have a packet handler that understands the underlying IP layout, which generic filters plainly do not.

That's the bad news. The good news is that Ascend has recognized the need for this capability. Ascend Communications has unveiled an add-on security utility for some of their routers, including the Pipeline family, to be called Ascend Secure Access. Secure Access is supposed to be smart about IP options and should, at least in this instance, give me what I was looking for in the first place. (It also does a lot more, including dynamic reconfiguration of filtering, that looks handy. This is not an advertisement. I don't own Ascend stock. I'm just a P50 owner, telling you what I found when I went looking.)

Those of you who tend to lie awake at night, worrying about your P50's filtering rules, might want to have a look at this enhancement. I have no idea what Ascend is going to charge for it.
If any of you come up with a dollar figure, please post it back to this list or drop me a note.

Again, this is not an ad for Ascend, but, in the interests of convenience, here are the relevant contact points, for those of you who are interested:

info@ascend.com
http://www.ascend.com
Tel: +1 (510) 769-6001
Fax: +1 (510) 814-2300
Fax server: +1 (415) 688-4343

Special thanks to Messrs. Brennen, Edguer, Henits and Wong.

If anything I've said here is wrong, please let me know -- I'll correct my errors in the mailing list. A lot of P50 owners are apparently relying on hearsay for ruleset construction (and lack thereof). This is definitely a case of ignorance not being bliss.

Regards,

Frank McCormick

From firewalls-owner Fri Jul 5 00:52:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA16914 for firewalls-outgoing; Fri, 5 Jul 1996 00:33:25 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [204.227.191.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA16873 for ; Fri, 5 Jul 1996 00:33:13 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [204.227.191.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id AAA13567 for ; Fri, 5 Jul 1996 00:30:36 -0700
Date: Fri, 5 Jul 1996 00:30:35 -0700 (PDT)
From: Robert Hanson
To: firewalls@greatcircle.com
Subject: special case ips
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have compact filters for Livingston equipment for

127.0.0.0 - 127.255.255.255
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.16.255.255 and
192.168.0.0 - 192.168.255.255

addresses... apparently these addresses need to be filtered inbound on the gateway... any pointers to FAQs or what have you would be greatly appreciated...

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications www.cet.com (509) 927-9541
finger: info@cet.com or email: roberth@cet.com

From firewalls-owner Fri Jul 5 01:24:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA19830 for firewalls-outgoing; Fri, 5 Jul 1996 01:18:18 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA19777 for ; Fri, 5 Jul 1996 01:18:03 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id KAA04781; Fri, 5 Jul 1996 10:10:41 +0200 (MET DST)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr.apogee-com.fr (4.1/SMI-4.1)
Message-Id: <31DCCE0D.70FC@apogee-com.fr>
Date: Fri, 05 Jul 1996 10:10:53 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02 (Win95; I)
Mime-Version: 1.0
To: Colin Campbell
Cc: Firewalls@GreatCircle.COM
Subject: Re: Integrating Reuters Service thru TIS Toolkit
References: <199607032215.IAA05993@guru.citec.qld.gov.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Colin Campbell wrote:
> I believe they can only do this by supporting transparent proxies and
> that requires kernel hacks which is why Gauntlet (on BSDI only?) supports
> it and the toolkit doesn't. It is in essence nothing more than a router
> filter, restricting access to certain addresses (1.2.3.*).
>
> Colin

You're quite right. The many-to-many feature is only possible for outgoing access with the Gauntlet using the transparency feature. The transparency is available on all platforms, not only BSD/OS.

I won't use the comparison with a router filter since the Gauntlet is a real Application Gateway opening only one client port for a connection (whereas a router filter would allow all >1024 port #).
But you're right to use this comparison to explain the functionality.

Regards,

Jean-Francois

--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications        Tel : +33 (1) 69 85 56 47
Parc Club Universite         Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex            e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Fri Jul 5 01:49:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA22000 for firewalls-outgoing; Fri, 5 Jul 1996 01:33:20 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA21980 for ; Fri, 5 Jul 1996 01:33:03 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id KAA04911; Fri, 5 Jul 1996 10:26:11 +0200 (MET DST)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr.apogee-com.fr (4.1/SMI-4.1)
Message-Id: <31DCD1BA.7A12@apogee-com.fr>
Date: Fri, 05 Jul 1996 10:26:34 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02 (Win95; I)
Mime-Version: 1.0
To: Robert Hanson
Cc: firewalls@greatcircle.com
Subject: Re: special case ips
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

You should read RFC 1918, which deals with those kinds of network addresses.
--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications        Tel : +33 (1) 69 85 56 47
Parc Club Universite         Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex            e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Fri Jul 5 02:04:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA24282 for firewalls-outgoing; Fri, 5 Jul 1996 01:55:46 -0700 (PDT)
Received: from gmap-gw.gmap.leeds.ac.uk (gmap15.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA24273 for ; Fri, 5 Jul 1996 01:55:35 -0700 (PDT)
Received: (from root@localhost) by gmap-gw.gmap.leeds.ac.uk (8.7.3/8.6.9) id IAA16919 for ; Fri, 5 Jul 1996 08:57:38 +0100 (BST)
Received: from gmap3.gmap.leeds.ac.uk(129.11.200.3) by gmap-gw via smap (V1.3)
Received: from gmap.leeds.ac.uk (gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA13342 for ; Fri, 5 Jul 1996 09:53:37 +0100
From: Danny Cox
Date: Fri, 5 Jul 1996 09:52:45 +0100
Message-Id: <19874.9607050852@gmap.leeds.ac.uk>
X-Planation: X-Faces images can be viewed with the XFaces program
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #406
X-Sun-Charset: US-ASCII
X-Face: (:_YnQcTM$q\Nl0.mYy:C'Y|(;&7.2m~Rc%xt

> From: "D.A. Meyer"
> > I'm looking for a tool which shows me the PID of the process which is
> > responsible for the offering of a TCP/UDP-port. I think i've seen
> > something here on the list but i do not remember the name.
>
> You're looking for "lsof". It's available at
> http://wuarchive.wustl.edu/packages/security/lsof/ among other places.

Hmm .. something I'd *very* much like is an extension to 'ps' to inform me which machines a connection came from, so that I could know - for example - which machine is using a given proxy etc .. anyone any ideas?
I suppose I could just about cope with writing one, but there must be something out there..

cheers,

Danny

From firewalls-owner Fri Jul 5 03:04:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA29234 for firewalls-outgoing; Fri, 5 Jul 1996 02:47:14 -0700 (PDT)
Received: from relay4.oleane.net (Relay4.OLEANE.NET [194.2.1.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA29225 for ; Fri, 5 Jul 1996 02:47:01 -0700 (PDT)
Received: from dyn-6.vin.oleane.com (dyn-6.vin.oleane.com [194.2.6.6]) by relay4.oleane.net (8.7.5/8.7.3) with SMTP id LAA15239 for ; Fri, 5 Jul 1996 11:43:21 +0200 (MET DST)
Message-Id: <199607050943.LAA15239@relay4.oleane.net>
X-Sender: fm004@pop.dial.oleane.com (Unverified)
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 05 Jul 1996 11:42:14 +0200
To: Firewalls@GreatCircle.COM
From: Francois Mauchamp
Subject: Re: Integrating Reuters Service thru TIS Toolkit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:10 05/07/1996 +0200, you wrote:
>Colin Campbell wrote:
>
>> I believe they can only do this by supporting transparent proxies and
>> that requires kernel hacks which is why Gauntlet (on BSDI only?) supports
>> it and the toolkit doesn't. It is in essence nothing more than a router
>> filter, restricting access to certain addresses (1.2.3.*).
>>
>> Colin
>
>You're quite right. The many-to-many feature is only possible for
>outgoing access with the Gauntlet using the transparency feature.
>The transparency is available on all platforms, not only BSD/OS.
>
>I won't use the comparison with a router filter since the Gauntlet
>is a real Application Gateway

Right but ...

> opening only one client port for
>a connection (whereas a router filter would allow all >1024 port #).

...IMHO, this is not the reason (but others) why we can say Gauntlet is an Application Gateway.
Has it something to do with semantic analysis of protocols that are proxied ? :-)

>But you're right to use this comparison to explain the functionality.
>
>Regards,
>
>Jean-Francois
>

Best regards,

Francois.

From firewalls-owner Fri Jul 5 04:19:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA02776 for firewalls-outgoing; Fri, 5 Jul 1996 04:11:40 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA02768 for ; Fri, 5 Jul 1996 04:11:26 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id NAA06407; Fri, 5 Jul 1996 13:04:40 +0200 (MET DST)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr.apogee-com.fr (4.1/SMI-4.1)
Message-Id: <31DCF6F5.3984@apogee-com.fr>
Date: Fri, 05 Jul 1996 13:05:25 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02 (Win95; I)
Mime-Version: 1.0
To: Francois Mauchamp
Cc: Firewalls@GreatCircle.COM
Subject: Re: Integrating Reuters Service thru TIS Toolkit
References: <199607050943.LAA15239@relay4.oleane.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Francois Mauchamp wrote:
>
> Right but ...
>
> > opening only one client port for
> >a connection (whereas a router filter would allow all >1024 port #).
>
> ...IMHO, this is not the reason (but others) why we can say Gauntlet is an
> Application Gateway.
> Has it something to do with semantic analysis of protocols that are proxied ? :-)
>

yup :^) But plug-gw does not analyse the protocol it relays! It just takes packets from one socket and puts them in the other socket.
Quite frankly, I just wanted to point out one aspect... I did not want to write a paper on the whole stuff :)

Regards

--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications        Tel : +33 (1) 69 85 56 47
Parc Club Universite         Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex            e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Fri Jul 5 06:34:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA08426 for firewalls-outgoing; Fri, 5 Jul 1996 06:31:24 -0700 (PDT)
Received: from ACML.COM ([206.218.249.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA08400 for ; Fri, 5 Jul 1996 06:31:16 -0700 (PDT)
Received: from smtpngw.acml.com by ACML.COM (SMI-8.6/SMI-SVR4)
Received: by smtpngw.acml.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA1236; Fri, 05 Jul 96 09:28:55 -0400
Message-Id: <9607051328.AA1236@smtpngw.acml.com>
Received: from ACML with "Lotus Notes Mail Gateway for SMTP" id
To: Firewalls-Digest
Cc: firewalls-digest
From: Rey.LeClerc/New.York/ACMC
Date: 5 Jul 96 9:24:06
Subject: Re: Firewalls-Digest V5 #404
X-Lotus-Type: Reply to _All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am doing some research regarding SWIFT. Are there any security issues regarding this product?

Thanks in advance for your input.
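An added example (my own code, not from the list, from Ascend or from Livingston) that ties together Frank McCormick's P50 summary and the "special case ips" thread above: an IP-aware inbound screen that walks the IPv4 options field so a Loose or Strict Source Route option is found wherever it sits (the fixed-offset problem Frank describes), and that drops packets whose source address is loopback or RFC 1918 space (the ranges Robert Hanson asked about; RFC 1918 defines 172.16/12, which covers the 172.16/16 block he listed). The packets are constructed inline from documentation address ranges.

```python
"""IP-aware inbound screen for source-route options and bogon sources.

Added example for the firewalls list discussion; the packets below are
built by hand for illustration and do not come from any real capture.
"""
import ipaddress
import struct

# IPv4 option type octets from RFC 791
OPT_EOOL = 0    # end of option list
OPT_NOP = 1     # no operation (one-octet padding)
OPT_LSRR = 131  # loose source and record route
OPT_SSRR = 137  # strict source and record route

# Source addresses that should never arrive from the outside.
# RFC 1918 defines 172.16/12, which covers the 172.16/16 block asked about.
INBOUND_BOGON_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
]


def parse_ipv4_options(packet):
    """Walk the IPv4 options area and return [(offset, option_type), ...].

    Raises ValueError on a malformed header or option; a filter should
    treat that as a drop rather than guess.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or header length")
    options = []
    pos = 20
    while pos < ihl:
        opt_type = packet[pos]
        if opt_type == OPT_EOOL:
            break
        if opt_type == OPT_NOP:          # single octet, no length field
            options.append((pos, opt_type))
            pos += 1
            continue
        if pos + 1 >= ihl:
            raise ValueError("option missing length octet")
        opt_len = packet[pos + 1]
        if opt_len < 2 or pos + opt_len > ihl:
            raise ValueError("bad option length")
        options.append((pos, opt_type))
        pos += opt_len                   # next option starts after this one
    return options


def screen_inbound(packet):
    """Return (verdict, reason) for a packet arriving from the outside."""
    try:
        options = parse_ipv4_options(packet)
    except ValueError as exc:
        return ("drop", "malformed: %s" % exc)
    # Source-route options are found by walking, not by fixed offset.
    for offset, opt_type in options:
        if opt_type in (OPT_LSRR, OPT_SSRR):
            name = "LSRR" if opt_type == OPT_LSRR else "SSRR"
            return ("drop", "%s option at header offset %d" % (name, offset))
    src = ipaddress.ip_address(packet[12:16])
    for net in INBOUND_BOGON_SOURCES:
        if src in net:
            return ("drop", "source %s in %s" % (src, net))
    return ("accept", "no source route option, public source address")


def build_ipv4(src, dst, options=b""):
    """Build a minimal IPv4 header (no payload) carrying the given options."""
    opts = options
    while len(opts) % 4:                 # options area is padded to 32 bits
        opts += bytes([OPT_EOOL])
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, 20 + len(opts), 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + opts


if __name__ == "__main__":
    # SSRR/LSRR option: type, length 7, pointer 4, one hop address
    ssrr = bytes([OPT_SSRR, 7, 4]) + ipaddress.ip_address("10.1.1.1").packed
    lsrr = bytes([OPT_LSRR, 7, 4]) + ipaddress.ip_address("10.1.1.1").packed
    samples = {
        "plain": build_ipv4("198.51.100.7", "192.0.2.10"),
        "ssrr at offset 20": build_ipv4("198.51.100.7", "192.0.2.10", ssrr),
        "lsrr behind a NOP": build_ipv4("198.51.100.7", "192.0.2.10",
                                        bytes([OPT_NOP]) + lsrr),
        "private source": build_ipv4("10.0.0.5", "192.0.2.10"),
    }
    for label, pkt in samples.items():
        print("%-20s %s" % (label, screen_inbound(pkt)))
```

The NOP-prefixed case is the one a fixed-offset "generic" filter misses: the LSRR option moves from offset 20 to 21 while the packet stays perfectly valid.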
From firewalls-owner Fri Jul 5 07:04:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09705 for firewalls-outgoing; Fri, 5 Jul 1996 07:00:30 -0700 (PDT)
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA09696 for ; Fri, 5 Jul 1996 07:00:20 -0700 (PDT)
Received: from netevolve.com by relay1.UU.NET with SMTP
Received: from lazar by netevolve.com (4.1/SMI-4.1)
Message-Id: <9607051400.AA04977@netevolve.com>
Comments: Authenticated sender is
From: "Irwin Lazar"
Organization: Network Evolutions
To: firewalls@greatcircle.com
Date: Fri, 5 Jul 1996 09:58:09 +0000
Subject: Cisco IP Filters
Reply-To: lazar@netevolve.com
X-Mailer: Pegasus Mail for Windows (v2.23)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could someone please point me to some good references on the web relating to implementing IP Access Lists on Cisco routers.

Thanks.

Irwin M. Lazar
Network Evolutions, Inc.
lazar@netevolve.com
http://www.netevolve.com

From firewalls-owner Fri Jul 5 07:19:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09956 for firewalls-outgoing; Fri, 5 Jul 1996 07:03:46 -0700 (PDT)
Received: from relay1.oleane.net (NS.OLEANE.NET [194.2.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA09920 for ; Fri, 5 Jul 1996 07:03:18 -0700 (PDT)
Received: from bo-corp (bo-corp.businessobjects.com [194.2.72.3]) by relay1.oleane.net (8.6.10/8.6.9) with SMTP id QAA25247 for ; Fri, 5 Jul 1996 16:00:24 +0200
Received: from gtw-smtp.businessobjects.com by bo-corp (5.x/SMI-SVR4)
Received: from cc:Mail by gtw-smtp.businessobjects.com
Date: Fri, 05 Jul 96 16:04:22 WET
From: "Eddy JAFFRENNOU"
Message-Id: <9606058366.AA836607904@gtw-smtp.businessobjects.com>
To: firewalls@GreatCircle.com
Subject: NAT and DNS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just a little question.
Is it necessary, with the NAT technology, to duplicate the DNS server?

Thanks all.

Eddy JAFFRENNOU

From firewalls-owner Fri Jul 5 08:04:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14273 for firewalls-outgoing; Fri, 5 Jul 1996 07:52:58 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA14255 for ; Fri, 5 Jul 1996 07:52:50 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id JAA16496; Fri, 5 Jul 1996 09:50:06 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA29762; Fri, 5 Jul 1996 09:43:07 -0500
Received: by sonic.nmti.com; id AA16714; Fri, 5 Jul 1996 09:43:06 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9607051443.AA16714@sonic.nmti.com.nmti.com>
Subject: Re: NetworkMCI Webmaker
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Fri, 5 Jul 1996 09:43:06 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <01BB691B.1D403040@rwcooper.rc.toronto.on.ca> from "Russ" at Jul 3, 96 08:06:24 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Re: http://www.webmaker.mci.com/webmaker/features/secbrf.htm

Well well well:

> Netscape server - this user account only allows the Netscape Communication
> Server process to log into NT as a service. Logging in as a service allows
> the networkMCI WebMaker to control all accesses of the process. Since no
> external log in is permitted for this service, password guessing is not an
> option. Netscape permissions narrows the total resources available to
> Netscape to those in the Netscape directory on the C:\ drive.

Haven't there been a couple of reports about major CGI holes in the Netscape server?
Doesn't that make the lack of password guessing a moot point? All you need to do is get one DLL in there and you can proxy anything you want through to the internal net... and they've helpfully told us port 443 is available for that purpose.

> 443 - TCP Secure Http (not supported in networkMCI WebMaker 1.0)

And they end with:

> While achieving 100% security is not practical, it is important to
> match desired access security with the value of the resources being
> protected. networkMCI WebMaker's firewall security system meets, or
> exceeds the security requirements of most small to medium sized
> businesses.

Anyone remember the parable of the widow's mite?

From firewalls-owner Fri Jul 5 09:34:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA19068 for firewalls-outgoing; Fri, 5 Jul 1996 09:26:42 -0700 (PDT)
Received: from cohiba.predictive.com (cohiba.predictive.com [204.243.240.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA19045 for ; Fri, 5 Jul 1996 09:26:34 -0700 (PDT)
Received: from rachel.predictive.com (shema.planet.net [198.69.1.42]) by cohiba.predictive.com (8.6.11/8.6.12) with SMTP id LAA09551 for ; Fri, 5 Jul 1996 11:37:37 -0400
Message-ID: <31DD1AE3.6AD4@pobox.com>
Date: Fri, 05 Jul 1996 09:38:43 -0400
From: Rachel Rosencrantz
Reply-To: rachelr@pobox.com
Organization: Predictive Systems
X-Mailer: Mozilla 3.0b4 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Active X and plugins (And the MSN Explorer)
References: <199607040036.RAA15304@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I haven't really been reading up on the MSN Explorer but just the other day I overheard someone say that the latest downloads plug-ins and installs them automatically. Is there a way to disable this or is this a permanent feature of the browser? Is this the default setting?
I know that users can and do download plug-ins and install them, but unless there is something in the MSN security model that I'm unaware of, it seems like this would be a great way to stick some really unpleasant code on a lot of random machines without people necessarily knowing they've done it. (Check out this cool page with -put the most popular words here- and see the latest blah... Put something on the page that requires your plugin, and voila, instant mods on their browser.)

What kind of security does the MS Explorer browser have to prevent vicious plug-ins?

-Rachel

From firewalls-owner Fri Jul 5 09:53:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA19789 for firewalls-outgoing; Fri, 5 Jul 1996 09:43:42 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA19771 for ; Fri, 5 Jul 1996 09:43:33 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id SAA15979; Fri, 5 Jul 1996 18:41:20 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9607051639.AA15570@tidtest.total.fr>
To: lazar@netevolve.com
Cc: firewalls@greatcircle.com
Subject: Re: Cisco IP Filters
In-Reply-To: Your message of "Fri, 05 Jul 1996 09:58:09 -0000."
X-Cuse: "The dog ate my network"
Date: Fri, 05 Jul 1996 18:39:46 +0100
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <9607051400.AA04977@netevolve.com>, "Irwin Lazar" writes:
> Could someone please point me to some good references on the web
> relating to implementing IP Access Lists on Cisco routers.
>

http://www.cisco.com/, "Technical tips" (under the heading "Technical assistance"). Not sure whether you can access it without a maintenance contract.
If you can't, try cisco@spot.colorado.edu, but chances are they will point you to their web server :-(

Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Fri Jul 5 10:19:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA21275 for firewalls-outgoing; Fri, 5 Jul 1996 10:04:31 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA21232 for ; Fri, 5 Jul 1996 10:04:20 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id TAA16129; Fri, 5 Jul 1996 19:02:20 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9607051700.AA15795@tidtest.total.fr>
To: "Eddy JAFFRENNOU"
Cc: firewalls@greatcircle.com
Subject: Re: NAT and DNS
In-Reply-To: Your message of "Fri, 05 Jul 1996 16:04:22 +0700."
X-Cuse: "The dog ate my network"
Date: Fri, 05 Jul 1996 19:00:51 +0100
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <9606058366.AA836607904@gtw-smtp.businessobjects.com>, "Eddy JAFFRENNOU" writes:
> Just a little question.
>
> Is it necessary, with the NAT technology, to duplicate the DNS
> serveur?
>

Not quite sure what you have in mind, but I'll answer anyway :-)

Your clients behind the NAT box don't need a split DNS, they should work the same wrt DNS with or without a NAT box.

The machines, if any, sitting between the NAT box and the Internet (eg, WEB server accessible from outside) don't need it either, provided the NAT box can be configured to pass untouched the address of your DNS server(s) (assuming they're behind the NAT box).
The only reason I can think of why you would need a split DNS is when accessing outside servers that do an address-to-name check a la wu-ftpd, in which case you would need a NAT-aware DNS server, presumably part of the NAT box itself, but even then, I don't think you would need another DNS server on top of that, except maybe for performance reasons.

HTH

Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Fri Jul 5 10:49:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA25467 for firewalls-outgoing; Fri, 5 Jul 1996 10:46:22 -0700 (PDT)
Received: from internet (internet.dswnet.com [206.214.66.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA25439 for ; Fri, 5 Jul 1996 10:46:12 -0700 (PDT)
Received: from ntraptor (boni) by internet (5.x/SMI-SVR4)
Message-Id: <31DD544C.47BB@dswnet.com>
Date: Fri, 05 Jul 1996 10:43:40 -0700
From: Boni Bruno - Director of Internet Services & Security
Organization: Data Systems West
X-Mailer: Mozilla 3.0B2 (WinNT; I)
Mime-Version: 1.0
To: Firewalls@GreatCircle.COM
Cc: mbai@straticom.com
Subject: Re: Firewalls-Digest V5 #393
References: <199606271821.LAA25335@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 27 Jun 1996 09:06:16 -0400
> From: Mario Bai
> Subject: Re: IP address for Enterprises use
>
> >Robert Bonomi wrote:
> > + Dear All,
> > +
> > + Who can tell me where I can find the RFC document about Enterprises IP address.
> > +
> > + In order to avoid conflicting with Internet IP address. Our Company will use some IP address matching RFC definition.
> > +
> > + If anybody know the solution, please let me know where I can get such document.
> > +
> >
> > use the class A address 10.0.0.0 netmask 255.0.0.0 this is safe.
> >
> What is the potential problems introduced when using "bogus" or reserved
> IP address behind a firewall/proxy server? I know that the proxy server
> should translate all internal IP addresses and only present its own IP
> address to the Internet (or receiving server), but if you have
> implemented solely an HTTP proxy server and sophisticated IP filtering
> on a Cisco router, what are the potential problems that could arise? Are
> there any circumstances where the internal IP address would "leak" out
> onto the Internet and cause problems?
>
> tia,

You can find RFC 1918 at http://andrew2.andrew.cmu.edu/rfc/rfc1918.html, which obsoletes RFC 1627, 1597 on address allocation for private internets.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Boni D. Bruno, Director of Internet Services - x225
818-883-9800 (FAX)883-4604
Data Systems West
21101 Oxnard Street              bbruno@dswnet.com
Woodland Hills, CA 91367         http://www.dswnet.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri Jul 5 12:34:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA01144 for firewalls-outgoing; Fri, 5 Jul 1996 12:26:51 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA01135 for ; Fri, 5 Jul 1996 12:26:45 -0700 (PDT)
Received: by hidata.com; id AA26901; Fri, 5 Jul 96 12:24:09 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Fri, 5 Jul 1996 12:23:44 -0700
Message-Id: <199607051923.MAA08347@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Secure Virtual Intranets
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What
are the most widely used methods to create Secure HTTP/FTP Intranets over the Internet? I can think of just a few off the top of my head:

1. Encrypted PC-Firewall links.
   a. Webserver must be inside firewall, guests must also pass through firewall.
   b. You must pay for/install/support encryption software.
   c. Complete (IP) protocol stack encryption/access.

2. Certificates on browser and server.
   a. Webserver can be outside firewall.
   b. No (additional) cost/support for client software.
   c. Security is based on physical browser, not user.
   d. Certificates must be requested from Verisign/RSA, or private certificates created via Xcert software (http://www.xcert.com/).

3. HTTPS.
   a. Webserver can be outside firewall.
   b. No (additional) cost/support for client software.
   c. Intranet Username/Password authentication managed separately from network authentication.
   d. Multiple Intranet servers also managed separately.

Bill Stout

<=======10========20========30========40========50========60========70========80
William B. Stout       | Major revelations:
Senior Systems Admin   | "All objects are part of a larger object."
Hitachi Data Systems   | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers  | "The secret of life: To be involved with 'creation'."
408-970-4822           | Infowar, Cyber-war, yes, 'they' are out to get you...
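The question earlier in this digest about RFC 1918 addresses behind an HTTP proxy and a filtering router (can an internal address "leak" out onto the Internet?) has a practical answer: the router keeps private addresses out of IP headers, but nothing keeps them out of the data that gets routed, and mail headers are the usual leak. Every "Received:" line in this digest records the previous hop's name and address; a gateway that relays mail from an internal host writes that host's private address into a header the outside world reads. The Python below is an added example, not code from any message in the thread; the header sample is constructed and its hostnames and addresses are made up. It flags RFC 1918 addresses in a header block and shows the rewrite an outbound mail gateway could apply (dropping the Received: lines that mention internal hosts) so the internal topology is not published.

```python
import ipaddress
import re

# RFC 1918 private address blocks.  Packets carrying these addresses must
# not be routed on the public Internet, but nothing stops them from being
# written *into* data that is routed: mail headers, HTTP headers, FTP PORT
# commands.  The check below is deliberately on RFC 1918 membership rather
# than ipaddress's is_private, which also covers other special ranges.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Four dotted octets with word boundaries, so "8.7.5/8.7.3" does not match.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rfc1918(text):
    """True if text is a dotted quad inside one of the RFC 1918 blocks."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:          # e.g. "999.1.1.1" looks like an address but is not one
        return False
    return any(addr in net for net in RFC1918_NETS)


def find_private_addresses(text):
    """Return the distinct RFC 1918 addresses that appear in text, in order."""
    found = []
    for m in IPV4_RE.finditer(text):
        ip = m.group(1)
        if is_rfc1918(ip) and ip not in found:
            found.append(ip)
    return found


def scrub_received(headers):
    """Drop Received: lines that carry an internal address.

    This is the rewrite an outbound gateway would apply before relaying.
    Header lines are assumed to be unfolded (one Received: per line);
    a real gateway would unfold them first.
    """
    kept = []
    for line in headers.splitlines():
        if line.startswith("Received:") and find_private_addresses(line):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if headers.endswith("\n") else "")


# Constructed sample, not real traffic: a message that left an internal
# host, passed the site gateway and arrived at an outside relay.  The
# second Received: line is where the internal address escapes.
SAMPLE_HEADERS = (
    "Received: from gw.example.net (gw.example.net [192.0.2.10])"
    " by relay.example.org with ESMTP id AAA00001\n"
    "Received: from pc17.corp.example.net (pc17 [10.1.7.42])"
    " by gw.example.net with SMTP id BBB00002\n"
    "Message-Id: <199607051923.BBB00002@pc17.corp.example.net>\n"
    "From: someone@example.net\n"
)

if __name__ == "__main__":
    print("leaked:", find_private_addresses(SAMPLE_HEADERS))
    print(scrub_received(SAMPLE_HEADERS))
```

Note that the Message-Id still names the internal host after scrubbing; dropping Received: lines closes the address leak, not the hostname leak, which is the split-DNS point made at the top of this digest. The same pattern applies to anything that carries addresses in its payload, such as FTP PORT commands.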
--------------------------------------------------------------------------------

From firewalls-owner Fri Jul 5 13:04:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA02289 for firewalls-outgoing; Fri, 5 Jul 1996 12:51:30 -0700 (PDT) Received: from dartvax.dartmouth.edu (dartvax.dartmouth.edu [129.170.16.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA02276 for ; Fri, 5 Jul 1996 12:51:21 -0700 (PDT) Received: from hanover.VALLEY.NET (hanover.valley.net [198.115.160.10]) by dartvax.dartmouth.edu (8.7.5.1+DND/8.7.3) with SMTP id PAA09900 for ; Fri, 5 Jul 1996 15:48:40 -0400 (EDT) Received: by hanover.VALLEY.NET (blitz.valley.net) via SMTP from v2-p-110.valley.net id <1276703> 05 Jul 96 15:48:37 EDT Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 5 Jul 1996 15:54:47 -0500 To: Firewalls@GreatCircle.COM From: randy.witlicki@valley.net (Randy Witlicki) Subject: RE: OS/2 firewalls? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Check out Netguard at:
>
> http://www.netguard.com
>
> FW for both NT and OS/2 platforms.

Yikes! I just looked at their web page and the slogan there is:

"The Foolproof Internet Firewall System"

Take a deep breath and chant after me:

Computer Security is not Software.
Computer Security is not Hardware.
Computer Security is Wetware.

ObStory: I just finished up a System Admin contract and the management there asked "Before you leave, could you do a write-up of all the things you do, in case something goes wrong."
- Randy randy.witlicki@valley.net

From firewalls-owner Fri Jul 5 13:34:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA04630 for firewalls-outgoing; Fri, 5 Jul 1996 13:20:56 -0700 (PDT) Received: from tigre.dc.ufscar.br ([200.9.84.141]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA04539 for ; Fri, 5 Jul 1996 13:19:52 -0700 (PDT) Received: (from reis@localhost) by tigre.dc.ufscar.br (8.6.12/8.6.12) id RAA18067; Fri, 5 Jul 1996 17:17:52 -0300 Date: Fri, 5 Jul 1996 17:17:50 -0300 (EST) From: Christian Robottom Reis To: firewalls@greatcircle.com Subject: Novell 4.1 Router Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hey,

Does anyone know of a way to filter out local IP numbers coming from the external network through a Novell 4.1 gateway using the plain IP routing software included with NetWare 4.1? You can set up packet filtering with FILTCFG.NLM, but it doesn't differentiate between incoming and outgoing packets, and just bases itself on pure IP addresses (i.e. block packets from IP address X to IP address Y on port Z).

Thanx,
C.
___________________________________________________________________________
So what? reis@dc.ufscar.br

From firewalls-owner Fri Jul 5 14:34:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA10969 for firewalls-outgoing; Fri, 5 Jul 1996 14:30:24 -0700 (PDT) Received: from ram-exch-nm1.ramstein.af.mil (ws130032.ramstein.af.mil [132.25.130.32]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA10953 for ; Fri, 5 Jul 1996 14:30:17 -0700 (PDT) Received: by ram-exch-nm1.ramstein.af.mil with Microsoft Exchange (IMC 4.0.837.3) Message-ID: From: Crocker Sean SSgt 786CS/SCBM To: "'Firewalls@GreatCircle.COM'" Subject: Possible TACACS vulnerabilities?
Date: Fri, 5 Jul 1996 23:31:20 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

Does anyone know of any particular vulnerabilities with any of the TACACS flavors, besides the overt differences of cleartext versus encrypted authentication? In particular, how about port 65 for TACACS database service?

TIA
----------------------------------------------
SSgt Sean S. Crocker
Network Manager
Ramstein AB GE
sean.crocker@ramstein.af.mil
TEL: (49) 6371-47-6723 DSN: 480-6723

From firewalls-owner Fri Jul 5 17:34:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18438 for firewalls-outgoing; Fri, 5 Jul 1996 17:20:34 -0700 (PDT) Received: from norway.it.earthlink.net (norway-f.it.earthlink.net [206.85.92.49]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA18424 for ; Fri, 5 Jul 1996 17:20:28 -0700 (PDT) Received: from 153.37.101.40 (pool040.Max4.San-Francisco.CA.DYNIP.ALTER.NET [153.37.101.40]) by norway.it.earthlink.net (8.7.5/8.7.3) with SMTP id UAA06952; Fri, 5 Jul 1996 20:14:17 -0400 (EDT) Message-ID: <31DDB05D.686F@earthlink.net> Date: Fri, 05 Jul 1996 17:16:28 -0700 From: "Todd Glassey, Consultant" Reply-To: tglassey@earthlink.net X-Mailer: Mozilla 3.0b5Gold (Macintosh; I; 68K) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM CC: Bill Stout Subject: Re: Secure Virtual Intranets References: <199607051923.MAA08347@osc.osc.hidata.com> Content-Type: text/plain; charset=iso-2022-jp Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

IMHO Bill is generally right. I have some specific commentary, but like the idea of keeping the "authenticated" services inside the local FW so that traffic to and from them can be simply encrypted as part of a VPN architecture... As to the CA issues, hell, X.509 and its competitors are simple enough, roll your own for internal uses!
Bill Stout wrote:
>
> What are the most widely used methods to create Secure HTTP/FTP
> Intranets over the Internet?
>
> I can think of just a few off the top of my head:
>
> 1. Encrypted PC-Firewall links.
>    a. Webserver must be inside firewall, guests must also
>       pass through firewall.
>    b. You must pay for/install/support encryption software.
>    c. Complete (IP) protocol stack encryption/access.

Use any of the commercial VPN based firewalls (SunScreen, Checkpoint, Raptor, Netcheck, etc...).

>
> 2. Certificates on browser and server.
>    a. Webserver can be outside firewall.

I disagree. If the traffic from the Web Server is destined for sites "a la Intranet" it is much better to have this facility inside the firewall. Otherwise the Web server must have some sense of encryption or security services additional to its own functionality.

>    b. No (additional) cost/support for client software

Possibly true, unless SKIP or some other layered security approach is used, since this would mean an extra plug-in or layer particular to the specific implementation.

>    c. Security is based on physical browser, not user.

Yes, sort of.

>    d. Certificates must be requested from Verisign/RSA, or
>       private certificates created via Xcert software
>       (http://www.xcert.com/).

Not true of "Intranet" sites. Since the certificates are only to be used inside the Known Computing Base (or "internal" topology), this is one of the many instances where it makes sense to run a Mini C.A. for one's own purposes.

>
> 3. HTTPS.
>    a. Webserver can be outside firewall.
>    b. No (additional) cost/support for client software
>    c. Intranet Username/Password authentication managed
>       separately from network authentication.
>    d. Multiple Intranet servers also managed separately.
>

Not clean enough, IMHO. The overall "Security Paradigm" used should be a part of a networking operations plan. Thus to keep the external point of contact as homogeneous as possible is more cost effective from an ops standpoint.
> Bill Stout > <=======10========20========30========40========50========60======== ---- SNIP ---- -- This email is from:: ------------------ Todd S. Glassey, Consultant (415) 324-4318 Email: tglassey@earthlink.com From firewalls-owner Fri Jul 5 21:05:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA27235 for firewalls-outgoing; Fri, 5 Jul 1996 21:02:29 -0700 (PDT) Received: from dollar.firstpac.com.au (firstpac.com.au [203.61.7.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA27194 for ; Fri, 5 Jul 1996 21:02:15 -0700 (PDT) Received: from shekel.firstpac.com.au (shekel [203.61.14.12]) by dollar.firstpac.com.au (8.7.5/firstpac/0.99) with ESMTP id NAA21670; Sat, 6 Jul 1996 13:57:14 +1000 (EST) Received: (from matt@localhost) by shekel.firstpac.com.au (8.7.2/8.7.2/firstpac) id NAA00873; Sat, 6 Jul 1996 13:59:49 +1000 (EST) Message-Id: <199607060359.NAA00873@shekel.firstpac.com.au> Subject: Re: P50 summary To: gfm@readybox.com (Frank McCormick) Date: Sat, 6 Jul 1996 13:59:48 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199607050452.VAA26650@angel.readybox.com> from "Frank McCormick" at Jul 4, 96 09:52:45 pm X-Ph: ph: +61 2 394 4320 fax: +61 2 394 4398 home: +61 2 9929 0717 X-Pgp: pub 2047/DFA91FA1 1996/05/01 Matthew Keenan X-Pgp: Key fingerprint = 36 09 88 84 FA 11 82 82 D7 E7 B8 23 6E B0 22 BB From: Matthew Keenan X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank McCormick wrote this... [snip] > Source-routed packets and the Ascend P50 > ---------------------------------------- [snip] > To be fair, Ascend's design choice -- kill before filtering -- is a > reasonable one. By definition, Ascend's static filtering rules are > ill equipped to deal sensibly with variable-length option data. 
> Source-routing options can, in practice, show up at differing
> offsets in the packets, whereas an Ascend-style "generic" filter can
> look only at fixed locations.

Ahh, so then you could turn on something like IP record route and your filter wouldn't work anymore (because the offsets are all "wrong")? Does someone have the tools/time to test this?

Matt
--
Matthew Keenan
Network Administrator
First Pacific Stockbrokers
Sydney, Australia

From firewalls-owner Sat Jul 6 00:49:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA07454 for firewalls-outgoing; Sat, 6 Jul 1996 00:27:44 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id AAA07446 for firewalls@greatcircle.com; Sat, 6 Jul 1996 00:27:41 -0700 (PDT) Received: from dagon.megatoon.com (dagon.megatoon.com [205.205.31.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA17291 for ; Wed, 3 Jul 1996 11:13:12 -0700 (PDT) Received: from line108.megatoon.com (line108.megatoon.com [205.205.31.108]) by dagon.megatoon.com (8.6.12/8.6.12) with SMTP id OAA14207 for ; Wed, 3 Jul 1996 14:10:28 -0400 Message-ID: <31DAE11F.54B3@mat.ulaval.ca> Date: Wed, 03 Jul 1996 14:07:43 -0700 From: Martin Blouin X-Mailer: Mozilla 3.0b5Gold (Win16; I) MIME-Version: 1.0 To: Firewalls@greatcircle.com Subject: Help me (DHCP) Dynamic host configuration protocol Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please help me with the following questions:

- Is DHCP safe to use with the Internet and my network?
- If so, what is the security level?
- If I use DHCP, do I need a firewall to secure my network?
Note: I think I will use Netware/IP.

Thanks,
Martin Blouin

From firewalls-owner Sat Jul 6 02:49:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA16467 for firewalls-outgoing; Sat, 6 Jul 1996 02:36:58 -0700 (PDT) Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA16419 for ; Sat, 6 Jul 1996 02:36:37 -0700 (PDT) From: sameer@wiproge.med.ge.com Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id EAA21941; Sat, 6 Jul 1996 04:32:07 -0500 Received: from wiproge.med.ge.com (jogin [3.70.200.53]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id EAA18948; Sat, 6 Jul 1996 04:34:14 -0500 Received: from everest.wiproge.med.ge.com (nilgiri) by wiproge.med.ge.com (4.1/SMI-4.1) Received: by wiproge.med.ge.com (5.0/SMI-SVR4) Date: Sat, 6 Jul 1996 15:08:28 +0500 Message-Id: <9607062008.AA24102@wiproge.med.ge.com> To: Firewalls@greatcircle.com, mblouin@mat.ulaval.ca Subject: Re: Help me (DHCP) Dynamic host configuration protocol X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Martin,

Correct me if I am wrong but.... DHCP is a host naming protocol basically used so that you can dynamically change IP addresses for your internal network and not need to update the hosts database. It has no security mechanism inbuilt for the web and so I think you will need a firewall to secure your network...

...sam

*SAM*From firewalls-owner@GreatCircle.COM Sat Jul 6 13:56:30 1996
*SAM*Date: Wed, 03 Jul 1996 14:07:43 -0700
*SAM*From: Martin Blouin
*SAM*Mime-Version: 1.0
*SAM*To: Firewalls@greatcircle.com
*SAM*Subject: Help me (DHCP) Dynamic host configuration protocol
*SAM*Content-Transfer-Encoding: 7bit
*SAM*
*SAM*Please help me with the following questions:
*SAM*
*SAM* - Is DHCP safe to use with the Internet and my network?
*SAM* - If so, what is the security level?
*SAM* - If I use DHCP, do I need a firewall to secure my network?
*SAM*
*SAM*Note: I think I will use Netware/IP.
*SAM*
*SAM*Thanks
*SAM*
*SAM* Martin Blouin
*SAM*

From firewalls-owner Sat Jul 6 09:34:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29250 for firewalls-outgoing; Sat, 6 Jul 1996 09:29:26 -0700 (PDT) Received: from interlock.mgh.com (interlock.mgh.com [152.159.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29243 for ; Sat, 6 Jul 1996 09:29:20 -0700 (PDT) From: dnewman@mcgraw-hill.com Received: by interlock.mgh.com id AA07751 Message-Id: <199607061626.AA07751@interlock.mgh.com> Received: by interlock.mgh.com (Protected-side Proxy Mail Agent-1); Date: Sat, 06 Jul 96 12:19:36 edt To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Actually, I'm not even sure their firewall really runs on OS/2. The Web page talks about OS/2 agents, which makes me wonder if it's really an NT firewall with a Socks-like client for OS/2. Has anyone actually touched Netguard's OS/2 code?

dn

>Date: Fri, 5 Jul 1996 15:54:47 -0500
>From: randy.witlicki@valley.net (Randy Witlicki)
>Subject: RE: OS/2 firewalls?
>> Check out Netguard at:
>>
>> http://www.netguard.com
>>
>> FW for both NT and OS/2 platforms.
> Yikes! I just looked at their web page and the
>slogan there is:
> "The Foolproof Internet Firewall System"
> Take a deep breath and chant after me:
> Computer Security is not Software.
> Computer Security is not Hardware.
> Computer Security is Wetware.
>ObStory: I just finished up a System Admin contract and the
>management there asked "Before you leave, could you do a
>write-up of all the things you do, in case something goes wrong."
- - Randy randy.witlicki@valley.net

From firewalls-owner Sat Jul 6 09:49:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29225 for firewalls-outgoing; Sat, 6 Jul 1996 09:27:34 -0700 (PDT) Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.DE [193.141.169.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29218 for ; Sat, 6 Jul 1996 09:27:27 -0700 (PDT) Received: (from smap@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id SAA21959; Sat, 6 Jul 1996 18:24:51 +0200 Received: from auryn.genua.de(192.109.217.42) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3) Received: from auryn.genua.de (localhost [127.0.0.1]) by auryn.genua.de (8.7.4/8.7.3) with ESMTP id SAA06359; Sat, 6 Jul 1996 18:24:42 +0200 (MET DST) Message-Id: <199607061624.SAA06359@auryn.genua.de> To: Bill Stout cc: firewalls@greatcircle.com Subject: Re: Secure Virtual Intranets MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <6356.836670279.1@auryn.genua.de> Date: Sat, 06 Jul 1996 18:24:39 +0200 From: Bernhard Schneck Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> [...]
> 2. Certificates on browser and server.
> a. Webserver can be outside firewall.
> [...]
> 3. HTTPS.
> a. Webserver can be outside firewall.

With these approaches, you make it hard for bad b0yzZ to get at your stuff through the web ... but why bother with http if they can possibly hack your server through other ways?

Best thing would be to put the server behind a firewall, but not on your internal secure net. Depending on your needs, this thing may be a simple filtering router (allow from any to server port 80, deny everything else), an additional interface on your normal firewall or a completely separate box.

Also, typical encryption through any exportable software will be weak (this will probably be true for both http and ip encryption).
Even though SSL uses 128 bit keys, accessing your data from outside the US will transmit 88 bits of the secret(?!) key in clear. If your stuff should *really* stay secret, put it in an envelope and snailmail it (and hope that no one in the post office is curious :-)

YMMV
\Bernhard.

From firewalls-owner Sat Jul 6 09:55:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29122 for firewalls-outgoing; Sat, 6 Jul 1996 09:21:37 -0700 (PDT) Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA29107 for ; Sat, 6 Jul 1996 09:21:29 -0700 (PDT) Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail Message-ID: <01BB6B34.ACF79A00@rwcooper.rc.toronto.on.ca> From: Russ To: "Firewalls@greatcircle.com" Subject: RE: Help me (DHCP) Dynamic host configuration protocol Date: Sat, 6 Jul 1996 12:14:25 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Uh, well, sorry to correct you Sameer, but...

DHCP is an extension of BOOTP, and it is designed to dynamically assign IP configuration information to a device. A device using DHCP sends out a broadcast looking for a DHCP server; the DHCP server responds with an IP address, subnet mask, domain name, etc... see RFC 1533, 1534, 1541, and 1542.

DHCP is initiated using a UDP broadcast, so it's not possible to force a particular DHCP server to respond. If the DHCP server is on the same segment as the client that does the broadcast, it is eligible to respond. Cisco and other router vendors have ways to get DHCP broadcast requests across segments to a specific subnet or even a specific DHCP server, but because DHCP is broadcast based, this function is normally turned off on router segments exposed to the Internet.
There is normally no mechanism in clients for DHCP servers to force an update to the information the clients have previously received, and once the request broadcast has been responded to, the client has no listening port running for DHCP, so it's as secure as a static configuration (assuming the client hasn't had the DHCP request code modified). A "lease" parameter tells the client how long it may have the IP configuration for. At the first boot after the lease has expired, the client will automatically do a DHCP request again, possibly getting a different address than before.

Although I'm not sure what you mean by security level, DHCP is normally contained to your own segment, so unless your Internet router is forwarding DHCP broadcasts (or all broadcasts) to the Internet, the security risks are within your site.

The question about whether or not you need a Firewall is a basic security question: do you have anything that needs to be protected? If you were setting up a lab of machines to surf the net, and they were separated from your in-house LANs, you might not need a Firewall at all if you consider them sacrificial.

If, on the other hand, your question is about IP address translation, then yes, you would still need something to hide the IP addresses of your machines. DHCP itself does not provide a way to hide IP addresses, so you will have to give them Internet routable IP addresses (RFC 1918) if you want them to get to the Internet.

Hope that makes things a little clearer for you.
Cheers,
Russ

From firewalls-owner Sat Jul 6 10:49:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA05845 for firewalls-outgoing; Sat, 6 Jul 1996 10:35:04 -0700 (PDT) Received: from mark.allyn.com (mark.allyn.com [206.114.135.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA05838 for ; Sat, 6 Jul 1996 10:34:58 -0700 (PDT) Received: (from allyn@localhost) by mark.allyn.com (8.7.5/8.7) id KAA14790; Sat, 6 Jul 1996 10:37:11 -0700 (PDT) From: Mark Allyn 206-860-9454 Message-Id: <199607061737.KAA14790@mark.allyn.com> Subject: Re: Secure Virtual Intranets To: Bernhard_Schneck@GeNUA.DE (Bernhard Schneck) Date: Sat, 6 Jul 1996 10:37:10 -0700 (PDT) Cc: bill.stout@hidata.com, firewalls@GreatCircle.COM In-Reply-To: <199607061624.SAA06359@auryn.genua.de> from "Bernhard Schneck" at Jul 6, 96 06:24:39 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-> If your stuff should *really* stay secret, put it in an envelope and
-> snailmail it (and hope that no one in the post office is curious :-)

No. The best security is to use a bicycle messenger whom you can trust. It stays in one person's possession for the entire trip, and who is going to bother one of these folks anyways?
Mark

From firewalls-owner Sat Jul 6 11:49:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09638 for firewalls-outgoing; Sat, 6 Jul 1996 11:39:50 -0700 (PDT) Received: from vpm.com (vpm.com [207.49.29.143]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA09631 for ; Sat, 6 Jul 1996 11:39:44 -0700 (PDT) Received: (from mcs@localhost) by vpm.com (8.6.12/8.6.12) id LAA26046 for firewalls@GreatCircle.COM; Sat, 6 Jul 1996 11:39:17 -0700 From: Mark Stout Message-Id: <199607061839.LAA26046@vpm.com> Subject: Installing a NT Web server on a firewall To: firewalls@GreatCircle.COM Date: Sat, 6 Jul 1996 11:39:16 -0700 (PDT) X-Mailer: ELM [version 2.4 PL24 ME8a] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi All:

I'm new to this list, so if this has been discussed ad nauseam, please forgive.

I need to install an NT v3.51 server as a client's primary web server and incorporate it into their existing Internet access structure, that being a firewall to protect the corporate intranet and a proxy server for allowing internal access to the Internet.

I'm wondering if there's any documentation that I can get that explains, in detail, how to set up a server to provide external access to the web server from the outside and access to the SMTP server, while allowing internal access to the server for maintenance. I believe the web server should reside on the outside of the firewall. Internal access to the Internet in general is provided by a proxy server.

My thinking is that, externally speaking, I should be able to access the web server, fill out a form and send it to the SMTP gateway just like any other external mail coming in would be routed. BTW, the internal mail system is Lotus's cc:Mail.
What would be the best solution to allow external access to the server AND allow internal access to the server for maintenance, while allowing access to the SMTP server for sending processed forms, such as feedback forms?

Thanks,
Mark
--
==========================================================================
Mark Stout     | The Village Potpourri Mall: http://www.vpm.com/
---------------+----------------------------------------------------------
VPM Enterprises; P.O.Box 6427; Folsom, CA 95763-6427
Secured Web Hosting and Secured Discussion Groups
Secured Internet Sales, Marketing and Advertising Specialist
==========================================================================

From firewalls-owner Sat Jul 6 13:34:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA13783 for firewalls-outgoing; Sat, 6 Jul 1996 13:26:11 -0700 (PDT) Received: from morebbs.com ([206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA13776 for ; Sat, 6 Jul 1996 13:26:05 -0700 (PDT) From: meowmyx@morebbs.com Received: by morebbs.com Message-ID: <9607060928.0DATT00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Sat, 06 Jul 96 09:28:04 Subject: Real world security To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Far away from the rarified world of theoretical security considerations on the firewalls list there exists a real world. It is called corporate America.

A friend of mine works for a multinational corporation. They get a news feed by FM radio to a NewsEdge server. The connection remains secure because it is one way and nothing can get back over the radio. People in the network log into the NewsEdge machine to browse the news feed.

Now a press company, let's call it Afilliated Squeeze, has come along with a grand idea. They want to replace the FM radio link with a direct line from an OS2 server in their own network and to replace the NewsEdge server
inside the multinational corporation with an OS2 server. The Chief of Information Security in the multinational asked Affilliated Squeeze about the security features in their system. Squeeze assured him their network and OS2 machines are secure and nobody can break in. The Chief of IS asked them, "What specific security features does your network and the OS2 server have?" Squeeze said, "We will have to check and get back to you on that."

Now I don't want my buddy to be open to attack by the kinds of tools that are widely available, because then he might change his passwords. Can somebody give me an idea of what kind of security, if any, Affilliated Squeeze might have in place?

MeOwMyX theDawgEatingCat

From firewalls-owner Sat Jul 6 18:19:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA23837 for firewalls-outgoing; Sat, 6 Jul 1996 18:07:47 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA23830 for ; Sat, 6 Jul 1996 18:07:42 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id SAA05891 for ; Sat, 6 Jul 1996 18:07:24 -0700 Date: Sat, 6 Jul 1996 18:01:30 -0700 (PDT) From: Michael Dillon To: firewalls@GreatCircle.COM Subject: Re: Secure Virtual Intranets In-Reply-To: <199607061624.SAA06359@auryn.genua.de> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sat, 6 Jul 1996, Bernhard Schneck wrote:

> If your stuff should *really* stay secret, put it in an envelope and
> snailmail it (and hope that no one in the post office is curious :-)

Actually, you should get it copied to microfilm, cut out the small piece of film with the message and carefully stick it under the stamp on an envelope with a trivial letter inside.
Your correspondent can pry out the microfilm and read it at most public libraries. As they say, security is all about wetware and watching old spy movies :-)

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Sun Jul 7 09:04:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA23322 for firewalls-outgoing; Sun, 7 Jul 1996 09:01:41 -0700 (PDT) Received: from relay.infogroup.iunet.it (relay.infogroup.iunet.it [192.106.17.222]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA23315 for ; Sun, 7 Jul 1996 09:01:33 -0700 (PDT) Received: from infogroup.infogroup.it (relay) by relay.infogroup.iunet.it (5.x/SMI-SVR4) Message-Id: <1.5.4.32.19960707160658.00665988@infogroup.it> X-Sender: ic-00006@infogroup.it X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 07 Jul 1996 18:06:58 +0200 To: firewalls@greatcircle.com From: Iacopo Mazzoni Subject: IRC and Firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all. I need your help.

I use the program MIRC 4.0 32 bit for Windows 95 for IRC. My provider has installed a firewall on the server. In the beginning my MIRC did not work with the firewall, so my provider enabled port 6667 in the firewall and now my MIRC works, but my DCC commands (send and chat) do not work because the firewall cuts these commands. What must my provider enable in the firewall for the DCC commands to work properly?

Thank you very much.
__________________________________________________________________
Iacopo Mazzoni, e-mail mazzoni@infogroup.it
c.o. Infogroup S.p.A.
- Informatica e Servizi Telematici -
Via Santelli 35, 50141 Firenze (Italia)
Phone +39-55-4365505 Fax +39-55-4360784 http://www.infogroup.it
__________________________________________________________________

From firewalls-owner Sun Jul 7 12:37:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA00659 for firewalls-outgoing; Sun, 7 Jul 1996 12:30:52 -0700 (PDT) Received: from lapsene.mii.lu.lv (lapsene.mii.lu.lv [159.148.60.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA00651 for ; Sun, 7 Jul 1996 12:30:45 -0700 (PDT) Received: (from uulda@localhost) by lapsene.mii.lu.lv (8.7.5/8.7.1) id WAA05162 for firewalls@greatcircle.com; Sun, 7 Jul 1996 22:28:09 +0300 (EET DST) X-Authentication-Warning: lapsene.mii.lu.lv: uulda set sender to lda!lda.gov.lv!uldis@lda.gov.lv using -f >Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92); Received: from lda by lapsene.mii.lu.lv; Sun, 7 Jul 1996 22:28 EET Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92); Received: by lda.gov.lv (FIDO2UU 1.92d [DOS]); To: firewalls@greatcircle.com From: Uldis Bojars Message-Id: <31E03DDB@lda.gov.lv> Subject: OS/2 firewall Date: Sun, 7 Jul 1996 18:44:43 +0200 Lines: 20 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Saturday July 06 1996 16:19, dnewman@mcgraw-hill.com wrote to Uldis Bojars:

d> Actually, I'm not even sure their firewall really runs on OS/2.
d> The Web page talks about OS/2 agents, which makes me wonder if it's
d> really an NT firewall with a Socks-like client for OS/2. Has anyone
d> actually touched Netguard's OS/2 code?

I just received a message from them telling me that a trial version for OS/2 is now available on the Web, too. I'm eager to try it. I think it must be like the WinNT version. Has anyone touched it and can comment on it?

Uldis

... My life is still in BETA test.
--- GoldED/386 3.00.Alpha1+

From firewalls-owner Sun Jul 7 13:49:21 1996
From: peter@baileynm.com (Peter da Silva)
To: mazzoni@infogroup.iunet.it (Iacopo Mazzoni)
Cc: firewalls@GreatCircle.COM
Date: Sun, 7 Jul 1996 15:23:03 -0500 (CDT)
Subject: Re: IRC and Firewalls
Message-Id: <9607072023.AA06247@sonic.nmti.com.nmti.com>
In-Reply-To: <1.5.4.32.19960707160658.00665988@infogroup.it> from "Iacopo Mazzoni" at Jul 7, 96 06:06:58 pm

> but my DCC commands (send and chat) do not work because the firewall cuts these
> commands.

Good. DCC is a humungous security risk.
From firewalls-owner Sun Jul 7 14:20:41 1996
From: Gordy Thompson
To: Peter da Silva
Cc: Iacopo Mazzoni, firewalls@GreatCircle.COM
Date: Sun, 7 Jul 1996 17:15:39 -0400 (EDT)
Subject: Re: IRC and Firewalls
In-Reply-To: <9607072023.AA06247@sonic.nmti.com.nmti.com>

Do you think you could elaborate on this just a bit? In particular, assuming that there is a desire to relay IRC through a firewall (and without arguing the validity of that desire, for the moment at least), is there any approach that could be taken to reduce this risk, short of just not allowing it at all?

On Sun, 7 Jul 1996, Peter da Silva wrote:

> > but my DCC commands (send and chat) do not work because the firewall cuts these
> > commands.
>
> Good. DCC is a humungous security risk.

--
Gordon T. Thompson            gordy@nytimes.com
Manager, Internet Services    212-556-1386
The New York Times            fax: 212-556-1636
The Times and I have an arrangement: Neither of us speaks for the other.
From firewalls-owner Sun Jul 7 14:49:16 1996
From: peter@baileynm.com (Peter da Silva)
To: gordy@nytimes.com (Gordy Thompson)
Cc: peter@baileynm.com, mazzoni@infogroup.iunet.it, firewalls@GreatCircle.COM
Date: Sun, 7 Jul 1996 16:32:11 -0500 (CDT)
Subject: Re: IRC and Firewalls
Message-Id: <9607072132.AA06761@sonic.nmti.com.nmti.com>
In-Reply-To: from "Gordy Thompson" at Jul 7, 96 05:15:39 pm

> Do you think you could elaborate on this just a bit? In
> particular, assuming that there is a desire to relay IRC through a
> firewall (and without arguing the validity of that desire, for the moment
> at least), is there any approach that could be taken to reduce this risk,
> short of just not allowing it at all?

First of all, DCC can be from any port to any port. It's a point-to-point connection between clients bypassing the IRC network completely, so you'd have to write a proxy that grokked the protocol and pretended to be the client, like the FTP proxies do, and ran on the firewall... or open up a huge range of ports.

Second, it's way open to "social engineering" attacks.
That's as big a problem as the technical one.

From firewalls-owner Sun Jul 7 15:19:20 1996
From: Darren Reed
To: mazzoni@infogroup.iunet.it (Iacopo Mazzoni)
Cc: firewalls@GreatCircle.COM
Date: Mon, 8 Jul 1996 08:04:49 +1000 (EST)
Subject: Re: IRC and Firewalls
Message-Id: <199607072207.PAA07373@miles.greatcircle.com>
In-Reply-To: <1.5.4.32.19960707160658.00665988@infogroup.it> from "Iacopo Mazzoni" at Jul 7, 96 06:06:58 pm

In some mail from Iacopo Mazzoni, sie said:
>
> Hi all.
> I need your help.
> I use the program mIRC 4.0 (32-bit) for Windows 95 for IRC.
> My provider has installed a firewall on the server.
> In the beginning my mIRC did not work with the firewall, so my provider
> enabled port 6667 in the firewall and now my mIRC is OK,
> but my DCC commands (send and chat) do not work because the firewall cuts these
> commands.
>
> What must my provider enable in the firewall for the DCC commands to work
> properly?

Allowing DCC to work requires that any TCP connection be able to connect from outside to inside or inside to outside, i.e. there is almost no point in having a firewall. The most reliable way is to use a proxy which can also initiate proxies for DCC connections when it recognises them being set up.
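The protocol-aware proxy Darren describes (and the firewall that "understands the CTCP request", mentioned later in the thread) first has to recognise a DCC offer in the client's IRC stream. The following is an added example, not code from the thread or from any product named in it: it parses the CTCP DCC SEND/CHAT offer that clients carry inside PRIVMSG and applies an assumed policy for offers written by an inside client, namely that the advertised listener must be the sending client itself, on an unprivileged port, so that only that one inbound pinhole is ever returned. The sample lines, addresses and the policy itself are constructed assumptions.

```python
"""DCC-aware inspection for an IRC proxy/firewall helper (added example).

The de-facto DCC offer, carried as a CTCP message inside PRIVMSG, looks like
    PRIVMSG <nick> :\x01DCC SEND <file> <ip-as-decimal> <port> [<size>]\x01
    PRIVMSG <nick> :\x01DCC CHAT chat <ip-as-decimal> <port>\x01
The party that sends the offer listens on <ip>:<port>; the peer connects to it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

CTCP = "\x01"
DCC_RE = re.compile(
    r"^(?::\S+ )?PRIVMSG (?P<target>\S+) :" + CTCP
    + r"DCC (?P<kind>SEND|CHAT) (?P<arg>\S+) (?P<ip>\d+) (?P<port>\d+)"
    + r"(?: (?P<size>\d+))?" + CTCP + r"\s*$"
)


@dataclass
class DccOffer:
    kind: str                          # "SEND" or "CHAT"
    target: str                        # nick the offer is addressed to
    arg: str                           # file name for SEND, literally "chat" for CHAT
    listen_ip: ipaddress.IPv4Address   # where the offering client listens
    listen_port: int
    size: Optional[int]                # SEND only


def parse_dcc_offer(line: str) -> Optional[DccOffer]:
    """Return the DCC offer carried by one IRC line, or None if there is none.

    Malformed offers (address or port out of range) are also reported as None,
    so a proxy never opens anything on the strength of garbage.
    """
    m = DCC_RE.match(line)
    if not m:
        return None
    ip_int, port = int(m.group("ip")), int(m.group("port"))
    if ip_int > 0xFFFFFFFF or not 0 < port <= 0xFFFF:
        return None
    return DccOffer(
        kind=m.group("kind"),
        target=m.group("target"),
        arg=m.group("arg"),
        listen_ip=ipaddress.IPv4Address(ip_int),  # DCC encodes the IPv4 as a decimal integer
        listen_port=port,
        size=int(m.group("size")) if m.group("size") else None,
    )


Decision = Tuple[str, Union[Tuple[str, int], str]]


def pinhole_for_offer(line: str, client_ip: str, inside_net: str,
                      allow_chat: bool = False) -> Decision:
    """Decide what to do with an offer sent by the inside client at client_ip.

    Returns ("allow", (ip, port)) when one inbound pinhole to that client may
    be opened, otherwise ("deny", reason). Policy (an assumption of this
    example, not the thread's): the advertised listener must be the client
    that wrote the offer, so an offer cannot point the outside peer at some
    other inside host; the port must be unprivileged; CHAT is off by default.
    """
    offer = parse_dcc_offer(line)
    if offer is None:
        return ("deny", "not a well-formed DCC offer")
    if offer.kind == "CHAT" and not allow_chat:
        return ("deny", "DCC CHAT disabled by policy")
    if str(offer.listen_ip) != client_ip:
        return ("deny", f"advertised listener {offer.listen_ip} is not the sending client {client_ip}")
    if offer.listen_ip not in ipaddress.ip_network(inside_net):
        return ("deny", "listener is outside the protected network")
    if offer.listen_port < 1024:
        return ("deny", "privileged listen port")
    return ("allow", (client_ip, offer.listen_port))


if __name__ == "__main__":
    # Constructed sample traffic from inside client 192.168.1.10 (== 3232235786).
    samples = [
        "PRIVMSG bob :\x01DCC SEND notes.txt 3232235786 4321 12345\x01",  # honest offer
        "PRIVMSG bob :\x01DCC SEND notes.txt 3232235796 4321 12345\x01",  # points at .20
        "PRIVMSG bob :\x01DCC CHAT chat 3232235786 5000\x01",             # chat, off by policy
        "PRIVMSG bob :\x01DCC SEND notes.txt 3232235786 80\x01",          # privileged port
        "PRIVMSG #chan :hello everyone",                                  # ordinary traffic
    ]
    for s in samples:
        print(pinhole_for_offer(s, "192.168.1.10", "192.168.1.0/24"))
```

Offers arriving from the server side (an outside peer inviting the inside client to connect out, the case Joe Moll's triangle later describes) are not opened by this helper at all; it only ever admits the single inbound connection an inside client has explicitly advertised.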
From firewalls-owner Sun Jul 7 16:05:08 1996
From: ecki@lina.inka.de (Bernd Eckenfels)
To: firewalls@GreatCircle.COM
Date: Mon, 8 Jul 1996 00:45:54 +0200 (MET DST)
Subject: Re: IRC and Firewalls
In-Reply-To: from "Gordy Thompson" at Jul 7, 96 05:15:39 pm

Hi,

> Do you think you could elaborate on this just a bit? In
> particular, assuming that there is a desire to relay IRC through a
> firewall (and without arguing the validity of that desire, for the moment
> at least), is there any approach that could be taken to reduce this risk,
> short of just not allowing it at all?

Yes, you could use SOCKSified clients or intelligent firewalls which will dynamically open ports for DCC by understanding the CTCP request to open a connection. (Linux ip_masquerade seems to have IRC support.) This is the same problem as with FTP. You might be able to use outgoing DCC in some conditions, though.
Greetings
Bernd

From firewalls-owner Sun Jul 7 23:19:20 1996
From: Gordy Thompson
To: firewalls@GreatCircle.COM
Date: Mon, 8 Jul 1996 02:18:50 -0400 (EDT)
Subject: Re: IRC and Firewalls
In-Reply-To: <9607072132.AA06761@sonic.nmti.com.nmti.com>

On Sun, 7 Jul 1996, Peter da Silva wrote:

> First of all, DCC can be from any port to any port. It's a point-to-point
> connection between clients bypassing the IRC network completely, so you'd
> have to write a proxy that grokked the protocol and pretended to be the
> client, like the FTP proxies do, and ran on the firewall... or open up a
> huge range of ports.
>
> Second, it's way open to "social engineering" attacks. That's as big a
> problem as the technical one.

Understood, and thanks. Evidently DCC isn't part of "standard IRC" (if there is such a thing). Leaving DCC aside, are there known application-specific vulnerabilities in IRC itself? Assume that the protocol itself can be securely relayed through the firewall (via UDP Relay, perhaps, or a custom-built relay) and leave aside "social engineering" threats like sweet-talking a user into executing a bunch of commands. Are the interior hosts running IRC clients (or even those that aren't) still exposed to risks?
Is it possible, for example, to read or alter data on the client host via the IRC connection itself, even if the user is operating the client in a "safe" manner? I know a lot depends on the particular implementation of application software, but we're just beginning to explore this issue and I'm looking for anything I can find out. Are there particular implementations of IRC client s/w that are thought to be especially dangerous to use? Are there any that _aren't?_

--
Gordon T. Thompson            gordy@nytimes.com
Manager, Internet Services    212-556-1386
The New York Times            fax: 212-556-1636
The Times and I have an arrangement: Neither of us speaks for the other.

From firewalls-owner Mon Jul 8 00:34:16 1996
From: girsch@marben.com (Arnaud Girsch)
To: gordy@nytimes.com (Gordy Thompson)
Cc: firewalls@GreatCircle.COM
Date: Mon, 8 Jul 1996 00:26:02 -0700 (PDT)
Subject: Re: IRC and Firewalls
Message-Id: <199607080726.AAA28540@mail.marben.com>
In-Reply-To: from "Gordy Thompson" at Jul 8, 96 02:18:50 am

> Understood, and thanks. Evidently DCC isn't part of "standard IRC"
> (if there is such a thing).

See RFC 1459: "Internet Relay Chat Protocol - J. Oikarinen/D. Reed - May 1993"

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc.
- San Jose, CA

From firewalls-owner Mon Jul 8 00:49:16 1996
From: Kristof Van Damme
To: Gordy Thompson
cc: firewalls@GreatCircle.COM
Date: Mon, 8 Jul 1996 09:18:02 +0200 (MET DST)
Subject: Re: IRC and Firewalls

On Mon, 8 Jul 1996, Gordy Thompson wrote:

> Understood, and thanks. Evidently DCC isn't part of "standard IRC"
> (if there is such a thing). Leaving DCC aside, are there known
> application-specific vulnerabilities in IRC itself?

You never know. I wouldn't risk it on a Unix system, for instance. It's not impossible that via a bug in, say, ircII 2.8, an outsider might be able to run shell commands on the machine behind the firewall, and then of course you've got a problem (well, actually the whole firewall becomes meaningless then ;-).

Does anyone know about any security risks in mIRC, VIRC or WS-IRC?
Greetings,
Aeneas

From firewalls-owner Mon Jul 8 01:34:27 1996
From: girsch@marben.com (Arnaud Girsch)
To: aeneas@ss5.reference.be (Kristof Van Damme)
Cc: firewalls@GreatCircle.COM
Date: Mon, 8 Jul 1996 01:27:12 -0700 (PDT)
Subject: Re: IRC and Firewalls
Message-Id: <199607080827.BAA28622@mail.marben.com>
In-Reply-To: from "Kristof Van Damme" at Jul 8, 96 09:18:02 am

> > Understood, and thanks. Evidently DCC isn't part of "standard IRC"
> > (if there is such a thing). Leaving DCC aside, are there known
> > application-specific vulnerabilities in IRC itself?
> You never know. I wouldn't risk it on a Unix system, for instance. It's not
> impossible that via a bug in, say, ircII 2.8, an outsider might be able to run
> shell commands on the machine behind the firewall, and then of course you've got
> a problem (well, actually the whole firewall becomes meaningless then
> ;-).

The most widespread bug in ircII is a *human*. I mean... someone is using IRC, someone else tells him to grab some script of some sort and load it. 80% of the users do it. This script can be nothing, but it can also be something that grabs some file on the system and sends it through e-mail. Or many, many other things.

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc.
- San Jose, CA

From firewalls-owner Mon Jul 8 04:19:30 1996
From: Niels
To: Iacopo Mazzoni
cc: firewalls@GreatCircle.COM
Date: Mon, 8 Jul 1996 12:49:45 +0200 (MDT)
Subject: Re: IRC and Firewalls
In-Reply-To: <1.5.4.32.19960707160658.00665988@infogroup.it>

On Sun, 7 Jul 1996, Iacopo Mazzoni wrote:

> What must my provider enable in the firewall for the DCC commands to work
> properly?

DCC (Direct Client-to-Client) does not use any assigned port number. It binds to the first free port. So your provider should open all ports above 1024, both incoming and outgoing.

Niels
----------------------------------------------------------------------
Planet Internet Holding
XXTP Support Engineer
I do not speak for my employer - they are perfectly able to do that.
From firewalls-owner Mon Jul 8 08:04:32 1996
From: oolid@acqic.org (Joseph L. Moll)
To: firewalls@greatcircle.com
Date: Mon, 08 Jul 1996 10:51:42 -0400
Subject: Re: IRC and Firewalls
Message-Id: <2.2.32.19960708145142.006dc0ac@mail.acquion.com>

At 12:49 PM 7/8/96 +0200, you wrote:
>On Sun, 7 Jul 1996, Iacopo Mazzoni wrote:
>
>> What must my provider enable in the firewall for the DCC commands to work
>> properly?
>
>DCC (Direct Client-to-Client) does not use any assigned port number.
>It binds to the first free port. So your provider should open all ports
>above 1024, both incoming and outgoing.
>

Actually... this is what happens. It is not what you would expect.

Two machines: IRC-A with nic-a and IRC-B with nic-b. Both machines are connected to IRC servers (not necessarily the same one, BTW), which log the IRC nick and IP address of the client.

For example: nic-a initiates a DCC call to nic-b. To accomplish this, nic-a tells the IRC server that it wants to initiate the session to nic-b. The IRC server then uses its already established connection to IRC-B and tells nic-b that nic-a wants to initiate a session; then IRC-B initiates the CONNECTION to IRC-A. Catch the triangle forming here?
    A ----> Server -----> B        A ----> Server A -----> Server B ----> B
    ^                     |   or   ^                                      |
    +--<----<----<----<---+        +---<----<----<----<----<----<----<----+

This is the worst possible case WRT security, because this allows a type of "hijacking" or "trusted host spoofing" built right into the protocol. If you allow IRC clients to talk to IRC servers, and allow those same clients to initiate outgoing TCP connections, you are breached. In this case, however, IRC-B will not be able to complete the initiation of a session with IRC-A, since IRC-A will be attempting to initiate a connection to a machine behind your firewall.

In short, a machine outside your firewall can cause a machine inside your firewall to contact it, as long as it is connected to the IRC server, via the DCC connection protocol. Once connected via DCC, files can be exchanged, etc.

---
Joseph L. (Joe) Moll, Greenville, SC USA
mailto:oolid@acqic.org

From firewalls-owner Mon Jul 8 08:37:15 1996
From: Rey.LeClerc/New.York/ACMC
To: Firewalls-Digest
Cc: firewalls-digest
Date: 8 Jul 96 11:16:43
Subject: Re: Firewalls-Digest V5 #407
Message-Id: <9607081517.AA1757@smtpngw.acml.com>

The following are interesting Internet security sites:

Telnet Access to Internet Sites
gopher csrc.ncsl.nist.gov (NIST BBS - security bulletins & numerous security audit
references)

Useful WWW Servers
http://www.alw.nih.gov/~jbk/security.html (UNIX security information)
http://crimelab.com/bugtraq/bugtraq.html (UNIX/Bugtraq archive)
http://www.cs.purdue.edu (extensive security archive/mirror site)
http://csrc.ncsl.nist.gov (NIST Information Security Clearing House)
http://ww01.dhmc.dartmount.edu (Dartmouth Internal Audit BBS)
http://www.openmarket.com/info/internet-index/current.html (Internet Facts)
http://www.dct.ac.uk/www/books/hacker-crackdown/hacker.html (Hacker Crackdown book)
http://www-ns.rutgers.edu/www-security/reference.html (Rutgers WWW Security Reference page)
http://www.tansu.com.au/Info/security.html (security reference index)
http://www.spy.org (spy BBS)
http://www.uhsa.uh.edu/issa

FTP Sites
csrc.ncsl.nist.gov (NIST security FTP server)
decuac.dec.com (routers, firewalls and UNIX tools)
ftp.cisco.com (routers and firewalls)
ftp.eff.org (Computer Underground Digest)
ftp.greatcircle.com (firewalls)
ftp.sunet.se (numerous UNIX & TCP/IP security resources)
ftp.sura.net (numerous UNIX & TCP/IP security resources)
ftp.uu.net (numerous UNIX & TCP/IP security resources; USENIX)
info.cert.org (security bulletins, checklist, security tools, VIRUS-L)
nasirc.nasa.gov (NASA security bulletins)
net.tamu.edu (firewalls & UNIX security tools)
nisca.asc.ohio-state.edu (firewalls)
nist.ncsl.nist.gov (NIST BBS - security bulletins & numerous security/audit references)
research.att.com (firewalls)
theta.iis.utokyo.ac.jp:/pub1/securiy (security tools and information)
thumper.bellcore.com (numerous UNIX & TCP/IP security resources)
tis.com (firewalls)
ftp.win.tue.nl (numerous UNIX & TCP/IP security tools and references, including SATAN)

Security/Audit Related Usenet Groups
alt.2600
alt.2600.debate
alt.2600.moderated
alt.2600.QnA
alt.business.internal-audit
alt.crackers
alt.cyberbunk.alliance
alt.hacker
alt.hackers
alt.hackers.discuss
alt.security
alt.security.pgp
alt.security.ripem
alt.sysadm.recovery
comp.protocols.kerberos
comp.risks
comp.security.announce
comp.security.misc
comp.security.unix
comp.unix.admin
comp.unix.wizards
comp.virus
info.pem.dev
misc.security
phl.2600
sci.crypt

Security Mailing Lists/E-mail Servers
2600@well.sf.ca.us (hacker related information)
bugtraq-request@crimelab.com (UNIX security exposures)
cert-advisory-request@cert.org (security bulletins)
cert-tools-request@cert.org (security tools forum)
docserver@csrc.ncsl.nist.gov (NIST document mail server)
mailserv@ds.internic.net (primary Internet RFC repository, *****see below*****)
majordomo@alive.ampr.ab.ca (subscribe Hack-L: The Hack Report, Hacker alerts)
majordomo@GreatCircle.com (firewalls digest) indicate "subscribe firewall_digest"
phrack@well.sf.ca.us (hacker related information)
risk-request@CSL.SRI.COM (RISKS digest)
listserv@lehigh.edu (urgent virus warnings)
listserv@lehigh.edu (discussion group on virus)

Useful Internet RFCs
RFC1038 Draft Revised IP Security Option
RFC1108 Security Options for the Internet
RFC1244 Site Security Handbook
RFC1352 Security Protocols
RFC1446 Security Protocols
RFC1455 Physical Link Security
RFC1535 Security Problems
RFC1579 Firewall-Friendly FTP

These are just some RFCs to give you a flavor. There are many others.
To get RFCs, send e-mail to mailserv@ds.internic.net:
document-by-name-above RFCXXXX

From firewalls-owner Mon Jul 8 08:50:59 1996
From: chip@ftp.com (Chip Sparling)
Reply-To: chip@ftp.com
To: Russ.Cooper@RC.Toronto.on.ca
Cc: "Firewalls@greatcircle.com"
Date: Mon, 8 Jul 1996 11:42:34 -0400
Subject: RE: Help me (DHCP) Dynamic host configuration protocol
Message-Id: <199607081542.LAA23080@MAILSERV-100BS.FTP.COM>

>Although I'm not sure what you mean by security level, DHCP is normally
>contained to your own segment, so unless your Internet router is forwarding
>DHCP broadcasts (or all broadcasts) to the Internet the security risks are
>within your site.

Not a firewall thing, but a specific DHCP security problem. I exploited a broken Apple DHCP client to completely take over a printer that is now my plaything :-)

It is an Apple LaserWriter (LW) 16/600 PS, and it took the IP address that I was assigning to another machine with our (FTP Software) DHCP server on Windows 95. It seems that if you don't configure IP on the LW, it polls forever with DHCP and then will take any BOOTP/DHCP response, even if directed at a hardware address other than its own.
In this case it grabbed an IP address that I was giving to someone else; then both clients started generating "Duplicate IP address detected" messages. I was tracing all DHCP traffic and thus had the wayward printer's hardware address. Using the new IP address it grabbed, I telnetted to it, logged in (the telnet server had no default password; the first login sets it), printed the configuration page (printed to paper, not screen), picked and set a random but valid IP address, and restarted the machine.

Then I set about finding the owner of the printer. The telnet login had identified the machine as an Apple, so I set off to find our graphic designers, who happened to be huddled around one of their printers that had magically started printing setup screens and rebooting itself.

The final solution was either to have a broken DHCP client forever polling and accepting any responses, or a static IP address, so we now have a machine in our DNS called bad-dhcp-client.ftp.com or somesuch. The users only print to it with AppleTalk, but there is no way to completely turn off the IP protocol (as far as I can tell).
chip

From firewalls-owner Mon Jul 8 09:49:36 1996
From: ecki@lina.inka.de (Bernd Eckenfels)
To: gordy@nytimes.com (Gordy Thompson)
Cc: firewalls@GreatCircle.COM
Date: Mon, 8 Jul 1996 17:58:50 +0200 (MET DST)
Subject: Re: IRC and Firewalls
In-Reply-To: from "Gordy Thompson" at Jul 8, 96 02:18:50 am

Hi,

> Assume that the protocol itself can be securely relayed through
> the firewall (via UDP Relay, perhaps, or a custom-built relay)

It's TCP to ports like 6660-66670.

> and leave
> aside "social engineering" threats like sweet-talking a user into
> executing a bunch of commands. Are the interior hosts running IRC clients
> (or even those that aren't) still exposed to risks?

Yes, there were a few problems in IRC clients, like buffer overruns. Another problem was DCC get: people can send you a bunch of files, including a new .rhosts. A much bigger problem is the addiction potential :)

> I know a lot depends on the particular implementation of
> application software, but we're just beginning to explore this issue and
> I'm looking for anything I can find out. Are there particular
> implementations of IRC client s/w that are thought to be especially
> dangerous to use? Are there any that _aren't?_

I have seen a proxy IRC client which can hide local host and user names; I will look for the source.
It understands the protocol, acts as server to internal clients and acts as client to servers.

Greetings
Bernd

From firewalls-owner Mon Jul 8 10:49:18 1996
From: "Samuel T. Baker"
To: firewalls@GreatCircle.COM
Date: Mon, 08 Jul 1996 12:33:21 -0500
Subject: Firewall configuration validation

What tools or practices are appropriate/useful for validating the conformance of a firewall configuration to the stated security policy?

Samuel T.
Baker
Director, Computer Operations
615 532-8026 voice
615 734-6459 fax
sbaker@mail.state.tn.us
Happy Birthday, Tennessee
Celebration of the Centuries, 1796-1996

From firewalls-owner Mon Jul 8 11:04:18 1996
From: bishop@cs.ucdavis.edu (Matt Bishop)
To: firewalls@greatcircle.com
Date: Mon, 8 Jul 1996 10:35:23 -0700
Subject: [2nd Posting] CFP: Symposium on Network and Distributed System Security
Message-Id: <9607081735.AA28855@nob>

CALL FOR PAPERS

The Internet Society Symposium on Network and Distributed System Security
February 10-11, 1997, San Diego Princess Resort, San Diego, California

Submissions due: August 1, 1996
Notification to Authors: October 1, 1996
Camera-Ready Copy due: November 1, 1996

GOAL: The symposium will bring together people who are building hardware and software to provide network and distributed system security services. The symposium is intended for those interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Symposium proceedings will be published by the IEEE Computer Society Press.
Topics for the symposium include, but are not limited to, the following:

* Design and implementation of communication security services: authentication, integrity, confidentiality, authorization, non-repudiation, and availability.

* Design and implementation of security mechanisms, services, and APIs to support communication security services, key management and certification infrastructures, audit, and intrusion detection.

* Requirements and designs for securing network information resources and tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.

* Requirements and designs for systems supporting electronic commerce -- payment services, fee-for-access, EDI, notary -- endorsement, licensing, bonding, and other forms of assurance.

* Design and implementation of measures for controlling network communication -- firewalls, packet filters, application gateways, and user/host authentication schemes.

* Requirements and designs for telecommunications security especially for emerging technologies -- very large systems like the Internet, high-speed systems like the gigabit testbeds, wireless systems, and personal communication systems.

* Special issues and problems in security architecture, such as interplay between security goals and other goals -- efficiency, reliability, interoperability, resource sharing, and cost.

* Integration of security services with system and application security facilities, and application protocols -- including but not limited to message handling, file transport, remote file access, directories, time synchronization, data base management, routing, voice and video multicast, network management, boot services, and mobile computing.
GENERAL CHAIR:
David Balenson, Trusted Information Systems

PROGRAM CHAIRS:
Clifford Neuman, University of Southern California
Matt Bishop, University of California at Davis

PROGRAM COMMITTEE:
Steve Bellovin, AT&T Research
Tom Berson, Anagram Laboratories
Doug Engert, Argonne National Laboratory
Warwick Ford, Bell Northern Research
Richard Graveman, Bellcore
Li Gong, SRI
Burt Kaliski, RSA Laboratories
Steve Kent, BBN
Tom Longstaff, CERT
Doug Maughan, National Security Agency
Dan Nessett, Sun Microsystems
Hilarie Orman, DARPA
Michael Roe, Cambridge University
Christoph Schuba, Purdue University
Jonathan Trostle, CyberSafe
Theodore Ts'o, Massachusetts Institute of Technology
Doug Tygar, Carnegie Mellon University
Vijay Varadharajan, University of W. Sydney
Roberto Zamparo, Telia Research

LOCAL ARRANGEMENTS CHAIR:
Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
Donna Leggett, Internet Society

SUBMISSIONS: The committee invites technical papers and panel proposals for topics of technical and general interest. Technical papers should be 10-20 pages in length. Panel proposals should be two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may at the discretion of the panel chair, include written position statements from each panelist.

Each submission must contain a separate title page with the type of submission (paper or panel), the title or topic, the names of the author(s), organizational affiliation(s), telephone and FAX numbers, postal addresses, Internet electronic mail addresses, and must list a single point of contact if more than one author. The names of authors, affiliations, and other identifying information should appear only on the separate title page.
Submissions must be received by 1 August 1996, and should be made via electronic mail in either PostScript or ASCII format. If the committee is unable to print a PostScript submission, it will be returned and hardcopy requested. Therefore, PostScript submissions should arrive well before 1 August. If electronic submission is difficult, submissions should be sent via postal mail.

All submissions and program related correspondence (only) should be directed to the program chair: Clifford Neuman, University of Southern California, Information Sciences Institute, 4676 Admiralty Way, Marina del Rey, California 90292-6695, Phone: +1 (310) 822-1511, FAX: +1 (310) 823-6714, Email: sndss97-submissions@isi.edu.

Dates, final call for papers, advance program, and registration information will be available at the URL: http://www.isoc.org/conferences/ndss97.

Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact the program chair as indicated above. Authors and panelists will be notified of acceptance by 1 October 1996. Instructions for preparing camera-ready copy for the proceedings will be sent at that time. The camera-ready copy must be received by 1 November 1996.

From firewalls-owner Mon Jul 8 12:05:57 1996
Date: Mon, 8 Jul 1996 14:00:56 -0500 (CDT)
From: Just Dew it!
To: firewalls@greatcircle.com
Subject: Security Meetings/Symposiums (fwd)

I would like to get information on some of the Security Meetings/Symposiums that are open to the general public, or even those that would require certain credentials. Please respond in kind!

add filter reply 100 flames/32 bitbucket/32 all

From firewalls-owner Mon Jul 8 14:04:19 1996
From: Les Carleton
To: firewalls@greatcircle.com
Newsgroups: comp.security.firewalls
Subject: ROTHERWICK: What's New?
Date: Mon, 08 Jul 1996 20:19:47 GMT
Organization: The Rotherwick Firewall Resource
Reply-To: les@zeuros.co.uk
Message-ID: <31e16767.2104212@news.demon.co.uk>

Hi folks,

First off I'd like to thank publicly everyone who's contributed to the Rotherwick Firewall Resource with URLs, papers etc etc etc. You've all been great!

It's been a while since we launched the resource to provide a single start point for firewalling information; since then it's grown about five-fold to over 700 pointers, papers and links. I will be removing the "beta phase" notes over the next few days.
If you haven't been by the resource recently, then it's well worth a visit. We now have a large slice of firewall articles referenced and a Product Matrix which maps all the firewalls we have listed against their platforms (or as close as we could get from the information available!) and a What's New? page which you can bookmark to keep up to date.

What we'd like to add to the resource is some form of column(s) about current issues, not in-depth technical stuff, just some chat about issues and events in the firewalling community, but we need a couple of folks who are willing to contribute a small article, say, once a month (ish). Is anyone interested? There is no pay and no reward except getting your name in print on the web. I'd love to pay, but since we're not exactly funded, it'd be a bit difficult :-). If you're interested, let me know at les@zeuros.co.uk.

Anyways ... this is costing bandwidth, so thanks again to all the contributors! Pop by ... you're all welcome!

Cheers!
...Les...

Les Carleton at The Rotherwick Firewall Resource
http://www.zeuros.co.uk/firewall
les@zeuros.co.uk

From firewalls-owner Tue Jul 9 06:04:20 1996
From: snoopy@munich.ixos.de
Message-Id: <9607091158.AA17463@polo.ixos.de>
To: firewalls@greatcircle.com
Subject: Does smap from the TIS Toolkit speak ESMTP ?
Date: Tue, 09 Jul 1996 13:58:04 +0200

Hi there,

we are running a slightly older version of the FWTK and the smap daemon does not seem to do ESMTP.

Is there a version available which speaks ESMTP ?

Thanks a lot...

Love,
Snoopy
--
snoopy@munich.ixos.de

Every passing hour brings the solar system 43,000 miles closer to globular cluster M13 in Hercules and yet there are still some misfits who insist there is no such thing as progress.
- Kurt Vonnegut Jr.

From firewalls-owner Tue Jul 9 07:06:04 1996
Date: Tue, 9 Jul 1996 06:35:39 -0700 (PDT)
From: "Grant M. Fengstad" <419450@valiant.te.CdnAir.CA>
To: snoopy@munic.ixos.de
Cc: firewalls@greatcircle.com
Subject: Re: Does smap from the TIS Toolkit speak ESMTP ?

On Tue, 9 Jul 1996 snoopy@munich.ixos.de wrote:

> Hi there,
>
> we are running a slightly older version of the FWTK and the smap daemon does
> not seem to do ESMTP.
>
> Is there a version available which speaks ESMTP ?

Correct me if I'm wrong, but is not the purpose of SMAP to provide a "bulletproof" front-end to sendmail? If this is the focus, SMAP should be as simple and clean as possible. It would be a mistake to implement lots of functionality and logic in the program.
From firewalls-owner Tue Jul 9 09:22:31 1996
Message-Id: <199607091616.JAA07118@vpm.com>
Date: Tue, 09 Jul 1996 09:11:16 -0700
To: firewalls@GreatCircle.COM
From: Mark Stout
Subject: Setting up an NT firewall

Hi All:

I'm looking for information on how best to install an NT server that will serve the Internet as a web server, but allow internal remote access to the NT server. Can anyone provide me with information or some places to look?
Thanks,
Mark

==========================================================================
Mark Stout     | The Village Potpourri Mall: http://www.vpm.com/
---------------+----------------------------------------------------------
VPM Enterprises; P.O.Box 6427; Folsom, CA 95763-6427
Secured Internet Sales, Marketing and Advertising Specialist
==========================================================================

From firewalls-owner Tue Jul 9 09:34:33 1996
Date: Tue, 9 Jul 1996 09:06:09 -0700
Message-Id: <199607091606.JAA16851@apu.connectix.com>
Subject: Threats and Nasty Emails
From: Rob Sansom

Although this is not really related to firewalls, I was wondering if anyone had a suggestion for a response to a belligerent individual who has been threatening to 'mail bomb' our site, as well as slander our company in the UK. Apparently, this person is very dissatisfied with the performance of the product that they purchased, and the resulting response from tech support. I guess that they got so frustrated that they sent a letter to 'root' at our site, and that's how I got involved.

I am wondering if a response to the 'postmaster' or 'root' at their site would be a good idea, or should I just let it be. It's easy to block access from their net, but I would rather not do this.
The net in question is 'intonet.co.uk' and I have tried 'whois' on the domain to no avail (to try to contact the net admin, God forbid this person should be the net admin!), and if anyone has any information on a contact at intonet.co.uk, I would greatly appreciate any information.

Thanks in Advance,

Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Tue Jul 9 09:49:46 1996
Message-Id: <31E28A92.7552@apogee-com.fr>
Date: Tue, 09 Jul 1996 18:36:34 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
To: firewalls@greatcircle.com, sean.scotvold@rnb.com
Subject: split-brain DNS

Hi guys (and hello girls :D )

After being away for a long time, I'd like to thank all of you who answered my questions about split-brain DNS and the 'internal subdomains problem'. I've installed the noforward patch and tested it. This works really great.
Many thanks to Blast who pointed me in the right direction:
ftp://ftp.vix.com/bind/release/4.9.3/contrib/noforward.tar.gz

Cheers,
Jean-Francois
--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications        Tel : +33 (1) 69 85 56 47
Parc Club Universite         Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex            e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Tue Jul 9 10:04:20 1996
From: Shepherd Rudie
To: "'firewalls@greatcircle.com'"
Subject: DNS leakage
Date: Tue, 9 Jul 1996 18:51:42 +0200

Hi,

I run a TIS FWTK Firewall on a Linux 1.2.13 machine. This machine also runs the DNS server for the "outside". On the "inside" there's an NT machine running BIND for internal DNS. The FW is set up to use the inside NS for lookups and the inside NS forwards all queries to the FW DNS server.

Problem is this: The last time my zone was transferred to my ISP, the INTERNAL names suddenly appeared on the internet! Of course this wrecked e-mail and other things as well, but how is this possible? How can the outside DNS provide the secondary with any information regarding the inside? BTW the inside network is not even accessible from the Internet (and thus the secondary DNS).

Any ideas?
Rudie

From firewalls-owner Tue Jul 9 10:22:31 1996
Date: Tue, 9 Jul 1996 09:52:57 -0700 (PDT)
From: Robert Hanson
To: Mark Stout
cc: firewalls@GreatCircle.COM
Subject: Re: Setting up an NT firewall
In-Reply-To: <199607091616.JAA07118@vpm.com>

www.microsoft.com
www.ntworld.com
www.emerald.iea.com

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications www.cet.com (509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Tue, 9 Jul 1996, Mark Stout wrote:

> Hi All:
>
>
> I'm looking for information on how best to install an NT server that will
> serve the Internet as a web server, but allow internal remote access to the
> NT server. Can anyone provide me with information or some places to look?
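The DNS leakage question above (internal names turning up in the zone the ISP's secondary pulled) is exactly the kind of thing worth catching before a zone is ever published. What follows is an added example, not code from the list or from any poster: a small audit of a BIND-style zone file in Python that flags records naming hosts under an internal subdomain or pointing at private (RFC 1918) addresses. The zone contents, the `internal` label and the hostnames are constructed assumptions.

```python
import ipaddress

# Constructed sample "outside" zone file, in the shape the DNS leakage question
# describes: a few legitimate public hosts, plus internal records that must not
# reach the ISP's secondary. Names and addresses are made up for illustration.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@            IN SOA   ns1.example.com. hostmaster.example.com. (
                      1996070901 ; serial
                      3600 900 604800 86400 )
@            IN NS    ns1.example.com.
@            IN MX 10 mail.example.com.
ns1          IN A     192.0.2.1
mail         IN A     192.0.2.2
www          IN A     192.0.2.3
fileserver.internal  IN A  10.1.2.3    ; leaked: inside host, private address
nt1          IN A     192.168.1.5      ; leaked: private address
intranet     IN CNAME fileserver.internal.example.com.
"""

# Address ranges that have no business in a zone served to the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "TXT", "SRV"}


def qualify(name, origin):
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata tokens) for each record in a BIND-style master
    file. Handles $ORIGIN, ';' comments, blank owner names that repeat the previous
    owner, and parenthesised multi-line records; it is deliberately not a full
    RFC 1035 parser, so unknown record types raise instead of being skipped."""
    origin, last_owner, records = ".", "@", []
    pending, depth, owner_given = "", 0, True
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not pending:
            if not line.strip():
                continue
            owner_given = not line[0].isspace()   # owner present only at column 0
        depth += line.count("(") - line.count(")")
        pending += " " + line
        if depth > 0:
            continue                              # still inside ( ... )
        tokens = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):             # $TTL and friends
            continue
        owner = tokens.pop(0) if owner_given else last_owner
        last_owner = owner
        # Optional TTL and class precede the type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        if not tokens or tokens[0].upper() not in RR_TYPES:
            raise ValueError(f"cannot parse record: {' '.join(tokens)!r}")
        rtype = tokens.pop(0).upper()
        records.append((qualify(owner, origin), rtype, tokens))
    return records


def audit_zone(text, internal_labels=("internal",)):
    """Return (owner, type, reason) for every record that would leak inside
    information if this zone were transferred to an outside secondary."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if any(label in internal_labels for label in owner.rstrip(".").split(".")):
            findings.append((owner, rtype, "owner name lies in an internal subdomain"))
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata[0])
            if any(addr in net for net in PRIVATE_NETS):
                findings.append((owner, rtype, f"points at private address {addr}"))
        elif rtype in ("CNAME", "NS", "MX", "PTR"):
            target = rdata[-1]                    # MX carries a preference first
            if any(label in internal_labels for label in target.rstrip(".").split(".")):
                findings.append((owner, rtype, f"target {target} is an internal name"))
    return findings


if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner:40} {rtype:6} {reason}")
```

The same check can be run over the output of a zone transfer from the outside server itself, which is the view the ISP's secondary actually gets.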
>
> Thanks,
> Mark
> ==========================================================================
> Mark Stout     | The Village Potpourri Mall: http://www.vpm.com/
> ---------------+----------------------------------------------------------
> VPM Enterprises; P.O.Box 6427; Folsom, CA 95763-6427
> Secured Internet Sales, Marketing and Advertising Specialist
> ==========================================================================
>

From firewalls-owner Tue Jul 9 10:34:34 1996
Date: Tue, 9 Jul 1996 09:53:23 -0700 (PDT)
From: Robert Hanson
To: Mark Stout
cc: firewalls@GreatCircle.COM
Subject: Re: Setting up an NT firewall
In-Reply-To: <199607091616.JAA07118@vpm.com>

oh... and try emailing daler@iea.com he is "truly" an nt expert...

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications www.cet.com (509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Tue, 9 Jul 1996, Mark Stout wrote:

> Hi All:
>
>
> I'm looking for information on how best to install an NT server that will
> serve the Internet as a web server, but allow internal remote access to the
> NT server. Can anyone provide me with information or some places to look?
>
> Thanks,
> Mark
> ==========================================================================
> Mark Stout     | The Village Potpourri Mall: http://www.vpm.com/
> ---------------+----------------------------------------------------------
> VPM Enterprises; P.O.Box 6427; Folsom, CA 95763-6427
> Secured Internet Sales, Marketing and Advertising Specialist
> ==========================================================================
>

From firewalls-owner Tue Jul 9 10:49:25 1996
Date: Tue, 9 Jul 96 12:22:45 -0400
Message-Id: <9607091622.AA12030@su1.in.net>
To: Rob Sansom
From: Frank Willoughby
Subject: Re: Threats and Nasty Emails
Cc: firewalls@GreatCircle.com

At 09:06 AM 7/9/96 -0700, Rob Sansom allegedly wrote:

>Although this is not really related to firewalls, I was wondering if
>anyone had a suggestion for a response to a belligerent individual who
>has been threatening to 'mail bomb' our site, as well as slander our
>company in the UK. Apparently, this person is very dissatisfied with the
>performance of the product that they purchased, and the resulting
>response from tech support. I guess that they got so frustrated that
>they sent a letter to 'root' at our site, and that's how I got involved.
>I am wondering if a response to the 'postmaster' or 'root' at their site
>would be a good idea, or should I just let it be. It's easy to block
>access from their net, but I would rather not do this.
>The net in
>question is 'intonet.co.uk' and I have tried 'whois' on the domain to no
>avail (to try to contact the net admin, God forbid this person should be
>the net admin!), and if anyone has any information on a contact at
>intonet.co.uk, I would greatly appreciate any information.

There are two issues here - business & security. In either case, I would not "let it be".

Business
========
How companies react to belligerent customers is a good barometer of their commitment to their customers (without which the company would soon fold). If the customer has a legitimate problem, then escalate it through channels to ensure that it is resolved to the customer's satisfaction. It is *very* important that you make the customer aware that the escalation of the problem is a result of normal business operations (ie - customer support) and NOT the result of any threats.

If the customer does not have a legitimate complaint, explain to the individual why the complaint is not valid. Try to see the issues from the customer's viewpoint and see if something could be misconstrued to cause the grief he is experiencing.

In any case, it is prudent to help a customer with a problem. Not because they make threats or whine, but because it is a good business practice.

Security
========
Regarding where you stand, here's my 2 cents worth:

Allegedly, the customer made threats to your organization. Proving this in a court of law will be difficult at best. All their lawyer has to do is mumble something about "mail spoofing" and make a feeble attempt to explain what it is and the burden of proof will be on you to prove (to a judge or a lay jury) that the customer did in fact send the mail. Without the cooperation of the local authorities & telecommunications provider, this will not be trivial.
If the customer persists after you have notified the local authorities & solicited the assistance of the telecom provider, then you will have more evidence (but you are still left with trying to explain this to a judge/jury). IMHO, if it got to court, a lot of things just went out of control. This should be defused long before it reaches the courts.

If it was me, I would contact the customer and ask the customer to explain what their problem is and promise to escalate their problem through channels to see that it is resolved one way or another. BTW, please ensure that you carry out your promise - otherwise this will further reflect (negatively) on your organization and the customer may (wrongly so) feel justified in carrying out threats.

After the customer has vented some steam by explaining to you what the problem is, politely point out that while you will escalate their problem through channels, you are not doing so as a result of their threats. I would also explain that while he made the threats in anger and probably didn't really wish to carry them out, that your company takes threats seriously and that if the threats persist, that you will contact the person's manager as well as the local authorities and turn over the evidence to them and prosecute to the fullest extent of the law. BTW, make sure that you have the support to back up your stated actions (ascertained by a brief discussion of the incident with management) and you have maintained "chain-of-custody" of the evidence to ensure that it has not been tampered with in any way. Also explain that if he desists in the threats and/or attempts to carry them out that you will drop the incident.

You probably already know this, but ensure that you have all of your ducks in a row before the problem gets escalated to management or the authorities.

BTW, mentioning the customer's name on the Internet didn't really do very much to defuse the situation.
Again, in a lawsuit, the burden of proof will be on you to prove that the person did indeed send the threats to you. Also, we don't have a "need-to-know" who the customer is. Who it is - is irrelevant. What they did isn't.

To summarize, speak softly & carry a big stick. Try to help the person as much as you can, but if they persist in the threats, escalate the situation to someone who can better deal with it (managers, authorities, attorneys, etc).

>Thanks in Advance,
>
>Rob Sansom
>Network Admin.
>Connectix Corp
>(415) 638-7398
>sansom@connectix.com

I hope the above was of some help to you.

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Tue Jul 9 11:40:49 1996
From: R Ghosh-Roy
Message-Id: <2645.9607091825@bips50.brunel.ac.uk>
Subject: Re: Threats and Nasty Emails
To: frankw@in.net (Frank Willoughby)
Date: Tue, 9 Jul 1996 19:25:45 +0100 (BST)
Cc: sansom@connectix.com, firewalls@GreatCircle.com
In-Reply-To: <9607091622.AA12030@su1.in.net> from "Frank Willoughby" at Jul 9, 96 12:22:45 pm

>
> At 09:06 AM
7/9/96 -0700, Rob Sansom allegedly wrote:
>
> >Although this is not really related to firewalls, I was wondering if
> >anyone had a suggestion for a response to a belligerent individual who
> >has been threatening to 'mail bomb' our site, as well as slander our
> >company in the UK. Apparently, this person is very dissatisfied with the
> >performance of the product that they purchased, and the resulting
> >response from tech support. I guess that they got so frustrated that
> >they sent a letter to 'root' at our site, and that's how I got involved.
> >I am wondering if a response to the 'postmaster' or 'root' at their site
> >would be a good idea, or should I just let it be. It's easy to block
> >access from their net, but I would rather not do this. The net in
> >question is 'intonet.co.uk' and I have tried 'whois' on the domain to no
> >avail (to try to contact the net admin, God forbid this person should be
> >the net admin!), and if anyone has any information on a contact at
> >intonet.co.uk, I would greatly appreciate any information.
>
> There are two issues here - business & security. In either case, I
> would not "let it be".
>
> Business
> ========
> Security
> ========
>
> To summarize, speak softly & carry a big stick. Try to help the
> person as much as you can, but if they persist in the threats,
> escalate the situation to someone who can better deal with it
> (managers, authorities, attorneys, etc).
>

As far as I can understand, the problem is not at a *personal* level. Therefore, the guy is arguing on behalf of his company which truly feels cheated. If your product didn't meet their requirements, it could be due to a variety of reasons. As Frank suggests, reason it out!

Have a nice day!

Rana

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ R.
Ghosh-Roy, Research Fellow @ BIPS                                        +
+ -- R.Ghosh-Roy@brunel.ac.uk -- Extension 2772                              +
+ --.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.-- +
+ All opinions stated are my own, and don't even vaguely resemble those of   +
+ Brunel University or Brunel Colleges. ;-)                                  +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Tue Jul 9 11:49:28 1996
From: long-morrow@CS.YALE.EDU
Date: Tue, 9 Jul 1996 14:34:06 -0400 (EDT)
Message-Id: <199607091834.OAA23298@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, sansom@connectix.com
Subject: Re: Threats and Nasty Emails

Rob Sansom Network Admin. Connectix Corp wrote:

>Although this is not really related to firewalls, I was wondering if
>anyone had a suggestion for a response to a belligerent individual who
>has been threatening to 'mail bomb' our site, as well as slander our
>company in the UK. Apparently, this person is very dissatisfied with the
>performance of the product that they purchased, and the resulting
>response from tech support. I guess that they got so frustrated that
>they sent a letter to 'root' at our site, and that's how I got involved.
>I am wondering if a response to the 'postmaster' or 'root' at their site
>would be a good idea, or should I just let it be. It's easy to block
>access from their net, but I would rather not do this.
>The net in
>question is 'intonet.co.uk' and I have tried 'whois' on the domain to no
>avail (to try to contact the net admin, God forbid this person should be
>the net admin!), and if anyone has any information on a contact at
>intonet.co.uk, I would greatly appreciate any information.

1) Socially, the first response is always to ask the individual calmly and privately to stop. Sounds like that has already been done in this case.

2) Next step is usually to contact the contact person(s) at their site. I did a telnet to info.ripe.net and found some information about Intonet ltd., their net and ISP. British Telecom is apparently their ISP (bt.net):

Interactive RIPE Whois Database server

inetnum:     194.73.231.0
netname:     BT-CUST-3
descr:       intonet ltd.
country:     GB
admin-c:     j bunyer
tech-c:      simon barnett
status:      ASSIGNED PA
changed:     Stewart.Mercer@bt.net 960319
source:      RIPE

route:       194.72.0.0/15
descr:       BTnet
origin:      AS2856
mnt-by:      BTNET-MNT
changed:     peter.willis@bt.net 951018
source:      RIPE

Here are two contacts at the company (both have the same email address on intonet.co.uk ) and their -- exactly the same -- phone number(s):

person:      j bunyer
address:     millbourne house
address:     66-70 coombe road
address:     new malden
address:     surrey
address:     uk
address:     kt3 4qw
phone:       +44 1819429214
fax-no:      +44 1819498033
e-mail:      bunny@intonet.co.uk
changed:     Stewart.Mercer@bt.net 960319
source:      RIPE

person:      simon barnett
address:     millbourne house
address:     66-70 coombe road
address:     new malden
address:     surrey
address:     uk
address:     kt3 4qw
phone:       +44 1819429214
fax-no:      +44 1819498033
e-mail:      bunny@intonet.co.uk
changed:     Stewart.Mercer@bt.net 960319
source:      RIPE

3) If contacting people at Intonet.co.uk doesn't work you might want to contact their ISP. Using the same whois search interface at info.ripe.net I found that the primary administrative contact at BT.NET was Nigel Titley ( Nigel.Titley@bt.net ) and the primary technical contact was Peter Willis ( peter.willis@bt.net ).
Here is the information in RIPE whois format for Nigel Titley:

person:   Nigel Titley
address:  PP201
address:  Network House
address:  Brindley Way
address:  Apsley
address:  Hemel Hempstead
address:  Herts
address:  HP3 9RR
phone:    +44 1442 237674
fax-no:   +44 1442 237728
e-mail:   Nigel.Titley@bt.net
nic-hdl:  NT13
notify:   Nigel.Titley@bt.net
changed:  Nigel.Titley@bt.net 950306
changed:  Nigel.Titley@bt.net 941223
changed:  N.Titley@axion.bt.co.uk 920128
changed:  Nigel.Titley@axion.bt.co.uk 940711
changed:  dfk@cwi.nl 920129
source:   RIPE

Here is the information in RIPE whois format for Peter Willis:

person:   Peter Willis
address:  PP201
address:  Network House
address:  Brindley Way
address:  Apsley
address:  Hemel Hempstead
address:  Herts
address:  HP3 9RR
address:  GB
phone:    +44 1442 237673
fax-no:   +44 1442 237728
e-mail:   peter.willis@bt.net
nic-hdl:  PW19-RIPE
changed:  nigel.titley@bt.net 950306
changed:  peter.willis@bt.net 941118
changed:  hostmaster@ripe.net 950815
source:   RIPE

4) The next step after talking to an ISP and getting no satisfaction would be to contact your legal staff. Successfully defending yourself against slander from someone on another continent would appear to be a daunting (and expensive) proposition. Perhaps someone with a better knowledge of English law....

5) As to technical solutions -- if you just want to block someone's email address (they can always change the email address their email comes from though): We've had real problems with obnoxious individuals abusing our e-mail->netnews gateway (subscribing the alias feeds for newsgroups to tens of Internet mailing lists etc. as part of some ongoing flame war in alt.gothic and alt.college.college-bowl, etc.). We created a spam filter which lets us block e-mail from being fed into our local mail2news gateway. It could possibly be adapted to serve as a sendmail->sendmail filter as well (or you can use it to frontend e-mail to aliases for your incoming email).
The README file is available via URLs:
ftp://ftp.cs.yale.edu/pub/long/src/network/security/spammerjammer-1.2.README
http://www.cs.yale.edu/pub/long/src/network/security/spammerjammer-1.2.README

The Gzipped tar file is available via URLs:
ftp://ftp.cs.yale.edu/pub/long/src/network/security/spammerjammer-1.2.tar.gz
http://www.cs.yale.edu/pub/long/src/network/security/spammerjammer-1.2.tar.gz

-----
H. Morrow Long, Mgr of Dev., Yale Univ., Comp Sci Dept, 011 AKW, New Haven, CT 06520-8285, VOICE: (203)-432-{1248,1254} FAX: (203)-432-0593

From firewalls-owner Tue Jul 9 12:42:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA11587 for firewalls-outgoing; Tue, 9 Jul 1996 12:21:22 -0700 (PDT)
Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA11568 for ; Tue, 9 Jul 1996 12:21:14 -0700 (PDT)
Received: from Barbara Jaarsma.us.checkpoint.com ([206.86.35.30]) by us.checkpoint.com (5.x/SMI-SVR4)
Message-Id: <31E2B16D.247A@us.checkpoint.com>
Date: Tue, 09 Jul 1996 12:22:21 -0700
From: Barbara Jaarsma
Organization: CheckPoint Software Technologies, Inc. Technical Services
X-Mailer: Mozilla 2.0 (Win95; U)
Mime-Version: 1.0
To: sansom@connectix.com
Cc: firewalls@greatcircle.com
Subject: email bombing
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rob -

This happened to me some months ago at a different company. I immediately escalated it through my management to our CEO, who contacted the CEO of the person who made the threat (and, as it turned out, actually carried it out and brought down our corporate net). He was fired on the spot, and another individual was assigned to work with us to resolve the issues.
As it turned out, there *were* no issues - simply a bully who didn't have a clue what he was doing and didn't understand either the manuals or our verbal walk-throughs...

These people are bottom feeders and do not belong in positions of authority. There are plenty of windows and toilets to clean, and that is all they're fit for.

Note that the preceding opinion is my own, and the actions were taken by a different employer, and in no way represents the opinions and/or potential actions of my current employer. (But the only way to get rid of a cockroach is to squish it...)

-Barb

From firewalls-owner Tue Jul 9 12:49:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12466 for firewalls-outgoing; Tue, 9 Jul 1996 12:35:33 -0700 (PDT)
Received: from lokkur.dexter.mi.us (lokkur.dexter.mi.us [148.59.2.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA12443 for ; Tue, 9 Jul 1996 12:35:22 -0700 (PDT)
Received: (from scs@localhost) by lokkur.dexter.mi.us (8.7.5/8.7.5/lokkur-1.1-scs) id PAA08735; Tue, 9 Jul 1996 15:32:31 -0400 (EDT)
To: firewalls@GreatCircle.COM
Path: lokkur.dexter.mi.us!not-for-mail
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Newsgroups: local.firewalls
Subject: Re: Threats and Nasty Emails
Date: 9 Jul 1996 15:32:31 -0400
Organization: Inland Sea
Lines: 22
Distribution: local
Message-ID: <4ruc4f$8gs@lokkur.dexter.mi.us>
References: <9607091622.AA12030@su1.in.net>
X-Newsreader: NN version 6.5.0 CURRENT #2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Willoughby writes:
>At 09:06 AM 7/9/96 -0700, Rob Sansom allegedly wrote:
>>Although this is not really related to firewalls, I was wondering If
>>anyone had a suggestion for a response to a belligerent individual who
>>has been threatening to 'mail bomb' our site, as well as slander our
>>company in the UK. . . .
Frank writes some good advice, and then says:
>If the customer does not have a legitimate complaint, explain to the
>individual why the complaint is not valid. . . .

Absolutely not. You're a sysadmin, not customer support or a service bureau for outside things. Take the issues to your management, and let them deal with it. You shouldn't in any way contact the customer.
--
``You gotta distinguish between telling a tale for amusement, as in "Well, there I was facing down the crowds at Riotcon...", and telling it for the record, as in "Well, you see, officer, it happened like this...". (Actually, that might not be the best example.)'' -- Chris Clayton, in private email

From firewalls-owner Tue Jul 9 15:04:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA21147 for firewalls-outgoing; Tue, 9 Jul 1996 14:48:24 -0700 (PDT)
Received: from zoltar.cse.ucsc.edu (zoltar.cse.ucsc.edu [128.114.134.133]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA21138 for ; Tue, 9 Jul 1996 14:48:18 -0700 (PDT)
Received: (from clay@localhost) by zoltar.cse.ucsc.edu (8.6.10/8.6.9) id OAA24288; Tue, 9 Jul 1996 14:45:48 -0700
Date: Tue, 9 Jul 1996 14:45:47 -0700 (PDT)
From: Clay Shields
To: Firewalls@GreatCircle.COM
Subject: Quality of Service and firewalls
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was wondering if there has been any discussion about implementing a quality of service guarantee protocol (such as RSVP) on a firewall. It seems to me that a firewall has the potential to become a bottleneck. Because of this the reservation protocol would have to run on the firewall as well, and any connection forming would have to reserve resources at the firewall.
This would lead to different priorities of filtering (and perhaps proxying) which might require several passes at the packet - one first to allocate an incoming packet to a priority queue, then others to determine the fate of the packet. In addition, it might enable a "denial of quality of service" attack, in which bombarding the firewall would degrade its performance such that it could no longer provide the level of service required.

Are there any vendors addressing these questions?

Clay

From firewalls-owner Tue Jul 9 17:34:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA27956 for firewalls-outgoing; Tue, 9 Jul 1996 17:23:04 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA27949 for ; Tue, 9 Jul 1996 17:22:58 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id RAA25701 for ; Tue, 9 Jul 1996 17:22:53 -0700
Date: Tue, 9 Jul 1996 17:17:04 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: Re: Threats and Nasty Emails
In-Reply-To: <9607091622.AA12030@su1.in.net>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 9 Jul 1996, Frank Willoughby wrote:
> Allegedly, the customer made threats to your organization. Proving this
> in a court of law will be difficult at best. All their lawyer has to do
> is mumble something about "mail spoofing" and make a feeble attempt to
> explain what it is and the burden of proof will be on you to prove (to
> a judge or a lay jury) that the customer did in fact send the mail.

This is easier than you think.
If you print out copies of all messages with full headers as well as your log files then you may find that the courts accept that as conclusive proof. There have been cases in the USA where such evidence was accepted. You should make sure to do the printouts immediately in front of witnesses and then have them notarized. These have as much legal standing as dated notes taken in your handwriting in conjunction with testimony to the effect that you saw something and then noted it on paper soon after the event took place. On the other hand if you don't do your printouts until the day before the trial, expect them to be given much less serious consideration. BTW I am not a lawyer.

> If it was me, I would contact the customer and ask the customer to
> explain what their problem is and promise to escalate their problem
> through channels to see that it is resolved one way or another.

Most people just refund the money, maybe send them some sort of gift as well.

Michael Dillon ISP & Internet Consulting
Memra Software Inc. Fax: +1-604-546-3049
http://www.memra.com E-mail: michael@memra.com

From firewalls-owner Wed Jul 10 02:49:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA14703 for firewalls-outgoing; Wed, 10 Jul 1996 02:40:17 -0700 (PDT)
Received: from pinelands.oldmutual.com (pinelands.oldmutual.co.za [196.22.118.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA14696 for ; Wed, 10 Jul 1996 02:39:57 -0700 (PDT)
Received: by pinelands.oldmutual.com; id AA03732; Wed, 10 Jul 96 11:35:14+020
Received: from mail(160.123.45.3) by pinelands.oldmutual.com via smap (V3.1)
Received: from inv735524 ([160.123.1.81]) by internet_mail.oldmutual.com
Message-Id: <31E37948.311A@oldmutual.com>
Date: Wed, 10 Jul 1996 11:35:04 +0200
From: jbarnes@oldmutual.com (Jay Barnes)
Organization: Old Mutual
X-Mailer: Mozilla 2.0Eb1-OM (WinNT; I)
Mime-Version: 1.0
To: firewalls
Subject: Re: Gauntlet - How good is it?
References: <9606280743.AA15395@spibm02>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rolf Weber wrote:
>
> > > > We run Gauntlet 3.1.1 on a TIS supplied PC.
> > We have the following major problems (I'll spare you the list of
> > minor troubles we are having.)
> > 1) Slow HTTP access (A complicated page read on a machine inside
> > the firewall can take 2-4 times longer than the same page read outside the
> > firewall)
> > 2) Internet Explorer 2.0, on Windows 95 can not be used to access
> > most Secure HTTP sites.
> >
> i'm running the fwtk and don't have such problems.
> did you ask TIS for patches?
> are you sure the proxy makes it slow and not your net?
> are you sure the proxy makes it slow and not your PC?
>
> another point:
> even if you'd be right with your complaints, you're obviously missing
> the point of firewalls.
> security is the first and foremost goal.
>
> rolf
>
--We speeded up internal web serving by several 100% just by configuring the "no proxy for" element in Netscape.

Jay

From firewalls-owner Wed Jul 10 03:19:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA15416 for firewalls-outgoing; Wed, 10 Jul 1996 03:02:53 -0700 (PDT)
Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA15402 for ; Wed, 10 Jul 1996 03:02:44 -0700 (PDT)
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id LAA04419 for ; Wed, 10 Jul 1996 11:58:08 +0200 (MET DST)
X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh)
MIME-Version: 1.0
Message-Id: <9607101200.AA18414@pamela.sic.se>
Date: Wed, 10 Jul 1996 12:00:18 +0100
From: "Stefan Berg"
To: firewalls@GreatCircle.com
Subject: News-proxy for TIS fwtk?
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

do you have any information on how to set up a News proxy for the TIS firewall toolkit?

/Stefan
stefan@sic.se

From firewalls-owner Wed Jul 10 03:34:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA17113 for firewalls-outgoing; Wed, 10 Jul 1996 03:30:45 -0700 (PDT)
Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA17100 for ; Wed, 10 Jul 1996 03:30:36 -0700 (PDT)
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id MAA04520 for ; Wed, 10 Jul 1996 12:26:08 +0200 (MET DST)
X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh)
MIME-Version: 1.0
Message-Id: <9607101228.AA19529@pamela.sic.se>
Date: Wed, 10 Jul 1996 12:28:19 +0100
From: "Stefan Berg"
To: firewalls@GreatCircle.com
Subject: Re: Gauntlet - How good is it?
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Rolf Weber wrote:
> >
> > > > > We run Gauntlet 3.1.1 on a TIS supplied PC.
> > > We have the following major problems (I'll spare you the list of
> > > minor troubles we are having.)
> > > 1) Slow HTTP access (A complicated page read on a
> > > machine inside the firewall can take 2-4 times longer than the
> > > same page read outside the firewall)
> > > 2) Internet Explorer 2.0, on Windows 95 can not be used
> > > to access most Secure HTTP sites.
> > >
> > i'm running the fwtk and don't have such problems.
> > did you ask TIS for patches?
> > are you sure the proxy makes it slow and not your net?
> > are you sure the proxy makes it slow and not your PC?
> > another point:
> > even if you'd be right with your complaints, you're obviously missing
> > the point of firewalls.
> > security is the first and foremost goal.
> > rolf
> >
> --We speeded up internal web serving by several 100% just by
> configuring the "no proxy for" element in Netscape.
>
> Jay
>

We are having the exact same situation, and increased speed a little by adding the "No proxy for"-option. BUT even before we did so we had quite a small difference in response times and HTTP access in general compared to external sites.

My suggestion is that you go through your network in detail to check your DNS configuration. Our biggest advantage was installing a switch to separate different network sections from each other. Now THAT really gave us better internal speed :)

/Stefan

From firewalls-owner Wed Jul 10 03:45:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA16510 for firewalls-outgoing; Wed, 10 Jul 1996 03:18:43 -0700 (PDT)
Received: from mog.ucd.ie (mog.ucd.ie [193.1.143.84]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA16450 for ; Wed, 10 Jul 1996 03:18:22 -0700 (PDT)
Message-Id: <199607101018.DAA16450@miles.greatcircle.com>
Received: from mog.ucd.ie by mog.ucd.ie id <16488-0@mog.ucd.ie>;
To: firewalls-digest@GreatCircle.COM
Subject: Re: DNS leakage
Cc: ShepherdR@Aforbes.co.za
Date: Wed, 10 Jul 1996 11:18:30 +0100
From: Louis Twomey
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

This configuration works fine for me on two Linux 1.2.13 machines running bind-4.9.3-B9. Is there perhaps some reference in your named.boot file, on your external nameserver, to your internal nameserver (e.g. a secondary entry pointing at your internal nameserver) ?
The following is the configuration that I use for the site xyz.ie :

Proxy server/External nameserver (IP address 1.2.3.4) :
-----------------------------------------------------
named.boot :
    :
    primary    xyz.ie    xyz-external.hosts
    :

resolv.conf :
    domain xyz.ie
    nameserver 192.168.1.10


Internal nameserver (IP address 192.168.1.10) :
---------------------------------------------
named.boot :
    :
    primary    xyz.ie    xyz-internal.hosts
    secondary  xyz.ie    1.2.3.4    xyz-external.hosts
    :
    forwarders 1.2.3.4

resolv.conf :
    domain xyz.ie
    nameserver 127.0.0.1

While on this topic, I would like to pose my own question. I have the same configuration as above running on two Dec Alpha machines (running Digital Unix 3.2D), and both machines are running bind-4.9.3-REL. When the internal nameserver loads the data for the secondary (external) domain xyz.ie, this overwrites the data for the primary (internal) domain xyz.ie in memory, and the machine can subsequently no longer resolve queries on this primary domain. Has anyone seen, and resolved, this problem with either this platform or with this version of bind ? I have already addressed this question to the bind-users mailing list twice, but I receive mail only intermittently from this list and either no-one replied or these replies fell through the cracks (except, that is, for a few replies which questioned my sanity for wanting to implement such a named configuration).

Regards,
Louis Twomey, Computer Centre, University College Dublin, Ireland.

> Hi,
>
> I run a TIS FWTK Firewall on a Linux 1.2.13 machine. This machine also
> runs the DNS server for the "outside". On the "inside" there's an NT
> machine running BIND for internal DNS. The FW is set up to to use the
> inside NS for lookups and the inside NS forwards all queries to the FW
> DNS server.
>
> Problem is this:
> The last time my zone was transferred to my ISP, the INTERNAL names
> suddenly appeared on the internet!
> Of course this wrecked e-mail and
> other things as well, but how is this possible? How can the outside DNS
> provide the secondary with any information regarding the inside? BTW the
> inside network is not even accessible from the Internet (and thus the
> secondary DNS). Any ideas?
>
> Rudie

From firewalls-owner Wed Jul 10 04:35:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA20355 for firewalls-outgoing; Wed, 10 Jul 1996 04:04:07 -0700 (PDT)
Received: from stingray.ivision.co.uk (stingray.ivision.co.uk [194.154.62.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA20317 for ; Wed, 10 Jul 1996 04:03:52 -0700 (PDT)
Received: from stingray.ivision.co.uk [194.154.62.8]
Date: Wed, 10 Jul 1996 11:57:09 +0100 (BST)
From: Neil A Carson
To: Stefan Berg
cc: firewalls@GreatCircle.com
Subject: Re: News-proxy for TIS fwtk?
In-Reply-To: <9607101200.AA18414@pamela.sic.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jul 1996, Stefan Berg wrote:
> Hi there,
>
> do you have any information on how to set up a News proxy
> for the TIS firewall toolkit?

I assumed with TIS that the way they "intended" to do this on the firewall itself was to use plug-gw to plug the NNTP connection through the firewall to a secure external news server.

Yours Aye,
Neil

* Neil A Carson * Internet Vision Ltd.
* E-Mail: neil@ivision.co.uk, Phone: (0171) 589 4500

From firewalls-owner Wed Jul 10 04:49:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA23208 for firewalls-outgoing; Wed, 10 Jul 1996 04:39:18 -0700 (PDT)
Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA23177 for ; Wed, 10 Jul 1996 04:39:02 -0700 (PDT)
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id NAA04702 for ; Wed, 10 Jul 1996 13:34:33 +0200 (MET DST)
X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh)
MIME-Version: 1.0
Message-Id: <9607101336.AA44474@pamela.sic.se>
Date: Wed, 10 Jul 1996 13:36:44 +0100
From: "Stefan Berg"
To: firewalls@GreatCircle.com
Subject: Re: News-proxy for TIS fwtk?
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Great thanks to Shepherd Rudie and Jean-Francois Zwobada for your help. My news works just fine now :)

/Stefan

From firewalls-owner Wed Jul 10 05:04:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA22634 for firewalls-outgoing; Wed, 10 Jul 1996 04:27:48 -0700 (PDT)
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA22624 for ; Wed, 10 Jul 1996 04:27:38 -0700 (PDT)
Received: from x.pica.army.mil by scruz.net (8.7.3/1.34)
Date: Wed, 10 Jul 96 07:32:31 PST
From: rich
Subject: Looking for "hot shot" - security consultant
To: firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6.3, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will make this brief -

My company is looking for someone to be a senior security consultant. lots of travel, but really good money.
You need to be good at Unix, security, NT, Internet, etc (if you have the experience, you will know!) You must also be a good public speaker, as many times you will be doing seminars and not just consulting.

If interested, drop me email for more details. (I did not want to clutter this list too much...)

Thanks,
Rich Fitzgerald
Berntein & Associates
(408) 456-0430
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
** Remember -- Life is NOT a dress rehearsal! (nor is it a small furry animal with funny feet and floppy ears...)

From firewalls-owner Wed Jul 10 05:04:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA20896 for firewalls-outgoing; Wed, 10 Jul 1996 04:09:32 -0700 (PDT)
Received: from igubu.saix.co.za (igubu.saix.net [196.25.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA20868 for ; Wed, 10 Jul 1996 04:09:15 -0700 (PDT)
Received: from afjhb1exch1.aforbes.co.za
Received: by afjhb1exch1.aforbes.co.za with Microsoft Exchange (IMC 4.0.837.3)
Message-ID:
From: Shepherd Rudie
To: "'Stefan Berg'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: News-proxy for TIS fwtk?
Date: Wed, 10 Jul 1996 13:08:47 +0200
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Set up a plug-gw to point to your news server and have all your newsreaders point to the firewall as the news server:

netperm-table:

    plug-gw: port nntp *.inside.com -plug-to news.your-isp.com -port nntp

Hope it helps!

Rudie

>----------
>From: Stefan Berg[SMTP:stefan@sic.se]
>Sent: Wednesday, July 10, 1996 1:00 PM
>To: firewalls@GreatCircle.com
>Subject: News-proxy for TIS fwtk?
>
>
>Hi there,
>
>do you have any information on how to set up a News proxy
>for the TIS firewall toolkit?
>
>/Stefan
>stefan@sic.se
>
>

From firewalls-owner Wed Jul 10 05:19:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA25010 for firewalls-outgoing; Wed, 10 Jul 1996 05:04:58 -0700 (PDT)
Received: from pink.webfactory.ie ([194.106.133.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA24986; Wed, 10 Jul 1996 05:04:37 -0700 (PDT)
Received: (from root@localhost) by pink.webfactory.ie (8.7.5/8.7.3) id NAA15149; Wed, 10 Jul 1996 13:02:07 +0100
Received: from blonde.webfactory.ie(194.106.133.194) by pink.webfactory.ie via smap (V1.3)
Received: by webfactory.ie (Smail3.1.29.1 #3)
Received: from purple.webfactory.ie(194.106.133.195) by blonde.webfactory.ie via smap (V1.3)
Date: Wed, 10 Jul 1996 13:03:14 +0100 (BST)
From: simon
Reply-To: simon
Subject: Re: DNS leakage
To: firewalls@GreatCircle.COM
cc: firewalls-digest@GreatCircle.COM
In-Reply-To: <199607101018.DAA16450@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The following is the configuration that I use for the site xyz.ie :
>
> Proxy server/External nameserver (IP address 1.2.3.4) :
> -----------------------------------------------------
> named.boot :
>     :
>     primary    xyz.ie    xyz-external.hosts
>     :
>
> resolv.conf :
>     domain xyz.ie
>     nameserver 192.168.1.10
>
>
> Internal nameserver (IP address 192.168.1.10) :
> ---------------------------------------------
> named.boot :
>     :
>     primary    xyz.ie    xyz-internal.hosts
>     secondary  xyz.ie    1.2.3.4    xyz-external.hosts
>     :
>     forwarders 1.2.3.4
>
> resolv.conf :
>     domain xyz.ie
>     nameserver 127.0.0.1
>

Hi,

We also have a similar setup - but with some differences:

The named.boot file on the internal server should also contain a "slave" line - so that the internal server does not attempt to contact any other DNS servers, regardless of how slow the external server (1.2.3.4) may be.
This situation should also be strengthened by having the relevant packet filters in place - so that the internal server should not be able to contact any servers other than the external 1.2.3.4, and so that no zone transfer can take place from the internal machine to any external hosts.

The external server's resolv.conf should have a xfernets directive so that only trusted external hosts can do a zone transfer.

I don't think that there is any point in having the internal act as a secondary to the external server. The internal server should have DNS entries for all the machines on the network - and the external one should have just those entries for machines that have direct (ie non-proxied) access to the internet. Hence there is no need for the internal server to act as a secondary for the external server - so the internal data would not be overwritten by the (superfluous) secondary data.

>
> While on this topic, I would like to pose my own question. I have the same
> configuration as above running on two Dec Alpha machines (running Digital
> Unix 3.2D), and both machines are running bind-4.9.3-REL. When the
> internal nameserver loads the data for the secondary (external) domain
> xyz.ie, this overwrites the data for the primary (internal) domain xyz.ie in
> memory, and the machine can subsequently no longer resolve queries on this
> primary domain. Has anyone seen, and resolved, this problem with either
> this platform or with this version of bind ? I have already addressed this
> question to the bind-users mailing list twice, but I receive mail only
> intermittently from this list and either no-one replied or these replies
> fell through the cracks (except, that is, for a few replies which questioned
> my sanity for wanting to implement such a named configuration).
>
>
> > Hi,
> >
> > I run a TIS FWTK Firewall on a Linux 1.2.13 machine. This machine also
> > runs the DNS server for the "outside".
> > On the "inside" there's an NT
> > machine running BIND for internal DNS. The FW is set up to to use the
> > inside NS for lookups and the inside NS forwards all queries to the FW
> > DNS server.
> >
> > Problem is this:
> > The last time my zone was transferred to my ISP, the INTERNAL names
> > suddenly appeared on the internet! Of course this wrecked e-mail and
> > other things as well, but how is this possible? How can the outside DNS
> > provide the secondary with any information regarding the inside? BTW the
> > inside network is not even accessible from the Internet (and thus the
> > secondary DNS). Any ideas?
> >
> > Rudie

Cheers,
Simon Walsh
Webfactory Ltd.

From firewalls-owner Wed Jul 10 05:24:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA20712 for firewalls-outgoing; Wed, 10 Jul 1996 04:07:27 -0700 (PDT)
Received: from ns.NL.net (ns.NL.net [193.78.240.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA20688 for ; Wed, 10 Jul 1996 04:07:03 -0700 (PDT)
Received: from lcnnl by ns.NL.net via EUnet
Received: from ge (ge.lcn.nl [192.168.214.20]) by gate.lcn.nl (8.6.12/8.6.12) with SMTP id MAA10525 for ; Wed, 10 Jul 1996 12:34:53 +0200
Message-Id: <199607101034.MAA10525@gate.lcn.nl>
Comments: Authenticated sender is
From: "Ge' Weijers"
Organization: LCN Planning/Scheduling BV
To: Firewalls@GreatCircle.COM
Date: Wed, 10 Jul 1996 12:38:20 MET
Subject: Re: email bombing
Reply-To: g.weijers@lcn.nl
X-Mailer: Pegasus Mail for Windows (v2.30)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Tue, 09 Jul 1996 12:22:21 -0700
> From: Barbara Jaarsma
> Subject: email bombing
>
> These people are bottom feeders and do not belong in positions of
> authority. There are plenty of windows and toilets to clean, and that
> is all they're fit for.

People cleaning your company's windows and toilets are a definite security risk. Recruiting misfits does not seem to be the perfect strategy.
Ge

Ge' Weijers                    tel. +31-24-3812212
LCN Planning/Scheduling BV     fax. +31-24-3238074
E-mail: ge@lcn.nl
#include

From firewalls-owner Wed Jul 10 05:34:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA26281 for firewalls-outgoing; Wed, 10 Jul 1996 05:18:33 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA26255 for ; Wed, 10 Jul 1996 05:18:23 -0700 (PDT)
Received: from pm1-16.in.net by su1.in.net with SMTP (5.65/1.2-eef)
Date: Wed, 10 Jul 96 07:14:23 -0400
Message-Id: <9607101114.AA14010@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: Threats and Nasty Emails
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 03:32 PM 7/9/96 -0400, scs@lokkur.dexter.mi.us (Steve Simmons) allegedly wrote:
>Frank Willoughby writes:
>Frank writes some good advice, and then says:
>
>>If the customer does not have a legitimate complaint, explain to the
>>individual why the complaint is not valid. . . .
>
>Absolutely not. You're a sysadmin, not customer support or a service
>bureau for outside things. Take the issues to your management, and
>let them deal with it. You shouldn't in any way contact the customer.
>--

Steve is, of course, absolutely right on this. I should have said "a customer support representative should explain..."

Thanks for clarifying this point.

Best Regards,
Frank

Any sufficiently advanced bug is indistinguishable from a feature. -- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc.
- Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Wed Jul 10 05:37:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA21903 for firewalls-outgoing; Wed, 10 Jul 1996 04:17:03 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA21818 for ; Wed, 10 Jul 1996 04:16:29 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id NAA02811; Wed, 10 Jul 1996 13:10:19 +0200 (MET DST)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr (4.1/SMI-4.1)
Message-Id: <31E38F8E.7766@apogee-com.fr>
Date: Wed, 10 Jul 1996 13:10:06 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02 (Win95; I)
Mime-Version: 1.0
To: Stefan Berg
Cc: firewalls@GreatCircle.com
Subject: Re: News-proxy for TIS fwtk?
References: <9607101200.AA18414@pamela.sic.se>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just use the plug-gw as this

    plug-gw: port nntp InternalNewsServer -plug-to ExternalNewsServer -port nntp
    plug-gw: port nntp ExternalNewsServer -plug-to InternalNewsServer -port nntp

This will allow both servers to initiate a connection on the port 119 restricting this connection to the other server.

Make sure you have a plug-gw proxy or netacl running and listening on this port.
Jean-Francois
--
______________________
Jean-Francois Zwobada
Apogee Communications    Tel : +33 (1) 69 85 56 47
Parc Club Universite     Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex        e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Wed Jul 10 05:42:12 1996
Date: Wed, 10 Jul 1996 04:18:21 -0700 (PDT)
From: girsch@marben.com (Arnaud Girsch)
Organization: Marben Products, Inc.
To: twomey@mog.ucd.ie (Louis Twomey)
Cc: firewalls-digest@GreatCircle.COM
Subject: Re: DNS leakage

> Internal nameserver (IP address 192.168.1.10) :
> ---------------------------------------------
> named.boot :
>     :
>     primary    xyz.ie   xyz-internal.hosts
>     secondary  xyz.ie   1.2.3.4   xyz-external.hosts
>     :
>     forwarders 1.2.3.4
> [...]
> Unix 3.2D), and both machines are running bind-4.9.3-REL. When the internal
> nameserver loads the data for the secondary (external) domain xyz.ie, this
> overwrites the data for the primary (internal) domain xyz.ie in memory, and
> the machine can subsequently no longer resolve queries on this primary
> domain. Has anyone seen, and resolved, this problem with either this platform
> or with this version of bind ?

That's normal behaviour, as you shouldn't be both primary and secondary at the same time. The last declaration replaces the first declaration.

Both primary and secondary seem buggy, to me. You can't have both of them on the same NS.

This is not a working solution, AFAIK ...

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Wed Jul 10 06:04:26 1996
Date: Wed, 10 Jul 1996 05:19:50 -0700 (PDT)
From: Blast
To: Louis Twomey
cc: firewalls-digest@GreatCircle.COM, ShepherdR@Aforbes.co.za
Subject: Re: DNS leakage

On Wed, 10 Jul 1996, Louis Twomey wrote:

[deleted]

> > Problem is this:
> > The last time my zone was transferred to my ISP, the INTERNAL names
> > suddenly appeared on the internet! Of course this wrecked e-mail and
> > other things as well, but how is this possible? How can the outside DNS
> > provide the secondary with any information regarding the inside? BTW the
> > inside network is not even accessible from the Internet (and thus the
> > secondary DNS). Any ideas?

There are other places worth talking about here when it comes to internal host names leaking.

1) If you run a News server, most clients, when you do a post, will attach the hostname of the user. Unlike the SMTP leak, this includes all PCs and Macintoshes on the inside.
2) When you send mail, of course all the envelopes, unless you re-write them, will contain the hostnames in the 'Received by' lines.

3) Once you have zones that are picked up by a secondary somewhere out on the net, you can consider it disclosed. What I mean by this is that there are many ways for someone to get hostnames from your external DNS, so just consider it disclosed as most of us have.

Point number 1 was all I was going to post and if anyone knows of a way for it to stop leaking, I would like to hear it.

Thanks,
--blast

Tim Keanini, aka blast
"The limits of my language, are the limits of my world." --Ludwig Wittgenstein
Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6
PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html

From firewalls-owner Wed Jul 10 06:22:07 1996
Date: Wed, 10 Jul 1996 09:03:44 -0400 (EDT)
From: "Gary G. Hull"
Reply-To: ggh14854@ussun2f.glaxo.com
To: firewalls
Subject: Web Server on DMZ

I realize this is not firewalls related but thought I might get the best answer(s) by asking this group.

What would be the security implications of moving our WEB Server to the DMZ? What would be the best way to make it secure?

We would like to do this for performance reasons. Would having a box dedicated to WEB traffic located on the DMZ offer added performance to our WEB traffic?

Thanks in advance for your assistance, opinions and information.

As a corollary to these questions, what is the real throughput one could expect from the TIS Gauntlet for Web Traffic?

Again thanks.

Gary G. Hull - Technical Consultant

From firewalls-owner Wed Jul 10 06:49:57 1996
Date: Wed, 10 Jul 1996 09:29:54 +0000
From: "Irwin Lazar"
Organization: Network Evolutions
Reply-To: lazar@netevolve.com
To: firewalls@greatcircle.com
Subject: Well Known Port Numbers

Greetings all:

I'm trying to find the well known TCP and UDP port numbers to allow access to Usenet and WAIS but can't seem to find them in any of the reference materials I have. Does anyone know of or have this information?

Thanks.

Irwin M. Lazar
Network Evolutions, Inc.
lazar@netevolve.com

From firewalls-owner Wed Jul 10 07:09:53 1996
Date: Wed, 10 Jul 96 14:19:46 PDT
From: howells@Welsh-Ofce.gov.uk
To: Firewalls@GreatCircle.COM
Subject: RE: Firewalls-Digest V5 #411

Rob

A quick trip into Netscape - http://www.intonet.co.uk - shows that Intonet is a small UK service provider based in London. It's not clear from your posting what product this person/company purchased, but it is quite possible that the person has nothing to do with Intonet as a company.

I would suggest passing the buck to your tech. support people with a note that this guy is not happy while simultaneously contacting Intonet (with your management's approval) to let them know what is going on (if he is 'internal' it will ring alarm bells with his senior management, while if he is a customer they may wish to monitor the threats he's making).

--Original Message--
Date: Tue, 9 Jul 1996 09:06:09 -0700
From: Rob Sansom
Subject: Threats and Nasty Emails

Although this is not really related to firewalls, I was wondering if anyone had a suggestion for a response to a belligerent individual who has been threatening to 'mail bomb' our site, as well as slander our company in the UK.

Apparently, this person is very dissatisfied with the performance of the product that they purchased, and the resulting response from tech support. I guess that they got so frustrated that they sent a letter to 'root' at our site, and that's how I got involved.

I am wondering if a response to the 'postmaster' or 'root' at their site would be a good idea, or should I just let it be. It's easy to block access from their net, but I would rather not do this.

The net in question is 'intonet.co.uk' and I have tried 'whois' on the domain to no avail (to try to contact the net admin, God forbid this person should be the net admin!), and if anyone has any information on a contact at intonet.co.uk, I would greatly appreciate any information.

Thanks in Advance,

Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com
--End of Original Message--

These views are my own and do not represent the views of my Department.

Regards
Jerry
-------------------------------------
Name: Jeremy P Howells
E-mail: howells@welsh-ofce.gov.uk
Time: 14:19:47  Date: 07/10/96
Tel: (UK) 01222 825754  Fax: (UK) 01222 825852
------------------------------------

From firewalls-owner Wed Jul 10 07:19:46 1996
Date: Wed, 10 Jul 96 09:00:00 CST
From: "John M. Shaw"
To: firewalls@GreatCircle.com
Subject: Newbie Cisco Access-List Question

Assuming 2 lines with same source, s-mask, dest, and d-mask:

access-list 101 permit tcp source s-mask dest d-mask gt 1023
access-list 101 deny tcp source s-mask dest d-mask eq 2049

Which one takes precedence? Does the order matter?

Any help would be greatly appreciated.

From firewalls-owner Wed Jul 10 07:49:27 1996
Date: Wed, 10 Jul 1996 15:38:13 +0100 (BST)
From: Neil A Carson
To: Irwin Lazar
cc: firewalls@greatcircle.com
Subject: Re: Well Known Port Numbers

On Wed, 10 Jul 1996, Irwin Lazar wrote:

> Greetings all:
>
> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?

On a unix box, try looking in /etc/services. Or use the NIS services file, by typing ypcat services. This yields

z39.50  210/tcp  wais    #ANSI Z39.50
z39.50  210/udp  wais    #ANSI Z39.50
nntp    119/tcp  usenet  #Network News Transfer Protocol
nntp    119/udp  usenet  #Network News Transfer Protocol

on a FreeBSD box here. Unless of course you have stripped down the services file (which one would do in building a firewall anyway).

Yours Aye,
Neil

* Neil A Carson
* Internet Vision Ltd.
* E-Mail: neil@ivision.co.uk, Phone: (0171) 589 4500

From firewalls-owner Wed Jul 10 08:04:38 1996
Date: Wed, 10 Jul 1996 10:33:56 -0400
From: Miller Robert RC
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Threats and Nasty Emails

> >>At 09:06 AM 7/9/96 -0700, Rob Sansom allegedly wrote:
>
> >>>>Although this is not really related to firewalls, I was wondering if
> >>>>anyone had a suggestion for a response to a belligerent individual who
> >>>>has been threatening to 'mail bomb' our site, as well as slander our
> >>>>company in the UK. . . .
>
> >>Frank writes some good advice, and then says:
> >>>If the customer does not have a legitimate complaint, explain to the
> >>>individual why the complaint is not valid. . . .

Chris responded:

>>Absolutely not. You're a sysadmin, not customer support or a service
>>bureau for outside things. Take the issues to your management, and
>>let them deal with it. You shouldn't in any way contact the customer.

What Chris says is absolutely correct! You shouldn't even respond to the person's note without passing it on to your management, Legal Department, PR department, Customer Service Department or whatever (depending on how big your company is). Even then, it should not be for you to respond, but for one of them. Leave that to the people who get paid to deal with the customers...
Bob Miller
millerrc@zen.com
Zeneca Pharmaceuticals, Inc.

From firewalls-owner Wed Jul 10 08:20:35 1996
Date: Wed, 10 Jul 1996 07:56:43 -0700 (PDT)
From: Robert Hanson
To: Irwin Lazar
cc: firewalls@GreatCircle.COM
Subject: Re: Well Known Port Numbers

wais  210
nntp  119

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications  www.cet.com  (509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Wed, 10 Jul 1996, Irwin Lazar wrote:

> Greetings all:
>
> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?
>
> Thanks.
> Irwin M. Lazar
> Network Evolutions, Inc.
> lazar@netevolve.com
>

From firewalls-owner Wed Jul 10 08:31:01 1996
Date: Wed, 10 Jul 1996 17:51:18 +0300 (EET DST)
From: Yiorgos Adamopoulos
Organization: NTUA-NOC, National Technical University of Athens, GREECE
Reply-To: y.adamopoulos@noc.ntua.gr
To: lazar@netevolve.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Well Known Port Numbers

> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?

I think you need to read the "Assigned Numbers" RFC (by IANA, can't remember the number) and mainly the ports section.

-Yiorgos.
Y.Adamopoulos@noc.ntua.gr

From firewalls-owner Wed Jul 10 08:34:34 1996
Date: Wed, 10 Jul 1996 11:18:49 -0400
From: Mark Krause
Organization: UUNET Technologies, Inc.
To: lazar@netevolve.com
CC: firewalls@greatcircle.com
Subject: Re: Well Known Port Numbers

Irwin Lazar wrote:
>
> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?

Both of these are hard to find, since they are usually listed via NNTP (Network News Transfer Protocol) for USENET, and Z39.50 (the standard that WAIS is based on).

USENET aka NNTP   = TCP 119
WAIS   aka Z39.50 = TCP 210

The following are good resources for looking up port numbers.

ftp://ds.internic.net/std/std2.txt  Assigned Numbers RFC 1700

The strobe.services file in the strobe distribution located at ftp://suburbia.net/pub/strobe.tgz

Appendix G "Table of IP Services" in "Practical UNIX & Internet Security" 2nd Edition from O'Reilly & Associates, Inc.

--
Mark Krause                 UUNET Technologies, Inc.
http://www.uu.net/          Senior Security Engineer
3060 Williams Drive         mkrause@uu.net
Fairfax, VA 22031-4648 USA  Tel: +1 703 208 5349  Fax: +1 703 206 5493

From firewalls-owner Wed Jul 10 09:49:37 1996
Date: Wed, 10 Jul 1996 11:31:47 -0500 (CDT)
From: peter@baileynm.com (Peter da Silva)
To: neil@ivision.co.uk (Neil A Carson)
Cc: lazar@netevolve.com, firewalls@GreatCircle.COM
Subject: Re: Well Known Port Numbers

> Unless of course you have stripped down the services file (which one would
> do in building a firewall anyway).

Why? It's the inetd.conf file that controls that stuff, not services.
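Following up on Neil's and Peter's exchange above: the services file only maps names to numbers, while inetd.conf decides what actually listens. The script below is an added example, not code from any poster. It cross-checks a constructed inetd.conf against a constructed services file (the nntp and wais lines are the ones Neil quoted), resolves each enabled entry to its port, and reports entries whose name is missing from services, which inetd logs as an unknown service and never starts.

```python
"""Cross-check an inetd.conf against /etc/services.

services only maps names to port numbers; inetd.conf decides which
programs actually listen.  inetd resolves each entry's port with
getservbyname(), so an entry whose name is missing from services is
logged as an unknown service and never started.  Both files below are
constructed samples, not copied from any real host.
"""

SERVICES = """\
# constructed sample of /etc/services
ftp      21/tcp
telnet   23/tcp
smtp     25/tcp   mail
nntp     119/tcp  usenet   # Network News Transfer Protocol
nntp     119/udp  usenet
z39.50   210/tcp  wais     # ANSI Z39.50
z39.50   210/udp  wais
"""

INETD_CONF = """\
# constructed sample of inetd.conf on a stripped-down bastion host
# service socktype proto  wait    user    server                 args
ftp       stream   tcp    nowait  root    /usr/libexec/ftpd      ftpd -l
telnet    stream   tcp    nowait  root    /usr/libexec/telnetd   telnetd
nntp      stream   tcp    nowait  news    /usr/local/etc/plug-gw plug-gw nntp
finger    stream   tcp    nowait  nobody  /usr/libexec/fingerd   fingerd
#shell    stream   tcp    nowait  root    /usr/libexec/rshd      rshd
"""


def parse_services(text):
    """Return {(name_or_alias, proto): port} from services-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:    # official name plus aliases
            table[(name, proto)] = int(port)
    return table


def parse_inetd(text):
    """Return [(service, proto, server_path)] for enabled inetd.conf entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # comments and disabled entries
            continue
        fields = line.split()
        if len(fields) < 6:                      # service socktype proto wait user server
            continue
        entries.append((fields[0], fields[2], fields[5]))
    return entries


def listening_ports(inetd_text, services_text):
    """Map every enabled inetd entry to (port, proto) -> (name, server).

    Entries whose name is absent from services are returned separately:
    inetd would log them as unknown and not listen for them at all.
    """
    services = parse_services(services_text)
    resolved, unresolved = {}, []
    for name, proto, server in parse_inetd(inetd_text):
        port = services.get((name, proto))
        if port is None:
            unresolved.append(name)
        else:
            resolved[(port, proto)] = (name, server)
    return resolved, unresolved


if __name__ == "__main__":
    ports, missing = listening_ports(INETD_CONF, SERVICES)
    for (port, proto), (name, server) in sorted(ports.items()):
        print(f"{port:5d}/{proto}  {name:<8} {server}")
    for name in missing:
        print(f"not started: {name} is not in services (inetd: unknown service)")
```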
From firewalls-owner Wed Jul 10 10:04:23 1996
Date: Wed, 10 Jul 96 10:38:05 CST
From: "John M. Shaw"
To: firewalls@GreatCircle.com
Subject: Re[2]: Newbie Cisco Access-List Question

Is it the same for "ip route"? If I have 2 lines from my ISP hooked up to the serial lines on my router:

ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1

Will anything get sent over Serial1? Is there a way to somewhat balance the load between the 2 lines?

TIA
jshaw@dttus.com

______________________________ Reply Separator _________________________________
Subject: Re: Newbie Cisco Access-List Question
Author: Warren Auld at INTERNET-USA
Date: 7/10/96 10:08 AM

Hi,

Yes, order matters -- the entries in an access list are evaluated sequentially until a match is found, at which point the packet is either sent on or rejected. In the example you gave below, all packets addressed to ports higher than 1023 will make it through and the second line will never have any effect. If you reverse the lines, traffic to port 2049 would be denied while everything else above 1023 would get through.

Hope this helps....

warren
wauld01@mail.state.mo.us

On Wed, 10 Jul 1996, John M. Shaw wrote:

>
>
> Assuming 2 lines with same source, s-mask, dest, and d-mask:
>
> access-list 101 permit tcp source s-mask dest d-mask gt 1023
> access-list 101 deny tcp source s-mask dest d-mask eq 2049
>
> Which one takes precedence?
> Does the order matter?
>
> Any help would be greatly appreciated?
>
>

From firewalls-owner Wed Jul 10 10:34:35 1996
Date: Wed, 10 Jul 1996 13:19:20 -0400 (EDT)
From: "Gary G. Hull"
Reply-To: ggh14854@ussun2f.glaxo.com
To: firewalls@greatcircle.com

REVIEW firewalls by Name

From firewalls-owner Wed Jul 10 10:49:57 1996
Date: Wed, 10 Jul 1996 13:39:25 -0400
From: Paul Ferguson
To: lazar@netevolve.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Well Known Port Numbers

Try RFC-1700.
- paul

At 09:29 AM 7/10/96 +0000, Irwin Lazar wrote:
>Greetings all:
>
>I'm trying to find the well known TCP and UDP port numbers to allow
>access to Usenet and WAIS but can't seem to find them in any of the
>reference materials I have. Does anyone know of or have this
>information?
>
>Thanks.
>Irwin M. Lazar
>Network Evolutions, Inc.
>lazar@netevolve.com
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
c i s c o  S y s t e m s

From firewalls-owner Wed Jul 10 11:05:02 1996
Date: Wed, 10 Jul 1996 13:42:18 -0400
From: Paul Ferguson
To: "John M. Shaw"
Cc: firewalls@GreatCircle.COM
Subject: Re: Newbie Cisco Access-List Question

At 09:00 AM 7/10/96 CST, John M. Shaw wrote:

> Assuming 2 lines with same source, s-mask, dest, and d-mask:
>
> access-list 101 permit tcp source s-mask dest d-mask gt 1023
> access-list 101 deny tcp source s-mask dest d-mask eq 2049
>
> Which one takes precedence?

The access-list expressions are parsed linearly, from first-to-last, until a match is made and then no further ACL's are referenced. Also, in the example above, any packet which did not match either ACL would be implicitly denied.

- paul

> Does the order matter?
>
> Any help would be greatly appreciated?
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
c i s c o  S y s t e m s

From firewalls-owner Wed Jul 10 11:19:42 1996
Date: Wed, 10 Jul 96 11:02:56 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
To: Firewalls@GreatCircle.COM, ggh14854@ussun2f.glaxo.com
Subject: Re: Web Server on DMZ

Yes, you can put the web server on your DMZ, but the real answer here is to run TWO firewalls. Like so:

--company net ---/Corp-Firewall/---DMZ w/servers---/outer firewall/ --Internet

The job of the Corp-Firewall is to protect the company network, the job of the outer firewall is to protect the exposed servers.

If necessary, the outer firewall can also be used as a backup corp firewall. Or better yet, to complement it by using a different technology which will help make your network harder to crack into.
BobK From firewalls-owner Wed Jul 10 12:23:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12959 for firewalls-outgoing; Wed, 10 Jul 1996 12:12:45 -0700 (PDT) Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA12925 for ; Wed, 10 Jul 1996 12:12:10 -0700 (PDT) Received: from is.ups.com (smtp.telecom.ups.com) by gate.ups.com with SMTP id AA17374 Received: from butthead.ups.com by is.ups.com (5.x/SMI-SVR4) Received: from localhost by butthead.ups.com (SMI-8.6/SMI-SVR4) Date: Wed, 10 Jul 1996 15:09:06 -0400 (EDT) From: Dave Wreski X-Sender: tel1dvw@butthead To: Bob Konigsberg Cc: Firewalls@GreatCircle.COM, ggh14854@ussun2f.glaxo.com Subject: Re: Web Server on DMZ In-Reply-To: <9607101802.AA02049@manzanita.DEV.3Com.COM.noname> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 10 Jul 1996, Bob Konigsberg wrote: > > The job of the Corp-Firewall is to protect the company network, the > job of the outer firewall is to protect the exposed servers. > > If necessary, the outer firewall can also be used as a backup corp > firewall. Or better yet, to complement it by using a different technology > which will help make your network harder to crack into. What type of different technology do you recommend? This sounds interesting, as this is how we currently implement our firewalls/servers.. 
Dave > > BobK > From firewalls-owner Wed Jul 10 12:34:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA13461 for firewalls-outgoing; Wed, 10 Jul 1996 12:30:13 -0700 (PDT) Received: from ftp.com (ftp.com [128.127.2.122]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13446 for ; Wed, 10 Jul 1996 12:30:03 -0700 (PDT) Received: from ftp.com by ftp.com ; Wed, 10 Jul 1996 15:27:26 -0400 Received: from mailserv-100bs.ftp.com by ftp.com ; Wed, 10 Jul 1996 15:27:26 -0400 Received: by MAILSERV-100BS.FTP.COM (SMI-8.6/SMI-SVR4) Date: Wed, 10 Jul 1996 15:26:12 -0400 Message-Id: <199607101926.PAA27134@MAILSERV-100BS.FTP.COM> To: lazar@netevolve.com Subject: Re: Well Known Port Numbers From: chip@ftp.com (Chip Sparling) Reply-To: chip@ftp.com Cc: firewalls@greatcircle.com Repository: mailserv-100bs.ftp.com, [message accepted at Wed Jul 10 15:26:02 1996] Originating-Client: slingshot.ftp.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I'm trying to find the well known TCP and UDP port numbers to allow >access to Usenet and WAIS but can't seem to find them in any of the >reference materials I have. Does anyone know of or have this >information? IANA owns these, the official list can be found at; ftp://venera.isi.edu/in-notes/iana/assignments/port-numbers if you backup one level you'll find all the assigned numbers. 
chip

From firewalls-owner Wed Jul 10 12:52:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12921 for firewalls-outgoing; Wed, 10 Jul 1996 12:12:06 -0700 (PDT)
Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.DE [193.141.169.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA12914 for ; Wed, 10 Jul 1996 12:11:56 -0700 (PDT)
Received: (from smap@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id VAA28652; Wed, 10 Jul 1996 21:08:47 +0200
Received: from auryn.genua.de(192.109.217.42) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3)
Received: from auryn.genua.de (localhost [127.0.0.1]) by auryn.genua.de (8.7.4/8.7.3) with ESMTP id VAA20793; Wed, 10 Jul 1996 21:08:18 +0200 (MET DST)
Message-Id: <199607101908.VAA20793@auryn.genua.de>
To: Firewalls@greatcircle.com
cc: Shepherd Rudie
Subject: Re: DNS leakage
In-reply-to: Your message of Wed, 10 Jul 1996 01:00:30 -0700.
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <20790.837025697.1@auryn.genua.de>
Date: Wed, 10 Jul 1996 21:08:17 +0200
From: Bernhard Schneck
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Problem is this:
> The last time my zone was transferred to my ISP, the INTERNAL names
> suddenly appeared on the internet! Of course this wrecked e-mail and
> other things as well, but how is this possible? How can the outside DNS
> provide the secondary with any information regarding the inside? BTW the
> inside network is not even accessible from the Internet (and thus the
> secondary DNS). Any ideas?

Make sure you run a (moderately) recent version of BIND, 4.9.3p1 or 4.9.4. Earlier versions may have some problems with cache poisoning even in authoritative zones ...

\Bernhard.
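A worked check added here, not part of any message in the thread: Bernhard's answer covers the BIND side (old versions leaking cached data into authoritative answers), but the other way internal names reach an ISP secondary is that they were in the transferred zone file to begin with. The script below scans a BIND-style zone file before it is handed to the outside secondary and reports A records pointing into RFC 1918 space and names under an "internal" label. The zone text, the host names, the `internal` label and the function names are all constructed for this example.

```python
"""Check a zone file for internal data before it is handed to an outside secondary.

Added example, not code from the list post.  It does not address the BIND
cache-poisoning issue Bernhard mentions; it covers the case where the internal
names were present in the zone that got transferred.  The zone text, host
names and the 'internal' label are constructed.
"""
import ipaddress
import re

# Constructed sample zone for illustration; 192.0.2.0/24 is documentation space.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@                IN SOA   ns1.example.com. hostmaster.example.com. (1996071001 3600 900 604800 86400)
@                IN NS    ns1.example.com.
@                IN NS    ns2.isp.example.net.
@                IN MX 10 mail.example.com.
ns1              IN A     192.0.2.1
www              IN A     192.0.2.10
mail             IN A     192.0.2.20
fileserver       IN A     10.1.2.3          ; RFC 1918 address: must not be published
payroll.internal IN A     172.16.5.9        ; internal name and private address
intranet         IN CNAME web.internal.example.com.
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# owner [ttl] [IN] type rdata  (only A and CNAME records are inspected)
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|CNAME)\s+(\S+)", re.IGNORECASE)


def is_private(addr):
    """True if addr is an RFC 1918 IPv4 address (non-addresses are not private)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def find_internal_leaks(zone_text, internal_label="internal"):
    """Return (owner, type, rdata, reason) for records that should not leave the site."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop trailing comments
        if not line or line.startswith("$"):
            continue                                   # $ORIGIN / $TTL directives
        m = RECORD_RE.match(line)
        if not m:
            continue                                   # SOA, NS, MX, ... are not inspected
        owner, rtype, rdata = m.group(1), m.group(2).upper(), m.group(3)
        reasons = []
        if rtype == "A" and is_private(rdata):
            reasons.append("private address")
        if internal_label in owner.lower().rstrip(".").split("."):
            reasons.append("internal name")
        if rtype == "CNAME" and internal_label in rdata.lower().rstrip(".").split("."):
            reasons.append("CNAME into internal namespace")
        if reasons:
            findings.append((owner, rtype, rdata, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for owner, rtype, rdata, why in find_internal_leaks(SAMPLE_ZONE):
        print(f"{owner:18} {rtype:5} {rdata:28} {why}")
```

Run against the constructed zone it reports `fileserver`, `payroll.internal` and `intranet`; anything it reports should be moved to the inside-only view of the zone before the external secondary is allowed to transfer it. The check is deliberately narrow (A and CNAME only, one label) so that a site can extend it with its own naming conventions.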
From firewalls-owner Wed Jul 10 13:04:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14042 for firewalls-outgoing; Wed, 10 Jul 1996 12:45:53 -0700 (PDT)
Received: from mis01.micron.net (mis01.micron.net [198.60.253.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA14033 for ; Wed, 10 Jul 1996 12:45:43 -0700 (PDT)
From: jbarnett@micron.net
Received: from 204.134.209.84 by mis01.micron.net with smtp
Message-Id:
Date: Wed, 10 Jul 96 13:43 MDT
Subject: Sidewinder Versus EagleRaptor
To: firewalls@GreatCircle.com
X-Mailer: AIR Mail 3.X (SPRY, Inc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My organization is finally coming close to making a decision on a firewall product. My question is this: is there anyone in this group who has evaluated both Sidewinder and EagleRaptor within the past year and has:

1) selected EagleRaptor but now wishes they had gone with Sidewinder
2) selected Sidewinder but now wishes they had gone with EagleRaptor
3) selected EagleRaptor for NT and is experiencing difficulties or is elated

You can respond privately to me at jbarnett@micron.net, please. Since this is the first time I have tried to post anything to this group (I just joined today), please forgive me if I somehow stepped on any rules for posting. Thanks!
jon

#########################################################
Jon Barnett    jbarnett@micron.net    (208) 384-7018
"Colorful ideas are a pigment of your own imagination"
#########################################################

From firewalls-owner Wed Jul 10 13:20:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA13484 for firewalls-outgoing; Wed, 10 Jul 1996 12:31:35 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13477 for ; Wed, 10 Jul 1996 12:31:24 -0700 (PDT)
From: meowmyx@morebbs.com
Received: by morebbs.com
Message-ID: <9607101528.0LQZ300@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Wed, 10 Jul 96 15:28:54
Subject: Dirty dogs
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was browsing through the system files of a web server that sits outside a firewall. There were a couple of interesting entries in the access log:

960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

This didn't work for two reasons. One, there is no phf program in the system. Two, the cgi application gateway is running chrooted.

I am not really very good at understanding this hacking and cracking stuff. What else could they have tried that might have worked?

FlameThrower>> ON

The Mayor of White Water, had a very pretty daughter,
Her name was Sweet Hillary, she was eager to please.
Although lovely Hillary, wore clothes that were billowy,
The hairs on her dickey die doe, hung down to her knees.
One black one, one white one, and one that Bill caught a trout on,
The hairs on her dickey die doe, hung down to her knees.
If she were my daughter, I would have cut them much shorter,
The hairs on her dickey die doe, hung down to her knees.

Ooops. Damn. Slightly singed left whiskers.

FlameThrower>> OFF

MeOwMyX

From firewalls-owner Wed Jul 10 13:24:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA16355 for firewalls-outgoing; Wed, 10 Jul 1996 13:04:20 -0700 (PDT)
Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA16285 for ; Wed, 10 Jul 1996 13:04:03 -0700 (PDT)
Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1))
From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne)
Message-Id: <9607101754.AA08182@dsacg1.dsac.dla.mil>
Subject: Re: Well Known Port Numbers
To: lazar@netevolve.com
Date: Wed, 10 Jul 96 13:54:32 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <9607101332.AA12409@netevolve.com>; from "Irwin Lazar" at Jul 10, 96 9:29 am
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Greetings all:
>
> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?

from /etc/services

nntp 119/tcp readnews untp # Network News Transfer Protocol

from the wais paper

5. Add in a z3950 entry to /etc/services on TCP port 210.
6. Add a line like the following to /etc/inetd to cause waisserver to be called when a connection comes in on the z3950 port:

z3950 stream tcp nowait nobody "

nntp (news) is port 119
wais (z3950) is port 210
both are tcp

stevep

>
> Thanks.
> Irwin M. Lazar
> Network Evolutions, Inc.
> lazar@netevolve.com
>

From firewalls-owner Wed Jul 10 13:25:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA13533 for firewalls-outgoing; Wed, 10 Jul 1996 12:32:51 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13523 for ; Wed, 10 Jul 1996 12:32:36 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607101929.AA22741@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: "John M. Shaw"
Cc: firewalls
From: Ryan.Russell/SYBASE
Date: 10 Jul 96 12:22:45 EDT
Subject: Re: Re[2]: Newbie Cisco Access-List Question
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It depends. If the two serials plug into the same router at the other end, then you want a mux, or you'll have to run EIGRP or OSPF...even then, good luck.

If they go to two different ISPs, then get route updates for both, and the router will make the best choice for path. However, one of the interfaces will have to be the default, and usage of the two lines will be highly asymmetric. Even if one line fills, it won't overflow to the other.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: jshaw @ dttus.com ("John M. Shaw") @ smtp
Date: 07/10/96 10:38:05 AM
Subject: Re[2]: Newbie Cisco Access-List Question

Is it the same for "ip route"? If I have 2 lines from my ISP hooked up to the serial lines on my router:

ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1

Will anything get sent over Serial1? Is there a way to somewhat balance the load between the 2 lines?

TIA

jshaw@dttus.com

______________________________ Reply Separator _________________________________
Subject: Re: Newbie Cisco Access-List Question
Author: Warren Auld at INTERNET-USA
Date: 7/10/96 10:08 AM

Hi,

Yes, order matters -- the entries in an access list are evaluated sequentially until a match is found, at which point the packet is either sent on or rejected. In the example you gave below, all packets addressed to ports higher than 1023 will make it through and the second line will never have any effect. If you reverse the lines, traffic to port 2049 would be denied while everything else above 1023 would get through.

Hope this helps....

warren
wauld01@mail.state.mo.us

On Wed, 10 Jul 1996, John M. Shaw wrote:
>
>
> Assuming 2 lines with same source, s-mask, dest, and d-mask:
>
> access-list 101 permit tcp source s-mask dest d-mask gt 1023
> access-list 101 deny tcp source s-mask dest d-mask eq 2049
>
> Which one takes precedence?
> Does the order matter?
>
> Any help would be greatly appreciated?
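A worked example added here, not part of any message in the thread: a small model of the first-match evaluation Warren describes, run over John's list 101 in both orders. It walks the entries top to bottom, stops at the first one that matches, falls through to the implicit deny at the end, and also reports entries that can never fire because an earlier entry already covers them (the "second line will never have any effect" case). Only the subset of the IOS syntax quoted on the page is handled (permit/deny, a protocol, the four address tokens, an optional gt/lt/eq port test); the packets, the `Packet`/`Entry` types and the function names are constructed for this example, and the `source s-mask dest d-mask` placeholders are kept as written because the question assumes they are identical on both lines.

```python
"""First-match evaluation of a Cisco-style extended access list.

Added example, not code from the thread.  Models how IOS walks an access
list top to bottom and stops at the first matching entry, with the implicit
deny at the end.  Only the syntax subset quoted in the thread is parsed;
addresses are not compared because the question assumes they are the same.
"""
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


class Entry(NamedTuple):
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip"
    op: Optional[str]       # "gt", "lt", "eq" or None (any port)
    port: Optional[int]


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny proto src s-mask dst d-mask [gt|lt|eq port]'."""
    toks = line.split()
    if len(toks) < 8 or toks[0] != "access-list":
        raise ValueError("unsupported entry: " + line)
    action, proto = toks[2], toks[3]
    # toks[4:8] are source, source-wildcard, dest, dest-wildcard; the thread
    # assumes they are the same on both lines, so they are not compared here.
    op, port = None, None
    if len(toks) >= 10 and toks[8] in ("gt", "lt", "eq"):
        op, port = toks[8], int(toks[9])
    return Entry(action, proto, op, port)


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto not in ("ip", pkt.proto):
        return False
    if entry.op is None:
        return True
    return {"gt": pkt.dport > entry.port,
            "lt": pkt.dport < entry.port,
            "eq": pkt.dport == entry.port}[entry.op]


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); (deny, None) is the implicit deny."""
    for i, line in enumerate(acl):
        entry = parse_entry(line)
        if matches(entry, pkt):
            return entry.action, i
    return "deny", None


def shadowed_entries(acl: List[str]) -> List[int]:
    """Indexes of entries that can never fire because an earlier entry already
    matches every packet they would match (checked over all 65536 ports)."""
    entries = [parse_entry(line) for line in acl]
    shadowed = []
    for j, later in enumerate(entries):
        covered = [Packet(later.proto, p) for p in range(65536)
                   if matches(later, Packet(later.proto, p))]
        if any(all(matches(entries[i], pkt) for pkt in covered) for i in range(j)):
            shadowed.append(j)
    return shadowed


# The two lines exactly as posted, in both orders.
AS_POSTED = [
    "access-list 101 permit tcp source s-mask dest d-mask gt 1023",
    "access-list 101 deny tcp source s-mask dest d-mask eq 2049",
]
REVERSED = list(reversed(AS_POSTED))

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        print(name, "tcp/2049:", evaluate(acl, Packet("tcp", 2049)),
              "tcp/8080:", evaluate(acl, Packet("tcp", 8080)),
              "shadowed:", shadowed_entries(acl))
```

As posted, a TCP packet to port 2049 is permitted by entry 0 and entry 1 is reported as shadowed; reversed, 2049 is denied by entry 0 and 8080 is permitted by entry 1. A packet to port 80 matches neither line in either order and falls to the implicit deny, which is the part of the semantics people most often forget when they reorder entries.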
From firewalls-owner Wed Jul 10 14:13:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22519 for firewalls-outgoing; Wed, 10 Jul 1996 13:41:26 -0700 (PDT)
Received: from umbc7.umbc.edu (f-umbc7.umbc.edu [130.85.3.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA22471 for ; Wed, 10 Jul 1996 13:41:14 -0700 (PDT)
Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id QAA10461; Wed, 10 Jul 1996 16:38:42 -0400
Date: Wed, 10 Jul 1996 16:38:42 -0400 (EDT)
From: Paul Danckaert
To: meowmyx@morebbs.com
cc: firewalls@GreatCircle.COM
Subject: Re: Dirty dogs
In-Reply-To: <9607101528.0LQZ300@morebbs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jul 1996 meowmyx@morebbs.com wrote:
>
> I was browsing through the system files of a web server that sits outside a
> firewall There were a couple of interesting entries in the access log
>
> 960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
> 960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
> This didnt work for two reasons One there is no phf program in the system
> Two the cgi application gateway is running chrooted
>
> I am not really very good at understanding this hacking and cracking stuff
> What else could they have tried that might have worked

It's pretty common to attack systems via the phf hole right now.. we see a fair amount of attacks towards that. That format is the same as some of the probes we have seen, so it's probably one of the scripts floating around. There is another that hides the "cat /etc/passwd" in the middle of a larger string, trying to make it less obvious, and a third that runs id, to see what uid your web server runs under.

Of course, you could always be less kind, and install a quick PHF script on your server that mails you all the information it can about the user connecting to it. Nice for a more real-time response against these probes.

As for other CGIs that could have worked, a good reference for this stuff is in the WWW security FAQ, at:

http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html

It lists other vulnerable CGI scripts offhand:

AnyForm  http://www.uky.edu/~johnr/AnyForm2
FormMail http://alpha.pr1.k12.co.us/~mattw/scripts.html
"phf" phone book script, distributed with NCSA httpd and Apache  http://hoohoo.ncsa.uiuc.edu/

(There are also vulnerabilities with the novell web server, as well as ones under NT..)

In general, you should never have CGI scripts/programs in your cgi-bin directory that you aren't using, or don't trust..

paul

From firewalls-owner Wed Jul 10 14:57:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA00886 for firewalls-outgoing; Wed, 10 Jul 1996 14:41:31 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA00873 for ; Wed, 10 Jul 1996 14:41:16 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607102138.AA03032@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: meowmyx
Cc: firewalls
From: Ryan.Russell/SYBASE
Date: 10 Jul 96 14:12:45 EDT
Subject: Re: Dirty dogs
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm....worth tracking down. I guess whatever they might have succeeded at depends on any known holes for your web server.

You'll probably have better luck tracking down the one hanging off of Sprintnet than AOL. I wouldn't trust AOL to keep any useful records.

In any case, if you wanna track them down, the sooner the better. If either site does keep records, better ask before they are gone.

Ryan

mcorange>trace 198.69.26.81
Type escape sequence to abort.
Tracing the route to 198.69.26.81
 1 BORDER7-SERIAL1-3.SANFRANCISCO.MCI.NET (204.70.161.17) 4 msec 56 msec 28 msec
 2 CORE2-FDDI-0.SANFRANCISCO.MCI.NET (204.70.158.49) 212 msec 36 msec 32 msec
 3 CORE3.SANFRANCISCO.MCI.NET (204.70.4.17) 16 msec 16 msec 32 msec
 4 * SOMEROUTER.SPRINTLINK.NET (206.157.77.66) 28 msec 8 msec
 5 SL-STK-5-F0/0.SPRINTLINK.NET (144.228.40.5) 20 msec 12 msec 16 msec
 6 SL-DC-6-H1/0-T3.SPRINTLINK.NET (144.228.10.1) 84 msec 76 msec 80 msec
 7 SL-DC-5-F0/0.SPRINTLINK.NET (144.228.20.5) 80 msec 80 msec 84 msec
 8 SL-NIS-1-S0-56K.SPRINTLINK.NET (144.228.25.38) 108 msec 112 msec 108 msec
 9 * * *
10 * *
mcorange>trace 152.163.192.15
Type escape sequence to abort.
Tracing the route to WWW-B2.PROXY.AOL.COM (152.163.192.15)
 1 BORDER7-SERIAL1-3.SANFRANCISCO.MCI.NET (204.70.161.17) 8 msec 12 msec 8 msec
 2 CORE2-FDDI-0.SANFRANCISCO.MCI.NET (204.70.158.49) 12 msec 12 msec 24 msec
 3 CORE1.SANFRANCISCO.MCI.NET (204.70.4.169) 24 msec 28 msec 40 msec
 4 BORDER2-FDDI0-0.SANFRANCISCO.MCI.NET (204.70.3.162) 12 msec 8 msec 8 msec
 5 MFX.CNSS8.SAN-FRANCISCO.T3.ANS.NET (206.157.77.2) 20 msec 8 msec 4 msec
 6 FT0.CNSS19.LOS-ANGELES.T3.ANS.NET (140.222.19.1) 16 msec 24 msec 16 msec
 7 FT1.CNSS112.ALBUQUERQUE.T3.ANS.NET (140.222.112.2) 52 msec 48 msec 48 msec
 8 FT0.CNSS64.HOUSTON.T3.ANS.NET (140.222.64.1) 84 msec 76 msec 68 msec
 9 FT1.CNSS104.ATLANTA.T3.ANS.NET (140.222.104.2) 104 msec 100 msec 112 msec
10 FT0.CNSS72.GREENSBORO.T3.ANS.NET (140.222.72.1) 104 msec 100 msec 100 msec
11 FT0.CNSS56.WASHINGTON-DC.T3.ANS.NET (140.222.56.1) 104 msec 96 msec 128 msec
12 F1-0.C56-11.WASHINGTON-DC.T3.ANS.NET (140.222.56.65) 112 msec 100 msec 100 msec
13 ENSS150.T3.ANS.NET (204.151.29.10) 104 msec 200 msec 132 msec
14 INET3-GW.BLUE.AOL.COM (198.81.0.43) 108 msec 100 msec 104 msec
15 WWW-B2.PROXY.AOL.COM (152.163.192.15) 116 msec 108 msec 100 msec

---------- Previous Message ----------
To: firewalls
cc:
From: meowmyx @ morebbs.com @ smtp
Date: 07/10/96 03:28:54 PM
Subject: Dirty dogs

I was browsing through the system files of a web server that sits outside a firewall There were a couple of interesting entries in the access log

960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

This didnt work for two reasons One there is no phf program in the system Two the cgi application gateway is running chrooted

I am not really very good at understanding this hacking and cracking stuff What else could they have tried that might have worked

FlameThrower>> ON

The Mayor of White Water, had a very pretty daughter,
Her name was Sweet Hillary, she was eager to please.
Although lovely Hillary, wore clothes that were billowy,
The hairs on her dickey die doe, hung down to her knees.
One black one, one white one, and one that Bill caught a trout on,
The hairs on her dickey die doe, hung down to her knees.
If she were my daughter, I would have cut them much shorter,
The hairs on her dickey die doe, hung down to her knees.

Ooops Damn Slightly singed left whiskers

FlameThrower>> OFF

MeOwMyX

From firewalls-owner Wed Jul 10 15:05:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA02260 for firewalls-outgoing; Wed, 10 Jul 1996 14:56:40 -0700 (PDT)
Received: from magellan.knight-ridder.com (magellan.knight-ridder.com [206.28.156.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA02252 for ; Wed, 10 Jul 1996 14:56:32 -0700 (PDT)
Received: by magellan.knight-ridder.com; id OAA08855; Wed, 10 Jul 1996 14:52:26 -0400
Received: from unknown(166.108.10.12) by magellan.knight-ridder.com via smap (g3.0.3)
Message-ID: <31E42682.5C54@knight-ridder.com>
Date: Wed, 10 Jul 1996 17:54:10 -0400
From: Ricardo de La Fuente
Reply-To: lafuente@knight-ridder.com
Organization: Knight-Ridder, Inc.
X-Mailer: Mozilla 3.0b3Gold (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Re: Web Server on DMZ
References: <9607101802.AA02049@manzanita.DEV.3Com.COM.noname>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bob Konigsberg wrote:
>
> Yes, you can put the web server on your DMZ, but the real answer here
> is to run TWO firewalls.
>
> Like so:
>
> --company net ---/Corp-Firewall/---DMZ w/servers---/outer firewall/ --Internet
>
> The job of the Corp-Firewall is to protect the company network, the
> job of the outer firewall is to protect the exposed servers.
>
> If necessary, the outer firewall can also be used as a backup corp
> firewall. Or better yet, to complement it by using a different technology
> which will help make your network harder to crack into.
>
> BobK

I believe it was Darren Reed who suggested a more elegant and less expensive solution: using a third interface on the firewall, thus enabling a third segment for public servers such as a Web server or FTP server. All traffic would have to go through the firewall, therefore protecting your web server as well. i.e.

                                 Internet
                                    |
                                  Router
                                    |
Internal Net----Choke router----Corp-Firewall------Web Server, FTP server, etc.

--
Ricardo de La Fuente
Knight-Ridder, Inc.
One Herald Plaza
Miami, Florida 33132-1693
Stay Cool - Play Coed Underwater Hockey

From firewalls-owner Wed Jul 10 15:20:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04812 for firewalls-outgoing; Wed, 10 Jul 1996 15:12:32 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA04772 for ; Wed, 10 Jul 1996 15:12:14 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
Received: from lina (ecki@lina.inka.de) by uu.inka.de
Received: by lina
Message-Id:
From: ecki@lina.inka.de (Bernd Eckenfels)
Subject: Re: Web Server on DMZ
To: ggh14854@ussun2f.glaxo.com
Date: Wed, 10 Jul 1996 23:59:39 +0200 (MET DST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Gary G. Hull" at Jul 10, 96 09:03:44 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> What would be the security
> implications of moving our WEB Server to the DMZ?

The server has to be secure. If the server needs to access data from the internal net you might be in trouble. The DMZ router should filter all connections from outside except for the www port.

> What would
> be the best way to make it secure?

Disable anything you don't need. There should be NO line on "netstat -a" which you don't understand. Open logins only from inside the secure net and ensure no ip-spoofing is possible to the dmz.

> We would like to do this
> for performance reasons. Would having a box dedicated to WEB
> traffic located on the DMZ offer added performance to our
> WEB traffic?

Depends on the solution you have now. If you have a proxying firewall or a non-dedicated web server, a dedicated web server with no firewall will be faster anyway.

> one could expect from the TIS Gauntlet for Web Traffic?

Compared to other proxy firewalls, very high, but packet filter firewalls are generally faster. See the TIS WWW page for a speed test in some labs.
Greetings
Bernd

From firewalls-owner Wed Jul 10 15:34:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05078 for firewalls-outgoing; Wed, 10 Jul 1996 15:15:34 -0700 (PDT)
Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA05069 for ; Wed, 10 Jul 1996 15:15:26 -0700 (PDT)
Received: (from carlson@localhost) by cypress.cycon.com (8.7.5/8.7.3) id SAA14482; Wed, 10 Jul 1996 18:13:47 -0400
Date: Wed, 10 Jul 1996 18:13:47 -0400 (EDT)
From: Chris Carlson
To: meowmyx@morebbs.com
cc: firewalls@GreatCircle.COM
Subject: Re: Dirty dogs
In-Reply-To: <9607101528.0LQZ300@morebbs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jul 1996 meowmyx@morebbs.com wrote:
>
> I was browsing through the system files of a web server that sits outside a
> firewall There were a couple of interesting entries in the access log
>
> 960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
> 960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
>
> MeOwMyX
>

I found this reference to the cgi-bin program 'phf' at some archive site:

- Please disable the cgi-bin application 'phf' (provided in source code
- form with the NCSA & Apache httpd server distributions in its cgi-src
- directory as the file phf.c) that you have available on your WWW server:
- it contains a vulnerability that can be exploited by remote clients as an
- avenue through which to read files on your system (e.g. /etc/passwd), execute
- arbitrary commands, create and write to files, and to possibly gain
- unauthorized interactive (login) access without password authentication
- and without leaving a significant system audit trail.
-
- All of these actions can be accomplished with the effective permissions
- of the userid that your httpd daemon runs and services requests under.
-
- I have confirmed that your particular system is vulnerable to some
- degree. Please review your httpd access_log for instances of the string
- "phf" to see if attempts have been made to exploit this vulnerability on
- your system.
-
- (You will find instances of that string resulting from connections
- initiated by aleph1.mit.edu [18.238.0.138]; this was me verifying
- your system's vulnerability during a general survey of its widespread
- nature.)
-
- Thank you, and please pass word of this vulnerability to other WWW
- server administrators.
-
- - Nat Friedman (617-225-6733)
- ndf@linux.mit.edu

Hope this helps!

Chris

********************************************************************
* Chris Carlson                     email: carlson@cycon.com       *
* Cypress Consulting, Inc.          http://www.cycon.com           *
* Cycon Labyrinth Firewall - Stateful Inspection, Packet Modifier  *
********************************************************************

From firewalls-owner Wed Jul 10 15:49:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA08125 for firewalls-outgoing; Wed, 10 Jul 1996 15:39:20 -0700 (PDT)
Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA08062 for ; Wed, 10 Jul 1996 15:39:06 -0700 (PDT)
Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA09053
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1)
Date: Wed, 10 Jul 96 15:35:15 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9607102235.AA02245@manzanita.DEV.3Com.COM.noname>
To: Firewalls@GreatCircle.COM, lafuente@knight-ridder.com
Subject: Re: Web Server on DMZ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've seen that solution recommended, and I would agree, it is elegant. The one problem I have with that is that if the machine crashes, you are Out-To-Lunch for connectivity. I prefer having backup systems that can be put into place easily.

In addition, if you are running multiple pieces of equipment, they can be configured to a) provide a more difficult-to-get-through firewall config, and b) back each other up.

I'm not knocking the concept, I plan to make use of a variant myself, I just feel that redundancy is the way to go.

BobK

From firewalls-owner Wed Jul 10 16:19:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA12590 for firewalls-outgoing; Wed, 10 Jul 1996 16:06:59 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [204.227.191.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA12562 for ; Wed, 10 Jul 1996 16:06:50 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [204.227.191.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id QAA15030; Wed, 10 Jul 1996 16:04:12 -0700
Date: Wed, 10 Jul 1996 16:04:12 -0700 (PDT)
From: Robert Hanson
To: jbarnett@micron.net
cc: firewalls@GreatCircle.COM
Subject: Re: Sidewinder Versus EagleRaptor
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

in response to this... without searching the web ("i barely have enough time in the day to run to the coffee pot :)... where are these products on the web... thanks!

--->
Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications
www.cet.com
(509) 927-9541
finger: info@cet