From firewalls-owner  Thu Aug  1 00:33:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA07855 for firewalls-outgoing; Thu, 1 Aug 1996 00:24:40 -0700 (PDT)
Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA07848 for <firewalls@GreatCircle.com>; Thu, 1 Aug 1996 00:24:32 -0700 (PDT)
Received: from pamela.sic.se (pamela.sic.se [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id JAA00523 for <firewalls@GreatCircle.com>; Thu, 1 Aug 1996 09:21:28 +0200 (MET DST)
X-Mailer: InterCon TCP/Connect II 2.3.1
MIME-Version: 1.0
Message-Id: <9608010921.AA54441@pamela.sic.se>
Date: Thu,  1 Aug 1996 09:21:54 +0100
From: "Stefan Berg" <stefan@sic.se>
To: firewalls@GreatCircle.com
Subject: SSL, port 442, https
Content-Type: Text/Plain; charset=US-ASCII
Content-Disposition: Inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Hi there,

was just wondering if the W3 Httpd(A) (aka CERN httpd) supports
SSL, or do I have to patch it somehow? Want to use it for proxy.

/Stefan


--
_______________________________________________________
     Stefan Berg
     ISDN Group of Sweden / Swedish InternetCentral
     Phone:  +46-8-6677010
     E-mail: stefan@sic.se
     WWW:    http://www.sic.se/   http://www.isdn.se/
_______________________________________________________
          Recursive; adj. see Recursive

From firewalls-owner  Thu Aug  1 01:05:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA08707 for firewalls-outgoing; Thu, 1 Aug 1996 00:47:53 -0700 (PDT)
Received: from inetsrv1.biss.co.uk (inetsrv1.biss.co.uk [193.115.8.97]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA08700 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 00:47:44 -0700 (PDT)
Received: from ccmailgw.biss.co.uk by inetsrv1.biss.co.uk with SMTP
Received: from cc:Mail by ccmailgw.biss.co.uk
Date: Thu, 01 Aug 96 08:29:38 GMT
From: "Steve Betts" <Steve_Betts@ccmailgw.biss.co.uk>
Message-Id: <9607018389.AA838914258@ccmailgw.biss.co.uk>
To: firewalls@GreatCircle.COM, "James Croall" <jcroall@smiley.mitre.org>
Cc: jcroall@mitre.org
Subject: Re: Firewall Java blocking
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

James Croall wrote:

>TIS has announced and is shipping their Java Guard system with Gauntlet 
>3.2, and Raptor has announced support for Java blocking in the next 
>release of their Eagle firewall product.

I understand how a firewall might be configured to block Java or ActiveX 
executable files, by looking at the file extension. How does a firewall 
understand what is JavaScript or VBScript when that code is simply part 
of a comment in an HTML document? Does it now have to be an HTML 
interpreter as well?

Regards.                 ,-.
   /   ) /              <,  )       /  /  NB Opinions are my own and may
  (__  -/---            /_,/      -/--/- not be the same as my employers
/    ) / /7 /7 /7  /7  /  `>  /7  /  / _/7    tel: +44 (0) 1 442 233 366 
\___//(_(/_/ (/ (_(/_/\__ /(_(/_/(_/(_/,_7    fax: +44 (0) 1 442 236 623




From firewalls-owner  Thu Aug  1 01:33:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA11364 for firewalls-outgoing; Thu, 1 Aug 1996 01:18:46 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA11341 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 01:18:30 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id BAA22451; Thu, 1 Aug 1996 01:15:20 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199608010815.BAA22451@salsa.gv.ssi1.com>
Date: Thu, 1 Aug 1996 01:15:20 -0700
In-Reply-To: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Zachary Roger Amsden <amsden+@andrew.cmu.edu>, gaarder@actech.com
Subject: Re: How secure is xinetd's binding to specific interfaces
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 30,  5:52pm, Zachary Roger Amsden wrote:
} Subject: Re: How secure is xinetd's binding to specific interfaces
} Well, I have looked a little at xinetd's code, but I think it's pretty
} secure.  Basically, it probably does a getsockname() on incoming
} connections to find out what interface they are coming in on.  It then
} would compare the result to an IP address or interface name and make
} sure they match.  I haven't looked in full at the code here, but I would
} place high faith on this part because it is not that tricky to do.  What
} I wouldn't place faith on is the kernel's IP forwarding mechanism.  On
} many BSD based systems, it is possible to ping an inside interface from
} the outside, even with IP forwarding turned off (so I have been told). 

I've seen patches to the BSD networking code that fix this.

--- Forwarded mail from hue@island.com (Pond Scum)

>From firewalls-relay@tus.ssi1.COM Thu Jan 26 15:27:48 1995
Date: Wed, 25 Jan 1995 17:48:56 +0800
From: hue@island.com (Pond Scum)
Message-Id: <9501260148.AA06263@coney.island.com>
To: firewalls@GreatCircle.COM
Subject: Re: IP spoofing vs tcp wrappers and netacl
Sender: firewalls-owner@GreatCircle.COM


Apologies if you are seeing this twice, but I think it didn't make it
out:

> >  Doesn't help at all. The packets are forged to be from the internal
> >network, and this is what getsockname()/getpeername() will say. It you
> >use netacl, to protect telnetd to the firewall. (So the the admin can 
> >login from the internal network), then the attacker can get to
> >telnetd.
> 
> Actually, if the destination is the firewall, it does help, because the
> getsockname tells you the ip-address of the interface that is holding
> up your end of the connection.  You know which ip-address you assign
 
Right, but you can just as easily send to address of the interface on
the internal network from the outside, even with IP forwarding disabled.
To your netacl or tcp wrapper, it looks like a connection to the internal
interface from an internal net.  It was pointed out to me in private
email that the only check in ipintr() (BSD derived systems) is whether
the address matches any of the host's interfaces, there is no check for
which interface the packet came in on (I chopped out some code here,
these are just the relevant parts):
 
 
        /*
         * Check our list of addresses, to see if the packet is for us.
         */
        for (ia = in_ifaddr; ia; ia = ia->ia_next) {
                if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
                        goto ours;
 
But what if you made a small change, making sure the interface with
the address which matches the one in the packet is the interface the
packet was received on:
 
                if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
                        if (ia->ia_ifp == ifp)
                                goto ours;
                        else
                                it came in on the wrong interface, log it and drop it

In that case you could trust getsockname(), because packets sent to the inside
interface from the outside would get dropped.

If your proxies don't allow access to the internal net from the internal net,
it really doesn't matter if someone spoofs the IP address of an inside machine
from the outside.  The proxy would just turn them around and they could only go
back out.  This is probably the easiest way to combat the problem, but it means
you can't "bounce" stuff off the firewall from the inside anymore.  I've gotten
into the lazy habit of doing this with Anarchie on the Macintosh.
 
-Jonathan               hue@island.com
 



--- End of forwarded message from hue@island.com (Pond Scum)

--- Forwarded mail from hue@island.com (Pond Scum)

>From firewalls-relay@tus.ssi1.COM Fri Jan 27 00:48:32 1995
Date: Fri, 27 Jan 1995 00:22:51 +0800
From: hue@island.com (Pond Scum)
Message-Id: <9501270822.AA08991@coney.island.com>
To: firewalls@GreatCircle.COM, patrick@oes.amdahl.com
Subject: Re: IP spoofing vs tcp wrappers and netacl
Sender: firewalls-owner@GreatCircle.COM


> ARGH!!!!! Is this true?  With IP forwarding a packet shouldn't be accepted
> if it's not to the "reachable" interface.  I just tried this out on a
> Sun running Solaris, and an Amdahl machine running UTS, and neither of
> them had this bug.  Is it really true that BSD machines will accept a
> packet addressed to one interface on the other?

Well, it's true on my machine, which is SunOS 4.1.3.  ip_input.c is the one
sent to this list by Brad.Powell@Ebay.sun.com, containing the patch to block
source routed packets.  I think it's safe to assume that the code in question
is the same in 4.1.3 as in his patched version.  I have received email that says
this is the behavior in any BSD distribution.

I ended up trying out that simple change I posted.  The only thing you need to
add is code to make sure you don't drop packets coming back up the loopback
interface.  Once I did that it did what I expected.

-Jonathan		hue@island.com


--- End of forwarded message from hue@island.com (Pond Scum)


			---  Truck

From firewalls-owner  Thu Aug  1 01:48:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA12913 for firewalls-outgoing; Thu, 1 Aug 1996 01:34:28 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA12823 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 01:34:00 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id BAA22459; Thu, 1 Aug 1996 01:30:30 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199608010830.BAA22459@salsa.gv.ssi1.com>
Date: Thu, 1 Aug 1996 01:30:29 -0700
In-Reply-To: "Sean Fuller" <c60201@zone.arnold.af.mil>
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: "Sean Fuller" <c60201@zone.arnold.af.mil>, firewalls@GreatCircle.COM
Subject: Re: How secure is xinetd's binding to specific interfaces
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 31,  9:13am, "Sean Fuller" wrote:
} Subject: Re: How secure is xinetd's binding to specific interfaces
} On Jul 30,  6:37pm, <firewalls-owner@GreatCircle.COM> wrote:
} 
} getsockname!  Thanks so much for pointing out this wonderful routine.
} I don't know why I never saw it before.  I guess I learned firewall
} programming from the TIS Firewall Toolkit and I never saw this routine
} used to detect the incoming interface.

Except that with most network stacks you can't count on this to detect
the interface that the packet was received on.  If interface A receives
a packet with the destination address that matches interface B,
getsockname() will report interface B's address.  With most networking
stacks, this will happen even if IP forwarding is turned off.  If the
routing table on the host shows that the route to packet's source address
should use interface A (or if there is a source route), I bet it's still
possible to set up a TCP connection even without IP forwarding, but in
this case (lacking the source route) your getpeername() check should be
effective.

			---  Truck

From firewalls-owner  Thu Aug  1 04:48:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA24060 for firewalls-outgoing; Thu, 1 Aug 1996 04:39:31 -0700 (PDT)
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA24044 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 04:39:13 -0700 (PDT)
Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id HAA02686; Thu, 1 Aug 1996 07:36:06 -0400
Received: from loghost.mitre.org by smiley.sit (4.1/SMI-4.1)
Message-Id: <9608011134.AA06553@smiley.sit>
To: "Steve Betts" <Steve_Betts@ccmailgw.biss.co.uk>
Cc: firewalls@greatcircle.com
Subject: Re: Firewall Java blocking 
In-Reply-To: Your message of "Thu, 01 Aug 1996 08:29:38 GMT."
Date: Thu, 01 Aug 1996 07:34:23 -0400
From: "James Croall" <jcroall@smiley.mitre.org>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


In message <9607018389.AA838914258@ccmailgw.biss.co.uk>, "Steve Betts" writes:
>I understand how a firewall might be configured to block Java or ActiveX 
>executable files, by looking at the file extension. How does a firewall 
>understand what is JavaScript or VBScript when that code is simply part 
>of a comment in an HTML document? Does it now have to be an HTML 
>interpreter as well?

Yes, it has to parse the HTML as well. JavaScript and VBScript aren't merely
inside comments, they also have a <script> tag that tells the client what
language they're written in.

If the server parses the HTML and applys rules to it before handing it to the
client, it can actually remove the <applet>, <object>, and <script> tags as
well as things like JavaScript's event handlers. It certainly does introduce
a performance hit, but if the server can cache these preprocessed files it
may speed things up a bit.

- James

From firewalls-owner  Thu Aug  1 05:03:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA24261 for firewalls-outgoing; Thu, 1 Aug 1996 04:46:52 -0700 (PDT)
Received: from Farstar.secapl.com (QS.secapl.com [192.131.69.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA24254 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 04:46:44 -0700 (PDT)
Received: from Cookie.secapl.com (Cookie.secapl.com [192.108.247.19]) by Farstar.secapl.com (8.6.12/8.6.12) with SMTP id GAA139258; Thu, 1 Aug 1996 06:33:37 -0500
Received: from Fozzie.secapl.com by Cookie.secapl.com (AIX 3.2/UCB 5.64/4.03)
Received: from localhost by fozzie.secapl.com (AIX 4.1/UCB 5.64/4.03)
Date: Thu, 1 Aug 1996 07:41:54 -0400 (EDT)
From: Tony Iannotti <tony@fozzie.secapl.com>
To: Stefan Berg <stefan@sic.se>
Cc: firewalls@GreatCircle.COM
Subject: Re: SSL, port 442, https
In-Reply-To: <9608010921.AA54441@pamela.sic.se>
Message-Id: <Pine.A32.3.94.960801074059.239844B-100000@fozzie.secapl.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 1 Aug 1996, Stefan Berg wrote:

> was just wondering if the W3 Httpd(A) (aka CERN httpd) supports
> SSL, or do I have to patch it somehow? Want to use it for proxy.

  Not as of v3.0, anyway



From firewalls-owner  Thu Aug  1 05:33:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA26900 for firewalls-outgoing; Thu, 1 Aug 1996 05:28:09 -0700 (PDT)
Received: from mclo50.med.navy.mil ([164.167.86.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA26800 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 05:27:29 -0700 (PDT)
Received: from mclo100.med.navy.mil (mclo100.med.navy.mil [164.167.86.100]) by mclo50.med.navy.mil (8.7.4/8.7.3) with SMTP id IAA10720; Thu, 1 Aug 1996 08:13:13 -0400
Message-ID: <3200A022.67B5@mclo10.med.navy.mil>
Date: Thu, 01 Aug 1996 08:16:34 -0400
From: Bob Resino <pnh1rgr@mclo10.med.navy.mil>
Reply-To: pnh1rgr@mclo10.med.navy.mil
Organization: MCLO, HSO, Norfolk, VA (US Navy)
X-Mailer: Mozilla 3.0b5a (Win95; I)
MIME-Version: 1.0
To: endrizzi@master.the-link.com
CC: firewalls@greatcircle.com
Subject: Re: PPTP thoughts anyone?
References: <199608010029.TAA13531@master.the-link.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Seeing that Microsoft owns 95% of the client market my question is why
> would someone want to use any of the firewall remote client products
> (e.g. Checkpoint Secure Remote, Raptor Nomad,  V-One, SCC Netcruiser)
> when I can get it for basically free from Mr. Gates?  Only reason I can think of
> is for non-NT environments.

Well, 

Consider the case of Xylan, rumor has it that they will be putting
Checkpoint in their hubs.  I guess the idea is to incorporate a firewall
and ATM edge device.  I don't know why, but one of their sales people
keep trying to tell me I can't live without it. :^)

Bob Resino

From firewalls-owner  Thu Aug  1 05:53:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA25570 for firewalls-outgoing; Thu, 1 Aug 1996 05:18:23 -0700 (PDT)
Received: from merle.acns.nwu.edu (merle.acns.nwu.edu [129.105.16.57]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA25552 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 05:18:13 -0700 (PDT)
Received: from localhost by merle.acns.nwu.edu with SMTP
Date: Thu, 1 Aug 1996 07:15:53 -0500 (CDT)
From: Brian Hatch <bri@ifokr.org>
X-Sender: bri@merle.acns.nwu.edu
To: Steve Betts <Steve_Betts@ccmailgw.biss.co.uk>
Cc: firewalls@GreatCircle.COM, James Croall <jcroall@smiley.mitre.org>
Subject: Re: Firewall Java blocking
In-Reply-To: <9607018389.AA838914258@ccmailgw.biss.co.uk>
Message-Id: <Pine.HPP.3.93.960801070939.10615L-100000@merle.acns.nwu.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

 
> I understand how a firewall might be configured to block Java or ActiveX 
> executable files, by looking at the file extension. How does a firewall 
> understand what is JavaScript or VBScript when that code is simply part 
> of a comment in an HTML document? Does it now have to be an HTML 
> interpreter as well?

Each seems to handle this differently, for example some you can
dissable the file extensions (which can be circumvented if you don't
name it .class) whereas others watch the file itself (first few bytes
will give it's type away).  TIS' Gauntlet actually reads the HTML
and can be configured to not pass through anything between an
open tag and it's closing counterpart, thus that section will never
reach the broswer, so they won't request anything from it.

This alone could be circumvented if someone gets the page via other
means than the proxy (brings it from home, ftp's it instead)
I think, but if you can use it in conjunction with extensions/scanning
it seems rather full.

One interesting thing you could do with this however: if you're a 
particularly disorganized person, disable the <ul> and <ol>
tags, or if your corporate policy disallows 'inapropriate' access
of the visual nature, just turn off the <img> tag...   ;-)

						 Bri
--
bri@ifokr.org
Systems and Security Engineer
Onsight, Inc.  http://www.avue.com/


From firewalls-owner  Thu Aug  1 06:03:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA29130 for firewalls-outgoing; Thu, 1 Aug 1996 05:53:04 -0700 (PDT)
Received: from rodan.UU.NET (rodan.UU.NET [153.39.130.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA29114 for <firewalls@GreatCircle.com>; Thu, 1 Aug 1996 05:52:54 -0700 (PDT)
Received: from woobie.uu.net by rodan.UU.NET with SMTP 
Message-ID: <3200A7E9.13728473@uu.net>
Date: Thu, 01 Aug 1996 08:49:45 -0400
From: Mark Krause <mkrause@UU.NET>
Organization: UUNET Technologies, Inc.
X-Mailer: Mozilla 3.0b5 (X11; I; SunOS 4.1.3_U1 sun4c)
MIME-Version: 1.0
To: Stefan Berg <stefan@sic.se>
CC: firewalls@GreatCircle.com
Subject: Re: SSL, port 442, https
References: <9608010921.AA54441@pamela.sic.se>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Stefan Berg wrote:
> 
> was just wondering if the W3 Httpd(A) (aka CERN httpd) supports
> SSL, or do I have to patch it somehow? Want to use it for proxy.

There is a patch to add SSL located at
http://www.w3.org/pub/WWW/Daemon/User/Patch/SSL.patch

-- 
Mark Krause                UUNET Technologies, Inc.   http://www.uu.net/
Senior Security Engineer   3060 Williams Drive
mkrause@uu.net             Fairfax, VA 22031-4648 USA
Tel: +1 703 208 5349       Fax: +1 703 206 5493

From firewalls-owner  Thu Aug  1 07:03:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA03933 for firewalls-outgoing; Thu, 1 Aug 1996 06:46:59 -0700 (PDT)
Received: from tartarus.us.newbridge.com (willard.us.newbridge.com [204.177.219.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA03925 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 06:46:51 -0700 (PDT)
Received: from tartarus (tartarus.us.newbridge.com [138.120.108.65]) by tartarus.us.newbridge.com (8.7.5/8.7.3) with SMTP id JAA08975; Thu, 1 Aug 1996 09:41:22 -0400 (EDT)
Date: Thu, 1 Aug 1996 09:41:22 -0400 (EDT)
From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
X-Sender: murchiso@tartarus
To: Stefan Berg <stefan@sic.se>
cc: firewalls@GreatCircle.COM
Subject: Re: SSL, port 442, https
In-Reply-To: <9608010921.AA54441@pamela.sic.se>
Message-ID: <Pine.SOL.3.95.960801094016.8296A-100000@tartarus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Documentation on the SSL tunneling patch for CERN httpd can be found at:

http://www.w3.org/pub/WWW/Daemon/User/Patch/SSL.patch

-r


On Thu, 1 Aug 1996, Stefan Berg wrote:

> 
> Hi there,
> 
> was just wondering if the W3 Httpd(A) (aka CERN httpd) supports
> SSL, or do I have to patch it somehow? Want to use it for proxy.
> 
> /Stefan
> 
> 
> --
> _______________________________________________________
>      Stefan Berg
>      ISDN Group of Sweden / Swedish InternetCentral
>      Phone:  +46-8-6677010
>      E-mail: stefan@sic.se
>      WWW:    http://www.sic.se/   http://www.isdn.se/
> _______________________________________________________
>           Recursive; adj. see Recursive
> 

Roderick Murchison, Jr.                      murchiso@vivid.newbridge.com
Newbridge Networks, Inc.                     office: (703) 708-5930
Product Manager - VIVID ACS                     fax: (703) 708-5937
Herndon, VA 22070-5241                       http://www.vivid.newbridge.com


From firewalls-owner  Thu Aug  1 07:33:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA06625 for firewalls-outgoing; Thu, 1 Aug 1996 07:23:50 -0700 (PDT)
Received: from mhhaa.compuserve.com (mhhaa.compuserve.com [149.174.214.155]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA06605 for <firewalls-digest@greatcircle.com>; Thu, 1 Aug 1996 07:23:39 -0700 (PDT)
Received: from notes2.compuserve.com ([149.174.221.56]) by mhhaa.compuserve.com (8.7.3/8.6.12) with SMTP id KAA08101.; Thu, 1 Aug 1996 10:20:39 -0400 (EDT)
Received: by notes2.compuserve.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.0)
Message-Id: <9608011420.AA5326@notes2.compuserve.com>
Received: by External Gateway (Lotus Notes Mail Gateway for SMTP V1.1) id
To: firewalls-digest <firewalls-digest@greatcircle.com>
From: "anthony.sabaj" <anthony.sabaj@awo.com>
Date:  1 Aug 96  9:04:40 
Subject: Logs - Backups
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Currently we tar and gzip our logs daily and back them off to another machine 
nightly and then run a process on another machine to look for nasty stuff,  
along with swatch running to notify us in real time for really nasty stuff.

The question I have is what people are doing with their firewall logs long 
term, putting them to tape, cd, compressing or archiving them on other 
machine.  How long do you keep them un-archived, how long do you keep them 
(forever, a year...), things like that.

You can respond privately or to the list if you think it is relevant.

Thanks in advance
________________________
Tony Sabaj
anthony.sabaj@awo.com
Andersen Worldwide
312-507-1689
BTW - My opinion are mine and do represent those of my employer - (thank God)
________________________

From firewalls-owner  Thu Aug  1 08:03:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA08684 for firewalls-outgoing; Thu, 1 Aug 1996 07:46:45 -0700 (PDT)
Received: from rohan.btg.com (rohan.btg.com [199.29.53.67]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA08612 for <Firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 07:46:26 -0700 (PDT)
Received: from pop.btg.com (shire.btg.com [199.29.53.171]) by rohan.btg.com (8.7.5/8.7.3) with SMTP id KAA19558; Thu, 1 Aug 1996 10:43:32 -0400 (EDT)
Received: (noorder@localhost) by pop.btg.com (8.6.8.1/SCA-6.6) 
From: "Alex Noordergraaf" <noorder@shire.btg.com>
Message-Id: <9608011043.ZM26600@shire.btg.com>
Date: Thu, 1 Aug 1996 10:43:46 -0400
In-Reply-To: Bill Stout <bill.stout@hidata.com>
References: <199608010103.SAA18024@osc.osc.hidata.com>
X-Mailer: Z-Mail (3.2.1 10apr95)
To: Bill Stout <bill.stout@hidata.com>, Firewalls@GreatCircle.COM
Subject: Re: Is any O.S. w/IP enabled C2 certified?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Jul 31,  6:03pm, Bill Stout wrote:
> Subject: Is any O.S. w/IP enabled C2 certified?
> As a firewall platform or not, is _any_ O.S. C2 certified when
> networking (specifically TCP/IP) is turned on?

My experience is mostly with HP-UX 8.X, 9.X, and 10.X with some Sun
Solaris thrown in.  To answer your question they all have C2
compliant or accredited modes.  HP-UX 9.x was compliant, where HP-UX
10.X is in the process of being accredited.  The TCP/IP isn't
a big concern at the C2 level.  At B1 or B2 it is much more of
a concern.  Then you start talking about Max-6 which is beyond this
discussion (I hope :-).

>
> I keep mentioning this C2=a-non-networked-NT-box issue when talking
> about NT firewalls (as a response to NT fan(atics) claiming C2
> certification).  However I am in search of 'truth', and this one
> issue is beginning to sound like a non-rational objection.


I have heard/read that NT has actually been C2 accredited.  There is some
documentation on Microsofts web page.

>
>
> Bill Stout
> _______________________________________________________________________________
> Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
> Hitachi Data Systems   408-970-4822   ---  Disclaimer:  I speak only for
myself
> ___________"Infowar, Cyber-war, yes, 'they' _are_ out to get
you..."___________
>
>-- End of excerpt from Bill Stout

- Alex Noordergraaf



From firewalls-owner  Thu Aug  1 08:18:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10140 for firewalls-outgoing; Thu, 1 Aug 1996 08:03:17 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA10121 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 08:03:06 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id KAA06153; Thu, 1 Aug 1996 10:00:01 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA24612; Thu, 1 Aug 1996 09:51:35 -0500
Received: by sonic.nmti.com; id AA08975; Thu, 1 Aug 1996 09:51:34 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608011451.AA08975@sonic.nmti.com.nmti.com>
Subject: Re: PPTP thoughts anyone?
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Thu, 1 Aug 1996 09:51:33 -0500 (CDT)
Cc: endrizzi@master.the-link.com, peter@baileynm.com
In-Reply-To: <c=US%a=_%p=Toronto%l=MAIL-960801023123Z-4@mail.fred.com> from "Russ" at Jul 31, 96 10:31:23 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In other words, the protocol allows you to route packets at either end to
connect two networks together over this, but the current implementations
don't. Which answers the question as to why you would want to use a third
party virtual network perimeter product.

From firewalls-owner  Thu Aug  1 08:33:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09182 for firewalls-outgoing; Thu, 1 Aug 1996 07:52:39 -0700 (PDT)
Received: from po9.andrew.cmu.edu (PO9.ANDREW.CMU.EDU [128.2.10.109]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA09144 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 07:52:18 -0700 (PDT)
Received: (from postman@localhost) by po9.andrew.cmu.edu (8.7.5/8.7.3) id KAA05855; Thu, 1 Aug 1996 10:48:42 -0400
Received: via switchmail; Thu,  1 Aug 1996 10:48:41 -0400 (EDT)
Received: from unix14.andrew.cmu.edu via qmail
Received: from unix14.andrew.cmu.edu via qmail
Received: from mms.4.60.Jun.27.1996.03.02.53.sun4.51.EzMail.2.0.CUILIB.3.45.SNAP.NOT.LINKED.unix14.andrew.cmu.edu.sun4m.54
Message-ID: <km0AD1S00YUq06enM0@andrew.cmu.edu>
Date: Thu,  1 Aug 1996 10:48:33 -0400 (EDT)
From: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
To: firewalls@greatcircle.com, Don Lewis <Don.Lewis@tsc.tdk.com>
Subject: Re: How secure is xinetd's binding to specific interfaces
In-Reply-To: <199608010815.BAA22451@salsa.gv.ssi1.com>
References: <199608010815.BAA22451@salsa.gv.ssi1.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Excerpts from internet.computing.firewalls: 1-Aug-96 Re: How secure is
xinetd's .. by Don Lewis@tsc.tdk.com 
>  
>                 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
>                         if (ia->ia_ifp == ifp)
>                                 goto ours;
>                         else
>                                 it came in on the wrong interface, log it 

This code would work beautifully if ipintr had ifp, a pointer to the
interface the packet was received on.  Unfortunately, BSD networking
code never records the interface a pakcet was received on.  When an
ethernet packet is received, ether_input never records ifp for future
reference.  This means that any ifp ipintr has must have been derived
from the recieving address, so the check will always pass.  To get this
to work correctly requires a kind of big hack, because the IP code
doesn't even see the ethernet address of the interface.  I see two
options here:

1) Try to have to IP code walk backwards on queued packets to extract
the ethernet address and match it with the interface.  Not good because
we can't guarantee that walking back into the ethernet header will work,
it is low-level protocol dependent.  Also, depending on the
implemtation, the ethernet header may already have been discarded.

2) Add a field to the packet queue which holds the interface the packet
was received on.  This is ok, but means all input mechanisms (SLIP,
loopback, PPP, ethernet) must do this, adding overhead.  In addition, in
systems which support dynamic interfaces (like Linux's IP aliasing), we
can't guarantee that a pointer will work, because the interface may not
exist anymore.  This is, IMHO, the correct behavior.

I am going to implement 2) for Linux, hopefully by the end of 7 days and
7 nights.
 
Zach Amsden
amsden@andrew.cmu.edu 

From firewalls-owner  Thu Aug  1 08:48:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA12514 for firewalls-outgoing; Thu, 1 Aug 1996 08:36:19 -0700 (PDT)
Received: from relay4.UU.NET (relay4.UU.NET [192.48.96.14]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA12494 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 08:36:05 -0700 (PDT)
Received: from netevolve.com by relay4.UU.NET with SMTP 
Received: from lazar by netevolve.com (4.1/SMI-4.1)
Message-Id: <9608011536.AA21602@netevolve.com>
Comments: Authenticated sender is <lazar@netevolve.com>
From: "Irwin Lazar" <lazar@netevolve.com>
Organization: Network Evolutions
To: firewalls@greatcircle.com
Date: Thu, 1 Aug 1996 11:34:35 +0000
Subject: Microsoft Internet Server
Reply-To: lazar@netevolve.com
X-Mailer: Pegasus Mail for Win32 (v2.42)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings all.
In a recent Network Security class the instructor mentioned that 
there is a known hole in the Microsoft Internet Information Server 
that can be exploited.  He also mentioned that a patch is available 
from Microsoft.  I searched their web site today but couldn't find 
anything.

Does anyone know if this patch is part of their service packs or if 
it has to be seperately installed, and if so, does anyone know where 
to obtain it?

Thanks in advance.
Irwin

From firewalls-owner  Thu Aug  1 09:04:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA12958 for firewalls-outgoing; Thu, 1 Aug 1996 08:40:08 -0700 (PDT)
Received: from cbgw3.att.com (cbgw3.att.com [192.20.239.137]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA12860 for <Firewalls@greatcircle.com>; Thu, 1 Aug 1996 08:39:18 -0700 (PDT)
From: mdr@vodka.sse.att.com
Received: from vodka.sse.att.com by cbig3.att.att.com (SMI-8.6/EMS-1.2 sol2)
Message-Id: <199608011530.LAA17642@cbig3.att.att.com>
Subject: Security:  Java vs ActiveX
To: peter@baileynm.com (Peter da Silva)
Date: Thu, 1 Aug 1996 11:35:51 -0400 (EDT)
Cc: Russ.Cooper@RC.Toronto.on.ca, proberts@clark.net
In-Reply-To: <9607311659.AA08534@sonic.nmti.com.nmti.com> from "Peter da Silva" at Jul 31, 96 11:59:21 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I'd like to give you my thought w.r.t. the relative security of
Java VM and ActiveX.    

First of all, let me say that this is definitely an apples-oranges
comparison.  The two technologies are aimed at different niches in
terms of security functionality, but unfortunately at the _same_
market:  applet security.

ActiveX security model: Reliable delivery
	ActiveX aims to improve security by allowing hosts to
	distinguish between "approved" applets and 
	"non approved" applets.   
	An "approved" applet is not only reliably delivered, it comes
	from a known source, author etc and is "published" software
	similar.  Think of "Code Signing" as "Digital Shrinkwrap".


Java Security model: Encapsulation and Reliable Delivery
	Java aims to improve security by encapsulation.  Rather than 
	running the applet as native code, the applet is interpreted
	via a Java VM.    The Java VM keeps up with the source of 
	the applet and restricts its access to local resources.
	Think of "encapsulation" as "Execution by Proxy".
	
	However remember that Java will probably incorporate code
	signing soon.  So we should really be comparing "Reliable Delivery" vs
	"encapsulation"  rather than Java VS ActiveX.

These two competing security models _both_ have utility.

Let me compare their uses in the following env's
Environments: 
	StandAlone:  My PC or Workstation.

	LAN:  running applications from file servers.

	WAN:  running applications from file servers.

	Internet:  running applications from file servers.
	
	
First what can "Reliable Delivery" do in these?
	StandAlone:  My PC or Workstation. 
		Reliable Delivery is accomplished today by shrinkwrapping
		and packaging and physical delivery to retail outlets.
		"Code Signing" would protect me from the remote chance
		that binaries are altered in transport.

	LAN:  running applications from file servers.
		Protects against binary patching or alterations as
		applications or applets are on the wire.  This is an
		_improvement_ of the technologies currently in wide-spread
		use for file sharing.

	WAN:  running applications from file servers.
		Can protect me from altered binaries, or
		"non-approved" binaries.  Can limit my selection of
		executable file servers

	Internet:  running applications from file servers.
		Can allow me to reliably download software from 
		participating vendors over the internet.  This too is
		a big improvement in security over straight ftp, and a
		big improvement in ease-of-user over PGP.

		The _HUGE_ misconception and potential problem is the
		mistaken belief that this boost in security is enough
		to allow me to download "network aware" applets.  It's
		one think to update my word processor, but quite
		another to download anything that listens to
		anything any where.  Since ActiveX applets are
		essentially network aware COM objects there is a
		potentially huge security hole here.
		
	
Now what can "Reliable Delivery" __NOT__ do in these?
	Protect against unintentional security holes in software.
	Protect against Trojan Horses.
	Protect against Data Content Viruses.
	Protect against Viruses invecting the Vendor.
	Allow safe execution of network aware applets.
	

Secondly what can "Encapsulation" do in these  envs?

	StandAlone:  My PC or Workstation. 
		Encapsulation could provide an excellent boost in
		security here.  Unfortunately the operating systems in
		use on the desktop, Windows, Win95 and WinNT,
		don't provide adequate separation between application
		code and system code.   WinNT goes futher than the
		others but not far enough.
	
		The current Java VM model doesn't help me here, because I
		want to access my local files, and that means running
		java appliCATIONS not Applets.    However the
		technology could be extended to restrict my Java word
		processor to read/write _only_ word processor documents.
		And/or to limit the directories that it would access.

		I don't know if Sun knows what it could do here :)

	LAN:  running applications from file servers.
		If I can completely trust my "Encapsulation" I could
		say "I don't care where this applet comes from or who
		wrote it".    This would be a HUGE improvement in
		security.  Is it realizable?  Maybe.  But it will take
		time to shake all the security bugs out of the Java VM.

		The _dis_advantage is that one java VM bug breaks
		everthing until its fixed.  The _ad_vantage is that
		there is probably a way to fix it.

		However a weaker stance is to allow
		only reliably delivered applets and say "I trust 
		the vendor but thats's not enough"  the vendor may
		have made a mistake.  An esoteric java VM exploit would 
		only work if some
		vendors software happens to allow access to that type
		of exploit.

		This is the "multiple levels of
		security" approach and the one that I advocate.

	WAN:  running applications from file servers.
		same as above

	Internet:  running applications from file servers.
		Pure and perfect encapsulatin would allow me to 
		safely download and execute software from any vendors 
		over the internet.  Combining encapsulation with
		code signing would give unparalleled security.

		A Java wordprocessing vendor could license the
		wordprocessor _AND_ the file storage. The benefit is
		that I have the assuranced that the vendors software
		isn't  mucking with my machine and the vendor controls
		his software distribution and upgrade cost and
		potentially sells new services.  Would people buy it?
		Would you like to be able to fly out of state and
		access your wordprocessor docs from any location in
		the world with just a browser?  All we need is a
		little more bandwidth.

	
Now what can "Encapsulation " __NOT__ do in these?
	-Protect against Data Content Viruses?  

	A java applet of any use is likely to modify persistent data 
	somewhere.  

	If someone writes Word_For_Java, we'll soon have a Word_For_Java version
	of the concept virus.   But then, the VM could restrict access to the 
	global macro files and such when "running" someone elses
	document.  I'll have to think about this one more.

	-Allow safe execution of network aware applets. ?

	Encapsulation goes a long way here.  At least my PC or
	workstation will be safe, but what about other hosts?  Applets
	sending fake email and manipulating other Internet resources are
	a problem that encapsulation alone will not solve.  I advocate
	a security policy authorizing signed applets to access only
	their source machine as verified by a Certificate Authority.

But notice that it does cover the following.
	Protect against Viruses invecting the Vendor.
	Protect against unintentional security holes in software.
	Protect against Trojan Horses.

Conclusions:  
	1. Reliable delievery is a moderate security gain.
	2. Encapsulation has _major_ potential but should be augmented
		with reliable delivery.


Now back to Java vs ActiveX.
	1. Java needs to add reliable delivery and perfect their VM.
	2. ActiveX needs to add encapsulation.
	3. As they stand now, Java's security is superior to ActiveX's for
		intenet downloadable executable content.

What bothers me the most about all of this is that Microsoft seems to
be claiming that ActiveX is has an effective model for downloading network 
aware objects.  It is _NOT_.   

However, I'm not sure if they are making that
claim outright or if others are attributing it to them.  Their FAQ
does however state this:

	From www.microsoft.com ActiveX FAQ

	Is signed code really secure?

	Yes. The security methods used to support this proposal are not new;
	they rely on tried and proven
	technology. The specifications on which the technology is based have
	been used successfully in the
	industry for some time. These include PKCS #7 (encrypted key
	specification), PKCS #10 (electronic
	request forms), X.509 (certificate specification), and SHA and MD5
	hash algorithms.

IMO the above statment is misleading, it equates "secure code" with "signed
code", and is typical of their stance.  However, I'm trying hard to 
see the good in ActiveX w.r.t security inspite of such.

I am also perplexed with the current perception that Java is a
security _problem_ instead of a security _solution_.  The current rash
of Java VM holes is a set of bugs coming from a _single_ program (with
multiple implementations) that is undergoing extensive analysis.  
Imagine what ActiveX will do for us when users want to trust _every_
program to be network aware! 

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs  

Disclaimer: This is my own opinion and not necessarily that of my
employer.


From firewalls-owner  Thu Aug  1 09:18:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14001 for firewalls-outgoing; Thu, 1 Aug 1996 08:52:32 -0700 (PDT)
Received: from rohan.btg.com (rohan.btg.com [199.29.53.67]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA13971 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 08:52:07 -0700 (PDT)
Received: from pop.btg.com (shire.btg.com [199.29.53.171]) by rohan.btg.com (8.7.5/8.7.3) with SMTP id LAA20457; Thu, 1 Aug 1996 11:49:13 -0400 (EDT)
Received: (noorder@localhost) by pop.btg.com (8.6.8.1/SCA-6.6) 
From: "Alex Noordergraaf" <noorder@shire.btg.com>
Message-Id: <9608011149.ZM27067@shire.btg.com>
Date: Thu, 1 Aug 1996 11:49:27 -0400
In-Reply-To: Darwin Martinez <Darwin_Martinez@INS.COM>
References: <2.2.32.19960801154310.00a1b1f0@ins.com>
X-Mailer: Z-Mail (3.2.1 10apr95)
To: Darwin Martinez <Darwin_Martinez@INS.COM>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Aug 1, 11:43am, Darwin Martinez wrote:
> Subject: Re: Is any O.S. w/IP enabled C2 certified?
> Recall, however, that even though NT/HPUX/etc. may be C@ certified, it is
> certified at the box level only, not the network level.
>

Correct, but that is because the Orange book definition of C-2 doesn't
have any network requirements.  (someone please correct me if I am
wrong)  I didn't think that network requirements came into play until
the B levels, notably B-1.

[...]
>
> ------------------------------------------------------------------------
> Darwin L. Martinez, NSE			Email:	darwin_martinez@ins.com
> Atlanta Office				Site #:	404-843-5954
> International Network Services		Pager:	800-INS-1-INS
>
> "People of the Earth can you hear me?"
> 			Billy Thorpe, 1979
> ------------------------------------------------------------------------
>
>-- End of excerpt from Darwin Martinez



From firewalls-owner  Thu Aug  1 09:33:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA13500 for firewalls-outgoing; Thu, 1 Aug 1996 08:47:01 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA13481 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 08:46:50 -0700 (PDT)
Received: from user_ins.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id IAA19801; Thu, 1 Aug 1996 08:43:15 -0700 (PDT)
Message-Id: <2.2.32.19960801154310.00a1b1f0@ins.com>
X-Sender: martin_d@ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 01 Aug 1996 11:43:10 -0400
To: "Alex Noordergraaf" <noorder@shire.btg.com>
From: Darwin Martinez <Darwin_Martinez@INS.COM>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Recall, however, that even though NT/HPUX/etc. may be C@ certified, it is
certified at the box level only, not the network level.

At 10:43 AM 8/1/96 -0400, you wrote:
>On Jul 31,  6:03pm, Bill Stout wrote:
>> Subject: Is any O.S. w/IP enabled C2 certified?
>> As a firewall platform or not, is _any_ O.S. C2 certified when
>> networking (specifically TCP/IP) is turned on?
>
>My experience is mostly with HP-UX 8.X, 9.X, and 10.X with some Sun
>Solaris thrown in.  To answer your question they all have C2
>compliant or accredited modes.  HP-UX 9.x was compliant, where HP-UX
>10.X is in the process of being accredited.  The TCP/IP isn't
>a big concern at the C2 level.  At B1 or B2 it is much more of
>a concern.  Then you start talking about Max-6 which is beyond this
>discussion (I hope :-).
>
>>
>> I keep mentioning this C2=a-non-networked-NT-box issue when talking
>> about NT firewalls (as a response to NT fan(atics) claiming C2
>> certification).  However I am in search of 'truth', and this one
>> issue is beginning to sound like a non-rational objection.
>
>
>I have heard/read that NT has actually been C2 accredited.  There is some
>documentation on Microsofts web page.
>
>>
>>
>> Bill Stout
>>
_______________________________________________________________________________
>> Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
>> Hitachi Data Systems   408-970-4822   ---  Disclaimer:  I speak only for
>myself
>> ___________"Infowar, Cyber-war, yes, 'they' _are_ out to get
>you..."___________
>>
>>-- End of excerpt from Bill Stout
>
>- Alex Noordergraaf
>
>
>
>
------------------------------------------------------------------------
Darwin L. Martinez, NSE			Email:	darwin_martinez@ins.com
Atlanta Office				Site #:	404-843-5954
International Network Services		Pager:	800-INS-1-INS

"People of the Earth can you hear me?"
			Billy Thorpe, 1979
------------------------------------------------------------------------


From firewalls-owner  Thu Aug  1 10:48:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA24132 for firewalls-outgoing; Thu, 1 Aug 1996 10:20:47 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA24089 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 10:19:50 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
Received: from lina (lists@lina.inka.de) by uu.inka.de
Received: by lina
Message-Id: <m0um19j-0004jXC@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: How secure is xinetd's binding to specific interfaces
To: amsden+@andrew.cmu.edu (Zachary Roger Amsden)
Date: Thu, 1 Aug 1996 19:03:26 +0200 (MET DST)
Cc: firewalls@GreatCircle.COM, Don.Lewis@tsc.tdk.com
In-Reply-To: <km0AD1S00YUq06enM0@andrew.cmu.edu> from "Zachary Roger Amsden" at Aug 1, 96 10:48:33 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> 2) Add a field to the packet queue which holds the interface the packet
> was received on.  This is ok, but means all input mechanisms (SLIP,
> loopback, PPP, ethernet) must do this, adding overhead.  In addition, in
> systems which support dynamic interfaces (like Linux's IP aliasing), we
> can't guarantee that a pointer will work, because the interface may not
> exist anymore.  This is, IMHO, the correct behavior.
> 
> I am going to implement 2) for Linux, hopefully by the end of 7 days and
> 7 nights.

You know that the pointer is already there? Since the ip-firewalling in
Linux can be interface name based. The pointer is valid in linux, since
there are notifier calls if the table would change. Generally I think it is
not a good idea to accept packets only if they are addressed to the right
interface. I think it is much better to insert a firewalling rule if you
dont want to receive packets on the wrong interface. Then the choice is up
to the user without additional kerelbloat.

Greetings
Bernd

From firewalls-owner  Thu Aug  1 10:49:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA22762 for firewalls-outgoing; Thu, 1 Aug 1996 10:06:28 -0700 (PDT)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA22730 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 10:06:12 -0700 (PDT)
Received: (from smap@localhost) by ereapp.erenj.com (8.7.4/8.7.3) id NAA01887 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 13:03:02 -0400
Received: from unknown(159.70.37.169) by ereapp.erenj.com via smap (V1.3)
Received: from fpemyforza ([159.70.37.54]) by fpeweb01.ere.exxon.com
Message-ID: <3200DDE8.3545@fpe.erenj.com>
Date: Thu, 01 Aug 1996 12:40:08 -0400
From: myforza@fpe.erenj.com (Forzani,Michele,Y.)
X-Mailer: Mozilla 2.02Gold (WinNT; I)
MIME-Version: 1.0
To: lazar@netevolve.com
CC: firewalls@GreatCircle.COM
Subject: Re: Microsoft Internet Server
References: <9608011536.AA21602@netevolve.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All you need to know can be found at:

http://www.omna.com/msiis/

>In a recent Network Security class the instructor mentioned that
>there is a known hole in the Microsoft Internet Information Server
>that can be exploited.  He also mentioned that a patch is available
>from Microsoft.  I searched their web site today but couldn't find
>anything.

-- 
....Michele

From firewalls-owner  Thu Aug  1 11:05:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA25139 for firewalls-outgoing; Thu, 1 Aug 1996 10:34:29 -0700 (PDT)
Received: from seciu.uy (seciu.uy [164.73.128.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA25088 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 10:33:59 -0700 (PDT)
Received: from varela.reu.edu.uy by seciu.uy with smtp
Received: from r44-53.adinet.com.uy by varela.reu.edu.uy id aa08976;
Message-ID: <32012219.60EE@ieee.org>
Date: Thu, 01 Aug 1996 14:31:05 -0700
From: "Ing. Pablo A. Fossati Fischer" <p.fossati@ieee.org>
Organization: Direccion Nacional de Comunicaciones
X-Mailer: Mozilla 2.02 (Win16; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: (no subject)
References: <31FFC7E3.515B@telconet.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

unsuscript

From firewalls-owner  Thu Aug  1 11:18:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA23598 for firewalls-outgoing; Thu, 1 Aug 1996 10:14:39 -0700 (PDT)
Received: from gatekeeper.somerfield.co.uk (gatekeeper.somerfield.co.uk [194.201.87.241]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA23590 for <firewalls@GreatCircle.com>; Thu, 1 Aug 1996 10:14:20 -0700 (PDT)
From: jason.williams@somerfield.co.uk
Received: by gatekeeper.somerfield.co.uk; id SAA06204; Thu, 1 Aug 1996 18:11:54 +0100 (BST)
Received: from mailhost(172.17.11.21) by gatekeeper.somerfield.co.uk via smap (V3.1.1)
Received: (from Unknown UID 0@localhost) by mailhost.somerfield.co.uk (8.6.9/8.6.9) id SAA00129 for firewalls@GreatCircle.com; Thu, 01 Aug 1996 18:10:22 GMT
Date: Thu, 01 Aug 1996 18:10:22 GMT
Message-Id: <199608011810.SAA00129@mailhost.somerfield.co.uk>
Subject:  RE:  Microsoft Internet Server
X-Mailer: MailNet 3.1
Apparently-To: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


If your Internet server is dated later than July it has had the patch 
applied.


 ----------
From: "Irwin Lazar" <lazar
Subject:  Microsoft Internet Server
Date: 01 August 1996 18:00

<<File Attachment: HEADER.TXT>>


Greetings all.
In a recent Network Security class the instructor mentioned that
there is a known hole in the Microsoft Internet Information Server
that can be exploited.  He also mentioned that a patch is available
from Microsoft.  I searched their web site today but couldn't find
anything.

Does anyone know if this patch is part of their service packs or if
it has to be seperately installed, and if so, does anyone know where
to obtain it?

Thanks in advance.
Irwin



From firewalls-owner  Thu Aug  1 11:33:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA23045 for firewalls-outgoing; Thu, 1 Aug 1996 10:08:47 -0700 (PDT)
Received: from psa.pencom.com (psa.pencom.com [204.217.199.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA23004 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 10:08:21 -0700 (PDT)
Received: (from jesse@localhost) by psa.pencom.com (Hah!/nope) id LAA22988; Thu, 1 Aug 1996 11:59:27 -0500 (CDT)
Date: Thu, 1 Aug 1996 11:59:27 -0500 (CDT)
From: Jesse Whyte <jesse@psa.pencom.com>
To: Irwin Lazar <lazar@netevolve.com>
cc: firewalls@GreatCircle.COM
Subject: Re: Microsoft Internet Server
In-Reply-To: <9608011536.AA21602@netevolve.com>
Message-ID: <Pine.SOL.3.91.960801115839.22408A-100000@psisa.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If anyone has any more information on the Server hole - technicals and 
maybe an exploit script - please reply back either privately or on the 
list if you think it is appropriate.

Thanx,

Jesse

****************************************************************
Jesse Whyte
Computer/Network Security Consultant
Pencom Systems Administrator
H: (410) 647-9645
W: (410) 908-0991

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQBtAzH9ET0AAAEDAK5KPTS0p7YIc3+gFOGUQXUqYSW9t3kguv4feEIuqda/Wn+y
bcSf4CImrNJqODwcU9D5Gm+e2Qa0l74ezsJjxryvNa4DXwHxH4WRz0BzjdLGkoAH
UXI70eJRNkPFMStixQAFEbQbU29jcmF0ZXMgPGplc3NlQHBlbmNvbS5jb20+
=I+Vd
-----END PGP PUBLIC KEY BLOCK-----

On Thu, 1 Aug 1996, Irwin Lazar wrote:

> Greetings all.
> In a recent Network Security class the instructor mentioned that 
> there is a known hole in the Microsoft Internet Information Server 
> that can be exploited.  He also mentioned that a patch is available 
> from Microsoft.  I searched their web site today but couldn't find 
> anything.
> 
> Does anyone know if this patch is part of their service packs or if 
> it has to be seperately installed, and if so, does anyone know where 
> to obtain it?
> 
> Thanks in advance.
> Irwin
> 

From firewalls-owner  Thu Aug  1 12:03:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA26363 for firewalls-outgoing; Thu, 1 Aug 1996 10:52:18 -0700 (PDT)
Received: from hap.arnold.af.mil (smokey.arnold.af.mil [132.45.120.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA26333 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 10:51:59 -0700 (PDT)
Received: from zone.aedc (zone.arnold.af.mil [134.137.226.32]) by hap.arnold.af.mil (8.6.10/8.6.9) with ESMTP id MAA29297 for <@hap.aedc:firewalls@greatcircle.com>; Thu, 1 Aug 1996 12:52:09 -0500
Received: by zone.aedc (940816.SGI.8.6.9/930416.SGI)
From: "Sean Fuller" <c60201@zone.arnold.af.mil>
Message-Id: <9608011248.ZM12237@zone.aedc>
Date: Thu, 1 Aug 1996 12:48:50 -0500
In-Reply-To: <firewalls-owner@GreatCircle.COM>
References: f<838886819ThuCDT.firewalls-owner@GreatCircle.COM>
X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail)
To: firewalls@greatcircle.com
Subject: Re: SSL, port 442, https
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Aug 1,  3:06am, <firewalls-owner@GreatCircle.COM> wrote:

> was just wondering if the W3 Httpd(A) (aka CERN httpd) supports
> SSL, or do I have to patch it somehow? Want to use it for proxy.

It requires a PATCH TO WWW COMMON LIBRARY 2.17 AND CERN HTTPD 3.0

Here is the overview:
        This SSL tunneling patch for CERN httpd adds support for the
        CONNECT method used by SSL enhanced clients to open a secure
        tunnel through the proxy.

And the author
        Ari Luotonen, Netscape Communications Corporation, 1995
        <ari@netscape.com>

I can mail it to you if you can't find it.
- -----------------------------------------------------------------------
Sean L. Fuller - fuller@hap.arnold.af.mil - Arnold AFB
The opinions expressed in this message are solely those of the
individual author.  The views and opinions of the author expressed
herein do not constitute an endorsement nor reflect the official
opinion of the Department of Defense, U.S. Air Force, or AEDC.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMgDt1cR6EF7/AlFpAQEBZgP/d41WItb8SLPfMeWXyKVFqKqvWsWUKVXZ
3oEgNnOa+QhsOYAod31MBNwiqZN2cigZ+QlTFI6UvNRJfu/phyPKkIr8mUaKyvQ2
1bEwkgYRijmHGQAMZLCpKQJTNHznk/N3mfDx+sI0LWIinD59iMkyAveZan+CSVL+
303W7Mjfad4=
=45Oc
-----END PGP SIGNATURE-----

From firewalls-owner  Thu Aug  1 12:16:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA27706 for firewalls-outgoing; Thu, 1 Aug 1996 11:05:24 -0700 (PDT)
Received: from ingr.ingr.com (ingr.ingr.com [129.135.211.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA27665 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 11:04:59 -0700 (PDT)
Received: from hq14.pcmail.ingr.com by ingr.ingr.com (5.65c/1.920611)
Received: by hq14.pcmail.ingr.com with Microsoft Exchange (IMC 4.0.838.14)
Message-Id: <c=US%a=_%p=INTERGRAPH%l=HQ9-960801161552Z-17800@hq14.pcmail.ingr.com>
From: "Jarmon, Don R" <drjarmon@ingr.com>
To: "'lazar@netevolve.com'" <lazar@netevolve.com>
Cc: "'firewalls@greatcircle.com'" <firewalls@greatcircle.com>
Subject: RE: Microsoft Internet Server
Date: Thu, 1 Aug 1996 11:15:52 -0500
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

http://www.microsoft.com./infoserv/iisservpack.htm

>----------
>From: 	Irwin Lazar[SMTP:lazar@netevolve.com]
>Sent: 	Thursday, August 01, 1996 6:34 AM
>To: 	firewalls@greatcircle.com
>Subject: 	Microsoft Internet Server
>
>Greetings all.
>In a recent Network Security class the instructor mentioned that 
>there is a known hole in the Microsoft Internet Information Server 
>that can be exploited.  He also mentioned that a patch is available 
>from Microsoft.  I searched their web site today but couldn't find 
>anything.
>
>Does anyone know if this patch is part of their service packs or if 
>it has to be seperately installed, and if so, does anyone know where 
>to obtain it?
>
>Thanks in advance.
>Irwin
>

From firewalls-owner  Thu Aug  1 12:20:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA27748 for firewalls-outgoing; Thu, 1 Aug 1996 11:06:06 -0700 (PDT)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA27709 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 11:05:34 -0700 (PDT)
Received: from beach.sctc.com (root@localhost) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id NAA13980; Thu, 1 Aug 1996 13:08:07 -0500 (CDT)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id NAA13976; Thu, 1 Aug 1996 13:08:07 -0500 (CDT)
Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.5/8.7.3) with SMTP id NAA27290; Thu, 1 Aug 1996 13:03:59 -0500 (CDT)
Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id NAA07736; Thu, 1 Aug 1996 13:03:59 -0500
Date: Thu, 1 Aug 1996 13:03:59 -0500
From: Rick Smith <smith@sctc.com>
Message-Id: <199608011803.NAA07736@shade.sctc.com>
To: noorder@shire.btg.com
Cc: firewalls@greatcircle.com, smith@sctc.com
Subject: Re: Is any O.S. w/IP enabled C2 certified?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Aug 1, 11:43am, Darwin Martinez wrote:

>> Recall, however, that even though NT/HPUX/etc. may be C@ certified, it is
>> certified at the box level only, not the network level.

"Alex Noordergraaf" <noorder@shire.btg.com> replied:

>Correct, but that is because the Orange book definition of C-2 doesn't
>have any network requirements.  (someone please correct me if I am
>wrong)  I didn't think that network requirements came into play until
>the B levels, notably B-1.

The "B" and "C" have nothing to do with networking.

The original TCSEC applied to "systems" as in the old timesharing or
batch world. You could do a TCSEC evaluation on a device with network
interfaces, but most vendors don't. I think Sun did a CMW evaluation
that way a few years back. There's also the "Trusted Network
Interpretation" that's supposed to better apply to networked devices.

The "B" level indicates that the system contains mandatory access
control that enforces a multilevel security policy on data in the
system. This is intended to protect against sophisticated "outsider"
attacks. 

The "C" level indicates that the the system can keep relatively honest
"insiders" from improperly accessing each others' files. So don't get
overly impressed by a "C2" evaluation. It indicates that some third
party reviewed the device relative to some specific criteria, not that
it's strong enough to protect your data.

Rick.
smith@sctc.com         secure computing corporation

From firewalls-owner  Thu Aug  1 12:49:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05345 for firewalls-outgoing; Thu, 1 Aug 1996 12:05:59 -0700 (PDT)
Received: from hap.arnold.af.mil (smokey.arnold.af.mil [132.45.120.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA05183 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 12:05:21 -0700 (PDT)
Received: from zone.aedc (zone.arnold.af.mil [134.137.226.32]) by hap.arnold.af.mil (8.6.10/8.6.9) with ESMTP id OAA01022 for <@hap.aedc:firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 14:05:31 -0500
Received: by zone.aedc (940816.SGI.8.6.9/930416.SGI)
From: "Sean Fuller" <c60201@zone.arnold.af.mil>
Message-Id: <9608011402.ZM12336@zone.aedc>
Date: Thu, 1 Aug 1996 14:02:12 -0500
In-Reply-To: <firewalls-owner@GreatCircle.COM>
References: f<838921322ThuCDT.firewalls-owner@GreatCircle.COM>
X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail)
To: firewalls@GreatCircle.COM
Subject: Re: Logs - Backups
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

anthony.sabaj@awo.com writes:
>The question I have is what people are doing with their firewall logs long
>term, putting them to tape, cd, compressing or archiving them on other
>machine.  How long do you keep them un-archived, how long do you keep them
>(forever, a year...), things like that.

I archive ours to an STK mass storage silo.  I just started in January, so
I don't have any plans yet to delete them.  We have a 50 terabyte liscense,
so we probably won't be hurting for space for at least a week.  ;)

----------
Sean L. Fuller <fuller@hap.arnold.af.mil>

From firewalls-owner  Thu Aug  1 13:03:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA06723 for firewalls-outgoing; Thu, 1 Aug 1996 12:14:04 -0700 (PDT)
Received: from vtserf.cc.vt.edu (vtserf.CC.VT.EDU [128.173.4.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA06643 for <firewalls-digest@greatcircle.com>; Thu, 1 Aug 1996 12:13:25 -0700 (PDT)
From: marchany@vtserf.cc.vt.edu
Received: by vtserf.cc.vt.edu (5.65/DEC-Ultrix/4.3)
Message-Id: <9608011909.AA00685@vtserf.cc.vt.edu>
To: "anthony.sabaj" <anthony.sabaj@awo.com>
Cc: firewalls-digest <firewalls-digest@greatcircle.com>
Subject: Re: Logs - Backups  
In-Reply-To: Your message of "01 Aug 96 09:04:40."
Date: Thu, 01 Aug 96 15:09:09 -0400
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We take all of our logs and burn them on CD. The CD can be read by any box that 
has a cd player, is permanent, not modifiable and easy to store. Good CD burners 
are under $2k and take about 20 minutes or so for 600MB of data. I think we're 
using a Sony CD burner connected to a Mac at the moment.

	-Randy Marchany
	VA Tech Computing Center
	Blacksburg, VA 24060

Blacksburg Electronic Village: www.bev.net


From firewalls-owner  Thu Aug  1 14:30:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA29453 for firewalls-outgoing; Thu, 1 Aug 1996 11:25:08 -0700 (PDT)
Received: from loki.aetc.af.mil ([131.44.48.119]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA29354 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 11:24:29 -0700 (PDT)
Received: by loki.aetc.af.mil (Smail3.1.29.1 #1)
Message-Id: <m0um2FB-0004wzC@loki.aetc.af.mil>
Date: Thu, 1 Aug 96 13:13 CDT
From: jturner@loki.aetc.af.mil (John "J.T." Turner - HQ AETC/SCTS)
To: Darwin_Martinez@INS.COM, noorder@shire.btg.com
Subject: Re: Is any O.S. w/IP enabled C2 certified?
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Aug 1, 11:43am, Darwin Martinez wrote:
> > Subject: Re: Is any O.S. w/IP enabled C2 certified?
> > Recall, however, that even though NT/HPUX/etc. may be C@ certified, it is
> > certified at the box level only, not the network level.
> >
> 
> Correct, but that is because the Orange book definition of C-2 doesn't
> have any network requirements.  (someone please correct me if I am
> wrong)  I didn't think that network requirements came into play until
> the B levels, notably B-1.

Actually, there is a different book entirely that deals with the network:
"Trusted Network Interpretation" (NCSG-TG-005) and "Trusted Network Interpretation
Environments Guideline - Guidance for applying the Trusted Network Interpretation" 
(NCSC-TG-011), commonly known as the "Red Book".  (As far as which one is the "Red"
book, they're both red and essentially deal with the same subject.)

--
John Turner, jturner@loki.aetc.af.mil
"But if they called them 'Sad Meals', kids wouldn't buy them!" - PATB

From firewalls-owner  Thu Aug  1 14:42:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA29306 for firewalls-outgoing; Thu, 1 Aug 1996 11:23:42 -0700 (PDT)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA29283 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 11:23:28 -0700 (PDT)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id LAA10441; Thu, 1 Aug 1996 11:21:12 -0700
Date: Thu, 1 Aug 1996 11:21:12 -0700 (PDT)
From: Leonard Miyata <leonard@geminisecure.com>
To: Alex Noordergraaf <noorder@shire.btg.com>
cc: Darwin Martinez <Darwin_Martinez@INS.COM>, firewalls@GreatCircle.COM
Subject: Re: Is any O.S. w/IP enabled C2 certified?
In-Reply-To: <9608011149.ZM27067@shire.btg.com>
Message-ID: <Pine.BSD/.3.91.960801111733.10436A-100000@main.geminisecure.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I belive that a version of Netware does have a C2 network
rating (this requires special ethernet hardware). You'll
have to check with Novell for the details

The TCSEC (Orange Book) does not have any network requirements,
but the TNI (Red Book) title is 'TRUSTED NETWORK INTERPETATIONS' of 
TCSEC

Personal Opinions provided by
Leonard Miyata
aka leonard@geminisecure.com
GEMINI COMPUTERS Inc.
http://www.geminisecure.com
 
On Thu, 1 Aug 1996, Alex Noordergraaf wrote:

> On Aug 1, 11:43am, Darwin Martinez wrote:
> > Subject: Re: Is any O.S. w/IP enabled C2 certified?
> > Recall, however, that even though NT/HPUX/etc. may be C@ certified, it is
> > certified at the box level only, not the network level.
> >
> 
> Correct, but that is because the Orange book definition of C-2 doesn't
> have any network requirements.  (someone please correct me if I am
> wrong)  I didn't think that network requirements came into play until
> the B levels, notably B-1.
> 
> [...]
> >
> > ------------------------------------------------------------------------
> > Darwin L. Martinez, NSE			Email:	darwin_martinez@ins.com
> > Atlanta Office				Site #:	404-843-5954
> > International Network Services		Pager:	800-INS-1-INS
> >
> > "People of the Earth can you hear me?"
> > 			Billy Thorpe, 1979
> > ------------------------------------------------------------------------
> >
> >-- End of excerpt from Darwin Martinez
> 
> 
> 

From firewalls-owner  Thu Aug  1 15:18:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA22134 for firewalls-outgoing; Thu, 1 Aug 1996 14:46:38 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA21967 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 14:45:37 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id OAA23684; Thu, 1 Aug 1996 14:41:38 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199608012141.OAA23684@salsa.gv.ssi1.com>
Date: Thu, 1 Aug 1996 14:41:38 -0700
In-Reply-To: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Zachary Roger Amsden <amsden+@andrew.cmu.edu>, firewalls@GreatCircle.COM
Subject: Re: How secure is xinetd's binding to specific interfaces
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Aug 1, 10:48am, Zachary Roger Amsden wrote:
} Subject: Re: How secure is xinetd's binding to specific interfaces
} Excerpts from internet.computing.firewalls: 1-Aug-96 Re: How secure is
} xinetd's .. by Don Lewis@tsc.tdk.com 
} >  
} >                 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
} >                         if (ia->ia_ifp == ifp)
} >                                 goto ours;
} >                         else
} >                                 it came in on the wrong interface, log it 
} 
} This code would work beautifully if ipintr had ifp, a pointer to the
} interface the packet was received on.  Unfortunately, BSD networking
} code never records the interface a pakcet was received on.

Apparently it did at one time.  The included patch was relative to a
replacement ip_input.c for SunOS that disables source routing that
was posted to this list by Brad.Powell@EBay.Sun.COM quite a while ago.
The SunOS ipintr() calls the macro IF_DEQUEUEIF(ifq, m, ifp) which
returns the interface pointer.  I would imagine that Sun picked this
up from an older BSD IP stack (4.2 or 4.3).

It looks like folks using up to date BSD stacks are out of luck as
far as easy patches.


			---  Truck

From firewalls-owner  Thu Aug  1 15:53:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA25678 for firewalls-outgoing; Thu, 1 Aug 1996 15:16:53 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA25637 for <firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 15:16:36 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id PAA23703; Thu, 1 Aug 1996 15:12:55 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199608012212.PAA23703@salsa.gv.ssi1.com>
Date: Thu, 1 Aug 1996 15:12:55 -0700
In-Reply-To: lists@lina.inka.de (Bernd Eckenfels)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: How secure is xinetd's binding to specific interfaces
Cc: firewalls@GreatCircle.COM, Don.Lewis@tsc.tdk.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Aug 1,  7:03pm, Bernd Eckenfels wrote:
} Subject: Re: How secure is xinetd's binding to specific interfaces
} Generally I think it is
} not a good idea to accept packets only if they are addressed to the right
} interface. I think it is much better to insert a firewalling rule if you
} dont want to receive packets on the wrong interface.

I agree with this if IP forwarding is enabled.  If it is not, then it
seems counterintuitive that the kernal is "forwarding" the packet from
the interface on one net to the interface on another, then accepting it.
That's not how it's implemented, but that's what it looks like from the
outside.

If IP forwarding is off, you could even dispense with the loop, which
would improve performance if you had a lot of interfaces.

			---  Truck

From firewalls-owner  Thu Aug  1 16:03:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA27715 for firewalls-outgoing; Thu, 1 Aug 1996 15:44:55 -0700 (PDT)
Received: from morebbs.com (pop3.morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA27697 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 15:44:44 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
Message-ID: <9608011841.0Q99V00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Thu, 01 Aug 96 18:41:27 
Subject: Tis or not to tis?
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Had a go at a couple of TIS Gauntlets   Tried to set SMTP debug on
Got   Debug set - NOT!    Some programmer has a twisted sense of humor

Anyway I hear that one large company on the US East Coast has maxed out a
couple of Pentiums running TIS Gauntlet   It is now looking to run TIS 
Gauntlet on an HP 9000 with HP-UX 10.01, 128 MB RAM and endless disk space
This is a completely new area for me to research   If anyone has experience
with Gauntlet on HP-UX I would like to hear what their experience was -
regardless of good or bad   If it was bad it can kept to e-mail

BSDI is pretty tight from a security point of view but HP UX depends mainly
on the site that installed it   
What do you mean are the patches up to date?   What patches?   
That stack of small boxes over in the corner   
Oh them   We get them all the time
                                                PoT_LiCkEr

 ===   Clinton/Dole welfare reform -- you hatch em,  you feed em    ===

From firewalls-owner  Thu Aug  1 16:42:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA08432 for firewalls-outgoing; Thu, 1 Aug 1996 12:30:18 -0700 (PDT)
Received: from mbagate.mba.com ([206.235.208.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA08414 for <Firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 12:30:02 -0700 (PDT)
Received: (from mail@localhost) by mbagate.mba.com (8.6.9/8.6.9) id MAA25901; Thu, 1 Aug 1996 12:42:26 -0700
Received: from den17.computek.net(204.181.109.36) by mbagate.mba.com via smap (V1.3)
Message-Id: <1.5.4.32.19960801193115.0068e8c8@mbagate.mba.com>
X-Sender: cxh@mbagate.mba.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 01 Aug 1996 12:31:15 -0700
To: Firewalls@GreatCircle.COM
From: Cynthia He <cxh@mba.com>
Subject: Re: ftpd in FWTK not working for 'dir' command?
Cc: michael@iis.net, fwtk-users@tis.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:58 PM 7/31/96 -0700, I posted the following message:

>I recently compiled ftpd that came with FWTK to take advantage of its
>one-time password awareness. Unfortunately I couldn't get it quite working.
>After I login using one-time password, a 'dir' command will cause the remote
>host to close the connection (at least that's the message I got after
>'dir'). Can anyone help me with that? I really need to get it working as
>soon as possible.

Here is more  info about the situation:

1. I am just trying to use one-time password with this ftpd when users ftp
into the machine. They don't have to go thru any proxies.

2. The following is in the debug log on server side:

Aug  1 12:13:46 ftp authsrv[1798]: AUTHENTICATE cxh (ftpd den17.computek.net)
Aug  1 12:13:38 ftp ftpd[1797]: auth_recv Authsrv ready. (V1.3)
... (more authentication stuff here)
Aug  1 12:13:46 ftp ftpd[1797]: User cxh logged in.
Aug  1 12:13:47 ftp ftpd[1797]: command: PWD^M
Aug  1 12:13:47 ftp ftpd[1797]: <--- 257
Aug  1 12:13:47 ftp ftpd[1797]: "/home/cxh" is current directory.
Aug  1 12:13:47 ftp ftpd[1797]: command: SYST^M
Aug  1 12:13:47 ftp ftpd[1797]: <--- 215
Aug  1 12:13:47 ftp ftpd[1797]: UNIX Type: L8
Aug  1 12:13:48 ftp ftpd[1797]: command: PORT 204,181,109,36,4,40^M
Aug  1 12:13:48 ftp ftpd[1797]: <--- 200
Aug  1 12:13:48 ftp ftpd[1797]: PORT command successful.
Aug  1 12:13:48 ftp ftpd[1797]: command: LIST^M

LIST was the last command seen and nothing after that appeared in the log.

3. The following is in the debug log on ws_ftp client:

connecting to 206.235.208.6 ...
Connected to 206.235.208.6 port 21
220 ftp FTP server (Version 5.60auth/mjr) ready.
USER cxh
331 Skey Challenge: s/key 635 ft26212
PASS (hidden)
230 User cxh logged in.
PWD
257 "/home/cxh" is current directory.
SYST
215 UNIX Type: L8
Host type (2): UNIX (standard)
PORT 204,181,109,36,4,42
200 PORT command successful.
LIST 

DoDirList returned 0

4. the system is a 486 running Linux 1.2.0 with fwtk v1.2 (according the
CHANGES file)

Can someone help me to solve the mystery? Thanks again.

Cynthia


From firewalls-owner  Thu Aug  1 17:03:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA01922 for firewalls-outgoing; Thu, 1 Aug 1996 16:18:21 -0700 (PDT)
Received: from carnival.com (NS.CARNIVAL.COM [151.124.250.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA01872 for <Firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 16:18:03 -0700 (PDT)
Received: from carnival-pdc.carnival.com by carnival.com (5.65/1.35)
Message-Id: <9608012314.AA12555@carnival.com>
Received: from fiji ([151.124.5.238]) by carnival-pdc.carnival.com
From: "Bowman Hall" <bowman@carnival.com>
To: <Firewalls@GreatCircle.COM>
Cc: <jesse@psa.pencom.com>
Subject: Re: IIS Security hole
Date: Thu, 1 Aug 1996 19:17:08 -0400
X-Msmail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1085
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you go to any directory below the server root, you have access to the
entire volume
that IIS runs on via ../.. tricks.
e.g.
http://www.victim.com/images/../../../mssql/customer.database

The URL for the fix was published on the list.
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bowman Hall MCSE   bowman@carnival.com
Systems Analyst         (305) 599 2600 x1844
Carnival Cruise Lines  http://www.carnival.com

> 
> Date: Thu, 1 Aug 1996 11:59:27 -0500 (CDT)
> From: Jesse Whyte <jesse@psa.pencom.com>
> Subject: Re: Microsoft Internet Server
> 
> If anyone has any more information on the Server hole - technicals and 
> maybe an exploit script - please reply back either privately or on the 
> list if you think it is appropriate.
> 
> Thanx,
> 
> Jesse
> 
> ****************************************************************
> Jesse Whyte
> Computer/Network Security Consultant
> Pencom Systems Administrator
> H: (410) 647-9645
> W: (410) 908-0991
> 


From firewalls-owner  Thu Aug  1 17:13:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA28576 for firewalls-outgoing; Thu, 1 Aug 1996 15:50:35 -0700 (PDT)
Received: from cyb (cyb.alaska.net [204.17.139.166]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA28279 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 15:47:42 -0700 (PDT)
Received: from mail.fred.com by cyb with smtp
Received: by mail.fred.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960801224139Z-10@mail.fred.com>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'Darwin Martinez'" <Darwin_Martinez@INS.COM>
Cc: "'firewalls@greatcircle.com'" <firewalls@greatcircle.com>
Subject: REL: Is any O.S. w/IP enabled C2 certified?
Date: Thu, 1 Aug 1996 18:41:39 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alex Noordergraaf said...
>"Correct, but that is because the Orange book definition of C-2 doesn't have
>any network requirements.  (someone please correct me if I am wrong)  I
>didn't think that network requirements came into play until the B levels,
notably B-1."

Given that the ability of the system to enforce its security is
dependent on the allowable methods of access, any evaluation of a system
which included networking components would have to evaluate the
capabilities of securing those network connections. Since NT doesn't get
into a decent authentication method until you use NT Server (with its
domain model), evaluating NT with network components without an NT
Server would most likely fail scrutiny. Hence the NT C2 configuration
tool from Microsoft removes all networking components from an installed
system.

NTS is supposedly being evaluated at Red Book level, which I believe
tests Network Operating Systems (client and server)...please correct me
if my terminology is wrong here. If I'm correct, this is still C2, but
C2 for NOS??

The only claim Microsoft can realistically make about NT on a network is
that they designed it to meet C2 criteria, as opposed to adding it on
afterwards. Obviously this statement is very weak what with all the
patches and changes that have been made to NT over the past 5 years,
like modifications to the kernel to move functionality lower (it wasn't
designed to have the GDI in the kernel, so the design was obviously
reconsidered when they decided to move it there).

This doesn't mean that *I* think its insecure, but its a far more
>realistic statement about its security than is generally spoken.

Cheers,
Russ
...eek, quick, someone give me some broken software, I'm suffering beta
withdrawals...
>

From firewalls-owner  Thu Aug  1 17:33:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA00470 for firewalls-outgoing; Thu, 1 Aug 1996 16:05:39 -0700 (PDT)
Received: from netgw.umb.com ([207.92.54.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA00431 for <Firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 16:05:22 -0700 (PDT)
Received: from netgw.umb.com (daemon@localhost) by netgw.umb.com (8.7.2/8.7.2) with ESMTP id SAA12762 for <Firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 18:04:35 -0500 (CDT)
Received: from umbsmtp.umb.com (umbsmtp.umb.com [192.168.3.2]) by netgw.umb.com (8.7.2/8.7.2) with SMTP id SAA12758 for <Firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 18:04:35 -0500 (CDT)
Received: by umbsmtp.umb.com; Thu, 1 Aug 96 18:09:07 -0500
Date: Thu, 1 Aug 96 18:08:44 CDT
Message-ID: <vines.S149+wXH+mA@umbsmtp.umb.com>
X-Priority: 3 (Normal)
To: <Firewalls@GreatCircle.COM>
From: <j_markus@umb.com> (Joel S. Markus)
Subject: re: Firewalls-Digest V5 #446
X-Incognito-SN: 3032
X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I will be out of the bank until August 5th. Your message has been forwarded 
to Jim Taylor (ext. 1001) for any necessary action. Thank you.
-------------
Original Text
>From firewalls-digest-owner@GreatCircle.COM (Firewalls-Digest), on 8/1/96 
12:26 PM:
Beyond Mail (TM). This message is too large to be displayed entirely in the 
message body. Please see the attachment beyond.txt.

From firewalls-owner  Thu Aug  1 17:48:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA11807 for firewalls-outgoing; Thu, 1 Aug 1996 17:36:29 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA11800 for <Firewalls@GreatCircle.COM>; Thu, 1 Aug 1996 17:36:16 -0700 (PDT)
Received: by hidata.com; id AA08249; Thu, 1 Aug 96 17:28:12 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
Date: Thu, 1 Aug 1996 17:27:00 -0700
Message-Id: <199608020027.RAA23112@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout <bill.stout@hidata.com>
Subject: Thanks for the replies
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

     "I haven't had this much attention in years!  People actually listen 
     to me!  I'm sombody!  I'm somebody!  I'm skipping around, waving the 
     yellow pages in the air...Nah.  My boss thinks mailing-lists are amateur 
     hour.  Grumble grumble.  Now for the next six-pack..."

Seriously, thanks for the replies to my last few questions.  Sorry I haven't 
got around to answering many very good personal replies.  Eudora, you know.  
Read it once, and it's marked as read.  It is good to receive much hard 
technical 'evidence' above the noise level, like this message is a part of.

Anyway thanks.

                    ##Please don't reply to this noise##


From firewalls-owner  Thu Aug  1 18:33:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA16897 for firewalls-outgoing; Thu, 1 Aug 1996 18:29:49 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA16890 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 18:29:37 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199608020125.VAA06014@splinter.rtp.dg.com>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
To: leonard@geminisecure.com (Leonard Miyata)
Date: Thu, 1 Aug 1996 21:25:07 -0400 (EDT)
Cc: noorder@shire.btg.com, Darwin_Martinez@ins.com, firewalls@greatcircle.com
In-Reply-To: <Pine.BSD/.3.91.960801111733.10436A-100000@main.geminisecure.com> from "Leonard Miyata" at Aug 1, 96 11:21:12 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Data General's B2/E4 DG/UX is currently in evaluation at B2 in the US and
E4 (ITSEC) in Europe.  We are doing a Red Book B2 eval with IP in a
heterogeneous environment (mixed sets of systems connected - trusted and
untrusted).  This is a full commercial OS (Unix) with built in firewall,
virus prevention, SMP, failover, RAID disk and tape, etc.  The next release
(this fall) has transparent proxies and  address translation (built in and
in the evaluation).  NSA will be using it for their classified server
connected to the Internet (with Web server).

> 
> I belive that a version of Netware does have a C2 network
> rating (this requires special ethernet hardware). You'll
> have to check with Novell for the details
> 
> The TCSEC (Orange Book) does not have any network requirements,
> but the TNI (Red Book) title is 'TRUSTED NETWORK INTERPETATIONS' of 
> TCSEC
> 
> Personal Opinions provided by
> Leonard Miyata
> aka leonard@geminisecure.com
> GEMINI COMPUTERS Inc.
> http://www.geminisecure.com
>  
> On Thu, 1 Aug 1996, Alex Noordergraaf wrote:
> 
> > On Aug 1, 11:43am, Darwin Martinez wrote:
> > > Subject: Re: Is any O.S. w/IP enabled C2 certified?
> > > Recall, however, that even though NT/HPUX/etc. may be C@ certified, it is
> > > certified at the box level only, not the network level.
> > >
> > 
> > Correct, but that is because the Orange book definition of C-2 doesn't
> > have any network requirements.  (someone please correct me if I am
> > wrong)  I didn't think that network requirements came into play until
> > the B levels, notably B-1.
> > 
> > [...]
> > >
> > > ------------------------------------------------------------------------
> > > Darwin L. Martinez, NSE			Email:	darwin_martinez@ins.com
> > > Atlanta Office				Site #:	404-843-5954
> > > International Network Services		Pager:	800-INS-1-INS
> > >
> > > "People of the Earth can you hear me?"
> > > 			Billy Thorpe, 1979
> > > ------------------------------------------------------------------------
> > >
> > >-- End of excerpt from Darwin Martinez
> > 
> > 
> > 
> 


-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********

From firewalls-owner  Thu Aug  1 18:48:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA17665 for firewalls-outgoing; Thu, 1 Aug 1996 18:40:02 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA17647 for <firewalls@greatcircle.com>; Thu, 1 Aug 1996 18:39:49 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199608020135.VAA06038@splinter.rtp.dg.com>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
To: jturner@loki.aetc.af.mil (John "J.T." Turner - HQ AETC/SCTS)
Date: Thu, 1 Aug 1996 21:35:19 -0400 (EDT)
Cc: Darwin_Martinez@ins.com, noorder@shire.btg.com, firewalls@greatcircle.com
In-Reply-To: <m0um2FB-0004wzC@loki.aetc.af.mil> from "John "J.T." Turner - HQ AETC/SCTS" at Aug 1, 96 01:13:00 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> > On Aug 1, 11:43am, Darwin Martinez wrote:
> > > Subject: Re: Is any O.S. w/IP enabled C2 certified?
> > > Recall, however, that even though NT/HPUX/etc. may be C@ certified, it is
> > > certified at the box level only, not the network level.
> > >
> > 
> > Correct, but that is because the Orange book definition of C-2 doesn't
> > have any network requirements.  (someone please correct me if I am
> > wrong)  I didn't think that network requirements came into play until
> > the B levels, notably B-1.
> 
> Actually, there is a different book entirely that deals with the network:
> "Trusted Network Interpretation" (NCSG-TG-005) and "Trusted Network
> Interpretation Environments Guideline - Guidance for applying the Trusted
> Network Interpretation" (NCSC-TG-011), commonly known as the "Red Book".
> (As far as which one is the "Red" book, they're both red and essentially
> deal with the same subject.)
> --
> John Turner, jturner@loki.aetc.af.mil
> 

The TNI (005) is the Red Book.

The Orange Book deals only with base concepts not specifically addressing
networking or databases at any level (C1-C2-B1-B2-B3-A1).  The TNI gives
the explanation of what it means to apply the TCSEC (Orange) criteria to
networking environments.  Originally, in practice the TNI only applied to
homogeneous networks (basically, all the systems the same).
The B2 and above requirements, especially "covert channels", caused lots of
headaches.  However, they extended this cover real-world situations (i.e.,
networks of different systems).

Note that the only official criteria are stated in the TCSEC, and the TNI
is only an interpretation for networks (and the TDI - Trusted Database
Interpretation - an interpretation for databases, where they have fun
problems associated with aggregation of data and inferences).

So you can have a C2 TCSEC eval or C2 TNI eval or a C2 TDI eval.  We are
in a B2 TNI eval and our partner is in a B2 TDI eval on top of ours.  And
yes, I believe that C2 NT includes IP, but does not include the floppy disk
and lots of other real world things.


-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********

From firewalls-owner  Thu Aug  1 23:45:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA28943 for firewalls-outgoing; Thu, 1 Aug 1996 23:08:39 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id XAA28894 for firewalls@greatcircle.com; Thu, 1 Aug 1996 23:08:04 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA01754 for <firewalls@miles>; Tue, 30 Jul 1996 22:23:47 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from unknown(207.6.29.231) by mycroft via smap (V1.3mjr)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960731022546Z-18@mail.rc.toronto.on.ca>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'Peter da Silva'" <peter@baileynm.com>
Cc: "'dlancaster@raptor.com'" <dlancaster@raptor.com>
Subject: RE: Sidewinder Versus EagleRaptor
Date: Tue, 30 Jul 1996 22:25:46 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Let me see if I can shed some light here.

1. In the scenario described, the Domain Controllers that the Firewall
can defer authentication to are inside the Firewall, so any attempts at
getting either between the Firewall and the DCs requires a breach in the
Firewall first. So if you're trying to get in between them to get a
password, why bother, you're already between them if you can see any of
the exchange so just go off and do whatever damage you're trying to
do...;-]

2. I'm not exactly sure how they've implemented this, but I'm aware of
two possibilities;

a) The first is to have the Firewall act as an "untrusted" domain
connected to the internal domains. This means that none of the accounts
established on the Firewall are valid on the internal domains. The
Firewall would then "trust" the internal domains. This doesn't confer
administrator status to the internal domain's administrators, but it
means that the Firewall could then send authentication requests to the
internal domain for validation. It would do this via an encrypted RPC
channel established at boot time between the Firewall and a domain
controller (not necessarily the Primary Domain Controller) for each of
the internal domains that it trusts. This encrypted channel is based on
a number of things, including an unknown password, a security
descriptor, a machine name, and the domain name. Unlike mere account
authentication, this method of authentication is not susceptible to the
limitations of normal accounts (which only require Lan Manager type
authentication).

This encrypted channel doesn't permit the Firewall access to the
internal domain's Security Access Manager (SAM), but instead simply
allows the Firewall to accept authentication requests and pass them
along to the internal domain for authentication. If authenticated, a
"nonce", a one time key is created identifying the authenticated user
(or object), and the list of access rights are returned to the Firewall
in the form of a set of keys. The Firewall would then compare the list
of keys with the key it created when it permitted the user (or a group
that the user is a member of) access to a particular resource (i.e. a
service, a port, whatever the Firewall wants to define rights for). If
the key exists in the set of keys returned for the user ID, then access
can be permitted, if not, then it is denied.

This could be used to do denial of service, but no more than any device
which uses a third party for authentication. If the Firewall is going to
authenticate against a third party, its has to pass the authentication
request on to another device, as is the case with a trusted domain.

Once again, to forge this you would somehow have to be able to place
packets on the network link between the Firewall's internal adapter and
the trusted NT server. Since this isn't a constantly listening two way
channel, just stuffing packets wouldn't be of any use. You would have to
get the Firewall to want to authenticate you, and then stuff the packets
in place of the packets its actually sending or receiving. Since the
channel is encrypted, and the whole process associated with a
time-limited key created between the Firewall and NT Server when the
Firewall booted, forging this would be quite a challenge.

b) I was also aware of some sort of HTTPS channel being used between the
Firewall and the NT Server to replace the encrypted channel used by the
trust relationship. This would allow Raptor more control over this
channel, and possibly more integrity with the communications from their
perspective (since its their's, and not MS). They could then provide a
service to be placed on a PDC to interact with the MS Login process to
handle the challenge and return a simple "Yes/No" response. Rather than
speculate too much about this, maybe Dale can tell us if this is so.

3. As Peter pointed out, you don't rely on a PDC to do authentication.
In an NT world, the PDC is the sole place where the user database can be
modified, but Backup Domain Controllers (BDCs) have complete copies of
the entire user database, and offer the ability to use them as a logon
source. They are capable of doing complete authentication including
returning the keys for all the groups, rights, etc... that the user has
access to. So if the PDC fell over, first of all, automatically another
BDC on the network (either on the same LAN or across a WAN link if its
part of the same domain) will assume the role of PDC and promote itself
to this role. It then becomes the sole location for the user database
modifications.

Now if Raptor has used method 2.b. above, then there is the possibility
that losing your PDC could render your Firewall inoperative (I'm sure it
would fail closed, or maybe just be unable to authenticate access and
therefore deny access to valid users), but the loss of a PDC in any NT
environment is no small occurrence, and if all it takes is to install a
service on the new PDC, this would probably not take very long to
arrange (i.e. there might be a small window of denial). If its using
method 2.a. above, then the change would be transparent to the Firewall.

4. John Betts proposed that the sniffed password on the Internal network
would be as valid as the real password, presumably using this sniffed
password to fool the Firewall into allowing you access to resources.

This is dreaming John...;-] The user ID and password combination are
first OWF encrypted, and then recombined and encrypted with either DES
or RSA, depending on what type of client you have. While its true that
the data that is stored in the SAM (and what is used to compare against
the encrypted user ID/password combination) could be recreated from the
OWF, the problem is that you have to somehow get the Firewall to issue
the authentication request and then stick your sniffed information into
the packets that it is sending to the NT box. If you don't do that, then
having the information doesn't serve you any purpose. In addition, the
information sent via the encrypted channel between the Firewall and the
NT box is sent in the clear (inside the encrypted channel), so your
sniffed information is not what is inside the encrypted channel.

In addition, these user ID's can't access the Firewall itself, but are
used as authentication for Firewall services, so no matter what you do
you could not use this information to log into the Firewall and change
permissions. The Firewall, in either case, is using its own, local, user
ID's for its own administration, not accounts from the Internal domain
(although you could probably enable this unless Raptor has specifically
denied that ability, in which case you would have to be careful about
the clients you used to administer the Firewall...that's assuming they
used this method to enable remote administration, and I have no
knowledge that they have done this...)

5. Paul asked, "what makes a PDC authentic?". Basically, in real simple
terms, there is a key in the encrypted registry that tells the NT box
that it is the PDC, and a different one that tells each BDC that they
are a BDC, and so on. This key can be changed by a user that has
Administrative rights on the box, but if they did change it, then they
would only have access to their local SAM, not the SAM on other machines
(unless their Administrator account was already the domain's
administrator account). So, yes, I can make any machine I want into a
PDC, and I can even make it the PDC of an existing domain. This will
only result in denial of service of any kind if I make a valid BDC of a
domain into the PDC of the same domain, since their SAMs, and therefore
the security keys, are the same. If I was to install a completely new
machine and just tell it that its the PDC of an existing domain, no
existing machine on the network would consider it as such. New machines
being added to the network might get confused, and possibly become
members of the forged domain, but this would be plainly obvious to a
reasonably knowledgeable NT administrator and be easily traceable.

As to failover due to router problems, these are an issue with NT. If we
assume model 2.a above, where there is a trust relationship, the loss of
the route to a valid DC for a domain which has been trusted will result
in the collapse of the trust. There is a timeout period, where the
Firewall would continue to attempt to reestablish the trust, but after
this period has completed, the trust is broken and would have to be
reestablished through administrator intervention. Because of the
distributed nature of domains, you could have valid DCs for a single
domain on multiple subnets, in which case, as long as one of these can
be reached the trust will persist. NT doesn't care which one of multiple
DCs for a domain it is connecting to.

Most recommended domain configurations will have at least one DC on each
network segment, physical or protocol, although more cost effective
solutions can be found if necessary. Since a DC could also be used as a
workstation, they can be transparently placed in many locations, albeit
with a higher level of risk.

The process of creating a valid BDC in an existing domain requires the
presence of the PDC, it cannot be done without it. As I said earlier,
you could forge the domain altogether by dropping the existing PDC (and
all its associated BDCs because one of them will immediately become PDC)
and creating a new PDC with the old domain name. However, if you did
this, the trust between the Firewall and the domain would be broken, as
you would not have the keys to validate the trust with the Firewall (its
more than just a password and domain name). By the way, the same thing
is true if you delete a user account that has files associated with it
through NTFS permissions. Once you delete the account, even if you
create a new account with the same name in the same domain, it still
will not be able to access the files.

As for looping routes and such, maybe you could explain that thought a
little more since I'm not sure what you're describing there. There is
some under-the-covers kind of authentication going on, however.

Cheers,
Russ
...due to licensing restrictions, this message can only be read by 10
people within 10 minutes...
>


From firewalls-owner  Thu Aug  1 23:48:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA28958 for firewalls-outgoing; Thu, 1 Aug 1996 23:08:48 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id XAA28925 for firewalls@greatcircle.com; Thu, 1 Aug 1996 23:08:24 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA28682 for <firewalls@GreatCircle.COM>; Wed, 31 Jul 1996 07:20:43 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960731141502Z-29@mail.rc.toronto.on.ca>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'Firewalls'" <firewalls@GreatCircle.COM>
Subject: FW: Sidewinder Versus EagleRaptor
Date: Wed, 31 Jul 1996 10:15:02 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Let me see if I can shed some light here.
>
>1. In the scenario described, the Domain Controllers that the Firewall can
>defer authentication to are inside the Firewall, so any attempts at getting
>either between the Firewall and the DCs requires a breach in the Firewall
>first. So if you're trying to get in between them to get a password, why
>bother, you're already between them if you can see any of the exchange so
>just go off and do whatever damage you're trying to do...;-]
>
>2. I'm not exactly sure how they've implemented this, but I'm aware of two
>possibilities;
>
>a) The first is to have the Firewall act as an "untrusted" domain connected
>to the internal domains. This means that none of the accounts established on
>the Firewall are valid on the internal domains. The Firewall would then
>"trust" the internal domains. This doesn't confer administrator status to the
>internal domain's administrators, but it means that the Firewall could then
>send authentication requests to the internal domain for validation. It would
>do this via an encrypted RPC channel established at boot time between the
>Firewall and a domain controller (not necessarily the Primary Domain
>Controller) for each of the internal domains that it trusts. This encrypted
>channel is based on a number of things, including an unknown password, a
>security descriptor, a machine name, and the domain name. Unlike mere account
>authentication, this method of authentication is not susceptible to the
>limitations of normal accounts (which only require Lan Manager type
>authentication).
>
>This encrypted channel doesn't permit the Firewall access to the internal
>domain's Security Access Manager (SAM), but instead simply allows the
>Firewall to accept authentication requests and pass them along to the
>internal domain for authentication. If authenticated, a "nonce", a one time
>key is created identifying the authenticated user (or object), and the list
>of access rights are returned to the Firewall in the form of a set of keys.
>The Firewall would then compare the list of keys with the key it created when
>it permitted the user (or a group that the user is a member of) access to a
>particular resource (i.e. a service, a port, whatever the Firewall wants to
>define rights for). If the key exists in the set of keys returned for the
>user ID, then access can be permitted, if not, then it is denied.
>
>This could be used to do denial of service, but no more than any device which
>uses a third party for authentication. If the Firewall is going to
>authenticate against a third party, its has to pass the authentication
>request on to another device, as is the case with a trusted domain.
>
>Once again, to forge this you would somehow have to be able to place packets
>on the network link between the Firewall's internal adapter and the trusted
>NT server. Since this isn't a constantly listening two way channel, just
>stuffing packets wouldn't be of any use. You would have to get the Firewall
>to want to authenticate you, and then stuff the packets in place of the
>packets its actually sending or receiving. Since the channel is encrypted,
>and the whole process associated with a time-limited key created between the
>Firewall and NT Server when the Firewall booted, forging this would be quite
>a challenge.
>
>b) I was also aware of some sort of HTTPS channel being used between the
>Firewall and the NT Server to replace the encrypted channel used by the trust
>relationship. This would allow Raptor more control over this channel, and
>possibly more integrity with the communications from their perspective (since
>its their's, and not MS). They could then provide a service to be placed on a
>PDC to interact with the MS Login process to handle the challenge and return
>a simple "Yes/No" response. Rather than speculate too much about this, maybe
>Dale can tell us if this is so.
>
>3. As Peter pointed out, you don't rely on a PDC to do authentication. In an
>NT world, the PDC is the sole place where the user database can be modified,
>but Backup Domain Controllers (BDCs) have complete copies of the entire user
>database, and offer the ability to use them as a logon source. They are
>capable of doing complete authentication including returning the keys for all
>the groups, rights, etc... that the user has access to. So if the PDC fell
>over, first of all, automatically another BDC on the network (either on the
>same LAN or across a WAN link if its part of the same domain) will assume the
>role of PDC and promote itself to this role. It then becomes the sole
>location for the user database modifications.
>
>Now if Raptor has used method 2.b. above, then there is the possibility that
>losing your PDC could render your Firewall inoperative (I'm sure it would
>fail closed, or maybe just be unable to authenticate access and therefore
>deny access to valid users), but the loss of a PDC in any NT environment is
>no small occurrence, and if all it takes is to install a service on the new
>PDC, this would probably not take very long to arrange (i.e. there might be a
>small window of denial). If its using method 2.a. above, then the change
>would be transparent to the Firewall.
>
>4. John Betts proposed that the sniffed password on the Internal network
>would be as valid as the real password, presumably using this sniffed
>password to fool the Firewall into allowing you access to resources.
>
>This is dreaming John...;-] The user ID and password combination are first
>OWF encrypted, and then recombined and encrypted with either DES or RSA,
>depending on what type of client you have. While its true that the data that
>is stored in the SAM (and what is used to compare against the encrypted user
>ID/password combination) could be recreated from the OWF, the problem is that
>you have to somehow get the Firewall to issue the authentication request and
>then stick your sniffed information into the packets that it is sending to
>the NT box. If you don't do that, then having the information doesn't serve
>you any purpose. In addition, the information sent via the encrypted channel
>between the Firewall and the NT box is sent in the clear (inside the
>encrypted channel), so your sniffed information is not what is inside the
>encrypted channel.
>
>In addition, these user ID's can't access the Firewall itself, but are used
>as authentication for Firewall services, so no matter what you do you could
>not use this information to log into the Firewall and change permissions. The
>Firewall, in either case, is using its own, local, user ID's for its own
>administration, not accounts from the Internal domain (although you could
>probably enable this unless Raptor has specifically denied that ability, in
>which case you would have to be careful about the clients you used to
>administer the Firewall...that's assuming they used this method to enable
>remote administration, and I have no knowledge that they have done this...)
>
>5. Paul asked, "what makes a PDC authentic?". Basically, in real simple
>terms, there is a key in the encrypted registry that tells the NT box that it
>is the PDC, and a different one that tells each BDC that they are a BDC, and
>so on. This key can be changed by a user that has Administrative rights on
>the box, but if they did change it, then they would only have access to their
>local SAM, not the SAM on other machines (unless their Administrator account
>was already the domain's administrator account). So, yes, I can make any
>machine I want into a PDC, and I can even make it the PDC of an existing
>domain. This will only result in denial of service of any kind if I make a
>valid BDC of a domain into the PDC of the same domain, since their SAMs, and
>therefore the security keys, are the same. If I was to install a completely
>new machine and just tell it that its the PDC of an existing domain, no
>existing machine on the network would consider it as such. New machines being
>added to the network might get confused, and possibly become members of the
>forged domain, but this would be plainly obvious to a reasonably
>knowledgeable NT administrator and be easily traceable.
>
>As to failover due to router problems, these are an issue with NT. If we
>assume model 2.a above, where there is a trust relationship, the loss of the
>route to a valid DC for a domain which has been trusted will result in the
>collapse of the trust. There is a timeout period, where the Firewall would
>continue to attempt to reestablish the trust, but after this period has
>completed, the trust is broken and would have to be reestablished through
>administrator intervention. Because of the distributed nature of domains, you
>could have valid DCs for a single domain on multiple subnets, in which case,
>as long as one of these can be reached the trust will persist. NT doesn't
>care which one of multiple DCs for a domain it is connecting to.
>
>Most recommended domain configurations will have at least one DC on each
>network segment, physical or protocol, although more cost effective solutions
>can be found if necessary. Since a DC could also be used as a workstation,
>they can be transparently placed in many locations, albeit with a higher
>level of risk.
>
>The process of creating a valid BDC in an existing domain requires the
>presence of the PDC, it cannot be done without it. As I said earlier, you
>could forge the domain altogether by dropping the existing PDC (and all its
>associated BDCs because one of them will immediately become PDC) and creating
>a new PDC with the old domain name. However, if you did this, the trust
>between the Firewall and the domain would be broken, as you would not have
>the keys to validate the trust with the Firewall (its more than just a
>password and domain name). By the way, the same thing is true if you delete a
>user account that has files associated with it through NTFS permissions. Once
>you delete the account, even if you create a new account with the same name
>in the same domain, it still will not be able to access the files.
>
>As for looping routes and such, maybe you could explain that thought a little
>more since I'm not sure what you're describing there. There is some
>under-the-covers kind of authentication going on, however.
>
>Cheers,
>Russ
>...eek, quick, someone give me some broken software, I'm suffering beta
>withdrawls...
>
>
>


From firewalls-owner  Fri Aug  2 00:18:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA28996 for firewalls-outgoing; Thu, 1 Aug 1996 23:09:44 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id XAA28986 for firewalls@greatcircle.com; Thu, 1 Aug 1996 23:09:30 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA14672 for <firewalls@GreatCircle.COM>; Wed, 31 Jul 1996 11:00:02 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960731175417Z-37@mail.rc.toronto.on.ca>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'ray@rayk.com'" <ray@rayk.com>
Cc: "'Firewalls'" <firewalls@GreatCircle.COM>
Subject: RE: Java security - long, but relevant
Date: Wed, 31 Jul 1996 13:54:17 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

previously, Russ said...
>>To me, the inherent insecurity of Java is that it is supposed to be viewed
>>as secure.
>
and Ray replied...
>"I disagree.  Java is only as secure as its architecture / design /
implementation /environment permit."

	Sorry Ray, but I find these kinds of statements pretty condescending.
It applies to everything everywhere. Of course, any *thing* is only
going to be as secure as its
architecture/design/implementation/environment permit, so what's your
point. The Java applet is meant to run inside a reference VM that is
supposed to be secure. If it isn't secure, its not by design, its by
fault. Where that fault lies is irrelevant, JavaSoft say that the VM
should be trusted to the extent that, if properly implemented, it cannot
be broken out of. They say that I can trust a Java applet not to be
malicious, but so far, the implementations of the VM have not been able
to live up to that expectation. JavaSoft still says that they will be
able to assure us of the VM, eventually. Netscape keeps putting out
versions that say they have fixed the VM to prevent malicious applet
>problems.

	ActiveX, on the other hand, doesn't claim any responsibility whatsoever
for what an object can or cannot do. They do not try to give you a
sandbox, you have to make that yourself.

	The inherent integrity check is part of what proving ownership is all
about. They are able to prove that the object has not been tampered
with, which is what I assume you are referring to when you say "inherent
integrity check". They cannot prove that the object will not be
malicious, or that it will not contain a virus, only that it is the same
as the one they put the signature on in the first place. If the original
object had a virus in it when it was signed, then you will get infected
with a virus, period. What I'd like to see are additional signatures
from third parties telling me that the object has been checked and
deemed not malicious, or secure, or virus free, or whatever...something
more than just "its from Microsoft so trust it". So yes, the signature
is made from a hash of the object.
>
Ray said...
>"Ahhh, another hot topic.  Seems to me that this is an implementation
>question that everyone faces.  Dealing with certificate revocation is a
>handfull.  Seems to me that checking with the CA each time is an
implementation option in most schemems?  Can anyone comment?"

	Its not an option in IE 3.0b2, nor is it intended (at this point) to be
an option in any MS implementation of the API (according to their
>evangelists).
>
Ray said...
>"As I believe is always the case unless: 1) The CA always checks it's
revocation list or maintains an active list of ALL certiciates - and /
or - 2) The client always asks the CA to do so.  True?"

	If #2 doesn't happen, #1 is only useful for clients that have never
>accessed the object before.
>
Ray said...
>"From my read of implementor's concerns with making increased security
available, the performance hit of such things as having the client ask
>the CA to check upon every access - although I'll bone up on ActiveX and
figure this out."

	I have many ideas of how to solve this problem, but I am trying to make
them into a commercial product. Performance doesn't have to be an issue
>at all.
>
>previously, Russ said...
>>This doesn't represent a problem for the sale of software, but it obviously
>>represents a problem if ActiveX objects are used the way Java applets are
>>used.
>
>and Ray replied...
Not necessarily, me thinks.  Looking at the Java 1.1 Security API
>(shipping late Summer or early Fall) it looks like these are all
>implementation choices.

	Well, the Security API is not released on JavaSoft's web page, so any
idea where I can get a copy? By the way, we are talking apples and
oranges here. My issues with Java have to do with the Virtual Machine,
not the Java language. The VM imposes restrictions on what language
components you can use in an applet. I suspect that the Security API may
allow better implementations of the VM to be created, but who knows when
or how well. Today, in the VM, we simply get a SecurityException thrown,
which some VMs ignore, or alert yet proceed. A list of constraints the
VM imposes on applets can be seen at;

	http://java.sun.com/books/Series/Tutorial/applet/security/security.html

>previously, Russ said...
>>I agree that securing the VM should be possible, but so far, its been
>>impossible to guarantee. Sun and Netscape may be very security conscious,
>>but the simple reality is "can we ever completely trust them?".
>
and Ray replied...
"No, and they say so - explicitly.  All they say: if you follow these
>rules, you'll have X level of security (modulo the bugs, implementation
>errors, and brain fade in application of the technology to the problem at
hand, deployment, operations, and management, of course.) Just like the
>sane firewall vendors and any other sane security product vendors.

	To quote from the VM Security Restrictions page from JavaSoft's web
site; "One of the main goals of the Java environment is to make browser
users feel secure running any applet. To achieve this goal, we've
started out conservatively, restricting capabilities perhaps more than
necessary. As time passes, applets will probably get more and more
abilities. "

	This sounds diametrically opposed to your statement of what Sun has
supposedly said.

Ray said...
>"I disagree.  If you want to be secure, you can be.  Its all in the defintion
>of what this means to each organization and wheather they will pay the price
to meet their goals."

	Come on Ray, the Security API is not yet published, let alone
implemented on a reference platform, let alone included in a commercial
product, so what do you mean you can be secure? You could pay the price
to have someone program you a way to screen applets, and you could also
pay the price to implement full desktop security covering everything
from soup-to-nuts. Bottom line is that if you want to feel totally
secure with Java applets (or ActiveX objects) today, you have to screen
them out, period. Give me one example of a completely secure,
commercially available, browser available today that will run Java
applets, or even a combination of browser and some kind of screening
server that will give me complete security. The price is irrelevant, if
my goal is to be able to trust Java applets, as Sun says I should be
>able to, I cannot meet it today.
>
Ray said...
>"I disagree.  It will be as scure as you make it.  If there are ActiveX
>defficiencies, those who want to use it will have to ensure that those
defficiencies do not defeat their security goals - just like firewalls
and any other security product."

	You must be talking about a completely in-house environment here,
otherwise how can I ever *ensure* that a third-party object does not
contain deficiencies that compromise my security goals, with technology
available today? Even with future technology, unless both Java applets
and ActiveX objects include far more identifiable information in them
(bit patterns, or whatever else it takes for something to determine what
an object is going to do before it executes), then how will I be able to
>enforce my security goals?
>
Ray said...
"The OS's protection mechanisms must allow implementers to protect the
>comm protocols stack, applications.... - as they choose - past the basic
>design requirements of the OS's protection mechanisms.  That is, in some
>cases, the basic design requirements of the OS's protection mechanisms
*preclude* everything except a very, very narrow set of comm protocol
>stack, application... functions.  In other cases, the basic design
>requirements of the OS's protection mechanisms *allow* everything.  The
>balance point is found in building an OS that offers a variety of protection
>mechanisms. Unless I'm on a diferent planet here, these are calledSingle
Level (security) Systems and Multi Level (security) Systems,
respectively."

	Next to the former Vice-President of Liberia's request for a room to
bonk his girlfriend in, that has to be the most confusing paragraph I
have ever read. I'm sure you had a point there, but for the life of me I
>have no idea what it was.
>
>previously, Russ said...
>>Something developed for Netscape stays in their Browser (until they release
>>a complete OS that is), and so the scope of the product is somewhat more
>>limited (IMO). Products like Nortel's eNTrust can be extended to have the
>>ability to do far more than just handle objects arriving via the browser.
>
and Ray replied...
"Ummm - IMHO, both (and all others) rely on the afore-mentioned
>property: the OS must support and protect the security mechanisms that use
>them - they can not stand on their own.  Sorta like a house of cards in my
view."

	Ummm, isn't this just like the VM that Sun says will protect you from
rogue applets? Of course, and once again you state the obvious here, any
security mechanism that is put on or into an OS is going to have to
integrate itself with the OS sufficiently to secure it, and anything
else its intended to secure. The success or failure of a security
mechanism will depend greatly on the original design of the OS, and how
the OS allows security mechanisms to interface with it. However, so far
no implementation of a completely secure OS has been anything other than
user hostile (IMO), so its not yet commercially viable to do complete
>security on a widespread basis.
>
>previously, Russ said...
>>The Java language, on the other hand, is a very different animal than Java
>>applets.
>
and Ray replied...
"Yes - language vs program, true?"

	No - program vs. applet that runs in a VM! Both use the Java language,
>but they are very different animals.
>
Ray said...
"IMHO they can't be seperated.  If the language does not support
>security features, programs written in them - more of less by definition -
can not be secure."

	As virus in DOS have proven over and over again, if I intercept
acceptable calls and redirect them somewhere else, I can change the
basic functionality of the environment. So if I intercept all calls to a
disk drive and respond properly with malicious information, the OS does
not know the difference. In the case of applets, the VM prevents
normally acceptable Java language functionality. In this case, its the
security and integrity of the VM, not the language. I agree, however,
that in writing the VM the security features of the language are
incredibly important, as is the security features of the underlying OS,
>although Sun believes they can make a secure VM on most OS'.
>
Ray said...
"Agreed.  Further, I assert that this can not be done w/o an OS that can
properly protect those security mechanisms."

	You're article has seemed to have shifted focus from Java to operating
systems. Java is intended as an open language capable of being
>implemented on any OS, don't forget that.
>
>Cheers,
>Russ
>...eek, quick, someone give me some broken software, I'm suffering beta
>withdrawals...
>


From firewalls-owner  Fri Aug  2 00:35:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA29084 for firewalls-outgoing; Thu, 1 Aug 1996 23:11:03 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id XAA29047 for firewalls@greatcircle.com; Thu, 1 Aug 1996 23:10:38 -0700 (PDT)
Received: from alaska.net (calvino.alaska.net [206.149.65.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA16941 for <firewalls@GreatCircle.COM>; Wed, 31 Jul 1996 19:58:31 -0700 (PDT)
Received: from mail.fred.com ([207.6.29.231]) by alaska.net (5.x/SMI-SVR4)
Received: by mail.fred.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
Message-Id: <c=US%a=_%p=Toronto%l=MAIL-960801025205Z-6@mail.fred.com>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'Firewalls'" <firewalls@GreatCircle.COM>
Subject: FW: Java security - long, but relevant
Date: Wed, 31 Jul 1996 22:52:05 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>previously, Russ said...
>>To me, the inherent insecurity of Java is that it is supposed to be viewed
>>as secure.
>
>and Ray replied...
>"I disagree.  Java is only as secure as its architecture / design /
>implementation /environment permit."
>
>	Sorry Ray, but I find these kinds of statements pretty condescending. It
>applies to everything everywhere. Of course, any *thing* is only going to be
>as secure as its architecture/design/implementation/environment permit, so
>what's your point. The Java applet is meant to run inside a reference VM that
>is supposed to be secure. If it isn't secure, its not by design, its by
>fault. Where that fault lies is irrelevant, JavaSoft say that the VM should
>be trusted to the extent that, if properly implemented, it cannot be broken
>out of. They say that I can trust a Java applet not to be malicious, but so
>far, the implementations of the VM have not been able to live up to that
>expectation. JavaSoft still says that they will be able to assure us of the
>VM, eventually. Netscape keeps putting out versions that say they have fixed
>the VM to prevent malicious applet problems.
>
>	ActiveX, on the other hand, doesn't claim any responsibility whatsoever for
>what an object can or cannot do. They do not try to give you a sandbox, you
>have to make that yourself.
>
>	The inherent integrity check is part of what proving ownership is all about.
>They are able to prove that the object has not been tampered with, which is
>what I assume you are referring to when you say "inherent integrity check".
>They cannot prove that the object will not be malicious, or that it will not
>contain a virus, only that it is the same as the one they put the signature
>on in the first place. If the original object had a virus in it when it was
>signed, then you will get infected with a virus, period. What I'd like to see
>are additional signatures from third parties telling me that the object has
>been checked and deemed not malicious, or secure, or virus free, or
>whatever...something more than just "its from Microsoft so trust it". So yes,
>the signature is made from a hash of the object.
>
>Ray said...
>"Ahhh, another hot topic.  Seems to me that this is an implementation
>question that everyone faces.  Dealing with certificate revocation is a
>handfull.  Seems to me that checking with the CA each time is an
>implementation option in most schemems?  Can anyone comment?"
>
>	Its not an option in IE 3.0b2, nor is it intended (at this point) to be an
>option in any MS implementation of the API (according to their evangelists).
>
>Ray said...
>"As I believe is always the case unless: 1) The CA always checks it's
>revocation list or maintains an active list of ALL certiciates - and / or -
>2) The client always asks the CA to do so.  True?"
>
>	If #2 doesn't happen, #1 is only useful for clients that have never accessed
>the object before.
>
>Ray said...
>"From my read of implementor's concerns with making increased security
>available, the performance hit of such things as having the client ask the CA
>to check upon every access - although I'll bone up on ActiveX and figure this
>out."
>
>	I have many ideas of how to solve this problem, but I am trying to make them
>into a commercial product. Performance doesn't have to be an issue at all.
>
>previously, Russ said...
>>This doesn't represent a problem for the sale of software, but it obviously
>>represents a problem if ActiveX objects are used the way Java applets are
>>used.
>
>and Ray replied...
>Not necessarily, me thinks.  Looking at the Java 1.1 Security API (shipping
>late Summer or early Fall) it looks like these are all implementation
>choices.
>
>	Well, the Security API is not released on JavaSoft's web page, so any idea
>where I can get a copy? By the way, we are talking apples and oranges here.
>My issues with Java have to do with the Virtual Machine, not the Java
>language. The VM imposes restrictions on what language components you can use
>in an applet. I suspect that the Security API may allow better
>implementations of the VM to be created, but who knows when or how well.
>Today, in the VM, we simply get a SecurityException thrown, which some VMs
>ignore, or alert yet proceed. A list of constraints the VM imposes on applets
>can be seen at;
>
>	http://java.sun.com/books/Series/Tutorial/applet/security/security.html
>
>previously, Russ said...
>>I agree that securing the VM should be possible, but so far, its been
>>impossible to guarantee. Sun and Netscape may be very security conscious,
>>but the simple reality is "can we ever completely trust them?".
>
>and Ray replied...
>"No, and they say so - explicitly.  All they say: if you follow these rules,
>you'll have X level of security (modulo the bugs, implementation errors, and
>brain fade in application of the technology to the problem at hand,
>deployment, operations, and management, of course.) Just like the sane
>firewall vendors and any other sane security product vendors.
>
>	To quote from the VM Security Restrictions page from JavaSoft's web site;
>"One of the main goals of the Java environment is to make browser users feel
>secure running any applet. To achieve this goal, we've started out
>conservatively, restricting capabilities perhaps more than necessary. As time
>passes, applets will probably get more and more abilities. "
>
>	This sounds diametrically opposed to your statement of what Sun has
>supposedly said.
>
>Ray said...
>"I disagree.  If you want to be secure, you can be.  Its all in the defintion
>of what this means to each organization and wheather they will pay the price
>to meet their goals."
>
>	Come on Ray, the Security API is not yet published, let alone implemented on
>a reference platform, let alone included in a commercial product, so what do
>you mean you can be secure? You could pay the price to have someone program
>you a way to screen applets, and you could also pay the price to implement
>full desktop security covering everything from soup-to-nuts. Bottom line is
>that if you want to feel totally secure with Java applets (or ActiveX
>objects) today, you have to screen them out, period. Give me one example of a
>completely secure, commercially available, browser available today that will
>run Java applets, or even a combination of browser and some kind of screening
>server that will give me complete security. The price is irrelevant, if my
>goal is to be able to trust Java applets, as Sun says I should be able to, I
>cannot meet it today.
>
>Ray said...
>"I disagree.  It will be as scure as you make it.  If there are ActiveX
>defficiencies, those who want to use it will have to ensure that those
>defficiencies do not defeat their security goals - just like firewalls and
>any other security product."
>
>	You must be talking about a completely in-house environment here, otherwise
>how can I ever *ensure* that a third-party object does not contain
>deficiencies that compromise my security goals, with technology available
>today? Even with future technology, unless both Java applets and ActiveX
>objects include far more identifiable information in them (bit patterns, or
>whatever else it takes for something to determine what an object is going to
>do before it executes), then how will I be able to enforce my security goals?
>
>Ray said...
>"The OS's protection mechanisms must allow implementers to protect the comm
>protocols stack, applications.... - as they choose - past the basic design
>requirements of the OS's protection mechanisms.  That is, in some cases, the
>basic design requirements of the OS's protection mechanisms *preclude*
>everything except a very, very narrow set of comm protocol stack,
>application... functions.  In other cases, the basic design requirements of
>the OS's protection mechanisms *allow* everything.  The balance point is
>found in building an OS that offers a variety of protection mechanisms.
>Unless I'm on a diferent planet here, these are calledSingle Level (security)
>Systems and Multi Level (security) Systems, respectively."
>
>	Next to the former Vice-President of Liberia's request for a room to bonk
>his girlfriend in, that has to be the most confusing paragraph I have ever
>read. I'm sure you had a point there, but for the life of me I have no idea
>what it was.
>
>previously, Russ said...
>>Something developed for Netscape stays in their Browser (until they release
>>a complete OS that is), and so the scope of the product is somewhat more
>>limited (IMO). Products like Nortel's eNTrust can be extended to have the
>>ability to do far more than just handle objects arriving via the browser.
>
>and Ray replied...
>"Ummm - IMHO, both (and all others) rely on the afore-mentioned property: the
>OS must support and protect the security mechanisms that use them - they can
>not stand on their own.  Sorta like a house of cards in my view."
>
>	Ummm, isn't this just like the VM that Sun says will protect you from rogue
>applets? Of course, and once again you state the obvious here, any security
>mechanism that is put on or into an OS is going to have to integrate itself
>with the OS sufficiently to secure it, and anything else its intended to
>secure. The success or failure of a security mechanism will depend greatly on
>the original design of the OS, and how the OS allows security mechanisms to
>interface with it. However, so far no implementation of a completely secure
>OS has been anything other than user hostile (IMO), so its not yet
>commercially viable to do complete security on a widespread basis.
>
>previously, Russ said...
>>The Java language, on the other hand, is a very different animal than Java
>>applets.
>
>and Ray replied...
>"Yes - language vs program, true?"
>
>	No - program vs. applet that runs in a VM! Both use the Java language, but
>they are very different animals.
>
>Ray said...
>"IMHO they can't be seperated.  If the language does not support security
>features, programs written in them - more of less by definition - can not be
>secure."
>
>	As virus in DOS have proven over and over again, if I intercept acceptable
>calls and redirect them somewhere else, I can change the basic functionality
>of the environment. So if I intercept all calls to a disk drive and respond
>properly with malicious information, the OS does not know the difference. In
>the case of applets, the VM prevents normally acceptable Java language
>functionality. In this case, its the security and integrity of the VM, not
>the language. I agree, however, that in writing the VM the security features
>of the language are incredibly important, as is the security features of the
>underlying OS, although Sun believes they can make a secure VM on most OS'.
>
>Ray said...
>"Agreed.  Further, I assert that this can not be done w/o an OS that can
>properly protect those security mechanisms."
>
>	You're article has seemed to have shifted focus from Java to operating
>systems. Java is intended as an open language capable of being implemented on
>any OS, don't forget that.
>
>Cheers,
>Russ
>...eek, quick, someone give me some broken software, I'm suffering beta
>withdrawals...


From firewalls-owner  Fri Aug  2 00:48:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA28976 for firewalls-outgoing; Thu, 1 Aug 1996 23:09:20 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id XAA28968 for firewalls@greatcircle.com; Thu, 1 Aug 1996 23:09:07 -0700 (PDT)
Received: from skypoint.com (mirage.skypoint.com [199.86.32.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04627 for <Firewalls@GreatCircle.COM>; Wed, 31 Jul 1996 09:02:27 -0700 (PDT)
Received: from [199.86.33.4] ([199.86.33.139]) by skypoint.com
X-Sender: ray@mirage.skypoint.com
Message-Id: <v01510105ae25151e0c5a@[199.86.33.4]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 31 Jul 1996 10:58:23 -0500
To: Russ <Russ.Cooper@RC.Toronto.on.ca>
From: ray@rayk.com (Ray Kaplan)
Subject: RE: Java security - long, but relveant
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>On Tue, 30 Jul 1996 19:40:17 -0400 Russ <Russ.Cooper@RC.Toronto.on.ca> wrote:

>I just want to be clear here, I was stating the obvious in my original
>post. AFAIK, the VM is not supposed to be dependent on the OS to
>maintain its security, however, it does depend on the implementation of
>the VM.

Actually, there are several parts.  Until I'm done wading through it all
and provide pointers to relevant references, consider that there are at
least the following 4 parts:

        - The applet (the application)
        - The VM
        - The OS
        - The comm protocol suite - e.g., TCP/IP

If any of these are not "secure", the applet can not be.

>To me, the inherent insecurity of Java is that it is supposed to be
>viewed as secure.

I disagree.  Java is only as secure as its architecture / design /
implementation /environment permit.

>ActiveX should not be viewed as secure by anyone,
>anytime.

Again, I disagree. ActiveX is only as secure as its architecture / design /
implementation /environment permit.

Anyone have a side-by-side comparison of these two approaches?  (Another
to-do item for my long list, I suppose.)

>This is a big difference in my mind. Microsoft is not
>attempting to state the security of ActiveX, and its use of digital
>signatures is intended only to the extent that it allows them to prove
>that they were the originators of the applet so they can sell software
>across the net.

Does anyone who does digital signatures implicitly omit the inherent
integrity check?  I don't think so.  Since I have not looked at the ActiveX
spec, I can't say what Microsoft has done. However, given what I know of
the security people working there, I'd be surprised if they implicitly
omitted the integrity check that seems to be built-in to most digital
signature schemems.  Or, am I off in the weeds here, folks?

>If they were attempting to do any further security, the
>WinVerifyTrust API implementation would be checking the signature
>against the CA every time the object was accessed.

Ahhh, another hot topic.  Seems to me that this is an implementation
question that everyone faces.  Dealing with certificate revocation is a
handfull.  Seems to me that checking with the CA each time is an
implementation option in most schemems?  Can anyone comment?

>The way its
>implemented, this check is done once and recorded, subsequent access
>check first to see if its been previously authorized, and if so, it will
>use the object. So if a CA invalidates an object (say, because the
>author was found to be a malicious hacker), anyone who had previously
>accessed the object would continue to use the malicious object without
>question.

As I believe is always the case unless: 1) The CA always checks it's
revocation list or maintains an active list of ALL certiciates - and / or -
2) The client always asks the CA to do so.  True?

>From my read of implementor's concerns with making increased security
available, the performance hit of such things as having the client ask the
CA to check upon every access - although I'll bone up on ActiveX and figure
this out.

>This doesn't represent a problem for the sale of software, but it
>obviously represents a problem if ActiveX objects are used the way Java
>applets are used.

Not necessarily, me thinks.  Looking at the Java 1.1 Security API (shipping
late Summer or early Fall) it looks like these are all implementation
choices.

So far, here is what I'm looking at:

        - http://java.sun.com:80/products/apiOverview.html

        - http://java.sun.com:80/products/commerce/

        - The details in the Java SDK - found under the Developer's page at
        java.sun.com... BTW - Sun deserves the highest kudos for this
        documentation effort.  When you check it out, you'll find a
        complete, downloadable, self-installing / self-decompressing,
        documentation library.  Cool.

Am I misreading these?

>Clearly Microsoft is leaving it up to other folk to do
>something to secure ActiveX objects for more widespread use than what MS
>intends (IMO).

As is Sun with Java, I believe.  The full Java spec is a wonder to behold -
most will not elieve how comperhensive it is.  Top-down, soup-to-nuts map
to the future.

>Microsoft also sees ActiveX widely used on an IntrAnet,
>where the security of objects (in many environments) is less of an
>issue. I'm not promoting that idea, but its my interpretation of what MS
>believes.

Again, as is Sun with Java, I believe.  The IntrAnet / IntERnet question
necessarily is a matter of policy and the ability of the afore-mentioned
heirarchy of "trust" (if you will) to enforce that policy.  It appears that
Java currently can't support this, but will in V1.1 (with their new
security API), however (like ActiveX), I believe that this are ALL
implementation options.

Sun tells me the same thing that Netscape, others, and my experience do:
There is a huge shock factor when one implements or deploys serious
security.  A shock factor that most readers of this list are quite familiar
with ;)  They are doing everything that they can do to offer implementors
choices so the end users don't see their work simply grind to a stop (e.g.,
the things that support it: applications / systems / nets / firewalls...)
I can't belive that Microsoft is ignoring this.

>I agree that securing the VM should be possible, but so far, its been
>impossible to guarantee. Sun and Netscape may be very security
>conscious, but the simple reality is "can we ever completely trust
>them?".

No, and they say so - explicitly.  All they say: if you follow these rules,
you'll have X level of security (modulo the bugs, implementation errors,
and brain fade in application of the technology to the problem at hand,
deployment, operations, and management, of course.) Just like the sane
firewall vendors and any other sane security product vendors.

>I would say, gauging by the activity by companies trying to find
>ways to screen or proxy applets, it would seem the answer is no for
>some. I doubt that we'll be in a position to consider it safe for quite
>some time to come.

I disagree.  If you want to be secure, you can be.  Its all in the
defintion of what this means to each organization and wheather they will
pay the price to meet their goals.

>The same is true with ActiveX objects, so don't think
>I'm saying that one is better than the other. At least with an ActiveX
>object I'm not struggling to decide if its secure, I just assume it
>isn't.

I disagree.  It will be as scure as you make it.  If there are ActiveX
defficiencies, those who want to use it will have to ensure that those
defficiencies do not defeat their security goals - just like firewalls and
any other security product.

>ActiveX has longer legs in the PC marketplace because it is more closely
>integrated into the OS.

Ahhh - finally, the basic problem!  The OS / comm protocol stack MUST BE
ABLE to support and protect the security mechanisms that depend on them.
This, I believe, is the most profound challenge: how can we trust the OS's
/ comm protocol stack's support and protection mechanisms?  Not a trivial
question.

>While this may present a greater challenge for
>developers, it means that a security product developed to deal with
>ActiveX objects can also be used to handle a substantial amount of OS
>security as well.

NO!  A thousand times NO!  Ahhhh!

The OS's protection mechanisms must allow implementers to protect the comm
protocols stack, applications.... - as they choose - past the basic design
requirements of the OS's protection mechanisms.  That is, in some cases,
the basic design requirements of the OS's protection mechanisms *preclude*
everything except a very, very narrow set of comm protocol stack,
application... functions.  In other cases, the basic design requirements of
the OS's protection mechanisms *allow* everything.  The balance point is
found in building an OS that offers a variety of protection mechanisms.
Unless I'm on a diferent planet here, these are calledSingle Level
(security) Systems and Multi Level (security) Systems, respectively.

>Something developed for Netscape stays in their
>Browser (until they release a complete OS that is), and so the scope of
>the product is somewhat more limited (IMO). Products like Nortel's
>eNTrust can be extended to have the ability to do far more than just
>handle objects arriving via the browser.

Ummm - IMHO, both (and all others) rely on the afore-mentioned property:
the OS must support and protect the security mechanisms that use them -
they can not stand on their own.  Sorta like a house of cards in my view.

>The Java language, on the other hand, is a very different animal than
>Java applets.

Yes - language vs program, true?

>When it comes to security, the issues are completely
>different and shouldn't be confused.

IMHO they can't be seperated.  If the language does not support security
features, programs written in them - more of less by definition - can not
be secure.

>The Java language, like any
>language, is not constrained by VM's or Sandboxes, or whatever.

I disagree. The language's security features *depend* on everything else
(e.g., the OS's ability to protect them.)

>You can
>develop whatever security implementation you chose in the Java language,
>as you could in C.

Agreed.

>Applets are the fun, neat, easy to implement version
>of Java, but its not the Java language.

Agreed.

>As an example, you will be able to write ActiveX objects with J++ (MS'
>name for their implementation of the Java language), and then script it
>with the JavaScript language if you want.
>
>This all boils down to a desperate need to build better security at the
>desktop, together with better tools for Firewall administrators to
>define permissions for those desktops through gateways to less trusted
>networks (assuming we adhere to the idea that there are "trusted" and
>"untrusted" networks). With better tools at the desktop we can implement
>user policies to define permissions regardless of where they are, and
>what their doing.

Agreed.  Further, I assert that this can not be done w/o an OS that can
properly protect those security mechanisms.

>For all those who think that filtering Java applets are the way to go,
>think of this. I set my Netscape cache to never expire. I take my
>portable home and access the Internet through my private connection and
>download a malicious applet. I go back into the office to show everyone
>this neat new applet I've found. Bingo, the applet can run despite the
>wonderful filter on the Firewall. I'm not even trying to be malicious,
>I'm just an uneducated user...;-]

Indeed - sounds like the old virus problem, eh?  Lack of control over
transitivity between security domains.  In the perfect world, when you
attempt to run the applet that you brought in, the current security domain
will disallow it's execution unless it is recognized as being worthy of
trust according to the domain's security policy.

Hence, viri scanning and applet filtering all fall short.  The controls
have to be built into the lowest levels of the infrastructure and
ruthlessly enforced.  That is, when you attept to execute the rogue applet
anywhere in the "trusted" security domain, the policy enforcement
mechanisms are called into play to approve that action.  If the applet can
not be identified as "trustworthy" accoding to the domain's security
policy, it must be prevented from execution.  Of course, in the perfect
world, the policy enforcement mechanism also notifies the security officer
that you tried to ignore the policy.

>We need a way to turn off what we consider insecure, and prevent it from
>being turned on again by the user.

Bzzzt!  If I accept this philosophy, they I will have to personally look at
everything that wants to execute - no thanks.  I want what security
engineering promises: a security domain-wide policy enforcement mechanism
that does this for me. This ain't firewalls or applet filters as they
merely keep certain beasties from getting into the security domain through
a specific channel (most often, only *one* of the Internetwork connection
points ;) )

Before you jump on me, I do recognize reality:  given the mess of most
infrastructures, firewalls, viri scanning, applet filters... are needed -
despertately!   Moreover,  they will continue to be needed.  However, don't
get this mixed up with the basic problem.  The need for firewalls, viri
scanning, applet filters... is merely an artifact of our inattention to the
basics. A complete (sufficient, correct...) policy enforcement mechanism
must exist at the most basic level of the infrastructure.  The continuing
lack of it requires firewalls, viri scanning, applet filters...

Take a look at the total picture that is presented by the work of the IETF
and Java's specs. IMO, these are just specific examples of how current
trends are following the general lay of the traditional security landscape.
A security domain's policy enforcement mechanism must be capable of
supporting what is depending on it. Anything else is an incongruity that
will result in killer security holes that can't be easily fixed.
Firewalls, viri scanning, applet filters... only mediate the significant
residual risk that is left over these days.

>This doesn't exist in any browser
>that I've seen so far, but it will be more possible when the browser and
>the OS are the same thing, when we can use authentication servers to
>provide permission profiles back to the OS.

Agreed, but again: the problem is not the browsers or the browser / OS
combination.  Its the underlying policy enforcement mechanism's abilities.

Mean while, back to our regular programming on this channel: dealing with
the current mess of trying to get firewalls to do the things that each
infrastructure's policy enforcement mechanism should do internally.

Synically yours,

RayK

RayK 8)         Ray Kaplan
Security Services - P.O Box 23210 - Richfield, MN USA 55423
(612) 861-7198 - FAX (612) 861-3736 - www: http://www.rayk.com/rayk
ray@rayk.com - Not an expert, just a battered vet.




From firewalls-owner  Fri Aug  2 01:33:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA05578 for firewalls-outgoing; Fri, 2 Aug 1996 01:03:25 -0700 (PDT)
Received: from online.no (pat.online.no [193.212.1.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA05546 for <firewalls@GreatCircle.COM>; Fri, 2 Aug 1996 01:03:01 -0700 (PDT)
Received: from flash (oslo406.telepost.no [193.214.0.84]) by online.no (8.7.5/8.7.3) with SMTP id JAA19853; Fri, 2 Aug 1996 09:56:25 +0200 (MET DST)
Message-ID: <3201B4EA.8A7@online.no>
Date: Fri, 02 Aug 1996 09:57:30 +0200
From: "Tor I. Wilhelmsen" <toriw@online.no>
X-Mailer: Mozilla 3.0b4 (Win16; I)
MIME-Version: 1.0
To: endrizzi@master.the-link.com
CC: firewalls@GreatCircle.COM
Subject: Re: PPTP thoughts anyone? 
References: <199608010029.TAA13531@master.the-link.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

endrizzi@master.the-link.com wrote:
> 
> Seeing that Microsoft owns 95% of the client market my question is why
> would someone want to use any of the firewall remote client products
> (e.g. Checkpoint Secure Remote, Raptor Nomad,  V-One, SCC Netcruiser)
> when I can get it for basically free from Mr. Gates?  Only reason I can think of
> is for non-NT environments.
> 

The other is: Why trust a Jack-of-all-trades software supplier to make 
good, specialized software? It's like buying a generic "cake" for $3 
at a grocery instead of going to the award-winning _conditorie_, where 
cakes start at $10 but where you _know_ that 1) they know their business, 
since baking cakes _is_ their business, and 2) they value their customers 
because if they didn't, the customers would settle for the $3 bland 
stuff.

Plus, I wouldn't put network security into the hands of 
"let's-tweak-this-standard-until-it-screams" companies like Microsoft.

BTW, is there a relation between the Raptor Nomad mentioned above and the 
Raptor EagleRemote client?

- Tor Iver

From firewalls-owner  Fri Aug  2 09:07:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA13615 for firewalls-outgoing; Fri, 2 Aug 1996 02:10:19 -0700 (PDT)
Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA13575 for <Firewalls@GreatCircle.COM>; Fri, 2 Aug 1996 02:09:57 -0700 (PDT)
Received: from [192.0.2.1] (crl10.crl.com) by mail.crl.com with SMTP id AA06354
Message-Id: <199608020906.AA06354@mail.crl.com>
X-Sender: jhue@mail.crl.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 2 Aug 1996 02:06:40 -0700
To: Firewalls@GreatCircle.COM
From: jhue@crl.com (Jonathan Hue)
Subject: Re: How secure is xinetd's binding to specific interfaces
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>>                 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
>>                         if (ia->ia_ifp == ifp)
>>                                 goto ours;
>>                         else
>>                                 it came in on the wrong interface, log it 
>From: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
>This code would work beautifully if ipintr had ifp, a pointer to the
>interface the packet was received on.  Unfortunately, BSD networking
>code never records the interface a pakcet was received on.  When an
>ethernet packet is received, ether_input never records ifp for future
>reference.  This means that any ifp ipintr has must have been derived
>from the recieving address, so the check will always pass.  To get this

Be careful there.  While what you said may be true of BSD-based networking
code in just about every currently shipping OS, it certainly isn't true
for SunOS 4.1.x, which is what I was writing about when I sent that message
to this list in early 1995.  If your ipintr() has a line of code in it like:

                IF_DEQUEUEIF(m, &ifreq, &ifp)

then you do have an ifp you can trust, as it was sitting right before the
IP packet and IF_DEQUEUEIF adjusted the mbuf to point past it.  I've tried
this, sitting outside a dual-homed bastion with an attack machine, with a
static route to an inside network pointing at the bastion, and watched the
kernel log and drop packets that came in on the wrong interface. I ended
up tossing in code to send an ICMP network unreachable when this happened
and it all worked the way I expected.

Jonathan Hue              jhue@crl.com



From firewalls-owner  Fri Aug  2 10:28:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA16621 for firewalls-outgoing; Fri, 2 Aug 1996 10:09:36 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04242 for <firewalls-digest@miles>; Fri, 2 Aug 1996 09:20:41 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from pegase.total.fr(146.249.152.2) by mycroft via smap (V1.3mjr)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id MAA21236; Fri, 2 Aug 1996 12:10:36 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
Message-Id: <9608021007.AA08548@tidtest.total.fr>
To: marchany@vtserf.cc.vt.edu
Cc: "anthony.sabaj" <anthony.sabaj@awo.com>
Subject: Re: Logs - Backups 
In-Reply-To: Your message of "Thu, 01 Aug 1996 15:09:09 EDT."
X-Cuse: "The dog ate my network"
Date: Fri, 02 Aug 1996 12:06:32 +0100
From: Michel Lavondes <lavondes@tidtest.total.fr>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


In message <9608011909.AA00685@vtserf.cc.vt.edu>, marchany@vtserf.cc.vt.edu wri
tes:
> We take all of our logs and burn them ...

We too burn logs, but only during winter, and not all of them :-)

Michel Lavondes (lavondes@tidtest.total.fr)
#include <disclaimer.h>
Governments are guilty until proved innocent

From firewalls-owner  Fri Aug  2 10:37:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17026 for firewalls-outgoing; Fri, 2 Aug 1996 10:13:28 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA04254 for <firewalls@miles>; Fri, 2 Aug 1996 09:20:42 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from pat.online.no(193.212.1.13) by mycroft via smap (V1.3mjr)
Received: from flash (oslo513.telepost.no [193.214.0.107]) by online.no (8.7.5/8.7.3) with SMTP id MAA02054; Fri, 2 Aug 1996 12:11:00 +0200 (MET DST)
Message-ID: <3201D44D.495D@online.no>
Date: Fri, 02 Aug 1996 12:11:25 +0200
From: "Tor I. Wilhelmsen" <toriw@online.no>
X-Mailer: Mozilla 3.0b4 (Win16; I)
MIME-Version: 1.0
To: Brian Murrell <Brian_Murrell@bctel.net>
CC: j_markus@umb.com, Firewalls@GreatCircle.COM
Subject: Re: re[2]: Firewalls-Digest V5 #444
References: <199608010029.RAA11810@mocha.bctel.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> Ooooo.  The cat's away.
> 
> Just what I want.  To be a (the ??) security administrator at a bank, not
> be there for a while, and tell 15,000 or so people - some of which most
> certainly are hackers!!

... which raises the question whether vacation style programs are more of a 
"social engineering attack" aid than actually useful for the originator.

I also noticed that the autoresponder reply was kind enough to tell the world 
what mail system the company were using.

- Tor Iver

From firewalls-owner  Fri Aug  2 11:00:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA18486 for firewalls-outgoing; Fri, 2 Aug 1996 10:22:09 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA18468 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 10:21:58 -0700 (PDT)
Received: from clark.net (mjr@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id NAA11277 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 13:18:31 -0400 (EDT)
From: "Marcus J. Ranum" <mjr@clark.net>
Received: (from mjr@localhost) by clark.net (8.7.1/8.7.1) id NAA14748 for firewalls@greatcircle.com; Fri, 2 Aug 1996 13:18:30 -0400 (EDT)
Message-Id: <199608021718.NAA14748@clark.net>
Subject: Re: Tis or not tis?
To: firewalls@greatcircle.com
Date: Fri, 2 Aug 1996 13:18:29 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD Office
Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

potlicker@morebbs.com writes:
>
>Had a go at a couple of TIS Gauntlets   Tried to set SMTP debug on
>Got   Debug set - NOT!    Some programmer has a twisted sense of humor

	Why thank you! :)

	I once had a site call me in a lather about that because
pingware screamed bloody murder that there was a security hole, and
I had damage control to do.

mjr.

-- 
Chief Scientist, V-ONE Corporation  --  "Security for a connected world"
work            http://www.v-one.com
personal        http://www.clark.net/pub/mjr/mjr-top.html

From firewalls-owner  Fri Aug  2 11:02:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA18056 for firewalls-outgoing; Fri, 2 Aug 1996 10:19:12 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA17516 for <firewalls@miles>; Fri, 2 Aug 1996 10:17:47 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
Received: from iidev.inhouse.compuserve.com(149.174.72.212) by mycroft via smap (V1.3mjr)
Received: (from uucp@localhost) by iidev.inhouse.compuserve.com (8.6.12/8.6.12) id HAA03514; Fri, 2 Aug 1996 07:26:04 -0400
Received: from gjones.inhouse.compuserve.com(149.174.150.20) by iidev.inhouse.compuserve.com via smap (V1.3)
Date: Fri, 2 Aug 1996 07:35:10 -0400 (EDT)
From: "George M. Jones" <George.Jones@compuserve.net>
Reply-To: "George M. Jones" <George.Jones@compuserve.net>
Subject: Re: PPTP Information
To: Greg Otto <gdo@shellus.com>
cc: firewalls@GreatCircle.COM
In-Reply-To: <199607312156.QAA12852@blake.shell.com>
Message-ID: <ML-2.2.838985710.3978.gjones@gjones.inhouse.compuserve.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I am looking for any information on PPTP.  The stuff I have found so
> far does not give me a real good idea of what it is and what it does.
>      
> Any directions to more information would be greatly appreciated.     
> 
> 
> Thanks,
> Greg Otto  

Try:

  http://ds.internic.net/internet-drafts/draft-ietf-pppext-pptp-00.txt

---George Jones
CompuServe Internet Security
Email: George.Jones@CompuServe.NET
Voice: +1 614 538 4052, Fax: +1 614 457 0348
Snail Mail: 5000 Arlington Centre Blvd., Columbus, Ohio 43220 USA


From firewalls-owner  Fri Aug  2 11:22:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25163 for firewalls-outgoing; Fri, 2 Aug 1996 11:17:52 -0700 (PDT)
Received: from cyb (cyb.alaska.net [204.17.139.166]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA25108 for <firewalls@GreatCircle.COM>; Fri, 2 Aug 1996 11:17:35 -0700 (PDT)
Received: from mail.fred.com by cyb with smtp
Received: by mail.fred.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960802181111Z-24@mail.fred.com>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'peter@baileynm.com'" <peter@baileynm.com>
Cc: "'firewalls@GreatCircle.COM'" <firewalls@GreatCircle.COM>
Subject: FW: Java security - long, but relevant
Date: Fri, 2 Aug 1996 14:11:11 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> 	ActiveX, on the other hand, doesn't claim any responsibility whatsoever
>> for what an object can or cannot do. They do not try to give you a
>> sandbox, you have to make that yourself.
>
>	"That is simply not true in any practical sense. Microsoft is pushing
>ActiveX and signing as a solution to the security problem. The masses are
>getting the message "Microsoft says ActiveX is secure". Microsoft is not
>saying precisely that, I grant you, but what they're saying is close enough
>that that's the message that's being delivered."
>
>I have said it many times before publically, and I'll restate it here, IMO
>ActiveX is not secure, IMO it is not intended to be secure, IMO Microsoft are
>misleading people with their statements, IMO third-parties are going to make
>ActiveX-bearing environments secure against ActiveX's insecurity.
>
>Clear enough for everyone?
>
>The code-signing has its values for software distribution, but as Russian
>Mark (mdr@vodka...) pointed out, reliability does not make a security
>solution.
>
>My point is only that to anyone who looks at the two technologies with some
>technical knowledge (which is what we all are here) will see quite clearly
>that ActiveX does not provide security in the form necessary to open your
>system up to it. It doesn't have any components in it that are supposed to
>provide that network-aware security, it simply has this code-signing part
>that does reliability. Java applets, and the VM, OTOH, do come with security
>implied and delivered.
>
>> 	The inherent integrity check is part of what proving ownership is all
>> about.
>
>	"Sure, go ahead and sign the applets. That allows you *some* control over
>what's installed (but you're not going to refuse Microsoft's signature, are
>you?), but you still have to assume that any applet that uses data provided
>by an external source is potentially another security hole."
>
>You're repeating what I'm saying, obviously in a far better way than I.
>
>> 	You must be talking about a completely in-house environment here,
>> otherwise how can I ever *ensure* that a third-party object does not
>> contain deficiencies that compromise my security goals, with technology
>> available today?
>
>	"You can't. But with normal applications you can remove them and they stay
>removed. If there's a bug in Microsoft Geewhiz 3.4 you never know when you'll
>hit a page that'll download it to you again."
>
>Well, sorry, but this isn't true either. I can't remove what my employee
>installs on his portable at home. You can write a policy for it, but that's
>not going to protect you. Heck, most of the time its impossible to guarantee
>that a program doesn't get installed in the office, unless you've removed the
>floppy drives (mind telling me how you do that with most portables?). So
>applets are no different than programs that are delivered on disks, CDs, or
>any other media.
>
>> 	As virus in DOS have proven over and over again, if I intercept
>> acceptable calls and redirect them somewhere else, I can change the
>> basic functionality of the environment. So if I intercept all calls to a
>> disk drive and respond properly with malicious information, the OS does
>> not know the difference.
>
>"Of course in NT you're not supposed to be able to do that. And if NTFS
>security was up to snuff you couldn't. Or rather... NTFS security seems to be
>pretty good, but as shipped by Microsoft it's largely disabled."
>
>Well, I was trying to show how it would be possible to seperate the security
>of the OS from the security of an application. If the VM doesn't permit
>applets to do things to the OS, by intercepting calls, it can attempt to be
>secure.
>
>Cheers,
>Russ
>...eek, give me some broken software, I'm going into beta withdrawal...
>
>
>

From firewalls-owner  Fri Aug  2 11:37:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25322 for firewalls-outgoing; Fri, 2 Aug 1996 11:18:42 -0700 (PDT)
Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA25288 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 11:18:28 -0700 (PDT)
Received: (from cklaus@localhost) by phoenix.iss.net (8.6.13/8.6.12) id OAA25474 for firewalls@greatcircle.com; Fri, 2 Aug 1996 14:13:16 -0400
From: Christopher Klaus <cklaus@iss.net>
Message-Id: <199608021813.OAA25474@phoenix.iss.net>
Subject: Info World Firewall Articles
To: firewalls@greatcircle.com
Date: Fri, 2 Aug 1996 14:13:16 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL24 PGP2]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


In this weeks InfoWorld, they have done a comparision of many of the commercial
firewalls.  Might be worthwhile to take a look at if you are going to buy a
firewall.

There's also an article in InfoWorld , July 29, 1996 Issue, on Page 79
with Marcus Ranum & I discussing 'Does scanning for vulnerabilities mean your 
firewall is safe?'  

Thought it might be worth taking a look at if you missed it.

-- 
Christopher William Klaus	     Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.                        "Internet Scanner finds
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328     your network security holes
Web: http://iss.net/  Email: cklaus@iss.net            before the hackers do."

From firewalls-owner  Fri Aug  2 11:52:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28949 for firewalls-outgoing; Fri, 2 Aug 1996 11:44:39 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA28937 for <firewalls@GreatCircle.COM>; Fri, 2 Aug 1996 11:44:32 -0700 (PDT)
From: giff@traveller.East.Sun.COM
Received: by mercury.Sun.COM (Sun.COM)
Received: from congress.East.Sun.COM by East.Sun.COM (5.x/SMI-5.3)
Received: from traveller.East.Sun.COM by congress.East.Sun.COM (4.1/SMI-4.1)
Received: from world by traveller.East.Sun.COM (SMI-8.6/SMI-SVR4)
Date: Fri, 2 Aug 1996 14:40:48 -0400 (EDT)
Reply-To: <giff@traveller.East.Sun.COM>
Subject: Re: PPTP Information
To: "George M. Jones" <George.Jones@compuserve.net>
Cc: firewalls@GreatCircle.COM
In-Reply-To: "Your message with ID" <ML-2.2.838985710.3978.gjones@gjones.inhouse.compuserve.com>
Message-Id: <Roam 0.9.1.839011248.29469.giff@traveller.east.Sun.COM>
Content-Type: text
X-Sun-Text-Type: ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

=> > I am looking for any information on PPTP.  The stuff I have found so
=> > far does not give me a real good idea of what it is and what it does.
=> >      
=> > Any directions to more information would be greatly appreciated.     
=> > 
=> > 
=> > Thanks,
=> > Greg Otto  
=> 
=> Try:
=> 
=>   http://ds.internic.net/internet-drafts/draft-ietf-pppext-pptp-00.txt
=> 


You know, I've been looking at it too. I even downloaded the ietf draft.
Now I'm trying to correlate what the draft says it is and what M$ is selling?

Are there two PPTP's?

giff

From firewalls-owner  Fri Aug  2 12:20:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA29042 for firewalls-outgoing; Fri, 2 Aug 1996 11:45:20 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA28994 for <firewalls@GreatCircle.COM>; Fri, 2 Aug 1996 11:45:02 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA17452; Fri, 2 Aug 1996 13:40:05 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id NAA16671; Fri, 2 Aug 1996 13:38:16 -0500
Received: by sonic.nmti.com; id AA16104; Fri, 2 Aug 1996 13:38:15 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608021838.AA16104@sonic.nmti.com.nmti.com>
Subject: Re: FW: Java security - long, but relevant
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Fri, 2 Aug 1996 13:38:15 -0500 (CDT)
Cc: peter@baileynm.com, firewalls@GreatCircle.COM, ray@rayk.com
In-Reply-To: <c=US%a=_%p=Toronto%l=MAIL-960802181111Z-24@mail.fred.com> from "Russ" at Aug 2, 96 02:11:11 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have said it many times before publically, and I'll restate it here, IMO
> ActiveX is not secure, IMO it is not intended to be secure, IMO Microsoft are
> misleading people with their statements, IMO third-parties are going to make
> ActiveX-bearing environments secure against ActiveX's insecurity.
> 
> Clear enough for everyone?

Thank you. We are in violent agreement.

The real problem with Java is that they took a general purpose language with
a fast lightweight interpreter, and tried to secure it by keeping dangerous
instructions away from the interpreter. The way to secure a system like this,
really, is to simply not provide any path in the interpreter to dangerous
things. This means (a) your interpreter has to be heavier, because you need
to do more bounds checking and the like at that level, and (b) your runtime
is going to be larger, because you can't implement stateful mechanisms and I/O
in it because it doesn't include any in the language proper.

That's the approach Safe Tcl uses. It builds an interpreter that simply
doesn't have any "dangerous" commands in its symbol table, so there's no
mechanism from Tcl to access routines like "open".

In any case, the problems in Java don't indicate problems with "sandboxing"
in general.

From firewalls-owner  Fri Aug  2 12:42:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA07112 for firewalls-outgoing; Fri, 2 Aug 1996 12:34:15 -0700 (PDT)
Received: from telxon (telxon.mis.telxon.com [149.23.2.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA07094 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 12:34:06 -0700 (PDT)
Received: from exchange.mis.telxon.com by telxon (SMI-8.6/SMI-SVR4)
Received: by exchange.mis.telxon.com with Microsoft Exchange (IMC 4.0.838.14)
Message-ID: <c=US%a=_%p=TELXON%l=EXCHANGE-960802193058Z-18@exchange.mis.telxon.com>
From: "Wojno, Jim" <jwojn@telxon.com>
To: "'firewalls@greatcircle.com'" <firewalls@greatcircle.com>
Subject: RE: Info World Firewall Articles
Date: Fri, 2 Aug 1996 15:30:58 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To All:

In regards to the article in Info World, it mentions that Firewall-1 has
what would seem to be a serious design flaw. At boot time, the in.routed
router daemon was started before the firewall software, creating a
window of opportunity (2 to 3 seconds ?) in which the internal network
is exposed. This was especially surprising to me, as it states in the
manual to not use extended IP access lists on the router to filter
traffic, but to rather route *all* incoming traffic to the firewall. I
quote: "Use routers to provide proper network connectivity. Use a
firewalled gateway behind the router to perform the filtering
functions."

We are currently considering Firewall-1, because of it's flexibility and
it's "Stateful Packet Inspection" of protocols such as UDP. I am very
curious to know how anyone on the list has resolved this issue. I would
think that one would only need to change the order in which these things
are started by editing the startup scripts. If not, what did others out
there do to address this?

If this is a topic that has already been discussed, please feel free to
contact me directly.

Thanks in advance for your help,

Jim Wojno
Systems Administrator
Telxon Corporation
jwojn@telxon.com

>----------
>From: 	Christopher Klaus[SMTP:cklaus@iss.net]
>Sent: 	Friday, August 02, 1996 2:13 PM
>To: 	firewalls@greatcircle.com
>Subject: 	Info World Firewall Articles
>
>
>In this weeks InfoWorld, they have done a comparision of many of the
>commercial
>firewalls.  Might be worthwhile to take a look at if you are going to
>buy a
>firewall.
>
>There's also an article in InfoWorld , July 29, 1996 Issue, on Page 79
>with Marcus Ranum & I discussing 'Does scanning for vulnerabilities
>mean your 
>firewall is safe?'  
>
>Thought it might be worth taking a look at if you missed it.
>
>-- 
>Christopher William Klaus	     Voice: (404)252-7270. Fax: (404)252-2427
>Internet Security Systems, Inc.                        "Internet
>Scanner finds
>Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328     your network
>security holes
>Web: http://iss.net/  Email: cklaus@iss.net            before the
>hackers do."
>

From firewalls-owner  Fri Aug  2 13:22:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA11213 for firewalls-outgoing; Fri, 2 Aug 1996 13:10:30 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA11182 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 13:10:15 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0)
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0)
Date: Fri, 2 Aug 1996 16:06:44 -0400 (EDT)
Message-Id: <199608022006.QAA06528@SPARKY.CF.CS.YALE.EDU>
To: cklaus@iss.net, firewalls@greatcircle.com
Subject: Re:  Info World Firewall Articles
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>In this weeks InfoWorld, they have done a comparision of many of the commercial
>firewalls.  ..............................................................

Many?  They only test three in the version online 
( http://www.infoworld.com/pageone/testcenter/tcenter.htm ):

	Checkpoint Firewall-1 2.0
	TIS Gauntlet 3.1 
	Harris CyberGuard 2.1.2

You have to be registered (ie. check out http://www.infoworld.com/ )
to read the above article (ie. URL) online.

>There's also an article in InfoWorld , July 29, 1996 Issue, on Page 79
>with Marcus Ranum & I discussing 'Does scanning for vulnerabilities mean your 
>firewall is safe?'  

Couldn't find that one in the online edition (InfoWorld Electric).

- Morrow


From firewalls-owner  Fri Aug  2 14:31:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA14975 for firewalls-outgoing; Fri, 2 Aug 1996 13:53:41 -0700 (PDT)
Received: from web.net (web.net [142.75.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA14960 for <Firewalls@GreatCircle.COM>; Fri, 2 Aug 1996 13:53:26 -0700 (PDT)
Received: from ingen.cigb.edu.cu by web.net
Received: from scorpio.cigb.edu.cu by ingen.cigb.edu.cu with smtp
Received: from serverdos.cigb.edu.cu by scorpio.cigb.edu.cu with smtp
Received: from SERVERDOS/SpoolDir by serverdos.cigb.edu.cu (Mercury 1.21);
Received: from SpoolDir by SERVERDOS (Mercury 1.21); 2 Aug 96 14:41:33 EST5EDT
From: "Viena Garcia Acosta" <Viena.Garcia@cigb.edu.cu>
Organization: C.I.G.B.
To: Firewalls@GreatCircle.COM
Date: Fri, 2 Aug 1996 14:41:25 ESTD5
Subject: Security lists?
Reply-to: Viena.Garcia@cigb.edu.cu
X-mailer: Pegasus Mail for Windows (v2.40)
Message-ID: <1966A7A53B0@serverdos.cigb.edu.cu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi! 

Anybody can suggest me a good and serious list about security topics, including 
cryptography, Netscape's and Java's  security, or something like that?

Thanks and bye,
Viena


Viena Garcia Acosta
Network Security & Information Systems
CIGBnet
Viena.Garcia@cigb.edu.cu

From firewalls-owner  Fri Aug  2 16:22:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA25218 for firewalls-outgoing; Fri, 2 Aug 1996 16:11:58 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA25211 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 16:11:52 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0)
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0)
Date: Fri, 2 Aug 1996 19:08:27 -0400 (EDT)
Message-Id: <199608022308.TAA06874@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com
Subject: Seattle Software Labs WatchGuard(tm) - Dynamic PF plus Trans Proxies
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Noticed that another firewall just came out (they seem to be coming out
every other day now).  Disclaimer: I have no relationship with Seattle
Software Labs.

Seattle Software Labs (founded this year via a merger with Mazama
Software Labs -- which was founded by ex-Networx engineers) is 
claiming to have the first combined hardware (PC) and software
firewall solution at a price starting under $3,000.

	http://www.sealabs.com/

The firewall looks like a hybrid which builds in a number of new
features (which all firewalls vendors appear to be scrambling to
add to their products) on top of the original Mazama Packet Filter
product.

Here is my take on the WatchGuard features/specs at a glance:

	o	Dynamic Packet Filtering (aka 'stateful inspection').

	o	Transparent Proxies (for various applications such as
			FTP and SMTP).  They also call them "intelligent
			proxies).

	o	NAT (they're claiming Network Address Translation, but their
			"IP Masquerading~ configuration screen shot and
			the description of it on the same Web page make it
			appear to me that all internal addresses are
			re-mapped to the public IP address of the firewall
			rather than to a class C or range of pooled public
			addresses ala RFC 1631.  Perhaps there is another
			setup option screen somewhere?  Or not?)

	o	Embedded Real-Time OS (should provide less latency and
			higher throughput than conventional OSes???).

	o	Configuration Management
		-	Intelligent Configuration Management
			(expert system testing and verifications of rules)
		-	Point and click GUI configuration.
		-	Administration console is a separate (not included)
			remote (LAN or RS232 connection)
			NT, Win95 or Linux machine w/ GUI client interface.

	o	Monitoring/Reporting:
		-	Alarm/Event Notification ( incl. probe detection:
			port & address scan detection & auto blocking)
		-	Fails 'shut' if it detects tampering (hmm...
			   it must cryptographically checksum its own software).
		-	Log Viewer with search and zoom.

                   [The following 2 appear to cost extra $$$]
		-	Historical Reporting
			(ie. suspicious activity reports )
		-	Real-Time Graphical Monitor
			(activated-service icons & color-coded connections.
			 Also meters and bar charts for bandwidth stats)

	o	IP Spoofing protection
		-	address
		-	options
		-	fragment

	o	Hardware (or you can use your own 486 or greater PC)
		-	Pentium Processor ( what Mhz???)
		-	16 MB RAM
		-	3 10Base-T connections
		-	When bundled with the Watchguard SMS software
			the incremental cost of purchasing the PC box
			appears to be only about $500 ( $2,995 vs.
			$2,495 without the PC).

	o	Availability:
		-	August 15 for PC (Firebox) and Watchguard std software.
		-	August 29 for (Hist Rpt and Graphic Monitor s/w options)
		-	They are claiming Q4 '96 availability for add'l options:
			*	Authentication
			*	VPNs
			*	Central Console

2nd Disclaimer: I have no relationship with Seattle Software Labs.

- Morrow


From firewalls-owner  Fri Aug  2 18:07:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA02167 for firewalls-outgoing; Fri, 2 Aug 1996 18:03:15 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA02160 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 18:03:09 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
Message-ID: <9608022059.0THTW00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Fri, 02 Aug 96 20:59:44 
Subject: Re:tis or not ...
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Several folks expressed scepticism about two Pentiums running TIS Gauntlet
being maxed out   I dont work for the company concerned so I dont have any
first hand information   However my friend who works there says the two
Pentium P60 machines get maxed out between 1030 am and 12 noon and again
from 230 pm to 330 pm   They get maxed out because 730 users are accessing
Internet through one while the other one is pumping through 20000 (twenty
thousand) e-mail messages a day

I would still like to hear first hand experience from someone who is
running TIS Gauntlet on HP-UX   So far the folks who responded dont run 
that kind of setup

To the others who asked about my background  - I dont got no background - 
I just got hemorrhoids (Middle English emeroudis for you Limeys) from 
sitting in front of this VT-100 terminal too long   Please stick to firewall
matters   Do as I say not as I do   
                                                 Pot_LiCkEr


From firewalls-owner  Fri Aug  2 19:37:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA07471 for firewalls-outgoing; Fri, 2 Aug 1996 19:30:08 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA07461 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 19:29:58 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
Received: from lina (lists@lina.inka.de) by uu.inka.de
Received: by lina
Message-Id: <m0umWOS-0004jXC@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Is any O.S. w/IP enabled C2 certified?
To: spencerj@dg-rtp.dg.com (Jon Spencer)
Date: Sat, 3 Aug 1996 04:24:43 +0200 (MET DST)
Cc: jturner@loki.aetc.af.mil, Darwin_Martinez@ins.com, noorder@shire.btg.com
In-Reply-To: <199608020135.VAA06038@splinter.rtp.dg.com> from "Jon Spencer" at Aug 1, 96 09:35:19 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> So you can have a C2 TCSEC eval or C2 TNI eval or a C2 TDI eval.  We are
> in a B2 TNI eval and our partner is in a B2 TDI eval on top of ours.  And
> yes, I believe that C2 NT includes IP, but does not include the floppy disk
> and lots of other real world things.

Since C2 doesnt require verifying the code (which is nearly impossible
anyway), C2 only covers how it 'should' ork, not how it 'does' work. This
means buffer overruns, shell escape and all that stuff introduced by bugs
will not be covered from C2 Certification.

I thin B recommendation are slightly more detailed in verifying
implementations, right?

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner  Fri Aug  2 20:52:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA10582 for firewalls-outgoing; Fri, 2 Aug 1996 20:37:10 -0700 (PDT)
Received: from psa.pencom.com (psa.pencom.com [204.217.199.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA10575 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 20:37:04 -0700 (PDT)
Received: (from chk@localhost) by psa.pencom.com (Hah!/nope) id WAA26617; Fri, 2 Aug 1996 22:33:39 -0500 (CDT)
Message-Id: <199608030333.WAA26617@psa.pencom.com>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
To: lists@lina.inka.de (Bernd Eckenfels)
Date: Fri, 2 Aug 1996 22:33:39 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <m0umWOS-0004jXC@lina> from "Bernd Eckenfels" at Aug 3, 96 04:24:43 am
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



Nothing in the Orange book says anything about networking, so can we please
stop this silly discussion?  Or rename the subject and stop talking about
C, B etc levels in conjunction with networking..

Thanks guys, I like keeping my sanity :)

Regards,
Chris

> 
> Hi,
> 
> > So you can have a C2 TCSEC eval or C2 TNI eval or a C2 TDI eval.  We are
> > in a B2 TNI eval and our partner is in a B2 TDI eval on top of ours.  And
> > yes, I believe that C2 NT includes IP, but does not include the floppy disk
> > and lots of other real world things.

--___  ____ __ 
 | _ \/ __/|  \   Christian Kuhtz <chk@psa.pencom.com>
 |  _/\__ \| \ \  Pencom Systems Administration, (512) 343-1111
 |_|  /___/|_|__\ on-site @ National Instruments, Austin, TX
 "Whattaya _MEAN_ you don't have any more pets??!?!?!?!?!!!!!!" - Wayne Schmidt

From firewalls-owner  Fri Aug  2 21:22:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA12087 for firewalls-outgoing; Fri, 2 Aug 1996 21:10:32 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA12078 for <firewalls@greatcircle.com>; Fri, 2 Aug 1996 21:10:21 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199608030405.AAA07128@splinter.rtp.dg.com>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
To: lists@lina.inka.de (Bernd Eckenfels)
Date: Sat, 3 Aug 1996 00:05:27 -0400 (EDT)
Cc: spencerj@dg-rtp.dg.com, jturner@loki.aetc.af.mil, Darwin_Martinez@ins.com
In-Reply-To: <m0umWOS-0004jXC@lina> from "Bernd Eckenfels" at Aug 3, 96 04:24:43 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> Hi,
> 
> > So you can have a C2 TCSEC eval or C2 TNI eval or a C2 TDI eval.  We are
> > in a B2 TNI eval and our partner is in a B2 TDI eval on top of ours.  And
> > yes, I believe that C2 NT includes IP, but does not include the floppy disk
> > and lots of other real world things.
> 
> Since C2 doesnt require verifying the code (which is nearly impossible
> anyway), C2 only covers how it 'should' ork, not how it 'does' work. This
> means buffer overruns, shell escape and all that stuff introduced by bugs
> will not be covered from C2 Certification.
> 
> I thin B recommendation are slightly more detailed in verifying
> implementations, right?
> 
> Greetings
> Bernd

This is a bit long, but as short as I could make it and still have some
meaningful information content.  :-)

FIrst off, just to let you know where this is coming from, I am the
Security Architect for our B2/E4 DG/UX system.  So far, we have been at it
for about 6 years, plus 5 years before I came to DG where the staff wrote
their own kernel from scratch using high assurance techniques.  Our
standard product and B2/E4 product are built from the same source code
without #ifdefs - it's in the linking and is table driven.  It was the only
way we could afford to maintain the trusted product and keep it in sync
with the standard product.

B1 is not much more than C2 in terms of assurance (i.e., do I know that it
works?).  The hard part of B1 is adding a new security policy (Mandatory
Access Control - MAC).  For the record, MAC is used by all real commercial
enterprises.  You have unrestricted information, company confidential,
company confidential restricted, etc (hierarchies).  And only a few people
are authorized to see payroll or personel information, only a few can
see strategic marketing plans, etc (categories).  But that is an entirely
different discussion!

B1 code is not looked at.  A RM (see below) is not needed.  The code can be
spaghetti code.  Not all objects must be protected by the system.  The info
below for B2 is all above and beyond B1 requirements (and E3 requirements
for the ITSEC).

B2 is where the first real jump in assurance comes.  ALL security relevant
code, and in a full comercial OS there is a ton of this, must be modular,
coded to a single coding standard (well, one standard for the kernel,
another for layered code), no unused or dangling or obtuse code, all
completely documented, all with detailed and high level design specs that
match each other and that match the user and administrative documentation.

There must be both an informal and a formal model for the security policy.
There must be a reference monitor (RM) - a single piece of code that handles
ALL accesses to ALL objects by ALL subjects.  The RM must be small enough
to be verified correct, must be tamperproof, and must ALWAYS be invoked -
ya gotta prove this.  (We also are formally proving our formal model and
tracing all claims throughout the code, design and model.)

There must be a covert storage channel analysis done of the system, looking
for "covert channels."  A covert channel is a method of bypassing the
security policy by using normal approved system mechanisms (huh????).
The best example of this is the base MAC policy that says information can
only flow upward (e.g., from unclassified to secret is OK, but not the
other way around).  This seems reasonable.  So you should be able to open a
file with a "higher" classification for writing.  Information only flows
upward - right?  Well, not right.  You see, the problem is that when you do
a write, you get a return code - it succeeded or failed.  If someone is
manipulating the permission bits on the file, then you could succeed (a
"one bit") and then fail (a "zero bit").  By this manipulation, the secret
user could signal information to the unclassified user and the system would
never know it.   This is a covert channel.  All covert channels must be
limited to less than 100 bits/minute, and must be auditable if over 10
bits/minute.  Any covert channel over 100 bits/minute must be closed.  It
can be closed by slowing it down or by eliminating it.  This can take a LOT
of interfaces out of the system and/or really slow the system down
if some new approach to covert channels isn't used (we have such an
approach - but again, this is not the forum for that discussion).

EVERYTHING must be tested from every angle.  The NSA folks do a several
month penetration study (they try to break in having the source code at
their disposal).  There is a lot more as well.  Actually getting the system
to run is a very small part of the B2 evaluation (about 5%).

THEN, on top of all this, your development process has to be such that you
can keep this same high level of assurance for any modifications you make
to the OS (patches, new releases) or the new system loses its rating.  This
is called RAMP (RAtings Maintenance Phase).  NSA can and does perform
random audits of anything in the OS.  Every change must be documented and
approved and monitored for security relevance.  If a change is made in a
user doc, it must be traceable from the change in the doc to the place in
the code or whatever that generated the change.  And vice versa.

WHen a new release of the OS is proposed, all changes must be approved by
NSA and the changes must be defended in from of a panel of NSA experts
(many are actually from private industry, since they pay more than the
gov't).  You better have done it all correctly!  If NSA discovers any
messup in following the RAMP planm (which they must approve) they can
remove your B2 rating from any of the releases or prior releases that may
have been affected.  And if NSA discovers that you have been negligent or
tried to sneak one by them, well I don't want to scare the weak at heart.

BUT ..... there is a major payoff from this.  Although you pay a high up
front cost, the quality that results from high assurance is astounding!
Back in 1970, Dykstra, Hoare, et al published "STructured Programming".
Since then, lots of lip service (watch out for the drool!) has been given
to these concepts, but when the rubber meets the road it goes out the
window.  Our experience shows a tremendous payoff in MTBF and other things.

So, that's B2.  :-)

-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********

From firewalls-owner  Fri Aug  2 22:22:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA17781 for firewalls-outgoing; Fri, 2 Aug 1996 22:15:40 -0700 (PDT)
Received: from park.interport.net (park.interport.net [199.184.165.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA17774 for <firewalls@GreatCircle.COM>; Fri, 2 Aug 1996 22:15:34 -0700 (PDT)
From: mitaliani@gtinteractive.com
Received: from interport.net (uucp@madison.nfs.interport.net [205.161.144.1]) by park.interport.net (8.7.3/8.7.3) with ESMTP id BAA02074 for <firewalls@GreatCircle.COM>; Sat, 3 Aug 1996 01:12:10 -0400 (EDT)
Received: (from uucp@localhost) by interport.net (8.7.5/8.7.3) with UUCP id BAA14773 for firewalls@GreatCircle.COM; Sat, 3 Aug 1996 01:12:04 -0400 (EDT)
Received:  by relay.gtinteractive.com (UUPC/extended 1.12k);
Message-ID: <32025d8f.gtint@relay.gtinteractive.com>
To: firewalls@GreatCircle.COM
Subject: Networking mailing lists
X-Charset: us-ascii
Date:      Fri, 02 Aug 1996 15:57:03 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone,

I've enjoyed all of this firewall banter, but I am in need of some of the 
basics. Does anyone out there know of any good mailing lists associated with 
networks. Ethernet. 10BaseT. Hubs. Switched and otherwise. Unix. NT. 
Routers. Hardware. And Software. I think I have to go backwards in order to 
go forwards. Any leads would be appreciated.

Thanks.


 ---------------------


Michael Italiani
Advanced Technology
GTInteractive Software



From firewalls-owner  Sat Aug  3 11:37:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25327 for firewalls-outgoing; Sat, 3 Aug 1996 11:35:37 -0700 (PDT)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA25320 for <firewalls@GreatCircle.COM>; Sat, 3 Aug 1996 11:35:31 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id KAA29876 for <firewalls@GreatCircle.COM>; Sat, 3 Aug 1996 10:43:12 -0700
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id LAA27248 for <firewalls@GreatCircle.COM>; Sat, 3 Aug 1996 11:27:57 -0700
Date: Sat, 3 Aug 1996 11:27:56 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: firewalls@GreatCircle.COM
Subject: Another wide-open security hole from Microsoft
In-Reply-To: <199607292046.GAA11940@suburbia.net>
Message-ID: <Pine.BSI.3.93.960803112618.26549A-100000@sidhe.memra.com>
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Microsoft has a new product coming out that makes the company LAN wide
open to intruders. Read all about it at
http://techweb.cmp.com:80/techweb/crn/sections/columnist/portia17.htm

Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael@memra.com


From firewalls-owner  Sat Aug  3 19:52:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA20760 for firewalls-outgoing; Sat, 3 Aug 1996 19:37:30 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA20753 for <firewalls@greatcircle.com>; Sat, 3 Aug 1996 19:37:24 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0VPB700G Sat, 03 Aug 96 22:34:02 
Message-ID: <9608032234.0VPB700@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Sat, 03 Aug 96 22:34:02 
Subject: What
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


*.What the phuc does the xmtcDmlog button do

Flash dont screw with that   Its going to send our log to the last address
we e-mailed to   That silly bastard will see what we are doing 

*.O phuc too late Sorry d00d

Dont worry Flash   He was just a lamer asking for a a sun system hack
Wants to run rootkit   I cant remember where the hell we stashed it
Hey man lets quit this shit and go over to Ramdada Inn  Jump off the 
balcony and pop a paper bag and belly flop into the swimming pool   
Just like TWA 800

*.Right on d00d You gotta teach me how to swim

Wake up Flash   The Dawg taught you how to swim last year at that skinny 
dipping pool up at New Paltz    Where those skinny SUNY chicks were

*.Yeah Right I forgot

@&lawg.phile
Enter password >>
Time out ...
Disconected...
  

From firewalls-owner  Sun Aug  4 06:22:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA10143 for firewalls-outgoing; Sun, 4 Aug 1996 06:20:34 -0700 (PDT)
Received: from emout09.mail.aol.com (emout09.mx.aol.com [198.81.11.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA10129 for <firewalls@greatcircle.com>; Sun, 4 Aug 1996 06:20:29 -0700 (PDT)
From: MayoIino@aol.com
Received: by emout09.mail.aol.com (8.6.12/8.6.12) id JAA11718 for firewalls@greatcircle.com; Sun, 4 Aug 1996 09:19:47 -0400
Date: Sun, 4 Aug 1996 09:19:47 -0400
Message-ID: <960804091947_252438278@emout09.mail.aol.com>
To: firewalls@greatcircle.com
Subject: Re:What
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I sincerely apologize for my last posting on firewalls

We were drinking mead brewed by a witch and Flash sent
the message by accident

It was not our intention to annoy anyone or to hurt anyones
feelings     We certainly did not want to hurt the feelings of
anyone directly affected by the incident 
Once again I sincerely apologize

This message was sent from AOL because the other system
mysteriously crashed   Do not reply to the AOL address

                                                                 PoT_LiCkEr









                                                        POTLICKER@morebbs.com


From firewalls-owner  Sun Aug  4 07:22:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14321 for firewalls-outgoing; Sun, 4 Aug 1996 07:19:42 -0700 (PDT)
Received: from pwylie.amberhill (pa1dsp16.nr.infi.net [208.128.85.40]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA14314 for <firewalls@GreatCircle.COM>; Sun, 4 Aug 1996 07:19:33 -0700 (PDT)
Received: from pwylie (root@localhost [127.0.0.1]) by pwylie.amberhill (8.6.12/8.6.9) with SMTP id KAA00236; Sun, 4 Aug 1996 10:09:18 -0400
Message-ID: <3204AF0A.295E1057@nr.infi.net>
Date: Sun, 04 Aug 1996 10:09:14 -0400
From: Phil Wylie <pwylie@nr.infi.net>
X-Mailer: Mozilla 3.0b5a (X11; U; Linux 1.2.13 i486)
MIME-Version: 1.0
To: leonard@geminisecure.com
CC: spencerj@dg-rtp.dg.com, firewalls@GreatCircle.COM
Subject: Re: Is any O.S. w/IP enabled C2 certified?
References: <199608020125.VAA06014@splinter.rtp.dg.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jon wrote:

>Data General's B2/E4 DG/UX is currently in evaluation at B2 in the US and
>E4 (ITSEC) in Europe.  We are doing a Red Book B2 eval with IP in a
>heterogeneous environment (mixed sets of systems connected - trusted and
>untrusted).  This is a full commercial OS (Unix) with built in firewall,
>virus prevention, SMP, failover, RAID disk and tape, etc.  The next release
>(this fall) has transparent proxies and  address translation (built in and
>in the evaluation).  NSA will be using it for their classified server
>connected to the Internet (with Web server).

We are currently configuring this OS (DG-UX 4.11 B2) as our sorpporate
firewall.
Using the B2 DSO from DG and Cybershield from BDM International.

The system is being used as a firewall although it offers many features
that we 
are not using if we were in a Trusted/Untrusted environment.

As Jon wrote the OS and Networking are currently being evaluated at B2
and the X11 product at B1.

So far we have been pleased with the performance and operation. As of
this time, it has undergone
one independent intrusion test. Management is pleased and plans are to
begin a trial roll-out to 
a group of corporate users.

We are using the BDM authenticated http and ftp proxies for most of our
services. The proxies 
provide for virus checking and authentication. The users never login in
to the firewall.

All in all, I have been pleased with the level of support from both DG
and BDM.

Phil Wylie

From firewalls-owner  Sun Aug  4 12:17:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA26249 for firewalls-outgoing; Sun, 4 Aug 1996 11:54:23 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA26242 for <firewalls@greatcircle.com>; Sun, 4 Aug 1996 11:54:17 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0KUWB001 Sun, 04 Aug 96 14:50:51 
Message-ID: <9608041450.0KUWB00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Sun, 04 Aug 96 14:50:51 
Subject: Performance
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Image is everything
Last year a TISLady told us that all we do is boast and swagger
That is true   But swaggering is hard   You have to _look_ like
you know what you are talking about   When my friend at BigCo
brings up his TIS Gauntlet on HP-UX I want to tell him how to
check his system performance   Not the other way around

I did some web searches on peformance and found stuff by Marcus Ranum 
and Evi Nemeth and Trent Hein   This what I came up with

-={ church_of_the_Dead_meow Unix System Performance Measurement }=-

Load averages - use uptime - a load averagoe of .50 to .60 shows the
system is short of some resource

CPU Utilization
vmstat - watch idle time
Paging
vmstat - if runnable but swapped is not zero then system need more memory
       - KB on free list should not be less than 3 percent of total memory
       - constant page outs means not enough memory

Memory Usage
swapinfo - watch swap info
vmstat - high scan rate means memory problems

Disk I/O Analysis
iostat - watch sectors transferred per second/total transfers per second
         high is good   low is bad

I know there are plenty of Unix wizards on the list   What have I missed?

                                                         PoT_LiCkEr


From firewalls-owner  Sun Aug  4 17:22:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14864 for firewalls-outgoing; Sun, 4 Aug 1996 17:12:58 -0700 (PDT)
Received: from tartarus.us.newbridge.com (willard.us.newbridge.com [204.177.219.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA14849 for <firewalls@GreatCircle.COM>; Sun, 4 Aug 1996 17:12:51 -0700 (PDT)
Received: from tartarus (tartarus.us.newbridge.com [138.120.108.65]) by tartarus.us.newbridge.com (8.7.5/8.7.3) with SMTP id UAA23001; Sun, 4 Aug 1996 20:06:17 -0400 (EDT)
Date: Sun, 4 Aug 1996 20:06:17 -0400 (EDT)
From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
X-Sender: murchiso@tartarus
To: "Wojno, Jim" <jwojn@telxon.com>
cc: "'firewalls@greatcircle.com'" <firewalls@GreatCircle.COM>
Subject: RE: Info World Firewall Articles
In-Reply-To: <c=US%a=_%p=TELXON%l=EXCHANGE-960802193058Z-18@exchange.mis.telxon.com>
Message-ID: <Pine.SOL.3.95.960804200332.22993A-100000@tartarus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We picked this up and did some tweaking to secure us from the "window of
opportunity".  The product has worked great for us over the past cople
years, but you should definately investigate what is happening during boot
time to nail down any openings.

-r

On Fri, 2 Aug 1996, Wojno, Jim wrote:

> To All:
> 
> In regards to the article in Info World, it mentions that Firewall-1 has
> what would seem to be a serious design flaw. At boot time, the in.routed
> router daemon was started before the firewall software, creating a
> window of opportunity (2 to 3 seconds ?) in which the internal network
> is exposed. This was especially surprising to me, as it states in the
> manual to not use extended IP access lists on the router to filter
> traffic, but to rather route *all* incoming traffic to the firewall. I
> quote: "Use routers to provide proper network connectivity. Use a
> firewalled gateway behind the router to perform the filtering
> functions."
> 
> We are currently considering Firewall-1, because of it's flexibility and
> it's "Stateful Packet Inspection" of protocols such as UDP. I am very
> curious to know how anyone on the list has resolved this issue. I would
> think that one would only need to change the order in which these things
> are started by editing the startup scripts. If not, what did others out
> there do to address this?
> 
> If this is a topic that has already been discussed, please feel free to
> contact me directly.
> 
> Thanks in advance for your help,
> 
> Jim Wojno
> Systems Administrator
> Telxon Corporation
> jwojn@telxon.com
> 
> >----------
> >From: 	Christopher Klaus[SMTP:cklaus@iss.net]
> >Sent: 	Friday, August 02, 1996 2:13 PM
> >To: 	firewalls@greatcircle.com
> >Subject: 	Info World Firewall Articles
> >
> >
> >In this weeks InfoWorld, they have done a comparision of many of the
> >commercial
> >firewalls.  Might be worthwhile to take a look at if you are going to
> >buy a
> >firewall.
> >
> >There's also an article in InfoWorld , July 29, 1996 Issue, on Page 79
> >with Marcus Ranum & I discussing 'Does scanning for vulnerabilities
> >mean your 
> >firewall is safe?'  
> >
> >Thought it might be worth taking a look at if you missed it.
> >
> >-- 
> >Christopher William Klaus	     Voice: (404)252-7270. Fax: (404)252-2427
> >Internet Security Systems, Inc.                        "Internet
> >Scanner finds
> >Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328     your network
> >security holes
> >Web: http://iss.net/  Email: cklaus@iss.net            before the
> >hackers do."
> >
> 



From firewalls-owner  Mon Aug  5 01:08:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA04278 for firewalls-outgoing; Mon, 5 Aug 1996 01:02:04 -0700 (PDT)
Received: from mail.transpac.net (nic.transpac.net [194.52.1.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA04271 for <firewalls-digest@GreatCircle.COM>; Mon, 5 Aug 1996 01:01:57 -0700 (PDT)
Received: from alf.ihc.se (alf.ihc.se [194.52.187.254]) by mail.transpac.net (8.7.5/8.7.3) with SMTP id KAA14114 for <firewalls-digest@GreatCircle.COM>; Mon, 5 Aug 1996 10:01:54 +0200 (MET DST)
Received: by alf.ihc.se; (5.65v3.2/1.3/10May95) id AA32240; Mon, 5 Aug 1996 10:04:35 +0200
Message-Id: <9608050803.AA31246@ns.ihc.se>
To: "firewalls-digest@GreatCircle.COM" <firewalls-digest@GreatCircle.COM>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
Date: Mon, 05 Aug 96 10:03:04 -0500
From: "Mattias Lindstr\vm" <mattias.lindstrom@ihc.se>
X-Mailer: E-Mail Connection v2.5.03
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: Mattias Lindström * EMC.Ver #2.5.02 ] --

Bill Stout wrote:

>Subject: Is any O.S. w/IP enabled C2 certified?
>
>As a firewall platform or not, is _any_ O.S. C2 certified when  networking 
(specifically TCP/IP) is turned on?  
>
>I keep mentioning this C2=a-non-networked-NT-box issue when talking  about
NT firewalls (as a response to NT fan(atics) >claiming C2  certification). 
However I am in search of 'truth', and this one issue is beginning to sound
like a non-rational >objection.
>
>Bill Stout

C2 certification specification tells that "networking must be disabled".
Don´t know if that means that you could have network components installed
and disabled or if you can´t have any networking installed what so ever, I
would think the latter but I am not sure.
Hmm. Does the above matter (installed and disabled or not installed) ?
I mean, if you don´t have any networking capabilities, you can´t access the
box. Then you need console access to the box and then your password policy
has more impact than anything else.

Anyway.

To all Windows NT, UNIX and other NOS fan(atic)s, including myself :-),
If you put a box on a network, internet or intranet or just a plain net, you
will not be able to meet the C2 certification standards. 
And, your installation will never be C2 certified if you don´t pay the
certification fee and the certification authority agrees to test the
installation. 

Windows NT:
Windows NT is an OS that is designed to be C2 certified, and it has been
certified, but only in certain configurations. Don´t remember the specifics
but I think that it was a Compaq something with NT 3.51 and SP3, also some
Alpha AXP systems where also certified.
You can certify your own installation but you probably wan´t to stay out of
it. It is expensive!, both in cash and time.  

Unix:
Don´t know for sure (read: think I know but isn´t sure enough to yell about
it here:-)) but there must be vendors that have C2 and B2 certified
installations.

Novell:
I think Novell started a B2 certification whay back, at least a year ago <G>
, but I haven´t heard anything since.

How is it with B2 certification, do you really certify a complete network,
or was the coffie level in my veins to low when I read the specs?

Well, guess that it´s like C2, more commercial and marketing gimmick to be
certified than for real world usage.
I know, some environments really need the certification but the Joe Schmoo
installation doesn´t have thoose requirements.

TTYL,

--
Mattias Lindstrom              
NT and Security Consultant     

This email is for the use of authorized users only. Individuals using this
email without authority, or in excess of their authority, are subject to
having all of their activities monitored and recorded by systempersonnel.


From firewalls-owner  Mon Aug  5 02:22:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA10072 for firewalls-outgoing; Mon, 5 Aug 1996 02:08:03 -0700 (PDT)
Received: from mari.co.uk ([195.92.37.208]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA10001 for <Firewalls@GreatCircle.COM>; Mon, 5 Aug 1996 02:07:36 -0700 (PDT)
Received: by firewall.mari.co.uk id <4359>; Mon, 5 Aug 1996 10:09:36 +0100
From: iea@kronos (Ian.Alder)
Message-Id: <96Aug5.100936bst.4359@firewall.mari.co.uk>
Subject: testing
To: Firewalls@GreatCircle.COM
Date: Fri, 2 Aug 1996 13:51:56 +0100
In-Reply-To: <199608010800.BAA09566@miles.greatcircle.com> from "Firewalls-Digest" at Aug 1, 96 09:00:45 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

i think my email is down. this is just testing

no flames please

From firewalls-owner  Mon Aug  5 05:52:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA19950 for firewalls-outgoing; Mon, 5 Aug 1996 05:42:15 -0700 (PDT)
Received: from dax.sai.com (dax.sai.com [198.137.245.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA19942 for <Firewalls@GreatCircle.COM>; Mon, 5 Aug 1996 05:42:09 -0700 (PDT)
Received: from dax.sai.com by dax.sai.com with smtp
	(Smail3.1.29.1 #2) id m0unOyz-003pN5C; Mon, 5 Aug 96 08:42 EDT
Date: Mon, 5 Aug 1996 08:42:04 -0400 (EDT)
From: Darryl Wagoner <darryl@sai.com>
To: "Ian.Alder" <kronos!iea@uunet.uu.net>
cc: Firewalls@GreatCircle.COM
Subject: Re: testing
In-Reply-To: <96Aug5.100936bst.4359@firewall.mari.co.uk>
Message-ID: <Pine.SUN.3.91.960805084121.23189B-100000@dax.sai.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 2 Aug 1996, Ian.Alder wrote:

> i think my email is down. this is just testing

If you want to test your email then use:

	bouncer@bbnplanet.com

--
Darryl Wagoner		darryl@sai.com   http://www.sai.com/
Office: 603.672.0736   		Fax: 603-672-4846
Beware of self-styled experts: an ex is a has-been, and a spurt is a
drip under pressure.



From firewalls-owner  Mon Aug  5 06:47:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA23503 for firewalls-outgoing; Mon, 5 Aug 1996 06:24:00 -0700 (PDT)
Received: from novell.com (nj-ums.fpk.novell.com [147.2.128.54]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA23467 for <firewalls@greatcircle.com>; Mon, 5 Aug 1996 06:23:50 -0700 (PDT)
Date: Mon, 5 Aug 1996 06:23:50 -0700 (PDT)
From: cjc@novell.com
Message-Id: <199608051323.GAA23467@miles.greatcircle.com>
Received: from INET-NJ-Message_Server by novell.com
	with Novell_GroupWise; Mon, 05 Aug 1996 08:23:54 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From cjc Mon Aug  5 09:20 EDT 1996 remote from fpk
Content-Length: 3835
Message-Id: <s205af9a.043@novell.com>
Date: Mon, 05 Aug 1996 09:20:00 -0400
From: Chris Calabrese  <cjc@novell.com>
To: firewalls@greatcircle.com
Subject: Announcing the "Harden" security hardening package

Announcing the "Harden" security hardening package for UnixWare 2.x and
Solaris 2.x.

Both versions are available from
ftp://ftp.freebird.org/unixware/freebird/internet/systools/harden.

>From the README file:


  This is the distribution of the 'harden' package by Chris
  Calabrese of Novell Information Services and Technology (cjc@novell.com).

  This is a software tool to "harden" a system to be a secure
  Internet/Intranet/Parnter-Net server.


  The software distribution is Copyright (c) 1995, 1996 Novell, Inc.
  All rights reserved.

  Redistribution and use in source and binary forms are permitted
  provided that this entire copyright notice is duplicated in all such
  copies.  No charge, other than an "at-cost" distribution fee, may be
  charged for copies, derivations, or distributions of this material
  without the express written consent of the copyright holder.

  This software is provided "as is" and without any expressed or implied
  warranties, including, without limitation, the implied warranties of
  merchantability and fitness for any particular purpose.


  Before you can load 'harden', you must first load TCP Wrappers version
  6.x or 7.x.  UnixWare folks might also want to load Novell's
  Paranoid FTP Daemon.

  Some cavaets about harden:
	o it only runs on UnixWare 2.x and Solaris 2.x (two different
	  distributions, though)
	o it requires wrappers be installed first
	o it should be installed before you start customizing the machine
	  (since it does nasty things like rewite inetd.conf and hosts.allow)
	o it doesn't handle log watching or log forwarding
	o it doesn't play well with NIS

  What this software does:
	o it has 5 hardening profiles:
		1. Internet Mail Server (Internet DMZ E-mail hub, or UMX)
			- no r-daemons (rsh, rlogin), printing, or backups
			- may have UUCP
			- uses very paranoid ftp if Novell's Paranoid
			  FTP daemon is installed
		2. Internet Information Server (Internet DMZ FTP or WWW server)
			As above but no UUCP and may have backups
		3. Partner-Net (TPN) Server (for a private link to a business
		   partner)
			As above but
			- has r-daemons (rsh, rlogin) and printing
			- has NFS running
		4. Intranet Server
			Same features as 2.
		5. Custom Setup

	o it checks for unrecognized system packages (helps insure
	  minimal system configuration)

	o it removes some unwanted files and chmod's some "overpriveleged"
	  executables.  See the install/preinstall script for the details.

	o it restricts some services using SAF (UnixWare only):
		- removes "tcp" if no uucp
		- removes nvt, and spx (NetWare versions of telnet)


	o it removes unneeded logins:
		- if no uucp, uucp and nuucp
		- always removes sysadm

	o it removes the newsyslog crontab entry from the UnixWare
	  tcpwrappers package (replaced with something better)

	o it modifies the following:
		- /etc/inet/config to start syslogd (UnixWare only)
		- adds the following to /etc/inet/ftpusers:
			adm bin daemon listen lp mail noaccess nobody
			nuucp root smtp sys sysadm uucp

	o it installs the following:
		- appropriatetely constructed mail configuration files
		  (/etc/mail/names and /etc/mail/mailcnfg for UnixWare
		  and /etc/mail/aliases for Solaris).
		- appropriately constructed /etc/motd
		- appropriately constructed /etc/Backup and /etc/Ignore
		  files (UnixWare only)
		- appropriately constructed TCP Wrapper config files
		  (/etc/inet/hosts.allow and /etc/inet/hosts.deny)
		  plus logging/reporting on Wrapper denies.
		- appropriately constructed /etc/inet/inetd.conf
		  and  /etc/inet/syslog.conf files
		- /opt/sbin/make-crontabs, circumvents the crontb -e bug
		  An appropriate crontab is created too.
		- simple /usr/sbin/in.fingerd replacement script

--
Chris Calabrese
Security Architect
Novell Information Services and Technology
cjc@novell.com



From firewalls-owner  Mon Aug  5 07:22:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA28369 for firewalls-outgoing; Mon, 5 Aug 1996 07:20:40 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA28339 for <firewalls-digest@GreatCircle.COM>; Mon, 5 Aug 1996 07:20:30 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id JAA14238; Mon, 5 Aug 1996 09:20:16 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma020718; Mon Aug  5 09:15:18 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA09933; Mon, 5 Aug 1996 09:15:16 -0500
Received: by sonic.nmti.com; id AA13569; Mon, 5 Aug 1996 09:15:15 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608051415.AA13569@sonic.nmti.com.nmti.com>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
To: mattias.lindstrom@ihc.se (Mattias Lindstr_vm)
Date: Mon, 5 Aug 1996 09:15:15 -0500 (CDT)
Cc: firewalls-digest@GreatCircle.COM
In-Reply-To: <9608050803.AA31246@ns.ihc.se> from "Mattias Lindstr\vm" at Aug 5, 96 10:03:04 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
X-Bogus-To: mattias.lindstrom@ihc.se (Mattias Lindstr\vm)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To all Windows NT, UNIX and other NOS fan(atic)s, including myself :-),
> If you put a box on a network, internet or intranet or just a plain net, you
> will not be able to meet the C2 certification standards. 

That is not true. Sorry. All this means is that Microsoft has not had an
NT installation certified with networking enabled. Given the problems with
NT networking, I'm not surprised they decided not to go for the gold ring.

The NT resource kit has a utility that puts your system into the same state
as they had their installtion certified under. I recommend you don't try it
on a system you need to get work done on.


From firewalls-owner  Mon Aug  5 07:38:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29372 for firewalls-outgoing; Mon, 5 Aug 1996 07:31:20 -0700 (PDT)
Received: from cbisinet.cbis.com (cbisinet.cbis.com [206.230.22.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA29350 for <Firewalls-digest@GreatCircle.COM>; Mon, 5 Aug 1996 07:31:10 -0700 (PDT)
Received: from Notes.cbis.com by cbisinet.cbis.com (5.x/SMI-SVR4)
	id AA28117; Mon, 5 Aug 1996 10:31:09 -0400
Received: by Notes.cbis.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.12um) id AA1486; Mon, 05 Aug 96 10:33:32 -0400
Message-Id: <9608051433.AA1486@Notes.cbis.com>
Received: from CBIS with "Lotus Notes Mail Gateway for SMTP" id
  E6672DD0A6E0724E8525637D0043FF08; Mon,  5 Aug 96 10:33:31 
To: Firewalls-digest <Firewalls-digest@GreatCircle.COM>
From: Warren Moore <warren.moore@cbis.com>
Date:  5 Aug 96 10:23:36 
Subject: Find the Hole, please!
X-Importance: High
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks:

As I've stated before, I'm not a networking/UNIX guru...just have to try and 
stay on top of the security holes/issues.

One of our development groups ('SystemX') has this marvelous idea...use a 
dedicated connection between us and an external client to send/receive test 
information to/from an external client.  OK by me, but only if secured.  My 
feeling is that since I have no idea as to how well the client has secured 
their network, this whole thing should be treated just like an Internet 
connection.  Here's their idea (everything between the quotes):

"The following diagram shows a typical 'SystemX' production environment. The 
'SystemX' servers are connected to a class C network that is used only for a 
single 'SystemX' customer. A proxy server box will be connected to the class C 
network segment and to our internal WAN.

*---------------*
|  External     |
|  System       |
*---------------*
        |
        |
*---------------*
|  Customer     |
|  Router       | 
|  222.222.y.z  |
*---------------*
        |
        |
*---------------*
|  Our          |
|  Router       |
*---------------*
        |
        |    Subnet dedicated to single 
        |    Customer
//-------------------------------------------------//
       |                |                |
       |                |                |
*-------------*  *-------------*  *-------------*
| Production  |  | Production  |  | Proxy       |
| 'SystemX'   |  | 'SystemX'   |  | Server      |  
| Server      |  | Server      |  |             |
*-------------*  *-------------*  *-------------*
                                         |
                                         |
                                  *-------------*
                                  | OUR         |
                                  | WAN (111.11)|
                                  *-------------*

The following describes how network traffic flows from our test system to the 
external system through the proxy server:

1. The internal test system opens a TCP connection to a proxy server process 
running on the Proxy Server box.

2. The proxy server process then opens a connection to the external system. The 
IP address and port number of the external system was specified when the proxy 
process was originally started. Multiple proxy server processes can be running 
on the Proxy Server box to handle other external systems.

3. The proxy server will direct all non-company network traffic through the 
class C subnet interface and the customer router will then route the traffic to 
the external system.

4. Network traffic coming back from the external system will return through the 
same route, passing through the proxy server and back to our test system.

Here is an example of how a proxy could be used for an ftp session between our 
box at address 111.11.2.3 and a customer box at 222.222.4.5 using a proxy 
server at address 111.11.7.8:

1. Start the proxy server process specifying 222.222.4.5 for the host address 
and 21 (FTP service) as the host port number and 4021 as the proxy listen port 
(this can be any unique port number above 1024)

2. start ftp on our box specifying 111.11.7.8 as the IP address and 4021 as the 
port number

3. the ftp session communicates directly with the proxy and the proxy will 
forward the messages to and from the 222.222.4.5 host."

OK...outside of IP spoofing, sendmail holes, access to privileged ports, etc., 
what sort of problems do any of you see with this setup?  Would a complete 
firewall between 'us' and 'them' at the proxy server be indicated?  Any and all 
advice would be appreciated.  Unless you think there'd be general interest in 
this, and to keep the signal/noise ratio down, please reply via e-mail rather 
than to the list.

Many Thanks,
---
Warren S. Moore, CISSP
<warren.moore@cbis.com>
Information Security Specialist
Cincinnati Bell Information Systems Inc.

From firewalls-owner  Mon Aug  5 09:08:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07260 for firewalls-outgoing; Mon, 5 Aug 1996 08:54:28 -0700 (PDT)
Received: from psa.pencom.com (psa.pencom.com [204.217.199.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA07253 for <firewalls-digest@GreatCircle.COM>; Mon, 5 Aug 1996 08:54:21 -0700 (PDT)
Received: (from chk@localhost) by psa.pencom.com (Hah!/nope) id KAA15080; Mon, 5 Aug 1996 10:53:48 -0500 (CDT)
Message-Id: <199608051553.KAA15080@psa.pencom.com>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
To: peter@baileynm.com (Peter da Silva)
Date: Mon, 5 Aug 1996 10:53:47 -0500 (CDT)
Cc: mattias.lindstrom@ihc.se, firewalls-digest@GreatCircle.COM
In-Reply-To: <9608051415.AA13569@sonic.nmti.com.nmti.com> from "Peter da Silva" at Aug 5, 96 09:15:15 am
From: chk@psa.pencom.com (Christian Kuhtz)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> > To all Windows NT, UNIX and other NOS fan(atic)s, including myself :-),
> > If you put a box on a network, internet or intranet or just a plain net, you
> > will not be able to meet the C2 certification standards. 
> 
> That is not true. Sorry. All this means is that Microsoft has not had an
> NT installation certified with networking enabled. Given the problems with
> NT networking, I'm not surprised they decided not to go for the gold ring.

Guys, C2 according to the orange book doesn't say jack about networking.
Alright?  Go read it, and lets burn this silly discussion .

In other words, it is completely *irrelevant* whether or not you have a 
network.  Besides the military's idea of a secured network is...
an argon filled pipe in a tripple faraday cage... etc etc.. So, if that's
really what you want to talk about, read the right books and *not* the
orange book which is about host security only.

Chris

--___  ____ __ 
 | _ \/ __/|  \   Christian Kuhtz <chk@psa.pencom.com>
 |  _/\__ \| \ \  Pencom Systems Administration, (512) 343-1111
 |_|  /___/|_|__\ on-site @ National Instruments, Austin, TX
 "Whattaya _MEAN_ you don't have any more pets??!?!?!?!?!!!!!!" - Wayne Schmidt

From firewalls-owner  Mon Aug  5 10:09:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA12453 for firewalls-outgoing; Mon, 5 Aug 1996 09:57:30 -0700 (PDT)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA12440 for <firewalls-digest@GreatCircle.COM>; Mon, 5 Aug 1996 09:57:24 -0700 (PDT)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA29000; Mon, 5 Aug 1996 10:02:57 -0700
Date: Mon, 5 Aug 1996 10:02:57 -0700 (PDT)
From: Leonard Miyata <leonard@geminisecure.com>
To: Christian Kuhtz <chk@psa.pencom.com>
cc: firewalls-digest@GreatCircle.COM
Subject: Re: Is any O.S. w/IP enabled C2 certified?
In-Reply-To: <199608051553.KAA15080@psa.pencom.com>
Message-ID: <Pine.BSD/.3.91.960805095801.28975B-100000@main.geminisecure.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



On Mon, 5 Aug 1996, Christian Kuhtz wrote:

> 
> Guys, C2 according to the orange book doesn't say jack about networking.
> Alright?  Go read it, and lets burn this silly discussion .
> 
Please!, the C2 requirements are in the Red book (TNI) that supplements
the orange book. High security networking has been demonstrated in
the past, as Boing has a certified (GASP!) A1 network.

What needs to be discussed is if the additional expense of a 
certifed network is worth it in the commerical world

Personal opinions provided by
Leonard Miyata
aka leonard@geminisecure.com
GEMIMI COMPUTERS Inc

From firewalls-owner  Mon Aug  5 13:22:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA23386 for firewalls-outgoing; Mon, 5 Aug 1996 13:15:04 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA23361 for <firewalls-digest@greatcircle.com>; Mon, 5 Aug 1996 13:14:53 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
	id AA17698; Mon, 5 Aug 1996 16:14:47 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
	id QAA08710; Mon, 5 Aug 1996 16:13:25 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199608052013.QAA08710@splinter.rtp.dg.com>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
To: chk@psa.pencom.com (Christian Kuhtz)
Date: Mon, 5 Aug 1996 16:13:21 -0400 (EDT)
Cc: peter@baileynm.com, mattias.lindstrom@ihc.se,
        firewalls-digest@greatcircle.com
In-Reply-To: <199608051553.KAA15080@psa.pencom.com> from "Christian Kuhtz" at Aug 5, 96 10:53:47 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> Guys, C2 according to the orange book doesn't say jack about networking.
> Alright?  Go read it, and lets burn this silly discussion .
> 
> In other words, it is completely *irrelevant* whether or not you have a 
> network.  Besides the military's idea of a secured network is...
> an argon filled pipe in a tripple faraday cage... etc etc.. So, if that's
> really what you want to talk about, read the right books and *not* the
> orange book which is about host security only.
> 
> Chris

Unfortunately, the Orange Book (TCSEC) is generally misunderstood, as is
the military's point of view of security (well, those in the military who
care and have a brain - and I have met quite a few of them world-wide).

The TCSEC is **not** limited to host security.  It was created in the late
70's and early 80's, at a time when networking was still relatively
expensive.  In fact, if you look at the TCSEC, you will see quite a bit of
discussion of "export".  Translate this into any transfer of information
out of the system (disk, tape, network, terminal), although terminals have
some special handling.

>From my perspective, the most valuable contribution of the TCSEC is the
concept of assurance.  Security doesn't come from features - it comes from
proper implementation of features.  Any of the readers who have created
software or hardware (or frankly, made about anything) knows the difficulty
involved in completely modeling, designing, implementing, testing,
documenting and maintaining.  And yet if all those steps are not performed
correctely, the product will be of relatively lower quality.

I have one sentence that sums up, from my experience, the TCSEC requirements
for B2 and above.  "TCSEC high assurance is nothing more than good
software engineering."  Whatever the technological advances of the future,
high assurance methodologies can be applied to creating products
incorporating them, so you will have a pretty good diea that the stuff
works out of the box.  This includes networking and databases.  (Remember,
the TNI and TDI interpret the criteria of the TCSEC as they apply to
networking and databases respectively.  They are not a new or extended set
of requirements.)

It should always be kept in mind that the military are operating under very
strict laws and regulations.  I acknowledge that there are some - many many
- in the military (and in education and in computer companies ....) who are
just simply jerks.  But what if you were responsible for setting up a
computer network in your company where if any of the information passing
along the wires were compromised, you would be fired, fined and blackballed
in the industry, and your company would suffer significant losses.  IN THAT
CASE, I bet that you would be pretty proud that you came up with the idea
of a gas filled pipe in which the wires ran so that no one could tap into
your network.

I have had some direct experience with the military regarding
computers.  Area B at Wright-Patterson AFB in the early 80's was filled
with very inovative and far-sighted men and women who, other than their
uniforms and haircuts, could have passed at a member of any advanced
computer technology team in the world.  They were fun and exciting to work
with.  And a little closer to home, my father-in-law, a retired 2-star
general, was responsible for the first major acquisition and use of
computers in the US military - to manage the logistics of the Marshall Plan
in about 1950.  He is one of the finest men I know (and he raised a pretty
nice daughter in the bargin!).

Another common misconception is that the military has braindead rules for
no reason and won't change (I think that I once believed that as well!).
'Tain't so.  The military would like to have commercial off the shelf
commodity items that provided a high assurance environment, where they
didn't have to pay an arm and a leg for the stuff.  Oh yes - they have to
work as well.

Yet ANOTHER common misconception is that military computers are somehow
"special" and different from commercial computers in the threats that they
face.  I don't care if the computer is at Citibank headquarters or the
Pentagon, I will break into it in the same manner (assuming the same
system).  And I would guess that the information at most companies is of
equal value to the companies survival as the military information is to the
survival of the country.  In this day and age, maybe the corporate
information is of greater value in many cases to the survival of the
country.

The government has invested a significant amount of capital in
developing current security technology - all should make use of it.
What doesn't apply doesn't apply.  Correctness of operation, integrity
of data, confidentiality of sensitive (competitive, whatever)
information, availability of information and process - all of these are
vitally important to commercial and non-commercial environments alike.
Do you want you hospital care controlled by a low assurance computer?
Do you want your banking transactions handled by a low assurance
system?  As Home Alone would say, "I don't think so."  :-)  The
conventional wisdom that C2 is good enough for the commercial world is
a laugh - I consider it more dangerous in many cases than havhaving no
security in your OS.  At least in the latter case, you KNOW you have no
security and hopefully take some measures to guard against threats.  If
someone thinks that C2 actually does something effective, then they
might relax their guard, to their own detriment.  The base policy of
NSA, the agency that evaluates computer security technology, will not
let anyone get near a C2 or B1 system unless they already have
clearance for ALL information that exists on the system.  In other
words, they don't trust the system to function properly.

If you are running a C2 system/firewall with some extra features like
ACLs, you can say "Hey! I've got user accounts and passwords and
auditing and access control lists and I'm just fat and happy.  Sure, I
don't know whether or not they work, and they probably don't, and I'm
not protected against the major threats to my systems (viruses and
insiders), but C2 is good enough for me!"  Take that statement with you to
your next job interview after your company suffers a major loss, or someone
alters your web page to include pornographic material or false claims or
whatever.

I guess I'm just a high assurance biggot.

-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********

From firewalls-owner  Mon Aug  5 14:22:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27099 for firewalls-outgoing; Mon, 5 Aug 1996 14:09:07 -0700 (PDT)
Received: from lists (alfalfa.sips.state.nc.us [149.168.11.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA27092 for <firewalls-digest@greatcircle.com>; Mon, 5 Aug 1996 14:09:00 -0700 (PDT)
Received: from everett.pitt.cc.nc.us by lists (SMI-8.6/SMI-SVR4)
	id RAA20153; Mon, 5 Aug 1996 17:01:09 -0400
Received: from EVERETT/SpoolDir by everett.pitt.cc.nc.us (Mercury 1.21);
    5 Aug 96 17:17:56 EST5EDT
Received: from SpoolDir by EVERETT (Mercury 1.30); 5 Aug 96 17:17:39 EST5EDT
From: "Jim Leo" <ADMIN@everett.pitt.cc.nc.us>
Organization:  Pitt Community College
To: spencerj@dg-rtp.dg.com (Jon Spencer), peter@baileynm.com,
        mattias.lindstrom@ihc.se, firewalls-digest@greatcircle.com
Date:          Mon, 5 Aug 1996 17:17:32 EST5EDT
MIME-Version:  1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject:       Re: Is any O.S. w/IP enabled C2 certified?
Reply-to: admin@everett.pitt.cc.nc.us
X-mailer: Pegasus Mail for Windows (v2.01)
Message-ID: <F2BF9D02DF@everett.pitt.cc.nc.us>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On  5 Aug 96 at 16:13, Jon Spencer wrote concerning Re: Is any O.S. 
w/IP enabled C2 cer

snip...

> If you are running a C2 system/firewall with some extra features like
> ACLs, you can say "Hey! I've got user accounts and passwords and
> auditing and access control lists and I'm just fat and happy.  Sure, I
> don't know whether or not they work, and they probably don't, and I'm
> not protected against the major threats to my systems (viruses and
> insiders), but C2 is good enough for me!"  Take that statement with you to
> your next job interview after your company suffers a major loss, or someone
> alters your web page to include pornographic material or false claims or
> whatever.
> 

I think that kind of nailed that down.....

Jim Leo
admin@everett.pitt.cc.nc.us

From firewalls-owner  Mon Aug  5 14:37:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA28238 for firewalls-outgoing; Mon, 5 Aug 1996 14:33:23 -0700 (PDT)
Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA28231 for <firewalls@greatcircle.com>; Mon, 5 Aug 1996 14:33:17 -0700 (PDT)
Received: from Barbara Jaarsma.us.checkpoint.com (barbara-pc) by  us.checkpoint.com (5.x/SMI-SVR4)
	id AA18167; Mon, 5 Aug 1996 14:34:07 -0700
Message-Id: <32066928.1297@us.checkpoint.com>
Date: Mon, 05 Aug 1996 14:35:36 -0700
From: Barbara Jaarsma <barbara@us.checkpoint.com>
Organization: CheckPoint Software Technologies, Inc. Technical Services
X-Mailer: Mozilla 2.0 (Win95; U)
Mime-Version: 1.0
To: Christopher Klaus <cklaus@iss.net>
Cc: firewalls@greatcircle.com
Subject: Re: Info World Firewall Articles
References: <199608021813.OAA25474@phoenix.iss.net>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Christopher -
The following is Checkpoint's official response to your query re: the 
InfoWorld article.  -Barb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Barbara Jaarsma, Sr. Technical Support Engineer - x250    800-429-4391
                                                          415-562-0400
CheckPoint Software Technologies, Inc.            
400 Seaport Court - Suite 105                barbara@us.checkpoint.com
Redwood City, California  95063              http://www.checkpoint.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Dear Check Point Resellers & Customers,

A product comparison of firewall products which included CheckPoint
FireWall-1 appeared in the July 29 issue of InfoWorld magazine.  While
the review was overall highly favorable, it incorrectly stated that
during the system boot process, the system is vulnerable to attack.  We
would like to assure you that this information is inaccurate and that we
reached agreement with InfoWorld to print a correction in next week’s
issue.

During the testing process, the InfoWorld reviews staff did not follow
the company’s recommended boot procedures which are specified on 
pages 16-3 and 16-4 in the in the CheckPoint FireWall-1 user manual.  
When installing the product, the publication’s reviews staff did not 
turn off the IP forwarding function.


Under these circumstances, IP addressing forwards packets before the
system boots.  This occurrence is easily addressable by following the
company’s  recommended boot procedures which are outlined in the 
manual.


The review incorrectly stated that Check Point Software was unaware
that this activity could occur and should have indicated that these 
issues do not arise when users follow the company’s recommended boot 
procedures as stated in the user manual.   This is incorrect as 
evidenced by the fact that the Check Point user manual specifically 
addresses how to avoid security risks during boot procedures.

We are committed to offering you, our business partners and customers, 
the best possible service and product performance.  We will keep you 
aware of any and all issues raised regarding our company or our products 
and we thank you for your continued support of Check Point Software 
Technologies.  If you have any further questions concerning this matter, 
we encourage you to contact us. 
______________________________________________

Jessica Johannes, Public Relations Specialist
CheckPoint Software Technologies
400 Seaport Court, Suite 105
Redwood City, CA 94063
415-562-0400 x 236
jessica@us.checkpoint.com
http://www.checkpoint.com










Christopher Klaus wrote:
> 
> In this weeks InfoWorld, they have done a comparision of many of the commercial
> firewalls.  Might be worthwhile to take a look at if you are going to buy a
> firewall.
> 
> There's also an article in InfoWorld , July 29, 1996 Issue, on Page 79
> with Marcus Ranum & I discussing 'Does scanning for vulnerabilities mean your
> firewall is safe?'
> 
> Thought it might be worth taking a look at if you missed it.
> 
> --
> Christopher William Klaus            Voice: (404)252-7270. Fax: (404)252-2427
> Internet Security Systems, Inc.                        "Internet Scanner finds
> Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328     your network security holes
> Web: http://iss.net/  Email: cklaus@iss.net            before the hackers do."

--

From firewalls-owner  Mon Aug  5 14:52:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA29911 for firewalls-outgoing; Mon, 5 Aug 1996 14:49:00 -0700 (PDT)
Received: from mhhaa.compuserve.com (mhhaa.compuserve.com [149.174.214.155]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA29884 for <firewalls-digest@greatcircle.com>; Mon, 5 Aug 1996 14:48:50 -0700 (PDT)
Received: from notes2.compuserve.com ([149.174.221.56]) by mhhaa.compuserve.com (8.7.3/8.6.12) with SMTP id RAA24729.; Mon, 5 Aug 1996 17:48:50 -0400 (EDT)
Received: by notes2.compuserve.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.0)
	  id AA2918; Mon, 05 Aug 96 17:48:48 -0400
Message-Id: <9608052148.AA2918@notes2.compuserve.com>
Received: by External Gateway (Lotus Notes Mail Gateway for SMTP V1.1) id
  0FE62F0BA11700008625637D006824B1; Mon,  5 Aug 96 17:48:48 
To: firewalls-digest <firewalls-digest@greatcircle.com>
From: "anthony.sabaj" <anthony.sabaj@awo.com>
Date:  5 Aug 96 16:23:25 
Subject: Logs -Backup Part II
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At the beginning of the month I posted a messages about what people are doing 
with their logs.  Thanks to everybody who responded.  A lot of people asked me 
to post a summary of the responses so here it goes: 

Most people kept the logs locally until the file system was near capacity and 
did one of the following:
 Burned them on a CD
 Moved them to DAT
 Moved them to floppies
 Stored them on a remote machine.

About half of the people kept the removable media and stored them forever. The 
other half used some cycle to backup (1 month, 6 months, a year ...) and then 
wrote over the old backups.

One person said the they just wipe out their logs every once and a while, I 
hope he was kidding, but you never know.

I have decided to start burning them to CD,  does any body have any good/bad 
experience with write-able CDs (WORM).
Tony

From firewalls-owner  Mon Aug  5 16:22:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA07799 for firewalls-outgoing; Mon, 5 Aug 1996 16:17:37 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA07781 for <firewalls@greatcircle.com>; Mon, 5 Aug 1996 16:17:30 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0R3HM005 Mon, 05 Aug 96 19:17:18 
Message-ID: <9608051917.0R3HM00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Mon, 05 Aug 96 19:17:18 
Subject: Syns against web
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


This afternoon three of us were watching a d00d have a go at a web server
He was spoofing IP and using stolen account information of a diplomat
No problem there   Damn near impossible to trace

But he was also constantly hitting a large web server with SYN packets on
every port that he could reach   After about 15 minutes the web server
crashed   I thought SYNs were used against routers and gateways   What was
this intrepid exlorer trying to do?
                                              PoT_LiCkEr

-=           mead tastes great but really gets you popping              =-
-= Ye Olden Days must more accurately have been Ye Fraygrant Olden Days =-

From firewalls-owner  Mon Aug  5 16:40:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA07363 for firewalls-outgoing; Mon, 5 Aug 1996 16:08:14 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA07356 for <firewalls@greatcircle.com>; Mon, 5 Aug 1996 16:08:06 -0700 (PDT)
Received:  from unknown by typhoon.dial.pipex.net (8.7.5/)
	id AAA17094; Tue, 6 Aug 1996 00:08:11 +0100 (BST)
Message-ID: <MAPI.Id.0016.00713530202020203836314330303036@MAPI.to.RFC822>
In-Reply-To: <199608052013.QAA08710@splinter.rtp.dg.com>
References: Conversation <199608051553.KAA15080@psa.pencom.com> with last message <199608052013.QAA08710@splinter.rtp.dg.com>
To: Firewall List <firewalls@GreatCircle.COM>
MIME-Version: 1.0
From: Ian Johnstone-Bryden <ianj-b@dial.pipex.com>
Subject: Re: Is any O.S. w/IP enabled C2 certified?
Date: Tue, 06 Aug 96 00:03:44 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jon made some sound points and ended:
> I guess I'm just a high assurance biggot.
> 

Well its politically correct to demure to the most vocal lobby even if 
they are wrong.

The fact is that most people are just discovering computer security and 
its a strange world with a new language and that nice Mr Gates comes along 
and says 'Hey you're right and I just discovered it also - so trust me and 
keep buying Microsoft, and p.s we would get round to fixing the bugs in 
DOS 2.4 but theres no demand for it'. (that may be a small misquote - I 
think Bill said that no significant customers expressed less than total 
satisfaction in Microsoft products. Or maybe it was No significant numbers 
of users, or something like that - I'm sure someone knows the answer and 
will post it)

Then theres folk who have been working on IT security for 20 years and 
more and they have a different view of life. Theyve been there before and 
theyve seen others get burned - and sometimes got burned themselves.

TCSEC started out as much a procurement methodology as a security 
criteria. Most vendors werent really interested and most commercial users 
never heard about it.

Today we cant avoid security but most CFOs dont want to pay the bill. 
Thats fine and they have no trouble finding a scapegoat in MIS when they 
do get burned.

There is an assumption that the military have unique requirements - THEY 
DONT REALLY. Their problems are much the same as anyone else. The language 
is different, but no more different than petro chemicals as against 
commodity brokers. They have purchasing departments that can be a real 
pain and they have budget problems too. The $800 hammer has happened but 
then commercial corporations make stupid mistakes - they just hide them 
better. The main difference is that the military and other parts of 
governments have to meet certain security requirements in a formal way and 
that sometimes means that the bean counters cant refuse to hand over the 
money.

C2 is fine if thats all your risk policy requires. No firewall is fine if 
thats in the risk requirements. OTOH if you want to counter external and 
internal threats you need something very much better. Buying certified 
product may not be as much fun as taking Solaris or something and second 
guessing the authors, stripping out bits that dont seem to do much and 
hoping you didnt take out anything vital. Then there are some people of 
course who have read a book and know they can do better than anyone else. 
It takes all sorts to make a world.
Ian J-B.

From firewalls-owner  Mon Aug  5 23:01:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA28368 for firewalls-outgoing; Mon, 5 Aug 1996 22:49:58 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id WAA28351 for firewalls@greatcircle.com; Mon, 5 Aug 1996 22:49:53 -0700 (PDT)
Received: from ns1.pupr.edu (ns1.pupr.edu [199.75.236.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA23621 for <Firewalls@GreatCircle.COM>; Sat, 3 Aug 1996 10:34:54 -0700 (PDT)
Received: (from linux@localhost) by ns1.pupr.edu (8.6.12/8.6.9) id NAA29107; Sat, 3 Aug 1996 13:39:36 -0400
Date: Sat, 3 Aug 1996 13:39:36 -0400 (GMT-0400)
From: Linux Mailing List <linux@ns1.pupr.edu>
To: Firewalls@GreatCircle.COM
Subject: Help! IPFADM
Message-ID: <Pine.LNX.3.91.960803133421.26662A-100000@ns1.pupr.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all!

How can I use ipfadm with netmask 255.255.255.192?

Where can I find detailed documentation on ipfadm?

Thanks in advanced...




From firewalls-owner  Tue Aug  6 00:49:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA04579 for firewalls-outgoing; Tue, 6 Aug 1996 00:05:48 -0700 (PDT)
Received: from uvt.utc.sk (uvt.utc.sk [158.193.48.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA04529 for <firewalls-digest@greatcircle.com>; Tue, 6 Aug 1996 00:04:56 -0700 (PDT)
From: "<"<@varias.utc.sk:gil@varias.sk>
Message-Id: <199608060704.AAA04529@miles.greatcircle.com>
Date: Tue, 6 Aug 96 09:03 EDT
To: firewalls-digest@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From uucp Tue Aug  6 08:49 GMT 1996 remote from varias
>From gil Mon Aug  5 15:20:13 + 1996 remote from varias.sk
Received: from varias by uvt.utc.sk; Tue,  6 Aug 1996 09:03 EDT
Received: from varias.sk by varias.varias.sk; Tue,  6 Aug 1996 08:49 GMT
Received: by client.varias.sk with Microsoft Mail
	id <01BB82E1.9A83C500@client.varias.sk>; Mon, 5 Aug 1996 15:20:15 +-200
Message-ID: <01BB82E1.9A83C500@client.varias.sk>
From: Gil Arumi <gil@varias.sk>
To: 'Firewall-digest Mailing list' <firewalls-digest@greatcircle.com@uvt>
Subject: 
Date: Mon, 5 Aug 1996 15:20:13 +-200
Return-Receipt-To: <gil@varias.sk>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Content-Length: 326

subscribe firewalls-digest

-------------------------------------------------
Gil Arumi               e-mail: gil@casal.upc.es
(Catalonia)                     gil@varias.sk                    
currently working for:  http://casal.upc.es/~gil/          
VARIAS a.s (Slovakia)
-------------------------------------------------


From firewalls-owner  Tue Aug  6 04:10:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA22258 for firewalls-outgoing; Tue, 6 Aug 1996 04:04:16 -0700 (PDT)
Received: from mail1.mnsinc.com (mail1.mnsinc.com [206.55.3.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA22248 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 04:04:06 -0700 (PDT)
From: rwm@mnsinc.com
Received: from wpd.serc.saic.com (rwm.mnsinc.com [206.239.128.170]) by mail1.mnsinc.com (8.6.5/8.7.1) with SMTP id HAA18024 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 07:02:59 -0400
Message-Id: <199608061102.HAA18024@mail1.mnsinc.com>
Comments: Authenticated sender is <rwm@mailhost.mnsinc.com>
To: firewalls@greatcircle.com
Date: Tue, 6 Aug 1996 07:02:28 +0000
Subject: Interlock Firewall
X-mailer: Pegasus Mail for Win32 (v2.41)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are about to install an Interlock firewall where I work.  I would 
like to get smart on Interlock firewalls.  Does anyone know of any 
good sources of information, to include confirguration, problems and 
vulnerabilities.  I would appreciate any information you can provide.

Thanks,
RWM


From firewalls-owner  Tue Aug  6 06:38:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA29420 for firewalls-outgoing; Tue, 6 Aug 1996 06:28:16 -0700 (PDT)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA29413 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 06:28:09 -0700 (PDT)
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.5/8.6.4) with ESMTP id IAA11077; Tue, 6 Aug 1996 08:28:10 -0500 (CDT)
From: Doug Hughes <Doug.Hughes@Eng.Auburn.EDU>
Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id IAA00934; Tue, 6 Aug 1996 08:28:09 -0500
Date: Tue, 6 Aug 1996 08:28:09 -0500
Subject: Re: Syns against web 
To: potlicker@morebbs.com
Cc: firewalls@greatcircle.com
Message-Id: <doug-960806082809.A03852@netman.eng.auburn.edu>
X-Mailer: TkMail 4.0beta6
In-Reply-To: <9608051917.0R3HM00@morebbs.com> 
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>This afternoon three of us were watching a d00d have a go at a web server
>He was spoofing IP and using stolen account information of a diplomat
>No problem there   Damn near impossible to trace
>
>But he was also constantly hitting a large web server with SYN packets on
>every port that he could reach   After about 15 minutes the web server
>crashed   I thought SYNs were used against routers and gateways   What was
>this intrepid exlorer trying to do?


Sounds to me like a probe to see what services the server was running.
SYNS are immune to detection from most host-based probe detectors
(like klaxon, tcp_wrappers, anything running out of inetd)

We supplement the host-based probe detectors with network based probe
detectors that detect SYN packets to unused service ports. Several
tools are available that do this. Courtney, tocsin, and I believe gabriel
does this too. (Some people just use tcpdump)

--
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			doug@eng.auburn.edu



From firewalls-owner  Tue Aug  6 07:12:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA01502 for firewalls-outgoing; Tue, 6 Aug 1996 07:04:38 -0700 (PDT)
Received: from newfed.FRB.GOV (newfed.frb.gov [198.3.221.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA01493 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 07:04:31 -0700 (PDT)
Received: from FRB.GOV by newfed.FRB.GOV (4.1/SMI-4.0)
	id AA06145; Tue, 6 Aug 96 10:05:00 EDT
Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0)
	id AA00968; Tue, 6 Aug 96 10:04:16 EDT
Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.6.12/8.6.12) with SMTP id KAA22980; Tue, 6 Aug 1996 10:02:07 -0400
Message-Id: <199608061402.KAA22980@kryten.frb.gov>
X-Authentication-Warning: kryten.frb.gov: Host localhost.frb.gov didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: potlicker@morebbs.com
Cc: firewalls@greatcircle.com
Subject: Re: Syns against web 
In-Reply-To: Your message of "Mon, 05 Aug 1996 19:17:18."
             <9608051917.0R3HM00@morebbs.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 06 Aug 1996 10:02:06 -0400
From: "Jonathan M. Bresler" <jmb@FRB.GOV>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>
>This afternoon three of us were watching a d00d have a go at a web server
>He was spoofing IP and using stolen account information of a diplomat
>No problem there   Damn near impossible to trace
>
>But he was also constantly hitting a large web server with SYN packets on
>every port that he could reach   After about 15 minutes the web server
>crashed   I thought SYNs were used against routers and gateways   What was
>this intrepid exlorer trying to do?

	read stevens tcp/ip illustrated vol 3 chap 14, the section about
the SYN_RCVD bug.  the first SYN creates a "proto" connection and sets the
tcp control block timer to 75 seconds (TCPTV_KEEP_IDLE). the second
SYN (without ACK) set the timer to 2 hours (tcp_keepidle)--even though the 
connection has *not* been established.

	hammering the server with SYN's (2 per association <server ip>,
<server port>, <client ip>, <client port>) slowly chews thru memory. ;(
the code is in tcp_input.c

        /*              
         * Segment received on connection.
         * Reset idle time and keep-alive timer.
         */     
        tp->t_idle = 0;
        tp->t_timer[TCPT_KEEP] = tcp_keepidle;      <--------

	should be qualified with "if ( tp->t_state == TCPS_ESTABLISHED )"
	or at least "if ( tp->t_state != TCPS_SYN_RECEIVED )"
	WARNING: i have not tested this throughly enough to allay my
		paranoia ;)
                     
jmb

-- 
Jonathan M. Bresler             202-452-2831                 breslerj@frb.gov
MS-169          Federal Reserve Board of Governors        Washington DC 20551
Speaking for myself.  Others speak for the Federal Reserve Board of Governors



From firewalls-owner  Tue Aug  6 07:42:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA04159 for firewalls-outgoing; Tue, 6 Aug 1996 07:28:58 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA04143 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 07:28:48 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id QAA24969; Tue, 6 Aug 1996 16:28:45 +0200 (MET DST)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
	id xma024967; Tue, 6 Aug 96 16:28:32 +0200
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr (4.1/SMI-4.1)
	id AA01227; Tue, 6 Aug 96 16:22:18 +0200
Message-Id: <32075597.20EF@apogee-com.fr>
Date: Tue, 06 Aug 1996 16:24:23 +0200
From: Jean-Francois Zwobada <zwobada@apogee-com.fr>
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02 (Win95; I)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: Syns against web 
References: <doug-960806082809.A03852@netman.eng.auburn.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Tell me if I am wrong, but I saw somewhere that some TCP/IP stacks
were buggy and would explode when receiving SYN packets at a
sufficient high rate.

Probing do not need several SYN packet per port.

Some inetd daemons close a port when SYN packets are coming too
fast.

Jean-Francois
-- 
______________________ Jean-Francois Zwobada ____________________

Apogee Communications              Tel    : +33 (1) 69 85 56 47
Parc Club Orsay Universite         Fax    : +33 (1) 69 85 56 48
28, rue Jean Rostand
91893 ORSAY Cedex                  e-mail : zwobada@apogee-com.fr
__________________________________________________________________

From firewalls-owner  Tue Aug  6 08:30:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07831 for firewalls-outgoing; Tue, 6 Aug 1996 08:13:32 -0700 (PDT)
Received: from answerman.mindspring.com (answerman.mindspring.com [204.180.128.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA07778 for <firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 08:13:15 -0700 (PDT)
Received: from borg.mindspring.com (borg.mindspring.com [204.180.128.14]) by answerman.mindspring.com (8.6.12/8.6.12) with ESMTP id LAA10240 for <firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 11:13:01 -0400
Received: from assassin.mindspring (user-168-121-49-186.dialup.mindspring.com [168.121.49.186]) by borg.mindspring.com (8.6.12/8.6.12) with ESMTP id LAA10895 for <firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 11:12:56 -0400
Message-Id: <199608061512.LAA10895@borg.mindspring.com>
From: "Justin Rossetti" <assassin@mindspring.com>
To: <firewalls@GreatCircle.COM>
Date: Tue, 6 Aug 1996 11:12:46 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1136
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are about to start using NeXT at my office.  I would 
like to get smart on NeXT firewalls.  Does anyone know of any 
good sources of information, to include confirguration, problems and 
vulnerabilities.  I would appreciate any information you can provide.


Justin

From firewalls-owner  Tue Aug  6 08:55:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10181 for firewalls-outgoing; Tue, 6 Aug 1996 08:46:56 -0700 (PDT)
Received: from husc.harvard.edu (husc.harvard.edu [140.247.30.45]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA10151 for <Firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 08:46:45 -0700 (PDT)
Received: from husc7.harvard.edu by husc.harvard.edu with ESMTP id LAA04310; Tue, 6 Aug 1996 11:47:05 -0400 (EDT)
Received: from localhost by husc7.harvard.edu with SMTPid LAA20629; Tue, 6 Aug 1996 11:46:46 -0400
Date: Tue, 6 Aug 1996 11:46:45 -0400 (EDT)
From: Jason Chen <jechen@husc.harvard.edu>
X-Sender: jechen@husc7.harvard.edu
To: Firewalls@GreatCircle.COM
Subject: transparancy: what exactly does it entail?
In-Reply-To: <199608030800.BAA25004@miles.greatcircle.com>
Message-ID: <Pine.ULT.3.95.960806114402.20390A-100000@husc7.harvard.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I've been doing some research on firewalls, and was curious as to what it
exactly means.  Does a fully transparant firewall mean that you don't need
to enter any passwords, like a basic packet filter?  Does a non
transparant firewall mean that every action will take a longer time, or is
transparancy simply an effect that a user will feel?

Thanks in advance.

Jason


From firewalls-owner  Tue Aug  6 09:58:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA15870 for firewalls-outgoing; Tue, 6 Aug 1996 09:48:34 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA15863 for <Firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 09:48:28 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0)
	with ESMTP id MAA15675; Tue, 6 Aug 1996 12:48:27 -0400 (EDT) sender long-morrow@CS.YALE.EDU for 
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0)
	id MAA17222; Tue, 6 Aug 1996 12:48:25 -0400 (EDT)
Date: Tue, 6 Aug 1996 12:48:25 -0400 (EDT)
Message-Id: <199608061648.MAA17222@SPARKY.CF.CS.YALE.EDU>
To: Firewalls@GreatCircle.COM, jechen@husc.harvard.edu
Subject: Re:  transparancy: what exactly does it entail?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>I've been doing some research on firewalls, and was curious as to what it
>exactly means.  Does a fully transparant firewall mean that you don't need
>to enter any passwords, like a basic packet filter?  Does a non
>transparant firewall mean that every action will take a longer time, or is
>transparancy simply an effect that a user will feel?

Generally transparency means that the user doesn't notice anything
different (when using an Internet application) as a result of accessing
the Internet from behind a firewall than they would if there was no
firewall.

This means usually that there is no 'modified procedure' or manual
steps that the user has to take in order to use Internet clients
obtained from the Net (or shrink-wrapped from the local computer
store).

There are now 'transparent proxies' supplied in some new commercial
firewalls which handle data (both incoming and outgoing) at the
application layer via application-specific and aware gateway code, but
neither the client user nor machine is aware that an app level proxy is
actually handling (and in many cases modifying and rewriting data) the
TCP socket connections used -- they think that the firewall is just an
IP router to which they route their IP datagrams.

More subject to debate however is whether you can consider to be 'transparent':

	o	administrator configured (via network admin kits)
		Web browser set to use proxy caching HTTP servers.

	o	installing and configuring the Microsoft Catapult
		RWS (Remote Windows Sockets) or a 'Socks' shim on
		top of client PC's winsock.dll

They are not usually considered to be 'transparent', because though
they are transparent to the user they are not transparent to the
application or machine.

- Morrow


From firewalls-owner  Tue Aug  6 10:38:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA18328 for firewalls-outgoing; Tue, 6 Aug 1996 10:25:00 -0700 (PDT)
Received: from uu.psi.com (uu.psi.com [136.161.128.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA18281 for <firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 10:24:47 -0700 (PDT)
Received: from flash.UUCP by uu.psi.com (5.65b/4.0.061193-PSI/PSINet) via UUCP;
        id AA29270 for ; Tue, 6 Aug 96 13:17:37 -0400
Received: from hermes by sgc.com (4.1/SMI-4.1)
	id AA01250; Tue, 6 Aug 96 12:56:36 EDT
Received: from loulou.sgc.com by hermes (4.1/SMI-4.1)
	id AA23036; Tue, 6 Aug 96 13:01:57 EDT
From: beatrice@hermes.sgc.com (Beatrice Mukantabana)
Message-Id: <9608061701.AA23036@hermes>
Subject: authentication software
To: firewalls@GreatCircle.COM
Date: Tue, 6 Aug 96 13:01:55 EDT
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

 Hi,

 I am looking for an advanced authentication software to use on a modelpool server
to protect dial-in logins (something like a modempool firewall).

The modempoll server is a  SUN machine running SunOS.

Thanks for your help.


Beatrice


From firewalls-owner  Tue Aug  6 10:52:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA19672 for firewalls-outgoing; Tue, 6 Aug 1996 10:39:00 -0700 (PDT)
Received: from bmv.com.mx (mail.bmv.com.mx [200.13.112.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA19653 for <Firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 10:38:49 -0700 (PDT)
Received: by firewall.bmv.com.mx id <14977>; Tue, 6 Aug 1996 12:35:43 -0600
Date: Tue, 6 Aug 1996 09:40:27 -0600
From: Hector Casavantes <hcasav@bmv.com.mx>
X-Mailer: Mozilla 2.02 (X11; I; HP-UX B.10.01 9000/819)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Multiple Protected Networks
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <96Aug6.123543cst.14977@firewall.bmv.com.mx>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Hello Firewallers

I have more than 30 Different Networks (Clients) connected to a principal backone. 
At this moment only this backbone is protected by a bastion firewall against the internet.
It is connected between a little router and my swicth.

But, my clients are needing to connect to internet by themselves and i feel unsafe about 
that because they connect directly to my router. I can buy another firewall and put it
between my big router and the principal backbone switch (with FDDI interfaces) but I think
this is a expensive solution.

Borderware doesn't permit more than 3 network interfaces, but other products let it.
What firewall product do you recommend me to handle all security for my networks in only
one hardware module?

Maybe someone have the same configuration, thanks for your help...

Hector Casavantes

From firewalls-owner  Tue Aug  6 11:43:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25134 for firewalls-outgoing; Tue, 6 Aug 1996 11:26:00 -0700 (PDT)
Received: from lafsun. (lafsun.lafayette.edu [139.147.8.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA25092 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 11:25:48 -0700 (PDT)
Received: from localhost by lafsun. (SMI-8.6/SMI-SVR4)
	id OAA01596; Tue, 6 Aug 1996 14:22:30 -0400
Date: Tue, 6 Aug 1996 14:22:29 -0400 (EDT)
From: John Mulligan <mulligan@lafsun.lafayette.edu>
To: firewalls@greatcircle.com
Subject: Mode 666 files... executable?
Message-ID: <Pine.SOL.3.93.960806141909.1593A-100000@lafsun.lafayette.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


If software creates mode 666 files (read and write by all) and owned by
root, is it possible for a third party to edit the file (provided it is
text) and do a `sh <filename>` to run it as root?  I know it is possible
to edit it and run it, but it runs setuid to the third party user, not
root.

Remeber that files do not need the -x- in the permissions to be executable
as scripts.

Any comments?

 

John P. Mulligan <mulligaj@lafayette.edu>
PGP Public Key available at http://www.lafayette.edu/~mulligaj
Excitement. Adventure. A Jedi craves not these things. 
                                     -- Silent Bob



From firewalls-owner  Tue Aug  6 11:46:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25709 for firewalls-outgoing; Tue, 6 Aug 1996 11:30:03 -0700 (PDT)
Received: from interlock.mgh.com (interlock.mgh.com [152.159.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA25688 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 11:29:56 -0700 (PDT)
From: arager@mcgraw-hill.com
Received: by interlock.mgh.com id AA08427
  (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com);
  Tue, 6 Aug 1996 14:29:54 -0400
Message-Id: <199608061829.AA08427@interlock.mgh.com>
Received: by interlock.mgh.com (Protected-side Proxy Mail Agent-1);
  Tue, 6 Aug 1996 14:29:54 -0400
Date: Tue, 06 Aug 96 11:52:05 edt
To: firewalls@greatcircle.com
Subject: NT 3.51 FTP authentication bug
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

     Hello All,
     
     Here is a bug I found in the NT 3.51 FTP server......I would be 
     careful with the FTP server.  
     
     It seems that the FTP Server user authentication does not follow the 
     same rules as other NT user authentications...If you have have 
     intruder detection set for your system, the FTP server seems to ignore 
     it.  Try this:
     
     1. With the NT User Manager tool enable intruder detection and set 
     your intruder detection to 3 trys, with a really long lockout period.
     2. Pick a userid (administrator will do -- just remember that you are 
     going to lock this account out for a while!) and try to log into FTP 
     with invalid passwords at least 4-5 times
     4. Check the userid with the User Manager tool.....it should be locked 
     out.
     3. Try an FTP logon again with the correct password....and it will let 
     you in....even though the User Manager tool says it's locked out!!!
     
     (I tested this in NT3.51 workstation -- will try 4.0b next to see if 
     it was fixed)
     
     
     I would be careful with the NT FTP server ---  No lockout means 
     someone can try as many times as they like to break your passwords. I 
     wonder what else is broken???
     
     This was mentioned a few days ago, but also keep in mind that NT uses 
     the local user database for authentication, so will allow the 'Guest' 
     user to log-in even if you have FTP guest access disabled (two 
     different guest users with very different access rights.) -- By 
     default NT creates a 'Guest' user, and does not assign a password!  
     The default NT 'Guest' user will get almost full filesystem 
     rights....This means no CHROOT from FTP!  I recommend disabling the NT 
     'Guest' account..or least assigning it a good password and limiting 
     filesystem access. (remember....no intruder detection & stupid 
     password=easy find with password scanner, and they can delete most of 
     your hard-drive with the default permissions!)
     
     
     Like someone said -- C2 is meaningless on a network!
     
     
     All for now,
     
     Anton Rager
     arager@McGraw-Hill.com


From firewalls-owner  Tue Aug  6 12:08:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA27386 for firewalls-outgoing; Tue, 6 Aug 1996 11:53:16 -0700 (PDT)
Received: from apu.connectix.com (apu.connectix.com [204.247.159.242]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA27324 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 11:53:05 -0700 (PDT)
Received: from [204.118.199.198] (snowball.connectix.com [204.118.199.198]) by apu.connectix.com (8.7.5/8.6.9) with SMTP id LAA25483 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 11:53:20 -0700
Date: Tue, 6 Aug 1996 11:53:20 -0700
Message-Id: <199608061853.LAA25483@apu.connectix.com>
Subject: Solaris 2.5 ports > 32000?
From: Rob Sansom <sansom@connectix.com>
To: <firewalls@greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

After a quick scan of a Sol 2.5 server, I noticed these ports responding

Port 32771 opened.
Port 32772 opened.
Port 32773 opened.
Port 32774 opened.


Anyone know what they are (they are not listed in /etc/services) ??

Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com


From firewalls-owner  Tue Aug  6 12:23:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA27587 for firewalls-outgoing; Tue, 6 Aug 1996 11:56:43 -0700 (PDT)
Received: from relay.rv.tis.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA27558 for <Firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 11:56:22 -0700 (PDT)
Received: by relay.rv.tis.com; id PAA12490; Tue, 6 Aug 1996 15:15:41 -0400
Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1.1)
	id xma012486; Tue, 6 Aug 96 15:15:11 -0400
Received: from freds.trusted.com by hilo.trusted.com with SMTP
	(1.37.109.4/16.2) id AA00916; Tue, 6 Aug 96 14:57:35 -0400
Date: Tue, 6 Aug 96 14:57:35 -0400
Message-Id: <2.2.16.19960806145425.5307b8ca@pop.trusted.com>
X-Sender: avolio@pop.trusted.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Jason Chen <jechen@husc.harvard.edu>, Firewalls@GreatCircle.COM
From: Frederick M Avolio <avolio@tis.com>
Subject: Re: transparancy: what exactly does it entail?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:46 AM 8/6/96 -0400, Jason Chen wrote:
>Hi,
>
>I've been doing some research on firewalls, and was curious as to what it
>exactly means.  

Transparency usually means that from one side of the firewall to another, as
long as a user doesn't try to do something the firewall specifically blocks,
the user can issue commands just as if he or she is directly connected to
the other side of the firewall (for example connecting from a private
network to the Internet).  This should, I think, imply no changes to client
software also.

Everything in brackets [] is my opinion:

Some people achieve transparency by using dynamic IP filters. By its very
nature, this sort of firewall is transparent, [although some would argue --
including me -- at the cost of security].  Others put filters on an
application gateway firewall. [I'd also argue that security is a strong as
the weakest link, in this case filtering.]  Others provide transparency with
SOCKS, basically a circuit gateway, requiring modifications to the client
software. [If you have to make people run certain versions of applications
rather than others, it is not transparent.] Our firewall (Gauntlet) has
transparency without loss of security. In all cases, application gateway
software (proxies) are invoked.  The firewall is set up to grab connections
meant for the outside of the firewall and invoke the proper proxy software
on the behalf of the inside user.

In a proxy-based firewall, without transparency (FWTK is an example) the
user has to connect to the firewall proxy software and tell it where it
wants to go. 

Fred


---
(voice) +1 301-947-7101; (fax) +1 301-527-0482, 
TIS, 15204 Omega Drive, Rockville, MD 20850


From firewalls-owner  Tue Aug  6 12:44:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA01124 for firewalls-outgoing; Tue, 6 Aug 1996 12:27:21 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA01117 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 12:27:13 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0)
	with ESMTP id PAA07824; Tue, 6 Aug 1996 15:27:12 -0400 (EDT) sender long-morrow@CS.YALE.EDU for 
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0)
	id PAA17604; Tue, 6 Aug 1996 15:27:10 -0400 (EDT)
Date: Tue, 6 Aug 1996 15:27:10 -0400 (EDT)
Message-Id: <199608061927.PAA17604@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, sansom@connectix.com
Subject: Re:  Solaris 2.5 ports > 32000?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


sansom@connectix.com wrote:
>After a quick scan of a Sol 2.5 server, I noticed these ports responding
>
>Port 32771 opened.
>Port 32772 opened.
>Port 32773 opened.
>Port 32774 opened.
>
>
>Anyone know what they are (they are not listed in /etc/services) ??

They are most likely SunRPC (aka ONC+ RPC) services.  I'd bet
that one of the above is ypbind, another is the status service,
another rquotad, rusersd, mountd, etc.

Do an 'rpcinfo -p hostname' against the host to see what RPC
services are registered and advertised for those ports:

(4)% rpcinfo -p foobar
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100007    3   udp  32774  ypbind
    100007    2   udp  32774  ypbind
    100007    1   udp  32774  ypbind
    100007    3   tcp  32771  ypbind
    100007    2   tcp  32771  ypbind
    100007    1   tcp  32771  ypbind
    100024    1   udp  32779  status
    100024    1   tcp  32772  status
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100232   10   udp  32783  sadmind
    100011    1   udp  32786  rquotad
    100002    2   udp  32789  rusersd
    100002    3   udp  32789  rusersd
    100002    2   tcp  32779  rusersd
    100002    3   tcp  32779  rusersd
    100012    1   udp  32797  sprayd
    100008    1   udp  32805  walld
    100001    2   udp  32812  rstatd
    100001    3   udp  32812  rstatd
    100001    4   udp  32812  rstatd
    100068    2   udp  32826
    100068    3   udp  32826
    100068    4   udp  32826
    100083    1   tcp  32790
    100221    1   tcp  32792
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100005    1   udp  32905  mountd
    100227    3   udp   2049  nfs_acl
    100005    2   udp  32905  mountd
    100005    3   udp  32905  mountd
    100005    1   tcp  32795  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100005    2   tcp  32795  mountd
    100005    3   tcp  32795  mountd
(5)% 


---------------
H. Morrow Long, Mgr of Dev., Yale Univ., Comp Sci Dept, 011 AKW, New Haven, CT
06520-8285,	VOICE:	(203)-432-{1248,1254}		FAX:	(203)-432-0593
INET: Long-Morrow@CS.Yale.EDU UUCP: yale!Long-Morrow BITNET: Long-Morrow@YaleCS
WWW:	http://www.cs.yale.edu/users/long-morrow.html


From firewalls-owner  Tue Aug  6 12:52:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA02908 for firewalls-outgoing; Tue, 6 Aug 1996 12:39:06 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA02797 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 12:38:33 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0unrwK-000LCpC>; Tue, 6 Aug 96 21:37 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0unrwJ-001l5jC>; Tue, 6 Aug 96 21:37 MET DST
Received: by lina
	id m0unrsv-0004jSC
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Tue, 6 Aug 96 21:33 MET DST
Message-Id: <m0unrsv-0004jSC@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Syns against web
To: zwobada@apogee-com.fr (Jean-Francois Zwobada)
Date: Tue, 6 Aug 1996 21:33:44 +0200 (MET DST)
Cc: firewalls@greatcircle.com
In-Reply-To: <32075597.20EF@apogee-com.fr> from "Jean-Francois Zwobada" at Aug 6, 96 04:24:23 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

> Some inetd daemons close a port when SYN packets are coming too
> fast.
Most Unix Implementations will fill the listen() backlog with waiting
connections and make all the ports of the ystem unuseable. This is usually
used to shut off a well known server to replace it with a fake.

Greetings
Bernd

From firewalls-owner  Tue Aug  6 13:08:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA02006 for firewalls-outgoing; Tue, 6 Aug 1996 12:33:26 -0700 (PDT)
Received: from merle.acns.nwu.edu (merle.acns.nwu.edu [129.105.16.57]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA01942 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 12:33:09 -0700 (PDT)
Received: from localhost by merle.acns.nwu.edu with SMTP
	(1.40.112.4/16.2) id AA244530031; Tue, 6 Aug 1996 14:33:51 -0500
Date: Tue, 6 Aug 1996 14:33:51 -0500 (CDT)
From: Brian Hatch <bri@ifokr.org>
X-Sender: bri@merle.acns.nwu.edu
To: John Mulligan <mulligan@lafsun.lafayette.edu>
Cc: firewalls@greatcircle.com
Subject: Re: Mode 666 files... executable?
In-Reply-To: <Pine.SOL.3.93.960806141909.1593A-100000@lafsun.lafayette.edu>
Message-Id: <Pine.HPP.3.93.960806142455.1849B-100000@merle.acns.nwu.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


+ If software creates mode 666 files (read and write by all) and owned by
+ root, is it possible for a third party to edit the file (provided it is
+ text) and do a `sh <filename>` to run it as root?  

A root owned file wo the suid bit set will run under the calling
user's uid, so one couldn't modify this file and execute it themselves
to get root access.

However, if this is a script that is called by root (via an unthinking
sysadmin, cron job, other program) then there could certainly be a 
problem.  I've often seen programs that are group or world writable
that are called from cron because the admin doesn't want to have to 
su to edit them.  This of course is a bad thing, and various
host security programs will notice and flag this.

Note also that on many machines you can disable the ability to run
suid shell scripts, ie it runs as the calling user regardless of the
suid bit.  This is a good configuration, IMHO, since there are too
many problems with suid shell scripts anyway.


						 Brian Hatch
--
bri@ifokr.org
Systems and Security Engineer
Onsight, Inc.  http://www.avue.com/


From firewalls-owner  Tue Aug  6 13:23:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA08719 for firewalls-outgoing; Tue, 6 Aug 1996 13:10:41 -0700 (PDT)
Received: from NetComm.IE (csa018.emirates.net.ae [194.170.2.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA08656 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 13:10:17 -0700 (PDT)
Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by NetComm.IE (8.7.5/8.7) with SMTP id AAA08651; Wed, 7 Aug 1996 00:10:05 +0400
X-Sender: kevinbr@129.156.240.1
Message-Id: <ae2d66500b021004ef3f@[129.156.240.33]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 7 Aug 1996 00:17:16 +0300
To: Rob Sansom <sansom@connectix.com>
From: kevinbr@NetComm.IE (Kevin Brown)
Subject: Re: Solaris 2.5 ports > 32000?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,


Can you send the output of rpcinfo -p , so we can see the program number.
Port numbers are dynamic in this instance. Potthis high are not well known
services, and will not be listed in the services file. Try the /etc/rpc
file.....



Kevin

>After a quick scan of a Sol 2.5 server, I noticed these ports responding
>
>Port 32771 opened.
>Port 32772 opened.
>Port 32773 opened.
>Port 32774 opened.
>
>
>Anyone know what they are (they are not listed in /etc/services) ??
>
>Rob Sansom
>Network Admin.
>Connectix Corp
>(415) 638-7398
>sansom@connectix.com

////////////////////////////////////////////////////////////
     Kevin Brown            | N \  We operate in Ireland
       NetComm              | e /  and the Middle East
Unix Training, Consultancy  | t \  --IRELAND--
     Networking             | C /  Voice: 353-1-282-7342
                            | o \  Fax: 353-1-282-7342
                            | m /  --DUBAI--
  We will design and        | m \  Voice: 971-4-491476
 construct your Web Site.   |   /  Fax: 971-4-492957
Install a firewall Today!   |   \  email: kevinbr@netcomm.ie
                            |   /           (Internet)
                            |   \

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\



From firewalls-owner  Tue Aug  6 13:23:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA02036 for firewalls-outgoing; Tue, 6 Aug 1996 12:33:41 -0700 (PDT)
Received: from NetComm.IE (csa028.emirates.net.ae [194.170.2.28]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA01994 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 12:33:19 -0700 (PDT)
Received: from [129.156.240.33] (kevin-mac [129.156.240.33]) by NetComm.IE (8.7.5/8.7) with SMTP id XAA08591; Tue, 6 Aug 1996 23:32:30 +0400
X-Sender: kevinbr@129.156.240.1
Message-Id: <ae2d5d3c0a021004cd41@[129.156.240.33]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 6 Aug 1996 23:39:41 +0300
To: John Mulligan <mulligan@lafsun.lafayette.edu>
From: kevinbr@NetComm.IE (Kevin Brown)
Subject: Re: Mode 666 files... executable?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

No, this is not posible......chmod defers to the owner of the file, so if
it owned by root, then root must make it suid.

Remember though, beware of the dreaded suid hack with Solaris 1.X and the
Bourn shell ( the infamous link to -i on a suid root owned Bourne Shell
script)

Does this hack work anywher anymore? ( the -i)

kevin



>If software creates mode 666 files (read and write by all) and owned by
>root, is it possible for a third party to edit the file (provided it is
>text) and do a `sh <filename>` to run it as root?  I know it is possible
>to edit it and run it, but it runs setuid to the third party user, not
>root.
>
>Remeber that files do not need the -x- in the permissions to be executable
>as scripts.
>
>Any comments?
>
>
>
>John P. Mulligan <mulligaj@lafayette.edu>
>PGP Public Key available at http://www.lafayette.edu/~mulligaj
>Excitement. Adventure. A Jedi craves not these things.
>                                     -- Silent Bob

////////////////////////////////////////////////////////////
     Kevin Brown            | N \  We operate in Ireland
       NetComm              | e /  and the Middle East
Unix Training, Consultancy  | t \  --IRELAND--
     Networking             | C /  Voice: 353-1-282-7342
                            | o \  Fax: 353-1-282-7342
                            | m /  --DUBAI--
  We will design and        | m \  Voice: 971-4-491476
 construct your Web Site.   |   /  Fax: 971-4-492957
Install a firewall Today!   |   \  email: kevinbr@netcomm.ie
                            |   /           (Internet)
                            |   \

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\



From firewalls-owner  Tue Aug  6 13:51:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA11036 for firewalls-outgoing; Tue, 6 Aug 1996 13:29:24 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA10989 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 13:29:10 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com
 (EMWAC SMTPRS 0.81) with SMTP id <B0000002466@www.steldyn.com>;
 Tue, 06 Aug 1996 14:35:03 -0600
Received: by juneau.steldyn.com with Microsoft Exchange (IMC 4.0.837.3)
	id <01BB83A3.D06CCDC0@juneau.steldyn.com>; Tue, 6 Aug 1996 14:30:28 -0600
Message-ID: <c=US%a=_%p=Stellar_Dynamics%l=JUNEAU-960806203024Z-677@juneau.steldyn.com>
From: Chris Pugrud <ChrisP@steldyn.com>
To: Firewalls Mailing list <firewalls@greatcircle.com>,
        "'arager@mcgraw-hill.com'" <arager@mcgraw-hill.com>
Subject: RE: NT 3.51 FTP authentication bug
Date: Tue, 6 Aug 1996 14:30:24 -0600
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One point to remember about the administrator user in NT is that it can
not be locked out!  Yet another reason to rename the administrator to
something obscure but usable.  The guest account should always be
disabled (I wish it could be deleted!).  In NT 4.0 they were smart
enough that is disabled by default (as of the latest RC - I don't have
the final gold yet)

Chris

>----------
>From: 	arager@mcgraw-hill.com[SMTP:arager@mcgraw-hill.com]
>Sent: 	Tuesday, August 06, 1996 5:52 AM
>To: 	Firewalls Mailing list
>Subject: 	NT 3.51 FTP authentication bug
>
>     Hello All,
>     
>     Here is a bug I found in the NT 3.51 FTP server......I would be 
>     careful with the FTP server.  
>     
>     It seems that the FTP Server user authentication does not follow
>the 
>     same rules as other NT user authentications...If you have have 
>     intruder detection set for your system, the FTP server seems to
>ignore 
>     it.  Try this:
>     
>     1. With the NT User Manager tool enable intruder detection and set
>
>     your intruder detection to 3 trys, with a really long lockout
>period.
>     2. Pick a userid (administrator will do -- just remember that you
>are 
>     going to lock this account out for a while!) and try to log into
>FTP 
>     with invalid passwords at least 4-5 times
>     4. Check the userid with the User Manager tool.....it should be
>locked 
>     out.
>     3. Try an FTP logon again with the correct password....and it will
>let 
>     you in....even though the User Manager tool says it's locked
>out!!!
>     
>     (I tested this in NT3.51 workstation -- will try 4.0b next to see
>if 
>     it was fixed)
>     
>     
>     I would be careful with the NT FTP server ---  No lockout means 
>     someone can try as many times as they like to break your
>passwords. I 
>     wonder what else is broken???
>     
>     This was mentioned a few days ago, but also keep in mind that NT
>uses 
>     the local user database for authentication, so will allow the
>'Guest' 
>     user to log-in even if you have FTP guest access disabled (two 
>     different guest users with very different access rights.) -- By 
>     default NT creates a 'Guest' user, and does not assign a password!
> 
>     The default NT 'Guest' user will get almost full filesystem 
>     rights....This means no CHROOT from FTP!  I recommend disabling
>the NT 
>     'Guest' account..or least assigning it a good password and
>limiting 
>     filesystem access. (remember....no intruder detection & stupid 
>     password=easy find with password scanner, and they can delete most
>of 
>     your hard-drive with the default permissions!)
>     
>     
>     Like someone said -- C2 is meaningless on a network!
>     
>     
>     All for now,
>     
>     Anton Rager
>     arager@McGraw-Hill.com
>
>

From firewalls-owner  Tue Aug  6 14:08:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA15734 for firewalls-outgoing; Tue, 6 Aug 1996 13:53:18 -0700 (PDT)
Received: from vtserf.cc.vt.edu (vtserf.CC.VT.EDU [128.173.4.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA15539 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 13:52:35 -0700 (PDT)
From: marchany@vtserf.cc.vt.edu
Received: by vtserf.cc.vt.edu (5.65/DEC-Ultrix/4.3)
	id AA00628; Tue, 6 Aug 1996 16:52:12 -0400
Message-Id: <9608062052.AA00628@vtserf.cc.vt.edu>
To: Rob Sansom <sansom@connectix.com>
Cc: <firewalls@greatcircle.com>, marchany@vtserf.cc.vt.edu
Subject: Re: Solaris 2.5 ports > 32000?  
In-Reply-To: Your message of "Tue, 06 Aug 96 11:53:20 PDT."
             <199608061853.LAA25483@apu.connectix.com> 
Date: Tue, 06 Aug 96 16:52:05 -0400
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

use the lsof utility (freeware) to verify who owns the processes that are 
listening on the ports but those are usually controlled by the Sun  license 
manager daemon.

	-Randy Marchany
	VA Tech Computing Center
	Blacksburg, VA 24060

From firewalls-owner  Tue Aug  6 14:23:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA19152 for firewalls-outgoing; Tue, 6 Aug 1996 14:13:42 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA19139 for <Firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 14:13:35 -0700 (PDT)
Received: by hidata.com; id AA24041; Tue, 6 Aug 96 14:13:38 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
	id xma024039; Tue, 6 Aug 96 14:13:34 -0700
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
	id OAA12553; Tue, 6 Aug 1996 14:13:33 -0700
Date: Tue, 6 Aug 1996 14:13:33 -0700
Message-Id: <199608062113.OAA12553@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout <bill.stout@hidata.com>
Subject: NT 4.0 beta bypasses NT security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Warning to the list - NT 4.0 beta CDs _may_ allow unauthorized access
to NT systems!

My apologies if I am wrong, this is a FYI on a _suspected_ security 
hole on NT systems.  Anyone from MS is welcome to correct me.

I _strongly_ suspect that anyone with a NT 4.0 beta CD can bypass 
existing NT security, and access network resources.

I experienced an NT 4.0 workstation seeing 'secured' network files and
directories.  See my previous messages about NT security.  Service pack 
4 on NT 3.51 server fixes this.  I don't know about NT workstation
security fixes or security holes.

NT 4.0 was slightly delayed because MS forgot to fix this(?) security bug.

See:  http://www.pcweek.com/news/0805/06mnt.html

Keep your beta NT 4.0 CDs locked up!


Bill Stout
_______________________________________________________________________________
Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems   408-970-4822   ---  Disclaimer:  I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________


From firewalls-owner  Tue Aug  6 14:42:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA20197 for firewalls-outgoing; Tue, 6 Aug 1996 14:24:32 -0700 (PDT)
Received: from ihgw2.att.com (ihgw2.att.com [207.19.48.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA20190 for <Firewalls@greatcircle.com>; Tue, 6 Aug 1996 14:24:20 -0700 (PDT)
From: mdr@vodka.sse.att.com
Received: from vodka.sse.att.com by ihig2.att.att.com (SMI-8.6/EMS-1.2 sol2)
	id QAA06665; Tue, 6 Aug 1996 16:12:34 -0500
Message-Id: <199608062112.QAA06665@ihig2.att.att.com>
Subject: Re: Security:  Java vs ActiveX (Part 1)
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Tue, 6 Aug 1996 17:20:10 -0400 (EDT)
Cc: mdr@vodka.sse.att.com, Firewalls@GreatCircle.COM
In-Reply-To: <c=US%a=_%p=Toronto%l=MAIL-960805155520Z-2@mail.RC.Toronto.on.ca> from "Russ" at Aug 5, 96 11:55:20 am
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ,

Thanks for the posting, for a minute there I thought that no one cared :)

> I think that "approved" is a far stronger word than I would use.
> "Approved" implies that the code has been tested by the internal
> organization and been "approved" for use. It certainly hasn't. If a
> company "approved" a word processor, they would do so on the basis of a
> number of factors, mostly to do with testing its compatibility,
> reliability, supportability, blah blah blah. None of this testing can be
> done, and even if it could, this approval cannot be limited to a
> specific version of an ActiveX object, or even to one object from a
> company vs. another object from the same company.
> 
> I'd say that Reliable delivery means "branding", a word I've heard used
> by the code signing evangelist from MS . You know you are not getting a

It was my understanding that the mechanism was capable of 
distinguishing between various appliacatins as well.  In other words
that I could configure my host to accept "Pizza Maker" from PizzaH_t but
"Quick_n" from Intu_t and not vice versa although both might be _brand names_.
But I may have read too much into the spec.  If the spec doesn't cover
this, its definitely incomplete.  One could argue that PizzaHut wouldn't
try to give me a new quicken applet, but suppose they get hacked. The
probability that some vendor somewhere gets hacked is IMO almost 1.
I know that the above sounds hokey, but the MS site mentions being able
to configure the browser to accept all signed code card blanc.  I
suspect that a page can reference and load an applet without launching
it, and the applets are all stored in a permanent cache.

So I'd stick with "approved" over "branding" if the functionality is
supported.  Otherwise I'd say "back to the drawing board."


> Mark said...
> >Java Security model: Encapsulation and Reliable Delivery
> >	Java aims to improve security by encapsulation.  Rather than 
> >	running the applet as native code, the applet is interpreted
> >	via a Java VM.    The Java VM keeps up with the source of 
> >	the applet and restricts its access to local resources.
> >	Think of "encapsulation" as "Execution by Proxy".
> >	
> >	However remember that Java will probably incorporate code
> >	signing soon.  So we should really be comparing "Reliable Delivery" vs
> >	"encapsulation"  rather than Java VS ActiveX.
> 
> so Russ replied...
> Encapsulation is not a bad idea, but unless there is a way to enforce
> the implementation of the VM, its subject to the abilities and failings
> (or brilliant ideas) of whoever is doing the implementation. If someone

An extra layer of protection is just that: an extra layer.  
Poor implementations make it thinner but not without value. Also the
idea of having a way to "enforce" is exactly what a VM is for.  Java 
bytecodes don't run native anywhere (ok, maybe a java chip someday),
so the java program on my PC is absolutely _always_ subject to some form of
encapsulation by virtue of being interpreted.  Now JIT complicates
this issue for sure, but again the java VM gets to decide what can and
cannot be JIT compiled and in what way.  But the point is that the
bytecodes have no power of their own except that which is given them
by the interpreter.  (which vaguely reminds me of a scripture somewhere :) )

Now a "bad interpreter" is exactly what we currently have.  The
current Java VM is incapable of containing its applets.  I assert that
that will not always be the case, and that as bugs are shaken out that
it well get tougher to break.  (CAVEAT: New features will require new
shakedowns).

We have to avoid the temptation of placing too much trust in the 
VM (just like how someone with air bags in their auto might drive 
too fast). But I'd rather have something worth _some_ security and build
architectures that rely upon it in a reasonable fashion than to
have no means at all.


> wanted to implement more, or less, of the Java application language in
> their implementation of a VM, what's stopping them? Some implementers
> may feel they can better address security issues by doing the
> enforcement at a different level (i.e. by incorporating it with some
> other security environment present on their target platform). At that
> point you are no longer talking about the security of the VM, but
> instead, the security of the implementation.

If I care about security I won't use them.  That's what we have to do
today for the current java VM.

> 
> If we're going to talk theoretically, fine, let's talk encapsulation
> w.r.t. Java applets, but in my mind, reality says we have to talk
> specifics about particular implementations rather than the "open"
> specification of the language. Code signing doesn't suffer from this

Theoretical advantages are a fulcrum upon which to leverage real
security gains.  Schemes without adequte theory to cover the risks
have no chance at all; they can't even theoreticaly solve the
problems.  But given a good theory the next challenge is to put it 
into practice.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

From firewalls-owner  Tue Aug  6 15:08:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA24331 for firewalls-outgoing; Tue, 6 Aug 1996 14:51:51 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA24235 for <firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 14:51:31 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id OAA08260; Tue, 6 Aug 1996 14:48:03 -0700 (PDT)
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3)
	id sma008251; Tue Aug  6 14:47:50 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id OAA15530; Tue, 6 Aug 1996 14:47:49 -0700 (PDT)
From: Brian Murrell <Brian_Murrell@bctel.net>
Message-Id: <199608062147.OAA15530@mocha.bctel.net>
Date: Tue, 6 Aug 1996 14:47:45 -0700 (PDT)
To: barbara@us.checkpoint.com
Cc: cklaus@iss.net, firewalls@GreatCircle.COM
Subject: Re[2]: Info World Firewall Articles
In-Reply-To: <32066928.1297@us.checkpoint.com>
X-Mailer: Ishmail 1.2.2-960610-sol24 <http://www.halsoft.com/products/ishmail>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----------38ljgzotm2oda2ny4yotk5mi5iehz5y212c2jhqgjjdgvslm5l"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

*************************************************************************
* This message has been formatted as a MIME message.  If you are reading
* this, your mail reader does not support MIME.  To display the non-text
* portions of this message you will need a MIME-capable mail reader such
* as Ishmail (info@halsoft.com).
*************************************************************************

------------38ljgzotm2oda2ny4yotk5mi5iehz5y212c2jhqgjjdgvslm5l
Content-Type: text/enriched
Content-Transfer-Encoding: quoted-printable

from the quill of Barbara Jaarsma <<barbara@us.checkpoint.com> on scroll
<<32066928.1297@us.checkpoint.com>

<Excerpt>During the testing process, the InfoWorld reviews staff did not
follow

the company=92s recommended boot procedures which are specified on =


pages 16-3 and 16-4 in the in the CheckPoint FireWall-1 user manual.  =


When installing the product, the publication=92s reviews staff did not =


turn off the IP forwarding function.

</Excerpt>

Could you print that section of those of us who bought the Sun version
of Firewall-1 and don't have that information??


Thanx,

b.


------------38ljgzotm2oda2ny4yotk5mi5iehz5y212c2jhqgjjdgvslm5l
Content-Description: Signature
Content-Type: text/enriched



--


------------38ljgzotm2oda2ny4yotk5mi5iehz5y212c2jhqgjjdgvslm5l--

From firewalls-owner  Tue Aug  6 15:37:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA29608 for firewalls-outgoing; Tue, 6 Aug 1996 15:26:07 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA29581 for <Firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 15:25:54 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0unuRB-000LEhC>; Wed, 7 Aug 96 00:17 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0unuRA-001l5jC>; Wed, 7 Aug 96 00:17 MET DST
Received: by lina
	id m0unuI4-0004jUC
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Wed, 7 Aug 96 00:07 MET DST
Message-Id: <m0unuI4-0004jUC@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Help! IPFADM
To: linux@ns1.pupr.edu (Linux Mailing List)
Date: Wed, 7 Aug 1996 00:07:50 +0200 (MET DST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <Pine.LNX.3.91.960803133421.26662A-100000@ns1.pupr.edu> from "Linux Mailing List" at Aug 3, 96 01:39:36 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> How can I use ipfadm with netmask 255.255.255.192?

with /26.

> Where can I find detailed documentation on ipfadm?
In the man page.

Greetings
Bernd

From firewalls-owner  Tue Aug  6 15:53:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA00275 for firewalls-outgoing; Tue, 6 Aug 1996 15:32:02 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA00211 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 15:31:22 -0700 (PDT)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34)
	id AA15696; Tue, 6 Aug 96 17:37:42 CDT
Received: by mnbp.network.com with Microsoft Mail
	id <3207C6C3@mnbp.network.com>; Tue, 06 Aug 96 17:27:15 CDT
From: Greg Brennan <brenngp@onto.network.com>
To: firewalls mailing list <firewalls@greatcircle.com>
Subject: Transparency: New Question
Date: Tue, 06 Aug 96 17:27:00 CDT
Message-Id: <3207C6C3@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I too have recently been confused by use of the term "transparent" , when 
it's applied to proxy-based firewalls.

I have always understood that a proxy gateway maintains its security by 
turning IP forwarding "off"
in the kernel of the platform that it is running on.  Thus, *all* packets 
that hit the outside or "dirty" interface are forced up to the appropriate 
proxy application , and if allowed by the rules of the proxy, the proxy 
copies the packet to the inside or "clean" interface.  No packet ever gets 
to travel directly from one interface to the other. (Of course, the same is 
true of packets travelling in the reverse direction).

I can see the security benefits of this approach since a proxy could be 
configured to look for *anything* in the packet contents and make decisions 
about what to allow or disallow.  Allow FTP 'gets' but not 'puts' for 
instance.

Recently, I have been told by an industry 'expert' that traditional proxy 
gateways that claim to be "transparent", achieve this transparency by only 
forcing the 'connect' packets through the proxy, and all other packets 
associated with that connection move directly from one interface to the 
other.  (I have always understood this to be called a 'circuit level 
gateway').  Of course, authentication schemes become critical here, but I 
don't understand how this could be used to prevent an "authenticated" user 
from sending some nasty commands within an application that they are 
"allowed" to use.

Can someone please clarify this for me?  How is TIS transparent for example, 
and yet maintain the security of an application proxy that checks *every* 
packet?

Regards
 - Greg Brennan
greg.brennan@network.com
_______________
>I've been doing some research on firewalls, and was curious as to what it
>exactly means.  Does a fully transparant firewall mean that you don't need
>to enter any passwords, like a basic packet filter?  Does a non
>transparant firewall mean that every action will take a longer time, or is
>transparancy simply an effect that a user will feel?

Generally transparency means that the user doesn't notice anything
different (when using an Internet application) as a result of accessing
the Internet from behind a firewall than they would if there was no
firewall.

This means usually that there is no 'modified procedure' or manual
steps that the user has to take in order to use Internet clients
obtained from the Net (or shrink-wrapped from the local computer
store).

There are now 'transparent proxies' supplied in some new commercial
firewalls which handle data (both incoming and outgoing) at the
application layer via application-specific and aware gateway code, but
neither the client user nor machine is aware that an app level proxy is
actually handling (and in many cases modifying and rewriting data) the
TCP socket connections used -- they think that the firewall is just an
IP router to which they route their IP datagrams.

More subject to debate however is whether you can consider to be
'transparent':

        o       administrator configured (via network admin kits)
                Web browser set to use proxy caching HTTP servers.

        o       installing and configuring the Microsoft Catapult
                RWS (Remote Windows Sockets) or a 'Socks' shim on
                top of client PC's winsock.dll

They are not usually considered to be 'transparent', because though
they are transparent to the user they are not transparent to the
application or machine.

 - Morrow


From firewalls-owner  Tue Aug  6 17:57:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA13032 for firewalls-outgoing; Tue, 6 Aug 1996 17:43:06 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA12983 for <Firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 17:42:38 -0700 (PDT)
Received: by mail.RC.Toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
	id <01BB83D7.64A828D0@mail.RC.Toronto.on.ca>; Tue, 6 Aug 1996 20:39:41 -0400
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960807003938Z-10@mail.RC.Toronto.on.ca>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'mdr@vodka.sse.att.com'" <mdr@vodka.sse.att.com>
Cc: "'Firewalls@GreatCircle.COM'" <Firewalls@GreatCircle.COM>
Subject: REL: Security:  Java vs ActiveX (Part 1)
Date: Tue, 6 Aug 1996 20:39:38 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark said...
"Thanks for the posting, for a minute there I thought that no one cared 
:)"

Russ replied...
I'm still not sure if anyone cares much...either their on vacation or they 
figure we should be having this discussion somewhere else (although 
nobody's said that yet)...;-]

Mark said...
"It was my understanding that the mechanism was capable of distinguishing 
between various appliacatins as well.  In other words that I could 
configure my host to accept "Pizza Maker" from PizzaH_t but "Quick_n" from 
Intu_t and not vice versa although both might be _brand names_. But I may 
have read too much into the spec.  If the spec doesn't cover this, its 
definitely incomplete.  One could argue that PizzaHut wouldn't try to give 
me a new quicken applet, but suppose they get hacked. The probability that 
some vendor somewhere gets hacked is IMO almost 1. I know that the above 
sounds hokey, but the MS site mentions being able to configure the browser 
to accept all signed code card blanc.  I suspect that a page can reference 
and load an applet without launching it, and the applets are all stored in 
a permanent cache."

Russ replied...
I can accept signatures by "company x", and I can designate who I will 
accept to have those signatures verified, but I can't say I will only 
accept signatures for "product y from company x, and no other products from 
company x". You accept code from Microsoft and you accept all of their 
signed code.

You can set IE 3.0b2 to ask you whether you want to accept each and every 
ActiveX object (a neat side-effect is that it will also ask you about 
Cookies, and show you their contents and expiration dates...amazing how 
many companies are placing expirations dates into the next century...). 
This, however, is hardly worthwhile to anyone other than the likes of us 
who are interested in this information. This does present the opportunity, 
though, to have some other application control what to do with this 
information (i.e the interface exists to build in some corporate control 
over these actions).

Mark said...
"So I'd stick with "approved" over "branding" if the functionality is 
supported.  Otherwise I'd say "back to the drawing board.""

Russ replied....
I guess its back to the drawing board then...but as I said, all Microsoft 
is interested in today is "branding", so it serves their purposes.

Mark said...
"An extra layer of protection is just that: an extra layer. Poor 
implementations make it thinner but not without value. Also the idea of 
having a way to "enforce" is exactly what a VM is for.  Java bytecodes 
don't run native anywhere (ok, maybe a java chip someday), so the java 
program on my PC is absolutely _always_ subject to some form of 
encapsulation by virtue of being interpreted.  Now JIT complicates this 
issue for sure, but again the java VM gets to decide what can and cannot be 
JIT compiled and in what way.  But the point is that the bytecodes have no 
power of their own except that which is given them by the interpreter. 
 (which vaguely reminds me of a scripture somewhere :) )"

Russ replied...
One of my constant assertions is that the VM will never be adequately 
secure to allow us to build on it. Until there is a proper "exercisor" for 
the Java VM, one that will allow us to test its ability to contain itself, 
we will never be able to trust its implementation in the code we are 
running. We should not think that we will only have to worry about 
Netscape's implementation in Navigator (or Atlas or whatever). The Java VM, 
like HTML interpretation, is going to be added to more and more 
applications in order to leverage the boom of the web. The Lotus Notes 
environment, with its internal web browsing abilities, browsing from Word 
with Internet Assistant, and on and on. Every one of these implementations 
of the VM will have to be tested. For this reason, we will never be able to 
adequately trust a product which says it executes bytecodes in a "Java VM", 
IMO.

As for the chip, don't forget Java's roots, it was intended, at one point, 
to be an OS for set-top devices. I suspect the chip already exists.

"We have to avoid the temptation of placing too much trust in the VM (just 
like how someone with air bags in their auto might drive too fast). But I'd 
rather have something worth _some_ security and build architectures that 
rely upon it in a reasonable fashion than to have no means at all."

Precisely what speed do air bags become ineffective? How strong an impact 
can the front end of your car withstand without causing the engine to end 
up in your lap? Don't know? This is precisely the dilemma we are faced with 
in trying to decide how much we can trust the VM. So if I was going to 
build a "safer" car, and couldn't precisely identify the above two factors, 
how could I properly manufacture sufficient seat belts, or a practical 
steering column. I will end up over-engineering, duplicating spheres of 
trust, in order to accommodate my lack of trust in the other components.

Since we're at the beginning here, why not engineer something new which can 
be all encompassing? Look how long it took to get mandatory seat belts, or 
even air bags for that matter. This because they were additions to an 
existing design. What if we took the approach that we need to start with 
the most secure environment, and then figure out how to make it user 
friendly and functional, rather than the pre-assumption that we have to 
augment, transparently, our existing environments with patchy security here 
and there?

"If I care about security I won't use them.  That's what we have to do 
today for the current java VM."

But the problem is that you will not know you are using one that extends 
functionality unless JavaSoft maintains some kind of discretionary control 
over the implementations (which they don't, I believe?).

"Theoretical advantages are a fulcrum upon which to leverage real security 
gains.  Schemes without adequte theory to cover the risks have no chance at 
all; they can't even theoreticaly solve the problems.  But given a good 
theory the next challenge is to put it into practice."

True, so let's make the VM, or encapsulation, wider in scope to encompass 
more than just Java bytecode. Let's all call for its model to be applied to 
all OS'.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs
Cheers,
Russ
...eek, quick, someone give me some broken software, I'm suffering beta 
withdrawals...



From firewalls-owner  Tue Aug  6 18:52:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA17945 for firewalls-outgoing; Tue, 6 Aug 1996 18:40:20 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA17938 for <Firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 18:40:13 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id UAA21063; Tue, 6 Aug 1996 20:40:06 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma003085; Tue Aug  6 20:34:15 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id UAA17234; Tue, 6 Aug 1996 20:34:13 -0500
Received: by sonic.nmti.com; id AA23199; Tue, 6 Aug 1996 20:34:12 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608070134.AA23199@sonic.nmti.com.nmti.com>
Subject: Re: REL: Security:  Java vs ActiveX (Part 1)
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Tue, 6 Aug 1996 20:34:12 -0500 (CDT)
Cc: mdr@vodka.sse.att.com, Firewalls@GreatCircle.COM
In-Reply-To: <c=US%a=_%p=Toronto%l=MAIL-960807003938Z-10@mail.RC.Toronto.on.ca> from "Russ" at Aug 6, 96 08:39:38 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Russ replied...
> One of my constant assertions is that the VM will never be adequately 
> secure to allow us to build on it.

You can't make that claim, Russ. You can only make the claim that the
present implementation of the Java VM can not be adequately secured
without (1) run-time security management, or (2) security implemented
outside the Java VM.

To claim that the VM can't be adequately secured begs the question of why
you think HTML is adequately secure.

> Precisely what speed do air bags become ineffective? How strong an impact 
> can the front end of your car withstand without causing the engine to end 
> up in your lap? Don't know? This is precisely the dilemma we are faced with 
> in trying to decide how much we can trust the VM. So if I was going to 
> build a "safer" car, and couldn't precisely identify the above two factors, 
> how could I properly manufacture sufficient seat belts, or a practical 
> steering column. I will end up over-engineering, duplicating spheres of 
> trust, in order to accommodate my lack of trust in the other components.

Exactly. Defense in depth. It's how we all do security. What else, after all,
is a firewall for anyway?

And, Russ, could you do me a favor... use normal quoting. It's often quite
hard to keep track of the exchange when you're involved. Thanks much.

From firewalls-owner  Tue Aug  6 19:14:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA19246 for firewalls-outgoing; Tue, 6 Aug 1996 19:03:03 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id TAA19208 for firewalls@greatcircle.com; Tue, 6 Aug 1996 19:02:49 -0700 (PDT)
Received: from ihgw2.att.com (ihgw2.att.com [207.19.48.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA29087 for <Firewalls@greatcircle.com>; Tue, 6 Aug 1996 15:22:19 -0700 (PDT)
From: mdr@vodka.sse.att.com
Received: from vodka.sse.att.com by ihig2.att.att.com (SMI-8.6/EMS-1.2 sol2)
	id RAA14168; Tue, 6 Aug 1996 17:16:32 -0500
Message-Id: <199608062216.RAA14168@ihig2.att.att.com>
Subject: Re: Security:  Java vs ActiveX (Part 2)
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Tue, 6 Aug 1996 18:24:08 -0400 (EDT)
Cc: mdr@vodka.sse.att.com, Firewalls@GreatCircle.COM
In-Reply-To: <c=US%a=_%p=Toronto%l=MAIL-960805164549Z-4@mail.RC.Toronto.on.ca> from "Russ" at Aug 5, 96 12:45:49 pm
X-Mailer: ELM [version 2.4 PL23-upenn2.7]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ writes more:

> Mark said...
> >First what can "Reliable Delivery" do in these?
> <snip>
> >		The _HUGE_ misconception and potential problem is the
> >		mistaken belief that this boost in security is enough
> >		to allow me to download "network aware" applets.  
[snip]
> 
> so Russ replied...
> Yes, I agree that "Reliable Delivery" can help, and that there is a
> _HUGE_ *potential* for misconception and mistaken beliefs. There is some
> "boost* in security to downloading network aware applets *if you can
> control the accepted signatures lists* at the clients. Since we cannot
> do that yet, there is no boost today. If such a mechanism did exist,
> however, it would be no different than permitting users to purchase and
> install applications on their machines without prior approval from the
> security folk. Since most companies do allow this to happen (or maybe
> cannot prevent it from happening), the signatures could be used to
> permit this to be done across the Internet.

Yes I agree it happens and yes its bad for security.  I wonder if we'll
start seeing disclaimers on certificates "not suitable for systems
connected to the Internet"

> 
> Of course, the other aspect that is not widely spoken is that these
> digital signatures can be used internally by a machine to ensure it has
> not had its code altered. 

Yes, but it requires OS support.

> Once again, however, the failing in current
> signature methods is the lack of reverification. Signatures are verified
> once only, and never again, thereby leaving code open to alteration
> after its been downloaded and installed. To me, this represents the
> signing company's desire to avoid taking responsibility for their code
> once its installed on the users machine. They say, "we'll get it to you
> safely, but after that you're on your own." It would not take a great
> deal of work to go beyond that, but companies, particularly Microsoft,
> are unwilling to commit themselves to that. I'm sure a bunch of lawyers
> have advised that this would not be a good move, but the reality of
> today's computing environment, IMO, means we have to put something like
> this in place at the client level to be able to successfully move
> forward with these technologies. The lack of these facilities means that
> we're left with an "all or nothing" approach to these objects, most
> likely nothing...

Yes Certificate revocation is problematic.  However I think that it
could be addresed (but not solved) by creating certificates with short 
life times.  Notice that the vendors are trying to avoid liability for
the security of their code.  But the the applet is network aware, then
it must have security ramifications.

> 
> Mark said...
> >Now what can "Reliable Delivery" __NOT__ do in these?
> >	Protect against unintentional security holes in software.
> >	Protect against Trojan Horses.
> >	Protect against Data Content Viruses.
> >	Protect against Viruses invecting the Vendor.
> >	Allow safe execution of network aware applets.
> 
> so Russ replied...
> I would add to your list;
> 
> Protect breaches in policy (security, corporate, whatever)

no software can ever solve all of the people problems. The best that
we can hope for is to enable our users with the software that provides
them the means to do the right thing and still get their _main_ job
done in time.  The rest is education.

[snip]
> Mark said...
> >Secondly what can "Encapsulation" do in these  envs?
> <much good stuff snipped>
> 
> so Russ replied...
> Encapsulation *might* do lots of things, but if its not a part of the
> underlying OS (i.e. is not integrated into all functionality of an OS),
> then its benefits are very limited. If the VM doesn't check itself to

The two could definitely complement one another.  I'm a big fan of OS
security, but OS security has its limits.  There's a real need for
application level security.  For example a B1 database provides
important control over data that a secure OS is _incapable_ of
providing. That's because the OS sees the database as a collection of
files or possibly a raw partition.  OS security doesn't understand
tables, fields and views etc.   But I wouldn't say that its benefits
are "very limitied" without OS support.   Under that classification 
SSL would be of "very limited" benefit.


> If the VM doesn't check itself to
> see if its been altered, then what's stopping someone from altering the
> behavior of the VM? 

The VM really can't "check itself", only the OS could provide that 
assurance.
But we still get an extra layer of security because an applet will have 
to break the VM to alter the VM.  Not necessarily impossible, but 
it does represent a layer of security.   

> If the Word Processor documents are not clearly
> identified as such, and a method employed to prevent other documents
> from masquerading as WP documents, then what use is it to have the Java
> WP read and write only WP documents? Since the VM doesn't control the
> surrounding file system, this wouldn't be that difficult to usurp. If,
> on the other hand, the encapsulation was part of the OS (or more closely
> integrated), you could have it enforce its restrictions on file types...

If a user wanted to, they could trick the Java Word Processor into opening
/etc/passwd by creating a symlink called passwd.doc.  The real question
is more like this.  If I were able to configure the VM to restrict
write access for this java Word Processor to '*.doc'  would a macro within
the document be able to write to 'master.dot' or some other
template file without my knowledge.  Answer:  not without breaking the VM.  
So its definitely a security layer.   Now a good OS could definitely augment
this by using manditory access controls to protect the 'master.dot'
file.  Another potential policy would be to restrict a documents
macros to the document itself.  The idea has merit.

> Once again, IMO, the VM is an island surrounded by tsunami's, being
> constantly assailed and eroded by all that goes on around it. The island
> itself may be, or become, perfectly safe, but if the surrounding
> undercurrents erode its foundation, it will collapse.

All levels are attackable -- that's why we need more than one.
Believe me I wish the most popular desktop OS's were secure.   I
recently posted to sci.crypt an article entitled "castles in the
clouds" pondering if encryption were ultimately useful without the
foundation of securing the workstation.


> Mark said...
> >		However a weaker stance is to allow
> >		only reliably delivered applets and say "I trust 
> >		the vendor but thats's not enough"  the vendor may
> >		have made a mistake.  An esoteric java VM exploit would 
> >		only work if some
> >		vendors software happens to allow access to that type
> >		of exploit.
> >
> >		This is the "multiple levels of
> >		security" approach and the one that I advocate.
> 
> so Russ replied...
> Multiple levels are good, but they are also very difficult to attain
> with compatibility, speed, ease of use, etc... 

Performance is an issue.  Thankfully, every year processors get
faster.  I'm doing my part as a programmer to ensure that they'll
never be fast enough  :) 

> So while advocating that
> more is better, it may not be more realizable. I agree, however, that
> signatures are a must on Java applets, but I wouldn't advocate that this
> combination would be enough to satisfy me.

So would you advocate more levels still?

I'd like to say "run only signed applets running in a VM running in a
sandbox on a secure server", but I can't point to a commercial
implementation.    Perhaps a UNIX browser running chrooted or on a
secure UNIX -- but most users want PC's

W.r.t speed.  That's a real issue.  The java VM is 20-30 times slower
than native code (some say). That's OK for some applications that basically sit
around waiting for the user to type something or move the mouse, but
its not good enough for a real word processor.  (Printing long
documents comes to mind).


> >
> Mark said...
> >		A Java wordprocessing vendor could license the
> >		wordprocessor _AND_ the file storage. The benefit is
> >		that I have the assuranced that the vendors software
> >		isn't  mucking with my machine and the vendor controls
> >		his software distribution and upgrade cost and
> >		potentially sells new services.  Would people buy it?
> >		Would you like to be able to fly out of state and
> >		access your wordprocessor docs from any location in
> >		the world with just a browser?  All we need is a
> >		little more bandwidth.
> 
> so Russ replied...
> Ah ha! The Internet PC eh? Just point my remote control at my TV set and
> call up my email from some service bureau's storage site...yeah, but
> who's verifying that my mail hasn't already been read by the service
[snip]

I think that java on the Internet PC has the potential to become a
platform.  But don't look for it on the internet PC.  I predict it 
will be on the Sony Playstation or some similar product first.

> 
> Use the Internet PC as a component of a complete PC, where the Internet
> PC is used to establish secured channels to trusted systems, and the
> complete PC is used to access non-trusted environments for fun and
> entertainment. Do you really want to move to an era where everything you
> do is done through some centralized system, such that their monitoring
> shows that you are in this newsgroup or that website? Not for me.

I think that we can have it both ways.  The question is not what would
you or I do, but what other people will be willing to accept at a given
price.   Would I participate in the above scenario if the total cost
were $30 a month and I always had the latest software, could cruise
the internet etc from my TV?  Absolutely.  But I'd also do my
proprietary work somewhere else.

> >
> Mark said...
> >Conclusions:  
> >	1. Reliable delievery is a moderate security gain.
> >	2. Encapsulation has _major_ potential but should be augmented
> >		with reliable delivery.
> 
> so Russ replied...
> all in all I agree, but IMO neither are complete.

I think we're in pretty close agreement on these two technologies
too.

> >
> Mark said...
> >	From www.microsoft.com ActiveX FAQ
> >
> >	Is signed code really secure?
> >
> >	Yes. The security methods used to support this proposal are not new;
> >	they rely on tried and proven
> >	technology. The specifications on which the technology is based have
> >	been used successfully in the
> >	industry for some time. These include PKCS #7 (encrypted key
> >	specification), PKCS #10 (electronic
> >	request forms), X.509 (certificate specification), and SHA and MD5
> >	hash algorithms.
> >
> >IMO the above statment is misleading, it equates "secure code" with "signed
> >code", and is typical of their stance.  However, I'm trying hard to 
> >see the good in ActiveX w.r.t security inspite of such.
> 
> so Russ replied...
> The way it was explained to me when Code Signing was announced at TechEd
> '96 was that the "signatures" are secure, as is the method for
> validating those "signatures", not that objects that were signed were
> secure. It was explained thoroughly exactly what Code Signing did,
> namely, that it guaranteed that the object was written by whomever
> registered the signature, and that it was not altered from the time the
> signature was generated, nothing more and nothing less.

Then why is it being pushed as an acceptible architecture for
secure Internet applets?   Clearly its not up to that task.

> >
> Mark said...
> >I am also perplexed with the current perception that Java is a
> >security _problem_ instead of a security _solution_.  The current rash
> >of Java VM holes is a set of bugs coming from a _single_ program (with
> >multiple implementations) that is undergoing extensive analysis.  
> >Imagine what ActiveX will do for us when users want to trust _every_
> >program to be network aware! 
> 
> so Russ replied...
> ActiveX is a security problem as well, nobody should think otherwise.

Both are currently security problems.  Java may be fixable given time.
Do you see a fix for ActiveX?  I don't see a foundation upon which to
build a fix for ActiveX, other than perhaps a B1 or higher WinNT  
(although thats probably the wrong granularity.)


Mark Riggins
Secure Systems Engineering
AT&T Bell Labs



From firewalls-owner  Tue Aug  6 19:17:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA18870 for firewalls-outgoing; Tue, 6 Aug 1996 18:59:54 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id SAA18853 for firewalls@greatcircle.com; Tue, 6 Aug 1996 18:59:44 -0700 (PDT)
Received: from dagon.megatoon.com (dagon.megatoon.com [205.205.31.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA28338 for <Firewalls@greatcircle.com>; Tue, 6 Aug 1996 06:03:53 -0700 (PDT)
Received: from line94.megatoon.com (line94.megatoon.com [205.205.31.94]) by dagon.megatoon.com (8.6.12/8.6.12) with SMTP id JAA12334 for <Firewalls@greatcircle.com>; Tue, 6 Aug 1996 09:03:52 -0400
Message-ID: <32076C48.12DC@mat.ulaval.ca>
Date: Tue, 06 Aug 1996 09:01:12 -0700
From: Martin Blouin <mblouin@mat.ulaval.ca>
X-Mailer: Mozilla 3.0b4Gold (Win16; I)
MIME-Version: 1.0
To: Firewalls@greatcircle.com
Subject: Help me please to the following questions
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here is our situation:

  - Network =  Novell
  - Used protocol: -IPX
                   -IP to address the router
                   -IP for the server
                   -IP for SMNP

Need:
  - Give an Internet access to our employes.
  - No sever web or news on our network.

  - Knowing that we dont want , in any case, to use a FireWall like
    BorderWare,FireWall 1 ... because it is much too expensive. 

Please help me with the following questions:

  - Do you know any software or hardware to make our nerwork the 
    less vulnerable possible?

  - What do you think of the following solution?
      - Use a router CISCO 1004 with an Internet Junction
      - Use the new gateway IPeXchange of CISCO

  - Since the IP is in the IPx, to which point would we be vulnerable?
 
  - Since the IP is in the IPX, is the decelaration is considerable?

  - If an outside person would do a telnet on one of our IP address, 
    would she have access to our network?


Thanks in advance

              Martin Blouin


From firewalls-owner  Tue Aug  6 19:46:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA22107 for firewalls-outgoing; Tue, 6 Aug 1996 19:26:05 -0700 (PDT)
Received: from relay.rv.tis.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA22090 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 19:25:56 -0700 (PDT)
Received: by relay.rv.tis.com; id WAA18144; Tue, 6 Aug 1996 22:45:17 -0400
Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1.1)
	id xma018140; Tue, 6 Aug 96 22:45:14 -0400
Received: from localhost by hilo.trusted.com with SMTP
	(1.37.109.4/16.2) id AA19138; Tue, 6 Aug 96 22:27:34 -0400
Message-Id: <9608070227.AA19138@hilo.trusted.com>
To: Greg Brennan <brenngp@onto.network.com>
Cc: firewalls mailing list <firewalls@greatcircle.com>, rick@hilo.trusted.com
Subject: Re: Transparency: New Question 
In-Reply-To: Your message of "Tue, 06 Aug 1996 17:27:00 EDT."
             <3207C6C3@mnbp.network.com> 
Date: Tue, 06 Aug 1996 22:27:34 EDT
From: "Rick Murphy" <rick@trusted.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Recently, I have been told by an industry 'expert' that traditional proxy 
>gateways that claim to be "transparent", achieve this transparency by only 
>forcing the 'connect' packets through the proxy, and all other packets 
>associated with that connection move directly from one interface to the 
>other.

At least in the Gauntlet case, this "expert" is wrong - all packets pass 
through the proxy.
	-Rick

From firewalls-owner  Tue Aug  6 20:53:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA00856 for firewalls-outgoing; Tue, 6 Aug 1996 20:41:19 -0700 (PDT)
Received: from uu9.psi.com (uu9.psi.com [38.145.107.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA00848 for <firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 20:41:12 -0700 (PDT)
Received: from infosys.inf.COM by uu9.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP;
        id AA19994 for firewalls@GreatCircle.COM; Tue, 6 Aug 96 23:41:13 -0400
Received: by Inf.COM (4.1/SMI-4.1)
	id AA03541; Tue, 6 Aug 96 23:36:25 EDT
Received: from unknown(204.4.54.122) by infosys.inf.COM via smap (V1.3)
	id sma003528aaa; Tue Aug  6 23:35:58 1996
Received: from cc:Mail by ccgate.inf.com
	id AA839434523; Wed, 07 Aug 96 09:00:05 IST
Date: Wed, 07 Aug 96 09:00:05 IST
From: "pdmallya" <pdmallya@inf.com>
Message-Id: <9607078394.AA839434523@ccgate.inf.com>
To: firewalls@GreatCircle.COM
Subject: Re[2]: transparancy: what exactly does it entail?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

    Hi,
    
    Another issue is that it is not entirely transparent if the firewall does 
    user authentication. The firewall proxy can ".. grab connections meant for 
    the outside of the firewall and invoke the proper proxy software on the 
    behalf of the inside user", but the firewall can ask the users for 
    authentication before it does so - this means that the client software has 
    to do an additional authentication before accessing the server.
    
    Regards
    
    P D Mallya
    
    --------------------------
    Prabhakar D. Mallya
    Infosys Technologies Limited, Bangalore, India
    Phone : 91-80-8520261   e-mail : pdmallya@inf.com

______________________________ Reply Separator _________________________________
Subject: Re: transparancy: what exactly does it entail?
Author:  Frederick M Avolio <avolio@tis.com> at SMTP_GW
Date:    6/8/96 2:57 PM


At 11:46 AM 8/6/96 -0400, Jason Chen wrote: 
>Hi,
>
>I've been doing some research on firewalls, and was curious as to what it 
>exactly means.  
    
Transparency usually means that from one side of the firewall to another, as 
long as a user doesn't try to do something the firewall specifically blocks, 
the user can issue commands just as if he or she is directly connected to 
the other side of the firewall (for example connecting from a private 
network to the Internet).  This should, I think, imply no changes to client 
software also.
    
Everything in brackets [] is my opinion:
    
Some people achieve transparency by using dynamic IP filters. By its very 
nature, this sort of firewall is transparent, [although some would argue -- 
including me -- at the cost of security].  Others put filters on an 
application gateway firewall. [I'd also argue that security is a strong as 
the weakest link, in this case filtering.]  Others provide transparency with 
SOCKS, basically a circuit gateway, requiring modifications to the client 
software. [If you have to make people run certain versions of applications 
rather than others, it is not transparent.] Our firewall (Gauntlet) has 
transparency without loss of security. In all cases, application gateway 
software (proxies) are invoked.  The firewall is set up to grab connections 
meant for the outside of the firewall and invoke the proper proxy software 
on the behalf of the inside user.
    
In a proxy-based firewall, without transparency (FWTK is an example) the 
user has to connect to the firewall proxy software and tell it where it 
wants to go. 
    
Fred
    
    
---
(voice) +1 301-947-7101; (fax) +1 301-527-0482, 
TIS, 15204 Omega Drive, Rockville, MD 20850
    


From firewalls-owner  Tue Aug  6 22:37:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA07243 for firewalls-outgoing; Tue, 6 Aug 1996 22:27:42 -0700 (PDT)
Received: from hlc (hlc.net [205.214.51.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA07236 for <firewalls@GreatCircle.COM>; Tue, 6 Aug 1996 22:27:36 -0700 (PDT)
Received: from joe1.integrinet.com by hlc with smtp
	(Smail3.1.29.1 #2) id m0unzEG-000TQpC; Tue, 6 Aug 96 22:24 PDT
Message-Id: <2.2.32.19960807051634.006876b0@hlc.net>
X-Sender: jviz@hlc.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 06 Aug 1996 22:16:34 -0700
To: firewalls@GreatCircle.COM
From: Joseph Viz <jviz@integrinet.com>
Subject: NetGuard
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

        Looking for firewall solution to protect a small NT bas network.
Basiclly - let internal users to use Internet services ( WWW , FTP, mail and..)
and give them a protection from hacking and so. I found a firewall solution
for NT called NetGuard at http://www.netguard.com/ - looks good on the paper .
Does anybody have any recomendations or tips ?
Thank 
J.V.
Joseph Viz
MicroAge of Van Nuys


From firewalls-owner  Tue Aug  6 23:40:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA11609 for firewalls-outgoing; Tue, 6 Aug 1996 23:35:37 -0700 (PDT)
Received: from ram.chiswick.anprod.csiro.au (ram.chiswick.anprod.CSIRO.AU [192.138.100.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA11602 for <firewalls@greatcircle.com>; Tue, 6 Aug 1996 23:35:25 -0700 (PDT)
Received: by ram.chiswick.anprod.csiro.au id AA27820
  (5.65c/IDA-1.4.4 for firewalls@greatcircle.com); Wed, 7 Aug 1996 16:32:31 +1000
Date: Wed, 7 Aug 1996 16:32:31 +1000
From: John Lax <john@chiswick.anprod.CSIRO.AU>
Message-Id: <199608070632.AA27820@ram.chiswick.anprod.csiro.au>
To: marchany@vtserf.cc.vt.edu, sansom@connectix.com
Subject: Re: Solaris 2.5 ports > 32000?
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

	These ports are usually involved in network services with tcp and udp 
for things like ypbind, status, nlockmgr, rquotad, rusersd, rstatd , mountd
  



==============================================================================
John Lax
C.S.I.R.O.
Division of Animal Production               Ph:  +61 67 761 376             
Private Bag,                               Fax:  +61 67 761 333    
Armidale NSW. 2350                       Email: john@chiswick.anprod.CSIRO.AU
Australia
==============================================================================


From firewalls-owner  Wed Aug  7 02:26:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA19298 for firewalls-outgoing; Wed, 7 Aug 1996 02:00:57 -0700 (PDT)
Received: from surf.delmar.edu (surf.delmar.edu [204.56.132.185]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA19263 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 02:00:38 -0700 (PDT)
Received: (from walt@localhost) by surf.delmar.edu (8.7.4/8.7.3) id EAA04205; Wed, 7 Aug 1996 04:03:30 -0500 (CDT)
Date: Wed, 7 Aug 1996 04:03:30 -0500 (CDT)
From: Walter <walt@surf.delmar.edu>
To: firewalls@greatcircle.com
Subject: Audio ports
Message-ID: <Pine.BSI.3.91.960807035249.4164A-100000@surf.delmar.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a Cisco filter that can be used to block live
audio from being received. Do they all use the same port?
Maybe also C-U-C-ME and IP-PHONE. Much of our bandwidth
seems to be getting burned by all day audio and other
un-authorized projects. Thanks.



From firewalls-owner  Wed Aug  7 02:53:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA21325 for firewalls-outgoing; Wed, 7 Aug 1996 02:45:22 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id CAA21300 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 02:45:05 -0700 (PDT)
Received:  from unknown by typhoon.dial.pipex.net (8.7.5/)
	id KAA27966; Wed, 7 Aug 1996 10:45:13 +0100 (BST)
Message-ID: <MAPI.Id.0016.00713530202020203643443030303044@MAPI.to.RFC822>
In-Reply-To: <3207C6C3@mnbp.network.com>
References: Conversation <3207C6C3@mnbp.network.com> with last message <3207C6C3@mnbp.network.com>
To: Firewall List <firewalls@GreatCircle.COM>
MIME-Version: 1.0
From: Ian Johnstone-Bryden <ianj-b@dial.pipex.com>
Subject: Re: Transparency: New Question
Date: Wed, 07 Aug 96 10:30:09 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Greg Brennan wrote in part:- 
> I too have recently been confused by use of the term "transparent" , 
when 
> it's applied to proxy-based firewalls.
>[stuff deleted] 

The danger is that this industry uses a particular term to mean several 
different things so its always best to ask each vendor what THEY mean by a 
particular term like 'transparent'.

Generally though, 'transparent' should simply mean that the communicator 
does not see the security device. There are many techniques which could be 
deployed to achieve this. 

That can go a stage further in that someone coming in from outside may 
only (should only) see an environment which is the security device. He has 
no visibility of the private networks. In this case, its not 'transparent' 
because the communicator is not seeing what he is really trying to 
contact, but an illusion projected by the security device.
Ian J-B.

From firewalls-owner  Wed Aug  7 03:53:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA26119 for firewalls-outgoing; Wed, 7 Aug 1996 03:47:56 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA26112 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 03:47:44 -0700 (PDT)
Received: from user_ins.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id DAA20940 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 03:47:45 -0700 (PDT)
Message-Id: <2.2.32.19960807104722.006de004@ins.com>
X-Sender: martin_d@ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 07 Aug 1996 06:47:22 -0400
To: firewalls@greatcircle.com
From: Darwin Martinez <Darwin_Martinez@INS.COM>
Subject: FireWall-1 2.1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All:

About two to three weeks ago I upgraded my HPUX D210 machine from 2.0c to
2.1. The HP platform is running 10.10 code. Shortly after the upgrade, the
HP machine started rebooting maybe once a day, sometimes twice a day,
sometimes not at all. This was not happening when 2.0c was running. I sent a
DAT to HP with the crash information. They have advised me that what is
crashing is an unknown code, caused by some application outside of HP's
realm (control). HP "suspects" that the application (Firewall-1) is causing
the HP machine to crash. From the information on the crash DAT, it appears
that the stack may have been altered, thus eventually leading up to a reboot. 

Has anyone ran into this problem? There are no other apps running on this
machine. Two interface cards active, one inactive. Any suggestions??

Much thanks.
------------------------------------------------------------------------
Darwin L. Martinez, NSE			Email:	darwin_martinez@ins.com
Atlanta Office				Site #:	404-843-5954
International Network Services		Pager:	800-INS-1-INS

"People of the Earth can you hear me?"
			Billy Thorpe, 1979
------------------------------------------------------------------------


From firewalls-owner  Wed Aug  7 04:08:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA26095 for firewalls-outgoing; Wed, 7 Aug 1996 03:45:53 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA26088 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 03:45:42 -0700 (PDT)
Received: from user_ins.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id DAA20870; Wed, 7 Aug 1996 03:45:25 -0700 (PDT)
Message-Id: <2.2.32.19960807104503.0069c250@ins.com>
X-Sender: martin_d@ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 07 Aug 1996 06:45:03 -0400
To: Walter <walt@surf.delmar.edu>
From: Darwin Martinez <Darwin_Martinez@INS.COM>
Subject: Re: Audio ports
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Real Audio (tcp) uses port 7070. With our firewall, if the user has real
audio ver 2.0, we had to enable "receive audio via tcp" instead of udp. With
receiving via udp, a random udp port was being assigned, and thus being
blocked by our firewall since it appeared the outside server was attempting
to establish this connection. CU-SeeMe uses port 7648, and uses both tcp and
udp (same port #) during the "conversation". Not sure what IP-PHONE is,
perhaps cool talk? An access list could be constructed disabling these port
numbers from passing.

At 04:03 AM 8/7/96 -0500, you wrote:
>Is there a Cisco filter that can be used to block live
>audio from being received. Do they all use the same port?
>Maybe also C-U-C-ME and IP-PHONE. Much of our bandwidth
>seems to be getting burned by all day audio and other
>un-authorized projects. Thanks.
>
>
>
>
------------------------------------------------------------------------
Darwin L. Martinez, NSE			Email:	darwin_martinez@ins.com
Atlanta Office				Site #:	404-843-5954
International Network Services		Pager:	800-INS-1-INS

"People of the Earth can you hear me?"
			Billy Thorpe, 1979
------------------------------------------------------------------------


From firewalls-owner  Wed Aug  7 04:23:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA25999 for firewalls-outgoing; Wed, 7 Aug 1996 03:38:17 -0700 (PDT)
Received: from ritig1.rit.reuters.com (ritig1.rit.reuters.com [199.171.195.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA25900 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 03:37:56 -0700 (PDT)
Received: from ritig4.rit.reuters.com by ritig1.rit.reuters.com; (5.65v3.2/1.1.8.2/14Sep94-0947PM)
	id AA06886; Wed, 7 Aug 1996 06:42:16 -0400
Received: from mr.rit.reuters.com by RITIG4.RIT.REUTERS.COM (PMDF V5.0-7 #7805)
 id <01I7ZGVBQ31S002GQ1@RITIG4.RIT.REUTERS.COM> for firewalls@greatcircle.com;
 Wed, 07 Aug 1996 06:38:38 -0400 (EDT)
Received: with PMDF-MR; Wed, 07 Aug 1996 11:37:49 -0400 (EDT)
Mr-Received: by mta REC.MUAS; Relayed; Wed, 07 Aug 1996 11:37:49 -0400
Mr-Received: by mta RE6; Relayed; Wed, 07 Aug 1996 11:37:50 -0400
Mr-Received: by mta RITIG4; Relayed; Wed, 07 Aug 1996 11:38:36 -0400
Disclose-Recipients: prohibited
Date: Wed, 07 Aug 1996 11:37:49 -0400 (EDT)
From: malcolm melville +44 171 542 8472 <malcolm.melville@reuters.com>
Subject: Intelligent networks
To: firewalls <firewalls@greatcircle.com>
Message-Id: <7149371107081996/A09764/RE6/11A83AE53000*@MHS>
Autoforwarded: false
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Transfer-Encoding: 7BIT
Importance: normal
Sensitivity: Company-Confidential
Ua-Content-Id: 11A83AE53000
X400-Mts-Identifier: [;7149371107081996/A09764/RE6]
Hop-Count: 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Was asked some questions about intelligent networks and security. Seemed to me
that no-one involved agreed on a definition of an intelligent network - so it
proved impossible to agree on the implications for security. 

So I thought I would pose the same questions here and see if anyone has a view
(I guess so) and even some terms associated with what I take to be a marketing
phrase which has no firm definition.

One point of debate was whether the telcos have a different view of what an
intelligent network is from data network providers, component suppliers, etc.
And whether LAN, MAN, WAN issues affect your definitions.

I would be grateful if anyone can point at reference documents or articles.

The questions were as follows:
Do intelligent networks aid network managers in the quest for a secure
environment within the internet? 
Which service providers offer such networks and how is the security specified
and guaranteed? (Since we are in the UK I guess this may be unanswerable by and
large.)

thanks
malcolm


From firewalls-owner  Wed Aug  7 04:52:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA01541 for firewalls-outgoing; Wed, 7 Aug 1996 04:48:30 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA01504 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 04:48:20 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo2.cisco.com [171.68.13.2]) by lint.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id EAA23813; Wed, 7 Aug 1996 04:49:31 -0700
Message-Id: <199608071149.EAA23813@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 07 Aug 1996 07:48:21 -0400
To: malcolm melville +44 171 542 8472 <malcolm.melville@reuters.com>
From: Paul Ferguson <pferguso@cisco.com>
Subject: Re: Intelligent networks
Cc: firewalls <firewalls@GreatCircle.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What the heck is an 'intelligent' network?

Or rather, what the heck is an 'unintelligent' network?

- paul

ps. Sounds like marketing bravo sierra to me.  :-)

At 11:37 AM 8/7/96 -0400, malcolm melville +44 171 542 8472 wrote:

>Was asked some questions about intelligent networks and security. Seemed to me
>that no-one involved agreed on a definition of an intelligent network - so it
>proved impossible to agree on the implications for security. 
>
>So I thought I would pose the same questions here and see if anyone has a view
>(I guess so) and even some terms associated with what I take to be a marketing
>phrase which has no firm definition.
>
>One point of debate was whether the telcos have a different view of what an
>intelligent network is from data network providers, component suppliers, etc.
>And whether LAN, MAN, WAN issues affect your definitions.
>
>I would be grateful if anyone can point at reference documents or articles.
>
>The questions were as follows:
>Do intelligent networks aid network managers in the quest for a secure
>environment within the internet? 
>Which service providers offer such networks and how is the security specified
>and guaranteed? (Since we are in the UK I guess this may be unanswerable by and
>large.)
>
>thanks
>malcolm
>

--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Reston, Virginia   USA                                 ||||      ||||
tel: +1.703.716.9538                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s


From firewalls-owner  Wed Aug  7 07:22:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA13059 for firewalls-outgoing; Wed, 7 Aug 1996 07:06:42 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA13051 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 07:06:26 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id QAA12579; Wed, 7 Aug 1996 16:06:56 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
	id AA04253; Wed, 7 Aug 96 16:05:23 +0200
Message-Id: <9608071405.AA04253@tidtest.total.fr>
To: Michael Dillon <michael@memra.com>
Cc: firewalls@greatcircle.com
Subject: Re: Another wide-open security hole from Microsoft 
In-Reply-To: Your message of "Sat, 03 Aug 1996 11:27:56 PDT."
             <Pine.BSI.3.93.960803112618.26549A-100000@sidhe.memra.com> 
X-Cuse: "The dog ate my network"
Date: Wed, 07 Aug 1996 16:05:18 +0100
From: Michel Lavondes <lavondes@tidtest.total.fr>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


In message <Pine.BSI.3.93.960803112618.26549A-100000@sidhe.memra.com>, Michael 
Dillon writes:
> 
> Microsoft has a new product coming out that makes the company LAN wide
> open to intruders. Read all about it at
> http://techweb.cmp.com:80/techweb/crn/sections/columnist/portia17.htm
> 
What bothers me most is not the risks associated with the product
or the protocol(s) involved, but the "firewalls are installed by
anal-retentive spoil-sports to prevent you from playing with neat
toys, but here's the work-around" part.

Just my $0.02

Michel Lavondes (lavondes@tidtest.total.fr)
#include <disclaimer.h>
Governments are guilty until proved innocent

From firewalls-owner  Wed Aug  7 08:28:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA17685 for firewalls-outgoing; Wed, 7 Aug 1996 08:10:19 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA17667 for <Firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 08:10:03 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id KAA13843; Wed, 7 Aug 1996 10:10:04 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma005762; Wed Aug  7 10:02:44 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA10278; Wed, 7 Aug 1996 10:02:44 -0500
Received: by sonic.nmti.com; id AA32528; Wed, 7 Aug 1996 10:02:42 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608071502.AA32528@sonic.nmti.com.nmti.com>
Subject: Re: Security:  Java vs ActiveX (Part 2)
To: mdr@vodka.sse.att.com
Date: Wed, 7 Aug 1996 10:02:42 -0500 (CDT)
Cc: Russ.Cooper@RC.Toronto.on.ca, Firewalls@GreatCircle.COM
In-Reply-To: <199608062216.RAA14168@ihig2.att.att.com> from "mdr@vodka.sse.att.com" at Aug 6, 96 06:24:08 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> file.  Another potential policy would be to restrict a documents
> macros to the document itself.  The idea has merit.

Another would be to have the primitive "open file for writing" always
present the user with a file selection dialog (browser). The mechanism
Safe Tcl uses is that there is no open file primitive. File opening is
handled outside the secured interpreter and open files are passed in
at the direction of the surrounding application.

> All levels are attackable -- that's why we need more than one.
> Believe me I wish the most popular desktop OS's were secure.   I
> recently posted to sci.crypt an article entitled "castles in the
> clouds" pondering if encryption were ultimately useful without the
> foundation of securing the workstation.

I don't read that group. I'd be interested in seeing this article if
you don't mind sending me a copy.

> I'd like to say "run only signed applets running in a VM running in a
> sandbox on a secure server", but I can't point to a commercial
> implementation.    Perhaps a UNIX browser running chrooted or on a
> secure UNIX -- but most users want PC's

Chroot isn't good enough because network access doesn't go through the UNIX
security layer (the file system).

Personally I'd like to extend the client-server model into my PC. So my word
processor would accept already opened files from the browser, and talk to my
display server, and my file server and so on, through similar channels. So if
you wanted to create a "jail" you'd simply start up the word processor with
a proxy between it and the file system or between it and the real file
system, and let the proxy implement whatever policy it wanted.

The big problem is that the communication channels would need to be simple
enough to encourage the development of proxies by hobbyists, with a relatively
small number of messages and an ability to test-drive an interface easily
without breaking everything. The Amiga operating system did a pretty good
job of this, but it had absolutely no security so an application could go
around it with little trouble. Plan 9 is an interesting model, too, but of
course it doesn't play well in single computers.

From firewalls-owner  Wed Aug  7 08:47:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18673 for firewalls-outgoing; Wed, 7 Aug 1996 08:24:31 -0700 (PDT)
Received: from gumby.dsd.TRW.COM (gumby.dsd.TRW.COM [129.193.72.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA18666 for <Firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 08:24:25 -0700 (PDT)
Received: from avitale.sp.TRW.COM by gumby.dsd.TRW.COM (4.1/SMI-4.1)
	id AA02213; Wed, 7 Aug 96 08:24:12 PDT
From: avv@gumby.sp.TRW.COM (Anthony V. Vitale)
To: Firewalls@GreatCircle.COM
Subject: CERN V3.0A Release Notes
Date: Wed, 07 Aug 1996 15:23:17 GMT
Organization: TRW
Reply-To: avv@gumby.sp.TRW.COM
Message-Id: <3208b0e0.70194425@gumby.sp.trw.com>
X-Mailer: Forte Agent .99e/32.227
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thank you very much to all those who responded to my query for the release notes
to the CERN httpd V3.0A.

 If you have not already found them, they can be found at the follownig URL:

       http://www.w3.org/pub/WWW/Daemon/User/ReleaseNotes.html

Anthony
-------------------------------------------------------------------------
Anthony V. Vitale       "The opinions expressed are entirely those of the
avv@gumby.sp.trw.com     the author."
-------------------------------------------------------------------------

From firewalls-owner  Wed Aug  7 09:12:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA21596 for firewalls-outgoing; Wed, 7 Aug 1996 09:04:46 -0700 (PDT)
Received: from cannon.ecf.toronto.edu (cannon.ecf.toronto.edu [128.100.8.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA21532 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 09:04:24 -0700 (PDT)
Received: by cannon.ecf.toronto.edu id <9791>; Wed, 7 Aug 1996 12:04:12 -0400
From: Steve Kotsopoulos <steve@ecf.toronto.edu>
To: firewalls@greatcircle.com
In-Reply-To: <32066928.1297@us.checkpoint.com>
References: <199608021813.OAA25474@phoenix.iss.net>
Organization: University of Toronto, Engineering Computing Facility
Subject: Re: Info World Firewall Articles
Message-Id: <96Aug7.120412edt.9791@cannon.ecf.toronto.edu>
Date: 	Wed, 7 Aug 1996 12:04:11 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <32066928.1297@us.checkpoint.com> Barbara Jaarsma wrote:
>The following is Checkpoint's official response to your query re: the=20
>InfoWorld article.  -Barb
>
>Dear Check Point Resellers & Customers,
>
>A product comparison of firewall products which included CheckPoint
>FireWall-1 appeared in the July 29 issue of InfoWorld magazine.  While
>the review was overall highly favorable, it incorrectly stated that
>during the system boot process, the system is vulnerable to attack.  We
>would like to assure you that this information is inaccurate and that we
>reached agreement with InfoWorld to print a correction in next week=92s
>issue.
>
>During the testing process, the InfoWorld reviews staff did not follow
>the company=92s recommended boot procedures which are specified on=20
>pages 16-3 and 16-4 in the in the CheckPoint FireWall-1 user manual. =20
>When installing the product, the publication=92s reviews staff did not=20
>turn off the IP forwarding function.

I would seriously question the security of a firewall that
has IP forwarding turned on by default, and requires you to
DO SOMETHING to turn it off. Common wisdom would have it disabled by
default (at least), or even rip the code out from the kernel (preferred).

Most Unix systems are unfortunately insecure out of the box.
We should expect all good firewalls to be highly secure out of the box.
-- 
Steve Kotsopoulos  M.Eng.                         steve@ecf.toronto.edu
Systems Analyst   Engineering Computing Facility, University of Toronto
http://www.ecf.toronto.edu/~steve/

From firewalls-owner  Wed Aug  7 09:26:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA22576 for firewalls-outgoing; Wed, 7 Aug 1996 09:17:14 -0700 (PDT)
Received: from ns1.eds.com (ns1.eds.com [192.85.154.78]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA22569 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 09:17:04 -0700 (PDT)
Received: by ns1.eds.com (hello)
	id MAA18202; Wed, 7 Aug 1996 12:16:56 -0400
Received: from plan9.itp.eds.com (plan9.itp.eds.com [204.230.136.185]) by nnsa.eds.com (8.7.5/8.7.3) with ESMTP id MAA03840 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 12:16:25 -0400 (EDT)
Received: from josh.itp.eds.com (josh.itp.eds.com [204.230.136.189]) by plan9.itp.eds.com (8.6.12/8.6.9) with SMTP id MAA11151 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 12:25:00 -0400
Message-Id: <1.5.4.32.19960807161909.006ae8ac@mail.itp.eds.com>
X-Sender: josh@mail.itp.eds.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 07 Aug 1996 12:19:09 -0400
To: firewalls <firewalls@GreatCircle.COM>
From: Joshua Cole <josh@itp.eds.com>
Subject: Re: Intelligent networks
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Malcolm Melville wrote:
>>The questions were as follows:
>>Do intelligent networks aid network managers in the quest for a secure
>>environment within the internet? 
>>Which service providers offer such networks and how is the security specified
>>and guaranteed? (Since we are in the UK I guess this may be unanswerable
by >>and large.)

Paul Ferguson wrote:
>What the heck is an 'intelligent' network?
>
>Or rather, what the heck is an 'unintelligent' network?

A network is only as intelligent as the way it's been designed and
implemented. It's a combination of the path determination software running
on the devices and within the protocols that make up the network. It's the
policies that dictate how and where the traffic is to flow. The security
implications of all of this are no more and no less complex than policy
enforcement in today's network security world.

Who provides a service that "guarantees" network security? No one, I hope -
there is no guarantee, only steps to lower your exposure. How is it
specified, well, it stands to reason that the service provider would (read:
should) ask you what your policies are, or help you to develop them.

I hope that this helps! Maybe ITU will start a committee to define
"intelligent networks" for us poor souls who don't muck in "marketing bravo
sierra" (I like that phrase). ;-)

--Joshua Cole


From firewalls-owner  Wed Aug  7 10:05:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA24907 for firewalls-outgoing; Wed, 7 Aug 1996 09:33:16 -0700 (PDT)
Received: from vtserf.cc.vt.edu (vtserf.CC.VT.EDU [128.173.4.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA24869 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 09:33:05 -0700 (PDT)
From: marchany@vtserf.cc.vt.edu
Received: by vtserf.cc.vt.edu (5.65/DEC-Ultrix/4.3)
	id AA06903; Wed, 7 Aug 1996 12:32:55 -0400
Message-Id: <9608071632.AA06903@vtserf.cc.vt.edu>
To: Steve Kotsopoulos <steve@ecf.toronto.edu>
Cc: firewalls@greatcircle.com, marchany@vtserf.cc.vt.edu
Subject: Re: Info World Firewall Articles  
In-Reply-To: Your message of "Wed, 07 Aug 96 12:04:11 EDT."
             <96Aug7.120412edt.9791@cannon.ecf.toronto.edu> 
Date: Wed, 07 Aug 96 12:32:49 -0400
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Most Unix systems are unfortunately insecure out of the box.
>We should expect all good firewalls to be highly secure out of the box.

I agree 100%. The true test of a firewall package is to see what it does when 
you DON't follow the vendor recommended procedures. How does it handle stupid 
user tricks? What state does it leave your network when something like that 
happens? There's a gap between the people who really read the instructions and those who 
just scan the instructions. Unfortunately, I believe the scanners outnumber the 
readers...:-).


	-Randy Marchany
	VA Tech Computing Center
	Blacksburg, VA 24060.

From firewalls-owner  Wed Aug  7 10:14:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA25950 for firewalls-outgoing; Wed, 7 Aug 1996 09:39:04 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA25908 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 09:38:49 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0HQ1S005 Wed, 07 Aug 96 12:36:58 
Message-ID: <9608071236.0HQ1S00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Wed, 07 Aug 96 12:36:58 
Subject: Icmp originator
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I was watching a machine 159.226.45.61 try to use ICMP redirects to
get a firewall to redirect its mail through his 159.x.x.x machine to 
the mails destination   The redirects didnt work but what was interesting 
was that the machine 159.226.45.61 somehow got through or around a router 
in front of the firewall that was explicitly set up to block ICMP 
redirects to the subnet the firewall is on 

Does anyone know who this 159 machine belongs to

Does anyone know if it is possible to tunnel ICMP redirects through a
router that is set up to block them
                                                 

From firewalls-owner  Wed Aug  7 10:43:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28261 for firewalls-outgoing; Wed, 7 Aug 1996 09:54:43 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA28214 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 09:54:17 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0I3L6006 Wed, 07 Aug 96 12:53:02 
Message-ID: <9608071253.0I3L600@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Wed, 07 Aug 96 12:53:02 
Subject: Authentication
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I hear that some companies have a problem with e-mail sent from web browsers
used by internal users   When the mail is sent from the web browser there 
is no way that the addressees can tell if it really came from the person
whose name is given as the sender   This is a sharp contrast with the
corporate mail mail system where the sender is authenticated

Consider the following message

To Mailing List, Accounts Division
>From Help Desk

The Help Desk is trying to identify performance problems in the backend
database of the accounting system   It is important for users to cooperate
with us in identifying the cause of this problem  The Help Desk may contact
you and ask for your user id and password as they try to pin down the 
problem affecting particular users    We apologize for this inconvenience
and we are very grateful for your assistance
                                                  Help Desk

Of course the person who phones the users in Accounts Division does not
work for the Help Desk   In fact they dont even work for the same company

1)   If some users are using Netscape to send mail while others are using
cc:Mail how can this kind of scenario be prevented?

2)   Someone said that SmartGate from V-One could be run on a TIS Gauntlet
to provide authentication of messages from web clients   True or false?

                                                 PoT_LiCkEr

From firewalls-owner  Wed Aug  7 11:46:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA08702 for firewalls-outgoing; Wed, 7 Aug 1996 11:28:24 -0700 (PDT)
Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA08683 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 11:28:15 -0700 (PDT)
Received: from bass.com. by anchorsteam (SMI-8.6/SMI-SVR4)
	id OAA04651; Wed, 7 Aug 1996 14:23:55 -0400
Received: by bass.com. (SMI-8.6/SMI-SVR4)
	id OAA01385; Wed, 7 Aug 1996 14:27:14 -0400
Date: Wed, 7 Aug 1996 14:27:14 -0400
From: jonesmd@unifiedtech.com (Mike Jones)
Message-Id: <199608071827.OAA01385@bass.com.>
To: steve@ecf.toronto.edu, marchany@vtserf.cc.vt.edu
Subject: Re: Info World Firewall Articles
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Randy Marchany writes...
>Steve Kotsopoulos writes...
> >Most Unix systems are unfortunately insecure out of the box.
> >We should expect all good firewalls to be highly secure out of the box.
> I agree 100%. The true test of a firewall package is to see what it does when 
> you DON't follow the vendor recommended procedures. How does it handle stupid 
> user tricks? What state does it leave your network when something like that 
> happens? There's a gap between the people who really read the instructions and those who 
> just scan the instructions. Unfortunately, I believe the scanners outnumber the 
> readers...:-).

I'm sorry, I disagree 100%. There are dabblers, and there are professionals.
Dabblers always just scan the instructions. Professionals do, too, but
they know when they need to go back and read them. If you don't follow
the recommended procedures, you assume some of the responsibility for the
consequenses. Or would you rather all UNIX systems shipped with a random
root password so you don't have to worry about forgetting to set one?

--
	Mike.Jones@unifiedtech.com
Make no mistake about it: Operation Desert Storm truly was a victory
of good over evil, of freedom over tyranny, of peace over war.
	- Dan Quayle, in remarks at Arlington National Cemetary

From firewalls-owner  Wed Aug  7 11:53:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA08418 for firewalls-outgoing; Wed, 7 Aug 1996 11:24:50 -0700 (PDT)
Received: from bywater.songbird.com (songbird.com [206.14.4.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA08269 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 11:24:24 -0700 (PDT)
Received: (from kent@localhost) by bywater.songbird.com (8.6.9/8.6.9) id LAA17563; Wed, 7 Aug 1996 11:23:02 -0700
From: Kent Crispin <kent@bywater.songbird.com>
Message-Id: <199608071823.LAA17563@bywater.songbird.com>
Subject: Re: Icmp originator
To: potlicker@morebbs.com
Date: Wed, 7 Aug 1996 11:23:02 -0700 (PDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9608071236.0HQ1S00@morebbs.com> from "potlicker@morebbs.com" at Aug 7, 96 12:36:58 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

potlicker@morebbs.com allegedly said:
> 
> 
> I was watching a machine 159.226.45.61 try to use ICMP redirects to
> get a firewall to redirect its mail through his 159.x.x.x machine to 
> the mails destination   The redirects didnt work but what was interesting 
> was that the machine 159.226.45.61 somehow got through or around a router 
> in front of the firewall that was explicitly set up to block ICMP 
> redirects to the subnet the firewall is on 
> 
> Does anyone know who this 159 machine belongs to

Perhaps
B/home/kent[6]whois 159.226
[rs.internic.net]
The Computer Network Center Chinese Academy of Sciences (NET-NCFC)
   P.O. Box 2704-10,
   Institute of Computing Technology Chinese Academy of Sciences
   Beijing 100080, China

   Netname: NCFC
   Netnumber: 159.226.0.0

   Coordinator:
      Qian, Haulin  (QH3)  hlqian@NS.CNC.AC.CN
      +86 1 2569960

   Domain System inverse mapping provided by:

   NS.CNC.AC.CN                 159.226.1.1
   GINGKO.ICT.AC.CN             159.226.40.1

   Record last updated on 25-Jul-94.

Certainly very curious, if true.

> Does anyone know if it is possible to tunnel ICMP redirects through a
> router that is set up to block them
>                                                  
> 


-- 
Kent Crispin				"No reason to get excited",
kent@songbird.com			the thief he kindly spoke...
kc@llnl.gov	5A 16 DA 04 31 33 40 1E  87 DA 29 02 97 A3 46 2F

From firewalls-owner  Wed Aug  7 12:12:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA10735 for firewalls-outgoing; Wed, 7 Aug 1996 11:48:51 -0700 (PDT)
Received: from telxon (telxon.mis.telxon.com [149.23.2.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA10653 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 11:48:19 -0700 (PDT)
Received: from exchange.mis.telxon.com by telxon (SMI-8.6/SMI-SVR4)
	id OAA03073; Wed, 7 Aug 1996 14:48:23 -0400
Received: by exchange.mis.telxon.com with Microsoft Exchange (IMC 4.0.838.14)
	id <01BB846F.92F50CB0@exchange.mis.telxon.com>; Wed, 7 Aug 1996 14:49:02 -0400
Message-ID: <c=US%a=_%p=TELXON%l=EXCHANGE-960807184900Z-774@exchange.mis.telxon.com>
From: "Wojno, Jim" <jwojn@telxon.com>
To: "'firewalls@greatcircle.com'" <firewalls@greatcircle.com>
Subject: RE: Another wide-open security hole from Microsoft 
Date: Wed, 7 Aug 1996 14:49:00 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Begin included text from Michel Lavondes..............................

>What bothers me most is not the risks associated with the product
>or the protocol(s) involved, but the "firewalls are installed by
>anal-retentive spoil-sports to prevent you from playing with neat
>toys, but here's the work-around" part.

End included
text...................................................................

Amen to that. I noticed that right after giving this "expert advise",
the author mentions that "Even Microsoft is still locked inside its
firewall, which doesn't support T.120 and H.323 yet." Hello! Anybody
home? 

I would think that any reasonably intelligent person would look at this
and say," Humm, Microsoft made it, but won't let it through their
firewall. I suppose there's a good reason for that."

Oh well, these are the same folks who will be paying a *huge* invoice
for consulting work, once someone trashes their systems, so I guess I
should be thankful. :-).

Jim Wojno
Systems Administrator
Telxon Corporation
jwojn@telxon.com


From firewalls-owner  Wed Aug  7 12:23:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA11538 for firewalls-outgoing; Wed, 7 Aug 1996 11:57:32 -0700 (PDT)
Received: from lintjr.cisco.com (lintjr.cisco.com [171.68.223.45]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA11519 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 11:57:24 -0700 (PDT)
Received: (karyn@localhost) by lintjr.cisco.com (8.6.12/CISCO.SERVER.1.1) id LAA21941; Wed, 7 Aug 1996 11:56:40 -0700
From: Karyn Pichnarczyk <karyn@cisco.com>
Message-Id: <199608071856.LAA21941@lintjr.cisco.com>
Subject: Re: Authentication
To: potlicker@morebbs.com
Date: Wed, 7 Aug 1996 11:56:40 -0700 (PDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9608071253.0I3L600@morebbs.com> from "potlicker@morebbs.com" at Aug 7, 96 12:53:02 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


 > I hear that some companies have a problem with e-mail sent from web browsers
 > used by internal users   When the mail is sent from the web browser there 
 > is no way that the addressees can tell if it really came from the person
 > whose name is given as the sender   This is a sharp contrast with the
 > corporate mail mail system where the sender is authenticated

I believe that your comment that corporate mail is authenticated is in
error.  What system are you using that authenticates the sender?  I
don't know of any company that has *guaranteed* authentication of
senders.  If you have it, I'd like to know how you have accomplished
it. 

I say this because this is not merely a "email sent from browsers"
problem, it is a problem with any kind of email in general.  You can
fake the "from" line in virtually ANY mail program, but some are more
amenable to fakage than others (the user interface to change your
"From" line is nicer, AND you don't have to be logged in to a specific
account to send a message).  Netscape is not the only program that
makes this easy; Eudora makes this simple as well.  This is one of the
main reasons why PGP is around: to encrypt but to also AUTHENTICATE
the sender.

karyn


From firewalls-owner  Wed Aug  7 12:40:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA10746 for firewalls-outgoing; Wed, 7 Aug 1996 11:48:56 -0700 (PDT)
Received: from sumsun9.bellcore.com (sumsun9.bellcore.com [192.4.7.151]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA10687 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 11:48:30 -0700 (PDT)
Received: from sumsun9 (localhost [127.0.0.1]) by sumsun9.bellcore.com (8.6.9/8.6.10) with ESMTP id OAA04993 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 14:48:11 -0400
Message-Id: <199608071848.OAA04993@sumsun9.bellcore.com>
To: firewalls@greatcircle.com
Subject: Re: Info World Firewall Articles 
In-reply-to: Your message of "Wed, 07 Aug 1996 12:32:49 EDT."
             <9608071632.AA06903@vtserf.cc.vt.edu> 
Date: Wed, 07 Aug 1996 14:48:09 -0400
From: "David M. Martin Jr." <dm@bellcore.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your message dated: Wed, 07 Aug 1996 12:32:49 EDT
> >Most Unix systems are unfortunately insecure out of the box.
> >We should expect all good firewalls to be highly secure out of the box.
> 
> I agree 100%. The true test of a firewall package is to see what it does when
> you DON't follow the vendor recommended procedures. How does it handle stupid
> user tricks? What state does it leave your network when something like that 
> happens? There's a gap between the people who really read the instructions an
>d those who 
> just scan the instructions. Unfortunately, I believe the scanners outnumber t
>he 
> readers...:-).

I'll agree, sort of: software that's hard to configure incorrectly is
better than software that's easy to configure incorrectly.

But puh-lease, we're talking about a $18,000 piece of software that touches
every packet in or out of a network!  I think it's fair to require an
installer to read the manual, and even---shudder---to require that they
follow its (apparently loud) instructions if they want the software to
work.

Again: foolproof indeed GOOD; installing extravagant expensive network
bottleneck without reading its instructions BAD.  (And, not completely
foolproof combined with "I know how this thing works"-type-testers who
don't read the manual because they're on a deadline UNFORTUNATE.)

From firewalls-owner  Wed Aug  7 12:53:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA16586 for firewalls-outgoing; Wed, 7 Aug 1996 12:37:29 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA16473 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 12:36:59 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
	id AA01025; Wed, 7 Aug 1996 12:38:18 -0700
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA13656; Wed, 7 Aug 96 12:37:00 PDT
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
	id AA25811; Wed, 7 Aug 1996 12:36:53 -0700
Message-Id: <9608071936.AA25811@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
  349BB29A98D19E8D8825637F006B9524; Wed,  7 Aug 96 12:36:52 EDT
To: Steve Kotsopoulos <steve@sybase.com>
Cc: firewalls <firewalls@sybase.com>
From: Ryan Russell/SYBASE
  <Ryan.Russell@sybase.com>
Date:  7 Aug 96 12:37:36 EDT
Subject: Re: Info World Firewall Articles
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It might be nice if the Firewall-1 install program 
prompted you to make the change, or automatically
made it for you.

However, the IP forwarding thing is Sun's fault, not Checkpoint's.

Yes, a Sun machine will automatically forward packets
for you, even if it only has one interface.

     Ryan

---------- Previous Message ----------
To: firewalls
cc: 
From: steve @ ecf.toronto.edu (Steve Kotsopoulos) @ smtp
Date: 08/07/96 12:04:11 PM
Subject: Re: Info World Firewall Articles

In article <32066928.1297@us.checkpoint.com> Barbara Jaarsma wrote:
>The following is Checkpoint's official response to your query re: the=20
>InfoWorld article.  -Barb
>
>Dear Check Point Resellers & Customers,
>
>A product comparison of firewall products which included CheckPoint
>FireWall-1 appeared in the July 29 issue of InfoWorld magazine.  While
>the review was overall highly favorable, it incorrectly stated that
>during the system boot process, the system is vulnerable to attack.  We
>would like to assure you that this information is inaccurate and that we
>reached agreement with InfoWorld to print a correction in next week=92s
>issue.
>
>During the testing process, the InfoWorld reviews staff did not follow
>the company=92s recommended boot procedures which are specified on=20
>pages 16-3 and 16-4 in the in the CheckPoint FireWall-1 user manual. =20
>When installing the product, the publication=92s reviews staff did not=20
>turn off the IP forwarding function.

I would seriously question the security of a firewall that
has IP forwarding turned on by default, and requires you to
DO SOMETHING to turn it off. Common wisdom would have it disabled by
default (at least), or even rip the code out from the kernel (preferred).

Most Unix systems are unfortunately insecure out of the box.
We should expect all good firewalls to be highly secure out of the box.
-- 
Steve Kotsopoulos  M.Eng.                         steve@ecf.toronto.edu
Systems Analyst   Engineering Computing Facility, University of Toronto
http://www.ecf.toronto.edu/~steve/




From firewalls-owner  Wed Aug  7 12:55:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA16091 for firewalls-outgoing; Wed, 7 Aug 1996 12:34:44 -0700 (PDT)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA16063 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 12:34:33 -0700 (PDT)
Received: by relay.ashton.csc.com; id PAA01617; Wed, 7 Aug 1996 15:36:18 -0400
Received: from ckostick.sed.csc.com(20.2.53.154) by relay.ashton.csc.com via smap (g3.0.1)
	id sma001615; Wed, 7 Aug 96 15:35:53 -0400
Received: by ckostick.sed.csc.com with Microsoft Mail
	id <01BB8475.C813C700@ckostick.sed.csc.com>; Wed, 7 Aug 1996 15:33:28 -0400
Message-ID: <01BB8475.C813C700@ckostick.sed.csc.com>
From: Chris Kostick <ckostick@csc.com>
To: "'Mike Jones'" <jonesmd@unifiedtech.com>
Cc: "firewalls@GreatCircle.COM" <firewalls@GreatCircle.COM>
Subject: Firewall Installation (was RE: Info World Firewall Articles)
Date: Wed, 7 Aug 1996 15:33:26 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike Jones[SMTP:jonesmd@unifiedtech.com] wrote:
> Randy Marchany writes...
> >Steve Kotsopoulos writes...
> > >Most Unix systems are unfortunately insecure out of the box.
> > >We should expect all good firewalls to be highly secure out of the box.
> > I agree 100%. The true test of a firewall package is to see what it does when 
> > you DON't follow the vendor recommended procedures. How does it handle stupid 
> > user tricks? What state does it leave your network when something like that 
> > happens? There's a gap between the people who really read the instructions and those who 
> > just scan the instructions. Unfortunately, I believe the scanners outnumber the 
> > readers...:-).
> 
> I'm sorry, I disagree 100%. There are dabblers, and there are professionals.
> Dabblers always just scan the instructions. Professionals do, too, but
> they know when they need to go back and read them. If you don't follow
> the recommended procedures, you assume some of the responsibility for the
> consequenses.

Think about the difference between a router and a commercial firewall. A router will
allow all traffic through by default and an administrator will selectively filter
everything out. A firewall (in theory anyway based on this thread) will have all services
turned off so that an administrator will selectively turn things on. So, why not
have a firewall install *highly* secure and have it changed later. The firewall should
take care operating system bugs and flaws, and if you want the bug back, you have to
do it yourself.

A recent example of this for myself was the difference I noticed when installing DEC's
AltaVista Firewall for NT and Firewall-1's NT version. AltaVista popped a little
box saying it was removing all services unless I disagreed. Firewall-1 just installed
without regard to what was already loaded or running. As it turned out, the NT box
that Firewall-1 loaded on had SNMP already running. Imagine my surprise when I was
probing the services and found it running. Even when it was explicitly filtered!

> Or would you rather all UNIX systems shipped with a random
> root password so you don't have to worry about forgetting to set one?

Don't tempt me, I might like this idea if I thought about it long enough. :)

--
chris


From firewalls-owner  Wed Aug  7 13:30:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22385 for firewalls-outgoing; Wed, 7 Aug 1996 13:12:57 -0700 (PDT)
Received: from manukau.govt.nz ([202.14.82.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA22378 for <Firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 13:12:49 -0700 (PDT)
Received: by kotuku.manukau.govt.nz id <35720>; Thu, 8 Aug 1996 08:48:23 +1200
Message-Id: <96Aug8.084823nzst.35720@kotuku.manukau.govt.nz>
From: Matthew Thompson <mthomps1@kiwitech.co.nz>
To: "Firewalls@GreatCircle.COM" <Firewalls@GreatCircle.COM>,
        "'Bill Stout'" <bill.stout@hidata.com>
Subject: RE: NT 4.0 beta bypasses NT security
Date: Fri, 9 Aug 1996 02:59:33 +1200
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>Warning to the list - NT 4.0 beta CDs _may_ allow unauthorized access
>to NT systems!

MS-DOS (via the debug utility) allows unauthorised access to NT systems, be 
sure to make sure to lock up all copies of MS-DOS in the world as well, (or 
lock up the NT box)





From firewalls-owner  Wed Aug  7 14:52:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA01390 for firewalls-outgoing; Wed, 7 Aug 1996 14:14:49 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA01324 for <firewalls@miles>; Wed, 7 Aug 1996 14:14:30 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
	id OAA09602; Wed, 7 Aug 1996 14:06:17 -0700
From: jminie@earthlink.net
Received: from greece-c.it.earthlink.net(206.85.92.38) by mycroft via smap (V1.3mjr)
	id sma009591; Wed Aug  7 14:05:34 1996
Received: from default (pool055.Max1.St-Louis.MO.DYNIP.ALTER.NET [153.37.140.55]) by greece.it.earthlink.net (8.7.5/8.7.3) with SMTP id OAA26952 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 14:04:18 -0700 (PDT)
Message-Id: <2.2.32.19960807210742.00697ca4@earthlink.net>
X-Sender: jminie@earthlink.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 07 Aug 1996 16:07:42 -0500
To: firewalls@greatcircle.com
Subject: Re: Info World Firewall Articles
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> >Most Unix systems are unfortunately insecure out of the box.
>> >We should expect all good firewalls to be highly secure out of the box.

>> I agree 100%. The true test of a firewall package is to see what it does
when 
>> you DON't follow the vendor recommended procedures. How does it handle
stupid 
>> user tricks? What state does it leave your network when something like that 
>> happens? There's a gap between the people who really read the
instructions and those who 
>> just scan the instructions. Unfortunately, I believe the scanners
outnumber the 
>> readers...:-).
>
>I'm sorry, I disagree 100%. There are dabblers, and there are professionals.
>Dabblers always just scan the instructions. Professionals do, too, but
>they know when they need to go back and read them. If you don't follow
>the recommended procedures, you assume some of the responsibility for the
>consequenses. Or would you rather all UNIX systems shipped with a random
>root password so you don't have to worry about forgetting to set one?

We're aware of how insecure UNIX is natively.  The point here is that a
firewall should be as close to 100% secure as possible out-of-the-box,
removing the possibility that human intervention (or human NON-intervention,
for that matter) doesn't create or allow ANY holes for ANY length of time.

A couple of UNIX-based firewall vendors DO address the issue of the
non-secure kernel.  If kernel insecurity is addressed at the vendor level,
(i.e. - the guys making the money) the argument about customer-level
'professional' versus 'scanner' firewall users should be non-existent.  I
truly believe in the concept that, without a hardened kernel there is no way
to guarantee a truly secure firewall.

--jam


From firewalls-owner  Wed Aug  7 14:53:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04414 for firewalls-outgoing; Wed, 7 Aug 1996 14:37:43 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA02317 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 14:21:44 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0)
	with ESMTP id RAA10999; Wed, 7 Aug 1996 17:21:29 -0400 (EDT) sender long-morrow@CS.YALE.EDU for 
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0)
	id RAA20787; Wed, 7 Aug 1996 17:21:26 -0400 (EDT)
Date: Wed, 7 Aug 1996 17:21:26 -0400 (EDT)
Message-Id: <199608072121.RAA20787@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, potlicker@morebbs.com
Subject: Re:  Authentication
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


potlicker@morebbs.com wrote:
>I hear that some companies have a problem with e-mail sent from web browsers
>used by internal users   When the mail is sent from the web browser there 
>is no way that the addressees can tell if it really came from the person
>whose name is given as the sender   This is a sharp contrast with the
>corporate mail mail system where the sender is authenticated

You can use a standard telnet client (connect to an intranet or Internet
SMTP server and type in a few SMTP commands and the body of a message
followed by a period on a line all by itself) to do the same thing.

- Morrow


From firewalls-owner  Wed Aug  7 15:15:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA00136 for firewalls-outgoing; Wed, 7 Aug 1996 14:02:15 -0700 (PDT)
Received: from manukau.govt.nz ([202.14.82.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA29969 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 14:01:42 -0700 (PDT)
Received: by kotuku.manukau.govt.nz id <35717>; Thu, 8 Aug 1996 09:37:12 +1200
Message-Id: <96Aug8.093712nzst.35717@kotuku.manukau.govt.nz>
From: Matthew Thompson <mthomps1@kiwitech.co.nz>
To: "'Mike Jones'" <jonesmd@unifiedtech.com>,
        "'Chris Kostick'" <ckostick@csc.com>
Cc: "firewalls@GreatCircle.COM" <firewalls@GreatCircle.COM>
Subject: RE: Firewall Installation (was RE: Info World Firewall Articles)
Date: Fri, 9 Aug 1996 09:01:40 +1200
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


> Or would you rather all UNIX systems shipped with a random
> root password so you don't have to worry about forgetting to set one?

Yes, and don't tell the customer what it is, That'll slow down the 
configuration by a few minutes while someone removes the root password from 
the box, an give the customer a good practical demonstration of how secure 
their system really is when someone has physical access to it. The 
techniques to do this are simple, quick and would become well known in a 
short space of time.





From firewalls-owner  Wed Aug  7 15:23:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26204 for firewalls-outgoing; Wed, 7 Aug 1996 13:37:08 -0700 (PDT)
Received: from balder-int.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA26141 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 13:36:47 -0700 (PDT)
Received: by balder-int.ssds.com; id AA09294; Wed, 7 Aug 96 14:36:36 MDT
Received: from austin.ssds.com(134.127.24.1) by balder.ssds.com via smap (V3.1.1)
	id xma009288; Wed, 7 Aug 96 14:36:22 -0600
Received: by austin.ssds.com id PAA00402; Wed, 7 Aug 1996 15:36:58 -0500 (CDT)
Message-Id: <2.2.32.19960807213550.006b73dc@austin.ssds.com>
X-Sender: jdm@austin.ssds.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 07 Aug 1996 16:35:50 -0500
To: Michel Lavondes <lavondes@tidtest.total.fr>,
        Michael Dillon <michael@memra.com>
From: Jeff Maddox <jeff.maddox@ssds.com>
Subject: Re: Another wide-open security hole from Microsoft 
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why? It looks accurate to me and, in fact, I think I'll get a T-shirt made
with that as my logo.

DATA SECURITY
ANAL-RETENTIVE SPOIL-SPORTS WHO WANT TO PREVENT YOUR PLAYING WITH NEAT TOYS
THAT WILL PROBABLY KILL YOU.

BLACK ICE IS COMMING! SOON!


At 04:05 PM 8/7/96 +0100, Michel Lavondes wrote:
>
>In message <Pine.BSI.3.93.960803112618.26549A-100000@sidhe.memra.com>, Michael 
>Dillon writes:
>> 
>> Microsoft has a new product coming out that makes the company LAN wide
>> open to intruders. Read all about it at
>> http://techweb.cmp.com:80/techweb/crn/sections/columnist/portia17.htm
>> 
>What bothers me most is not the risks associated with the product
>or the protocol(s) involved, but the "firewalls are installed by
>anal-retentive spoil-sports to prevent you from playing with neat
>toys, but here's the work-around" part.
>
>Just my $0.02
>
>Michel Lavondes (lavondes@tidtest.total.fr)
>#include <disclaimer.h>
>Governments are guilty until proved innocent
>
>

	There is no truly native american criminal class
         		except, of course, Congress
		        (Mark Twain)


Jeff Maddox
SSDS Inc., Austin
(Known Center Of The Universe) Galaxies Moved, Free Estimates 
3102 Bee Caves Rd Suite A
Austin, TX 78746
Phone   (512) 329-5731
FAX     (512) 329-5726
Pager   (800) 506-5617
E-Mail  jeff.maddox@ssds.com


From firewalls-owner  Wed Aug  7 16:23:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA15558 for firewalls-outgoing; Wed, 7 Aug 1996 16:17:39 -0700 (PDT)
Received: from zippy.radian.com (zippy.radian.com [129.160.16.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA15483 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 16:17:17 -0700 (PDT)
Received: from itchy.radian.com (itchy.radian.com [129.160.16.10]) by zippy.radian.com (8.6.12/8.6.5) with ESMTP id SAA14009; Wed, 7 Aug 1996 18:16:43 -0500
Received: by itchy.radian.com (SMI-8.6/SMI-SVR4)
	id SAA20829; Wed, 7 Aug 1996 18:13:22 -0500
From: rtwood@radian.com (Ryan Wood)
Message-Id: <199608072313.SAA20829@itchy.radian.com>
Subject: Re:  Authentication
To: long-morrow@CS.YALE.EDU
Date: Wed, 7 Aug 96 18:13:22 CDT
Cc: firewalls@GreatCircle.COM, potlicker@morebbs.com
In-Reply-To: <199608072121.RAA20787@SPARKY.CF.CS.YALE.EDU>; from "long-morrow@CS.YALE.EDU" at Aug 7, 96 5:21 pm
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> potlicker@morebbs.com wrote:
> >I hear that some companies have a problem with e-mail sent from web browsers
> >used by internal users   When the mail is sent from the web browser there 
> >is no way that the addressees can tell if it really came from the person
> >whose name is given as the sender   This is a sharp contrast with the
> >corporate mail mail system where the sender is authenticated
> 
> You can use a standard telnet client (connect to an intranet or Internet
> SMTP server and type in a few SMTP commands and the body of a message
> followed by a period on a line all by itself) to do the same thing.
> 
> - Morrow

Correct me if I'm wrong (and the way today has been going, I probably
am), but the telnet to the SMTP port is traceable since the originating
host's IP address will be in the header.  Therefore it is possible to
identify a fake mail from that method.  Can the same be done for people
using the web browser to send fake mail?

Ryan
----
Ryan T. Wood, Scientist     |~~~~~\  /~~\  |~~~~~\ |~|  /~~\  |~\_|~| 
rtwood@radian.com           |  ~  / / /\ \ | [~_] || | / /\ \ | \ \ | 
(512) 419-5941              |_|~|_\/_|~~|_\|_____/ |_|/_|~~|_\|_|\__|
                           I  N  T  E  R  N  A  T  I  O  N  A  L,  LLC

All the opinions, typos, and errors are my own, not those of Radian!

Important Events:
   2 .. days till we close on the house, theoretically.
  17 .. days till the start of Aggie Football 1996, WHOOP!
 114 .. days till t.u. gets beat in football by A&M!!!!!

From firewalls-owner  Wed Aug  7 16:38:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA15445 for firewalls-outgoing; Wed, 7 Aug 1996 16:17:02 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA15437 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 16:16:54 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
	id AA11269; Wed, 7 Aug 1996 19:16:54 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
	id TAA11208; Wed, 7 Aug 1996 19:15:33 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199608072315.TAA11208@splinter.rtp.dg.com>
Subject: Re: Info World Firewall Articles
To: jonesmd@unifiedtech.com (Mike Jones)
Date: Wed, 7 Aug 1996 19:15:30 -0400 (EDT)
Cc: steve@ecf.toronto.edu, marchany@vtserf.cc.vt.edu,
        firewalls@greatcircle.com
In-Reply-To: <199608071827.OAA01385@bass.com.> from "Mike Jones" at Aug 7, 96 02:27:14 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This issue (proper installation and administration) is not unique to Unix
systems.  I can give you a perfectly secure system (no nits here please! :-)
and if it is not administered properly, it will not work.  Period.

To add to my list of misconceptions, a BIGGIE is that a single security
policy will work for a large proportion of the world.  Security policies
are composed of MUCH more than the configuration of the system.  They are
primarily dependent upon the makeup and mission of the organization.  One
size won't fit all.  If this fact is not recognized, then the site will
probably not be secure.

HOWEVER, there are some basic issues that should be dealt with by vendors
(including us, sigh ....).  These include:

   o  If the proper functioning of the firewall requires that an OS
      parameter have a certain value, then the installation procedure
      should ask to set it to thatr value, explaining the ramifications (or
      pointing you to the page that explains the ramification in the
      installation manual).

   o  Administration tools should embed the security specific knowledge
      into the management tools, and set up the system security policy
      based upon business considerations in a language that meer mortals
      can understand (would you guess that one of these is on the way??? :-)

> 
> Randy Marchany writes...
> >Steve Kotsopoulos writes...
> > >Most Unix systems are unfortunately insecure out of the box.
> > >We should expect all good firewalls to be highly secure out of the box.
> > I agree 100%. The true test of a firewall package is to see what it does when 
> > you DON't follow the vendor recommended procedures. How does it handle stupid 
> > user tricks? What state does it leave your network when something like that 
> > happens? There's a gap between the people who really read the instructions and those who 
> > just scan the instructions. Unfortunately, I believe the scanners outnumber the 
> > readers...:-).
> 
> I'm sorry, I disagree 100%. There are dabblers, and there are professionals.
> Dabblers always just scan the instructions. Professionals do, too, but
> they know when they need to go back and read them. If you don't follow
> the recommended procedures, you assume some of the responsibility for the
> consequenses. Or would you rather all UNIX systems shipped with a random
> root password so you don't have to worry about forgetting to set one?
> 
> --
> 	Mike.Jones@unifiedtech.com
> Make no mistake about it: Operation Desert Storm truly was a victory
> of good over evil, of freedom over tyranny, of peace over war.
> 	- Dan Quayle, in remarks at Arlington National Cemetary
> 


-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********

From firewalls-owner  Wed Aug  7 17:10:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA20036 for firewalls-outgoing; Wed, 7 Aug 1996 17:03:28 -0700 (PDT)
Received: from noc.belwue.de (noc.BelWue.DE [129.143.2.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA19712 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 17:00:51 -0700 (PDT)
Received: from info2.rus.uni-stuttgart.de (info2.rus.uni-stuttgart.de [129.69.18.15]) by noc.belwue.de with SMTP id BAA16344
  (8.6.13/IDA-1.6); Thu, 8 Aug 1996 01:58:14 +0200
Received: by info2.rus.uni-stuttgart.de (AIX 3.2/UCB 5.64/BelWue-1.3AIXRS) id AA39230; Thu, 8 Aug 1996 01:58:14 +0200
Message-Id: <9608072358.AA39230@info2.rus.uni-stuttgart.de>
Subject: Re: Authentication
To: rtwood@radian.com (Ryan Wood)
Date: Thu, 8 Aug 1996 01:58:13 +0200 (MST)
Cc: long-morrow@CS.YALE.EDU, firewalls@GreatCircle.COM, potlicker@morebbs.com
In-Reply-To: <199608072313.SAA20829@itchy.radian.com> from "Ryan Wood" at Aug 7, 96 06:13:22 pm
From: Helmut Springer <delta@RUS.Uni-Stuttgart.DE>
Organization: Stuttgart University, FRG
X-Pgp-Fingerprint: AE 42 C3 2C A1 3E 55 6D  B3 AC 3C D2 F3 CF FF E7
X-Phone:      +49 711 685-2003q
X-Fax:        +49 711 685-2043
X-Mailer: ELM [version 2.4 PL25 PGP6]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

Ryan Wood wrote:
> Correct me if I'm wrong (and the way today has been going, I probably
> am), but the telnet to the SMTP port is traceable since the originating
> host's IP address will be in the header.  Therefore it is possible to
> identify a fake mail from that method.  Can the same be done for people
> using the web browser to send fake mail?
the receiving sendmail doesn't see any difference between telnet or
web browser. 

it just logs the ip-address of the client (and maybe the result of 
an ident-lookup according to RFC1413) in the header. or it doesn't 
if old or misconfigured enough. 

regards
  delta

-- 
helmut 'delta' springer             Unix/Net Consulting, InfoSystems, StudBox
delta@RUS.Uni-Stuttgart.DE                          Stuttgart University, FRG
http://home.pages.de/~delta/
phone : +49 711 685-2003                    If you've got to do it,
FAX   : +49 711 685-2043                      do it with cold blood...

From firewalls-owner  Wed Aug  7 17:38:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA21489 for firewalls-outgoing; Wed, 7 Aug 1996 17:23:50 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA21298 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 17:20:28 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0uoIoi-000L4fC>; Thu, 8 Aug 96 02:19 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0uoIoi-001l65C>; Thu, 8 Aug 96 02:19 MET DST
Received: by lina
	id m0uoIcz-0004jUC
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 8 Aug 96 02:07 MET DST
Message-Id: <m0uoIcz-0004jUC@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Authentication
To: rtwood@radian.com (Ryan Wood)
Date: Thu, 8 Aug 1996 02:07:04 +0200 (MET DST)
Cc: long-morrow@CS.YALE.EDU, firewalls@GreatCircle.COM, potlicker@morebbs.com
In-Reply-To: <199608072313.SAA20829@itchy.radian.com> from "Ryan Wood" at Aug 7, 96 06:13:22 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> Correct me if I'm wrong (and the way today has been going, I probably
> am), but the telnet to the SMTP port is traceable since the originating
> host's IP address will be in the header.  Therefore it is possible to
> identify a fake mail from that method.  Can the same be done for people
> using the web browser to send fake mail?

Yes, of course. But usually you have PCs without userauthentification.
Therefore you only need to go to any PC and use telnet to fake mails
untraceable.

There is a solution, "XTEND XMIT" is a pop 3 anhancement where you can
'post' mails to the mailserver via an pop connection. Since the pop
connection is authentificated with a password, the sender can be rewritten
and therefore secure. (Of course POP passwords are usually not secure
against all kind of net snooping or trojans). 

Does anybody know a SSL-SMTP/POP client, which will do authentification and
privacy for mail-transfers? Even  netscape is missing that feature (I always
wonder why there is SSL-http but no SSL-POPd).

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner  Wed Aug  7 18:42:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA26314 for firewalls-outgoing; Wed, 7 Aug 1996 18:09:11 -0700 (PDT)
Received: from relay.hp.com (relay.hp.com [15.255.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id SAA26296 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 18:09:03 -0700 (PDT)
Received: from hpss0.sgp.hp.com by relay.hp.com with ESMTP
	(1.37.109.16/15.5+ECS 3.3) id AA130466544; Wed, 7 Aug 1996 18:09:05 -0700
Received: by hpss0.sgp.hp.com
	(1.37.109.16/15.5+ECS 3.3) id AA211638221; Thu, 8 Aug 1996 09:07:01 +0730
From: Mathew Lim <mbl@hpss0.sgp.hp.com>
Message-Id: <199608080137.AA211638221@hpss0.sgp.hp.com>
Subject: Re: Authentication
To: karyn@cisco.com (Karyn Pichnarczyk)
Date: Thu, 8 Aug 96 9:07:01 SST
Cc: potlicker@morebbs.com, firewalls@GreatCircle.COM
In-Reply-To: <199608071856.LAA21941@lintjr.cisco.com>; from "Karyn Pichnarczyk" at Aug 7, 96 11:56 am
Mailer: Elm [revision: 70.85]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> I believe that your comment that corporate mail is authenticated is in
> error.  What system are you using that authenticates the sender?  I
> don't know of any company that has *guaranteed* authentication of
> senders.  If you have it, I'd like to know how you have accomplished
> it. 
> 
Lotus Notes mail does authentication, authorisation and encryption based
on a user's ID (which is stored in a file and may be carried around - 
and lost :-( by the user). The problem, of course is that it is a closed
system - you need Lotus Notes at both ends to use these features.

--
Mathew Lim, Consultant                  | Tel    : +65 291 9088
Hewlett-Packard (Sales) Singapore       | DID    : +65 290 6495
150 Beach Road #29-00, Gateway West     | Fax    : +65 296 8864
Singapore 189720                        | e-mail : M.Lim@hpss0.sgp.hp.com

From firewalls-owner  Wed Aug  7 18:54:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA29194 for firewalls-outgoing; Wed, 7 Aug 1996 18:42:19 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id SAA29175 for firewalls@greatcircle.com; Wed, 7 Aug 1996 18:42:07 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA08339 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 15:20:35 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com
 (EMWAC SMTPRS 0.81) with SMTP id <B0000002669@www.steldyn.com>;
 Wed, 07 Aug 1996 16:26:37 -0600
Received: by juneau.steldyn.com with Microsoft Exchange (IMC 4.0.837.3)
	id <01BB847C.707AAE80@juneau.steldyn.com>; Wed, 7 Aug 1996 16:21:08 -0600
Message-ID: <c=US%a=_%p=Stellar_Dynamics%l=JUNEAU-960807222104Z-714@juneau.steldyn.com>
From: Chris Pugrud <ChrisP@steldyn.com>
To: "'potlicker@morebbs.com'" <potlicker@morebbs.com>,
        "'Karyn Pichnarczyk'"
	 <karyn@cisco.com>
Cc: Firewalls Mailing list <firewalls@greatcircle.com>
Subject: RE: Authentication
Date: Wed, 7 Aug 1996 16:21:04 -0600
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually some newer systems do make it difficult to spoof internally. 
mSexChange (err MS Exchange) allows you to change your "from" line, but
it checks and it will not let you change the from to an internal address
unless you have explicit permission to "Send As" that internal address.
On the other side Exchange has a nasty habit that if you fake mail
externally (as in SMTP spoofing) and the "From" address is internal, it
changes the "from" to the Internal friendly name.

six of one, half a dozen of the other... I guess that's progress ;->

Chris

>----------
>From: 	Karyn Pichnarczyk[SMTP:karyn@cisco.com]
>Sent: 	Wednesday, August 07, 1996 12:56 PM
>To: 	potlicker@morebbs.com
>Cc: 	Firewalls Mailing list
>Subject: 	Re: Authentication
>
>
> > I hear that some companies have a problem with e-mail sent from web
>browsers
> > used by internal users   When the mail is sent from the web browser
>there 
> > is no way that the addressees can tell if it really came from the
>person
> > whose name is given as the sender   This is a sharp contrast with
>the
> > corporate mail mail system where the sender is authenticated
>
>I believe that your comment that corporate mail is authenticated is in
>error.  What system are you using that authenticates the sender?  I
>don't know of any company that has *guaranteed* authentication of
>senders.  If you have it, I'd like to know how you have accomplished
>it. 
>
>I say this because this is not merely a "email sent from browsers"
>problem, it is a problem with any kind of email in general.  You can
>fake the "from" line in virtually ANY mail program, but some are more
>amenable to fakage than others (the user interface to change your
>"From" line is nicer, AND you don't have to be logged in to a specific
>account to send a message).  Netscape is not the only program that
>makes this easy; Eudora makes this simple as well.  This is one of the
>main reasons why PGP is around: to encrypt but to also AUTHENTICATE
>the sender.
>
>karyn
>
>


From firewalls-owner  Wed Aug  7 22:08:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA11806 for firewalls-outgoing; Wed, 7 Aug 1996 21:58:47 -0700 (PDT)
Received: from KLSE.COM.MY (smtp.klse.com.my [202.190.12.202]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA11798 for <firewalls@greatcircle.com>; Wed, 7 Aug 1996 21:58:27 -0700 (PDT)
Received: from GPO#u#DOMAIN-Message_Server by KLSE.COM.MY
	with Novell_GroupWise; Thu, 08 Aug 1996 13:09:17 +0800
Message-Id: <s209e6fc.035@KLSE.COM.MY>
X-Mailer: Novell GroupWise 4.1
Date: Thu, 08 Aug 1996 13:06:17 +0800
From: MOHAMED HABIB MOHAMED EUSOFF <habib@KLSE.COM.MY>
To: firewalls@greatcircle.com
Subject:  If I understand corectly,  smtp mail can be forged. One way
          "IP Spoof technique", in addition the
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If I understand corectly,  smtp mail can be forged. One way "IP Spoof technique", in addition the
message transfer agents (MTA - the one receive mails and forward mails) within MTS (mail
transfer system) has no appli-layer mechanism for MTA-MTA authentication. As a result, any
email that you received might have come from someone other than you think.

Is there any other way this forgery could be done?? Any reply would be appreciated.

thanks.



From firewalls-owner  Wed Aug  7 22:40:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA12260 for firewalls-outgoing; Wed, 7 Aug 1996 22:06:11 -0700 (PDT)
Received: from dollar.firstpac.com.au (firstpac.com.au [203.61.7.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA12246 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 22:05:58 -0700 (PDT)
Received: from shekel.firstpac.com.au (shekel [203.61.14.12]) by dollar.firstpac.com.au (8.7.5/firstpac/0.99) with ESMTP id PAA18225; Thu, 8 Aug 1996 15:03:19 +1000 (EST)
Received: (from matt@localhost) by shekel.firstpac.com.au (8.7.2/8.7.2/firstpac) id KAA16649; Thu, 8 Aug 1996 10:31:16 +1000 (EST)
Message-Id: <199608080031.KAA16649@shekel.firstpac.com.au>
Subject: Re: Security:  Java vs ActiveX (Part 2)
To: peter@baileynm.com (Peter da Silva)
Date: Thu, 8 Aug 1996 10:31:15 +1000 (EST)
Cc: firewalls@GreatCircle.COM (Firewalls Mailing List)
In-Reply-To: <9608071502.AA32528@sonic.nmti.com.nmti.com> from "Peter da Silva" at Aug 7, 96 10:02:42 am
X-Ph: ph: +61 2 394 4320   fax: +61 2 394 4398   home: +61 2 9929 0717
X-Pgp: pub  2047/DFA91FA1 1996/05/01 Matthew Keenan <matt@firstpac.com.au>
X-Pgp: Key fingerprint =  36 09 88 84 FA 11 82 82  D7 E7 B8 23 6E B0 22 BB
From: Matthew Keenan <matt@firstpac.com.au>
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peter da Silva wrote this...

>> I'd like to say "run only signed applets running in a VM running in a
>> sandbox on a secure server", but I can't point to a commercial
>> implementation.    Perhaps a UNIX browser running chrooted or on a
>> secure UNIX -- but most users want PC's

> Chroot isn't good enough because network access doesn't go through
> the UNIX security layer (the file system).

does on Solaris. typically it is only BSD's that are affected this
way.

			Matt
-- 
Matthew Keenan    Network Administrator    First Pacific Stockbrokers
			  Sydney,  Australia

From firewalls-owner  Wed Aug  7 22:49:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA12259 for firewalls-outgoing; Wed, 7 Aug 1996 22:06:08 -0700 (PDT)
Received: from dollar.firstpac.com.au (firstpac.com.au [203.61.7.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA12243 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 22:05:57 -0700 (PDT)
Received: from shekel.firstpac.com.au (shekel [203.61.14.12]) by dollar.firstpac.com.au (8.7.5/firstpac/0.99) with ESMTP id PAA18221; Thu, 8 Aug 1996 15:03:16 +1000 (EST)
Received: (from matt@localhost) by shekel.firstpac.com.au (8.7.2/8.7.2/firstpac) id KAA16696; Thu, 8 Aug 1996 10:47:38 +1000 (EST)
Message-Id: <199608080047.KAA16696@shekel.firstpac.com.au>
Subject: Re: Info World Firewall Articles
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Date: Thu, 8 Aug 1996 10:47:37 +1000 (EST)
Cc: firewalls@GreatCircle.COM (Firewalls Mailing List)
In-Reply-To: <9608071936.AA25811@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Aug 7, 96 12:37:36 pm
X-Ph: ph: +61 2 394 4320   fax: +61 2 394 4398   home: +61 2 9929 0717
X-Pgp: pub  2047/DFA91FA1 1996/05/01 Matthew Keenan <matt@firstpac.com.au>
X-Pgp: Key fingerprint =  36 09 88 84 FA 11 82 82  D7 E7 B8 23 6E B0 22 BB
From: Matthew Keenan <matt@firstpac.com.au>
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ryan Russell/SYBASE wrote this...

> It might be nice if the Firewall-1 install program prompted you to
> make the change, or automatically made it for you.

> However, the IP forwarding thing is Sun's fault, not Checkpoint's.

> Yes, a Sun machine will automatically forward packets for you, _even
> if it only has one interface._

(underscores are mine)

eh? thats not the way it works on the machines i have installed. but
then i have always added a entry in defaultrouter.

			Matt
-- 
Matthew Keenan    Network Administrator    First Pacific Stockbrokers
			  Sydney,  Australia

From firewalls-owner  Wed Aug  7 23:26:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA20985 for firewalls-outgoing; Wed, 7 Aug 1996 23:20:24 -0700 (PDT)
Received: from Concord01.POP.InterNex.Net (Concord01.POP.InterNex.Net [205.158.3.82]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA20938 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 23:20:06 -0700 (PDT)
Message-Id: <199608080620.XAA20938@miles.greatcircle.com>
Received: from [205.158.182.130] by Concord01.POP.InterNex.Net
          (post.office MTA v1.7 ID# 0-11026) with SMTP id AAA20512;
          Wed, 7 Aug 1996 23:20:09 -0700
Subject: Re: Re[2]: Info World Firewall Articles
Date: Wed, 7 Aug 96 23:20:12 -0700
x-sender: INX-10108b@Concord01.POP.InterNex.Net
x-mailer: Claris Emailer 1.1
From: Bill Husler <Bill@Husler.xo.com>
To: "Brian Murrell" <Brian_Murrell@bctel.net>, <barbara@us.checkpoint.com>
cc: <cklaus@iss.net>, <firewalls@GreatCircle.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brian,
  I saw a number of responses, but nobody providing the info you asked 
for. I have the referenced manual and would be happy to FAX the indicated 
pages (there's a section for each of about half a dozen different systems 
on how to disable forwarding IP on boot). If you are interested, eMail me 
your FAX number and I'll be happy to send them along. I don't  work for 
checkpoint, but since this has to do with the underlying system and they 
still get credit, I don't think I should have any problem with it.
Bill

From firewalls-owner  Wed Aug  7 23:44:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA20986 for firewalls-outgoing; Wed, 7 Aug 1996 23:20:25 -0700 (PDT)
Received: from Concord01.POP.InterNex.Net (Concord01.POP.InterNex.Net [205.158.3.82]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA20953 for <firewalls@GreatCircle.COM>; Wed, 7 Aug 1996 23:20:09 -0700 (PDT)
Message-Id: <199608080620.XAA20953@miles.greatcircle.com>
Received: from [205.158.182.130] by Concord01.POP.InterNex.Net
          (post.office MTA v1.7 ID# 0-11026) with SMTP id AAB20512;
          Wed, 7 Aug 1996 23:20:12 -0700
Subject: Re: Authentication
Date: Wed, 7 Aug 96 23:20:14 -0700
x-sender: INX-10108b@Concord01.POP.InterNex.Net
x-mailer: Claris Emailer 1.1
From: Bill Husler <Bill@Husler.xo.com>
To: "Karyn Pichnarczyk" <karyn@cisco.com>, <potlicker@morebbs.com>
cc: <firewalls@GreatCircle.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, ccMail for one requires that the user supply their account and 
passwords. I haven't seend anywhere that it allows you to override the 
from: address.
Bill

From firewalls-owner  Thu Aug  8 00:23:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA26304 for firewalls-outgoing; Thu, 8 Aug 1996 00:10:18 -0700 (PDT)
Received: from online.no (pat.online.no [193.212.1.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA26296 for <Firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 00:10:09 -0700 (PDT)
Received: from flash (oslo1401.telepost.no [193.214.1.1]) by online.no (8.7.5/8.7.3) with SMTP id JAA00540; Thu, 8 Aug 1996 09:09:49 +0200 (MET DST)
Message-ID: <32099314.3782@online.no>
Date: Thu, 08 Aug 1996 09:11:16 +0200
From: "Tor I. Wilhelmsen" <toriw@online.no>
X-Mailer: Mozilla 3.0b5a (Win16; I)
MIME-Version: 1.0
To: Martin Blouin <mblouin@mat.ulaval.ca>
CC: Firewalls@GreatCircle.COM
Subject: Re: Help me please to the following questions
References: <32076C48.12DC@mat.ulaval.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Have a look at the NOV*IX product from Firefox/FTP Software.

http://www.firefox.com/

Caveat: Yes, I work for one of their distributors.

- Tor Iver, Qualified Firefox Engineer (cool title, huh? :-) )

From firewalls-owner  Thu Aug  8 01:39:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA01926 for firewalls-outgoing; Thu, 8 Aug 1996 01:24:42 -0700 (PDT)
Received: from dxmint.cern.ch (dxmint.cern.ch [137.138.26.76]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA01893; Thu, 8 Aug 1996 01:24:26 -0700 (PDT)
From: gamble@dxcoms.cern.ch
Received: from dxcoms.cern.ch (dxcoms.cern.ch [137.138.28.176]) by dxmint.cern.ch 
	with SMTP id KAA15994; Thu, 8 Aug 1996 10:24:30 +0200 (MET DST)
Received: from localhost.cern.ch by dxcoms.cern.ch; (5.65v3.0/1.1.8.2/28Jul95-0949AM)
	id AA13372; Thu, 8 Aug 1996 10:24:29 +0200
Message-Id: <9608080824.AA13372@dxcoms.cern.ch>
To: firewalls-owner@GreatCircle.COM
Cc: firewalls@GreatCircle.COM, gamble@dxcoms.cern.ch
Subject: Re: Icmp originator  
In-Reply-To: Your message of "Wed, 07 Aug 96 19:28:10 +0200."
             <199608071728.TAA05644@dxmint.cern.ch> 
Date: Thu, 08 Aug 96 10:24:29 +0200
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Does anyone know who this 159 machine belongs to

The RIPE database says ....


route:       159.226.0.0/16
descr:       Institute of Computing Technology Chinese Academy of Sciences
descr:       P.O. Box 2704-10
descr:       Beijing
descr:       100080
descr:       CHINA
origin:      AS1239
comm-list:   COMM_NSFNET
advisory:    AS690 1:1239 2:1800
mnt-by:      MAINT-AS1239
changed:     selina@ans.net 951009
source:      RADB

inetnum:     159.226.0.0 - 159.226.255.255
remarks:     this network is assigned by the InterNIC
remarks:     please query whois.internic.net for more information.
changed:     hostmaster@internic.net 920611
changed:     ripe-dbm@ripe.net 960710
source:      INTERNIC


John.

From firewalls-owner  Thu Aug  8 06:53:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA18779 for firewalls-outgoing; Thu, 8 Aug 1996 06:47:06 -0700 (PDT)
Received: from mailsrv1.pcy.mci.net ([204.71.0.43]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA18770 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 06:47:00 -0700 (PDT)
Received: from [204.189.153.166] (usr3-dialup38.Washington.mci.net)
 by MAIL-CLUSTER.PCY.MCI.NET (PMDF V5.0-7 #10045)
 id <01I811O2IDNK9I6WQM@MAIL-CLUSTER.PCY.MCI.NET> for
 firewalls@GreatCircle.COM; Thu, 08 Aug 1996 09:45:18 -0400 (EDT)
Received: from [204.189.153.166] (usr3-dialup38.Washington.mci.net)
 by MAIL-CLUSTER.PCY.MCI.NET (PMDF V5.0-7 #10044)
 id <01I811MPBI1Y9JDUJY@MAIL-CLUSTER.PCY.MCI.NET> for
 firewalls@GreatCircle.COM; Thu, 08 Aug 1996 09:44:11 -0400 (EDT)
Date: Thu, 08 Aug 1996 09:49:18 -0500
From: Steve Keefe <Steve.Keefe@internetmci.com>
Subject: Security Scanners
To: "firewalls@GreatCircle.COM" <firewalls@GreatCircle.COM>
Message-id: <01I811MPT9KA9JDUJY@MAIL-CLUSTER.PCY.MCI.NET>
MIME-version: 1.0
X-Mailer: e-mailMCI v2.3
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: Steve Keefe * EMC.Ver #2.3 ] --

looking for feedback on security scanners especially 
"Internet Scanner 3.2" by Internet Security Systems out
of Atlanta.

Is it any good?  How expensive? How does it compare to Satan?

and does it run on BSDI?


Steve Keefe
Patriot Technologies

From firewalls-owner  Thu Aug  8 07:08:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA18907 for firewalls-outgoing; Thu, 8 Aug 1996 06:52:47 -0700 (PDT)
Received: from balder-int.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA18900 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 06:52:39 -0700 (PDT)
Received: by balder-int.ssds.com; id AA21585; Thu, 8 Aug 96 07:52:25 MDT
Received: from baltimore.ssds.com(134.127.34.1) by balder.ssds.com via smap (V3.1.1)
	id xma021576; Thu, 8 Aug 96 07:51:54 -0600
Received: by baltimore.ssds.com id JAA07520; Thu, 8 Aug 1996 09:52:26 -0400 (EDT)
Date: Thu, 8 Aug 1996 09:52:26 -0400 (EDT)
From: "Mike \"Will tame Cisco's for food\" Malik" <mike.malik@ssds.com>
X-Sender: mam@baltimore
To: Ryan Wood <rtwood@radian.com>
Cc: long-morrow@CS.YALE.EDU, firewalls@GreatCircle.COM, potlicker@morebbs.com
Subject: Re:  Authentication
In-Reply-To: <199608072313.SAA20829@itchy.radian.com>
Message-Id: <Pine.SUN.3.93.960808095037.7330E-100000@baltimore>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


On Wed, 7 Aug 1996, Ryan Wood wrote:

 
> 
> Correct me if I'm wrong (and the way today has been going, I probably
> am), but the telnet to the SMTP port is traceable since the originating
> host's IP address will be in the header.  Therefore it is possible to
> identify a fake mail from that method.  Can the same be done for people
> using the web browser to send fake mail?
> 
Ok how do you get a packet down the stack with out IP ?? Seems to me you
are always leaving some kind of trail. (Yes you can make it hadr to track)
Mike


From firewalls-owner  Thu Aug  8 07:27:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20099 for firewalls-outgoing; Thu, 8 Aug 1996 07:12:44 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA20085 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 07:12:37 -0700 (PDT)
Message-Id: <199608081412.HAA20085@miles.greatcircle.com>
Received: by hp01.vak12ed.edu
	(1.37.109.18/16.2) id AA297203445; Thu, 8 Aug 1996 10:10:45 -0400
From: "W.C. Epperson" <epperson@vak12ed.edu>
Subject: Re: Info World Firewall Articles
To: firewalls@greatcircle.com
Date: Thu, 08 Aug 1996 10:10:45 EDT
In-Reply-To: <96Aug7.120412edt.9791@cannon.ecf.toronto.edu>; from "Steve Kotsopoulos" at Aug 7, 96 12:04 (noon)
X-Mailer: Elm [revision: 109.18]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve K. is alleged to have commented:
> 
> Most Unix systems are unfortunately insecure out of the box.
> We should expect all good firewalls to be highly secure out of the box.
Most _systems_ are unfortunately insecure out of the box.  Whether
a "highly secure out of the box" expectation of a firewall product is
reasonable depends largely on whether you're building or buying.  There
are, of course, other factors as well.
--
W.C. Epperson			"You can't go in there:       
Senior SE                        there's a flashing red light."       
Information Security Officer            --Firesign Theatre--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education	        
epperson@pen.k12.va.us

From firewalls-owner  Thu Aug  8 07:55:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA22661 for firewalls-outgoing; Thu, 8 Aug 1996 07:35:44 -0700 (PDT)
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net [206.85.92.22]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA22508 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 07:35:13 -0700 (PDT)
From: jminie@earthlink.net
Received: from default (pool025.Max1.St-Louis.MO.DYNIP.ALTER.NET [153.37.140.25]) by denmark.it.earthlink.net (8.7.5/8.7.3) with SMTP id HAA09467 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 07:34:21 -0700 (PDT)
Message-Id: <2.2.32.19960808143729.006a94f8@earthlink.net>
X-Sender: jminie@earthlink.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 08 Aug 1996 09:37:29 -0500
To: firewalls@greatcircle.com
Subject: Re: Info World Firewall Articles
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I expect firewall software to not create any holes. I don't expect
>it to think it knows more than I do about what I want or don't want
>in my system configuration files.

You restated my point almost exactly.  The software should begin in a secure
state, (kernel and firewall inclusive) and allow the 'knowledgeable
operator' to set up the rules.  Not the other way around ...


From firewalls-owner  Thu Aug  8 08:09:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA24718 for firewalls-outgoing; Thu, 8 Aug 1996 07:50:49 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA24678 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 07:50:30 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id JAA08247; Thu, 8 Aug 1996 09:50:25 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma012344; Thu Aug  8 09:48:06 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA25633; Thu, 8 Aug 1996 09:48:05 -0500
Received: by sonic.nmti.com; id AA16577; Thu, 8 Aug 1996 09:48:04 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608081448.AA16577@sonic.nmti.com.nmti.com>
Subject: Re: Security:  Java vs ActiveX (Part 2)
To: matt@firstpac.com.au (Matthew Keenan)
Date: Thu, 8 Aug 1996 09:48:04 -0500 (CDT)
Cc: peter@baileynm.com, firewalls@GreatCircle.COM
In-Reply-To: <199608080031.KAA16649@shekel.firstpac.com.au> from "Matthew Keenan" at Aug 8, 96 10:31:15 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >> I'd like to say "run only signed applets running in a VM running in a
> >> sandbox on a secure server", but I can't point to a commercial
> >> implementation.    Perhaps a UNIX browser running chrooted or on a
> >> secure UNIX -- but most users want PC's

> > Chroot isn't good enough because network access doesn't go through
> > the UNIX security layer (the file system).

> does on Solaris. typically it is only BSD's that are affected this
> way.

It only does so half way. It requires access to the file system to open a
socket, but once you have that you can open *any* socket (as root) or any
non-privileged socket (as user). What I'm talking about is having a pseudo
file system like "/dev/socket/whatever" that's normally (virtually) fully
populated but in the chrooted environment you only have (say) "/dev/socket/20"
and "/dev/socket/66.66.66.66/25" existing, so the only thing your sendmail can
do is open a connection to your ISP's SMTP port.

Turning off *ALL* network access for a browser is less than useful.

And of course System V IPC is as big a screwup, with its magic namespace out
of the file system.

From firewalls-owner  Thu Aug  8 08:32:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27100 for firewalls-outgoing; Thu, 8 Aug 1996 08:09:22 -0700 (PDT)
Received: from drawbridge.ascend.com (drawbridge.ascend.com [198.4.92.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA27080 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 08:09:09 -0700 (PDT)
Received: from spud.ascend.com (fw-ext.ascend.com [198.4.92.5]) 
	by drawbridge.ascend.com (8.6.12/8.6.12) with ESMTP 
	id IAA00484 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 08:09:11 -0700
Received: from Mail-gw.ascend.com (mail-gw.ascend.com [192.207.23.142]) 
	by spud.ascend.com (8.6.12/8.6.12) with SMTP 
	id IAA17752 for <@spud.ascend.com:firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 08:09:06 -0700
Received: by Mail-gw.ascend.com (IBM OS/2 SENDMAIL VERSION 1.3.14/1.0)
	  id AA2435; Thu, 08 Aug 96 08:06:40 -0700
Message-Id: <9608081506.AA2435@Mail-gw.ascend.com>
Received: from Ascend with "Lotus Notes Mail Gateway for SMTP" id
  A8F0012D5B3A8BA088256380005059AA; Thu,  8 Aug 96 08:06:38 
To: MOHAMED HABIB MOHAMED EUSOFF <habib@KLSE.COM.MY>
Cc: firewalls <firewalls@GreatCircle.COM>
From: Gary Wong/Ascend/US <Gary_Wong@ascend.com>
Date:  8 Aug 96  8:08:38 
Subject: Re: If I understand corectly, smtp mail can be forged. One way
  "IP Spoof technique", in addition the
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

habib :

One way to do it is "telnet x.x.x.x 25" where x.x.x.x is an Ip address. 
Normally, I will know where or which machine you are coming from although I 
have no idea who you are. May be I can guess who you are from wtmp or utmp 
files on the machine you are sending mail from.

You can prevent people from sending forge mail from your UNIX workstation by 
enabling TCP-wrapper(tcpd) in inetd for smtp.

Gary


===================================================================================



	habib @ KLSE.COM.MY (MOHAMED HABIB MOHAMED EUSOFF) 
08/08/96 01:06 PM
To: firewalls @ GreatCircle.COM 
cc:  
Subject: If I understand corectly,  smtp mail can be forged. One way          
"IP Spoof technique", in addition the


If I understand corectly,  smtp mail can be forged. One way "IP Spoof 
technique", in addition the
message transfer agents (MTA - the one receive mails and forward mails) within 
MTS (mail
transfer system) has no appli-layer mechanism for MTA-MTA authentication. As a 
result, any
email that you received might have come from someone other than you think.

Is there any other way this forgery could be done?? Any reply would be 
appreciated.

thanks.







From firewalls-owner  Thu Aug  8 09:10:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02885 for firewalls-outgoing; Thu, 8 Aug 1996 08:59:42 -0700 (PDT)
Received: from merlin.incae.ac.cr (merlin.incae.ac.cr [163.178.160.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA02827; Thu, 8 Aug 1996 08:58:12 -0700 (PDT)
Received: by merlin.incae.ac.cr (AIX 3.2/UCB 5.64/4.03)
          id AA16491; Thu, 8 Aug 1996 09:57:40 -0600
Date: Thu, 8 Aug 1996 09:57:40 -0600
From: carvajae@merlin.incae.ac.cr (Erick Carvajal Gonzalez)
Message-Id: <9608081557.AA16491@merlin.incae.ac.cr>
To: firewalls@GreatCircle.COM
Subject: How insecure can be a Unix System
Cc: firewalls-digest@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I want to know how insecure can be a Unix System. Therefore if you have examples of problems of security in Unix system, please send me.

8
Thanks

Erick Carvajal
carvajae@merlin.incae.ac.cr

From firewalls-owner  Thu Aug  8 09:45:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05788 for firewalls-outgoing; Thu, 8 Aug 1996 09:30:14 -0700 (PDT)
Received: from isgate.is (isgate.is [193.4.58.51]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA05775 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 09:30:07 -0700 (PDT)
Received: from linda.if.is by isgate.is (8.7.5-M/ISnet/14-10-91); Thu, 8 Aug 1996 16:30:03 GMT
Received: by linda.if.is (Secure/IFnet/24-07-96); Thu, 8 Aug 1996 16:30:12 GMT
From: gunni@if.is (Gunnar Ingvi Thorisson)
Message-Id: <199608081630.QAA30710@linda.if.is>
Subject: Single IP IP filter
To: firewalls@GreatCircle.COM
Date: Thu, 8 Aug 1996 16:30:12 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Someone know if DrawBrigde is able to filter IP packets for one IP 
address rather than the while subnet? I'm looking for a product that is 
able to pick up a packet if it matches the IP of a single host and router 
it to another ethernet network.


    Network A      |   Network B               |        Network C
                   |                           |
                   |                           |
             .-----------.             .----------------.
             | IP filter | --------->  | Firewall/Proxy |
             `-----------'             `----------------'
             eth0  | eth1         eth0=        | eth1 = 192.168.100.200
  Network =        |              192.168.1.1  | 
  192.168.1.0      |                           |

The IP filter shouldn't have to have any IP addresses, if it sees a packet 
that is addressed to the firewalls eth interface 0 (192.168.1.1) that is 
running on 192.168.1.0 network (IP filters eth0) it copies the packet to 
the eth1 interface and vise versa. Uses an access-list. Does such a 
product exist? Is it possible by the way?


best regards, Gunni

=========================================================================
 Gunnar Ingvi Þórisson                      E-Mail address:  gunni@if.is
=========================================================================


From firewalls-owner  Thu Aug  8 09:53:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA07024 for firewalls-outgoing; Thu, 8 Aug 1996 09:44:08 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA07004; Thu, 8 Aug 1996 09:43:55 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
	id AA19493; Thu, 8 Aug 1996 12:43:58 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
	id MAA12197; Thu, 8 Aug 1996 12:42:37 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199608081642.MAA12197@splinter.rtp.dg.com>
Subject: Re: How insecure can be a Unix System
To: carvajae@merlin.incae.ac.cr (Erick Carvajal Gonzalez)
Date: Thu, 8 Aug 1996 12:42:34 -0400 (EDT)
Cc: firewalls@greatcircle.com, firewalls-digest@greatcircle.com
In-Reply-To: <9608081557.AA16491@merlin.incae.ac.cr> from "Erick Carvajal Gonzalez" at Aug 8, 96 09:57:40 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I want to know how insecure can be a Unix System. Therefore if you have examples of problems of security in Unix system, please send me.
> 
> Erick Carvajal

Start with "Practical Unix Security" by Gene Spafford.  The look on CERT
(what's the email address?).  Then read up promiscuous IP, Berkeley Packet
Filter, sendmail, ...

BUT, NT is also full of holes.  Most OS's are.  Anything that (1) wasn't
designed from the ground up with security in mind, (2) isn't built with
excellent software engineering practices, and isn't maintained in the same
manner will be fairly easy to break.


-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********

From firewalls-owner  Thu Aug  8 10:12:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08659 for firewalls-outgoing; Thu, 8 Aug 1996 10:00:17 -0700 (PDT)
Received: from pdx1 (pdx1.world.net [192.243.32.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA08597 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 10:00:05 -0700 (PDT)
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1 (8.6.9/8.6.9) with ESMTP id KAA07325 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 10:02:06 -0700
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id CAA03826 for firewalls@greatcircle.com; Fri, 9 Aug 1996 02:59:50 +1000
From: Julian Assange <proff@suburbia.net>
Message-Id: <199608081659.CAA03826@suburbia.net>
Subject: call for papers
To: firewalls@greatcircle.com
Date: Fri, 9 Aug 1996 02:59:49 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


This is a call for calls for papers ;)

If there are currently any international air-ticket spending conferences
still open for speakers presenting papers in the realm of enlightening
papers on cryptographic/implimentation/protocol weaknesses in token
based authentication systems, please let me know.

-- 
"Of all tyrannies a tyranny sincerely  exercised for the good of its victims  
 may be the most  oppressive.  It may be better to live under  robber barons  
 than  under  omnipotent  moral busybodies,  The robber baron's  cruelty may  
 sometimes sleep,  his cupidity may at some point be satiated; but those who  
 torment us for own good  will torment us  without end,  for they do so with 
 the approval of their own conscience."    -   C.S. Lewis, _God in the Dock_ 
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

From firewalls-owner  Thu Aug  8 11:16:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16512 for firewalls-outgoing; Thu, 8 Aug 1996 11:01:06 -0700 (PDT)
Received: from iai-gate.iai.com (iai.tiac.net [199.3.128.47]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16483 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 11:00:41 -0700 (PDT)
Received: (from uucp@localhost) by iai-gate.iai.com (8.6.12/8.6.9) id NAA17440 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 13:59:23 -0400
Received: from milford.iai.com(192.206.185.2) by iai-gate.iai.com via smap (V1.3)
	id sma017438; Thu Aug  8 13:58:56 1996
Received: by milford.iai.com (AIX 3.2/UCB 5.64/4.03)
          id AA30094; Thu, 8 Aug 1996 13:58:55 -0400
From: jegan@milford.iai.com (James P. Egan)
Message-Id: <9608081758.AA30094@milford.iai.com>
Subject: OnGuard
To: firewalls@GreatCircle.COM
Date: Thu, 8 Aug 1996 13:58:55 -0400 (EDT)
Reply-To: jegan@milford.iai.com
Organization: Integrated Architectures, Inc.
Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF  31 43 9C 4C E2 A1 FC 04
Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan) 
X-Mailer: ELM [version 2.4 PL24 ME5a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am interested in opinions on the OnGuard product.
Please email to jegan@iai.com.  TIA.

/Jim/
--
James P. Egan                   | jegan@iai.com 
Integrated Architectures, Inc.  | http://www.iai.com 
300 East Main Street, Suite 207 | Tel: 508-634-3200 x209
Milford, MA  01757              | Fax: 508-634-8381
Use PGP for more secure email

From firewalls-owner  Thu Aug  8 11:24:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16560 for firewalls-outgoing; Thu, 8 Aug 1996 11:01:45 -0700 (PDT)
Received: from gatekeeper.marben.be (gatekeeper.marben.be [194.78.27.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA16542 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 11:01:29 -0700 (PDT)
Received: (from smap@localhost) by gatekeeper.marben.be (8.6.12/8.6.9) id UAA07705 for <@gatekeeper.marben.be:firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 20:11:16 +0200
Received: from tarifa.marben.be(172.20.0.254) by gatekeeper.marben.be via smap (V1.3)
	id sma007703; Thu Aug  8 20:10:56 1996
Received: from tarifa.marben.be by tarifa via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO)
	for <firewalls@GreatCircle.COM> id TAA03144; Thu, 8 Aug 1996 19:51:25 +0200
Message-ID: <320A291D.794B@marben.be>
Date: Thu, 08 Aug 1996 19:51:25 +0200
From: Jean-Pierre Morant <jpm@marben.be>
Organization: Marben SA-NV
X-Mailer: Mozilla 3.0b5aGold (X11; I; IRIX 5.3 IP22)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Netscape Gold publishing and FWTK
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm trying to use Netscape Gold's publication features through my
fwtk-based firewall, with mild success so far.

Has anyone succeeded in doing this ?


Until now, I've been trying to publish using the ftp method.
If the proxy for FTP is set to port 80, I receive an error message
from the http-gw that says :
=========================================
>Error uploading files

>The server responded:

>Error ----------------------------------------
>No default server configured to handle your request PUT
>ftp://jpm:IsoIso@zebra.marben.be/incoming/jobOpportunities.html
>HTTP/1.0 
============

If I use the port 21 (ftp-gw), then Netscape opens a little (error?)
window, closes it immediately, and does nothing on the network ...


Any idea ????

-- 
Jean-Pierre Morant
c/o MARBEN S.A./N.V.			La vie serait tellement 
Boulevard du Souverain,400, Vorstlaan	plus facile	 
1160	Bruxelles			Si seulement
Belgium					nous avions les sources....
+ 32 2 663 1130	(phone)
+ 32 2 663 1199 (fax)
http://www.marben.be
jpm@marben.be

From firewalls-owner  Thu Aug  8 11:38:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA18439 for firewalls-outgoing; Thu, 8 Aug 1996 11:29:44 -0700 (PDT)
Received: from vqgjx.oxy.com (vqgjx.oxy.com [199.248.165.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA18422 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 11:29:33 -0700 (PDT)
Received: by vqgjx.oxy.com; id NAA10234; Thu, 8 Aug 1996 13:23:45 -0500 (CDT)
Received: from unknown(155.224.11.33) by vqgjx.oxy.com via smap (V3.1)
	id xma010085; Thu, 8 Aug 96 13:23:20 -0500
Received: from ccMail by oxymail.oxy.com
  (IMA Internet Exchange 2.02 Enterprise) id 20A313E0; Thu, 8 Aug 96 13:26:06 -0500
Mime-Version: 1.0
Date: Thu, 8 Aug 1996 13:19:45 -0500
Message-ID: <20A313E0.1239@oxy.com>
From: Messages_Roswell@oxy.com (Messages Roswell)
Subject: Interpretation/Analysis of TIS Gauntlett Firewall Log
To: firewalls@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

     Does anyone know if there are programs/products available to analyze, 
     statisticize, summarize and report on the TIS Gauntlet Firewall 
     messages log.  There are entries for authentication server, security 
     alerts, http, ftp, sendmail, kernel ,logon, nntp, smap, named, etc.  
     The http information spans multiple records, which are not necessarily 
     sequential, linked by a UNIX process id.  The sendmail information 
     also spans multiple records linked by some sort of sendmail 
     identifier.  All parameters are positional keyword and require a 
     parser to interpret into a machine readable metric. 
     
     There are some UNIX scripts for daily and weekly processing which do 
     some summarization. But, surely someone has developed a product to 
     analyze firewall logs.  What is available?  Which products do you like 
     best and recommend?
     
     Thanks,
     Bill Roswell
     Occidental Petroleum Corporation
     Bill_Roswell@oxy.com
     918/561-1437

From firewalls-owner  Thu Aug  8 11:40:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15993 for firewalls-outgoing; Thu, 8 Aug 1996 10:54:58 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA15986 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 10:54:51 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
	id AA08789; Thu, 8 Aug 1996 10:56:17 -0700
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA15966; Thu, 8 Aug 96 10:54:47 PDT
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
	id AA29596; Thu, 8 Aug 1996 10:54:39 -0700
Message-Id: <9608081754.AA29596@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
  8EE465B8D0B73A63882563800060D65C; Thu,  8 Aug 96 10:54:38 EDT
To: Matthew Keenan <matt@sybase.com>
Cc: Firewalls Mailing List <firewalls@sybase.com>
From: Ryan Russell/SYBASE
  <Ryan.Russell@sybase.com>
Date:  8 Aug 96 10:55:44 EDT
Subject: Re: Info World Firewall Articles
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>From what I've read (can't say I've tried it personally)
Even on a Sun with 1 interface, if an IP packet gets to
it that is not intended for it, and it knows where it should
go, it sends it right back out the same interface.

Of course, the link where I remember reading this is
down at the moment...

http://madhaus.utcs.utoronto.ca/links/ftp/doc/introductory_documents/ipforward-fix.txt

After poking around a bit with Alta Vista, it seems that it depends on
the version of SunOS etc.. so YMMV.  Hopefully someone on
the list who knows what they are talking about can clarify :)


      Ryan
---------- Previous Message ----------
To: Ryan.Russell
cc: firewalls
From: matt @ firstpac.com.au (Matthew Keenan) @ smtp
Date: 08/08/96 10:47:37 AM
Subject: Re: Info World Firewall Articles

Ryan Russell/SYBASE wrote this...

> It might be nice if the Firewall-1 install program prompted you to
> make the change, or automatically made it for you.

> However, the IP forwarding thing is Sun's fault, not Checkpoint's.

> Yes, a Sun machine will automatically forward packets for you, _even
> if it only has one interface._

(underscores are mine)

eh? thats not the way it works on the machines i have installed. but
then i have always added a entry in defaultrouter.

   Matt
-- 
Matthew Keenan    Network Administrator    First Pacific Stockbrokers
     Sydney,  Australia





From firewalls-owner  Thu Aug  8 11:53:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20620 for firewalls-outgoing; Thu, 8 Aug 1996 11:50:00 -0700 (PDT)
Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA20561 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 11:49:43 -0700 (PDT)
Received: from alexf.iss.net (alexf.iss.net [204.241.60.98]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id OAA23763; Thu, 8 Aug 1996 14:48:21 -0400
Message-Id: <199608081848.OAA23763@phoenix.iss.net>
Comments: Authenticated sender is <alexf@[204.241.60.5]>
From: "Alex F" <alexf@iss.net>
Organization: Internet Security Systems, Inc.
To: "firewalls@GreatCircle.COM" <firewalls@GreatCircle.COM>,
        Steve Keefe <Steve.Keefe@internetmci.com>
Date: Thu, 8 Aug 1996 14:49:57 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Security Scanners
Reply-to: alexf@iss.net
X-mailer: Pegasus Mail for Win32 (v2.32a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> -- [ From: Steve Keefe * EMC.Ver #2.3 ] --
> 
> looking for feedback on security scanners especially 
> "Internet Scanner 3.2" by Internet Security Systems out
> of Atlanta.
> 
> Is it any good?  How expensive? How does it compare to Satan?
> 
> and does it run on BSDI?
> 
> 
> Steve Keefe
> Patriot Technologies
> 
> 
=-=-=-=-=-=-=-=-=-=-=-=-=-
Alex F    alexf@iss.net
Marketing Specialist
Internet Security Systems
=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner  Thu Aug  8 12:15:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA22323 for firewalls-outgoing; Thu, 8 Aug 1996 12:01:32 -0700 (PDT)
Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA22295 for <firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 12:01:19 -0700 (PDT)
Received: from alexf.iss.net (alexf.iss.net [204.241.60.98]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id PAA23951; Thu, 8 Aug 1996 15:00:12 -0400
Message-Id: <199608081900.PAA23951@phoenix.iss.net>
Comments: Authenticated sender is <alexf@[204.241.60.5]>
From: "Alex F" <alexf@iss.net>
Organization: Internet Security Systems, Inc.
To: "firewalls@GreatCircle.COM" <firewalls@GreatCircle.COM>,
        Steve Keefe <Steve.Keefe@internetmci.com>
Date: Thu, 8 Aug 1996 15:01:52 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Security Scanners
Reply-to: alexf@iss.net
X-mailer: Pegasus Mail for Win32 (v2.32a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


> "Internet Scanner 3.2" by Internet Security Systems out
> of Atlanta.

The current version of the Scanner is 3.3.2

Plans are to release 4.0 soon.  By the end of the summer.  There is a 
big jump in the version number for good reason as well.  You can get 
the latest info on the current version from the web site 
(www.iss.net).

> Is it any good?  How expensive? How does it compare to Satan?

Is better than good :)

Price?  It all depends.  We offer perpetual licenses, 30 
subscriptions, etc., etc.  It all depends on how much you want (from 
single IP to a class A) and for how long (perpetual, 30 days).  I 
don't want to hazard a guess as to the pricing structure, esp. when 
4.0 comes out.  I don't know.  Your best bet would be to download the 
eval copy (fully functional, but only scans localhost) and try it for 
yourself.  If you are satisfied with the product you may then call us 
and get a key for however many addresses you want.  In the near 
future we hope to be able to offer online ordering of our products, 
at which time we will have extensive price lists on the web.

No, we do not have any BSD versions.  We also do not have a Solaris 
x86 version either, which seems to be more in demand than the BSD 
variants.

We offer versions for:

HP-UX 9.X +
AIX 3.25 +
Linux
SunOS 4.x +
Solaris 2.5

with a port to Windows NT coming soon.

If you or anyone else on the list have any more questions you are 
welcome to email me.

Thanks,

Alex F
(alexf@iss.net)

> 
> and does it run on BSDI?
> 
=-=-=-=-=-=-=-=-=-=-=-=-=-
Alex F    alexf@iss.net
Marketing Specialist
Internet Security Systems
=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner  Thu Aug  8 14:29:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA05216 for firewalls-outgoing; Thu, 8 Aug 1996 13:52:46 -0700 (PDT)
Received: from syr.edu (syr.EDU [128.230.1.49]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA05209; Thu, 8 Aug 1996 13:52:39 -0700 (PDT)
Received: from peterm.syr.edu by syr.edu (8.7.5/CNS)
	id QAA17365; Thu, 8 Aug 1996 16:53:50 -0400 (EDT)
Message-ID: <320A7DA7.8CC@syr.edu>
Date: Thu, 08 Aug 1996 16:52:07 -0700
From: Peter Morrissey <ppmorris@syr.edu>
Organization: Syracuse University
X-Mailer: Mozilla 2.0 (Win95; I; 16bit)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: Book on Policy and law
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone suggest a good book and/or other resources 
regarding practicle guidance on setting up security 
policy.
I'm also looking for a book that would address steps that
can be taken in order to facilitate prosecution of security
violations.

Thanks,
_Pete Morrissey

From firewalls-owner  Thu Aug  8 14:42:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA08014 for firewalls-outgoing; Thu, 8 Aug 1996 14:31:51 -0700 (PDT)
Received: from cannon.ecf.toronto.edu (cannon.ecf.toronto.edu [128.100.8.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA07981 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 14:31:31 -0700 (PDT)
Received: by cannon.ecf.toronto.edu id <10103>; Thu, 8 Aug 1996 17:31:01 -0400
From: Steve Kotsopoulos <steve@ecf.toronto.edu>
To: firewalls@greatcircle.com
In-Reply-To: <2.2.32.19960807210742.00697ca4@earthlink.net>
Organization: University of Toronto, Engineering Computing Facility
Subject: Re: Info World Firewall Articles
Message-Id: <96Aug8.173101edt.10103@cannon.ecf.toronto.edu>
Date: 	Thu, 8 Aug 1996 17:30:58 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

jminie@earthlink.net wrote:
>We're aware of how insecure UNIX is natively.  The point here is that a
>firewall should be as close to 100% secure as possible out-of-the-box,
>removing the possibility that human intervention (or human NON-intervention,
>for that matter) doesn't create or allow ANY holes for ANY length of time.
>
>A couple of UNIX-based firewall vendors DO address the issue of the
>non-secure kernel.  If kernel insecurity is addressed at the vendor level,
>(i.e. - the guys making the money) the argument about customer-level
>'professional' versus 'scanner' firewall users should be non-existent.  I
>truly believe in the concept that, without a hardened kernel there is no way
>to guarantee a truly secure firewall.

I agree. Here are my new definitions, which may be of use to others:

A 'firewall' is a system that if configured correctly by professionals
 (who have read all the manuals from cover to cover), and notwithstanding
 hardware or software bugs or problems, protects your network.

A 'good firewall' is a system that protects your network.
 It must have defense in depth, so that in the event of a failure (such
 as after the discovery of new bugs), other mechanisms will protect you.
 It must have a fail-safe design, for protection in the event of
 hardware/software problems or administrative errors. Instead of letting
 attackers in when there is a failure, fail-safe systems deny access to
 both attackers and legitimate users. Failure to read the manual may result
 in you not being able to turn a service on, instead of the service being
 wide open without protection, and possibly making your internal network
 vulnerable.

If I wanted to protect my network, I would buy a 'good firewall'.

Since so many people wanted to talk about the necessity of completely
reading the manuals, I searched the FireWall-1 web site to see what
they had to say about it. The closest I could find was the "Ease of Use"
paragraph at http://www.checkpoint.com/brochure/page10.html
It starts with  "FireWall-1 was designed to be easily installed,
configured and managed.", then talks about the easy to use GUI,
and the integrity checking that reduces the chance of operator error.
I couldn't find any mention of a manual.
-- 
Steve Kotsopoulos  M.Eng.                         steve@ecf.toronto.edu
Systems Analyst   Engineering Computing Facility, University of Toronto
http://www.ecf.toronto.edu/~steve/

From firewalls-owner  Thu Aug  8 15:59:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA12549 for firewalls-outgoing; Thu, 8 Aug 1996 15:09:46 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA12510; Thu, 8 Aug 1996 15:09:23 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA17594; Thu, 8 Aug 1996 22:05:26 -0400
Date: Thu, 8 Aug 1996 22:05:22 -0400 (EDT)
From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: Peter Morrissey <ppmorris@syr.edu>
cc: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: Re: Book on Policy and law
In-Reply-To: <320A7DA7.8CC@syr.edu>
Message-ID: <Pine.BSF.3.91.960808220032.17564A-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



On Thu, 8 Aug 1996, Peter Morrissey wrote:

> Can anyone suggest a good book and/or other resources 
> regarding practicle guidance on setting up security 
> policy.
> I'm also looking for a book that would address steps that
> can be taken in order to facilitate prosecution of security
> violations.


This one's fairly basic, but has info on how to help w/ prosecuting:

Computer Crime: A Crimefighter's Handbook
Icove, Seger & VonStorch
O'Reilly and Assoc. (http://www.ora.com)
ISBN# 1-56592-806-4

- r.w.


From firewalls-owner  Thu Aug  8 16:16:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA12491 for firewalls-outgoing; Thu, 8 Aug 1996 15:08:59 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA12480; Thu, 8 Aug 1996 15:08:49 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id AAA21204; Fri, 9 Aug 1996 00:09:18 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
	id AA09354; Fri, 9 Aug 96 00:07:45 +0200
Message-Id: <9608082207.AA09354@tidtest.total.fr>
To: Peter Morrissey <ppmorris@syr.edu>
Cc: Firewalls@greatcircle.com, firewalls-digest@greatcircle.com
Subject: Re: Book on Policy and law 
In-Reply-To: Your message of "Thu, 08 Aug 1996 16:52:07 PDT."
             <320A7DA7.8CC@syr.edu> 
X-Cuse: "The dog ate my network"
Date: Fri, 09 Aug 1996 00:07:45 +0100
From: Michel Lavondes <lavondes@tidtest.total.fr>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


In message <320A7DA7.8CC@syr.edu>, Peter Morrissey writes:
> Can anyone suggest a good book and/or other resources 
> regarding practicle guidance on setting up security 
> policy.
> I'm also looking for a book that would address steps that
> can be taken in order to facilitate prosecution of security
> violations.
>
The "Site Security Handbook" RFC (sorry, don't remember the number
off-hand) should have enough of what you want to get you started. 

Michel Lavondes (lavondes@tidtest.total.fr)
#include <disclaimer.h>
Governments are guilty until proved innocent

From firewalls-owner  Thu Aug  8 16:40:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA10874 for firewalls-outgoing; Thu, 8 Aug 1996 14:53:49 -0700 (PDT)
Received: from pony-express.ims.advantis.com (pony-express.ims.advantis.com [165.87.194.144]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA10867; Thu, 8 Aug 1996 14:53:42 -0700 (PDT)
Received: (from Unknown UID 5@localhost) by pony-express.ims.advantis.com (8.6.9/95.10.11) id RAA05965; Thu, 8 Aug 1996 17:54:39 -0400
Received: from gandalf.ims.advantis.com(164.120.178.27) by pony-express.ims.advantis.com via smap (V1.3)
	id sma008263; Thu Aug  8 17:54:30 1996
Received: by gandalf.ims.advantis.com (AIX 3.2/UCB 5.64/950921)
          id AA21035; Thu, 8 Aug 1996 17:59:03 -0400
Date: Thu, 8 Aug 1996 17:59:02 -0400 (EDT)
From: "Henry W. Farkas" <hfarkas@ims.advantis.com>
To: Peter Morrissey <ppmorris@syr.edu>
Cc: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: Re: Book on Policy and law
In-Reply-To: <320A7DA7.8CC@syr.edu>
Message-Id: <Pine.A32.3.91.960808175449.14879E-100000@gandalf.ims.advantis.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 8 Aug 1996, Peter Morrissey wrote:

> Can anyone suggest a good book and/or other resources 
> regarding practicle guidance on setting up security 
> policy.
Practical Unix and Internet Security, 2nd edition
   Simson Garfinkel and Gene Spafford
   O'Reilly

Firewalls and Internet Security
   William Cheswick and Steven Bellovin
   Addison-Wesley

These books are a good start.

> I'm also looking for a book that would address steps that
> can be taken in order to facilitate prosecution of security
> violations.
Computer Crime
   Icove, Seger and VonStorch
   O'Reilly

===========================================================================
 "We must all turn our backs upon the horrors of the past. We must look to
  the future.  We cannot afford to drag forward, across the years that are
  to come, the hatreds and revenges which have sprung from the injuries of
  the past." - Winston Churchill -  http://newstand.ims.advantis.com/henry
    PGP fingerprint AA D0 F5 44 C1 8C 11 52 - B3 80 34 1C CE 38 EC 53


From firewalls-owner  Thu Aug  8 17:14:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA26761 for firewalls-outgoing; Thu, 8 Aug 1996 17:00:26 -0700 (PDT)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA26594 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 16:59:50 -0700 (PDT)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.7.5/8.7.3) id JAA02886; Fri, 9 Aug 1996 09:59:41 +1000 (EST)
Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3)
	id /mail/incoming/sma002877; Fri Aug  9 09:59:16 1996
Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id JAA02679; Fri, 9 Aug 1996 09:59:49 +1000
From: Colin Campbell <sgcccdc@citec.qld.gov.au>
Message-Id: <199608082359.JAA02679@guru.citec.qld.gov.au>
Subject: Re: Book on Policy and law
To: ppmorris@syr.edu (Peter Morrissey)
Date: Fri, 9 Aug 1996 09:59:48 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <320A7DA7.8CC@syr.edu> from "Peter Morrissey" at Aug 8, 96 04:52:07 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks Peter Morrissey said:
> 
> Can anyone suggest a good book and/or other resources 
> regarding practicle guidance on setting up security 
> policy.
> I'm also looking for a book that would address steps that
> can be taken in order to facilitate prosecution of security
> violations.
> 
Here's some info I once received.

Colin

Information Security Policies Made Easy (ISPME) is the most comprehensive
collection of information security policies available.  Written by
internationally known security consultant Charles Cresson Wood, ISPME
contains 600+ already-written policies. Available in both hardcopy and
floppy disk form, this product allows you to use your favorite word
processing package to "cut and paste" to create a set of policies relevant
to your computing environment.  While most people use key-word search
facilities in their word processor, ISPME includes several indexes to help
locate the information of interest to you.  Policies cover the following
topics:  PC's, LAN's, E-Mail, Internet and more!

ISPME also provides extensive sections addressing: (1) how to write
information security policies, (2) how to gain management support, and
(3) how to identify standards that can be used to implement policies.

ISPME is available for the IBM-PC or Macintosh: MS Word and Word Perfect
for the IBM-PC, MS Word for the Macintosh, as well as ASCII flat files for
any other word processing package.

We accept VISA/MC and AMEX as well as Purchase Orders within the US and
Canada.  We request prepayment for all international orders.

Visit our website (address below) or we would be happy to fax you sample
pages along ordering information.  Please contact us at:

Baseline Software, Inc. tel#:415-332-7763 or 800-829-9955(USA/CAN)
P. O. Box 1219                  fax#:           415-332-8032.
Sausalito, CA 94966-1219                E-mail: info@baselinesoft.com
Website: www.baselinesoft.com/people/infosec


From firewalls-owner  Thu Aug  8 17:43:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA00246 for firewalls-outgoing; Thu, 8 Aug 1996 17:29:07 -0700 (PDT)
Received: from extol.com.my (portal.extol.com.my [202.185.238.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA00228; Thu, 8 Aug 1996 17:28:55 -0700 (PDT)
Received: from pclow.extol.com.my ([10.1.2.1]) by portal.extol.com.my with SMTP id <24322>; Fri, 9 Aug 1996 08:29:58 +0800
Message-ID: <320A8715.4281@pc.jaring.my>
Date: Fri, 9 Aug 1996 08:32:21 +0800
From: pclow <pclow@pc.jaring.my>
Reply-To: pclow@pc.jaring.my
X-Mailer: Mozilla 3.0b5a (Win95; I)
MIME-Version: 1.0
To: Michel Lavondes <lavondes@tidtest.total.fr>
CC: Peter Morrissey <ppmorris@syr.edu>, Firewalls@GreatCircle.COM,
        firewalls-digest@GreatCircle.COM
Subject: Re: Book on Policy and law
References: <9608082207.AA09354@tidtest.total.fr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michel Lavondes wrote:
> The "Site Security Handbook" RFC (sorry, don't remember the number
> off-hand) should have enough of what you want to get you started.

I think it is RFC 1244.

From firewalls-owner  Thu Aug  8 18:07:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA01036 for firewalls-outgoing; Thu, 8 Aug 1996 17:35:37 -0700 (PDT)
Received: from hobbes.polymer.uakron.edu (hobbes.polymer.uakron.edu [130.101.8.78]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA00978 for <Firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 17:35:19 -0700 (PDT)
Received: from localhost (chris@localhost) by hobbes.polymer.uakron.edu (8.7.4/8.7.3) with SMTP id UAA19034 for <Firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 20:34:31 -0400
X-Authentication-Warning: hobbes.polymer.uakron.edu: chris owned process doing -bs
Date: Thu, 8 Aug 1996 20:34:30 -0400 (EDT)
From: Chris Cole <chris@polymer.uakron.edu>
To: Firewalls@GreatCircle.COM
Subject: Tacacs vs. Radius
Message-ID: <Pine.LNX.3.94.960808203120.19020A-100000@hobbes.polymer.uakron.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anybody have an opinion as to whether or not Tacacs/Tacacs+ is
superior to Radius?  We are looking at the Livingston Portmaster 2E, and
understand that Radius is "the authentication package" to run.  Is this
true?  Can the Livingston Portmaster support Tacacs?

	Thanks,
	-Chris Cole

+-->>> Chris Cole <<<----+----------------------------------------------------+
|/voice: (330) 972-6104 \|   eMail: chris@polymer.uakron.edu               /=/|
|\  fax: (330) 972-5396 /|    http: www.polymer.uakron.edu/users/chris     \=\|
| \/\/\/\/\/\/\/\/\/\/\/ |     ftp: ftp.polymer.uakron.edu/users/chris     /=/|
| Experience is something you don't get until just after you need it.      \=\|
+------------------------+----------------------------------<<<OOOOOOOOOO>>>--+


From firewalls-owner  Thu Aug  8 18:37:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA08396 for firewalls-outgoing; Thu, 8 Aug 1996 18:28:06 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA08374 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 18:27:53 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0U5JC00Q Thu, 08 Aug 96 21:27:52 
Message-ID: <9608082127.0U5JC00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Thu, 08 Aug 96 21:27:52 
Subject: Thanks
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Thank You   to everyone who answered my questions on SYN  ICMP  and 
Authentication   The replies were very helpful   I passed them on to BigCo

A french dude said
I can hardly believe you cant get that info by yourself

There was an old fart called Einstein who said that what you see depends 
on where you stand   That seems to be true of the Internet as well 
>From some service providers you can see a great deal   From others you
can see very little   The same command in different parts of the Internet
produces widely different results   The old fart was right   

The french dude was wrong
                                                 PoT_LiCkeR

- Thank you too Limeys for your historic contribution of poisoning Napoleon -

From firewalls-owner  Thu Aug  8 19:37:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA16216 for firewalls-outgoing; Thu, 8 Aug 1996 19:26:57 -0700 (PDT)
Received: from merak.idola.net.id (merak.IdOLA.net.id [202.152.0.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA16202 for <Firewalls@GreatCircle.COM>; Thu, 8 Aug 1996 19:26:49 -0700 (PDT)
Received: from nuri.IdOLA.net.id by merak.idola.net.id; (5.65v3.2/1.1.8.2/22Mar96-0518PM)
	id AA10958; Fri, 9 Aug 1996 09:28:35 +0700
Date: Fri, 9 Aug 1996 09:28:35 +0700
Message-Id: <9608090228.AA10958@merak.idola.net.id>
X-Sender: aries@elang.idola.net.id (Unverified)
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Yohannes Aries <aries@idola.net.id>
Subject: RADIUS
Cc: cisco@spot.colorado.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,...
Does anyone know if cisco support Radius??
If the answer is YES, how can I configure the cisco to make it possible to
communicate with Radius Server??
TIA,

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Yohannes Aries Sulistyono	Phone : +6221-2302345
Internet Service Division	Fax   : +6221-2303883
PT Aplikanusa Lintasarta	email : aries@idola.net.id
Menara Thamrin 12th Floor	http://www.idola.net.id/~aries
Jl. MH Thamrin kav 3
JAKARTA - 10340
INDONESIA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


From firewalls-owner  Thu Aug  8 19:52:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA17102 for firewalls-outgoing; Thu, 8 Aug 1996 19:46:55 -0700 (PDT)
Received: from hal-pc.org (hal-pc.org [204.52.135.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA17084; Thu, 8 Aug 1996 19:46:44 -0700 (PDT)
Received: from pm5-50.hal-pc.org (pm5-50.hal-pc.org [206.222.161.50]) by hal-pc.org (8.7.5/8.6.9) with SMTP id VAA06100; Thu, 8 Aug 1996 21:46:46 -0500 (CDT)
Message-Id: <199608090246.VAA06100@hal-pc.org>
Comments: Authenticated sender is <robertp@mail.hal-pc.org>
From: "robertp@hal-pc.org" <robertp@hal-pc.org>
Organization:  hal-pc.org
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM,
        Peter Morrissey <ppmorris@syr.edu>
Date:          Thu, 8 Aug 1996 21:38:32 +0000
MIME-Version:  1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject:       Re: Book on Policy and law
X-mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In addition to RFC1244 (which, while extremely valuable I believe 
it's a 1991 edition), you may wish to check the Internet Draft of the 
Network Working Group from Internic - "Site Security Handbook" dated 
December, 1995.
Also,
the Internet Draft -" Catalogue of Network Training Materials", - 
same source

Site Security Policy Development by Rob McMillan at 
R.McMillan@its.gu.edu.au

> Can anyone suggest a good book and/or other resources 
> regarding practicle guidance on setting up security 
> policy.

 
Bob Plaumann
It is difficult to say what is impossible for the dream 
of yesterday is the reality of tomorrow - Dr. Robert H. 
Goddard

From firewalls-owner  Thu Aug  8 22:52:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA25091 for firewalls-outgoing; Thu, 8 Aug 1996 22:43:10 -0700 (PDT)
Received: from relay.xlink.net (relay.xlink.net [193.141.40.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA25076 for <firewalls@greatcircle.com>; Thu, 8 Aug 1996 22:43:03 -0700 (PDT)
Received: from 192.109.203.51 by relay.xlink.net id <121109-0@relay.xlink.net>;
          Fri, 9 Aug 1996 07:42:57 +0000
Received: by nemo.baltic.de (Linux Smail3.1.28.1 #1) id m0uokqf-000A9EC;
          Fri, 9 Aug 96 08:15 MET DST
Received: (from ft@localhost) by amber.baltic.de (8.6.12/8.6.9) id HAA03480 
          for firewalls@greatcircle.com; Fri, 9 Aug 1996 07:45:21 +0200
Date: Fri, 9 Aug 1996 07:45:21 +0200
From: Frank Tegtmeyer <ft@amber.baltic.de>
Message-Id: <199608090545.HAA03480@amber.baltic.de>
To: firewalls@greatcircle.com
Subject: Re: If I understand corectly, smtp mail can be forged. One way "IP
Organization: private Linux site in Rostock, Germany
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> You can prevent people from sending forge mail from your UNIX workstation by 
> enabling TCP-wrapper(tcpd) in inetd for smtp.

This is not useable for machines with high traffic. Better to patch
sendmail or use another MTA that has this already.
Also this solution limits your incoming connections to some MX hosts
that collect your mail first. This means you have to split your mail
system at least into a sending and a receiving site.
Anyway this solution does not prevent forging at any site in the world.
Even the sender's IP address could be forged.

Frank.

From firewalls-owner  Fri Aug  9 00:22:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA28701 for firewalls-outgoing; Fri, 9 Aug 1996 00:15:24 -0700 (PDT)
Received: from zeus ([194.242.64.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA28693 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 00:15:16 -0700 (PDT)
Received: (from root@localhost) by zeus (8.6.11/8.6.9) id JAA00122 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 09:17:12 +0100
Received: from pc_erik(172.16.10.232) by zeus via smap (V2.0alpha)
	id sma000120; Fri Aug  9 09:16:51 1996
Message-ID: <320AE44A.167D@labs.emea.att.com>
Date: Fri, 09 Aug 1996 09:10:02 +0200
From: Erik BEAUVALOT <erik@labs.emea.att.com>
Reply-To: erik@labs.emea.att.com
X-Mailer: Mozilla 3.0b5a (Win95; I)
MIME-Version: 1.0
To: GreatCircle <Firewalls@GreatCircle.COM>
Subject: Re: RADIUS
References: <9608090228.AA10958@merak.idola.net.id>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yohannes Aries wrote:
> 
> Hi,...
> Does anyone know if cisco support Radius??
> If the answer is YES, how can I configure the cisco to make it possible to
> communicate with Radius Server??
> TIA,
> 

 The last Version of the OS support RADIUS V11.1
 But the better is V11.1(4) on the other you have
 some probleme with some attribute (Session Timeout ...).

 To configure it : aaa ...  
 You must configure the authorization, authentification,

  aaa authentification if-needed radius
  aaa authorization exec radius

  I don't remenber if there is other special things .

  But In the CISCO CDROM you have everything to configure it
  It's not very hard .
-- 
-------------------------------------------------
Erik BEAUVALOT AT&T R&D Lab Manager of Paris/EMEA
Tel : +(33)1 47 67 46 06   GSM: +(33) 09 48 32 11
E-Mail : ebeauvalot@attmail.com
http://www.labs.emea.att.com/~erik
-------------------------------------------------

From firewalls-owner  Fri Aug  9 02:41:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA07579 for firewalls-outgoing; Fri, 9 Aug 1996 02:22:48 -0700 (PDT)
Received: from gatekeeper.nodeca.mil.no (gatekeeper.nodeca.mil.no [158.36.141.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA07572 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 02:22:40 -0700 (PDT)
Received: by gatekeeper.nodeca.mil.no (5.x/SMI-SVR4)
	id AA16431; Fri, 9 Aug 1996 11:23:05 +0200
Received: from mailhost.ftd.mil.no(144.84.44.141) by ebon via smap (V1.3)
	id sma016405; Fri Aug  9 11:22:01 1996
Received: from nt-u by mailhost.ftd.mil.no (SMI-8.6/SMI-SVR4)
	id KAA23488; Fri, 9 Aug 1996 10:18:54 -0100
Date: Fri, 9 Aug 1996 10:18:54 -0100
Message-Id: <199608091118.KAA23488@mailhost.ftd.mil.no>
X-Sender: valper@nodeca.mil.no
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Per-Henning Valderhaug <valper@nodeca.mil.no>
Subject: Firewall and NOS integration (NetWare and NT)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for firewalls that can be integrated into the network operating
system (NOS) in Novell NetWare or Windows NT environments.

Novell NetWare
For NetWare I want the firewall to read the users ID from the NDS. The
firewall should then give the user access to communicate to defined hosts
using defined services based on the users groupmemberships in the NDS. E.g.
if a user is a member of the NDS group TELNET_TO_HOST1, the user should be
able to run a telnet session to HOST1 and all other services should be
blocked by the user. The firewall should not prompt the user for name and
password, since the user is authenticated towards NDS.

Windows NT
Same as NetWare, exept that NDS is substituted by the NT domain (at least
until Novell or Microsoft ports the entire NDS to NT).


I have done some testing of NOV*IX from Firefox, and it works the way I
want. I also believe IWare Connect from Quarterdeck supports this functionality.

Do you know if there are other firewalls supporting the functionality I have
described here? What are your opinions of these products?



The very best regards
Per-Henning Valderhaug

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

 Per-Henning Valderhaug	      
 Forsvarets Tele- og Datatjeneste    
 Oslo mil/Akershus		      
 N-0015 OSLO			      
 NORWAY			      
 				      
 Phone: 	+47 22 40 24 00	      
 Direct line: 	+47 22 40 26 88           
 Telefax:	+47 22 40 29 97           
 				      
 e-mail: 	valper@nodeca.mil.no  

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-


From firewalls-owner  Fri Aug  9 03:38:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA11055 for firewalls-outgoing; Fri, 9 Aug 1996 03:27:19 -0700 (PDT)
Received: from services.com (IRCWEST1.SERVICES.COM [199.183.20.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA11048; Fri, 9 Aug 1996 03:27:13 -0700 (PDT)
Received: from [199.183.20.221] (IMGLAP2.SERVICES.COM [199.183.20.221]) by services.com (8.6.5/8.6.5) with SMTP id FAA05249; Fri, 9 Aug 1996 05:39:57 -0400
Message-Id: <199608090939.FAA05249@services.com>
To: Peter Morrissey <ppmorris@syr.edu>
Subject: Re: Book on Policy and law
Date: Fri, 09 Aug 96 06:31:46 -0500
From: "Carlos M. Recalde" <carlos@services.com>
X-Mailer: E-Mail Connection v2.5.03
CC: "Firewalls@GreatCircle.COM" <Firewalls@GreatCircle.COM>,
        Firewalls-Digest <firewalls-digest-owner@GreatCircle.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: Carlos M. Recalde * EMC.Ver #2.5.02 ] --


In message <320A7DA7.8CC@syr.edu>, Peter Morrissey writes:
> Can anyone suggest a good book and/or other resources 
> regarding practicle guidance on setting up security 
> policy.

I found what looks like a really good starting point if you're willing to
spend a few dollars.  Check out
http://www.baselinesoft.com/
They are offering a book plus a complete set of pre-written policies with
instructions on how to tweak them for your own purposes.  I have not seen
the actual product, but their brochure looks good.  I am working with a
large client that thinks this is worth the money and is ordering a copy.

-
Carlos M. Recalde
The Internet Marketing Group, Inc.



From firewalls-owner  Fri Aug  9 04:40:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA13951 for firewalls-outgoing; Fri, 9 Aug 1996 04:29:19 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id EAA13944 for <firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 04:29:11 -0700 (PDT)
Message-Id: <199608091129.EAA13944@miles.greatcircle.com>
Received: by cheops.anu.edu.au
	(1.37.109.16/16.2) id AA059030142; Fri, 9 Aug 1996 21:29:02 +1000
From: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: Single IP IP filter
To: gunni@if.is (Gunnar Ingvi Thorisson)
Date: Fri, 9 Aug 1996 21:29:01 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199608081630.QAA30710@linda.if.is> from "Gunnar Ingvi Thorisson" at Aug 8, 96 04:30:12 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Gunnar Ingvi Thorisson, sie said:
> 
> Someone know if DrawBrigde is able to filter IP packets for one IP 
> address rather than the while subnet? I'm looking for a product that is 
> able to pick up a packet if it matches the IP of a single host and router 
> it to another ethernet network.
> 
> 
>     Network A      |   Network B               |        Network C
>                    |                           |
>                    |                           |
>              .-----------.             .----------------.
>              | IP filter | --------->  | Firewall/Proxy |
>              `-----------'             `----------------'
>              eth0  | eth1         eth0=        | eth1 = 192.168.100.200
>   Network =        |              192.168.1.1  | 
>   192.168.1.0      |                           |
> 
> The IP filter shouldn't have to have any IP addresses, if it sees a packet 
> that is addressed to the firewalls eth interface 0 (192.168.1.1) that is 
> running on 192.168.1.0 network (IP filters eth0) it copies the packet to 
> the eth1 interface and vise versa. Uses an access-list. Does such a 
> product exist? Is it possible by the way?

Sounds like you're after a bridge with IP filtering capabilities.

However, I suspect that IP Filter _may_ be able to work this way but you'd
need to setup fake ARP entries in your kernels/routers.  How can it do
this ?  It can do limited bridging/routing so long as the packets come
in the interface in non-promiscous mode (and are IP).  I don't know of
anyone using that exact scenario, but it allows this to make it
invisible to traceroute style tools.  It runs best on a FreeBSD or NetBSD
Unix box and has fully fledged access control lists for TCP/IP filtering.

http://coombs.anu.edu.au/~avalon/ip-filter.html

Darren

From firewalls-owner  Fri Aug  9 05:38:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA17464 for firewalls-outgoing; Fri, 9 Aug 1996 05:35:06 -0700 (PDT)
Received: from unix.intermedia.com (unix.intermedia.com [162.47.1.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA17450 for <Firewalls@greatcircle.com>; Fri, 9 Aug 1996 05:35:00 -0700 (PDT)
Received: from speedy (speedy.intermedia.com [162.47.1.100]) by unix.intermedia.com (8.7.5/8.7.3) with SMTP id IAA20198; Fri, 9 Aug 1996 08:34:33 -0400 (EDT)
Date: Fri, 9 Aug 1996 08:34:33 -0400 (EDT)
From: Ian Blenke <ianb@unix.intermedia.com>
X-Sender: ianb@speedy
To: Yohannes Aries <aries@idola.net.id>
cc: Firewalls@greatcircle.com, cisco@spot.colorado.edu
Subject: Re: RADIUS
In-Reply-To: <9608090228.AA10958@merak.idola.net.id>
Message-ID: <Pine.SOL.3.93.960809082840.8502B-100000@speedy>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 9 Aug 1996, Yohannes Aries wrote:

> Hi,...
> Does anyone know if cisco support Radius??
> If the answer is YES, how can I configure the cisco to make it possible to
> communicate with Radius Server??

Yes. RTFM ;)

Only the latest IOS v11.3 (I believe) includes RADIUS support. Your best
bet at documentation is via the UniverCD pages - the latest CDROM is
always mounted at:

	http://www.cisco.com/univercd/home/home.htm

Enjoy!

- Ian Blenke <ianb@intermedia.com> Unix administrator
"You are only given a little madness, you mustn't lose it."-- Robin Williams

My comments and opinions do not reflect those of my employer. 


From firewalls-owner  Fri Aug  9 06:23:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20330 for firewalls-outgoing; Fri, 9 Aug 1996 06:13:57 -0700 (PDT)
Received: from catios.udea.edu.co (catios.udea.edu.co [200.24.18.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20295; Fri, 9 Aug 1996 06:13:41 -0700 (PDT)
Received: (from alcides@localhost) by catios.udea.edu.co (8.6.12/8.6.9) id HAA00524; Fri, 9 Aug 1996 07:40:39 -0500
Date: Fri, 9 Aug 1996 07:40:37 -0500 (GMT-0500)
From: Alcides Montoya Can~ola <alcides@catios.udea.edu.co>
To: "Henry W. Farkas" <hfarkas@ims.advantis.com>
cc: Peter Morrissey <ppmorris@syr.edu>, Firewalls@GreatCircle.COM,
        firewalls-digest@GreatCircle.COM
Subject: Re: Book on Policy and law
In-Reply-To: <Pine.A32.3.91.960808175449.14879E-100000@gandalf.ims.advantis.com>
Message-ID: <Pine.LNX.3.91.960809073855.490A-100000@catios.udea.edu.co>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A good book is:
PRACTICAL UNIX SECURITY
Simson Garfinkel and Gene Spafford.
O'Reilly&Associates,Inc.



  		############################################
	                    Alcides Montoya C.
			   Departamento de Fisica
		oficina: Centro de CapacitaciOn Internet
		Biblioteca Central- Universidad de Antioquia
		e-mail: alcides@catios.udea.edu.co
			alcides@vlsi.udea.edu.co
                ############################################

			                |                 __o         o
			                |               _ \<_        <\
				        | __/\o_       (_)/(_)       />
				        |
				        |  swim          bike       run

    



From firewalls-owner  Fri Aug  9 06:40:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20906 for firewalls-outgoing; Fri, 9 Aug 1996 06:23:20 -0700 (PDT)
Received: from aic.net (AIC.NET [194.67.30.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA20749 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 06:21:17 -0700 (PDT)
Received: by aic.net (8.7.3/8.7.3) id RAA04509; Fri, 9 Aug 1996 17:15:44 +0400 (AMT)
From: "Edgar Der-Danieliantz [ET22]" <edd@aic.net>
X-AMNIC-URL: http://www.nic.am (will soon change to www.amnic.net)
X-AMNIC-Telephone: +374 2 28 14 25 (will change)
X-AMNIC-FAX: +374 2 28 50 82 (will change)
Message-Id: <199608091315.RAA04509@aic.net>
Subject: Re: RADIUS
To: ianb@unix.intermedia.com (Ian Blenke)
Date: Fri, 9 Aug 1996 17:15:44 +0400 (AMT)
Cc: aries@idola.net.id, Firewalls@GreatCircle.COM, cisco@spot.colorado.edu
In-Reply-To: <Pine.SOL.3.93.960809082840.8502B-100000@speedy> from "Ian Blenke" at Aug 9, 96 08:34:33 am
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> On Fri, 9 Aug 1996, Yohannes Aries wrote:
> 
> > Hi,...
> > Does anyone know if cisco support Radius??
> > If the answer is YES, how can I configure the cisco to make it possible to
> > communicate with Radius Server??
> 
> Yes. RTFM ;)
> 
> Only the latest IOS v11.3 (I believe) includes RADIUS support. Your best

11.3??? There is no such thing. The latest is 11.1, 11.2 is expected in Sep/Oct....

-edd

From firewalls-owner  Fri Aug  9 07:23:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26291 for firewalls-outgoing; Fri, 9 Aug 1996 07:19:50 -0700 (PDT)
Received: from unix.intermedia.com (unix.intermedia.com [162.47.1.20]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA26260 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 07:19:35 -0700 (PDT)
Received: from speedy (speedy.intermedia.com [162.47.1.100]) by unix.intermedia.com (8.7.5/8.7.3) with SMTP id KAA20805; Fri, 9 Aug 1996 10:17:56 -0400 (EDT)
Date: Fri, 9 Aug 1996 10:17:56 -0400 (EDT)
From: Ian Blenke <ianb@unix.intermedia.com>
X-Sender: ianb@speedy
To: "Edgar Der-Danieliantz [ET22]" <edd@aic.net>
cc: Ian Blenke <ianb@unix.intermedia.com>, Firewalls@GreatCircle.COM,
        cisco@spot.colorado.edu
Subject: Re: RADIUS
In-Reply-To: <199608091315.RAA04509@aic.net>
Message-ID: <Pine.SOL.3.93.960809101322.8502G-100000@speedy>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 9 Aug 1996, Edgar Der-Danieliantz [ET22] wrote:

> 11.3??? There is no such thing. The latest is 11.1, 11.2 is expected in Sep/Oct....

OMIF (Open Mouth Insert Foot)

11.3 is a fictional release, probably due to my past recollection of 10.3
and 11.1, and a bit of a nasty hangover and/or sleep deprivation.

My bad... 11.1(4), as an earlier poster suggested, is the correct release
to fix the RADIUS timeout problem. 

My apologies.

- Ian Blenke <ianb@intermedia.com> Unix administrator
"You are only given a little madness, you mustn't lose it."-- Robin Williams

My comments and opinions do not reflect those of my employer. 


From firewalls-owner  Fri Aug  9 07:38:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27035 for firewalls-outgoing; Fri, 9 Aug 1996 07:35:10 -0700 (PDT)
Received: from aic.net (AIC.NET [194.67.30.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA26911 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 07:31:55 -0700 (PDT)
Received: by aic.net (8.7.3/8.7.3) id SAA04969; Fri, 9 Aug 1996 18:21:26 +0400 (AMT)
From: "Edgar Der-Danieliantz [ET22]" <edd@aic.net>
X-AMNIC-URL: http://www.nic.am (will soon change to www.amnic.net)
X-AMNIC-Telephone: +374 2 28 14 25 (will change)
X-AMNIC-FAX: +374 2 28 50 82 (will change)
Message-Id: <199608091421.SAA04969@aic.net>
Subject: Re: RADIUS
To: ianb@unix.intermedia.com (Ian Blenke)
Date: Fri, 9 Aug 1996 18:21:26 +0400 (AMT)
Cc: edd@AIC.NET, ianb@unix.intermedia.com, Firewalls@GreatCircle.COM,
        cisco@spot.colorado.edu
In-Reply-To: <Pine.SOL.3.93.960809101322.8502G-100000@speedy> from "Ian Blenke" at Aug 9, 96 10:17:56 am
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > 11.3??? There is no such thing. The latest is 11.1, 11.2 is expected in Sep/Oct....
> 
> 11.3 is a fictional release, probably due to my past recollection of 10.3
> and 11.1, and a bit of a nasty hangover and/or sleep deprivation.
> My bad... 11.1(4), as an earlier poster suggested, is the correct release
> to fix the RADIUS timeout problem. 
> My apologies.

No problem - I'm waiting for 11.2 too! :-)

-edd


From firewalls-owner  Fri Aug  9 07:54:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26594 for firewalls-outgoing; Fri, 9 Aug 1996 07:25:42 -0700 (PDT)
Received: from aic.net (AIC.NET [194.67.30.65]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA26531 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 07:24:23 -0700 (PDT)
Received: by aic.net (8.7.3/8.7.3) id SAA04969; Fri, 9 Aug 1996 18:21:26 +0400 (AMT)
From: "Edgar Der-Danieliantz [ET22]" <edd@aic.net>
X-AMNIC-URL: http://www.nic.am (will soon change to www.amnic.net)
X-AMNIC-Telephone: +374 2 28 14 25 (will change)
X-AMNIC-FAX: +374 2 28 50 82 (will change)
Message-Id: <199608091421.SAA04969@aic.net>
Subject: Re: RADIUS
To: ianb@unix.intermedia.com (Ian Blenke)
Date: Fri, 9 Aug 1996 18:21:26 +0400 (AMT)
Cc: edd@AIC.NET, ianb@unix.intermedia.com, Firewalls@GreatCircle.COM,
        cisco@spot.colorado.edu
In-Reply-To: <Pine.SOL.3.93.960809101322.8502G-100000@speedy> from "Ian Blenke" at Aug 9, 96 10:17:56 am
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > 11.3??? There is no such thing. The latest is 11.1, 11.2 is expected in Sep/Oct....
> 
> 11.3 is a fictional release, probably due to my past recollection of 10.3
> and 11.1, and a bit of a nasty hangover and/or sleep deprivation.
> My bad... 11.1(4), as an earlier poster suggested, is the correct release
> to fix the RADIUS timeout problem. 
> My apologies.

No problem - I'm waiting for 11.2 too! :-)

-edd


From firewalls-owner  Fri Aug  9 07:57:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26124 for firewalls-outgoing; Fri, 9 Aug 1996 07:17:54 -0700 (PDT)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA26095 for <firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 07:17:42 -0700 (PDT)
Received: by smartwall.v-one.com; id KAA00814; Fri, 9 Aug 1996 10:15:09 -0400 (EDT)
Received: from mail.v-one.com(198.69.135.6) by smartwall.v-one.com via smap (V3.1.1)
	id xma000772; Fri, 9 Aug 96 10:14:41 -0400
Received: (from csample@localhost) by mail.v-one.com (8.7.3/8.7.3) id KAA01225; Fri, 9 Aug 1996 10:11:14 -0400 (EDT)
Date: Fri, 9 Aug 1996 10:11:13 -0400 (EDT)
From: char <csample@v-one.com>
To: Steve Kotsopoulos <steve@ecf.toronto.edu>
cc: firewalls@GreatCircle.COM
Subject: Re: Info World Firewall Articles
In-Reply-To: <96Aug8.173101edt.10103@cannon.ecf.toronto.edu>
Message-ID: <Pine.BSI.3.91.960809095831.506E-100000@mail.v-one.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 8 Aug 1996, Steve Kotsopoulos wrote:

> jminie@earthlink.net wrote:
> >We're aware of how insecure UNIX is natively.  The point here is that a
> >firewall should be as close to 100% secure as possible out-of-the-box,
> >removing the possibility that human intervention (or human NON-intervention,
> >for that matter) doesn't create or allow ANY holes for ANY length of time.
> >
> >A couple of UNIX-based firewall vendors DO address the issue of the
> >non-secure kernel.  If kernel insecurity is addressed at the vendor level,
> >(i.e. - the guys making the money) the argument about customer-level
> >'professional' versus 'scanner' firewall users should be non-existent.  I
> >truly believe in the concept that, without a hardened kernel there is no way
> >to guarantee a truly secure firewall.
> 
> I agree. Here are my new definitions, which may be of use to others:
> 
> A 'firewall' is a system that if configured correctly by professionals
>  (who have read all the manuals from cover to cover), and notwithstanding
>  hardware or software bugs or problems, protects your network.

And I'd like to modify your definations:
A "firewall" is an access control device. It can be used to protect your 
network, a small group of hosts w/in your network or even a single host.

A good firewall is determined not only by its architecture, but also by it's
ability to protect both itself and the trusted host(s) located "behind" it.

> 
> A 'good firewall' is a system that protects your network.
>  It must have defense in depth, so that in the event of a failure (such
>  as after the discovery of new bugs), other mechanisms will protect you.

This is but one paradigm.  A perimeter defense is the other and is the 
preferred defense paradigm among network security consultants.  Generally, 
spreading out your defense (especially in large networks) can be a nightmare
for system administrators.  However, if you like the defense in depth 
paradigm and if you have anything worthwhile on you trusted network be 
prepared for uninvited guests.

>  It must have a fail-safe design, for protection in the event of
>  hardware/software problems or administrative errors. Instead of letting
>  attackers in when there is a failure, fail-safe systems deny access to
>  both attackers and legitimate users. Failure to read the manual may result
>  in you not being able to turn a service on, instead of the service being
>  wide open without protection, and possibly making your internal network
>  vulnerable.
> 
> If I wanted to protect my network, I would buy a 'good firewall'.

I would buy a "good firewall" but I think I'd differ from your definition.
> 
> Since so many people wanted to talk about the necessity of completely
> reading the manuals, I searched the FireWall-1 web site to see what
> they had to say about it. The closest I could find was the "Ease of Use"
> paragraph at http://www.checkpoint.com/brochure/page10.html
> It starts with  "FireWall-1 was designed to be easily installed,
> configured and managed.", then talks about the easy to use GUI,
> and the integrity checking that reduces the chance of operator error.
> I couldn't find any mention of a manual.

I don't want to get into vendor product endorsement or advertising here, but
I would not make a blanket statement like that.  The firewall you select for
your site should be determined by your site security policy first.

char
+---------------------------------------------------------------------------+
 char sample	/* that really is my name */
 e-mail: char@v-one.com
+---------------------------------------------------------------------------+

From firewalls-owner  Fri Aug  9 09:38:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06194 for firewalls-outgoing; Fri, 9 Aug 1996 09:33:11 -0700 (PDT)
Received: from labs-n.bbn.com (LABS-N.BBN.COM [128.89.0.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA06180 for <Firewalls@greatcircle.com>; Fri, 9 Aug 1996 09:33:04 -0700 (PDT)
Message-Id: <199608091633.JAA06180@miles.greatcircle.com>
Date:     Fri, 9 Aug 96 12:32:43 EDT
From: Michael Laufer <mlaufer@BBN.COM>
To: Yohannes Aries <aries@idola.net.id>
cc: Firewalls@greatcircle.com, cisco@spot.colorado.edu
Subject:  Re:  RADIUS
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have been recently working with Radius on a Cisco.  We started with 11.1.3
and just moved to 11.1.4.  We set up Radius for both user authentication and
accounting.  We added the following into the router config to support this:

aaa new-model
aaa authentication local-override
aaa authentication login default radius line none
aaa authentication ppp default radius
aaa authorization commands 0 radius if-authenticated
aaa authorization network radius if-authenticated
aaa accounting exec start-stop radius
aaa accounting commands 0 start-stop radius
aaa accounting network start-stop radius tacacs+
aaa accounting connection start-stop radius
aaa accounting system start-stop radius

Michael Laufer
mlaufer@bbn.com

From firewalls-owner  Fri Aug  9 10:02:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05985 for firewalls-outgoing; Fri, 9 Aug 1996 09:25:23 -0700 (PDT)
Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA05978 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 09:25:17 -0700 (PDT)
Received: by relay2.cospo.osis.gov (4.1/SMI-4.1)
	id AA09655; Fri, 9 Aug 96 12:15:47 EDT
Message-Id: <9608091615.AA09655@relay2.cospo.osis.gov>
Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3)
	id sma009653; Fri Aug  9 12:15:42 1996
Received: by washington.cospo.osis.gov
	(1.38.193.4/16.2) id AA06768; Fri, 9 Aug 1996 12:24:35 -0400
Date: Fri, 9 Aug 1996 12:24:35 -0400
From: "Joseph S. D. Yao" <jsdy@cospo.osis.gov>
To: Firewalls@GreatCircle.COM
Subject: Re:  authentication software
Cc: beatrice@hermes.sgc.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Tue, 6 Aug 96 13:01:55 EDT
> From: beatrice@hermes.sgc.com (Beatrice Mukantabana)
> Subject: authentication software
>
>  I am looking for an advanced authentication software to use on a modelpool server
> to protect dial-in logins (something like a modempool firewall).
> The modempoll server is a  SUN machine running SunOS.

We're using a Xylogics Annex terminal server, with S/Key hosted on a
SunOS system on the same outer network, for both character-based and
PPP IP network dial-in connections.  Should also work with a SunOS
terminal server, if you have the software set up right.  I'd have to
think a while to be sure how to do that.  Can you afford a separate
terminal server?

--
Joe Yao				jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO Computer Support						EMT-A/B
-----------------------------------------------------------------------
	PLEASE ... send or Cc: all "COSPO Computer Support" mail to
			sys-adm@cospo.osis.gov

From firewalls-owner  Fri Aug  9 10:09:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06217 for firewalls-outgoing; Fri, 9 Aug 1996 09:33:52 -0700 (PDT)
Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA06197 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 09:33:41 -0700 (PDT)
Received: by relay2.cospo.osis.gov (4.1/SMI-4.1)
	id AA09669; Fri, 9 Aug 96 12:24:18 EDT
Message-Id: <9608091624.AA09669@relay2.cospo.osis.gov>
Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3)
	id sma009667; Fri Aug  9 12:24:09 1996
Received: by washington.cospo.osis.gov
	(1.38.193.4/16.2) id AA06788; Fri, 9 Aug 1996 12:33:03 -0400
Date: Fri, 9 Aug 1996 12:33:03 -0400
From: "Joseph S. D. Yao" <jsdy@cospo.osis.gov>
To: Firewalls@GreatCircle.COM
Subject: Re:  Info World Firewall Articles
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 8 Aug 1996 17:30:58 -0400
> From: Steve Kotsopoulos <steve@ecf.toronto.edu>
> Subject: Re: Info World Firewall Articles
> 
> jminie@earthlink.net wrote:
> >We're aware of how insecure UNIX is natively.  ...

Let's clarify this.  Unix is an operating system that allows you great
latitude in how you set it up.  It is neither secure nor insecure
"natively" (whatever that means).  It can be set up as Ken and Dennis
did initially, in a "friendly" environment, so that everybody can do
anything.  In these days, probably a very very bad idea.  It can also
be set up quite tightly, so that it's about as secure as any operating
system NOT SPECIFICALLY DESIGNED FOR HIGH-LEVEL SECURITY can get.  This
should, preferably, be done by REAL systems professionals, not "I just
graduated from college, and have read all of Microsoft's and Sun's
press releases, and therefore know everything there is to know about
computer security" types.  (To everyone: NO, I am NOT talking about
YOU; but you do know someone something like that, don't you?  ;-))

This is why the majority of real software security specialists started
their secure systems and firewall systems on some variant of Unix.
Please note that I said "the majority", and not "all": this is not
meant to start a flaming contest or any other sort of contest.

--
Joe Yao				jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO Computer Support						EMT-A/B
-----------------------------------------------------------------------
	PLEASE ... send or Cc: all "COSPO Computer Support" mail to
			sys-adm@cospo.osis.gov

From firewalls-owner  Fri Aug  9 10:18:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06149 for firewalls-outgoing; Fri, 9 Aug 1996 09:31:47 -0700 (PDT)
Received: from fionn.lbl.gov (fionn.lbl.gov [128.3.128.60]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA06142 for <firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 09:31:42 -0700 (PDT)
Received: (mike@localhost) by fionn.lbl.gov (LBNLMWH3/LBNLCF) id JAA04923; Fri, 9 Aug 1996 09:31:32 -0700 (PDT)
Message-Id: <199608091631.JAA04923@fionn.lbl.gov>
From: mike@fionn.lbl.gov (Michael Helm)
Date: Fri, 9 Aug 1996 09:31:31 PDT
In-Reply-To: Frank Tegtmeyer <ft@amber.baltic.de>
       "Re: If I understand corectly, smtp mail can be forged. One way "IP" (Aug  9,  7:45am)
Reply-To: mike@fionn.lbl.gov
X-Mailer: Mail User's Shell (7.2.3 5/22/91)
To: Frank Tegtmeyer <ft@amber.baltic.de>, firewalls@GreatCircle.COM
Subject: Re: If I understand corectly, smtp mail can be forged. One way "IP
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Aug 9,  7:45am, Frank Tegtmeyer wrote:
> > You can prevent people from sending forge mail from your UNIX
> > workstation by enabling TCP-wrapper(tcpd) in inetd for smtp.

> This is not useable for machines with high traffic. Better to patch
> sendmail or use another MTA that has this already.

There's a patch for sendmail-875:
ftp://ftp.win.tue.nl:/pub/security/sendmail-tcpd.patch
(dated July 11).  I haven't had a chance to try it myself.
The idea is you build sendmail against the libwrap.a library,
like Wietse Venema's logdaemon tools.   Then sendmail itself can
use /etc/hosts.allow|deny for connection permissions &c.
Discussed recently sendmail newsgroup.

Running sendmail with tcpd from inetd is a very bad idea for
busy mail hosts, like you say.  Been there & done that!

> Also this solution limits your incoming connections to some MX hosts

Depends on your security design & other issues.  Your major
mail servers ("some MX hosts") will have to be pretty open.
But you may still find the idea of tcp wrappers useful.

> Anyway this solution does not prevent forging at any site in the world.
> Even the sender's IP address could be forged.

I believe tcp wrappers can protect you from this, if you choose.
You're not invulnerable to various kinds of dns or yp spoofing,
however.  You cannot prevent smtp forwarding (mail
user%hos1%host2@host3) this way -- you'll have to modify sendmail
source to get at this problem.  This has been discussed recently on
the sendmail news group.  Also, tcp wrappers is more of a logging &
after-the-fact block for servers that by necessity must open to
connections everywhere.

It seems like this would be a lot easier if mta's did a public/private
key negotiation when connecting; then you could have various standards
of authentication, & apply appropriate policies.

From firewalls-owner  Fri Aug  9 12:10:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA18441 for firewalls-outgoing; Fri, 9 Aug 1996 12:07:02 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA18432 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 12:06:55 -0700 (PDT)
Received: by hidata.com; id AA09455; Fri, 9 Aug 96 12:07:02 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
	id xma009439; Fri, 9 Aug 96 12:06:48 -0700
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
	id JAA24701; Fri, 9 Aug 1996 09:16:58 -0700
Date: Fri, 9 Aug 1996 09:16:58 -0700
Message-Id: <199608091616.JAA24701@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout <bill.stout@hidata.com>
Subject: HERF stuff
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe you all may be interested in this, though firewall related is
stretching it.

In today's 8/9/96 San Jose Mercury News (AP wire):
"The border patrol in San Diego and Chula Vista will be testing 'electronic 
wireless vehicle disabling devices' as a result of well-publicized high-speed 
chases" (and beatings).

Hack?  Who needs to hack to retaliate against perceived wrongdoing from; 
hospital/airline/courts/IRS/police/cityhall/compeditors/MS/Intel/subway/
abortion clinic etc?  Just click the 'phaser gun' button every time you 
drive by their data center/ICU/traffic control/office/landing strip...

The HERF wars begin.


Bill Stout
_______________________________________________________________________________
Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems   408-970-4822   ---  Disclaimer:  I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________


From firewalls-owner  Fri Aug  9 13:08:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22254 for firewalls-outgoing; Fri, 9 Aug 1996 13:04:51 -0700 (PDT)
Received: from po9.andrew.cmu.edu (PO9.ANDREW.CMU.EDU [128.2.10.109]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA22245 for <firewalls@greatcircle.com>; Fri, 9 Aug 1996 13:04:37 -0700 (PDT)
Received: (from postman@localhost) by po9.andrew.cmu.edu (8.7.5/8.7.3) id QAA14152 for firewalls@greatcircle.com; Fri, 9 Aug 1996 16:04:28 -0400
Received: via switchmail; Fri,  9 Aug 1996 16:04:24 -0400 (EDT)
Received: from unix26.andrew.cmu.edu via qmail
          ID </afs/andrew.cmu.edu/service/mailqs/q001/QF.0m2tZa200YUd00qVU0>;
          Fri,  9 Aug 1996 16:02:46 -0400 (EDT)
Received: from unix26.andrew.cmu.edu via qmail
          ID </afs/andrew.cmu.edu/usr15/amsden/.Outgoing/QF.0m2tZT200YUd0I90w0>;
          Fri,  9 Aug 1996 16:02:39 -0400 (EDT)
Received: from mms.4.60.Jun.27.1996.03.09.33.hp700.EzMail.2.0.CUILIB.3.45.SNAP.NOT.LINKED.unix26.andrew.cmu.edu.HP9000.777
          via MS.5.6.unix26.andrew.cmu.edu.hp700;
          Fri,  9 Aug 1996 16:02:39 -0400 (EDT)
Message-ID: <0m2tZT200YUd0I90o0@andrew.cmu.edu>
Date: Fri,  9 Aug 1996 16:02:39 -0400 (EDT)
From: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
To: firewalls@greatcircle.com
Subject: FWTK interface detection
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This patch to /lib/nama.c of the firewall toolkit allows you to specify
an interface to match on incoming connections.  To use it, add a /if
after any source IP address pattern.  Ex:

permit-hosts good.guy.net/eth0
will only allow good.guy.net if the connection comes in on interface eth0

Will not be guaranteed to work if you can't trust your TCP/IP code.


*** nama.c.old	Mon Jun 10 13:58:50 1996
--- nama.c	Mon Jul  8 12:58:05 1996
***************
*** 8,27 ****
  
  /*
   *	Author: Marcus J. Ranum, Trusted Information Systems, Inc.
   */
  static	char	RcsId[] = "$Header:
/usr/home/rick/fwtk1.5/fwtk/lib/RCS/nama.c,v 1.4 1996/03/28 03:46:29
rick Exp $";
  
! #include	<stdio.h>
! #include	<sys/types.h>
! #include	<sys/socket.h>
! #include	<netinet/in.h>
! #include	<netdb.h>
! #include	<syslog.h>
! #include	<ctype.h>
  
  extern	char	*inet_ntoa();
  extern	long	inet_addr();
! 
  
  #include	"firewall.h"
  
--- 8,40 ----
  
  /*
   *	Author: Marcus J. Ranum, Trusted Information Systems, Inc.
+  *	Modified: Zachary R. Amsden, Aavid Thermal Technologies
   */
+ 
  static	char	RcsId[] = "$Header:
/usr/home/rick/fwtk1.5/fwtk/lib/RCS/nama.c,v 1.4 1996/03/28 03:46:29
rick Exp $";
  
! #include <sys/types.h>
! #include <sys/socket.h>
! #include <sys/ioctl.h>
! #include <sys/syslog.h>
! #include <linux/netdevice.h>
! #include <linux/if.h>
! #include <linux/if_arp.h>
! #include <linux/if_ether.h>
! #include <linux/in.h>
! #include <stdio.h>
! #include <errno.h>
! #include <fcntl.h>
! #include <ctype.h>
! #include <stdlib.h>
! #include <string.h>
! #include <unistd.h>
! #include <netdb.h>
  
  extern	char	*inet_ntoa();
  extern	long	inet_addr();
! extern	int	errno;
! extern	char	*sys_errlist[];
  
  #include	"firewall.h"
  
***************
*** 187,192 ****
--- 200,289 ----
  	return 0;
  }
  
+ /*
+  * Returns true if socket s is bound to same address as that assigned to
+  * interface ifname, false otherwise.
+  */
+ static int
+ cameinon(s, ifname)
+ int s;
+ char *ifname;
+ {
+   Cfg *cf;
+   int skfd = -1;
+   struct ifreq ifr;
+   struct sockaddr_in addr;
+   struct sockaddr_in saddr;
+   int len;
+  
+     /* Create a channel to the NET kernel. */
+     if ((skfd = socket(PF_INET, SOCK_DGRAM,0)) < 0) {
+        syslog(LLEV,"fwtksyserr: socket failed: %s\n", sys_errlist[errno]);
+ 	return(0);
+     }
+     memset(&ifr, 0, sizeof(struct ifreq));
+     strcpy(ifr.ifr_name, ifname);
+     ifr.ifr_addr.sa_family = AF_INET;
+     if (ioctl(skfd, SIOCGIFADDR, &ifr) < 0)  {
+         syslog (LLEV, "fwtk: %s is an unknown interface", ifname);
+         return(0);
+     }
+     memcpy(&addr, &(ifr.ifr_addr), sizeof (struct sockaddr_in));
+     close(skfd);
+ #ifdef DEBUG
+     syslog (LLEV, "address for %s is %d\n", ifname, addr.sin_addr.s_addr);
+ #endif
+     len = sizeof(saddr);
+     if (getsockname(s, &saddr, &len) < 0)
+     {
+       syslog(LLEV, "fwtksyserr: getsockname() failed: %s\n",
sys_errlist[errno]);
+       return(0);
+     }
+ #ifdef DEBUG
+     syslog(LLEV, "ftwk: getsockname returned %d\n", saddr.sin_addr.s_addr);
+ #endif
+    if (addr.sin_addr.s_addr != saddr.sin_addr.s_addr)  {
+       syslog(LLEV, "fwtk: possible spoof to if %s, not from %s",
inet_ntoa(saddr.sin_addr.s_addr), ifname);
+       return(0);
+    }
+    return(1);
+ }
+ 
+ /*
+  * Like hostmatch, but also test which interface packet came in on.
+  */
+ hostmatch(pattern,name)
+ char  *pattern;
+ char  *name;
+ {
+     char *p, pat[512];
+     int x;
+     /* copy into private area because we might modify it */
+     if ((x = strlen(pattern)) >= sizeof(pat))
+     {
+       syslog(LLEV,"fwtkcfgerr: pattern %s too long!",pattern);
+       return(0);
+     }
+     strcpy(pat,pattern);
+     /*
+      * Check to see if someone tacked something like "/le0" onto the
+      * end of the name.  If so, check socket to make sure packet came
+      * in on the interface with that name.
+      *
+      * Note: This test is worthless if you can't trust the results of
+      * getsockname(), and kernel hacks are required with BSD-based
+      * systems in order to trust the results of getsockname().
+      */
+     if (p = strrchr(pat, '/'))
+     {
+       *p = '\0';              /* terminate string there */
+        if (!cameinon(0, ++p))
+           return(0);          /* came in on non-matching I/F, return false */
+     }
+     /* received on matching I/F, now do regular checking */
+     return(hostmatchreal(pat, name));
+ }
+ 
  
  
  
***************
*** 293,300 ****
  	return 0;
  }
  
! 
! hostmatch(pattern,name)
  char	*pattern;
  char	*name;
  {
--- 390,397 ----
  	return 0;
  }
  
! int
! hostmatchreal(pattern,name)
  char	*pattern;
  char	*name;
  {


From firewalls-owner  Fri Aug  9 13:23:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22587 for firewalls-outgoing; Fri, 9 Aug 1996 13:12:25 -0700 (PDT)
Received: from po9.andrew.cmu.edu (PO9.ANDREW.CMU.EDU [128.2.10.109]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA22553 for <firewalls@greatcircle.com>; Fri, 9 Aug 1996 13:12:02 -0700 (PDT)
Received: (from postman@localhost) by po9.andrew.cmu.edu (8.7.5/8.7.3) id QAA14401 for firewalls@greatcircle.com; Fri, 9 Aug 1996 16:12:05 -0400
Received: via switchmail; Fri,  9 Aug 1996 16:12:04 -0400 (EDT)
Received: from unix26.andrew.cmu.edu via qmail
          ID </afs/andrew.cmu.edu/service/mailqs/q001/QF.0m2tgS200YUd00qVY0>;
          Fri,  9 Aug 1996 16:10:06 -0400 (EDT)
Received: from unix26.andrew.cmu.edu via qmail
          ID </afs/andrew.cmu.edu/usr15/amsden/.Outgoing/QF.0m2tgR200YUd0I91g0>;
          Fri,  9 Aug 1996 16:10:05 -0400 (EDT)
Received: from mms.4.60.Jun.27.1996.03.09.33.hp700.EzMail.2.0.CUILIB.3.45.SNAP.NOT.LINKED.unix26.andrew.cmu.edu.HP9000.777
          via MS.5.6.unix26.andrew.cmu.edu.hp700;
          Fri,  9 Aug 1996 16:10:05 -0400 (EDT)
Message-ID: <0m2tgR200YUd0I91Y0@andrew.cmu.edu>
Date: Fri,  9 Aug 1996 16:10:05 -0400 (EDT)
From: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
To: firewalls@greatcircle.com
Subject: Linux IP fix
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is really three patches in one.  Three new kernel features, to
ignore ICMP redirects, ICMP pings, and to associate addresses with
interfaces strictly.  This allows getsockname() to return reliable
results, and for interface detection to be trustworthy.  The patches are
against kernel 2.0.11, but should work for most newer kernels.


*** Config.in.orig	Tue Aug  6 12:04:49 1996
--- Config.in	Tue Aug  6 13:39:20 1996
***************
*** 41,44 ****
--- 41,47 ----
  bool 'IP: Disable Path MTU Discovery (normally enabled)'
CONFIG_NO_PATH_MTU_DISCOVERY
  #bool 'IP: Disable NAGLE algorithm (normally enabled)' CONFIG_TCP_NAGLE_OFF
  bool 'IP: Drop source routed frames' CONFIG_IP_NOSR
+ bool 'IP: Strict Interface addressing (for firewalls)' CONFIG_IP_STRICT_ADDR
+ bool 'IP: Ignore ICMP redirects' CONFIG_IP_NOREDIR
+ bool 'IP: Ignore ICMP echo' CONFIG_IP_IGNORE_ECHO_REQUESTS
  bool 'IP: Allow large windows (not recommended if <16Mb of memory)'
CONFIG_SKB_LARGE
*** icmp.c.orig	Tue Aug  6 12:04:51 1996
--- icmp.c	Tue Aug  6 13:36:37 1996
***************
*** 801,810 ****
  	 *	When using no routing protocol, we MAY follow redirects. (RFC
1812, 5.2.7.2)
  	 */
  
! #if defined(CONFIG_IP_FORWARD) && !defined(CONFIG_IP_DUMB_ROUTER)
! 	NETDEBUG(printk(KERN_INFO "icmp: ICMP redirect ignored. dest = %lX, "
  	       "orig gw = %lX, \"new\" gw = %lX, device = %s.\n", ntohl(ip),
! 		ntohl(source), ntohl(icmph->un.gateway), dev->name));
  #else	
  	switch(icmph->code & 7) 
  	{
--- 801,810 ----
  	 *	When using no routing protocol, we MAY follow redirects. (RFC
1812, 5.2.7.2)
  	 */
  
! #if ((defined(CONFIG_IP_FORWARD) && !defined(CONFIG_IP_DUMB_ROUTER))
|| defined(CONFIG_IP_NOREDIR))
! 	printk(KERN_INFO "icmp: ICMP redirect ignored. dest = %lX, "
  	       "orig gw = %lX, \"new\" gw = %lX, device = %s.\n", ntohl(ip),
! 		ntohl(source), ntohl(icmph->un.gateway), dev->name);
  #else	
  	switch(icmph->code & 7) 
  	{
*** ip_input.c.orig	Tue Aug  6 13:36:57 1996
--- ip_input.c	Tue Aug  6 13:50:25 1996
***************
*** 430,439 ****
--- 430,448 ----
  	/*
  	 *	ip_chksock adds still more overhead for forwarded traffic...
  	 */
+ #ifdef CONFIG_IP_STRICT_ADDR
+ 	if ( iph->daddr == skb->dev->pa_addr || skb->redirport || ip_chksock(skb))
+ #else
  	if ( iph->daddr == skb->dev->pa_addr || skb->redirport || (brd =
ip_chk_addr(iph->daddr)) != 0 || ip_chksock(skb))
+ #endif
+    
+ #else
+ #ifdef CONFIG_IP_STRICT_ADDR
+ 	if ( iph->daddr == skb->dev->pa_addr )
  #else
  	if ( iph->daddr == skb->dev->pa_addr || (brd =
ip_chk_addr(iph->daddr)) != 0)
  #endif
+ #endif
  	{
  		if (opt && opt->srr) 
  	        {
***************
*** 441,446 ****
--- 450,458 ----
  			__u32 nexthop;
  			unsigned char * optptr = ((unsigned char *)iph) + opt->srr;
  
+ #ifdef CONFIG_IP_STRICT_ADDR
+ 			brd = ip_chk_addr(iph->daddr);
+ #endif
  			if (brd != IS_MYADDR || skb->pkt_type != PACKET_HOST) 
  			{
  				kfree_skb(skb, FREE_WRITE);


From firewalls-owner  Fri Aug  9 13:57:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA25116 for firewalls-outgoing; Fri, 9 Aug 1996 13:46:14 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA25087 for <firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 13:46:04 -0700 (PDT)
Message-Id: <199608092046.NAA25087@miles.greatcircle.com>
Received: by cheops.anu.edu.au
	(1.37.109.16/16.2) id AA182693555; Sat, 10 Aug 1996 06:45:55 +1000
From: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: Linux IP fix
To: amsden+@andrew.cmu.edu (Zachary Roger Amsden)
Date: Sat, 10 Aug 1996 06:45:55 +1000 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <0m2tgR200YUd0I91Y0@andrew.cmu.edu> from "Zachary Roger Amsden" at Aug 9, 96 04:10:05 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Zachary Roger Amsden, sie said:
> 
> This is really three patches in one.  Three new kernel features, to
> ignore ICMP redirects, ICMP pings, and to associate addresses with
> interfaces strictly.  This allows getsockname() to return reliable
> results, and for interface detection to be trustworthy.  The patches are
> against kernel 2.0.11, but should work for most newer kernels.
[...]
> + bool 'IP: Ignore ICMP redirects' CONFIG_IP_NOREDIR
> + bool 'IP: Ignore ICMP echo' CONFIG_IP_IGNORE_ECHO_REQUESTS
[...]

I'm surprised you need compile time options to make these work, given that
Linux has "ip firewalling".

If "ip_fw" (and ipfwadm) were up to scratch on filtering IP packets, you
wouldn't need these.

Having said such, I'd recommended that since this functionality doesn't
yet exist, you (or someone else who does Linux) invest some time in it.

Cheers,
Darren

From firewalls-owner  Fri Aug  9 15:11:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA01719 for firewalls-outgoing; Fri, 9 Aug 1996 15:05:21 -0700 (PDT)
Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA01712 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 15:05:14 -0700 (PDT)
Received: by relay2.cospo.osis.gov (4.1/SMI-4.1)
	id AA10203; Fri, 9 Aug 96 17:55:41 EDT
Message-Id: <9608092155.AA10203@relay2.cospo.osis.gov>
Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3)
	id sma010201; Fri Aug  9 17:55:22 1996
Received: by washington.cospo.osis.gov
	(1.38.193.4/16.2) id AA08020; Fri, 9 Aug 1996 18:04:16 -0400
Date: Fri, 9 Aug 1996 18:04:16 -0400
From: "Joseph S. D. Yao" <jsdy@cospo.osis.gov>
To: Firewalls@GreatCircle.COM
Subject: Re:  Book on Policy and law
Cc: ppmorris@syr.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 08 Aug 1996 16:52:07 -0700
> From: Peter Morrissey <ppmorris@syr.edu>
> Subject: Book on Policy and law
> 
> Can anyone suggest a good book and/or other resources 
> regarding practicle guidance on setting up security 
> policy.
> I'm also looking for a book that would address steps that
> can be taken in order to facilitate prosecution of security
> violations.

Three good books from O'Reilly & Associates (http://www.ora.com):
	Russell/Gangemi		Computer Security Basics
	Garfinkel/Spafford	Practical Unix Security
	Icove/Seger/VonStorch	Computer Crime

Check for the latest versions - Garfinkel & Spaf's book has a new
version out, I think.

--
Joe Yao				jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO Computer Support						EMT-A/B
-----------------------------------------------------------------------
	PLEASE ... send or Cc: all "COSPO Computer Support" mail to
			sys-adm@cospo.osis.gov

From firewalls-owner  Fri Aug  9 16:39:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA05981 for firewalls-outgoing; Fri, 9 Aug 1996 16:30:34 -0700 (PDT)
Received: from gozer.inri.com (gozer.inri.com [199.165.146.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA05974 for <Firewalls@GreatCircle.com>; Fri, 9 Aug 1996 16:30:28 -0700 (PDT)
Received: from ses216.nn.inri.com (ses216.nn.inri.com [198.180.218.216]) by gozer.inri.com (8.7.5/8.7.3) with SMTP id TAA24616; Fri, 9 Aug 1996 19:31:57 -0400 (EDT)
Message-Id: <199608092331.TAA24616@gozer.inri.com>
X-Sender: mwm@popmail.nn.inri.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 09 Aug 1996 19:47:43 -0400
To: Firewalls@GreatCircle.com
From: Mark Maughan <mmaughan@inri.com>
Subject: Re: HERF stuff
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill,
At 09:16 AM 8/9/96 -0700, you wrote:
>I believe you all may be interested in this, though firewall related is
>stretching it.
>
>In today's 8/9/96 San Jose Mercury News (AP wire):
>"The border patrol in San Diego and Chula Vista will be testing 'electronic 
>wireless vehicle disabling devices' as a result of well-publicized high-speed 
>chases" (and beatings).
>
>Hack?  Who needs to hack to retaliate against perceived wrongdoing from; 
>hospital/airline/courts/IRS/police/cityhall/compeditors/MS/Intel/subway/
>abortion clinic etc?  Just click the 'phaser gun' button every time you 
>drive by their data center/ICU/traffic control/office/landing strip...
>
>The HERF wars begin.
>
>
>Bill Stout
>_______________________________________________________________________________
>Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
>Hitachi Data Systems   408-970-4822   ---  Disclaimer:  I speak only for myself
>___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________


I found this very interesting myself...Having just read the following article:

  The Director of the CIA last week said the US will set up a defense center
  to combat the growing threat of terrorist and criminals out to bring down
  vital network systems.
 
  C1A Director John Deutch said teh threat of organised information warfare
  is likely to grow, raising the prospect of an "electronic Pearl Harbor".

  In fact, reports arenow circulating in Europe and the US that since 1993,
  banks in the UK have paid millions of dollars in at least four attacks from
  black-mailers who showed they could crash computer systems at will.

  Although skeptics doubt the reports, some experts back the claims.  Winn
  Schwarau, president of security consultancy Interpact, Inc, said two banking
  officials at the recent International Banking Information Technology Forum
  in Basel, Switzerland, told him that four banks have together paid the 
  equivelent of $100 million to cyber-bandits who brought down computer systems.

  Another security expert, who asked for anonymity, claimed that one bank in
  Cornwall, England had its teller terminals and CRT screen blanked out or
  garbled for three days by bandits who pointed High-Energy Radio Frequency
  (HERF) devices at them.  Microwave-based HERF guns were developed by the
  military to disrupt computer systems.
  
  The security expert also said he was now at a Las Vagas casino, where he is
  now investigating what appears to be a HERF attack cyber-bandits there.

  --- Article called C1A director calls for cyber-war defense center
      by Ellen Messmer (Washington DC)  in Network World
      (printed w/o perms)


From firewalls-owner  Fri Aug  9 19:25:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA12664 for firewalls-outgoing; Fri, 9 Aug 1996 19:18:44 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA12650 for <firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 19:18:34 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0up3cr-000KzKC>; Sat, 10 Aug 96 04:18 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0up3cq-001l6PC>; Sat, 10 Aug 96 04:18 MET DST
Received: by lina
	id m0up3M9-0004jTC
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Sat, 10 Aug 96 04:00 MET DST
Message-Id: <m0up3M9-0004jTC@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Linux IP fix
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Sat, 10 Aug 1996 04:00:48 +0200 (MET DST)
Cc: amsden+@andrew.cmu.edu, firewalls@GreatCircle.COM
In-Reply-To: <199608092046.NAA25087@miles.greatcircle.com> from "Darren Reed" at Aug 10, 96 06:45:55 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> I'm surprised you need compile time options to make these work, given that
> Linux has "ip firewalling".
> 
> If "ip_fw" (and ipfwadm) were up to scratch on filtering IP packets, you
> wouldn't need these.

ipfwadm can of course reject ICMP packets of certain types, like:

ipfwad -I -a deny -P icmp -S 0/0 5 8 -D 0/0

5=redirect, 8=echo

Greetings
Bernd

PS:of course removing the redir and echo code from kernel is safe :))
-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner  Fri Aug  9 22:37:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA17924 for firewalls-outgoing; Fri, 9 Aug 1996 22:23:23 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA17917 for <Firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 22:23:16 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id FAA22199; Sat, 10 Aug 1996 05:18:35 -0400
Date: Sat, 10 Aug 1996 05:18:32 -0400 (EDT)
From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: "Edgar Der-Danieliantz [ET22]" <edd@aic.net>
cc: Ian Blenke <ianb@unix.intermedia.com>, aries@idola.net.id,
        Firewalls@GreatCircle.COM, cisco@spot.colorado.edu
Subject: Re: RADIUS
In-Reply-To: <199608091315.RAA04509@aic.net>
Message-ID: <Pine.BSF.3.91.960810051649.22149C-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


On Fri, 9 Aug 1996, Edgar Der-Danieliantz [ET22] wrote:

> > 
> > On Fri, 9 Aug 1996, Yohannes Aries wrote:
> > 
> > > Hi,...
> > > Does anyone know if cisco support Radius??
> > > If the answer is YES, how can I configure the cisco to make it possible to
> > > communicate with Radius Server??
> > 
> > Yes. RTFM ;)
> > 
> > Only the latest IOS v11.3 (I believe) includes RADIUS support. Your best
> 
> 11.3??? There is no such thing. The latest is 11.1, 11.2 is expected in Sep/Oct....
> 
> -edd
> 

Ooops - someone's off RTFMing  :)

I think he meant 11.1(3), but look for info on 11.1(4) on the Cisco web 
server.

- r.w.


From firewalls-owner  Sat Aug 10 02:18:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA26439 for firewalls-outgoing; Sat, 10 Aug 1996 01:25:31 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id BAA26328 for firewalls@greatcircle.com; Sat, 10 Aug 1996 01:24:54 -0700 (PDT)
Received: from shell.scsti.ac.cn. ([168.160.75.88]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA28493 for <firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 00:01:28 -0700 (PDT)
Received: from info.scsti.ac.cn (info [168.160.75.89]) by shell.scsti.ac.cn. (8.7.3/8.6.11) with SMTP id PAA02613 for <firewalls@GreatCircle.COM>; Fri, 9 Aug 1996 15:01:45 +0900 (CDT)
Date: Fri, 9 Aug 1996 14:59:53 +0900 (CDT)
From: Su Yunfei <syf@info.scsti.ac.cn>
To: firewalls@GreatCircle.COM
Subject: Help, accounting in a LAN
In-Reply-To: <9608071253.0I3L600@morebbs.com>
Message-ID: <Pine.SUN.3.91.960809144740.2929A-100000@info.scsti.ac.cn>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


   Cheer All:

	I have a LAN with several computers and such computer has a 
valide IP address can directly communicate with Internet. Now I want to 
account to every computer, even in time or in data flowing.

	I have a CISCO 2501, and I think I must to set up a firewall on 
the outport. 
       If account in time, before a computer will use internet, it 
must login the firewall to get enough previlige, but if it will exit, it 
must logout from firewall, so I can get the difference time between in 
and out.

      If account in data flowing, nothing need to do in the client 
computer.

  	Would someone tell me how can I setup this firewall or configure 
the CISCO router. 


		Thanks at advance.


						Su Yunfei
   



From firewalls-owner  Sat Aug 10 06:43:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11629 for firewalls-outgoing; Sat, 10 Aug 1996 06:33:56 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA11620 for <firewalls@greatcircle.com>; Sat, 10 Aug 1996 06:33:49 -0700 (PDT)
Received: by mail.RC.Toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
	id <01BB869E.9F9E7F60@mail.RC.Toronto.on.ca>; Sat, 10 Aug 1996 09:30:52 -0400
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960810133050Z-8@mail.RC.Toronto.on.ca>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'firewalls@greatcircle.com'" <firewalls@greatcircle.com>,
        "'potlicker@morebbs.com'" <potlicker@morebbs.com>
Subject: REL: Authentication
Date: Sat, 10 Aug 1996 09:30:50 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I read, with interest, a bunch of replies to Potlicker's question, but it 
seems a couple of obvious things are being overlooked.

The scenario described is only useful if you are inside BigCo, have access 
to the mail address of BigCo's help desk people, and have access to BigCo's 
internal users mailing addresses, right?

If you're not inside BigCo;

- then you don't know the email addresses for BigCo's help desk people as, 
surely, the help desk peoples internal mailing address is different from 
their external mailing address (big duh if they aren't).

- let say you somehow figure out who BigCo's help desk people are, and they 
use the same mail address inside and out, now what, you're setting up a 
bogus web site waiting for one of them to visit and click on something that 
invokes their browser's mail function??? Might be waiting a while, no?

- O.k, miracle of miracles, a known help desk person from BigCo has 
actually clicked on your SendBadMail button, wow, after the shock of the 
unlikelihood of this event, now you wonder, "hmm, now who are the internal 
users in BigCo to send this mail to!". If you send it to a single person, 
you will, almost positively, create suspicion since that lone person will 
almost probably ask co-workers if they received similar mail (everyone is 
paranoid that they are being singled out by help desk people, its a natural 
reaction...;-]). If you're planning on sending it to some internal mailing 
list, how'd you find out about the internal mailing list and how do you get 
the mailing list to be expanded from an inbound SMTP mail from the 
Internet?

Now if you are inside BigCo;

- you probably know the help desk people mailing address for internal use

- you can probably get them to check a "flaky" web page you have set up 
(really your bogus web page) to get them to invoke their mailer

- you probably know the internal mailing addresses to send your message to, 
although you still have the problems of suspicion if you only send it to 
one person

So, as you can see, its much more difficult to do this hack outside of 
BigCo than inside, so the obvious question then is whether or not all 
internal mail is passing through whatever Firewall you have, hopefully it 
isn't (just for performance reasons if nothing else).

In both cases you have some other problems to overcome though.

1. You can only do this once, and it has to be done by someone from your 
help desk. If someone else happens along it before a help desk person, 
everyone you are sending this mail to will receive the same message from 
this other person, obviously raising alarms.

2. Whoever sends the mail may have also set their mailing to cc themselves 
on any mail sent (a sensible configuration to help catch these types of 
problems), so depending on how long it is before their check their inbox, 
you may not have a very big window of opportunity (presumably they would 
immediately send out a message saying the previous message was a fraud).

3. This assumes that the users have never been told of one of the first 
tennants of email, which is, never give any account information to someone 
who asks for it over email. If the help desk really wanted to ask you for 
your password they would simply pick up the phone and call you...(security 
policy 101). I do realize that this is not failsafe, but its something that 
all users should have been told, and reminded of, at various times. Most 
forums on CompuServe carry this warning when you join them, for example.

So unless I am missing something, I'd say the hack doesn't have a useful 
place in a hacker's toolkit.

Cheers,
Russ
...eek, quick, someone give me some broken software, I'm suffering beta 
withdrawals...



From firewalls-owner  Sat Aug 10 08:23:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA15683 for firewalls-outgoing; Sat, 10 Aug 1996 08:07:42 -0700 (PDT)
Received: from surfer-1.getonthe.net (ftpweb2.getonthe.net [204.71.96.177]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA15667 for <firewalls@greatcircle.com>; Sat, 10 Aug 1996 08:07:35 -0700 (PDT)
Received: from [206.29.101.117] by surfer-1.getonthe.net (NTMail 3.02.07) with ESMTP id va008445 for <firewalls@greatcircle.com>; Sat, 10 Aug 1996 10:07:30 +0100
Message-Id: <1.5.4.32.19960810150820.006afc74@mail.getonthe.net>
X-Sender: joey@mail.getonthe.net
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 10 Aug 1996 10:08:20 -0500
To: Mark Maughan <mmaughan@inri.com>
From: Joe Smith <joey@getonthe.net>
Subject: Re: HERF stuff
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>  Although skeptics doubt the reports, some experts back the claims.  Winn
>  Schwarau, president of security consultancy Interpact, Inc, said two banking
>  officials at the recent International Banking Information Technology Forum
>  in Basel, Switzerland, told him that four banks have together paid the 
>  equivelent of $100 million to cyber-bandits who brought down computer
systems.
>
>  Another security expert, who asked for anonymity, claimed that one bank in
>  Cornwall, England had its teller terminals and CRT screen blanked out or
>  garbled for three days by bandits who pointed High-Energy Radio Frequency
>  (HERF) devices at them.  Microwave-based HERF guns were developed by the
>  military to disrupt computer systems.
>  
>  The security expert also said he was now at a Las Vagas casino, where he is
>  now investigating what appears to be a HERF attack cyber-bandits there.


Didn't MacGyver disable one of these things years ago in one of his
episodes?  Looks like a market for a whole new breed of "firewalls".



Joe Smith                    Network Manager
Springfield, MO USA     St John's Health System
joey@getonthe.net        "In Touch, with Care" 


From firewalls-owner  Sat Aug 10 14:08:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA28112 for firewalls-outgoing; Sat, 10 Aug 1996 14:01:56 -0700 (PDT)
Received: from discover.discover-net.net (discover-net.net [205.243.215.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA28105 for <firewalls@GreatCircle.COM>; Sat, 10 Aug 1996 14:01:51 -0700 (PDT)
Date: Sat, 10 Aug 1996 14:01:51 -0700 (PDT)
From: mceachrn@discover-net.net
Received: from ppp-79-pm2.discover-net.net by discover.discover-net.net
          id aa09705; 10 Aug 96 15:57 PST
To: firewalls@GreatCircle.COM
Subject: games
Message-ID:  <9608101557.aa09705@discover.discover-net.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


From firewalls-owner  Sun Aug 11 09:42:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02336 for firewalls-outgoing; Sun, 11 Aug 1996 09:28:37 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA02023 for <firewalls@greatcircle.com>; Sun, 11 Aug 1996 09:27:41 -0700 (PDT)
Received: from gate.leissner.se by relay2.UU.NET with SMTP 
	(peer crosschecked as: gate.leissner.se [193.45.192.34])
	id QQbchm25772; Sun, 11 Aug 1996 08:36:02 -0400 (EDT)
Received: (from nobody@localhost) by gate.leissner.se (8.6.12/8.6.9) id MAA04818; Sun, 11 Aug 1996 12:33:25 GMT
Received: from unknown(192.71.29.17) by gate.leissner.se via smap (V1.3)
	id sma004816; Sun Aug 11 12:32:55 1996
Message-Id: <2.2.32.19960811123258.009fa330@lda>
X-Sender: pol@lda
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Sun, 11 Aug 1996 14:32:58 +0200
To: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
From: Peter Olsson <pol@leissner.se>
Subject: Re: FWTK interface detection
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Fri,  9 Aug 1996 16:02:39 -0400 (EDT)
> From: Zachary Roger Amsden <amsden+@andrew.cmu.edu>
> To: firewalls@greatcircle.com
> Subject: FWTK interface detection
> 
> This patch to /lib/nama.c of the firewall toolkit allows you to specify

-- 8< --

>   /*
>    *	Author: Marcus J. Ranum, Trusted Information Systems, Inc.
>    */
>   static	char	RcsIdÄÅ = "$Header:
> /usr/home/rick/fwtk1.5/fwtk/lib/RCS/nama.c,v 1.4 1996/03/28 03:46:29
> rick Exp $";

This appears to be version 1.5 of TIS fwtk!! We only have version 1.3 and
we were under the impression that there is no further development on
TIS fwtk. Is fwtk 1.5 freely available? Where? If it's not free, where can
we get more information about it?

Thanks for your time!

Peter Olsson    pol@leissner.se


From firewalls-owner  Sun Aug 11 09:59:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04122 for firewalls-outgoing; Sun, 11 Aug 1996 09:40:33 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA04110 for <firewalls@greatcircle.com>; Sun, 11 Aug 1996 09:40:25 -0700 (PDT)
Received: from typhoon.dial.pipex.net by relay5.UU.NET with ESMTP 
	(peer crosschecked as: typhoon.dial.pipex.net [158.43.128.46])
	id QQbchj20636; Sun, 11 Aug 1996 07:59:46 -0400 (EDT)
Received:  from unknown by typhoon.dial.pipex.net (8.7.5/)
	id MAA04528; Sun, 11 Aug 1996 12:52:56 +0100 (BST)
Message-ID: <MAPI.Id.0016.00713530202020204345393130303030@MAPI.to.RFC822>
In-Reply-To: <1.5.4.32.19960810150820.006afc74@mail.getonthe.net>
References: Conversation <1.5.4.32.19960810150820.006afc74@mail.getonthe.net> with last message <1.5.4.32.19960810150820.006afc74@mail.getonthe.net>
To: Joe Smith <joey@getonthe.net>, Mark Maughan <mmaughan@inri.com>
Cc: firewalls@GreatCircle.COM
MIME-Version: 1.0
From: Ian Johnstone-Bryden <ianj-b@dial.pipex.com>
Subject: Re: HERF stuff
Date: Sun, 11 Aug 96 12:48:38 GMT
Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Joe responded to earlier postings:
> 
> 
> Didn't MacGyver disable one of these things years ago in one of his
> episodes?  Looks like a market for a whole new breed of 
"firewalls".
> 

The question of whether HERF guns exist and if so whether they work 
is less important in some respects than the fact that several 
incidents have involved claims by extortionists that convinced the 
victims to part with money.

What is still conjecture is how many victims have been hit and how 
much they paid for 'protection'. At least one police force would like 
to know the answers in their area of jurisdiction. As with many 
incidents of extortion, victims are very reluctant to admit that they 
have been targeted and that they have paid. One reason for that is 
that they dont want to look vulnerable and stupid, but another good 
reason is that they dont want to encourage further attacks.

HERF gunning is outside the scope of firewalling but it is an issue 
to be addressed as an Infosec concern, - except that of course a 
firewall could be targeted, and therefore it might be regarded as a 
variation in 'denial of service attacks'.

HERF research and testing has been around for some time and dates 
back at least to the 1930s. Countermeasures research and testing has 
also been around for some time. Like most concepts, its not that 
difficult to develop for at least lab testing once someone else has 
come up with the concept. 

An extortionist doesnt have to have real technology, provided he 
knows more than the victim about the subject and can provide a 
demonstration which appears to prove that he has the ability to do 
what he threatens in the event of money not becoming available as 
demanded.

Commercial computer systems are vulnerable to a very wide range of 
threats simply because vendors and customers were quite happy to 
ignor them in the interests of getting third rate technology cheap 
and fast.

Firewalling and virus protection has come about because the fear of 
attack became fairly widespread. In the early days the reality of 
attack was pretty low but started to increase as users began to 
devote resource to countermeasures - its one of the laws of security 
that increased effort in building countermeasures generates 
increased development on the part of criminals and makes the crime 
popular amonst a wider criminal fraternity. 

The same process is likely to develop in other areas like HERF guns. 
The real solution may prove to be simple but cost money and require 
the development of skills. One thing to remember is that the handheld 
HERF gun with a range of 20 miles might not exist, but someone 
attacking a static target over a much shorter distance may be able to 
assemble a bulky if primitive device and use mains power to drive it.

There is a story which used to be told by an early pioneer of 
American radio broadcasting of how he got fired by the phone company 
and thrown out of the YMCA because he used miles of overhead phone 
cables and the YMCA power distribution system to power a transmitter 
during a competition for long range transmission of voice (in 
compensation, he did win the competition). The attempt caused several 
unforeseen side effects including jamming lifts (elevators) over 
several blocks. A concept can be exploited in many different ways.

Some years ago western intelligence agencies acquired some Soviet 
avionics equipment and the first reaction was that it demonstrated 
how far behind the Soviets were technically. Its open to debate as to 
whether the design was a different and deliberate approach, or just 
designers having to live within their available technology. What 
wiped the smiles of the intelligence faces was the discovery that the 
Soviet equipment was significantly more resistant to Electro Magnetic 
Pulses and could therefore survive very much better on a nuclear 
battlefield.
Ian J-B.

From firewalls-owner  Sun Aug 11 10:13:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07052 for firewalls-outgoing; Sun, 11 Aug 1996 10:04:18 -0700 (PDT)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA07042 for <Firewalls@GreatCircle.COM>; Sun, 11 Aug 1996 10:04:11 -0700 (PDT)
Received: from io.org by relay6.UU.NET with SMTP 
	(peer crosschecked as: io.org [198.133.36.1])
	id QQbcfw21429; Sat, 10 Aug 1996 22:07:44 -0400 (EDT)
Received: from Taurus (eagle.net4.io.org [199.166.239.227]) by io.org (8.6.12/8.6.12) with SMTP id WAA11305 for <Firewalls@GreatCircle.COM>; Sat, 10 Aug 1996 22:04:00 -0400
Date: Sat, 10 Aug 1996 22:04:00 -0400
Message-Id: <199608110204.WAA11305@io.org>
X-Sender: jeffm@io.org
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: "Jefferson M. Mousseau" <jeffm@io.org>
Subject: Firewall-1 FTP Proxy Question
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there any way to configure Firewall-1 to act as an FTP proxy? I've got a
web server on a secure segment that I'd like people to be able to update
files on but I'd prefer to have them send the files to the firewall?

Regards

jeffm@io.org


From firewalls-owner  Sun Aug 11 10:27:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09253 for firewalls-outgoing; Sun, 11 Aug 1996 10:18:14 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA09223 for <Firewalls@GreatCircle.COM>; Sun, 11 Aug 1996 10:18:02 -0700 (PDT)
Received: from InfoWest.COM by relay2.UU.NET with SMTP 
	(peer crosschecked as: infowest.com [204.17.177.10])
	id QQbcfr27355; Sat, 10 Aug 1996 20:55:01 -0400 (EDT)
Received: from infowest.com (Attila.infowest.com [204.17.177.93]) by InfoWest.COM (8.6.12/8.6.9) with SMTP id SAA20251; Sat, 10 Aug 1996 18:53:10 -0600
Message-Id: <199608110053.SAA20251@InfoWest.COM>
X-Mailer: Post Road Mailer (Green Edition Ver 1.03a)
From: attila <attila@primenet.com>
To: Firewalls@GreatCircle.COM
To: "Joseph S. D. Yao" <jsdy@cospo.osis.gov>
Date: Sun, 11 Aug 1996 00:52:25 GMT
Reply-To: attila@primenet.com
Subject: unix security over 30 years (was Info World....)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Addressed to: Firewalls@GreatCircle.COM
              Joseph S. D. Yao <jsdy@cospo.osis.gov>


** Reply to note from Joseph S. D. Yao <jsdy@cospo.osis.gov> 

= --------------------------------------------------------------------
= 	PLEASE ... send or Cc: all "COSPO Computer Support" mail to  
= 			sys-adm@cospo.osis.gov 
= --------------------------------------------------------------------
= Date: Fri, 9 Aug 1996 12:33:03 -0400  
= From: "Joseph S. D. Yao" <jsdy@cospo.osis.gov>
= To: Firewalls@GreatCircle.COM  
=   
= Subject: Re:  Info World Firewall Articles  
=   
= > Date: Thu, 8 Aug 1996 17:30:58 -0400  
= > From: Steve Kotsopoulos <steve@ecf.toronto.edu>  
= > Subject: Re: Info World Firewall Articles  
= >   
= > jminie@earthlink.net wrote:  
= > >We're aware of how insecure UNIX is natively.  ...  
=   
= Let's clarify this.  Unix is an operating system that allows you 
= great latitude in how you set it up.  It is neither secure nor 
= insecure "natively" (whatever that means).
=
        absolutely; agreed!

        the statement "We're aware of how insecure UNIX is natively" 
    shows a BLATANT lack of intellectual prowess and mouth freedom 
    reminiscent of Bill Gates' statements and advertising in the 80s
    when he was trying to promote what is best described as a boot
    sector virus as THE opertaing system of the future --operating 
    system?  well, maybe a program loader, as was CPM.

        the point is simple: once *you* are operating on a closed and
    unreceptive mind, you're no better than a school child who covers 
    his ears as he raises his hand to gain attention to talk.

        by _today's_ full blown inter/intranet requirements, Ritchie 
    and Thompson's *_original_* version of UNIX, which like DEC's VMS 
    is a derivative of Multix, is insecure --BUT THAT WAS ALMOST 30 
    YEARS AGO!

        or are you of the equivalent of Bill Gates, who claims only
    Bills' shit don't stink?

        ALL SYSTEMS EVOLVE OVER TIME.  or, they are not being used...

        However, *unlike* Gates who is notorious for never-fixed bugs 
    and gaping security holes opened by each successive massive
    incompatible rewrite, the *_concept_* of unix STILL is the same,
    30 YEARS LATER.

        and, unlike Gates who guards his precious source code as his 
    mansion (probably since most of the code is so bad it would be bad 
    PR for MS for you to see it), unix source code has always been 
    available; and, 30 years of tweaking have made unix' open and 
    friendly system even more flexible --AND, hand in hand, more 
    secure.

        UNIX has been expanded with the same conceptual visions
    (other than commercial companies who listened to their marketing
    sleeze trying to be unique and are mostly history) by generations 
    of practicioners who *understand* the unix kernel and concepts.

= It can be set up as Ken and Dennis  
= did initially, in a "friendly" environment, so that everybody can do  
= anything.  In these days, probably a very very bad idea.  It can also  
= be set up quite tightly, so that it's about as secure as any 
= operating system NOT SPECIFICALLY DESIGNED FOR HIGH-LEVEL SECURITY 
= can get.   
= 
	agreed!  

        and flavours of UNIX with restricted functions and trust are
    _very_secure_ when properly installed. We have almost 30 years
    of finding the week spots; and, an updated 20 year old 'routed' 
    and 'gated' as a two machine master firewall is _very_ secure.      
    [PAY me enough money and I will show you HOW TO build a REAL 
    secure system for CHEAP].
 
        and, given enough background, you quickly understand WHY there
    is no perfect software, no perfect operating system [except in Bill 
    Gates' dreams], and _no_ secure kernel in a multi-user, 
    multi-tasking, multi-machine environment if the user(s) expect 
    access other than by batched punch cards, &c.

        in other words, "security" and "friendly" are diametrically 
    opposed: the more you improved the client space for friendly
    access and sharing of information on a single machine or on a
    network, the less the security. 

        A "perfectly" secure machine is therefore "perfectly"
    unusable.

        having been extensively involved during the 70s and 80s as a
    consultant to both Western Electric and Labs and taught college 
    level courses on security , I, and others, have traveled through
    through these same problems  --and, remember, R, T, and K 
    constructed unix _in their spare time_  --for a DEC 11/45 which 
    was limited to 64K data and 64K program.

        given that unix started out presuming 3 things:

        1.  unlimited trust
        2.  perfect disks (no error correction provided)
        3.  unlimited time

    which is fine in a low usage research environment, but    
    commercially (government) it just was not acceptable. At that
    point, the conundrum roars onto the playing field.

        So, somebody hacked error management routines into the disk 
    drivers, and Berkeley contributed 'bad144' and so on. uucp had 
    security holes; everybody chipped in and they are mostly gone 
    (knock on wood),  shadow password files were added, &c.  and, now 
    we have SSL &c. for secure tcp/ip...

        Again, why is unix stable, secure, friendly, and consistent? 
    SIMPLE: open systems, source code and intelligent, thinking power
    users and perfectionists (who live in the dark except for the 
    glow of a CRT).
 
= This  
= should, preferably, be done by REAL systems professionals, not "I  
just  
= graduated from college, and have read all of Microsoft's and Sun's  
= press releases, and therefore know everything there is to know about  
= computer security" types.  (To everyone: NO, I am NOT talking about  
= YOU; but you do know someone something like that, don't you?  ;-))  
= 
        want to swap blacklists?  <g>
  
= This is why the majority of real software security specialists 
= started their secure systems and firewall systems on some variant of 
= Unix. Please note that I said "the majority", and not "all": this is 
= not meant to start a flaming contest or any other sort of contest.  
= 
        does not need to be a contest...  it's a fact, and about the 
    only way to learn, both then and now.  there is no source code for 
    today's proprietary firewalls, anymore than there has ever been.

        I, for one, refuse to use either firewall or cryptographic 
    products I can not see the source.  I do not need to have NSA 
    embedded routines for their pleasure in hardware/software systems 
    I design.

        just remember: talking is $$$ --have your wallet handy.

                attila  <attila@primenet.com>
 

--
In the interests of a drug-free world it is perhaps time for Britain
and other Western democracies to consider banning President Clinton
from visiting their countries.
        --Ambrose Evans-Pritchard


From firewalls-owner  Sun Aug 11 14:42:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA28458 for firewalls-outgoing; Sun, 11 Aug 1996 14:40:14 -0700 (PDT)
Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA28451 for <Firewalls@GreatCircle.COM>; Sun, 11 Aug 1996 14:40:07 -0700 (PDT)
Received: from vanna.ljo.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV)
	id RAA11694; Sun, 11 Aug 1996 17:33:39 -0400 (EDT)
Received: from isbu-mail.ljo.dec.com by vanna.ljo.dec.com; (5.65/1.1.8.2/10Oct94-8.2MPM)
	id AA23460; Sun, 11 Aug 1996 17:31:33 -0400
Received: from tun-24.imc.das.dec.com [16.136.208.24]
	(HELO jimlester)
	by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener)
	id 0000_0036_320e_51ff_ff19;
	Sun, 11 Aug 1996 17:34:55 -0400
Message-Id: <1.5.4.32.19960811223450.006b967c@isbu-mail.ljo.dec.com>
X-Sender: jim.lester@isbu-mail.ljo.dec.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 11 Aug 1996 17:34:50 -0500
To: Firewalls@GreatCircle.COM
From: Jim Lester <jim.lester@ljo.dec.com>
Subject: Re: Firewalls-Digest V5 #455
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am pretty sure the Digital firewall will meet your needs.  Download it at
http://altavista.software.digital.com

At 01:00 AM 8/10/96 -0700, you wrote:
>
>
>Date: Fri, 9 Aug 1996 10:18:54 -0100
>From: Per-Henning Valderhaug <valper@nodeca.mil.no>
>Subject: Firewall and NOS integration (NetWare and NT)
>
>I'm looking for firewalls that can be integrated into the network operating
>system (NOS) in Novell NetWare or Windows NT environments.
>
>Novell NetWare
>For NetWare I want the firewall to read the users ID from the NDS. The
>firewall should then give the user access to communicate to defined hosts
>using defined services based on the users groupmemberships in the NDS. E.g.
>if a user is a member of the NDS group TELNET_TO_HOST1, the user should be
>able to run a telnet session to HOST1 and all other services should be
>blocked by the user. The firewall should not prompt the user for name and
>password, since the user is authenticated towards NDS.
>
>Windows NT
>Same as NetWare, exept that NDS is substituted by the NT domain (at least
>until Novell or Microsoft ports the entire NDS to NT).
>
>
>I have done some testing of NOV*IX from Firefox, and it works the way I
>want. I also believe IWare Connect from Quarterdeck supports this
functionality.
>
>Do you know if there are other firewalls supporting the functionality I have
>described here? What are your opinions of these products?
>
>
>
>The very best regards
>Per-Henning Valderhaug
>
>- -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
>
> Per-Henning Valderhaug	      
> Forsvarets Tele- og Datatjeneste    
> Oslo mil/Akershus		      
> N-0015 OSLO			      
> NORWAY			      
> 				      
> Phone: 	+47 22 40 24 00	      
> Direct line: 	+47 22 40 26 88           
> Telefax:	+47 22 40 29 97           
> 				      
> e-mail: 	valper@nodeca.mil.no  
>
>


From firewalls-owner  Sun Aug 11 23:57:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA17482 for firewalls-outgoing; Sun, 11 Aug 1996 23:48:36 -0700 (PDT)
Received: from InfoWest.COM (infowest.com [204.17.177.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA17475 for <firewalls@greatcircle.com>; Sun, 11 Aug 1996 23:48:30 -0700 (PDT)
Received: from infowest.com (Attila.infowest.com [204.17.177.93]) by InfoWest.COM (8.6.12/8.6.9) with SMTP id AAA21245; Mon, 12 Aug 1996 00:50:13 -0600
Message-Id: <199608120650.AAA21245@InfoWest.COM>
X-Mailer: Post Road Mailer (Green Edition Ver 1.03a)
From: attila <attila@primenet.com>
To: amolitor@anubis.network.com
To: firewalls@greatcircle.com
Date: Mon, 12 Aug 1996 06:48:24 GMT
Reply-To: attila@primenet.com
Subject: Re:  unix security over 30 years (was Info World....)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Addressed to: amolitor@anubis.network.com
              firewalls@greatcircle.com

** Reply to note from amolitor@anubis.network.com 08/11/96  1:12pm CDT  


= Well, I'm not convinced that security and friendliness are
= strictly bound togther in an inverse relationship. It's simply more
= difficult to retain the same level of friendliness while making
= things more secure.
=
	the linearity of the inverse relationship is certainly 
    debatable, <g> but you make the point yourself as well that 
   friendliness often suffers with increased security.


= 	I'm a little unclear on what Bill Gates has to do with anything,
= but that's ok.
= 
	90& of the attacks on unix' "insecurity" have been 
    generated by Lord Bill and his acolytes as part of Bill's 
    campaign to destroy unix.

	bill had a license with Labs for Unix V7 that was 
    practically exclusive. bill, pure and simple, was a unix ]
    freak.  bill vowed revenge when AT&T refused to give him 
    the same exclusivity when System III released --and I mean 
    "vowed revenge" very literally  

	--I happened to have been an outside bit player in 
    the debacle.  

	Once Bill moves you from friend (read dominatable) 
    to the opposing function of his bipolar mind, the turf 
    turns treacherous and dangerous.


= 		Andrew


--
  "Bill Gates is greedy because he has amassed a fortune of
        US$ 15,000,000,000 ($15 billion)
   but the US Government is a helpful Village because it takes
        US$ 1,400,000,000,000 ($1.4 trillion) from us each year
        and does good things with it."
                --Hillary Clinton



From firewalls-owner  Mon Aug 12 02:04:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA24977 for firewalls-outgoing; Mon, 12 Aug 1996 01:48:52 -0700 (PDT)
Received: from eldron.forwiss.uni-passau.de (eldron.forwiss.uni-passau.de [132.231.20.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA24763 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 01:46:46 -0700 (PDT)
Received: from meriadoc.forwiss.uni-passau.de by eldron.forwiss.uni-passau.de with SMTP id AA10421
  (5.67b8/IDA-1.5 for <firewalls@greatcircle.com>); Mon, 12 Aug 1996 10:46:15 +0200
From: Michael Gengenbach <gengenba@forwiss.uni-passau.de>
Received: (gengenba@localhost) by meriadoc.forwiss.uni-passau.de (SMI-8.6/8.6.12) id KAA14287 for firewalls@greatcircle.com; Mon, 12 Aug 1996 10:46:14 +0200
Message-Id: <199608120846.KAA14287@meriadoc.forwiss.uni-passau.de>
Subject: tcp_wrapper problems (getsockname: Invalid argument)
To: firewalls@greatcircle.com
Date: Mon, 12 Aug 1996 10:46:09 +0200 (MET DST)
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have a problem with the tcp_wrapper program. I tried finding clues
in the WWW and the documentation for a while, but didn't succeed.

The problem is, that I have rejected connections from unknown or from
address 0.0.0.0. In the log I get the following types of messages:

Aug  7 11:01:04 frodo http-gw[13530]: warning: can't get client address: Connec
tion reset by peer
Aug  7 11:01:04 frodo http-gw[13530]: refused connect from unknown

or

Aug  6 15:47:50 frodo http-gw[11349]: warning: getsockname: Invalid argument
Aug  6 15:47:50 frodo http-gw[11349]: refused connect from 0.0.0.0

I am running tcp_wrappers_7.2 on SunOS 4.1.4. (I've looked through the
CHANGES of version 7.4 but it didn't mention a problem like that so I
haven't upgraded yet).

As of now all the checking in /etc/hosts.allow is based on IP
addresses. I will add my hosts.allow and hosts.deny at the end.

Do you have any ideas or suggestions?

Best wishes

   Michael

From firewalls-owner  Mon Aug 12 03:12:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA01358 for firewalls-outgoing; Mon, 12 Aug 1996 03:07:09 -0700 (PDT)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA01349 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 03:06:59 -0700 (PDT)
Received: by dtcro002.apogee-com.fr; id MAA27582; Mon, 12 Aug 1996 12:07:36 +0200 (MET DST)
Received: from dtc-ocal1.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (V3.1.1)
	id xma027580; Mon, 12 Aug 96 12:07:23 +0200
Received: from ingpc003.apogee-com.fr by dtcxs001.apogee-com.fr (4.1/SMI-4.1)
	id AA10219; Mon, 12 Aug 96 12:00:19 +0200
Message-Id: <320F0129.54F5@apogee-com.fr>
Date: Mon, 12 Aug 1996 12:02:17 +0200
From: Jean-Francois Zwobada <zwobada@apogee-com.fr>
Organization: APOGEE Communications
X-Mailer: Mozilla 2.02Gold (Win95; I)
Mime-Version: 1.0
To: Michael Gengenbach <gengenba@forwiss.uni-passau.de>
Cc: firewalls@greatcircle.com
Subject: Re: tcp_wrapper problems (getsockname: Invalid argument)
References: <199608120846.KAA14287@meriadoc.forwiss.uni-passau.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can notice you have these messages for HTTP most of the time.
I got these messages too, and get worried for nothing.
In fact, your tcp_wrapper does not have enough time to collect informations
about the new connection before the client shuts it down. The problem is
I don't know what could cause your web browser to kill a connection so fast,
except when it pops up a window telling you that your application will be
terminated :) Thanks Bill G. :)

Jean-Francois

-- 
_____ Jean-Francois Zwobada (mailto:zwobada@apogee-com.fr) _______

Apogee Communications              Tel    : +33 (1) 69 85 56 47
			           Fax    : +33 (1) 69 85 56 48
"      ### Retrieving "Murphy's Law" record in database ###
  perror: Unknown error code. Refer to the Unlucky User's Guide"
__________________________________________________________________

From firewalls-owner  Mon Aug 12 04:27:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA05932 for firewalls-outgoing; Mon, 12 Aug 1996 04:18:27 -0700 (PDT)
Received: from nutspgw.nutec.com.br ([200.246.248.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA05876 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 04:18:08 -0700 (PDT)
Received: (uucp@localhost) by nutspgw.nutec.com.br (8.6.9/8.6.5) id IAA02420 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 08:15:06 -0300
Message-Id: <199608121115.IAA02420@nutspgw.nutec.com.br>
Received: from unknown(200.246.248.32) by nutspgw.nutec.com.br via smap (g3.0.3)
	id xma002402; Mon, 12 Aug 96 08:14:43 -0300
Comments: Authenticated sender is <silveira@nutspgw.sao.nutecnet.com.br>
From: "Fernando da Silveira Montenegro" <silveira@nutec.com.br>
Organization: Nutec Informsstica
To: firewalls@greatcircle.com
Date: Mon, 12 Aug 1996 08:22:39 -0300
Subject: Re: Another wide-open security hole from Microsoft 
Reply-to: silveira@nutpagw.nutec.com.br
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everybody!

Is it my poor English or did I just read a columnist SUGGESTING 
people bypass firewalls with dialup connections?

>From the Computer Reseller News article
(http://techweb.cmp.com:80/techweb/crn/sections/columnist/portia17.htm) : 

"... And just as you have your own clandestine fax machine with its
dedicated telephone line so you don't have to wait for internal fax
distribution, you can get your own direct Internet account via a
dedicated telephone line. You, too, can have a big sleek pipe to the
Net without being put through the backroads, dams and firewalls of
complex, internal, proprietary networks burdened with armor locked in
by enterprise applications from the pre-Net ages..."

Fernando
--
Fernando da Silveira Montenegro        E-mail: silveira@nutec.com.br
Nutec Informatica S.A.                 Phone.: +55-11-505-5728
Rua Florida, 1821/11th floor           Fax...: +55-11-505-1918
Sao Paulo, SP BRAZIL 04565-001         WWW: http://www.nutec.com.br

From firewalls-owner  Mon Aug 12 06:27:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11086 for firewalls-outgoing; Mon, 12 Aug 1996 06:17:34 -0700 (PDT)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA11079 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 06:17:28 -0700 (PDT)
Received: by smartwall.v-one.com; id JAA24191; Mon, 12 Aug 1996 09:14:46 -0400 (EDT)
Received: from mail.v-one.com(198.69.135.6) by smartwall.v-one.com via smap (V3.1.1)
	id xma024187; Mon, 12 Aug 96 09:14:40 -0400
Received: from intern12.v-one.com ([198.69.135.175]) by mail.v-one.com (8.7.3/8.7.3) with SMTP id JAA19724 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 09:11:07 -0400 (EDT)
Date: Mon, 12 Aug 1996 09:11:07 -0400 (EDT)
Message-Id: <199608121311.JAA19724@mail.v-one.com>
X-Sender: smoubray@mail.v-one.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: smoubray@v-one.com (Steve Moubray)
Subject: RE:Firewall and NOS integration (NetWare and NT)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Novell has recently released their own IPX/IP gateway.  I think that it's
QDeck's product but you can get Novell's support and it probably costs less.
Remember tht these products are gateways and are not fully functional firewalls.

~ Steve
----------------------------------------
Virtual Open Network Environment
Security for the Connected World (tm)


From firewalls-owner  Mon Aug 12 06:47:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA10925 for firewalls-outgoing; Mon, 12 Aug 1996 06:12:24 -0700 (PDT)
Received: from relay2.cospo.osis.gov (relay2.cospo.osis.gov [198.81.186.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA10914 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 06:12:16 -0700 (PDT)
Received: by relay2.cospo.osis.gov (4.1/SMI-4.1)
	id AA21669; Mon, 12 Aug 96 09:02:41 EDT
Message-Id: <9608121302.AA21669@relay2.cospo.osis.gov>
Received: from washington.cospo.osis.gov(198.81.161.68) by relay2.cospo.osis.gov via smap (V1.3)
	id sma021667; Mon Aug 12 09:02:18 1996
Received: by washington.cospo.osis.gov
	(1.38.193.4/16.2) id AA11191; Mon, 12 Aug 1996 09:11:23 -0400
Date: Mon, 12 Aug 1996 09:11:23 -0400
From: "Joseph S. D. Yao" <jsdy@cospo.osis.gov>
To: attila@primenet.com
Subject: Re:  unix security over 30 years (was Info World....)
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for the support.  I hadn't wanted to be quite so assertive; I
think you went a little beyond what I wanted to say.

One little nit: Unix was first written for a PDP-7.  The PDP-11/45
wasn't invented or supported for quite a while.  We didn't have split
I&D, at first!

--
Joe Yao				jsdy@cospo.osis.gov - Joseph S. D. Yao
COSPO Computer Support						EMT-A/B
-----------------------------------------------------------------------
	PLEASE ... send or Cc: all "COSPO Computer Support" mail to
			sys-adm@cospo.osis.gov

From firewalls-owner  Mon Aug 12 08:47:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18176 for firewalls-outgoing; Mon, 12 Aug 1996 08:39:15 -0700 (PDT)
Received: from laptev.imonics.com (laptev.imonics.com [205.139.208.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA18160 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 08:38:55 -0700 (PDT)
Received: from mage.imonics.com (mage [205.139.208.41]) by laptev.imonics.com (8.7.3/8.7.3) with SMTP id LAA06584 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 11:38:42 -0400 (EDT)
From: Matthew Stier - Imonics Corporation <matthew.stier@imonics.com>
Received: by mage.imonics.com (5.x/SMI-SVR4)
	id AA03949; Mon, 12 Aug 1996 11:38:43 -0400
Date: Mon, 12 Aug 1996 11:38:43 -0400
Message-Id: <9608121538.AA03949@mage.imonics.com>
To: firewalls@GreatCircle.COM
Subject: Trying to understand packet pair.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I've completed installing FireWall-1 over the weekend, and now I'm 
logging the following packet pairs attempting to reach hosts within
my network.  Anyone have any hints, outside of RFC1700?

134/udp
6500/tcp

The 134/udp, followed within a few seconds the 6500. (From/to the 
same hosts of course.)
--
Matthew.Stier@imonics.com         |
Unix Systems Administrator        |
BSG Corporation                   |       "Wisconsin Escapee"
Cary, NC 27511, (919) 461-6000    |

From firewalls-owner  Mon Aug 12 08:57:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18338 for firewalls-outgoing; Mon, 12 Aug 1996 08:43:04 -0700 (PDT)
Received: from laptev.imonics.com (laptev.imonics.com [205.139.208.13]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA18324 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 08:42:55 -0700 (PDT)
Received: from mage.imonics.com (mage [205.139.208.41]) by laptev.imonics.com (8.7.3/8.7.3) with SMTP id LAA07220 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 11:42:41 -0400 (EDT)
From: Matthew Stier - Imonics Corporation <matthew.stier@imonics.com>
Received: by mage.imonics.com (5.x/SMI-SVR4)
	id AA03962; Mon, 12 Aug 1996 11:42:41 -0400
Date: Mon, 12 Aug 1996 11:42:41 -0400
Message-Id: <9608121542.AA03962@mage.imonics.com>
To: firewalls@GreatCircle.COM
Subject: Supporting Internet Relay Chat CTCP and DCC.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I have a few users that, on their free time, like to chat on the IRC.

Now that our site has replaced its packet filtering, with FireWall-1,
these users are have trouble with DCC and CTCP protocols from within
thier IRC clients.

I have been looking for the port/protocol specifications for these
so a solution can be implemented.

--
Matthew.Stier@imonics.com         |
Unix Systems Administrator        |
BSG Corporation                   |       "Wisconsin Escapee"
Cary, NC 27511, (919) 461-6000    |

From firewalls-owner  Mon Aug 12 09:15:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18849 for firewalls-outgoing; Mon, 12 Aug 1996 08:55:59 -0700 (PDT)
Received: from Cee-Jay ([199.126.187.170]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA18842 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 08:55:52 -0700 (PDT)
Received: Smail 3.1.29.1 running on Cee-Jay        - router: match_mx_hosts - transport: smtp) 
	Message size: 1487 
	Mesage-ID: m0upzwv-000A8jC 
	Processed at: Mon, 12 Aug 96 11:34 CDT
Date: Mon, 12 Aug 1996 11:34:41 -0500 (CDT)
From: N D Ghaznavi <ndg@Ghaznavi.com>
X-Sender: ndg@Cee-Jay.4Office.com
To: Jean-Francois Zwobada <zwobada@apogee-com.fr>
cc: Michael Gengenbach <gengenba@forwiss.uni-passau.de>,
        firewalls@greatcircle.com
Subject: Re: tcp_wrapper problems (getsockname: Invalid argument)
In-Reply-To: <320F0129.54F5@apogee-com.fr>
Message-ID: <Pine.LNX.3.91.960812113402.5986F-100000@Cee-Jay.4Office.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 12 Aug 1996, Jean-Francois Zwobada wrote:

> You can notice you have these messages for HTTP most of the time.
> I got these messages too, and get worried for nothing.
> In fact, your tcp_wrapper does not have enough time to collect informations
> about the new connection before the client shuts it down. The problem is
> I don't know what could cause your web browser to kill a connection so fast,
> except when it pops up a window telling you that your application will be
> terminated :) Thanks Bill G. :)

I had this error as well, but found that upgrading my version of BIND 
seemed to solve it.  You might want to check the version you're running 
against what's available.

		cheers,

			nadim

--N D Ghaznavi-----------------------------------------------------------
  Unix System Administrator                             ndg@CADlink.com   
--CADlink.com--------Reachit.com--------Ghaznavi.com--------Apparel.org--


From firewalls-owner  Mon Aug 12 09:27:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18114 for firewalls-outgoing; Mon, 12 Aug 1996 08:37:25 -0700 (PDT)
Received: from paris.esoft.co.uk (paris.esoft.co.uk [194.200.22.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA18107 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 08:37:19 -0700 (PDT)
Received: by paris.esoft.co.uk (SMI-8.6/PIPEX simple 1.26)
	id QAA28159; Mon, 12 Aug 1996 16:36:16 +0100
Date: Mon, 12 Aug 1996 16:36:16 +0100
Message-Id: <199608121536.QAA28159@paris.esoft.co.uk>
From: Paul Harrison <pah@esoft.co.uk>
To: firewalls@greatcircle.com
Subject: To Subnet or not?
Reply-To: pah@esoft.co.uk
X-Face: 3o`'57-fT]/T(l3@GCRX<vM]mAn19Z*--wA.1_qc'R8s|6Y,z[|\T=Z@Wf5&$7)"[6[_m+V
 riXS-##Odx/(jT'EM+ph+Dp<i}})<e'N2]j!7>;_6CQs.EEbFM3v(0=9y<[X
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm sure that this is blindingly obvious, but I have not been able to find any
references to it...

I have a class C address for my network - As part of my firewall I will have a
dual homed sparc 5 running Solaris 2.5. I want to forward packets from one
interface to the other - am I allowed to use netmask 255.255.255.0 with both
interfaces in the same subnet e.g.

192.100.100.1 and the other on 192.100.100.2

I have tried to set routing up for this up and failed so the question is

Do I have to subnet a class C address to achieve packet forwarding or is there
some trick in the routing that I am missing??

All the references on this soft of setup assume that you are doing packet
forwarding from something like 192.100.100.1 to 192.100.99.1, but I only have a
class C from my ISP and cannot affort to loose the half my IP addresses that
subnetting would cause.

Paul.
-- 

-------------
Paul Harrison                       Tel:  +44 (0)161 776 4498      
Engineering Software Ltd            Fax:  +44 (0)161 776 2680      
Carrington Business Park          Email:  paul.harrison@esoft.co.uk
Manchester M31 4XL                  WWW:  http://www.esoft.co.uk
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

From firewalls-owner  Mon Aug 12 09:42:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA22163 for firewalls-outgoing; Mon, 12 Aug 1996 09:33:06 -0700 (PDT)
Received: from gozer.inri.com (gozer.inri.com [199.165.146.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA22109 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 09:32:51 -0700 (PDT)
Received: from ses216.nn.inri.com (ses216.nn.inri.com [198.180.218.216]) by gozer.inri.com (8.7.5/8.7.3) with SMTP id MAA02054; Mon, 12 Aug 1996 12:27:39 -0400 (EDT)
Message-Id: <199608121627.MAA02054@gozer.inri.com>
X-Sender: mwm@popmail.nn.inri.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 12 Aug 1996 12:43:41 -0400
To: mhartgrove@inri.com, scochran@inri.com, pgermain@inri.com,
        blanders@inri.com, mprice@inri.com, ramos@inri.com,
        reitmand@ns.langley.af.mil,
        thomasr@cs355.dm.af.mil (SrA Randal Thomas 355CS/SCBD),
        scherdej@cs355.dm.af.mil (TSgt Joe Scherden 355CS/SCBD),
        egbutt@ccgate.hac.com,
        kowalskg@ns.langley.af.mil (Kowalski G TSgt 1CS/SCCOW),
        Howelld@cs355.dm.af.mil, dennyc@hq12af.dm.af.mil,
        knightk@cs355.dm.af.mil, foremanj@cs355.dm.af.mil, dgrubbs@inri.com,
        davem@pacifier.com
From: Mark Maughan <mmaughan@inri.com>
Subject: Re: HERF stuff
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Joe responded to earlier postings:
> 
> 
> Didn't MacGyver disable one of these things years ago in one of his
> episodes?  Looks like a market for a whole new breed of 
"firewalls".
> 

The question of whether HERF guns exist and if so whether they work 
is less important in some respects than the fact that several 
incidents have involved claims by extortionists that convinced the 
victims to part with money.

What is still conjecture is how many victims have been hit and how 
much they paid for 'protection'. At least one police force would like 
to know the answers in their area of jurisdiction. As with many 
incidents of extortion, victims are very reluctant to admit that they 
have been targeted and that they have paid. One reason for that is 
that they dont want to look vulnerable and stupid, but another good 
reason is that they dont want to encourage further attacks.

HERF gunning is outside the scope of firewalling but it is an issue 
to be addressed as an Infosec concern, - except that of course a 
firewall could be targeted, and therefore it might be regarded as a 
variation in 'denial of service attacks'.

HERF research and testing has been around for some time and dates 
back at least to the 1930s. Countermeasures research and testing has 
also been around for some time. Like most concepts, its not that 
difficult to develop for at least lab testing once someone else has 
come up with the concept. 

An extortionist doesnt have to have real technology, provided he 
knows more than the victim about the subject and can provide a 
demonstration which appears to prove that he has the ability to do 
what he threatens in the event of money not becoming available as 
demanded.

Commercial computer systems are vulnerable to a very wide range of 
threats simply because vendors and customers were quite happy to 
ignor them in the interests of getting third rate technology cheap 
and fast.

Firewalling and virus protection has come about because the fear of 
attack became fairly widespread. In the early days the reality of 
attack was pretty low but started to increase as users began to 
devote resource to countermeasures - its one of the laws of security 
that increased effort in building countermeasures generates 
increased development on the part of criminals and makes the crime 
popular amonst a wider criminal fraternity. 

The same process is likely to develop in other areas like HERF guns. 
The real solution may prove to be simple but cost money and require 
the development of skills. One thing to remember is that the handheld 
HERF gun with a range of 20 miles might not exist, but someone 
attacking a static target over a much shorter distance may be able to 
assemble a bulky if primitive device and use mains power to drive it.

There is a story which used to be told by an early pioneer of 
American radio broadcasting of how he got fired by the phone company 
and thrown out of the YMCA because he used miles of overhead phone 
cables and the YMCA power distribution system to power a transmitter 
during a competition for long range transmission of voice (in 
compensation, he did win the competition). The attempt caused several 
unforeseen side effects including jamming lifts (elevators) over 
several blocks. A concept can be exploited in many different ways.

Some years ago western intelligence agencies acquired some Soviet 
avionics equipment and the first reaction was that it demonstrated 
how far behind the Soviets were technically. Its open to debate as to 
whether the design was a different and deliberate approach, or just 
designers having to live within their available technology. What 
wiped the smiles of the intelligence faces was the discovery that the 
Soviet equipment was significantly more resistant to Electro Magnetic 
Pulses and could therefore survive very much better on a nuclear 
battlefield.
Ian J-B.



From firewalls-owner  Mon Aug 12 10:13:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA25749 for firewalls-outgoing; Mon, 12 Aug 1996 09:59:42 -0700 (PDT)
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA25739 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 09:59:34 -0700 (PDT)
Received: from netevolve.com by relay1.UU.NET with SMTP 
	(peer crosschecked as: [206.136.48.11])
	id QQbclv07091; Mon, 12 Aug 1996 12:59:26 -0400 (EDT)
Received: from lazar by netevolve.com (4.1/SMI-4.1)
	id AA02057; Mon, 12 Aug 96 13:02:20 EDT
Message-Id: <9608121702.AA02057@netevolve.com>
Comments: Authenticated sender is <lazar@netevolve.com>
From: "Irwin Lazar" <lazar@netevolve.com>
Organization: Network Evolutions
To: firewalls@GreatCircle.COM,
        Matthew Stier - Imonics Corporation <matthew.stier@imonics.com>
Date: Mon, 12 Aug 1996 13:01:04 +0000
Subject: Re: Trying to understand packet pair.
Reply-To: lazar@netevolve.com
X-Mailer: Pegasus Mail for Win32 (v2.42)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

134 is listed as INGRES.  I couldn't find anything on 6500.  Perhaps  
someone from outside is trying to access an INGRES database within
your company.

Hope this helps.
Irwin

> 
> I've completed installing FireWall-1 over the weekend, and now I'm 
> logging the following packet pairs attempting to reach hosts within
> my network.  Anyone have any hints, outside of RFC1700?
> 
> 134/udp
> 6500/tcp
> 
> The 134/udp, followed within a few seconds the 6500. (From/to the 
> same hosts of course.)
> --
> Matthew.Stier@imonics.com         |
> Unix Systems Administrator        |
> BSG Corporation                   |       "Wisconsin Escapee"
> Cary, NC 27511, (919) 461-6000    |
> 
> 
Irwin M. Lazar
Network Evolutions, Inc.
lazar@netevolve.com
http://www.netevolve.com

From firewalls-owner  Mon Aug 12 10:30:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA26278 for firewalls-outgoing; Mon, 12 Aug 1996 10:02:34 -0700 (PDT)
Received: from scifi.squawk.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA26258 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 10:02:19 -0700 (PDT)
Received: (from njs@localhost) by scifi.squawk.com (8.6.11/8.6.9) id MAA27984; Mon, 12 Aug 1996 12:57:46 -0400
Date: Mon, 12 Aug 1996 12:57:46 -0400 (EDT)
From: Nick Simicich <njs@scifi.squawk.com>
To: Matthew Stier - Imonics Corporation <matthew.stier@imonics.com>
cc: firewalls@GreatCircle.COM
Subject: Re: Supporting Internet Relay Chat CTCP and DCC.
In-Reply-To: <9608121542.AA03962@mage.imonics.com>
Message-ID: <Pine.LNX.3.91.960812124735.8570Z-100000@scifi.squawk.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 12 Aug 1996, Matthew Stier - Imonics Corporation wrote:

> I have a few users that, on their free time, like to chat on the IRC.
> 
> Now that our site has replaced its packet filtering, with FireWall-1,
> these users are have trouble with DCC and CTCP protocols from within
> thier IRC clients.
> 
> I have been looking for the port/protocol specifications for these
> so a solution can be implemented.

DCC (especially) and CTCP work like FTP in that they open a port and do a
bind to a random non-priv port (not root, after all, and multiple users are
allowed on a single machine so they can't use a single port), a getsockname()
to discover what they happened to bind, and then the client sends the port
number and address in a private protocol message to the other party, who then
attempts to connect to the backchannel. 

You need either a proxy, a socksified IRC client, or some such.  To open this
up on a filtering router requires leaving a *huge* hole.  But even a proxy is
not likely to help if your users are using random clients.  A socksified
client might work, as you will then report the address of the port on the
socks host, on the outside of the firewall. 

FW-1 should provide a proxy, or recognition as they try to do with FTP 
that they need to open a path from the contacted host to a backchannel.

But you probably do not want to open up a path from random hosts to large 
port ranges on systems inside your firewall.  If you do that, you might 
as well not bother with a firewall at all.

Eat a package of natto first thing in the morning and nothing worse can happen  to you for the rest of the day.
Nick Simicich-njs@scifi.squawk.com 
(last choice)-nick_simicich@bocaraton.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!


From firewalls-owner  Mon Aug 12 10:47:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA29631 for firewalls-outgoing; Mon, 12 Aug 1996 10:38:36 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA29616 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 10:38:28 -0700 (PDT)
Received:  from progpc11.central.oa by typhoon.dial.pipex.net (8.7.5/)
	id SAA08098; Mon, 12 Aug 1996 18:36:59 +0100 (BST)
Message-Id: <199608121736.SAA08098@typhoon.dial.pipex.net>
Comments: Authenticated sender is <ac141@pop.dial.pipex.com>
From: "Ben Goodyear" <Ben.Goodyear@dial.pipex.com>
Organization: Carlton UK Television
To: pah@esoft.co.uk
Date: Mon, 12 Aug 1996 18:38:40 +0000
Subject: Re: To Subnet or not?
CC: firewalls@greatcircle.com
X-mailer: Pegasus Mail for Windows (v2.23)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


> I'm sure that this is blindingly obvious, but I have not been able to find any
> references to it...
> 
> I have a class C address for my network - As part of my firewall I will have a
> dual homed sparc 5 running Solaris 2.5. I want to forward packets from one
> interface to the other - am I allowed to use netmask 255.255.255.0 with both
> interfaces in the same subnet e.g.
> 
> 192.100.100.1 and the other on 192.100.100.2
> 
> I have tried to set routing up for this up and failed so the question is
> 
> Do I have to subnet a class C address to achieve packet forwarding or is there
> some trick in the routing that I am missing??
> 
> All the references on this soft of setup assume that you are doing packet
> forwarding from something like 192.100.100.1 to 192.100.99.1, but I only have a
> class C from my ISP and cannot affort to loose the half my IP addresses that
> subnetting would cause.
> 
> Paul.
> -- 
> 

Yes you do have to use subnetting to implement routing on a single 
class "c" address.

To route between two networks, the two networks have to have a 
different network number (or else, how would it know when to route?). 
To get different network numbers on a class "c" you have to use 
subnetting.  

e.g.

use subnet 255.255.255.192

this will give you four networks of 64 hosts:

x.x.x.0-63, x.x.x.64-127, x.x.x.128-191, x.x.x.192-255

Set one interface to: 192.100.100.65
Set the other to:       192.100.100.129

(don't use the first or last address in each subnet as these are the 
network and broadcast addresses for that subnet).

I always believed that you couldn't use the first or last subnet 
(i.e. 0-63 and 192-255) - but recently I heard that this was OK so 
long as your routers were new enough(!) and you follow the rule above 
(i.e. don't use first or last address in the subnet).  I'd be 
interested in any opinions on this....

Regards (and good luck Paul),

Ben




From firewalls-owner  Mon Aug 12 10:58:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA00385 for firewalls-outgoing; Mon, 12 Aug 1996 10:45:12 -0700 (PDT)
Received: from tartarus (willard.us.newbridge.com [204.177.219.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA00364 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 10:45:04 -0700 (PDT)
Received: from tartarus (tartarus.us.newbridge.com [138.120.108.65]) by tartarus (8.7.5/8.7.3) with SMTP id NAA02248 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 13:42:27 -0400 (EDT)
Date: Mon, 12 Aug 1996 13:42:27 -0400 (EDT)
From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
X-Sender: murchiso@tartarus
To: firewalls@GreatCircle.COM
Subject: which port(s) for an MBone tunnel?
Message-ID: <Pine.SOL.3.95.960812133750.1989B-100000@tartarus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anybody here gone through the process of creating an MBone tunnel
through their firewall?  I'm specifically looking for information on what
port(s) need to be allowed, and any security concerns over allowing MBone
feeds in general.

Thanks,

-r


From firewalls-owner  Mon Aug 12 11:13:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA01021 for firewalls-outgoing; Mon, 12 Aug 1996 10:50:15 -0700 (PDT)
Received: from InfoWest.COM (infowest.com [204.17.177.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA00954 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 10:49:54 -0700 (PDT)
Received: from infowest.com (Attila.infowest.com [204.17.177.93]) by InfoWest.COM (8.6.12/8.6.9) with SMTP id LAA05128; Mon, 12 Aug 1996 11:51:34 -0600
Message-Id: <199608121751.LAA05128@InfoWest.COM>
X-Mailer: Post Road Mailer (Green Edition Ver 1.03a)
From: attila <attila@primenet.com>
To: "Joseph S. D. Yao" <jsdy@cospo.osis.gov>
To: firewalls@greatcircle.com
To: sys-adm@cospo.osis.gov
Date: Mon, 12 Aug 1996 17:49:43 GMT
Reply-To: attila@primenet.com
Subject: Re:  unix security over 30 years (was Info World....)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Addressed to: Joseph S. D. Yao <jsdy@cospo.osis.gov>
              firewalls@greatcircle.com
              sys-adm@cospo.osis.gov

** Reply to note from Joseph S. D. Yao <jsdy@cospo.osis.gov> 
	08/12/96 09:11am -0400


= Thanks for the support.  I hadn't wanted to be quite so assertive; I 
= think you went a little beyond what I wanted to say.
=
	probably so...

= One little nit: Unix was first written for a PDP-7.  The PDP-11/45
= wasn't invented or supported for quite a while.  We didn't have split
= I&D, at first!
=
	yes, my mistake  --the PDP-7 was not on the road to history 
    for almost 10 years --paper tape reader, teletype, and all!  
    remember the joy at the arrival of the ADM-2?

	Western Electric government division of Labs was using 
    11/45s followed by 11/70s before it was ported to the 3B20 
    (noisy sucker) which was designed to run unix.

	split I&D was a godsend at that time!  made 64K+64K 
    possible. like to see anyone fit much of anything in that 
    space again!

	could cover a few more war stories on other vendors'
    problems with memory restrictions and lack of stack...   
    but this is not the time or place....

	attila

--
In the interests of a drug-free world it is perhaps time for Britain
and other Western democracies to consider banning President Clinton
from visiting their countries.
        --Ambrose Evans-Pritchard


From firewalls-owner  Mon Aug 12 11:27:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA03809 for firewalls-outgoing; Mon, 12 Aug 1996 11:11:41 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA03801 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 11:11:34 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id SAA26508; Mon, 12 Aug 1996 18:07:12 -0400
Date: Mon, 12 Aug 1996 18:07:08 -0400 (EDT)
From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: Irwin Lazar <lazar@netevolve.com>
cc: firewalls@GreatCircle.COM,
        Matthew Stier - Imonics Corporation <matthew.stier@imonics.com>
Subject: Re: Trying to understand packet pair.
In-Reply-To: <9608121702.AA02057@netevolve.com>
Message-ID: <Pine.BSF.3.91.960812180239.26303I-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



On Mon, 12 Aug 1996, Irwin Lazar wrote:

> 134 is listed as INGRES.  I couldn't find anything on 6500.  Perhaps  
> someone from outside is trying to access an INGRES database within
> your company.

134 TCP is Ingres-net service. Is 134 UDP ?

Also - 6500 is not on the IANA list.

http://www.con.wesleyan.edu/~triemer/network/regports.html

Anybody know if this is a common mud/mush port?

- r.w.

> 
> Hope this helps.
> Irwin
> 
> > 
> > I've completed installing FireWall-1 over the weekend, and now I'm 
> > logging the following packet pairs attempting to reach hosts within
> > my network.  Anyone have any hints, outside of RFC1700?
> > 
> > 134/udp
> > 6500/tcp
> > 
> > The 134/udp, followed within a few seconds the 6500. (From/to the 
> > same hosts of course.)
> > --
> > Matthew.Stier@imonics.com         |
> > Unix Systems Administrator        |
> > BSG Corporation                   |       "Wisconsin Escapee"
> > Cary, NC 27511, (919) 461-6000    |
> > 
> > 
> Irwin M. Lazar
> Network Evolutions, Inc.
> lazar@netevolve.com
> http://www.netevolve.com
> 

From firewalls-owner  Mon Aug 12 11:49:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA06935 for firewalls-outgoing; Mon, 12 Aug 1996 11:33:50 -0700 (PDT)
Received: from mail.rmsbus.com ([204.126.30.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA06899 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 11:33:42 -0700 (PDT)
Message-Id: <199608121833.LAA06899@miles.greatcircle.com>
Received: from oz.rmsbus.com by mail.rmsbus.com with SMTP
	(1.38.193.5/16.2) id AA23171; Mon, 12 Aug 1996 13:41:20 -0500
Date: Mon, 12 Aug 96 13:33:31 0600
From: Chris Michael <cm@rmsbus.com>
Mime-Version: 1.0
Cc: firewalls@GreatCircle.COM
Subject: RE: Supporting Internet Relay Chat CTCP and DCC.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nick Simicich[SMTP:njs@scifi.squawk.com] wrote:
>On Mon, 12 Aug 1996, Matthew Stier - Imonics Corporation wrote:
>
>> I have a few users that, on their free time, like to chat on the IRC.

<snip>

>FW-1 should provide a proxy, or recognition as they try to do with FTP 
>that they need to open a path from the contacted host to a backchannel.

A solution that was suggested to me (and which I pass along practically unexamined) might be to run an IRC server on the firewall.  

Good luck

Chris


chris michael / <cm@rmsbus.com>

From firewalls-owner  Mon Aug 12 12:13:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09752 for firewalls-outgoing; Mon, 12 Aug 1996 11:56:48 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA09710 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 11:56:37 -0700 (PDT)
Received: from user_ins.ins.com (dmartin.ins.com [199.0.194.34]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id LAA15233; Mon, 12 Aug 1996 11:55:52 -0700 (PDT)
Message-Id: <2.2.32.19960812185507.00a8c3d0@ins.com>
X-Sender: martin_d@ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 12 Aug 1996 14:55:07 -0400
To: Rabid Wombat <wombat@mcfeely.bsfs.org>
From: Darwin Martinez <Darwin_Martinez@INS.COM>
Subject: Re: Trying to understand packet pair.
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Service 6500 is Cooltalk, an internet type of phone conversation. Relatively
decent. 

At 06:07 PM 8/12/96 -0400, you wrote:
>
>
>On Mon, 12 Aug 1996, Irwin Lazar wrote:
>
>> 134 is listed as INGRES.  I couldn't find anything on 6500.  Perhaps  
>> someone from outside is trying to access an INGRES database within
>> your company.
>
>134 TCP is Ingres-net service. Is 134 UDP ?
>
>Also - 6500 is not on the IANA list.
>
>http://www.con.wesleyan.edu/~triemer/network/regports.html
>
>Anybody know if this is a common mud/mush port?
>
>- r.w.
>
>> 
>> Hope this helps.
>> Irwin
>> 
>> > 
>> > I've completed installing FireWall-1 over the weekend, and now I'm 
>> > logging the following packet pairs attempting to reach hosts within
>> > my network.  Anyone have any hints, outside of RFC1700?
>> > 
>> > 134/udp
>> > 6500/tcp
>> > 
>> > The 134/udp, followed within a few seconds the 6500. (From/to the 
>> > same hosts of course.)
>> > --
>> > Matthew.Stier@imonics.com         |
>> > Unix Systems Administrator        |
>> > BSG Corporation                   |       "Wisconsin Escapee"
>> > Cary, NC 27511, (919) 461-6000    |
>> > 
>> > 
>> Irwin M. Lazar
>> Network Evolutions, Inc.
>> lazar@netevolve.com
>> http://www.netevolve.com
>> 
>
>
------------------------------------------------------------------------
Darwin L. Martinez, NSE			Email:	darwin_martinez@ins.com
Atlanta Office				Site #:	770-729-9885
International Network Services		Pager:	800-INS-1-INS

"Providing the Power of Operable Networks."
------------------------------------------------------------------------


From firewalls-owner  Mon Aug 12 12:28:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA13041 for firewalls-outgoing; Mon, 12 Aug 1996 12:20:18 -0700 (PDT)
Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA12956 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 12:19:54 -0700 (PDT)
Received: (from alan@localhost) by westie.gi.net (8.7.5/8.7.1) id OAA18515; Mon, 12 Aug 1996 14:19:39 -0500 (CDT)
From: Alan Hannan <alan@gi.net>
Message-Id: <199608121919.OAA18515@westie.gi.net>
Subject: Re: Supporting Internet Relay Chat CTCP and DCC.
To: cm@rmsbus.com (Chris Michael)
Date: Mon, 12 Aug 1996 14:19:39 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199608121833.LAA06899@miles.greatcircle.com> from "Chris Michael" at Aug 12, 96 01:33:31 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


  Running servers on a firewall is not for the amateur.  In fact, if
  you can help it, don't.

  Another option is to run the irc server _outside_ the firewall, or
  just tell your users, IRC from an external account. :)

  -alan

.........  Chris Michael is rumored to have said:
] 
] Nick Simicich[SMTP:njs@scifi.squawk.com] wrote:
] >On Mon, 12 Aug 1996, Matthew Stier - Imonics Corporation wrote:
] >
] >> I have a few users that, on their free time, like to chat on the IRC.
] 
] <snip>
] 
] >FW-1 should provide a proxy, or recognition as they try to do with FTP 
] >that they need to open a path from the contacted host to a backchannel.
] 
] A solution that was suggested to me (and which I pass along practically unexamined) might be to run an IRC server on the firewall.  
] 
] Good luck
] 
] Chris
] 
] 
] chris michael / <cm@rmsbus.com>
] 


From firewalls-owner  Mon Aug 12 12:57:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA17015 for firewalls-outgoing; Mon, 12 Aug 1996 12:50:03 -0700 (PDT)
Received: from dfw-ix9.ix.netcom.com (dfw-ix9.ix.netcom.com [206.214.98.9]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA17004 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 12:49:57 -0700 (PDT)
Received: from  (jac-fl1-21.ix.netcom.com [204.31.245.53]) by dfw-ix9.ix.netcom.com (8.6.13/8.6.12) with SMTP id MAA05537 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 12:49:54 -0700
Date: Mon, 12 Aug 1996 12:49:54 -0700
Message-Id: <199608121949.MAA05537@dfw-ix9.ix.netcom.com>
From: clp2@ix.netcom.com (Carol pollard )
Subject: Statistics on hacker attempts/attacks
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Where can I obtain stats on network penetrations, attacks, attempts,	
etc., if firewalls were in use or not, methods used, successful or
not.....that kind of stuff.  Any references or info is greatly
appreciated!		

Carol Pollard
Barnett Technologies

From firewalls-owner  Mon Aug 12 13:13:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA18555 for firewalls-outgoing; Mon, 12 Aug 1996 13:02:35 -0700 (PDT)
Received: from scifi.squawk.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA18547 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 13:02:27 -0700 (PDT)
Received: (from njs@localhost) by scifi.squawk.com (8.6.11/8.6.9) id PAA06184; Mon, 12 Aug 1996 15:58:12 -0400
Date: Mon, 12 Aug 1996 15:58:12 -0400 (EDT)
From: Nick Simicich <njs@scifi.squawk.com>
To: Alan Hannan <alan@gi.net>
cc: Chris Michael <cm@rmsbus.com>, firewalls@GreatCircle.COM
Subject: Re: Supporting Internet Relay Chat CTCP and DCC.
In-Reply-To: <199608121919.OAA18515@westie.gi.net>
Message-ID: <Pine.LNX.3.91.960812155657.8570f-100000@scifi.squawk.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ] A solution that was suggested to me (and which I pass along practically
> ] unexamined) might be to run an IRC server on the firewall.  

It won't work.  This is direct client to client communication.  The server is
not involved. 

Eat a package of natto first thing in the morning and nothing worse can happen  to you for the rest of the day.
Nick Simicich-njs@scifi.squawk.com 
(last choice)-nick_simicich@bocaraton.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!


From firewalls-owner  Mon Aug 12 13:30:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA17426 for firewalls-outgoing; Mon, 12 Aug 1996 12:52:46 -0700 (PDT)
Received: from mro41.mro.usace.army.mil (mro41.mro.usace.army.mil [155.77.110.40]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA17383 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 12:52:35 -0700 (PDT)
Received: from mroim_36988.mro.usace.army.mil by mro41.mro.usace.army.mil (5.61/1.34) id AA06753; Mon, 12 Aug 96 14:52:31 -0500
Received: by mro.usace.army.mil (5.x/SMI-SVR4)
	id AA25553; Mon, 12 Aug 1996 14:58:37 -0500
Date: Mon, 12 Aug 1996 14:58:37 -0500
From: mikep@gismaster.mro.usace.army.mil (Mike Penny)
Message-Id: <9608121958.AA25553@mro.usace.army.mil>
To: firewalls@greatcircle.com
Subject: HERF etc
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since were talking firewalls/ HERF guns etc I thought this article 
might be of interest.

 >From the Sunday times:-

http://www.sunday-times.co.uk/news/pages/Sunday-Times/stifgnnws01015.html?youra-c

 AMERICAN intelligence agents have hacked into
 the computers of the European parliament and
 European commission as part of an international
 espionage campaign aimed at stealing economic and
 political secrets, according to investigators, write
 Tim Kelsey and David Leppard.

 The European parliament has called in British
 communications experts to improve its security and
 to block further attempts by American govern ment
 agents to spy on its workings.

 Security officials at the parliament's Luxembourg
 offices say they have discovered several recent
 instances in which its communications system was
 compromised by American hacking. They have also
 found evidence that the Americans used information
 obtained from hacking to help them in negotiations
 last year on the General Agreement on Tariffs and
 Trade (Gatt).

 Lord Plumb, leader of the British Tory MEPs in the
 European parliament, said he was shocked by the
 disclosure. "I will be taking this up directly with the
 American ambassador [to the European Union]," he
 said.

 The CIA has already been accused by the Japanese
 and French governments of hacking into their
 communications networks in an attempt to obtain
 confidential trade secrets.

 The European parliament's computer network links
 more than 5,000 MEPs, officials, researchers and
 other staff to each other, and to the European
 commission headquarters in Brussels and the council
 of ministers.

 Traffic across the network by telephone and
 computers includes details of the private medical
 and financial records of many MEPs and officials,
 and discussion documents on confidential issues,
 including trade, tariff and quota agreements. The
 records of closed committees of inquiry into BSE
 and fraud are also stored on the system.

 European parliament sources say the Americans
 accessed the network by compromising the
 information exchanges that link the parliament's
 internal networks with the Internet and external
 users.

 The devices, called "routers", filter entry to the
 European parliament's network. It is understood the
 Americans were able to obtain access to what is
 called the simple network management protocol
 (SNMP), the language that enables the networks to
 talk to each other. They were able to exploit the fact
 that parts of the system were manufactured by two
 American firms.

 The breach came to light when officials believed
 that American negotiators had been given advance
 warning of confidential European Union positions
 in last year's trade negotiations. "It was established
 that the system had been penetrated just days before
 the talks," an EU source said. "Our principal
 concern is not to establish what has already been
 copied but to ensure that it does not happen again.
 This is an on-going problem."

 A spokeswoman for Antonio Cavaco, director of
 data processing at the commission, confirmed that
 allegations of hacking had been investigated.
 However, she said she was unable to provide any
 details.


From firewalls-owner  Mon Aug 12 13:45:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22104 for firewalls-outgoing; Mon, 12 Aug 1996 13:38:13 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA22048 for <Firewalls@greatcircle.com>; Mon, 12 Aug 1996 13:37:57 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
	id AA01589; Mon, 12 Aug 1996 16:37:45 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
	id QAA16119; Mon, 12 Aug 1996 16:36:23 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199608122036.QAA16119@splinter.rtp.dg.com>
Subject: Re: unix security over 30 years (was Info World....)
To: attila@primenet.com
Date: Mon, 12 Aug 1996 16:36:20 -0400 (EDT)
Cc: Firewalls@greatcircle.com, jsdy@cospo.osis.gov
In-Reply-To: <199608110053.SAA20251@InfoWest.COM> from "attila" at Aug 11, 96 00:52:25 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You would think by now I would be able to let these things go by, but ...
:-)

Just to keep the players straight (if I got the nesting right)...

> = > jminie@earthlink.net wrote:  
> = > >We're aware of how insecure UNIX is natively.  ...  
> Joseph S. D. Yao wrote:
> = Let's clarify this.  Unix is an operating system that allows you 
> = great latitude in how you set it up.  It is neither secure nor 
> = insecure "natively" (whatever that means).
> =
Atilla wrote:
>         absolutely; agreed!
> 
[lots of SNIPs]
>         UNIX has been expanded with the same conceptual visions
>     (other than commercial companies who listened to their marketing
>     sleeze trying to be unique and are mostly history) by generations 
>     of practicioners who *understand* the unix kernel and concepts.

... and who did not or were not able to invest the resouces necessary to
maintain good software engineering practices - for whatever reasons.

> 
> = It can be set up as Ken and Dennis  
> = did initially, in a "friendly" environment, so that everybody can do  
> = anything.  In these days, probably a very very bad idea.  It can also  
> = be set up quite tightly, so that it's about as secure as any 
> = operating system NOT SPECIFICALLY DESIGNED FOR HIGH-LEVEL SECURITY 
> = can get.   
> = 
> 	agreed!  

Well, maybe agreed, but not necessarily.  We must be very careful to
distinguish between the implementation and the concepts.  There are a few
VERY ugly, very difficult to secure and interoperate with APIs such as
chmod(2), user identification, etc.  Otherwise, it is the implementation
that is "NOT SPECIFICALLY DESIGNED FOR HIGH-LEVEL SECURITY."
> 
>         and flavours of UNIX with restricted functions and trust are
>     _very_secure_ when properly installed. We have almost 30 years

This is a gratuitous statement.  It depends upon what you mean by "secure.'
If you mean that you know it works properly to enforce the Unix policy,
then I would not agree with you.

>     of finding the week spots; and, an updated 20 year old 'routed' 
>     and 'gated' as a two machine master firewall is _very_ secure.      

This was a joke, right?

>     [PAY me enough money and I will show you HOW TO build a REAL 
>     secure system for CHEAP].

Too easy a target.  I'll leave this one alone!  :-)

>  
>         and, given enough background, you quickly understand WHY there
>     is no perfect software, no perfect operating system [except in Bill 
>     Gates' dreams], and _no_ secure kernel in a multi-user, 
>     multi-tasking, multi-machine environment if the user(s) expect 
>     access other than by batched punch cards, &c.

That's a rather bold statement.  See comment below.

> 
>         in other words, "security" and "friendly" are diametrically 
>     opposed: the more you improved the client space for friendly
>     access and sharing of information on a single machine or on a
>     network, the less the security. 
> 
>         A "perfectly" secure machine is therefore "perfectly"
>     unusable.

This does not follow.  I would argue that your assumptions could use some
close examination.  Why are "security" and "friendly" diametrically
opposed?  In my mind, they march hand in hand!  I frankly do not think that
an operating system that allows viruses into your system is very
"friendly!"  You know, "with friends like that ...." (finish with your
favorite yukism).

A high assurance security system allows you to do everything you are
authorized to do, see everything you are authorized to see, without
getting in your way. And it does it all **correctly**!  The big mistake
that most "experts" make is that they confuse features with assurance.
Security means that the OS *works*.  It works as stated.  If the
statement is that no unauthorized user gets past the front gate, then
everyone who should get past does get past and no one else does.  Is
that unfriendly?  Only to the bad guys.  You can construct the rest of
the obvious statements.

Security got a bad rap when people were trying to figure out how things
worked.  Now that we have a pretty good idea, we have come up with
alternate ways of solving REAL problems (like covert channels) in a manner
that does not reduce usability or get in your way.

If you want an excellent example, look at DG/UX R4.12 B2 Security Option.
There is still room to improve (we know how, but the exec's expect you to -
you know - actually sell something sometime! :-), especially in the admin
area.  But you build high assurance from the ground up, not from features
down.  And a nice result from good software engineering is fewer bugs,
easier to maintain code, higher MTBF, etc.

> 
>         having been extensively involved during the 70s and 80s as a
>     consultant to both Western Electric and Labs and taught college 
>     level courses on security , I, and others, have traveled through
>     through these same problems  --and, remember, R, T, and K 
>     constructed unix _in their spare time_  --for a DEC 11/45 which 
>     was limited to 64K data and 64K program.

I'll remain humble here .... :-)



-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********

From firewalls-owner  Mon Aug 12 14:03:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA23883 for firewalls-outgoing; Mon, 12 Aug 1996 13:53:45 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA23865 for <Firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 13:53:37 -0700 (PDT)
Received: by hidata.com; id AA12456; Mon, 12 Aug 96 13:53:34 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
	id xma012446; Mon, 12 Aug 96 13:53:27 -0700
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
	id NAA07557; Mon, 12 Aug 1996 13:53:25 -0700
Date: Mon, 12 Aug 1996 13:53:25 -0700
Message-Id: <199608122053.NAA07557@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout <bill.stout@hidata.com>
Subject: JAVA Black Widow list 
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I used to have a list of JAVA Black Widow sites, but erased them.

I was 'convinced' into disabling java filtering from the firewall.  :(

Please post lists of Black Widow sites for reference.


Bill Stout
_______________________________________________________________________________
Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems   408-970-4822   ---  Disclaimer:  I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________


From firewalls-owner  Mon Aug 12 14:13:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA23998 for firewalls-outgoing; Mon, 12 Aug 1996 13:55:33 -0700 (PDT)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA23989 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 13:55:22 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id NAA07339; Mon, 12 Aug 1996 13:07:37 -0700
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id NAA12571; Mon, 12 Aug 1996 13:51:25 -0700
Date: Mon, 12 Aug 1996 13:51:24 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: inet-access@earth.com
Subject: WARNING: Free "service" asking for your users' login info... (fwd)
Message-ID: <Pine.BSI.3.93.960812135051.3974e-100000@sidhe.memra.com>
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---------- Forwarded message ----------
Date: Thu, 8 Aug 1996 22:12:12 -0600
From: "Thomas L. Baca" <tbaca@LASCRUCES.COM>
Reply-To: Small Internet Access Providers <IAP@VMA.CC.ND.EDU>
To: Multiple recipients of list IAP <IAP@VMA.CC.ND.EDU>
Subject: WARNING: Free "service" asking for your users' login info...

Especially for those of you who offer POP3 email _and_ Unix shell
access:

My TCP Wrappers just turned away a POP3 client from
freedom.hotmail.com.  I decided to look into it and here's what I
found out at http://www.hotmail.com/

This is a free service by which anyone can get a free email account on
HoTMaiL's system and conduct all email activities using their WWW
interface.   That's OK with me, BUT they also offer the additional
service of allowing access to any POP3 account using this same WWW
interface.  Of course, you must provide them with your
username/password to your POP3 account for this to work.

Now, maybe I'm being way too picky here, but I don't like the idea of
my users giving away their account passwords to _anyone_.

I'm afraid that this points out the danger of naive users giving this
sensitive information to someone "out there" just because they look
like a "legitimate" service.  Perhaps it's worth re-emphasizing to our
users that they _really_ should not give out this information.  I
suspect we'll be doing that here, ASAP.

I am not intending to rekindle a flame war about the wisdom of
allowing shell access in the first place.  Just thought others might
want to be aware of this "service" and to think about the more general
problem of protecting login passwords...

best regards,
-tom


From firewalls-owner  Mon Aug 12 14:59:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA28735 for firewalls-outgoing; Mon, 12 Aug 1996 14:31:38 -0700 (PDT)
Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA28709 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 14:31:30 -0700 (PDT)
Received: from leosec.saic.com ([149.8.136.21]) by portal.east.saic.com
          via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 12 Aug 1996 21:31:30 UT
Received: by leosec.saic.com (5.x/SMI-SVR4)
	id AA03490; Mon, 12 Aug 1996 17:31:44 -0400
Date: Mon, 12 Aug 1996 17:31:44 -0400
From: dsulser@leosec.saic.com (David Sulser)
Message-Id: <9608122131.AA03490@leosec.saic.com>
To: pah@esoft.co.uk, Ben.Goodyear@dial.pipex.com
Subject: Re: To Subnet or not?
Cc: firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

 
> I always believed that you couldn't use the first or last subnet 
> (i.e. 0-63 and 192-255) - but recently I heard that this was OK so 
> long as your routers were new enough(!) and you follow the rule above 
> (i.e. don't use first or last address in the subnet).  I'd be 
> interested in any opinions on this....
> 
> Regards (and good luck Paul),
> 
> Ben
> 

I noticed that the InterNIC, when assigning IP addresses, encourages
the use of the first subnet. Also, you don't have to use only
"high-order bits," i.e. those resulting in netmasks ending in 128, 192,
224, 240, etc. It just makes it easier if you do.

Paul, in your original question, it sounds like it would be ideal if
you could bridge (MAC layer decision) while still being able to drop
packets based on network layer (address and port numbers) information.
Any ideas out there? It seems to me that some of the hardware switching
vendors are already blurring the lines between bridging and routing,
albeit in the interest of high throughput.

Regards,
David

From firewalls-owner  Mon Aug 12 15:13:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA02749 for firewalls-outgoing; Mon, 12 Aug 1996 14:52:54 -0700 (PDT)
Received: from nymt.reuter.com (nymt.reuter.com [204.5.74.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA02734 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 14:52:46 -0700 (PDT)
Received: by nymt.reuter.com (8.6.12) id RAA05238; Mon, 12 Aug 1996 17:53:03 -0400
Received: from zarquon(129.12.42.104) by nymt via smap (V1.3)
	id sma005236; Mon Aug 12 17:52:59 1996
Received: from titan.reuter. by zarquon (4.1) id AA02116; Mon, 12 Aug 96 17:45:43 EDT
Received: by titan.reuter. (5.x/SMI-SVR4)
	id AA11860; Mon, 12 Aug 1996 17:46:59 -0400
From: hsingh@nymt.reuter.com (Hardayal Singh)
Message-Id: <9608122146.AA11860@titan.reuter.>
Subject: deleted: HERF
To: firewalls@greatcircle.com
Date: Mon, 12 Aug 1996 17:46:58 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

HI, 
Someone just sent an article with the subject header under HERF .
I accidentally deleted it. Can some one repost or mail it to me.

From firewalls-owner  Mon Aug 12 15:27:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05137 for firewalls-outgoing; Mon, 12 Aug 1996 15:17:46 -0700 (PDT)
Received: from nutspgw.nutec.com.br ([200.246.248.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA05088 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 15:17:15 -0700 (PDT)
Received: (uucp@localhost) by nutspgw.nutec.com.br (8.6.9/8.6.5) id TAA08527; Mon, 12 Aug 1996 19:11:11 -0300
Message-Id: <199608122211.TAA08527@nutspgw.nutec.com.br>
Received: from unknown(200.246.248.32) by nutspgw.nutec.com.br via smap (g3.0.3)
	id xma008520; Mon, 12 Aug 96 19:11:03 -0300
Comments: Authenticated sender is <silveira@nutspgw.sao.nutecnet.com.br>
From: "Fernando da Silveira Montenegro" <silveira@nutec.com.br>
Organization: Nutec Informsstica
To: Chris Michael <cm@rmsbus.com>, firewalls@greatcircle.com
Date: Mon, 12 Aug 1996 19:19:20 -0300
Subject: RE: Supporting Internet Relay Chat CTCP and DCC.
Reply-to: silveira@nutpagw.nutec.com.br
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

> >On Mon, 12 Aug 1996, Matthew Stier - Imonics Corporation wrote:
> >> I have a few users that, on their free time, like to chat on the IRC.
> >FW-1 should provide a proxy, or recognition as they try to do with FTP 
> >that they need to open a path from the contacted host to a backchannel.
> 

Firewalls are supposed to be devices for IMPLEMENTING SECURITY
POLICIES, not toys to be used during free periods. The fact that I 
have some free time in the office and I enjoy DOOM (which I don't) 
doesn't mean my company ALLOWS me to do it.

If your users want to chat using IRC, evaluate the possibility of 
leaving one or two PCs out of the corporate network in the cafeteria 
or something.

FWIW, our own experience with IRC (which we studied as a way to
improve synchronous communications without voice) shows that it
doesn't serve for the way we do business, and, since it is NOT 
mission-critical, it doesn't pass through the firewall.

Hope this helps.

Fernando

--
Fernando da Silveira Montenegro        E-mail: silveira@nutec.com.br
Nutec Informatica S.A.                 Phone.: +55-11-505-5728
Rua Florida, 1821/11th floor           Fax...: +55-11-505-1918
Sao Paulo, SP BRAZIL 04565-001         WWW: http://www.nutec.com.br

From firewalls-owner  Mon Aug 12 16:49:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA13086 for firewalls-outgoing; Mon, 12 Aug 1996 16:40:45 -0700 (PDT)
Received: from merle.acns.nwu.edu (merle.acns.nwu.edu [129.105.16.57]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA13074 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 16:40:37 -0700 (PDT)
Received: from localhost by merle.acns.nwu.edu with SMTP
	(1.40.112.4/16.2) id AA128743153; Mon, 12 Aug 1996 18:39:13 -0500
Date: Mon, 12 Aug 1996 18:39:13 -0500 (CDT)
From: Brian Hatch <bri@ifokr.org>
X-Sender: bri@merle.acns.nwu.edu
To: Paul Harrison <pah@esoft.co.uk>
Cc: firewalls@greatcircle.com
Subject: Re: To Subnet or not?
In-Reply-To: <199608121536.QAA28159@paris.esoft.co.uk>
Message-Id: <Pine.HPP.3.93.960812183503.11183B-100000@merle.acns.nwu.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 12 Aug 1996, Paul Harrison wrote:

+All the references on this soft of setup assume that you are doing packet
+forwarding from something like 192.100.100.1 to 192.100.99.1, but I only have a
+class C from my ISP and cannot affort to loose the half my IP addresses that
+subnetting would cause.

Well, the main two things you can do are (as has been previously meantioned)
subnet it, or if you'd rather, use one of the officially
blessed 'internal' (ie non-internet propagatable) network number
for the internal side.  If I remember correctly, they're (from RFC 1597)

class a		10.0.0.0

class b		172.16.0.0 to
		172.31.0.0

class c		192.168.0.0 to
		192.168.254.0


Use one of these for the internal interface, and you won't have to subnet 
at all.  


						 Bri
--
bri@ifokr.org
Systems and Security Engineer
Onsight, Inc.  http://www.avue.com/


From firewalls-owner  Mon Aug 12 17:04:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA14267 for firewalls-outgoing; Mon, 12 Aug 1996 16:48:24 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id QAA14248 for firewalls@greatcircle.com; Mon, 12 Aug 1996 16:48:18 -0700 (PDT)
Received: from ns2.eds.com ([199.228.142.78]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA17671 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 12:53:59 -0700 (PDT)
Received: by ns2.eds.com (hello)
	id PAA05745; Mon, 12 Aug 1996 15:53:56 -0400
Received: from kocrsv04.delcoelect.com (kocrsv04.delcoelect.com [144.250.100.205]) by nnsp.eds.com (8.7.5/8.7.3) with ESMTP id PAA18238 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 15:53:26 -0400 (EDT)
Received: from kocrsw07.delcoelect.com (kocrsw07.delcoelect.com [144.250.106.13]) by kocrsv04.delcoelect.com (8.7.5/8.7.3) with SMTP id OAA13537 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 14:53:25 -0500 (EST)
Received: by kocrsw07.delcoelect.com (SMI-8.6/SMI-SVR4)
	id OAA08559; Mon, 12 Aug 1996 14:53:23 -0500
From: "Steve Lodin" <swlodin@eng.delcoelect.com>
Message-Id: <9608121453.ZM8557@kocrsw07.delcoelect.com>
Date: Mon, 12 Aug 1996 14:53:23 -0500
X-URL: http://www.cs.purdue.edu/people/swlodin
X-Face: Mx\#!$C!&CSez|Z]d^0t`P#ZJlPoyC#zJN;#4nwe8h4-rnXL-2>=!if`{Pi-*s^"vRs}SK]oA(n<(QS:gHZ%CX+Kq~It<%Glg~r_mv2*-l]x+19x*wHC]ON}<q)I|&@hIX=ndPF%:)P*{WL9k~vo"w852Q4[R$'!+Fu|f-=V^i=ES#hH!a&o5bi:XpRg!qf@,ujReOH!F}hK[BEwiE`S(_.?x>`47?]4{9>^w^S~/JxeEF!npYd1CLIp@}fA6|L~A:rBAuLlkfoQ~SlAIZsIkTrqFw5$uN4#P^Tga+BLOg
X-Mailer: Z-Mail (3.2.1 10oct95)
To: firewalls@greatcircle.com
Subject: USENIX Symposium Firewalls BOF Notes
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Firewall BOF - Tuesday July 23, 1996

Brent Chapman - Great Circle Associates - Referee

Introductory Material
--------------------------

Firewalls Mailing List - send "subscribe firewalls [address]" to
majordomo@greatcircle.com or check
http://www.greatcircle.com/firewalls/.

4550 main list, 4126 fw-digest, readership estimated at 15-20 K

US - 2/3 readership

Top domains - com, edu, net au

Questions
------------

Q: When you install a proxy firewall without sendmail, what sendmail
proxies/replacements running on FW can do LHS and RHS hacking.
A: smap eventually hands things off to sendmail anyway

Q: What services are necessary for the next generation proxies? IMAP?
A: SQL*Net, Lotus Notes
A: Steve Bellovin makes the point of asking yourself why you want to
pass complicated protocols thru proxies like this.
A: Send email to carson@lehman.com to work on IMAP proxy.

Q: Audience experiences with penetration analysis? Hiring someone else
to try penetration testing.
A: Saved time although some test seemed cookbook that they could have
done themselves if they had time.
A: Brent - How good and how honest are the people you hire. People
that are good at breaking into systems have different mind sets than
people who are good at defending systems.
A: Steve - A lot depends on your type of service. Application gateway
only doing three services won't pay to test.
A: Brent - Using it for automated audits to check things like
configuration. It only tells you what you test.
A: Brent - Packet sniffer on the inside looking for things the firewall is
supposed to block and sending alarms. Try tcpdump or etherfind or
snoop.
A: Steve - Look for strange addresses - means uncontrolled portion of
your net or a leak in your firewall.
A: Brent - Check routing tables for unkown networks.

Q: Users require X. Only know about SSH or Xforward. Any safe way
to do X?
A: Brent - (Lists problems with X server access) Mitre paper in last
year's USENIX Security Symposium. After allowing connection, you
trust all connections from that end.
A: Possibility of X server monitor
A: xnest is a neat application

Q: Useful encryption for dial-in for both Suns and Pcs?
A: Hughes Netlock.
A: SSH which might not work for his application.
A: Encrypting modems
A: Steve - IPSEC should be available soon.
A: SKIP might be solution that is available now.

Q: How to handle remote connections where the remote end might be
compromised.
A: Fred Avolio - SWIPE based, separate encryption and strong user
authentication
A: Steve - Don't think there is a general answer.
A: Carson - Drafted a policy to address remote access from home with
known configurations and a higher level of assurance. Different classes
of machines, known vs. unknown.

Q: How do you determine if the box at the other end of the PPP
connection isn't a router?
A: Steve - Don't allow routing protocols through PPP connections
A: Brent - Assume the connection has a network. (Describes problems
with dual career couples in the Bay Area with in home LANs that route
between companies.)
A: Tough decision on whether to put the terminal servers on the inside
or outside of the firewall.
A: Fred - Suggest that anyone coming from the outside is on the outside
of the security perimeter. Authenticate, then allow services based on
their identity. Recommend that terminal servers be put on the outside of
the firewall.
A: Jim Duncan - More than one firewall is now the norm.

Q: Anyone comment on Cisco PIX box?
A: Steve - Fundamental conflict between NAT and encryption. Can't do
end-to-end security (like DNS).

Q: How to treat SMTP, using smap on FW or proxying?
A: If you are going to run smap, make sure you patch (check FW
archives).

Q: How many people running stuff other than IP thru/around firewall.
A: IPX tunnel thru IP thru firewall
A: Decnet around firewall.

Q: Implementations of VPN for European.
A: BSDI IPSEC being done Greece.

Q: How many using SSH to tunnel into firewall for administrative
purposes?
A: A couple.

Discussion about MD5 and S/key. S/key attacks and MD5 potential
problems. Schneier may have new results on MD5 (in)security.

Q: Anything better?
A: SHA or RIPEM-160.

Q: Does Tripwire support SHA?
A: Don't think so.

Q: Firewalls for ATM?
A: Christoph Schuba is doing research for Xerox and the Purdue
University COAST Project.
A: Address filtering will be less doable in IPv6. IPv6 can autorenumber.

Q: Has IETF addressed encryption for export?
A: IAB did make a statement. IETF specify techically sound protocols
and let politicians worry about it.

Q: SQL*Net transactions thru firewall and doing audit/control?
A: No, only tunneling.
A: SAP and D&B internet clients will probably need this.
A: Every DB vendor has their own proprietary SQL format.

Q: NCSA Firewall Certification

A: Anything resembling a firewall will pass the certification basically.
A: 80% of compromises due to misconfiguration or misunderstandings.
80% of support calls are DNS, sendmail, and routing issues for TIS.
A: No plug and play firewalls. Even the most advanced firewalls can
still be misconfigured.
A: Customers asking vendors for the capability to misconfigure their
firewall.

Brand new DNS patches from Sun update to BIND 4.9.3 with BIND
4.9.4 validation code for Sol2.

Q: What to do about organization which says that since we have a
firewall we don't need to worry about internal security?
A: Some companies will place trust on inside employees and feel that
the risk is worth it.
A: Fred - some companies think that a firewall will protect them from
everything, takes education.

(Ran out of battery on the notebook at this point. Hopefully Rik can
offer his notes to finish the session.)

Steve Lodin

-- 
Steve Lodin - Delco Electronics - swlodin@delcoelect.com - (317)451-0479


		"Too many issues, not enough time."  --  Tony Powers


From firewalls-owner  Mon Aug 12 17:22:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA15395 for firewalls-outgoing; Mon, 12 Aug 1996 16:59:35 -0700 (PDT)
Received: from firewall.outsource.com.au (gw.outsource.com.au [203.2.75.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA15335 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 16:59:13 -0700 (PDT)
Received: from  (huey [192.168.1.3]) by firewall.outsource.com.au (8.6.12/8.6.9) with ESMTP id JAA01670 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 09:57:57 +1000
Received: from guyj.outsource.com.au ([192.168.1.110]) by huey.outsource.com.au with SMTP
	(1.39.111.2/16.2) id AA168264408; Tue, 13 Aug 1996 10:00:09 +1000
Received: by guyj.outsource.com.au with Microsoft Mail
	id <01BB88FE.1BB8FEC0@guyj.outsource.com.au>; Tue, 13 Aug 1996 09:59:25 +-1000
Message-Id: <01BB88FE.1BB8FEC0@guyj.outsource.com.au>
From: Guy Jones <guyj@outsource.com.au>
To: "'firewalls@GreatCircle.COM'" <firewalls@GreatCircle.COM>
Subject: DNS attack symptoms?
Date: Tue, 13 Aug 1996 09:59:19 +-1000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My client had scrambled entries in their DNS tables (eg. the =
/var/named/db.XXX files looked like binaries when viewed thru vi).  Is =
this a symptom of a DNS attack?  It certainly works as denial of service =
method.
They are running Solaris 2.5 on a Netra (3.0), with firewall-1 2.0b. =
They had not applied the latest Solaris security patches.
They were/are being pestered by a local nuisance, I just want to know =
whether the two issues are related (as I suspect).

Guy Jones

From firewalls-owner  Mon Aug 12 18:01:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22406 for firewalls-outgoing; Mon, 12 Aug 1996 17:50:55 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA22389 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 17:50:46 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c3robo10.cisco.com [171.68.13.74]) by lint.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id RAA26297; Mon, 12 Aug 1996 17:51:32 -0700
Message-Id: <199608130051.RAA26297@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 12 Aug 1996 20:50:22 -0400
To: Brian Hatch <bri@ifokr.org>
From: Paul Ferguson <pferguso@cisco.com>
Subject: Re: To Subnet or not?
Cc: Paul Harrison <pah@esoft.co.uk>, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Minor nit:

RFC-1597 has been obsoleted by RFC-1918.

- paul

At 06:39 PM 8/12/96 -0500, Brian Hatch wrote:

>
>Well, the main two things you can do are (as has been previously meantioned)
>subnet it, or if you'd rather, use one of the officially
>blessed 'internal' (ie non-internet propagatable) network number
>for the internal side.  If I remember correctly, they're (from RFC 1597)
>
>class a		10.0.0.0
>
>class b		172.16.0.0 to
>		172.31.0.0
>
>class c		192.168.0.0 to
>		192.168.254.0
>

--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Reston, Virginia   USA                                 ||||      ||||
tel: +1.703.716.9538                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s


From firewalls-owner  Mon Aug 12 18:13:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22640 for firewalls-outgoing; Mon, 12 Aug 1996 17:54:34 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA22631 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 17:54:23 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0TD3Y005 Mon, 12 Aug 96 20:54:08 
Message-ID: <9608122054.0TD3Y00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Mon, 12 Aug 96 20:54:08 
Subject: Surprise
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I was visiting a friend at MergerCo   He was setting up a Firewall-1
machine to limit IP connections coming out of an X25 line   Helped him
set up an X25 sniffer to look directly at the line   There were supposed
to be 6 stations   Three in US and three in Africa   Surprise   There
are 940 stations on three different continents on the X25 line   Best part
is that MergerCo has no idea how they got connected into there

Thought I would pass this on to those of you working with X25 and firewalls

                                                  PoT_LiCkEr

-=  Any intrepid readers got experience hacking TRW satellite controls? =-    


From firewalls-owner  Mon Aug 12 19:13:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA28484 for firewalls-outgoing; Mon, 12 Aug 1996 18:57:48 -0700 (PDT)
Received: from firewall.outsource.com.au (gw.outsource.com.au [203.2.75.26]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA28433 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 18:57:28 -0700 (PDT)
Received: from  (huey [192.168.1.3]) by firewall.outsource.com.au (8.6.12/8.6.9) with ESMTP id LAA00300 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 11:56:52 +1000
Received: from guyj.outsource.com.au ([192.168.1.110]) by huey.outsource.com.au with SMTP
	(1.39.111.2/16.2) id AA169181546; Tue, 13 Aug 1996 11:59:06 +1000
Received: by guyj.outsource.com.au with Microsoft Mail
	id <01BB890E.B84E3060@guyj.outsource.com.au>; Tue, 13 Aug 1996 11:58:19 +-1000
Message-Id: <01BB890E.B84E3060@guyj.outsource.com.au>
From: Guy Jones <guyj@outsource.com.au>
To: "'firewalls@GreatCircle.COM'" <firewalls@GreatCircle.COM>
Subject: RE: DNS attack symptoms?
Date: Tue, 13 Aug 1996 11:58:17 +-1000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sorry, I didn't actually catch the bind version but I am pretty sure it =
was 4.9.3 (un-patched).
There was no evidence of access attempts in the logs (syslog or fw.log) =
neither was there a bind reset, (it started generating errors about =
addresses it couldn't resolve at about midnight, this was a symptom of =
the scrambled tables, and gives an indication of when things happened) =
the bind daemon itself was still running. =20
Neither telnetd nor ftpd were enabled, and access to the ports was =
specifically blocked by firewall rules.  The only active service ports =
were DNS and SMTP, sendmail was version 8.6.
I don't think the problem was filesystem corruption, although this is a =
possibility.  The fact that every db.xxx file was trashed seems beyond =
coincidence.  There were no other corruptions that were apparent.
I should have kept the files... (but didn't) DOH!

----------
From: 	Paul D. Robertson[SMTP:proberts@clark.net]
Sent: 	Tuesday, 13 August 1996 7:00
To: 	Guy Jones
Subject: 	Re: DNS attack symptoms?

On Tue, 13 Aug 1996, Guy Jones wrote:

> My client had scrambled entries in their DNS tables (eg. the =
/var/named/db.XXX files looked like binaries when viewed thru vi).  Is =
this a symptom of a DNS attack?  It certainly works as denial of service =
method.
> They are running Solaris 2.5 on a Netra (3.0), with firewall-1 2.0b. =
They had not applied the latest Solaris security patches.
> They were/are being pestered by a local nuisance, I just want to know =
whether the two issues are related (as I suspect).

What version of Bind?  What FTP, telnet, etc. access were in the logs?
Was a named restart in syslog?  Have they fsck'ed the filesystem, to
ensure it wasn't just Solaris corruption?=20

Did you save the files?

Paul
-------------------------------------------------------------------------=
----
Paul D. Robertson      "My statements in this message are personal =
opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     =
PSB#9280





From firewalls-owner  Mon Aug 12 20:13:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA03110 for firewalls-outgoing; Mon, 12 Aug 1996 20:06:05 -0700 (PDT)
Received: from classic (classic.dataprep.com.my [202.190.57.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA03071 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 20:05:41 -0700 (PDT)
Received: from sos.dataprep.com.my by classic (SMI-8.6/SMI-SVR4)
	id MAA04365; Tue, 13 Aug 1996 12:08:04 -0700
Received: by sos.dataprep.com.my with Microsoft Mail
	id <01BB8908.2ACDE1A0@sos.dataprep.com.my>; Tue, 13 Aug 1996 11:11:25 +-800
Message-ID: <01BB8908.2ACDE1A0@sos.dataprep.com.my>
From: KENNETH PHANG <kent@dataprep.com.my>
To: "'Firewall digest'" <firewalls@greatcircle.com>
Subject: Other Firewall products for Frame Relay Network?
Date: Tue, 13 Aug 1996 11:11:21 +-800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

	I've been wandering whether there are other types of Firewall product =
in the market that can be use to protect data in a Frame Relay =
network(eg. VPN or encryption) as the cloud would be running multiple =
protocols as our ISP planning to do. There are using the Northern =
Telekom switches. Possiblity or IPX, appletalk, Decnet, IP and etc.=20

Thanks in advance.

Cheers
kent

From firewalls-owner  Mon Aug 12 20:42:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA05340 for firewalls-outgoing; Mon, 12 Aug 1996 20:36:36 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA05315 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 20:36:24 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id DAA27696; Tue, 13 Aug 1996 03:31:39 -0400
Date: Tue, 13 Aug 1996 03:31:35 -0400 (EDT)
From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: KENNETH PHANG <kent@dataprep.com.my>
cc: "'Firewall digest'" <firewalls@GreatCircle.COM>
Subject: Re: Other Firewall products for Frame Relay Network?
In-Reply-To: <01BB8908.2ACDE1A0@sos.dataprep.com.my>
Message-ID: <Pine.BSF.3.91.960813032816.27684A-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I don't know if support for multiple protocols will be included in the
first release, but 11.2 of Cisco's IOS (not out yet - Sept.?) is supposed
to include network level encryption (suitable for frame relay and other
communications methods where payload-only encryption is needed) based on
Cylink's technology. Check the Cisco web site. 

- r.w.


On Tue, 13 Aug 1996, KENNETH PHANG wrote:

> Hi,
> 
> 	I've been wandering whether there are other types of Firewall product in the market that can be use to protect data in a Frame Relay network(eg. VPN or encryption) as the cloud would be running multiple protocols as our ISP planning to do. There are using the Northern Telekom switches. Possiblity or IPX, appletalk, Decnet, IP and etc. 
> 
> Thanks in advance.
> 
> Cheers
> kent
> 

From firewalls-owner  Mon Aug 12 21:57:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA09163 for firewalls-outgoing; Mon, 12 Aug 1996 21:48:02 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA09155 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 21:47:52 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id VAA18721; Mon, 12 Aug 1996 21:47:41 -0700
Date: Mon, 12 Aug 1996 21:47:41 -0700 (PDT)
From: Robert Hanson <roberth@cet.com>
To: potlicker@morebbs.com
cc: firewalls@GreatCircle.COM
Subject: Re: Surprise
In-Reply-To: <9608122054.0TD3Y00@morebbs.com>
Message-ID: <Pine.LNX.3.94.960812214440.18503F-100000@cet.cet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

so in other words.... MergerCo is on a "public" x.25 network? i didnt
realize that there were all that many "private" x.25's...

could this type of scenario exist in frame-relay scenarios, or would on
the telco(s) aka IXC's be able to get out the ole' snoz?

--->
Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
(509) 927-9541             finger: info@cet.com or email: roberth@cet.com



On Mon, 12 Aug 1996 potlicker@morebbs.com wrote:

> 
> I was visiting a friend at MergerCo   He was setting up a Firewall-1
> machine to limit IP connections coming out of an X25 line   Helped him
> set up an X25 sniffer to look directly at the line   There were supposed
> to be 6 stations   Three in US and three in Africa   Surprise   There
> are 940 stations on three different continents on the X25 line   Best part
> is that MergerCo has no idea how they got connected into there
> 
> Thought I would pass this on to those of you working with X25 and firewalls
> 
>                                                   PoT_LiCkEr
> 
> -=  Any intrepid readers got experience hacking TRW satellite controls? =-    
> 


From firewalls-owner  Mon Aug 12 22:42:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA10221 for firewalls-outgoing; Mon, 12 Aug 1996 22:28:43 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA10213 for <firewalls@GreatCircle.COM>; Mon, 12 Aug 1996 22:28:35 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id FAA27899; Tue, 13 Aug 1996 05:24:23 -0400
Date: Tue, 13 Aug 1996 05:24:19 -0400 (EDT)
From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: Brian Hatch <bri@ifokr.org>
cc: Paul Harrison <pah@esoft.co.uk>, firewalls@GreatCircle.COM
Subject: Re: To Subnet or not?
In-Reply-To: <Pine.HPP.3.93.960812183503.11183B-100000@merle.acns.nwu.edu>
Message-ID: <Pine.BSF.3.91.960813051925.27882A-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



On Mon, 12 Aug 1996, Brian Hatch wrote:

> On Mon, 12 Aug 1996, Paul Harrison wrote:
> 
> +All the references on this soft of setup assume that you are doing packet
> +forwarding from something like 192.100.100.1 to 192.100.99.1, but I only have a
> +class C from my ISP and cannot affort to loose the half my IP addresses that
> +subnetting would cause.
> 
> Well, the main two things you can do are (as has been previously meantioned)
> subnet it, or if you'd rather, use one of the officially
> blessed 'internal' (ie non-internet propagatable) network number
> for the internal side.  If I remember correctly, they're (from RFC 1597)
> 

RFC 1597 has been replaced by RFC 1918. See:
http://ds.internic.net/rfc/rfc1918.txt

- r.w.



From firewalls-owner  Mon Aug 12 23:27:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA12345 for firewalls-outgoing; Mon, 12 Aug 1996 23:12:23 -0700 (PDT)
Received: from PACBELL.net (chumash.snfc21.pbi.net [206.13.28.17]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA12330 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 23:12:14 -0700 (PDT)
Received: from robert-1 (ppp-207-104-17-83.snrf01.pacbell.net [207.104.17.83]) by PACBELL.net (8.7.5/8.7.1) with SMTP id XAA09493 for <firewalls@greatcircle.com>; Mon, 12 Aug 1996 23:12:11 -0700 (PDT)
Message-ID: <32101D59.70F6@pacbell.net>
Date: Mon, 12 Aug 1996 23:14:49 -0700
From: Robert Carter <stigmata@pacbell.net>
Reply-To: stigmata@pacbell.net
Organization: PSA
X-Mailer: Mozilla 3.0b5aGold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: BootUp Security!
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We recently had a breakin and the R&D department was litteraly broken
apart for their harddrives is there anyway to protect data that is
stored on a down system like this.?
mailto:stigmata@pacbell.net
Robert

From firewalls-owner  Tue Aug 13 00:27:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA15712 for firewalls-outgoing; Tue, 13 Aug 1996 00:23:01 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA15694 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 00:22:51 -0700 (PDT)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34)
	id AA19249; Tue, 13 Aug 96 02:29:17 CDT
Received: by mnbp.network.com with Microsoft Mail
	id <32102C53@mnbp.network.com>; Tue, 13 Aug 96 02:18:43 CDT
From: "Jeff D. Hayes" <hayesjd@mnbp2.network.com>
To: Firewalls <firewalls@greatcircle.com>
Subject: Holes In Frame Relay
Date: Tue, 13 Aug 96 02:18:00 CDT
Message-Id: <32102C53@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Premise:  All public data service offerings have security holes:  if you 
don't own the real estate or the copper/fiber, consider it untrusted.

Request:  Everyone believes the Internet to be an unsecure network, however, 
most people believe frame relay to be quite secure.  I don't believe this is 
accurate.  I believe frame relay is every bit as unsecure as the Internet. 
 I would like to understand the security concerns applicable to frame relay? 
 White papers, press reports, opinions, etc. are welcomed.

jeff.hayes@network.com

From firewalls-owner  Tue Aug 13 02:42:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA22099 for firewalls-outgoing; Tue, 13 Aug 1996 02:30:51 -0700 (PDT)
Received: from snet (dataprep.com.my [202.190.57.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA21940 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 02:28:32 -0700 (PDT)
Received: from palan-net by snet (SMI-8.6/SMI-SVR4)
	id RAA14475; Tue, 13 Aug 1996 17:33:00 -0800
Date: Tue, 13 Aug 1996 17:33:00 -0800
Message-Id: <199608140133.RAA14475@snet>
X-Sender: palan@dataprep.com.my
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Kogulapalan <palan@dataprep.com.my>
Subject: Security on Frame Relay
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi folks,

        Can a Frame Relay network support many different types of protocols
running on same backbone ??? If can, is there a firewall product which can
be used to secure those data that travels within ?? As far as I know, there
is only a encryption on frame relay is available (only one company sells
it). How about other method is securing data on Frame Relay ?
 
        Another question is, can a Cisco router talk to a Bay
Networks/Wellfleet router over the frame relay ? How reliable is this ?? 

        Anyway, my main concern is the security portion. Is there anybosy
outside there did a test run on the encryption or other securities on frame
relay ??

Thanks,
Palan K

" Hack From The Rich And Download To The Poor "
        
  



From firewalls-owner  Tue Aug 13 03:12:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA22962 for firewalls-outgoing; Tue, 13 Aug 1996 02:51:38 -0700 (PDT)
Received: from KLSE.COM.MY (smtp.klse.com.my [202.190.12.202]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id CAA22929 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 02:50:32 -0700 (PDT)
Received: from GPO#u#DOMAIN-Message_Server by KLSE.COM.MY
	with Novell_GroupWise; Tue, 13 Aug 1996 17:58:54 +0800
Message-Id: <s210c25d.089@KLSE.COM.MY>
X-Mailer: Novell GroupWise 4.1
Date: Tue, 13 Aug 1996 17:58:08 +0800
From: MOHAMED HABIB MOHAMED EUSOFF <habib@KLSE.COM.MY>
To: firewalls@greatcircle.com, hayesjd@mnbp2.network.com
Subject:  try http://www.sangoma.com. There are few papers on tech 
	       support.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

try http://www.sangoma.com. There are few papers on tech support.


From firewalls-owner  Tue Aug 13 05:12:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA29979 for firewalls-outgoing; Tue, 13 Aug 1996 04:57:07 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA29972 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 04:56:56 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id HAA09341; Tue, 13 Aug 1996 07:42:15 -0500
From: Adam Shostack <adam@homeport.org>
Message-Id: <199608131242.HAA09341@homeport.org>
Subject: Re: BootUp Security!
To: stigmata@pacbell.net
Date: Tue, 13 Aug 1996 07:42:15 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <32101D59.70F6@pacbell.net> from "Robert Carter" at Aug 12, 96 11:14:49 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Robert Carter wrote:

| We recently had a breakin and the R&D department was litteraly broken
| apart for their harddrives is there anyway to protect data that is
| stored on a down system like this.?
| mailto:stigmata@pacbell.net
| Robert

Sure.  Theres encryption, and physical security.

	For disk encryption on UNIX, use CFS.
ftp.research.att.com/pub/mab/?  On macs, look into Cryptdisk, or for
PCs, I think securedrive is reccommended, but I haven't used it.  All
use (or offer) strong encryption at the filesystem level.

	Then there is physical security.  DIRCIA has a psec manual
that you can look at.  (Don't try to buy the approved locks unless you
have armed guards with orders to shoot intruders.)  Basically, you'll
want some form* of permiter security in conjunction with irregular
patrols, and the CIA manual goes over such nits as make sure you don't
have windows on the area that you're tyring to keep physically
secured, or if you do, have bars & alarms, etc.

* Maybe several forms of border security, such as a fence, a guard at
the gate, and a badge + numberpad entry system for the rooms in
question.  In the rooms, you could consider locking down the machines,
but be very careful not to make things so intrusive that people leave
the machines unlocked because unlocking them is such a pain.  Also
remember that locks require keys, and if the guard has a full set,
then the guard is a primary point of comprimise.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume


From firewalls-owner  Tue Aug 13 05:28:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA00660 for firewalls-outgoing; Tue, 13 Aug 1996 05:14:25 -0700 (PDT)
Received: from jasmine.tc.pw.com (jasmine.tc.pw.com [131.209.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA00652 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 05:14:15 -0700 (PDT)
From: Patrick_Flanigan@europe.notes.pw.com
Received: from orchid.tc.pw.com by jasmine.tc.pw.com (4.1/SMI-4.1)
	id AA17045; Tue, 13 Aug 96 05:19:57 PDT
Received: by orchid.tc.pw.com (4.1/SMI-4.1)
	id AA29325; Tue, 13 Aug 96 05:19:58 PDT
Message-Id: <9608131219.AA29325@orchid.tc.pw.com>
To: firewalls@greatcircle.com
Date: Tue, 13 Aug 96 13:26:19 EDT
Subject: NT Firewalling
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

This is perhaps too basic a question for this list, but I'm interested in 
obtaining some background information on commercial firewalls for Windows NT.  
I'm looking for a moderately priced software-solution, probably based on 
packet-level filtering, to protect a LAN from external access.

My experience is mostly with UNIX, and I must confess that I have very little 
familiarity with NT products.  Any help that you can provide would be greatly 
appreciated.

Patrick

From firewalls-owner  Tue Aug 13 05:46:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA00175 for firewalls-outgoing; Tue, 13 Aug 1996 04:58:10 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA00161 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 04:57:55 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo11.cisco.com [171.68.13.11]) by lint.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id EAA11659; Tue, 13 Aug 1996 04:58:24 -0700
Message-Id: <199608131158.EAA11659@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 13 Aug 1996 07:57:12 -0400
To: Kogulapalan <palan@dataprep.com.my>
From: Paul Ferguson <pferguso@cisco.com>
Subject: Re: Security on Frame Relay
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:33 PM 8/13/96 -0800, Kogulapalan wrote:

>Hi folks,
>
>        Can a Frame Relay network support many different types of protocols
>running on same backbone ??? 

Yes.

> If can, is there a firewall product which can
>be used to secure those data that travels within ??

In theory, yes.  :-)

Certainly an TCP/IP firewall could be placed anywhere in the topology;
you'll be hard-pressed to find one which will handle multiprotocol
traffic. In any event, a good multiprotocol router :-) could certainly
handle this.


> As far as I know, there
>is only a encryption on frame relay is available (only one company sells
>it). How about other method is securing data on Frame Relay ?
> 

Encryption is the only sure method.


>        Another question is, can a Cisco router talk to a Bay
>Networks/Wellfleet router over the frame relay ? How reliable is this ?? 
>

Yes, and very (using RFC-1490).

- paul

>        Anyway, my main concern is the security portion. Is there anybosy
>outside there did a test run on the encryption or other securities on frame
>relay ??
>
>Thanks,
>Palan K
>
>" Hack From The Rich And Download To The Poor "
>        

--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Reston, Virginia   USA                                 ||||      ||||
tel: +1.703.716.9538                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s


From firewalls-owner  Tue Aug 13 06:01:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA02079 for firewalls-outgoing; Tue, 13 Aug 1996 05:45:52 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA02050 for <firewalls@miles>; Tue, 13 Aug 1996 05:45:37 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
	id FAA09881; Tue, 13 Aug 1996 05:45:22 -0700
Received: from vector.wantree.com.au(203.63.10.1) by mycroft via smap (V1.3mjr)
	id sma009874; Tue Aug 13 05:44:20 1996
Received: (from darius@localhost) by vector.wantree.com.au (8.7.5/8.6.9) id UAA04023 for Firewalls@GreatCircle.COM; Tue, 13 Aug 1996 20:30:58 +0800
From: Kevin Littlejohn <darius@vector.wantree.com.au>
Message-Id: <199608131230.UAA04023@vector.wantree.com.au>
Subject: IP Spoofing
To: Firewalls@GreatCircle.COM
Date: Tue, 13 Aug 1996 20:30:57 +0800 (WST)
In-Reply-To: <199608100800.BAA24098@miles.greatcircle.com> from "Firewalls-Digest" at Aug 10, 96 01:00:32 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Just a quick one - looking for recommendations for documentation re:
IP Spoofing - I would like to know how, and what can be done about it,
and how to recognise it, and basically everything :)

Anyone got any good books or doccos?

KevinL

From firewalls-owner  Tue Aug 13 06:43:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA06020 for firewalls-outgoing; Tue, 13 Aug 1996 06:33:00 -0700 (PDT)
Received: from sp-agency.ca (scins1.sp-agency.ca [142.74.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA05989 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 06:32:42 -0700 (PDT)
Received: from sso.sci.sp-agency.ca by sp-agency.ca (4.1/SMI-4.1-DNI)
	id AA22038; Tue, 13 Aug 96 09:32:23 EDT
Received: by sso.sci.sp-agency.ca; Tue, 13 Aug 96 9:32:31 EDT
Date: Tue, 13 Aug 96 9:24:17 EDT
Message-Id: <vines.ev39+,662mB@sso.sci.sp-agency.ca>
X-Priority: 3 (Normal)
To: <potlicker@morebbs.com>
Cc: <firewalls@greatcircle.com>
From: "Darin Comi" <comid@sp-agency.ca>
Subject: re: Surprise
X-Incognito-Sn: 940
X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I was visiting a friend at MergerCo   He was setting up a Firewall-1
>machine to limit IP connections coming out of an X25 line   Helped him
>set up an X25 sniffer to look directly at the line   There were supposed

Cool experiment.  Can I get one of these x25 sniffers for my
 toolbox?

Regards,
Darin

From firewalls-owner  Tue Aug 13 07:14:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA08750 for firewalls-outgoing; Tue, 13 Aug 1996 07:07:00 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA08729 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 07:06:50 -0700 (PDT)
Received: from uucp1.UU.NET by relay5.UU.NET with SMTP 
	(peer crosschecked as: uucp1.UU.NET [192.48.96.32])
	id QQbcpc23896; Tue, 13 Aug 1996 10:06:48 -0400 (EDT)
Received: from dra.UUCP by uucp1.UU.NET with UUCP/RMAIL
        ; Tue, 13 Aug 1996 10:06:48 -0400
Received: by dra-hq.com (5.x/SMI-SVR4)
	id AA16544; Tue, 13 Aug 1996 09:57:00 -0400
Date: Tue, 13 Aug 1996 09:57:00 -0400
From: gweber@dra.dra-hq.com (Greg Weber)
Message-Id: <9608131357.AA16544@dra-hq.com>
To: firewalls@greatcircle.com
Subject: info request
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

please send faq

From firewalls-owner  Tue Aug 13 07:28:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA07274 for firewalls-outgoing; Tue, 13 Aug 1996 06:46:08 -0700 (PDT)
Received: from bliss.stetson.edu (bliss.stetson.edu [147.253.70.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA07253 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 06:45:55 -0700 (PDT)
Received: from localhost (fay@localhost) by bliss.stetson.edu (8.6.10/8.6.10) with SMTP id JAA24795; Tue, 13 Aug 1996 09:46:46 GMT
Date: Tue, 13 Aug 1996 09:46:45 +0000 (GMT)
From: Jeff Fay <fay@bliss.stetson.edu>
To: Adam Shostack <adam@homeport.org>
cc: stigmata@pacbell.net, firewalls@GreatCircle.COM
Subject: Re: BootUp Security!
In-Reply-To: <199608131242.HAA09341@homeport.org>
Message-ID: <Pine.SUN.3.93.960813094527.24785A-100000@bliss.stetson.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



On Tue, 13 Aug 1996, Adam Shostack wrote:

> Robert Carter wrote:
> 
> | We recently had a breakin and the R&D department was litteraly broken
> | apart for their harddrives is there anyway to protect data that is
> | stored on a down system like this.?
> | mailto:stigmata@pacbell.net
> | Robert
> 
> Sure.  Theres encryption, and physical security.
> 
> 	For disk encryption on UNIX, use CFS.
> ftp.research.att.com/pub/mab/?  On macs, look into Cryptdisk, or for
> PCs, I think securedrive is reccommended, but I haven't used it.  All
> use (or offer) strong encryption at the filesystem level.
> 
  What exactly is strong encryption? DES? RSA? Just curious...because if I
have the hard drives I have all the time in the world to brute force it.
-Jeff "Fiji" Fay


From firewalls-owner  Tue Aug 13 07:42:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA07995 for firewalls-outgoing; Tue, 13 Aug 1996 06:56:54 -0700 (PDT)
Received: from relay2.eunet.fr (relay2.EUnet.fr [192.134.192.149]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA07987 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 06:56:41 -0700 (PDT)
From: Francis.Gregoire@met.fr
Received: from metmail.met.fr by relay2.eunet.fr (5.65c8d/96.05.03)
	via EUnet-France id AA14150; Tue, 13 Aug 1996 15:56:30 +0200 (MET)
Received: from galymede.tech.met.fr by metmail.met.fr; Tue, 13 Aug 1996 15:52:51 +0200 (MET DST)
Received: from lievre.met.fr by galymede.tech.met.fr; Tue, 13 Aug 1996 15:54:14 +0200 (MET DST)
Received: by lievre.met.fr; Tue, 13 Aug 1996 15:56:40 +0200 (MET DST)
Date: Tue, 13 Aug 1996 15:56:40 +0200 (MET DST)
Message-Id: <199608131356.PAA09790@lievre.met.fr>
To: firewalls@greatcircle.com
Subject: syslogd under Solaris 2.5
Cc: Francis.Gregoire@met.fr
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

	
	Hello,

	We have a problem with syslogd on our bastion. Any messages are lost and aren't logged in the file /var/adm/messages. Before, syslogd worked very fine but today it's wrong. When we send it the HUP signal, it does't work because the file /etc/syslog.pid hasn't the good iud. If we put the good uid in this file, the result is same. If we kill it and if we reexecute syslogd, it sleeps and doesn't work ( it doesn't write his uid in the file /etc/syslog.pid ). There are no messages on the system console. We have verified the rights of files : they are good. We have changed the executable : the result is same. 

	Has anyone an idea why our syslogd doesn't work? Thanks,

					Francis GREGOIRE 

From firewalls-owner  Tue Aug 13 08:00:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA10620 for firewalls-outgoing; Tue, 13 Aug 1996 07:37:24 -0700 (PDT)
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA10603 for <Firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 07:37:12 -0700 (PDT)
Received: from netevolve.com by relay1.UU.NET with SMTP 
	(peer crosschecked as: [206.136.48.11])
	id QQbcpe20901; Tue, 13 Aug 1996 10:36:54 -0400 (EDT)
Received: from lazar by netevolve.com (4.1/SMI-4.1)
	id AA03175; Tue, 13 Aug 96 10:39:47 EDT
Message-Id: <9608131439.AA03175@netevolve.com>
Comments: Authenticated sender is <lazar@netevolve.com>
From: "Irwin Lazar" <lazar@netevolve.com>
Organization: Network Evolutions
To: Firewalls@GreatCircle.COM, Kevin Littlejohn <darius@vector.wantree.com.au>
Date: Tue, 13 Aug 1996 10:38:32 +0000
Subject: Re: IP Spoofing
Reply-To: lazar@netevolve.com
X-Mailer: Pegasus Mail for Win32 (v2.42)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The following URL is usefull:
http://www.willamette.edu/~dlabar/firewall.html

And the following book as well:
Chapman, Brent D. "Building Internet Firewalls."  O'Reilly & 
Associates, Inc.  Sebastopol, CA.  September 1995.

Also try searching www.alta-vista.com for IP SPOOFING

And last but not least, try searching the home page of the Computer 
Literacy Bookshop for other relevant titles.
http://www.clbooks.com

Happy Hunting!!

> Hi all,
> 
> Just a quick one - looking for recommendations for documentation re:
> IP Spoofing - I would like to know how, and what can be done about it,
> and how to recognise it, and basically everything :)
> 
> Anyone got any good books or doccos?
> 
> KevinL
> 
> 
Irwin M. Lazar
Network Evolutions, Inc.
lazar@netevolve.com
http://www.netevolve.com

From firewalls-owner  Tue Aug 13 08:13:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09302 for firewalls-outgoing; Tue, 13 Aug 1996 07:13:55 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA09206 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 07:13:31 -0700 (PDT)
Message-Id: <199608131413.HAA09206@miles.greatcircle.com>
Received: by cheops.anu.edu.au
	(1.37.109.16/16.2) id AA190775479; Wed, 14 Aug 1996 00:11:19 +1000
From: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: Supporting Internet Relay Chat CTCP and DCC.
To: njs@scifi.squawk.com (Nick Simicich)
Date: Wed, 14 Aug 1996 00:11:18 +1000 (EST)
Cc: matthew.stier@imonics.com, firewalls@GreatCircle.COM
In-Reply-To: <Pine.LNX.3.91.960812124735.8570Z-100000@scifi.squawk.com> from "Nick Simicich" at Aug 12, 96 12:57:46 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Nick Simicich, sie said:
[...]
> DCC (especially) and CTCP work like FTP in that they open a port and do a
> bind to a random non-priv port (not root, after all, and multiple users are
> allowed on a single machine so they can't use a single port), a getsockname()
> to discover what they happened to bind, and then the client sends the port
> number and address in a private protocol message to the other party, who then
> attempts to connect to the backchannel. 

Just to clear up any confusion:

CTCP - Client To Client Protocol
DCC - Direct Client to Client

The former is used for clients to query each other or just provide data
through IRC to other clients in a recognisable format.  It is not required
for clients to understand if they wish to partake `in IRC' but compliant
clients may make some of the generally accepted CTCP components less of an
eye sore (well, depends on your opinion).  CTCP doesn't open up any
connections, it is simply a commonly recognised message format within IRC
by clients for sending `out of band data'.

DCC is used to support communication directly between clients.  This is most
obviously of benefit to exchange files of largish size which the IRC servers
try to discourage users sending through the relayed network.  The call setup
information is sent between clients using CTCP.  The endpoints for the TCP
connection used are as good as random except that to/from < 1024 is usually
discouraged and not supported by Unix clients.

Alone, neither are a problem.  But when IRC clients are written to
automatically respond in various ways (such as accept files being sent to
the user via DCC) it becomes increasingly risky to support the software
being used through a firewall.

Darren

From firewalls-owner  Tue Aug 13 08:32:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14159 for firewalls-outgoing; Tue, 13 Aug 1996 08:08:00 -0700 (PDT)
Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA14083 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 08:07:38 -0700 (PDT)
Received: from beach.sctc.com (root@localhost) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA11102 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 10:13:07 -0500 (CDT)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA11098 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 10:13:06 -0500 (CDT)
Received: from ppp-mccue.sctc.com (ppp-mccue.sctc.com [172.17.197.75]) by sphinx.sctc.com (8.7.5/8.7.3) with SMTP id KAA16705 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 10:07:18 -0500 (CDT)
Date: Tue, 13 Aug 1996 10:07:18 -0500 (CDT)
Message-Id: <2.2.16.19960813110758.2e979e1a@sphinx.sctc.com>
X-Sender: mccue@sphinx.sctc.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Gwen McCue <mccue@sctc.com>
Subject: Re: Other Firewall products for Frame Relay Network?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sure, Secure Computing Corp. has a firewall that will create VPNs through
FW-2-FW
encryption using IPsec. Although, I beleive that their product currently
only handles
IP ATT, I think I heard a rumor somewhere that they are planning on adding IPX
support in the near future.

Gwen 

At 11:11 AM 8/13/96 +-800, you wrote:
>Hi,
>
>	I've been wandering whether there are other types of Firewall product in
the market that can be use to protect data in a Frame Relay network(eg. VPN
or encryption) as the cloud would be running multiple protocols as our ISP
planning to do. There are using the Northern Telekom switches. Possiblity or
IPX, appletalk, Decnet, IP and etc. 
>
>Thanks in advance.
>
>Cheers
>kent
>
>


From firewalls-owner  Tue Aug 13 08:47:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA16148 for firewalls-outgoing; Tue, 13 Aug 1996 08:23:08 -0700 (PDT)
Received: from goffer.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA16120 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 08:22:55 -0700 (PDT)
Received: from goffette.research.megasoft.com (goffette.research.megasoft.com [192.168.1.2]) by goffer.research.megasoft.com (8.7.5/8.7.3-cmcurtin) with SMTP id LAA09919; Tue, 13 Aug 1996 11:18:06 -0400 (EDT)
Received: by goffette.research.megasoft.com (940816.SGI.8.6.9/940406.SGI)
	 id LAA06466; Tue, 13 Aug 1996 11:18:21 -0400
Date: Tue, 13 Aug 1996 11:18:21 -0400
Message-Id: <199608131518.LAA06466@goffette.research.megasoft.com>
From: C Matthew Curtin <cmcurtin@research.megasoft.com>
To: Patrick_Flanigan@europe.notes.pw.com
Cc: firewalls@GreatCircle.COM
Subject: Re: NT Firewalling
In-Reply-To: <9608131219.AA29325@orchid.tc.pw.com>
References: <9608131219.AA29325@orchid.tc.pw.com>
Reply-To: cmcurtin@research.megasoft.com
X-Attribution: mattC
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Patrick" == Patrick Flanigan <Patrick_Flanigan@europe.notes.pw.com> writes:

Patrick> My experience is mostly with UNIX, and I must confess that I
Patrick> have very little familiarity with NT products.  Any help that
Patrick> you can provide would be greatly appreciated.

You should _definitely_ use Unix if that's what you know. NT on
bastion hosts or other firewall components won't buy you anything at
all. Also, because NT is so new, and under so much pressure to be
released so quickly, there is a large potential for errors that
result in security problems.

The only time I would even consider recommending NT over Unix for such
things is in an envirnoment where there are NT gurus around (not just
people who think they understand it because it has a familiar
interface), and a complete lack of skilled Unix people.

Don't believe the hype.

--
C Matthew Curtin        MEGASOFT, LLC        Director, Security Architecture
I speak only for myself.  Don't whine to anyone but me about anything I say.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
cmcurtin@research.megasoft.com http://research.megasoft.com/people/cmcurtin/

From firewalls-owner  Tue Aug 13 09:28:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA23338 for firewalls-outgoing; Tue, 13 Aug 1996 09:15:01 -0700 (PDT)
Received: from rodan.UU.NET (rodan.UU.NET [153.39.130.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA23290 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 09:14:44 -0700 (PDT)
Received: from woobie.uu.net by rodan.UU.NET with SMTP 
	(peer crosschecked as: woobie.UU.NET [153.39.253.138])
	id QQbcpk03633; Tue, 13 Aug 1996 12:14:07 -0400 (EDT)
Message-ID: <3210A9CE.446B9B3D@uu.net>
Date: Tue, 13 Aug 1996 12:14:07 -0400
From: Mark Krause <mkrause@UU.NET>
Organization: UUNET Technologies, Inc.
X-Mailer: Mozilla 3.0b5 (X11; I; SunOS 4.1.3_U1 sun4c)
MIME-Version: 1.0
To: Jeff Fay <fay@bliss.stetson.edu>
CC: Adam Shostack <adam@homeport.org>, stigmata@pacbell.net,
        firewalls@GreatCircle.COM
Subject: Re: BootUp Security!
References: <Pine.SUN.3.93.960813094527.24785A-100000@bliss.stetson.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeff Fay wrote:

>   What exactly is strong encryption? DES? RSA? Just curious...because if I
> have the hard drives I have all the time in the world to brute force it.

See http://www.bsa.org/policy/encryption/cryptographers.html for
details on how long it may take to "brute force" different key
lengths.

-- 
Mark Krause                UUNET Technologies, Inc.   http://www.uu.net/
Senior Security Engineer   3060 Williams Drive
mkrause@uu.net             Fairfax, VA 22031-4648 USA
Tel: +1 703 208 5349       Fax: +1 703 206 5493

From firewalls-owner  Tue Aug 13 10:58:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA00338 for firewalls-outgoing; Tue, 13 Aug 1996 10:49:34 -0700 (PDT)
Received: from freebsd.netcom.com (freebsd.netcom.com [198.211.79.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA00331 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 10:49:26 -0700 (PDT)
Received: by freebsd.netcom.com (8.6.12/SMI-4.1)
	id MAA21559; Tue, 13 Aug 1996 12:55:09 -0500
From: bugs@freebsd.netcom.com (Mark Hittinger)
Message-Id: <199608131755.MAA21559@freebsd.netcom.com>
Subject: re: syslogd under Solaris 2.5
To: firewalls@greatcircle.com
Date: Tue, 13 Aug 1996 12:55:09 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Francis.Gregoire@met.fr
> 	We have a problem with syslogd on our bastion. Any messages are lost
> and aren't logged in the file /var/adm/messages.

Check nsswitch.conf and make sure you can reference "host: files" before your
dns.  In the /etc/hosts make sure you have a loghost defined.  Restart syslogd.

Regards,

Mark Hittinger
Netcom/Dallas
bugs@freebsd.netcom.com

From firewalls-owner  Tue Aug 13 11:40:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA01922 for firewalls-outgoing; Tue, 13 Aug 1996 11:21:05 -0700 (PDT)
Received: from nutspgw.nutec.com.br ([200.246.248.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA01915 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 11:20:51 -0700 (PDT)
Received: (uucp@localhost) by nutspgw.nutec.com.br (8.6.9/8.6.5) id PAA05040 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 15:05:32 -0300
Message-Id: <199608131805.PAA05040@nutspgw.nutec.com.br>
Received: from unknown(200.246.248.32) by nutspgw.nutec.com.br via smap (g3.0.3)
	id xma004426; Tue, 13 Aug 96 14:59:53 -0300
Comments: Authenticated sender is <silveira@nutspgw.sao.nutecnet.com.br>
From: "Fernando da Silveira Montenegro" <silveira@nutec.com.br>
Organization: Nutec Informsstica
To: firewalls@greatcircle.com
Date: Tue, 13 Aug 1996 14:55:01 -0300
Subject: Re: NT Firewalling
Reply-to: silveira@nutpagw.nutec.com.br
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everybody!

> The only time I would even consider recommending NT over Unix for such
> things is in an envirnoment where there are NT gurus around (not just
> people who think they understand it because it has a familiar
> interface), and a complete lack of skilled Unix people.

While NT expertise is a must-have, another factor I'd add to using NT 
over UNIX is product availability for a given platform. For instance, 
if you're not using a RISC workstation, if have VERY limited options 
as to different products. Given the current market pressure, if you 
want to firewall (perhaps we should create a new verb, "to firewall") 
using an Intel PC, your best bet will probably be NT.

With this neverending upgrade of client PC's, the availability of
Intel machines powerful enough to act as a firewall increases. Most 
of us probably have an old 486/66 they can put 32MB in and run NT, 
no?

I know vendors such as TIS offer versions of their product for 
BSD/OS, but it is more likely to see a new product come out for NT 
than for BSD/OS (which is sad, in my opinion). 

> 
> Don't believe the hype.
Well said! Don't you guys (and girls) think firewalls should also
block vaporware? :-) 


Fernando
--
Fernando da Silveira Montenegro        E-mail: silveira@nutec.com.br
Nutec Informatica S.A.                 Phone.: +55-11-505-5728
Rua Florida, 1821/11th floor           Fax...: +55-11-505-1918
Sao Paulo, SP BRAZIL 04565-001         WWW: http://www.nutec.com.br

From firewalls-owner  Tue Aug 13 12:52:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA06374 for firewalls-outgoing; Tue, 13 Aug 1996 12:30:52 -0700 (PDT)
Received: from zcias1.ziff.com (ias1.iacnet.com [140.244.1.69]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA06318 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 12:30:30 -0700 (PDT)
Received: from DN-ARNOR by ias1.iacnet.com (PMDF V5.0-5 #10330)
 id <01I88D6GG9WG00Y5UN@ias1.iacnet.com> for firewalls@greatcircle.com; Tue,
 13 Aug 1996 15:30:12 -0500 (EST)
Received: from tico.med.iacnet.com by tico.med.iacnet.com (PMDF V4.3-10 #6906)
 id <01I88CEVG8SGB9VADR@tico.med.iacnet.com>; Tue,
 13 Aug 1996 15:30:05 -0400 (EDT)
Date: Tue, 13 Aug 1996 15:30:05 -0400 (EDT)
From: "May we be forgiving of our systems' faults..." <SEAN@tico.med.iacnet.com>
Subject: Building a SOCKS application under VMS
To: firewalls@greatcircle.com
Message-id: <01I88CEVHBDEB9VADR@tico.med.iacnet.com>
X-VMS-To: IN%"firewalls@greatcircle.com"
X-VMS-Cc: EPUB::CRAIGJ,EPUB::SDAVIS,SEAN
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

	One of our client/server applications requires SOCKS access
	from Windows 3.1 & Win95 clients to a back-end VMS server.
	Has anyone built socks-ified applications under VMS?  Is
	there a port or a procedure you can share?  Thanks!

							Sean.

+--------------------------------------+---------------------------------------+
|      Sean_Gonzalez@iacnet.com        |  Senior Technical Support Specialist  |
|         or sean@iacnet.com           |          Business Development         |
+--------------------------------------+---------------------------------------+
|      Information Access Centre       |    http://www.iacnet.com              |
|       Ten Presidents Landing         |    http://www.cognito.com             |
|   Medford, MA 02155 - 617.393.3252   |    http://www.autosite.com            |
|       http://www.iacenter.com        |    http://www.ichange.com             |
+--------------------------------------+---------------------------------------+

L.A.T.R.:  HI Rh+W B 04 Y L W- C++ I+++ T+ A+ E H+ S++ V++ F Q++ P B++ PA++ PL--
ISAAC:  AS W C 07 Y L+++ W+ C-- I+++ T+ A++ E H+ S+++ V++ F- Q++ P++ B- PA++ PL+
SPECKLES:  AS r C 04 X L++ W++ C-- I+++ T+ A-  E++ H S+++ V- F- Q++ P+ B PA+ PL+
TwinkCode v1.12:  T5C1L5 (w) h+ d-- a- (w) c- y (e) (g) f+ (t) k s- (m1) (m2) q-

From firewalls-owner  Tue Aug 13 13:00:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA07454 for firewalls-outgoing; Tue, 13 Aug 1996 12:50:33 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA07433 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 12:50:19 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id OAA09917; Tue, 13 Aug 1996 14:50:06 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma012379; Tue Aug 13 14:44:06 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA09279; Tue, 13 Aug 1996 14:44:05 -0500
Received: by sonic.nmti.com; id AA30557; Tue, 13 Aug 1996 14:44:04 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608131944.AA30557@sonic.nmti.com.nmti.com>
Subject: Re: NT Firewalling
To: silveira@nutpagw.nutec.com.br
Date: Tue, 13 Aug 1996 14:44:04 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199608131805.PAA05040@nutspgw.nutec.com.br> from "Fernando da Silveira Montenegro" at Aug 13, 96 02:55:01 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> While NT expertise is a must-have, another factor I'd add to using NT 
> over UNIX is product availability for a given platform. For instance, 
> if you're not using a RISC workstation, if have VERY limited options 
> as to different products. Given the current market pressure, if you 
> want to firewall (perhaps we should create a new verb, "to firewall") 
> using an Intel PC, your best bet will probably be NT.

Why? What does market pressure have to do with buying a firewall? You're
buying it as a specialized standalone box. You're not going to be running
anything else on it. What does it matter whether you can run this or that
third party product on it? 

You're buying the hardware, the OS, and the firewall code in a single
conceptual package. You're unlikely to be switching to a different
product, but if you do you have to you really need to redo your whole
installation from scratch to be secure anyway.

> With this neverending upgrade of client PC's, the availability of
> Intel machines powerful enough to act as a firewall increases. Most 
> of us probably have an old 486/66 they can put 32MB in and run NT, 
> no?

Or 8MB and run FreeBSD or Linux.


From firewalls-owner  Tue Aug 13 13:14:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA06173 for firewalls-outgoing; Tue, 13 Aug 1996 12:28:56 -0700 (PDT)
Received: from montreal.capitalworks.com (montreal.capitalworks.com [206.186.48.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA06147 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 12:28:42 -0700 (PDT)
Received: from host156.capitalworks.com by montreal.capitalworks.com (NTMail 3.01.01) id ja003285; Tue, 13 Aug 1996 15:32:38 -0400
Message-ID: <3210D74B.7DB9@capitalworks.com>
Date: Tue, 13 Aug 1996 15:28:11 -0400
From: Capital Works Webmaster <webmaster@capitalworks.com>
Reply-To: webmaster@capitalworks.com
Organization: Capital Works Inc.
X-Mailer: Mozilla 3.0b6Gold (Win95; I)
MIME-Version: 1.0
To: Ben Goodyear <Ben.Goodyear@dial.pipex.com>
CC: pah@esoft.co.uk, firewalls@greatcircle.com
Subject: Re: To Subnet or not?
References: <199608121736.SAA08098@typhoon.dial.pipex.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Info: Evaluation version at montreal.capitalworks.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ben Goodyear wrote:
> 
> > I'm sure that this is blindingly obvious, but I have not been able to find any
> > references to it...
> >
> > I have a class C address for my network - As part of my firewall I will have a
> > dual homed sparc 5 running Solaris 2.5. I want to forward packets from one
> > interface to the other - am I allowed to use netmask 255.255.255.0 with both
> > interfaces in the same subnet e.g.
> >
> > 192.100.100.1 and the other on 192.100.100.2
> >
> > I have tried to set routing up for this up and failed so the question is
> >
> > Do I have to subnet a class C address to achieve packet forwarding or is there
> > some trick in the routing that I am missing??
> >
> > All the references on this soft of setup assume that you are doing packet
> > forwarding from something like 192.100.100.1 to 192.100.99.1, but I only have a
> > class C from my ISP and cannot affort to loose the half my IP addresses that
> > subnetting would cause.
> >
> > Paul.
> > --
> >
> 
> Yes you do have to use subnetting to implement routing on a single
> class "c" address.
> 
> To route between two networks, the two networks have to have a
> different network number (or else, how would it know when to route?).
> To get different network numbers on a class "c" you have to use
> subnetting.
> 
> e.g.
> 
> use subnet 255.255.255.192
> 
> this will give you four networks of 64 hosts:
> 
> x.x.x.0-63, x.x.x.64-127, x.x.x.128-191, x.x.x.192-255
> 
> Set one interface to: 192.100.100.65
> Set the other to:       192.100.100.129
> 
Avoid the whole thing!  Get one additional address from your ISP, on the
same address subnet as your router!  -unless- if your router is
configured on your class 'C', then have your ISP provide you with a
unique IP for the router and then do a by-the-way-request for an
additional one for your firewall?  Thus avoiding the masking issue.

Kevin

From firewalls-owner  Tue Aug 13 13:42:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA10194 for firewalls-outgoing; Tue, 13 Aug 1996 13:29:37 -0700 (PDT)
Received: from scifi.squawk.com (scifi.emi.net [204.181.45.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA10174 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 13:29:23 -0700 (PDT)
Received: (from njs@localhost) by scifi.squawk.com (8.6.11/8.6.9) id QAA24667; Tue, 13 Aug 1996 16:24:59 -0400
Date: Tue, 13 Aug 1996 16:24:59 -0400 (EDT)
From: Nick Simicich <njs@scifi.squawk.com>
cc: firewalls@GreatCircle.COM
Subject: Re: NT Firewalling
In-Reply-To: <9608131944.AA30557@sonic.nmti.com.nmti.com>
Message-ID: <Pine.LNX.3.91.960813162158.8570u-100000@scifi.squawk.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


> > With this neverending upgrade of client PC's, the availability of
> > Intel machines powerful enough to act as a firewall increases. Most 
> > of us probably have an old 486/66 they can put 32MB in and run NT, 
> > no?
> 
> Or 8MB and run FreeBSD or Linux.

Can you really run NT effectively in 32 meg?  I have a friend who has 32 meg
in an Intel box running NT, and he is going to get another 32 meg, because he
says that whenever he loads any app, the box just sits there and thrashes. 

I worry that the process footprint in NT is large enough that you will 
not be able to run a reasonable number of proxies without lots and lots 
of memory, relative to the amount normally put into an NT desktop box.

Eat a package of natto first thing in the morning and nothing worse can happen  to you for the rest of the day.
Nick Simicich-njs@scifi.squawk.com 
(last choice)-nick_simicich@bocaraton.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!


From firewalls-owner  Tue Aug 13 14:12:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15246 for firewalls-outgoing; Tue, 13 Aug 1996 14:08:29 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA15225 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 14:08:18 -0700 (PDT)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id RAA25268; Tue, 13 Aug 1996 17:08:15 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id RAA05862; Tue, 13 Aug 1996 17:08:13 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Tue, 13 Aug 1996 17:08:13 -0400 (EDT)
From: "Paul D. Robertson" <proberts@clark.net>
To: Nick Simicich <njs@scifi.squawk.com>
cc: firewalls@GreatCircle.COM
Subject: Re: NT Firewalling
In-Reply-To: <Pine.LNX.3.91.960813162158.8570u-100000@scifi.squawk.com>
Message-ID: <Pine.GSO.3.95.960813170156.1351C-100000@clark.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 13 Aug 1996, Nick Simicich wrote:

> > > With this neverending upgrade of client PC's, the availability of
> > > Intel machines powerful enough to act as a firewall increases. Most 
> > > of us probably have an old 486/66 they can put 32MB in and run NT, 
> > > no?
> > 
> > Or 8MB and run FreeBSD or Linux.
> 
> Can you really run NT effectively in 32 meg?  I have a friend who has 32 meg
> in an Intel box running NT, and he is going to get another 32 meg, because he
> says that whenever he loads any app, the box just sits there and thrashes. 

You can effectively run *BSD, Solaris for Intel, and Linux on such a 
machine.  That offers a large range of commercial and do-it-yourself
options involving filtering, application proxies, and hybrids.  Most of
the NT folks I've spoken to wouldn't procure a box with less than 64M on
it to do much of anything.  Perhaps one of the NT vendors could post base
requirements without adding any salesfluff?  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


From firewalls-owner  Tue Aug 13 14:27:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA16421 for firewalls-outgoing; Tue, 13 Aug 1996 14:23:39 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA16347 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 14:22:49 -0700 (PDT)
Received: from anubis.network.com by nsco.network.com (4.1/1.34)
	id AA29859; Tue, 13 Aug 96 16:28:53 CDT
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1)
	id AA18375; Tue, 13 Aug 96 16:25:43 CDT
Date: Tue, 13 Aug 96 16:25:43 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9608132125.AA18375@anubis.network.com>
To: firewalls@greatcircle.com
Subject: Re: Other Firewall products for Frame Relay Network?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

	Plug plug plug. You can buy fine NSC borderguard equipment. I think
1 ether, 1 v.35 and some crypto will run you $US2100 a unit. Bridge anything
you like over the VPNs. Key exchange sort of pgp-like.

	Works great, as far as I know, I'm not on the project, but I do
work for the company.

		Andrew

From firewalls-owner  Tue Aug 13 14:44:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA17536 for firewalls-outgoing; Tue, 13 Aug 1996 14:36:45 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA17507 for <Firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 14:36:32 -0700 (PDT)
Received: by hidata.com; id AA04818; Tue, 13 Aug 96 14:36:30 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1)
	id xma004814; Tue, 13 Aug 96 14:36:24 -0700
Received: from enterprise by osc.osc.hidata.com (SMI-8.6/SMI-SVR4)
	id OAA03285; Tue, 13 Aug 1996 14:36:22 -0700
Date: Tue, 13 Aug 1996 14:36:22 -0700
Message-Id: <199608132136.OAA03285@osc.osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: Bill Stout <bill.stout@hidata.com>
Subject: Looking for SYN packet generator.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone know where to get a SYN generator for test purposes?

Anyone know if NT, Solaris or a Network General Sniffer can gen 
SYN packets?


Bill Stout
_______________________________________________________________________________
Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems   408-970-4822   ---  Disclaimer:  I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________


From firewalls-owner  Tue Aug 13 14:58:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15628 for firewalls-outgoing; Tue, 13 Aug 1996 14:13:50 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA15599 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 14:13:33 -0700 (PDT)
Received: by mail.RC.Toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
	id <01BB893A.4F87F800@mail.RC.Toronto.on.ca>; Tue, 13 Aug 1996 17:10:21 -0400
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960813211016Z-10@mail.RC.Toronto.on.ca>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'firewalls@greatcircle.com'" <firewalls@greatcircle.com>,
        "'Patrick_Flanigan@europe.notes.pw.com'"
	 <Patrick_Flanigan@europe.notes.pw.com>
Subject: REL: NT Firewalling
Date: Tue, 13 Aug 1996 17:10:16 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Patrick,

To start, this list is here to talk about Firewalls, so your question is
not misplaced. I would suggest, however, that you might want to start
with something like http://www.altavista.digital.com/ and use a search
key like "+Windows +NT +Firewall", that will bring up about 1,000 web
pages to have a look through, just look at ones that have a vendor name
with them. Raptor, Centri, and Checkpoint all have NT versions of their
Unix counterparts. Digital has one too.

You have to understand that all of these are relatively new, and
therefore (as was pointed out already) have the potential for problems.
NT 4.0 offers packet filtering, although you may not find it flexible
enough to suit your needs. By adding Catapult, Microsoft's beta Proxy
Server, the environment certainly becomes more flexible but less
reliable (obviously beta software does not a Firewall make...).

Probably the best thing you could do at this time would be to ask
yourself what you are trying to achieve and why you feel NT is the
platform you want to run your Firewall on. Obviously many on this list
believe that no firewalling solution can be obtained if NT is included
somehow in the specification. I don't happen to agree with them, but,
then again, I wouldn't rule out buying a proprietary Firewall that I
hadn't seen the source code for, so I'm probably seen as deranged by
many of them anyway...;-]

I would suggest that anyone who discounts NT with simple, short,
answers, probably doesn't know enough about it to properly answer your
questions. That's O.k., nobody can be expert in everything. If you have
to have NT, or have a really good reason to want NT, there are many
options available. I think the person who pointed out that your lack of
NT experience, while having Unix experience, does beg the question why
you would implement NT. If you have to support it, you're in for a
pretty steep learning curve to master the eccentricities of NT Security.

Anyway, try giving us a little more background info about why you want
NT and maybe either side will be better able to state their case (Unix
vs. NT).

Cheers,
Russ
...eek, quick, someone give me some broken software, I'm suffering beta
withdrawals...
>

From firewalls-owner  Tue Aug 13 15:13:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA19129 for firewalls-outgoing; Tue, 13 Aug 1996 14:55:03 -0700 (PDT)
Received: from midfire1.aetna.com (midfire1.aetna.com [206.156.35.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA19088 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 14:54:46 -0700 (PDT)
Received: from midfire1.aetna.com (daemon@localhost) by midfire1.aetna.com (8.7.2/8.7.2) with ESMTP id RAA23065; Tue, 13 Aug 1996 17:54:46 -0400 (EDT)
Received: from NOWHERE_ ([129.12.66.230]) by midfire1.aetna.com (8.7.2/8.7.2) with SMTP id RAA23058; Tue, 13 Aug 1996 17:54:45 -0400 (EDT)
Received: by NOWHERE_ with Microsoft Mail
	id <01BB8940.DFBA6E70@NOWHERE_>; Tue, 13 Aug 1996 17:57:20 -0400
Message-ID: <01BB8940.DFBA6E70@NOWHERE_>
From: Mike Eddington <toranix@ultranet.com>
To: "'Nick Simicich'" <njs@scifi.squawk.com>
Cc: "firewalls@GreatCircle.COM" <firewalls@GreatCircle.COM>
Subject: RE: NT Firewalling
Date: Tue, 13 Aug 1996 17:57:19 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The minimum configuration I would ever use for an NT server would be =
64MB of RAM.  a 486/66 w/16MB of RAM and a 40MB HD with Linux great as a =
firewall, don't need a CRT (though I usually stick a mono on em) or =
mouse/keyboard with 8MB I would recommend 100MB HD and a partitioned =
swap space.  Another concern of mine is that NT 4.0 is the ONLY version =
of NT fast enough to be run as a proxy/router (this is admitted by the =
editors/writers at NT Mag.), and a firewall don;t need no GUI ;)

ps. oh, and linux is FREE not $1000 as NT 4.0 server will be.

- Mike

----------
From: 	Nick Simicich[SMTP:njs@scifi.squawk.com]
Sent: 	Tuesday, August 13, 1996 4:24 PM
Cc: 	firewalls@GreatCircle.COM
Subject: 	Re: NT Firewalling


> > With this neverending upgrade of client PC's, the availability of
> > Intel machines powerful enough to act as a firewall increases. Most=20
> > of us probably have an old 486/66 they can put 32MB in and run NT,=20
> > no?
>=20
> Or 8MB and run FreeBSD or Linux.

Can you really run NT effectively in 32 meg?  I have a friend who has 32 =
meg
in an Intel box running NT, and he is going to get another 32 meg, =
because he
says that whenever he loads any app, the box just sits there and =
thrashes.=20

I worry that the process footprint in NT is large enough that you will=20
not be able to run a reasonable number of proxies without lots and lots=20
of memory, relative to the amount normally put into an NT desktop box.

Eat a package of natto first thing in the morning and nothing worse can =
happen  to you for the rest of the day.
Nick Simicich-njs@scifi.squawk.com=20
(last choice)-nick_simicich@bocaraton.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!




From firewalls-owner  Tue Aug 13 15:18:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA17800 for firewalls-outgoing; Tue, 13 Aug 1996 14:40:35 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id OAA17765 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 14:40:14 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id QAA22346 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 16:40:09 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma012912; Tue Aug 13 16:32:37 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id QAA12627 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 16:32:37 -0500
Received: by sonic.nmti.com; id AA10383; Tue, 13 Aug 1996 16:32:36 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608132132.AA10383@sonic.nmti.com.nmti.com>
Subject: Re: NT Firewalling
To: firewalls@greatcircle.com
Date: Tue, 13 Aug 1996 16:32:35 -0500 (CDT)
In-Reply-To: <199608132035.RAA02469@nutspgw.nutec.com.br> from "Fernando da Silveira Montenegro" at Aug 13, 96 05:43:06 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What I meant to say is that given current market pressure, vendors 
> are more likely to ship Intel support for NT only, or to do an NT 
> version before a UNIX version.

Should that happen then by all means go for the NT version. At the moment
and for the near future the UNIX version is coming out well before the
NT version, for those firewalls that even *have* an NT version, with very
few exceptions.

> I know it is not a firewall product, 
> but Netscape, for example, doesn't have a BSD/OS version of its Mail 
> Server 2.0, while there is one for NT.

If you're running Netscape software on your firewall you're in for a world
of pain, buddy. (mail server? Why would anyone consider buying a mail server
from Netscape anyway?)

> If you want a firewall 
> example, I'm almost sure Raptor only supports NT if I choose an Intel 
> platform.

Raptor has been an NT house since they moved their principle product
from the Amiga to the MIPS then DEC platforms, but if I was buying a Raptor
firewall I'd go with their Alpha based package... and dyke out the 386
executable support... simply to reduce the chance of someone slipping
a buffer overflow into my firewall and running code. If they have to be
smart enough to grok Alpha code as well it's an extra protection.

But why do I want to "choose an intel platform"?

I don't go looking at firewalls by saying "oh, let's go with intel" or "oh,
let's go with MIPS" or "oh, let's go with SPARC". I don't even go "let's go
with UNIX". If I had my druthers I would have a firewall that ran as an
embedded system with no underlying OS.

> Using a firewall example, what happens when vendors start shipping 
> SWAN support and my poor choice gets me nothing but maintenance 
> releases?

I assume that by "SWAN" you mean "Secure WAN" or "Virtual Network
Perimeters". Firewall-to-firewall encryption?

All the work on that's being done on UNIX, that I can tell by reading
papers and the like.

> Yes, no question about it, IF I'm using something like fwtk or
> ipfilterd. Last time I checked neither platform were supported by
> the firewalls I'm familiar with (TIS' and Raptor's).

If you're paying TIS prices then the extra few hundred bucks for BSDI
are negligable, and it'll still run on the same hardware.

From firewalls-owner  Tue Aug 13 15:43:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA22061 for firewalls-outgoing; Tue, 13 Aug 1996 15:21:53 -0700 (PDT)
Received: from bliss.stetson.edu (bliss.stetson.edu [147.253.70.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA21990 for <Firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 15:21:27 -0700 (PDT)
Received: from localhost (fay@localhost) by bliss.stetson.edu (8.6.10/8.6.10) with SMTP id SAA26743; Tue, 13 Aug 1996 18:22:17 GMT
Date: Tue, 13 Aug 1996 18:22:16 +0000 (GMT)
From: Jeff Fay <fay@bliss.stetson.edu>
To: Bill Stout <bill.stout@hidata.com>
cc: Firewalls@GreatCircle.COM
Subject: Re: Looking for SYN packet generator.
In-Reply-To: <199608132136.OAA03285@osc.osc.hidata.com>
Message-ID: <Pine.SUN.3.93.960813182146.26741A-100000@bliss.stetson.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



On Tue, 13 Aug 1996, Bill Stout wrote:

> Anyone know where to get a SYN generator for test purposes?
> 
> Anyone know if NT, Solaris or a Network General Sniffer can gen 
> SYN packets?


  I believe NetXray will generate SYN packets
 -Jeff "Fiji" Fay

> 
> 
> Bill Stout
> _______________________________________________________________________________
> Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
> Hitachi Data Systems   408-970-4822   ---  Disclaimer:  I speak only for myself
> ___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________
> 
> 


From firewalls-owner  Tue Aug 13 16:01:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA23762 for firewalls-outgoing; Tue, 13 Aug 1996 15:33:12 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA23722 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 15:32:55 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com
 (EMWAC SMTPRS 0.81) with SMTP id <B0000003435@www.steldyn.com>;
 Tue, 13 Aug 1996 16:39:01 -0600
Received: by juneau.steldyn.com with Microsoft Exchange (IMC 4.0.837.3)
	id <01BB8935.27C7D420@juneau.steldyn.com>; Tue, 13 Aug 1996 16:33:27 -0600
Message-ID: <c=US%a=_%p=Stellar_Dynamics%l=JUNEAU-960813223326Z-176@juneau.steldyn.com>
From: Chris Pugrud <ChrisP@steldyn.com>
To: Firewalls Mailing list <firewalls@greatcircle.com>
Subject: RE: NT Firewalling
Date: Tue, 13 Aug 1996 16:33:26 -0600
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am not a vendor, but the published specs for Global Internet and
Raptor both say Pentium 100 and 32 MB of RAM.  I have run GI comfortably
on a 486/66 w/ 24 MB for a small test group (25 active users).  Raptor
publishes formulas to deduce how much RAM you should have depending on
simultaneous connections but I do not have them handy.

Chris

>----------
>From: 	Paul D. Robertson[SMTP:proberts@clark.net]
>Sent: 	Tuesday, August 13, 1996 3:08 PM
>To: 	Nick Simicich
>Cc: 	Firewalls Mailing list
>Subject: 	Re: NT Firewalling
>
>On Tue, 13 Aug 1996, Nick Simicich wrote:
>
>> > > With this neverending upgrade of client PC's, the availability of
>> > > Intel machines powerful enough to act as a firewall increases. Most 
>> > > of us probably have an old 486/66 they can put 32MB in and run NT, 
>> > > no?
>> > 
>> > Or 8MB and run FreeBSD or Linux.
>> 
>> Can you really run NT effectively in 32 meg?  I have a friend who has
>>32 meg
>> in an Intel box running NT, and he is going to get another 32 meg,
>>because he
>> says that whenever he loads any app, the box just sits there and thrashes. 
>
>You can effectively run *BSD, Solaris for Intel, and Linux on such a 
>machine.  That offers a large range of commercial and do-it-yourself
>options involving filtering, application proxies, and hybrids.  Most of
>the NT folks I've spoken to wouldn't procure a box with less than 64M
>on
>it to do much of anything.  Perhaps one of the NT vendors could post
>base
>requirements without adding any salesfluff?  
>
>Paul
>------------------------------------------------------------------------
>-----
>Paul D. Robertson      "My statements in this message are personal
>opinions
>proberts@clark.net      which may have no basis whatsoever in fact."
>                                                                    
>PSB#9280
>
>

From firewalls-owner  Tue Aug 13 16:27:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA00144 for firewalls-outgoing; Tue, 13 Aug 1996 16:22:10 -0700 (PDT)
Received: from bmv.com.mx (ns.bmv.com.mx [200.13.112.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id QAA00121 for <Firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 16:21:59 -0700 (PDT)
Received: by firewall.bmv.com.mx id <14977>; Tue, 13 Aug 1996 18:18:37 -0600
Date: Tue, 13 Aug 1996 15:23:29 -0600
From: Hector Casavantes <hcasav@bmv.com.mx>
X-Mailer: Mozilla 2.02 (X11; I; HP-UX B.10.01 9000/819)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: No More Unlimited User Licenses Please...
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <96Aug13.181837cst.14977@firewall.bmv.com.mx>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Hello List

Do anybody understand the difference between the number of users 
and the number of protected computers in a firewall?

Maybe someone can help me with this simple disyuntive:

I have more than 400 machines but I don't need all of them 
running trough internet. From ouside, anybody can access my 
WWW server and some can access my FTP server. Few users from 
the inside need to access internet (maybe 30-50) to "browse" or 
something like this. I want anyone from inside to have email 
by using a common email SMTP/POP server living in the 
common-named "secure net" or maybe in internal net (doesn't
matter at this very moment).

In my actual evaluation-licensed firewall, I have edited an 
outbound proxy access rule, where I've put the list of IP 
addresses of the users that can resolv out. 

Do I need to buy an unlimited user license (which is surely more 
expensive) or can I use the 50's one? How can the firewall knows 
if there are more than N machines connected in the Inside Network?
(it surely can't). It doesn't make a lot of sense that if I let less 
than 50 IP's to go to Internet, I need to buy an unlimited user license!

Thanks for cooperation on this
Hector Casavantes

From firewalls-owner  Tue Aug 13 16:57:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA02776 for firewalls-outgoing; Tue, 13 Aug 1996 16:50:38 -0700 (PDT)
Received: from dfw-ix4.ix.netcom.com (dfw-ix4.ix.netcom.com [206.214.98.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA02748 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 16:50:25 -0700 (PDT)
Received: from ftp2 (ftp2.retailpro.com [204.86.245.12]) by dfw-ix4.ix.netcom.com (8.6.13/8.6.12) with SMTP id QAA14974 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 16:50:14 -0700
Message-ID: <32111489.57A0@ix.netcom.com>
Date: Tue, 13 Aug 1996 16:49:29 -0700
From: "Karl W. Palachuk" <karlp@ix.netcom.com>
Reply-To: karlp@ix.netcom.com
Organization: Firebrand
X-Mailer: Mozilla 3.0b5a (WinNT; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: NT Memory (formerly NT Firewalling)
References: <Pine.LNX.3.91.960813162158.8570u-100000@scifi.squawk.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> > > With this neverending upgrade of client PC's, the availability of
> > > Intel machines powerful enough to act as a firewall increases. Most
> > > of us probably have an old 486/66 they can put 32MB in and run NT,
> > > no?
> >
> 
> Can you really run NT effectively in 32 meg?  I have a friend who has 32 meg
> in an Intel box running NT, and he is going to get another 32 meg, because he
> says that whenever he loads any app, the box just sits there and thrashes.
> 
> I worry that the process footprint in NT is large enough that you will
> not be able to run a reasonable number of proxies without lots and lots
> of memory, relative to the amount normally put into an NT desktop box.
> 
After it's installed, NT can *run* on 5.5 megs.  Of course that pages
part of the OS plus all your programs out to disc.  Realistically, NT
workstation can run proxy servers, web servers, and FTP servers pretty
well on 32 megs.  NT server strains a bit below 48 megs, but will do
okay with 32.

The thrashing your friend describes comes from a pagefile that is too
large.  His disc cache is too big and the machine is spending too much
time swapping.  Smaller paging files on each physical drive are better
that a huge file on one drive.

NT comes with a nice performance monitor that will allow you to log the
amount of committed memory.  This can help you determine page file and
physical memory needs.

-- 
  _______
  \_____/ Karl W. Palachuk        Firebrand Corporation
  / /__   4800 Manzanita Ave.     http://www.firebrand.com
 / ___/   Carmichael, CA  95608   mailto:karlp@ix.netcom.com
/_/       Ph: 916-483-9736        Fax: 916-481-6903

From firewalls-owner  Tue Aug 13 17:12:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA04248 for firewalls-outgoing; Tue, 13 Aug 1996 17:06:31 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA04230 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 17:06:18 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0uqTSU-000L6dC>; Wed, 14 Aug 96 02:05 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0uqTSU-001l5cC>; Wed, 14 Aug 96 02:05 MET DST
Received: by lina
	id m0uqTO3-0004k3C
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Wed, 14 Aug 96 02:00 MET DST
Message-Id: <m0uqTO3-0004k3C@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Surprise
To: comid@sp-agency.ca (Darin Comi)
Date: Wed, 14 Aug 1996 02:00:38 +0200 (MET DST)
Cc: potlicker@morebbs.com, firewalls@greatcircle.com
In-Reply-To: <vines.ev39+,662mB@sso.sci.sp-agency.ca> from "Darin Comi" at Aug 13, 96 09:24:17 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> Cool experiment.  Can I get one of these x25 sniffers for my
>  toolbox?

The question is, how does one sniff a switched packet network at one end of
the switch? You wont see actual Data of other Connections. Is there anything
like arp or other broadcasts which can be read to get the information about
all the users on the 'cable'?

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner  Tue Aug 13 17:57:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA07040 for firewalls-outgoing; Tue, 13 Aug 1996 17:41:58 -0700 (PDT)
Received: from starnet.gov.sg (mercury.starnet.gov.sg [202.42.202.192]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA07028 for <Firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 17:41:39 -0700 (PDT)
Received: by starnet.gov.sg (5.x/SMI-SVR4)
	id AA17636; Wed, 14 Aug 1996 08:43:06 +0800
Date: Wed, 14 Aug 1996 08:43:05 +0800 (SGT)
From: Soh Tjiaw Lee Jeffrey <stjiawle@starnet.gov.sg>
X-Sender: stjiawle@mercury
To: Kevin Littlejohn <darius@vector.wantree.com.au>
Cc: Firewalls@GreatCircle.COM
Subject: Re: IP Spoofing
In-Reply-To: <199608131230.UAA04023@vector.wantree.com.au>
Message-Id: <Pine.SOL.3.91.960814084042.17258A-100000@mercury>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Kevin, you might want to check out the Computer Emergency Response Team
(CERT) web site archive at www.cert.org. They have got some interesting
articles on IP spoofing there. 

Kind regards
Jeffrey Soh

On Tue, 13 Aug 1996, Kevin Littlejohn wrote:

> Hi all,
> 
> Just a quick one - looking for recommendations for documentation re:
> IP Spoofing - I would like to know how, and what can be done about it,
> and how to recognise it, and basically everything :)
> 
> Anyone got any good books or doccos?
> 
> KevinL
> 

From firewalls-owner  Tue Aug 13 18:13:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA06740 for firewalls-outgoing; Tue, 13 Aug 1996 17:39:23 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA06723 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 17:39:13 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0T0AU00D Tue, 13 Aug 96 20:38:56 
Message-ID: <9608132038.0T0AU00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Tue, 13 Aug 96 20:38:56 
Subject: Re:surprise
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


lists@lina.inko.de wrote
You wont see any actual data of other Connections

We did   We captured all the X25 packets then opened them up   There was
IBM SNA data going through the X25   Looked like a database update   
There was mail going through   Boring stuff about various shipments
And there was a trickle of teletype

A couple of TRW machines showed up too   They were not sending   Just
listening   Thats why I asked if any readers had experience in that area 
Discreet enquiries today showed they were provided by Uncle Sam
and are run by a NASA dude   In view of the ownership we shall definitely 
stay out of them   Just send us the toolz d00ds   Never know when you
need them

What kind of sneaky stuff is Uncle Sam up to connecting into a private 
X25 network?   Could he be beating Le Francais at their own game?

Network management - proprietary blah blah blah   Bullshit
They used Rexix X.25 cards and data protocol

Remember that MergerCo is simply bringing up a Firewall-1 machine to control
their intra-net connections   Nobody expected to see all this stuff

                                                    PoT_LiCkEr

-=I pledge allegiance to the phag and to the perversion for which he stands=-

From firewalls-owner  Tue Aug 13 19:27:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA15272 for firewalls-outgoing; Tue, 13 Aug 1996 19:22:02 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA15252 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 19:21:39 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0uqVaH-000L6WC>; Wed, 14 Aug 96 04:21 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0uqVaG-001l5wC>; Wed, 14 Aug 96 04:21 MET DST
Received: by lina
	id m0uqVU1-0004k3C
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Wed, 14 Aug 96 04:14 MET DST
Message-Id: <m0uqVU1-0004k3C@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: surprise
To: potlicker@morebbs.com
Date: Wed, 14 Aug 1996 04:14:56 +0200 (MET DST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9608132038.0T0AU00@morebbs.com> from "potlicker@morebbs.com" at Aug 13, 96 08:38:56 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> We did   We captured all the X25 packets then opened them up   There was
> IBM SNA data going through the X25   Looked like a database update   
> There was mail going through   Boring stuff about various shipments
> And there was a trickle of teletype

what kind of X.25 Connection is this? Generally X.25 is not used on
broadcast mediums, only with point-to-point links to the switches. (You can
compare it to switched ethernet, where ethernet sniffing is impossible,
too).

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner  Tue Aug 13 19:42:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA14792 for firewalls-outgoing; Tue, 13 Aug 1996 19:14:38 -0700 (PDT)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id TAA14782 for <Firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 19:14:29 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id SAA28265 for <Firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 18:26:44 -0700
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id TAA28018 for <Firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 19:10:35 -0700
Date: Tue, 13 Aug 1996 19:10:34 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: "'Firewalls@GreatCircle.COM'" <Firewalls@GreatCircle.COM>
Subject: Re: REL: Security:  Java vs ActiveX (Part 1)
In-Reply-To: <c=US%a=_%p=Toronto%l=MAIL-960807003938Z-10@mail.RC.Toronto.on.ca>
Message-ID: <Pine.BSI.3.93.960813190430.17891w-100000@sidhe.memra.com>
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 6 Aug 1996, Russ wrote:

> Since we're at the beginning here, why not engineer something new which can 
> be all encompassing? Look how long it took to get mandatory seat belts, or 
> even air bags for that matter. This because they were additions to an 
> existing design. What if we took the approach that we need to start with 
> the most secure environment, and then figure out how to make it user 
> friendly and functional, rather than the pre-assumption that we have to 
> augment, transparently, our existing environments with patchy security here 
> and there?

There are ways to do this. You start from the premise that the client is a
terminal and supplies inputs (keyboard, mouse, digitizer, microphone) and
outputs (screen, speakers) but no storage and no robotic devices. In other
words, a glorified terminal. Then you define a protocol that manages input
and output streams with no local programming ability other than things
like decompressing bitmaps, drawing commands and macros of the above
operations. No persistent state on the terminals, because that is what
they will be, terminals. 


Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: michael@memra.com


From firewalls-owner  Tue Aug 13 21:12:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA21870 for firewalls-outgoing; Tue, 13 Aug 1996 21:09:19 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA21862 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 21:09:11 -0700 (PDT)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34)
	id AA03657; Tue, 13 Aug 96 23:14:45 CDT
Received: by mnbp.network.com with Microsoft Mail
	id <32115038@mnbp.network.com>; Tue, 13 Aug 96 23:04:08 CDT
From: "Jeff D. Hayes" <hayesjd@mnbp2.network.com>
To: Firewalls <firewalls@greatcircle.com>
Cc: "'wombat@mcfeely.bsfs.org'" <wombat@mcfeely.bsfs.org>
Subject: Re: Other Firewall products for Frame Relay Network?
Date: Tue, 13 Aug 96 23:02:00 CDT
Message-Id: <32115038@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


On Tue, 13 Aug 1996, KENNETH PHANG wrote:

> Hi,
>
>       I've been wandering whether there are other types of Firewall 
product
in the market that can be use to protect data in a Frame Relay network(eg.
VPN or encryption) as the cloud would be running multiple protocols as our
ISP planning to do. There are using the Northern Telekom switches. 
Possiblity
or IPX, appletalk, Decnet, IP and etc.
>

Vendor alert!   Network Systems' BorderGuard family provides VPN protections 
for any data service offerring including frame relay.  It is also one of the 
only organization that can provide a secure VPN for not-IP protocols 
including IPX.  The secure VPN suite consists RSA/Diffie-Hellman 
public-private keys/exchange/authentication, digital signatures via MD5, 
replay prevention, strong encryption (DES, triple DES, IDEA), and it even 
offers data compression prior to encryption.  NSC has been shipping released 
products since 1Q95.  See www.network.com.

 -jeff hayes

From firewalls-owner  Tue Aug 13 21:28:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA21700 for firewalls-outgoing; Tue, 13 Aug 1996 20:58:20 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA21693 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 20:58:12 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id UAA03358 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 20:58:11 -0700
Date: Tue, 13 Aug 1996 20:58:11 -0700 (PDT)
From: Robert Hanson <roberth@cet.com>
To: firewalls@greatcircle.com
Subject: huh? switch hitter?
In-Reply-To: <m0uqVU1-0004k3C@lina>
Message-ID: <Pine.LNX.3.94.960813205645.1983C-100000@cet.cet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


excuse my ignorance or lack or research, yet...

what makes switched ethernet unable to be snarfed....

--->
Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
(509) 927-9541             finger: info@cet.com or email: roberth@cet.com



On Wed, 14 Aug 1996, Bernd Eckenfels wrote:

> Hi,
> 
> > We did   We captured all the X25 packets then opened them up   There was
> > IBM SNA data going through the X25   Looked like a database update   
> > There was mail going through   Boring stuff about various shipments
> > And there was a trickle of teletype
> 
> what kind of X.25 Connection is this? Generally X.25 is not used on
> broadcast mediums, only with point-to-point links to the switches. (You can
> compare it to switched ethernet, where ethernet sniffing is impossible,
> too).
> 
> Greetings
> Bernd
> -- 
>   (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
>  ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
>   o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
> (O____O)       If privacy is outlawed only Outlaws have privacy
> 


From firewalls-owner  Tue Aug 13 21:40:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA21721 for firewalls-outgoing; Tue, 13 Aug 1996 20:59:22 -0700 (PDT)
Received: from westie.gi.net (westie.gi.net [198.247.250.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA21714 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 20:59:09 -0700 (PDT)
Received: (from alan@localhost) by westie.gi.net (8.7.5/8.7.1) id WAA14445; Tue, 13 Aug 1996 22:58:53 -0500 (CDT)
From: Alan Hannan <alan@gi.net>
Message-Id: <199608140358.WAA14445@westie.gi.net>
Subject: Re: NT Firewalling
To: proberts@clark.net (Paul D. Robertson)
Date: Tue, 13 Aug 1996 22:58:53 -0500 (CDT)
Cc: njs@scifi.squawk.com, firewalls@GreatCircle.COM
In-Reply-To: <Pine.GSO.3.95.960813170156.1351C-100000@clark.net> from "Paul D. Robertson" at Aug 13, 96 05:08:13 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


  We at GI recommend 64M of ram for our Centri firewall.  We require
  32M.  It runs passingly well on 32, but most optimally at 64
  Megs.

  Also (from http://www/Global/centrifirewall.html):

:GI: Minimum Hardware/Software Requirements
:GI: 
:GI: * 90+ MHz Intel CPU with minimum of 32M RAM
:GI: * Microsoft[TM] Windows NT 3.51 installed
:GI: * Suitable display with corresponding video card
:GI: * 2 GB hard disk drive
:GI: * CD-ROM drive
:GI: * 1.44 MB 3.5" floppy disk drive
:GI: * PCI network adapter

  -alan

  ps who hopes he didn't inject any sales fluff :)

.........  Paul D. Robertson is rumored to have said:
] 
] On Tue, 13 Aug 1996, Nick Simicich wrote:
] 
] > > > With this neverending upgrade of client PC's, the availability of
] > > > Intel machines powerful enough to act as a firewall increases. Most 
] > > > of us probably have an old 486/66 they can put 32MB in and run NT, 
] > > > no?
] > > 
] > > Or 8MB and run FreeBSD or Linux.
] > 
] > Can you really run NT effectively in 32 meg?  I have a friend who has 32 meg
] > in an Intel box running NT, and he is going to get another 32 meg, because he
] > says that whenever he loads any app, the box just sits there and thrashes. 
] 
] You can effectively run *BSD, Solaris for Intel, and Linux on such a 
] machine.  That offers a large range of commercial and do-it-yourself
] options involving filtering, application proxies, and hybrids.  Most of
] the NT folks I've spoken to wouldn't procure a box with less than 64M on
] it to do much of anything.  Perhaps one of the NT vendors could post base
] requirements without adding any salesfluff?  
] 
] Paul
] -----------------------------------------------------------------------------
] Paul D. Robertson      "My statements in this message are personal opinions
] proberts@clark.net      which may have no basis whatsoever in fact."
]                                                                      PSB#9280
] 
] 


From firewalls-owner  Tue Aug 13 21:43:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA23093 for firewalls-outgoing; Tue, 13 Aug 1996 21:36:38 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id VAA23009 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 21:36:15 -0700 (PDT)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34)
	id AA03902; Tue, 13 Aug 96 23:42:40 CDT
Received: by mnbp.network.com with Microsoft Mail
	id <321156C3@mnbp.network.com>; Tue, 13 Aug 96 23:32:03 CDT
From: "Jeff D. Hayes" <hayesjd@mnbp2.network.com>
To: Firewalls <firewalls@greatcircle.com>
Subject: re: Security on Frame Relay
Date: Tue, 13 Aug 96 23:31:00 CDT
Message-Id: <321156C3@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Tue, 13 Aug 1996 07:57:12 -0400, Paul Ferguson <pferguso@cisco.com> 
commented on Kogulapalan's questions regarding Security on Frame Relay

> If can, is there a firewall product which can
>be used to secure those data that travels within ??

In theory, yes.  :-)

Certainly an TCP/IP firewall could be placed anywhere in the topology;
you'll be hard-pressed to find one which will handle multiprotocol
traffic. In any event, a good multiprotocol router :-) could certainly
handle this.

**BorderGuard from NSC supports multiprotocol filtering, including IPX.

 -jeff.hayes@network.com

From firewalls-owner  Tue Aug 13 22:28:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA27572 for firewalls-outgoing; Tue, 13 Aug 1996 22:17:29 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA27545 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 22:17:15 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0uqYFE-000L6WC>; Wed, 14 Aug 96 07:11 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0uqYFD-001l6SC>; Wed, 14 Aug 96 07:11 MET DST
Received: by lina
	id m0uqYAU-0004k3C
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Wed, 14 Aug 96 07:06 MET DST
Message-Id: <m0uqYAU-0004k3C@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: huh? switch hitter?
To: roberth@cet.com (Robert Hanson)
Date: Wed, 14 Aug 1996 07:06:57 +0200 (MET DST)
Cc: firewalls@greatcircle.com
In-Reply-To: <Pine.LNX.3.94.960813205645.1983C-100000@cet.cet.com> from "Robert Hanson" at Aug 13, 96 08:58:11 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> excuse my ignorance or lack or research, yet...
> what makes switched ethernet unable to be snarfed....

On a switched ethernet a NIC in promisc mode will only receive the packets
which are broadcasted (i.e. ARP) and those which are send directly to the
HW-Address of the interface. Thats the reason why u have less collisions
with switches, cause they simply filter the Packets on the net for each
port. You can also lock the arp-addresses in the switch for more security.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner  Tue Aug 13 22:47:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA28375 for firewalls-outgoing; Tue, 13 Aug 1996 22:33:19 -0700 (PDT)
Received: from surfer-1.getonthe.net (support.getonthe.net [204.71.96.157]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA28367 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 22:33:11 -0700 (PDT)
Received: from [206.29.101.116] by surfer-1.getonthe.net (NTMail 3.02.07) with ESMTP id ma009424 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 00:32:58 +0100
Message-Id: <1.5.4.32.19960814053224.006ac3ac@mail.getonthe.net>
X-Sender: joey@mail.getonthe.net
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 14 Aug 1996 00:32:24 -0500
To: Bill Stout <bill.stout@hidata.com>
From: Joe Smith <joey@getonthe.net>
Subject: Re: Looking for SYN packet generator.
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:36 PM 8/13/96 -0700, you wrote:
>Anyone know where to get a SYN generator for test purposes?
>
>Anyone know if NT, Solaris or a Network General Sniffer can gen 
>SYN packets?

Summer issue of 2600 has a listing of a program, "hostlock" that generates
syn packets and stamps them with invalid ip addresses.  Great for denial of
service attacks (tests of course).

Mayhaps you had similar intents?




From firewalls-owner  Tue Aug 13 22:57:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA29166 for firewalls-outgoing; Tue, 13 Aug 1996 22:52:56 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id WAA29118 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 22:52:39 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id FAA00949; Wed, 14 Aug 1996 05:48:31 -0400
Date: Wed, 14 Aug 1996 05:48:28 -0400 (EDT)
From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: "Jeff D. Hayes" <hayesjd@mnbp2.network.com>
cc: Firewalls <firewalls@GreatCircle.COM>
Subject: re: Security on Frame Relay
In-Reply-To: <321156C3@mnbp.network.com>
Message-ID: <Pine.BSF.3.91.960814053439.771D-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



I think somebody is missing the point here, though perhaps it is me. :)

If all you want to do is firewall the point at which a circuit connects 
to your network, than a multiprotocol router will provide basic 
filtering, and a firewall, such as BorderGuard, will give you a more 
control and logging capability. Whether the circuit in question is frame 
relay or not is immaterial.

This will provide intrusion detection, but won't protect data in transit
between firewalls. In order to protect the data while it is traveling the
circuit between firewalls, you need to encrypt the data. On a
point-to-point circuit, this is easily done with a simple hardware device
- just drop it between the router and DSU, (one at each end of the link),
and encrypt the entire data stream, regardless of protocol.

On packet switched public networks, like frame relay, this encryption
technique won't work, as it would encrypt the frame header, and you'd be
outa luck :).  The solution is to encrypt only the payload, with respect
to the frame. Cisco has announced an implemetation of Cylink's technology,
and last I heard, this is due out w/ release 11.2 of the IOS (sept. ?),
though you should check their web site, rather than take my word for it.
Maybe Paul can help you out. ;)

Many firewall vendors offer "virtual private networking", which is done
through similar cryto application, though I don't know if they are IP
specific or support other protocols. 

Anybody got a handy list of vendor's VPN specifics?

- r.w.



On Tue, 13 Aug 1996, Jeff D. Hayes wrote:

> 
> Tue, 13 Aug 1996 07:57:12 -0400, Paul Ferguson <pferguso@cisco.com> 
> commented on Kogulapalan's questions regarding Security on Frame Relay
> 
> > If can, is there a firewall product which can
> >be used to secure those data that travels within ??
> 
> In theory, yes.  :-)
> 
> Certainly an TCP/IP firewall could be placed anywhere in the topology;
> you'll be hard-pressed to find one which will handle multiprotocol
> traffic. In any event, a good multiprotocol router :-) could certainly
> handle this.
> 
> **BorderGuard from NSC supports multiprotocol filtering, including IPX.
> 
>  -jeff.hayes@network.com
> 

From firewalls-owner  Tue Aug 13 23:27:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA00303 for firewalls-outgoing; Tue, 13 Aug 1996 23:03:06 -0700 (PDT)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.108]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA00231 for <firewalls@greatcircle.com>; Tue, 13 Aug 1996 23:02:42 -0700 (PDT)
Received: from post.demon.co.uk ([158.152.1.72]) by relay-4.mail.demon.net
          id aj21202; 14 Aug 96 6:02 GMT
Received: from dowrmain.demon.co.uk ([158.152.123.251])
          by relay-3.mail.demon.net id aa27098; 14 Aug 96 6:53 +0100
Message-ID: <T8IKQGA2rMEyEwxb@dowrmain.demon.co.uk>
Date: Tue, 13 Aug 1996 19:35:34 +0100
To: firewalls@greatcircle.com
From: Ian Wade <ian@dowrmain.demon.co.uk>
Reply-To: Ian Wade <ianwade@netro.co.uk>
Subject: Re: NT Firewalling
In-Reply-To: <9608131219.AA29325@orchid.tc.pw.com>
MIME-Version: 1.0
X-Mailer: Turnpike Version 1.10 <Lk0q1Sj1GvJmSFtNlZKz0mplH3>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9608131219.AA29325@orchid.tc.pw.com>, Patrick_Flanigan@europ
e.notes.pw.com writes
>Hello,
>
>This is perhaps too basic a question for this list, but I'm interested in 
>obtaining some background information on commercial firewalls for Windows NT.  
>I'm looking for a moderately priced software-solution, probably based on 
>packet-level filtering, to protect a LAN from external access.
>
>My experience is mostly with UNIX, and I must confess that I have very little 
>familiarity with NT products.  Any help that you can provide would be greatly 
>appreciated.
>
>Patrick

Take a look at Raptor's NT Eagle. Info at http://www.raptor.com.

Ian

-- 

 \|--------\|--------\|--------\|    Ian Wade  <ianwade@netro.co.uk>
  |\--------|\--------|\--------|\             
  |         |         |         |    http://www.netro.co.uk/nosintro.html
  |  Netro  |  Press  |     (tm)|    for all about KA9Q NOS.

From firewalls-owner  Tue Aug 13 23:42:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA02971 for firewalls-outgoing; Tue, 13 Aug 1996 23:23:56 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA02962 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 23:23:47 -0700 (PDT)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id CAA12315; Wed, 14 Aug 1996 02:23:46 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id CAA15935; Wed, 14 Aug 1996 02:23:45 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Wed, 14 Aug 1996 02:23:45 -0400 (EDT)
From: "Paul D. Robertson" <proberts@clark.net>
To: Bernd Eckenfels <lists@lina.inka.de>
cc: Robert Hanson <roberth@cet.com>, firewalls@GreatCircle.COM
Subject: Re: huh? switch hitter?
In-Reply-To: <m0uqYAU-0004k3C@lina>
Message-ID: <Pine.GSO.3.95.960814021455.12958C-100000@clark.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 14 Aug 1996, Bernd Eckenfels wrote:

> HW-Address of the interface. Thats the reason why u have less collisions
> with switches, cause they simply filter the Packets on the net for each
> port. You can also lock the arp-addresses in the switch for more security.

Just as a point of information, you don't necessarily see *less*
collisions on a loaded network that sustains a high load.  I have a
network with three very heavily trafficed web servers on it, and moving
from a hub to a switch didn't help collisons at the router, because the
router would collide with each server just about as much (>0.5% difference
over 3 hours).  It suprised me.  But then the "I've been here over seven
years, and I've never seen one of our routers sustain that kind of load
continuously" from the Cisco engineer wasn't exactly heartwarming either.
(To be fair, the Cisco is handling the load admirably, the collisions are
just a fact of the traffic volume, perhaps teamed with the ethernet
drivers in the servers being asynchronous). 

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


From firewalls-owner  Tue Aug 13 23:57:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA04682 for firewalls-outgoing; Tue, 13 Aug 1996 23:48:04 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA04669 for <firewalls@GreatCircle.COM>; Tue, 13 Aug 1996 23:47:43 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0uqZb4-000L0dC>; Wed, 14 Aug 96 08:38 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0uqZb4-001l6SC>; Wed, 14 Aug 96 08:38 MET DST
Received: by lina
	id m0uqZYs-0004k3C
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Wed, 14 Aug 96 08:36 MET DST
Message-Id: <m0uqZYs-0004k3C@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: huh? switch hitter?
To: proberts@clark.net (Paul D. Robertson)
Date: Wed, 14 Aug 1996 08:36:12 +0200 (MET DST)
Cc: roberth@cet.com, firewalls@GreatCircle.COM
In-Reply-To: <Pine.GSO.3.95.960814021455.12958C-100000@clark.net> from "Paul D. Robertson" at Aug 14, 96 02:23:45 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> Just as a point of information, you don't necessarily see *less*
> collisions on a loaded network that sustains a high load.
Ah, of course not. It depends on the Connections between the hosts, if u
have:


                               a
                             / | \
                            h1 h2 h3
(- = prefered data path)

Then the load on Port a is the same, with or without a switch, but if you
have:

                    h1-h2
                    h3-h4

You basically double the bandwith of your network with a switch.

Greetings
Bernd

From firewalls-owner  Wed Aug 14 00:32:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA08234 for firewalls-outgoing; Wed, 14 Aug 1996 00:25:44 -0700 (PDT)
Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA08166 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 00:25:26 -0700 (PDT)
Received: (from ryan@localhost) by pcslink.com (8.6.12/8.6.12) id AAA09127; Wed, 14 Aug 1996 00:25:26 -0700
From: Ryan Mooney <ryan@pcslink.com>
Message-Id: <199608140725.AAA09127@pcslink.com>
Subject: huh? switch hitter? (fwd)
To: firewalls@GreatCircle.COM
Date: Wed, 14 Aug 1996 00:25:26 -0700 (MST)
Cc: roberth@cet.com
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


You only can't sniff across switched ports.

ie:

-----seg1-------+----------+
                |          |
-----seg2-------+          |
                | Switch   |
-----seg3-------+          |
                |          |
-----seg4-------+----------+

In this scenario if you are on seg1 and traffic is going from seg2 to
seg3 you never see it.  You would of course be able to see any traffic
on seg1, but thats it (except for broadcast packets and the like).
Saying that switched ethernet can't be sniffed is somewhat of a misnomer
as each virtual segment usually has more than one system on it and
any one of those systems could theoretically snoop any traffic on that
segment.  I think this is really simple common sense once you look at what
the switch is really doing... and what machines are where.  There are
of course ways to capture all data going across the switch with things
like switch probes and the like, these do however have to be installed,
and left open for evil bad dude to use in his copious spare time.

> 
> excuse my ignorance or lack or research, yet...
> 
> what makes switched ethernet unable to be snarfed....
> 
> --->
> Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
> Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
> (509) 927-9541             finger: info@cet.com or email: roberth@cet.com
> 
> 
> 
> On Wed, 14 Aug 1996, Bernd Eckenfels wrote:
> 
> > Hi,
> > 
> > > We did   We captured all the X25 packets then opened them up   There was
> > > IBM SNA data going through the X25   Looked like a database update   
> > > There was mail going through   Boring stuff about various shipments
> > > And there was a trickle of teletype
> > 
> > what kind of X.25 Connection is this? Generally X.25 is not used on
> > broadcast mediums, only with point-to-point links to the switches. (You can
> > compare it to switched ethernet, where ethernet sniffing is impossible,
> > too).
> > 
> > Greetings
> > Bernd
> > -- 
> >   (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
> >  ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
> >   o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
> > (O____O)       If privacy is outlawed only Outlaws have privacy
> > 
> 
> 

-------------------------------------------------------------------------------
Ryan Mooney                  ryan@pcslink.com           
Systems Engineer
Phoenix Computer Specialists Internet Provider     "Illuminate The Opposition!"
Phone (602)265-9188          Fax (602)265-9357        -- Adam Weishaupt
proud member of AAAAAA - American Association Against Acronym Abuse Anonymous.
--------------------------------------------------------------------------------

From firewalls-owner  Wed Aug 14 02:31:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA15488 for firewalls-outgoing; Wed, 14 Aug 1996 01:56:47 -0700 (PDT)
Received: from callisto.lif.icnet.uk (callisto.lif.icnet.uk [143.65.1.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA15481 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 01:56:28 -0700 (PDT)
Received: by callisto.lif.icnet.uk; Wed, 14 Aug 1996 09:55:39 +0100
Date: Wed, 14 Aug 1996 09:55:39 +0100 (BST)
From: John Hopkins <hopkins@icrf.icnet.uk>
Subject: Re: huh? switch hitter? (fwd)
To: Ryan Mooney <ryan@pcslink.com>
Cc: firewalls@GreatCircle.COM, roberth@cet.com
In-Reply-To: <199608140725.AAA09127@pcslink.com>
Message-Id: <Pine.3.89.9608140947.A16353-0100000@callisto.lif.icnet.uk>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think that a lot of ethernet switches also have a common port that can
see all the traffic on the other ports if required.

J.

On Wed, 14 Aug 1996, Ryan Mooney wrote:

> 
> You only can't sniff across switched ports.
> 
> ie:
> 
> -----seg1-------+----------+
>                 |          |
> -----seg2-------+          |
>                 | Switch   |
> -----seg3-------+          |
>                 |          |
> -----seg4-------+----------+
> 
> In this scenario if you are on seg1 and traffic is going from seg2 to
> seg3 you never see it.  You would of course be able to see any traffic
> on seg1, but thats it (except for broadcast packets and the like).
> Saying that switched ethernet can't be sniffed is somewhat of a misnomer
> as each virtual segment usually has more than one system on it and
> any one of those systems could theoretically snoop any traffic on that
> segment.  I think this is really simple common sense once you look at what
> the switch is really doing... and what machines are where.  There are
> of course ways to capture all data going across the switch with things
> like switch probes and the like, these do however have to be installed,
> and left open for evil bad dude to use in his copious spare time.
> 
> > 
> > excuse my ignorance or lack or research, yet...
> > 
> > what makes switched ethernet unable to be snarfed....
> > 
> > --->
> > Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
> > Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
> > (509) 927-9541             finger: info@cet.com or email: roberth@cet.com
> > 
> > 
> > 
> > On Wed, 14 Aug 1996, Bernd Eckenfels wrote:
> > 
> > > Hi,
> > > 
> > > > We did   We captured all the X25 packets then opened them up   There was
> > > > IBM SNA data going through the X25   Looked like a database update   
> > > > There was mail going through   Boring stuff about various shipments
> > > > And there was a trickle of teletype
> > > 
> > > what kind of X.25 Connection is this? Generally X.25 is not used on
> > > broadcast mediums, only with point-to-point links to the switches. (You can
> > > compare it to switched ethernet, where ethernet sniffing is impossible,
> > > too).
> > > 
> > > Greetings
> > > Bernd
> > > -- 
> > >   (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
> > >  ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
> > >   o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
> > > (O____O)       If privacy is outlawed only Outlaws have privacy
> > > 
> > 
> > 
> 
> -------------------------------------------------------------------------------
> Ryan Mooney                  ryan@pcslink.com           
> Systems Engineer
> Phoenix Computer Specialists Internet Provider     "Illuminate The Opposition!"
> Phone (602)265-9188          Fax (602)265-9357        -- Adam Weishaupt
> proud member of AAAAAA - American Association Against Acronym Abuse Anonymous.
> --------------------------------------------------------------------------------
> 

From firewalls-owner  Wed Aug 14 02:57:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA08719 for firewalls-outgoing; Wed, 14 Aug 1996 00:33:49 -0700 (PDT)
Received: from Heidi.came.sbg.ac.at (heidi.came.sbg.ac.at [141.201.27.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA08712 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 00:33:36 -0700 (PDT)
Received: by Heidi.came.sbg.ac.at (940816.SGI.8.6.9/940406.SGI.AUTO)
	 id JAA15196; Wed, 14 Aug 1996 09:33:31 +0200
Date: Wed, 14 Aug 1996 09:33:17 +0200 (MDT)
From: Peter Lackner <plo@came.sbg.ac.at>
To: firewalls@GreatCircle.COM
Subject: drawbridge HW/SW 
Message-ID: <Pine.SGI.3.91.960814093112.15185A-100000@Heidi.came.sbg.ac.at>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I want to set up a PC running drawbridge and I'd like to know
if someone could manage to run drawbridge-2.0 with the following
hard/software:
* Accton EN166x Ethernet Cards
* DOS 6.22, NDIS 2.1
I could not manage to get it work yet.
It also would help if someone who is already using drawbridge-2.0
could tell me what kind of cards he/she is using and which 
version of DOS.


Thanks for any hint,

--Peter

+-------------------------------------------------+
|                   Peter Lackner                 |
|    Center of Applied Molecular Engineering      |
|          University of Salzburg, Austria        |
|                plo@came.sbg.ac.at               |
+-------------------------------------------------+



From firewalls-owner  Wed Aug 14 03:12:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA09199 for firewalls-outgoing; Wed, 14 Aug 1996 00:41:49 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id AAA09189 for firewalls@greatcircle.com; Wed, 14 Aug 1996 00:41:35 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA12106 for <firewalls@miles>; Mon, 12 Aug 1996 23:04:13 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
	id XAA08339; Mon, 12 Aug 1996 23:03:58 -0700
Received: from netrd.iii.org.tw(140.92.61.55) by mycroft via smap (V1.3mjr)
	id sma008332; Mon Aug 12 23:02:50 1996
Received: from lky.iii.org.tw by netrd.iii.org.tw (SMI-8.6/SMI-SVR4)
	id NAA00695; Tue, 13 Aug 1996 13:54:00 +0800
Date: Tue, 13 Aug 1996 13:54:00 +0800
Message-Id: <199608130554.NAA00695@netrd.iii.org.tw>
X-Sender: lky@netrd.iii.org.tw
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Kun-Yu Li <lky@netrd.iii.org.tw>
Subject: Help: FWTK http-gw problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone used  FWTK http-gw successfully? Can anyone help me?
I'm learning FWTK http-gw setup,

my inetd.conf is
http    stream   tcp   nowait   root   /usr/libexec/httpd      http
http-gw stream   tcp   nowait  root   /usr/local/WWW/http-gw   http-gw

my netperm-table is 
http-gw: userid 		root
http-gw: default-httpd 	host.company.org.tw:80
http-gw: deny-hosts		unknown
http-gw: hosts		140.92.*.*

It should be correct.

But every time I connected to http-gw,
the response is "Netscape Error: Document contains no data." 

Can anyone give me advices?
Thanks 
                                                            lky@iii.org.tw




From firewalls-owner  Wed Aug 14 03:28:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA20773 for firewalls-outgoing; Wed, 14 Aug 1996 03:06:51 -0700 (PDT)
Received: from jpmgate1.jpmorgan.com (jpmorgan.jpmorgan.com [146.149.99.127]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id DAA20732 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 03:06:16 -0700 (PDT)
Received: from jpmgate1.jpmorgan.com (mrzip.ny.jpmorgan.com [146.149.1.2]) by jpmgate1.jpmorgan.com (8.7.5/8.7.5) with SMTP id GAA24332 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 06:06:15 -0400
Received: from NYC-NTGW-N02.ny.jpmorgan.com (nyc_ntgw_n02.ny.jpmorgan.com [198.75.84.103]) by mrzip.ny.jpmorgan.com (8.7.4/8.7.3) with SMTP id GAA28126 for <@mrzip.ny.jpmorgan.com:firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 06:06:17 -0400 (EDT)
Received: by NYC-NTGW-N02.ny.jpmorgan.com (IBM OS/2 SENDMAIL VERSION 1.3.14/1.0)
	  id AA2451; Wed, 14 Aug 96 06:06:12 -0400
Message-Id: <9608141006.AA2451@NYC-NTGW-N02.ny.jpmorgan.com>
Received: by JPMORGAN (Lotus Notes Mail Gateway for SMTP V1.1) id
  4E2801848C2590AD802563860036A3C4; Wed, 14 Aug 96 06:06:12 
To: firewalls <firewalls@GreatCircle.COM>
From: Brian B Mitchell
  <mitchell_brian@jpmorgan.com>
Date: 14 Aug 96 11:03:46 
Subject: Sniffing Switched Segments
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Depending on which switch you are using, it may be possible to use a roving 
analyser port, as with the 3Com LANPlex product. By defining one switch port as 
the analyser and connected a sniffer to it, the software of the switch will 
allow you to connect the sniffer to any other segment / backplane segment / 
fddi ring.

Another way, if you are using intellegent hubs on each segment, is to use the 
RMON agent (assuming that it supports packet capture and decode) to sniff that 
particular segment.


From firewalls-owner  Wed Aug 14 03:49:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA08762 for firewalls-outgoing; Wed, 14 Aug 1996 00:35:24 -0700 (PDT)
Received: from scctn01.sp.ac.sg (scctn01.sp.ac.sg [164.78.252.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA08755 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 00:35:04 -0700 (PDT)
Received: from sspws500.sp.ac.sg (sspws500.sp.ac.sg [164.78.252.5]) by scctn01.sp.ac.sg (8.6.12/8.6.9) with SMTP id PAA07624 for <@scctn01.sp.ac.sg:firewalls@greatcircle.com>; Wed, 14 Aug 1996 15:35:40 +0730
Received: by sspws500.sp.ac.sg (IBM OS/2 SENDMAIL VERSION 1.3.2)/1.0)
	  id AA1561; Wed, 14 Aug 96 15:38:10 -0700
Message-Id: <9608142238.AA1561@sspws500.sp.ac.sg>
Received: from SP_SD with "Lotus Notes Mail Gateway for SMTP" id
  B139DA7475EAFC3A482563860008B35B; Wed, 14 Aug 96 15:38:08 
To: "Francis.Gregoire" <Francis.Gregoire@met.fr>
Cc: firewalls <firewalls@greatcircle.com>
From: Lee Yee Poh/CC/SP_SF
  <LeeYP@sp.ac.sg>
Date: 14 Aug 96  9:36:19 WAT
Subject: Re: syslogd under Solaris 2.5
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You may want to check up your /etc/syslog.conf to ensure that there is an entry 
for logging into /var/adm/messages file.




	Francis.Gregoire @ met.fr 
13/08/96 03:56 PM
To: firewalls @ GreatCircle.COM @ INTERNET
cc: Francis.Gregoire @ met.fr @ INTERNET (bcc: Lee Yee Poh/CC/SP_SF)
Subject: syslogd under Solaris 2.5

 
 Hello,

 We have a problem with syslogd on our bastion. Any messages are lost and 
aren't logged in the file /var/adm/messages. Before, syslogd worked very fine 
but today it's wrong. When we send it the HUP signal, it does't work because 
the file /etc/syslog.pid hasn't the good iud. If we put the good uid in this 
file, the result is same. If we kill it and if we reexecute syslogd, it sleeps 
and doesn't work ( it doesn't write his uid in the file /etc/syslog.pid ). 
There are no messages on the system console. We have verified the rights of 
files : they are good. We have changed the executable : the result is same. 

 Has anyone an idea why our syslogd doesn't work? Thanks,

     Francis GREGOIRE 






From firewalls-owner  Wed Aug 14 03:57:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA20494 for firewalls-outgoing; Wed, 14 Aug 1996 03:03:05 -0700 (PDT)
Received: from bastian.moldenett.no (bastian.moldenett.no [194.52.169.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id DAA20433 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 03:02:33 -0700 (PDT)
Received: from [194.52.169.41] by bastian.moldenett.no with SMTP 
	id <AA25048>; Wed, 14 Aug 1996 12:05:33 GMT
Message-Id: <3211C0CA.77D@moldenett.no>
Date: Wed, 14 Aug 1996 12:04:26 +0000
From: Kaare Digernes <kaared@bastian.moldenett.no>
Organization: Moldenett AS
X-Mailer: Mozilla 2.02 (WinNT; I)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Feedback on solution?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A local school is considering connecting to the Internet. 
Bot the student and the teacher networks will be connected 
through a single ISDN router. Due to security, lack of IP 
addresses, and bandwidth, I believe a firewall with a 
caching proxy (HTTP and FTP) would be a solution.

I've pictured the solution like this:

The firewall has three network cards; one for the Internet 
(public IP address), one for the students (private IP 
address) and one for the teachers (private IP address).

The only services offered to the users is e-mail (SMTP and 
POP3), web (proxied) and FTP (proxied). It could also be a 
demand for telnet to the firwall to change passwords, create 
homepages, etc. However, I see this as a potential hole and 
it doen't necessarily have to be implemented if it's a 
hazard (students getting onto the teacher network).

The router and the firewall have public (registered) IP 
addresses, but the two LANs have private ones (192.168.1.0 
and 192.168.2.0).

The firewall itself must accept SMTP, HTTP (port 80) 
requests, and DNS traffic. I believe it must accept proxy 
traffic as well (port 8080?). No other services are offered 
to the rest of the world.

I would be grateful if anyone could give me some feedback on 
this solution, whether it's feasible or not, and what 
software I could use to build it.

Thanks in advance for any help.

-Kaare
kaared@moldenett.no

From firewalls-owner  Wed Aug 14 04:43:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA28980 for firewalls-outgoing; Wed, 14 Aug 1996 04:24:24 -0700 (PDT)
Received: from s.wipinfo.soft.net (s.wipinfo.soft.net [164.164.6.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA28896 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 04:23:44 -0700 (PDT)
Received: by s.wipinfo.soft.net (4.1/SMI-4.1)
	id AA16607; Wed, 14 Aug 96 12:48:04 IST
Received: from comm10 by rolex.rnd.blr (4.1/SMI-4.1)
	id AA11663; Wed, 14 Aug 96 12:48:06+050
Received: (from rjoshi@localhost) by comm10 (8.6.12/8.6.9) id MAA31877; Wed, 14 Aug 1996 12:45:37 +0500
From: Rajesh Joshi <rjoshi@wipinfo.soft.net>
Message-Id: <199608140745.MAA31877@comm10>
Subject: SOCKS4.2 specifications
To: socks@socks.nec.com, socks5@socks.nec.com, firewalls@GreatCircle.COM
Date: Wed, 14 Aug 1996 12:45:32 +0500 (GMT+0500)
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Hi all,

Where can I get the SOCKS4.2 specifications ? I have with me SOCKS5 and SOCKS4
specifications. Can anybody give me some pointers ?

What is the most used version of SOCKS ( 4/ 4.2/ 5 ) for SOCKS client ( e. g.
NetScape) implementations ?

Thanks in Advance,

|==============================================================================|
|				RAJESH B JOSHI                                 |
|  Sr. Engineer  R & D (Software), Communications Group, Wipro Infotech Ltd.   |
|------------------------------------------------------------------------------|

From firewalls-owner  Wed Aug 14 05:16:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA01835 for firewalls-outgoing; Wed, 14 Aug 1996 05:04:43 -0700 (PDT)
Received: from merle.acns.nwu.edu (merle.acns.nwu.edu [129.105.16.57]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA01826 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 05:04:28 -0700 (PDT)
Received: from localhost by merle.acns.nwu.edu with SMTP
	(1.40.112.4/16.2) id AA282114112; Wed, 14 Aug 1996 07:01:52 -0500
Date: Wed, 14 Aug 1996 07:01:52 -0500 (CDT)
From: Brian Hatch <bri@ifokr.org>
X-Sender: bri@merle.acns.nwu.edu
To: Kun-Yu Li <lky@netrd.iii.org.tw>
Cc: firewalls@greatcircle.com
Subject: Re: Help: FWTK http-gw problem
In-Reply-To: <199608130554.NAA00695@netrd.iii.org.tw>
Message-Id: <Pine.HPP.3.93.960814065705.27627A-100000@merle.acns.nwu.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


+ my inetd.conf is
+ http    stream   tcp   nowait   root   /usr/libexec/httpd      http
+ http-gw stream   tcp   nowait  root   /usr/local/WWW/http-gw   http-gw

First, make sure you have a line similar to 

http-gw		81/tcp

in /etc/services (I used 81, since I see you already have a web server 
running, presumably on port 80)
 
+ http-gw: userid 		root
+ http-gw: default-httpd 	host.company.org.tw:80
+ http-gw: deny-hosts		unknown
+ http-gw: hosts		140.92.*.*

Firstly, I'd set userid to something else (nobody, etc) but that's
certainly not affecting it here.  My guess is the default-httpd line,
which tells it to which server to hand off the requests.  If that
server isn't grabbing them for you, you're out of luck.

The http-gw itself can grab the pages on its own, so I'd just try 
nuking that line.

+ the response is "Netscape Error: Document contains no data." 

This seems consistant with the above explanation.


						 Bri
--
bri@ifokr.org
Systems and Security Engineer
Onsight, Inc.  http://www.avue.com/


From firewalls-owner  Wed Aug 14 06:31:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA05698 for firewalls-outgoing; Wed, 14 Aug 1996 06:18:38 -0700 (PDT)
Received: from horse.blanket.com (horse.blanket.com [206.28.190.179]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA05689 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 06:18:30 -0700 (PDT)
Received: from horse (jfulmer@localhost [127.0.0.1]) by horse.blanket.com (8.6.12/8.6.9) with SMTP id IAA00361 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 08:24:26 -0500
Message-ID: <3211D389.A89D6CE@blanket.com>
Date: Wed, 14 Aug 1996 08:24:25 -0500
From: John Fulmer <jfulmer@blanket.com>
X-Mailer: Mozilla 3.0b6 (X11; I; Linux 2.0.11 i586)
MIME-Version: 1.0
To: Firewalls Mailing List <Firewalls@GreatCircle.COM>
Subject: Re: NT Firewalling
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Tue, 13 Aug 1996 14:55:01 -0300
> From: "Fernando da Silveira Montenegro" <silveira@nutec.com.br>
> Subject: Re: NT Firewalling
> 
...
> While NT expertise is a must-have, another factor I'd add to using NT 
> over UNIX is product availability for a given platform. For instance, 
> if you're not using a RISC workstation, if have VERY limited options 
> as to different products. Given the current market pressure, if you 
> want to firewall (perhaps we should create a new verb, "to firewall") 
> using an Intel PC, your best bet will probably be NT.
> 

Not necessarily. I can think of at least four very good firewalls based
on Intel platforms (Borderware, Sidewinder, TIS Gauntlet, V-One), and
more that
are planned (Cyberguard ?), that are based on some variant of BSDI UNIX. 

Also remember that a Sparc 5 can make a very good firewall for a medium
sized network for under $5k. A comparable Pentium probably runs at least
3K. Or at least the way I build them :)

BTW, does anyone know of a decent application gateway firewall for OS/2?
It would probably have as much of a justification as an NT firewall, but
with more stable network underpinnings...

jf

-- 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ John Fulmer           	| "UNIX was not designed to stop     +
+ Secure Network System		|  you from doing stupid things,     +
+ Lawrence, Kansas		|  because that would also stop you  +
+				|  from doing clever things."	     +
+ jfulmer@blanket.com		|                                    + 
+ http://www.blanket.com	|                     -- Doug Gwyn   +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner  Wed Aug 14 06:43:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA06069 for firewalls-outgoing; Wed, 14 Aug 1996 06:32:23 -0700 (PDT)
Received: from balder-int.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA06062 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 06:32:10 -0700 (PDT)
Received: by balder-int.ssds.com; id AA12862; Wed, 14 Aug 96 07:31:52 MDT
Received: from denver.ssds.com(134.127.16.1) by balder.ssds.com via smap (V3.1.1)
	id xma012853; Wed, 14 Aug 96 07:31:43 -0600
Received: by denver.ssds.com id HAA12508; Wed, 14 Aug 1996 07:32:27 -0600 (MDT)
From: chris.liljenstolpe@ssds.com (Christopher Liljenstolpe)
To: webmaster@capitalworks.com
Cc: Ben Goodyear <Ben.Goodyear@dial.pipex.com>, pah@esoft.co.uk,
        firewalls@GreatCircle.COM
Subject: Re: To Subnet or not?
Date: Wed, 14 Aug 1996 13:32:32 GMT
Organization: SSDS, Inc.
Reply-To: chris.liljenstolpe@ssds.com
Message-Id: <3211d4c5.1769211@denver.ssds.com>
References: <199608121736.SAA08098@typhoon.dial.pipex.net> <3210D74B.7DB9@capitalworks.com>
In-Reply-To: <3210D74B.7DB9@capitalworks.com>
X-Mailer: Forte Agent .99e/32.227
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings,

	I have to disagree, asking for a whole class C for one or
possibly two addresses is egregious use of address space.  Either
subnet the class C (as discussed in an earlier posting) or, if the
firewall can do address translation, use the class C for the network
between your firewall and your ISP or your router, and one of the
reuseable networks behind your firewall.

	-=Chris

On Tue, 13 Aug 1996 15:28:11 -0400, the sage Capital Works Webmaster
<webmaster@capitalworks.com> scribed:

>Ben Goodyear wrote:
>> 
>> > I'm sure that this is blindingly obvious, but I have not been able to find any
>> > references to it...
>> >
>> > I have a class C address for my network - As part of my firewall I will have a
>> > dual homed sparc 5 running Solaris 2.5. I want to forward packets from one
>> > interface to the other - am I allowed to use netmask 255.255.255.0 with both
>> > interfaces in the same subnet e.g.
>> >
>> > 192.100.100.1 and the other on 192.100.100.2
>> >
>> > I have tried to set routing up for this up and failed so the question is
>> >
>> > Do I have to subnet a class C address to achieve packet forwarding or is there
>> > some trick in the routing that I am missing??
>> >
>> > All the references on this soft of setup assume that you are doing packet
>> > forwarding from something like 192.100.100.1 to 192.100.99.1, but I only have a
>> > class C from my ISP and cannot affort to loose the half my IP addresses that
>> > subnetting would cause.
>> >
>> > Paul.
>> > --
>> >
>> 
>> Yes you do have to use subnetting to implement routing on a single
>> class "c" address.
>> 
>> To route between two networks, the two networks have to have a
>> different network number (or else, how would it know when to route?).
>> To get different network numbers on a class "c" you have to use
>> subnetting.
>> 
>> e.g.
>> 
>> use subnet 255.255.255.192
>> 
>> this will give you four networks of 64 hosts:
>> 
>> x.x.x.0-63, x.x.x.64-127, x.x.x.128-191, x.x.x.192-255
>> 
>> Set one interface to: 192.100.100.65
>> Set the other to:       192.100.100.129
>> 
>Avoid the whole thing!  Get one additional address from your ISP, on the
>same address subnet as your router!  -unless- if your router is
>configured on your class 'C', then have your ISP provide you with a
>unique IP for the router and then do a by-the-way-request for an
>additional one for your firewall?  Thus avoiding the masking issue.
>
>Kevin
>


--
   ( (   | (               Chris Liljenstolpe <Chris.Liljenstolpe@ssds.com>
    ) ) (|  ), inc.        SSDS, Inc; 8400 Normandale Lake Blvd.; Suite 993
   business driven         Bloomington, MN   55437; 
 technology solutions      TEL 612.921.2392  FAX 612.921.2395   Fram Fram Free!
 PGP Key 1024/E8546BD5     FE 43 BD A6 3C 13 6C DB  89 B3 E4 A1 BF 6D 2A A9

From firewalls-owner  Wed Aug 14 07:00:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA06297 for firewalls-outgoing; Wed, 14 Aug 1996 06:39:06 -0700 (PDT)
Received: from nutspgw.nutec.com.br ([200.246.248.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA06282 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 06:38:52 -0700 (PDT)
Received: (uucp@localhost) by nutspgw.nutec.com.br (8.6.9/8.6.5) id KAA01982; Wed, 14 Aug 1996 10:30:54 -0300
Message-Id: <199608141330.KAA01982@nutspgw.nutec.com.br>
Received: from unknown(200.246.248.32) by nutspgw.nutec.com.br via smap (g3.0.3)
	id xma001975; Wed, 14 Aug 96 10:30:41 -0300
Comments: Authenticated sender is <silveira@nutspgw.sao.nutecnet.com.br>
From: "Fernando da Silveira Montenegro" <silveira@nutec.com.br>
Organization: Nutec Informsstica
To: peter@baileynm.com (Peter da Silva), firewalls@greatcircle.com
Date: Wed, 14 Aug 1996 10:38:56 -0300
Subject: Re: NT Firewalling
Reply-to: silveira@nutpagw.nutec.com.br
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From:          peter@baileynm.com (Peter da Silva)
> Subject:       Re: NT Firewalling
> To:            firewalls@greatcircle.com
> Date:          Tue, 13 Aug 1996 16:32:35 -0500 (CDT)

> Should that happen then by all means go for the NT version. At the moment
> and for the near future the UNIX version is coming out well before the
> NT version, for those firewalls that even *have* an NT version, with very
> few exceptions.

This is a crucial point. First, I think more vendors will come out 
with NT firewalls, due to market pressure. Since M$ is positioning NT 
as the perfect corporate OS (whether or not this is true is another 
story) using NT as a firewall is something that needs to be 
considered. I think vendors will respond to this demand with NT 
products. Just like desktop publishing people brought their excellent 
Mac (and Amiga) stuff to Windows, we will see such a move for server 
products towards NT.

> If you're running Netscape software on your firewall you're in for a world
> of pain, buddy. (mail server? Why would anyone consider buying a mail server
> from Netscape anyway?)

Running ANYTHING on the firewall other than the firewall itself is a 
no-no for me, too. I used Netscape Mail as an example of how market 
pressure forces a developer to write NT code for Intel rather than 
(or before, I'm still hopeful) BSD/OS code, for example.

As for why using a mail server from Netscape, I'd rather use that 
than Exchange...

> ... simply to reduce the chance of someone slipping
> a buffer overflow into my firewall and running code. If they have to be
> smart enough to grok Alpha code as well it's an extra protection.

I truly belive in security in depth, and adding an extra layer of 
protection in the form of a not-so-popular server platform is great, 
but at some point I have to use a component that the admin people can 
manage, and cost is always an issue.

> But why do I want to "choose an intel platform"?
> 
In my situation, this is a choice I HAVE to make. Why? Most people I 
talk to want to have an "open" solution in terms of hardware 
components. At least here in Brazil, it is a royal pain to get spare 
parts for some Risc machines. How can I justify keeping $800 NICs 
just sitting around when $100 cards on an Intel platform would do 
just as well?

I'm not an NT evangelist (hell, I'm agnostic!) but I'm trying to say 
that choosing NT over Unix is not the absurd choice it was a year or 
so ago. We have major vendors coming out with NT versions of their 
products, and I have a feeling that NT will be the only (or major) Intel 
platform some of them will support.

> If I had my druthers I would have a firewall that ran as an
> embedded system with no underlying OS.

Me too. I have the experience of users asking why is that server 
"just sitting there" not running anything? When I tell them that is 
our firewall, they ask "but can't we use it for such and such as 
well?" Grrrrr.

> I assume that by "SWAN" you mean "Secure WAN" or "Virtual Network
> Perimeters". Firewall-to-firewall encryption?
> All the work on that's being done on UNIX, that I can tell by reading
> papers and the like.

Yes, this is what I meant, as an example. But what is more likely: 
for a vendor to add S/WAN support first to a more popular platform 
(such as NT will be in the Intel world, in my opinion) or to a more 
obscure one (BSD/OS, in the same context)?

> If you're paying TIS prices then the extra few hundred bucks for BSDI
> are negligable, and it'll still run on the same hardware.

Yes, but TIS doesn't ship VPN (even skimpy 40-bit stuff) outside the 
US, whereas Raptor does. Does Raptor have a BSD/OS product? If so, 
I'd get on the phone (or e-mail, whichever is the fastest) to get one 
now.

Fernando
--
Fernando da Silveira Montenegro        E-mail: silveira@nutec.com.br
Nutec Informatica S.A.                 Phone.: +55-11-505-5728
Rua Florida, 1821/11th floor           Fax...: +55-11-505-1918
Sao Paulo, SP BRAZIL 04565-001         WWW: http://www.nutec.com.br

From firewalls-owner  Wed Aug 14 07:17:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA06891 for firewalls-outgoing; Wed, 14 Aug 1996 06:49:32 -0700 (PDT)
Received: from atl1.america.net (atl1.america.net [199.170.121.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA06870 for <firewalls-digest@GreatCircle.COM>; Wed, 14 Aug 1996 06:49:17 -0700 (PDT)
Received: from w3.telemate.com (pl1-16.america.net [199.170.121.182]) by atl1.america.net (8.7.5/8.7.3) with SMTP id JAA18812 for <firewalls-digest@GreatCircle.COM>; Wed, 14 Aug 1996 09:47:50 -0400 (EDT)
Message-Id: <1.5.4.32.19960814134818.0068d66c@192.168.2.200>
X-Sender: renec#netcom7.netcom.com@192.168.2.200
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 14 Aug 1996 09:48:18 -0400
To: firewalls-digest@GreatCircle.COM
From: Rene Campbell <renec@futurus.com>
Subject: How secure is =?iso-8859-1?Q?Ascend=92s_?= Secure Access 
 Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


	Ascend has recently come out with a really effective firewall which is a
software option for many of their routers.  From the marketing spec, it
looks like a modified approach on a packet filtering technology and it's
clearly states that is not proxy based.  Any thoughts on how secure it may be?

Rene


From firewalls-owner  Wed Aug 14 07:47:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA10094 for firewalls-outgoing; Wed, 14 Aug 1996 07:22:49 -0700 (PDT)
Received: from relay1.smtp.psi.net (relay1.smtp.psi.net [38.8.14.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA10075 for <firewalls-digest@GreatCircle.COM>; Wed, 14 Aug 1996 07:22:29 -0700 (PDT)
Received: from adpmail.es.adp.com by relay1.smtp.psi.net (8.6.12/SMI-5.4-PSI)
	id KAA16377; Wed, 14 Aug 1996 10:22:28 -0400
Received: from ccMail by adpmail.es.adp.com
  (IMA Internet Exchange 1.04b) id 211ef310; Wed, 14 Aug 96 10:22:25 -0500
Mime-Version: 1.0
Date: Wed, 14 Aug 1996 10:04:17 -0500
Message-ID: <211ef310@es.adp.com>
From: jorge_triana@es.adp.com (Jorge Triana)
Subject: Question about Web sizing
To: firewalls-digest@GreatCircle.COM
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

     Question is a bit out of place here, but I'm wondering if anybody can 
     help.
     
     Company has to get some contract in place for the people that are 
     hosting our Web site and the person encharged of that wanted to know 
     if I could help...
     
     Are there any matrices out there that give a price/performance/user 
     count breakdown of users.... or any type of web server 
     evaluation...specifically, I think they are running it on an SGI 
     machine...(Dont ask me why)... but video department was the one that 
     was granted the work..so they went on their own and read books...
     
     Oh well...just wondering...
     
     
     Thanks...
     
     Jorge Triana
     ADP
     Lan/Wan Engineer
     1 ADP Boulevard
     MS-240
     Roseland, NJ 07068
     (201)535-7357
     (201)535-7336  fax
     jorge_triana@es.adp.com

From firewalls-owner  Wed Aug 14 08:13:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09508 for firewalls-outgoing; Wed, 14 Aug 1996 07:16:45 -0700 (PDT)
Received: from LIVEDGAR.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA09470 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 07:16:27 -0700 (PDT)
Received: from [204.254.209.10] by LIVEDGAR.gsionline.com (NTMail 3.02.04) id ka019536; Wed, 14 Aug 1996 10:15:55 -0400
X-Sender: nbk@livedgar
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "Paul D. Robertson" <proberts@clark.net>
From: nkeenan@gsionline.com (Nick Keenan)
Subject: Re: NT Firewalling
Cc: firewalls@greatcircle.com
Date: Wed, 14 Aug 1996 10:15:55 -0400
Message-Id: <14155579603976@gsionline.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Can you really run NT effectively in 32 meg?  I have a friend who has 32 meg
>> in an Intel box running NT, and he is going to get another 32 meg, because he
>> says that whenever he loads any app, the box just sits there and thrashes. 
>
>You can effectively run *BSD, Solaris for Intel, and Linux on such a 
>machine.  That offers a large range of commercial and do-it-yourself
>options involving filtering, application proxies, and hybrids.  Most of
>the NT folks I've spoken to wouldn't procure a box with less than 64M on
>it to do much of anything.  Perhaps one of the NT vendors could post base
>requirements without adding any salesfluff?  


OK, I've sat on the sidelines long enough. I am an NT user -- no unix here.
I have run NT effectively on a 486 with 8meg of RAM.  The user interface was
a little slow, but it had no problem filling a T1 in its role as an
application gateway.  I upgraded it to a pentium with 16 meg of ram, and now
it has three ethernet cards and can easily pass 3-4 Gig a day of data.

NT's not unix, but it's not bad either.


From firewalls-owner  Wed Aug 14 08:20:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA08071 for firewalls-outgoing; Wed, 14 Aug 1996 06:59:39 -0700 (PDT)
Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA08037 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 06:59:23 -0700 (PDT)
Received: from bass.com. by anchorsteam (SMI-8.6/SMI-SVR4)
	id JAA13605; Wed, 14 Aug 1996 09:54:47 -0400
Received: by bass.com. (SMI-8.6/SMI-SVR4)
	id JAA04767; Wed, 14 Aug 1996 09:58:00 -0400
Date: Wed, 14 Aug 1996 09:58:00 -0400
From: jonesmd@unifiedtech.com (Mike Jones)
Message-Id: <199608141358.JAA04767@bass.com.>
To: Firewalls@GreatCircle.COM, jfulmer@blanket.com
Subject: Re: NT Firewalling
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Fulmer writes...
> > Date: Tue, 13 Aug 1996 14:55:01 -0300
> > From: "Fernando da Silveira Montenegro" <silveira@nutec.com.br>
> > Subject: Re: NT Firewalling
> ...
> > While NT expertise is a must-have, another factor I'd add to using NT 
> > over UNIX is product availability for a given platform. For instance, 
> > if you're not using a RISC workstation, if have VERY limited options 
> > as to different products. Given the current market pressure, if you 
> > want to firewall (perhaps we should create a new verb, "to firewall") 
> > using an Intel PC, your best bet will probably be NT.
> Not necessarily. I can think of at least four very good firewalls based
> on Intel platforms (Borderware, Sidewinder, TIS Gauntlet, V-One), and
> more that
> are planned (Cyberguard ?), that are based on some variant of BSDI UNIX. 

Plus you can make a perfectly good firewall with Solaris x86 and FW-1. I
have a customer who's running that configuration on a Gateway Pentium box.
I will say that he's had more hardware problems than any dozen SPARC
customers I can think of. But hey, PC parts are cheap, right? And who
really counts time the engineers spend figuring out what went wrong and
swapping parts? And doesn't everybody have spare Ethernet cards on the
shelf?

--
	Mike.Jones@unifiedtech.com
Pause a moment and ponder this about the sedan; a six-footer can lay
flat inside the trunk of this car....
	- Car and Driver preview of the 1992 Buick Roadmaster

From firewalls-owner  Wed Aug 14 08:23:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA11275 for firewalls-outgoing; Wed, 14 Aug 1996 07:37:23 -0700 (PDT)
Received: from bsd.synx.com (rt.synx.com [194.167.81.239]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA11256 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 07:37:07 -0700 (PDT)
Received: from s3.synx.com (s3 [192.1.1.247]) by bsd.synx.com (8.6.12/8.6.12) with SMTP id PAA22592; Wed, 14 Aug 1996 15:37:29 +0100
Received: from rs1 by s3.synx.com id aa15665; 14 Aug 96 16:17 BST
Date: Wed, 14 Aug 1996 16:36:25 -2300 ()
From: Remy NONNENMACHER <remy@synx.com>
To: Bernd Eckenfels <lists@lina.inka.de>
cc: potlicker@morebbs.com, firewalls@greatcircle.com
Subject: Re: surprise
In-Reply-To: <m0uqVU1-0004k3C@lina>
Message-ID: <Pine.A32.3.91.960814162401.21023A-100000@rs1>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 14 Aug 1996, Bernd Eckenfels wrote:

> Hi,
> 
> > We did   We captured all the X25 packets then opened them up   There was
> > IBM SNA data going through the X25   Looked like a database update   
> > There was mail going through   Boring stuff about various shipments
> > And there was a trickle of teletype
> 
> what kind of X.25 Connection is this? Generally X.25 is not used on
> broadcast mediums, only with point-to-point links to the switches. (You can
> compare it to switched ethernet, where ethernet sniffing is impossible,
> too).
>

It may be something like a SDLC/SNA token-polled/broadcasted stuff. As 
SDLC is implemented as part of nearly all X.25 products, the fact that 
"X.25" is written down onto the card package doesn't mean the use is ala 
CCITT/ITU X.25 recommendations series (as we understand it in Europe were 
X.25 is something like a big "digital switch" for computer).


> Greetings
> Bernd
> -- 
>   (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
>  ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
>   o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
> (O____O)       If privacy is outlawed only Outlaws have privacy
> 


-------------------------------------------------------------------------------
     S Y N C H R O N I X  S.A.
   Remy NONNENMACHER - APAV Dpt. (remy@synx.com)

"My uncle and I entered a better life" - Alphonse Allais
					 (When his rich uncle died).


From firewalls-owner  Wed Aug 14 08:47:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA10395 for firewalls-outgoing; Wed, 14 Aug 1996 07:27:32 -0700 (PDT)
Received: from dns.ottawa.net (dns.ottawa.net [205.211.4.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA10388 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 07:27:19 -0700 (PDT)
Received: from slip-ppp3.ottawa.net (slip-ppp3.ottawa.net [205.211.5.3]) by dns.ottawa.net (8.7.5/1.2) with SMTP id KAA15590; Wed, 14 Aug 1996 10:27:01 -0400 (EDT)
Date: Wed, 14 Aug 1996 10:27:01 -0400 (EDT)
Message-Id: <199608141427.KAA15590@dns.ottawa.net>
X-Sender: bjm@ottawa.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Hector Casavantes <hcasav@bmv.com.mx>, Firewalls@GreatCircle.COM
From: bjm@ottawa.net (Brian McIntosh)
Subject: Re: No More Unlimited User Licenses Please...
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hector,

Licensing based on 'users' is simply a marketing tool by which 
a vendor can provide a firewall to smaller organanizations at a 
reduced cost.

Confusion often arises because of the term 'users'.  In this
scenario, it does *not* mean users of the Internet; it refers 
to a user of the firewall's protection.  Less confusion would
arise if vendors used the more specific term 'protected 
nodes' rather than 'users'.

Bear in mind that a firewall is protecting all 400 of your 
machines whether the users of those machines are
surfers or not.

Licensing based on the number of Internet users makes
sense if you're referring to a browser, but it doesn't make 
sense for a firewall meant to protect your entire enterprise.

Regards,
Brian




At 03:23 PM 96/8/13 -0600, Hector Casavantes wrote:
>
>Hello List
>
>Do anybody understand the difference between the number of users 
>and the number of protected computers in a firewall?
>
>Maybe someone can help me with this simple disyuntive:
>
>I have more than 400 machines but I don't need all of them 
>running trough internet. From ouside, anybody can access my 
>WWW server and some can access my FTP server. Few users from 
>the inside need to access internet (maybe 30-50) to "browse" or 
>something like this. I want anyone from inside to have email 
>by using a common email SMTP/POP server living in the 
>common-named "secure net" or maybe in internal net (doesn't
>matter at this very moment).
>
>In my actual evaluation-licensed firewall, I have edited an 
>outbound proxy access rule, where I've put the list of IP 
>addresses of the users that can resolv out. 
>
>Do I need to buy an unlimited user license (which is surely more 
>expensive) or can I use the 50's one? How can the firewall knows 
>if there are more than N machines connected in the Inside Network?
>(it surely can't). It doesn't make a lot of sense that if I let less 
>than 50 IP's to go to Internet, I need to buy an unlimited user license!
>
>Thanks for cooperation on this
>Hector Casavantes
>
>


========================================================
 Brian J. McIntosh  
 
 UniSol Inc.     

 53 Courtney Road               Tel:    613 831 6373
 Kanata, Ontario                    Fax:    613 831 4739
 Canada, K2L 1M1                Email:  bjm@ottawa.net
========================================================


From firewalls-owner  Wed Aug 14 09:02:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14178 for firewalls-outgoing; Wed, 14 Aug 1996 08:05:42 -0700 (PDT)
Received: from ny3hpfw01.lazard.com (ny3hpfw01.lazard.com [207.19.205.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA14119 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 08:05:26 -0700 (PDT)
Received: by ny3hpfw01.lazard.com; id KAA24966; Wed, 14 Aug 1996 10:57:14 -0400
Received: from ny3hpx01.lazard.com(129.1.96.201) by ny3hpfw01.lazard.com via smap (V3.1)
	id xma024962; Wed, 14 Aug 96 10:56:45 -0400
Received: by ny3hpx01.lazard.com
	(1.37.109.16/16.2-WT4.0) id AA155135386; Wed, 14 Aug 1996 11:09:47 -0400
Date: Wed, 14 Aug 1996 11:09:16 -0400
From: DykesD <DykesD@lazard.com>
Message-Id: <LOTUS NOTES */PRMD=LAZARD/ADMD=TELEMAIL/C=US/@MHS>
Subject: TIS Gauntlet Firewall vs. Raptor Eagle Firewall
To: firewalls@GreatCircle.COM
X400-Mts-Identifier: [ /P=LAZARD/A=TELEMAIL/C=US/ ; n\wtln01\960814110916a ]
X-Mailer: Worldtalk (4.0.1p12)/STREAM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have any experience with both the TIS Gauntlet firewall and Raptor 
Eagle firewall and if so what 
are your opinions about which one is better.  I am specifically concerned about 
centralized management, Alert paging,
user interface, intranet firewalling and remote access.


Thanks
Dale Dykes
dykesd@lazard.com

From firewalls-owner  Wed Aug 14 09:22:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA16664 for firewalls-outgoing; Wed, 14 Aug 1996 08:26:13 -0700 (PDT)
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA16613 for <firewalls-digest@GreatCircle.COM>; Wed, 14 Aug 1996 08:25:47 -0700 (PDT)
Received: from netevolve.com by relay2.UU.NET with SMTP 
	(peer crosschecked as: [206.136.48.11])
	id QQbcsz11634; Wed, 14 Aug 1996 11:25:40 -0400 (EDT)
Received: from lazar by netevolve.com (4.1/SMI-4.1)
	id AA04686; Wed, 14 Aug 96 11:28:33 EDT
Message-Id: <9608141528.AA04686@netevolve.com>
Comments: Authenticated sender is <lazar@netevolve.com>
From: "Irwin Lazar" <lazar@netevolve.com>
Organization: Network Evolutions
To: firewalls-digest@GreatCircle.COM, Rene Campbell <renec@futurus.com>
Date: Wed, 14 Aug 1996 11:27:18 +0000
Subject: Re: How secure is Ascend's  Secure Access  Firewall
Reply-To: lazar@netevolve.com
X-Mailer: Pegasus Mail for Win32 (v2.42)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm waiting on my demo disk.

You can get a free demo by going to:
http://www.ascend.com/secureaccess

> 
> 	Ascend has recently come out with a really effective firewall which is a
> software option for many of their routers.  From the marketing spec, it
> looks like a modified approach on a packet filtering technology and it's
> clearly states that is not proxy based.  Any thoughts on how secure it may be?
> 
> Rene
> 
> 
> 
Irwin M. Lazar
Network Evolutions, Inc.
lazar@netevolve.com
http://www.netevolve.com

From firewalls-owner  Wed Aug 14 09:56:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14860 for firewalls-outgoing; Wed, 14 Aug 1996 08:10:51 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA14792 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 08:10:13 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id KAA07613; Wed, 14 Aug 1996 10:10:05 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma016847; Wed Aug 14 10:03:18 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA13743; Wed, 14 Aug 1996 10:03:17 -0500
Received: by sonic.nmti.com; id AA16423; Wed, 14 Aug 1996 10:03:17 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608141503.AA16423@sonic.nmti.com.nmti.com>
Subject: Re: NT Firewalling
To: silveira@nutpagw.nutec.com.br
Date: Wed, 14 Aug 1996 10:03:16 -0500 (CDT)
Cc: peter@baileynm.com, firewalls@greatcircle.com
In-Reply-To: <199608141330.KAA01982@nutspgw.nutec.com.br> from "Fernando da Silveira Montenegro" at Aug 14, 96 10:38:56 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Should that happen then by all means go for the NT version. At the moment
> > and for the near future the UNIX version is coming out well before the
> > NT version, for those firewalls that even *have* an NT version, with very
> > few exceptions.

> This is a crucial point. First, I think more vendors will come out 
> with NT firewalls, due to market pressure.

Absolutely, but since their primary platform is (with very few exceptions)
UNIX, it's the NT versions that are trailing... not the UNIX ones.

> As for why using a mail server from Netscape, I'd rather use that 
> than Exchange...

Why use either? Eudora runs just fine, and you lose all those lovely
MS-MAIL hassles.

> Yes, this is what I meant, as an example. But what is more likely: 
> for a vendor to add S/WAN support first to a more popular platform 
> (such as NT will be in the Intel world, in my opinion) or to a more 
> obscure one (BSD/OS, in the same context)?

I'd expect them to add it to the platform it was developed on, first.

From firewalls-owner  Wed Aug 14 10:13:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA19907 for firewalls-outgoing; Wed, 14 Aug 1996 08:59:45 -0700 (PDT)
Received: from portal.east.saic.com (portal.east.saic.com [198.151.13.15]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA19880 for <firewalls-digest@GreatCircle.com>; Wed, 14 Aug 1996 08:59:34 -0700 (PDT)
Received: from leosec.saic.com ([149.8.136.21]) by portal.east.saic.com
          via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 14 Aug 1996 15:59:36 UT
Received: by leosec.saic.com (5.x/SMI-SVR4)
	id AA04922; Wed, 14 Aug 1996 12:00:09 -0400
Date: Wed, 14 Aug 1996 12:00:09 -0400
From: dsulser@leosec.saic.com (David Sulser)
Message-Id: <9608141600.AA04922@leosec.saic.com>
To: firewalls-digest@GreatCircle.com, renec@futurus.com
Subject: Re: How secure is =?iso-8859-1?Q?Ascend=92s_?= Secure Access  Firewall
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

 
> 	Ascend has recently come out with a really effective firewall which is a
> software option for many of their routers.  From the marketing spec, it
> looks like a modified approach on a packet filtering technology and it's
> clearly states that is not proxy based.  Any thoughts on how secure it may be?
> 
> Rene
> 

Sure. It is derived from the Morningstar firewall router technology
which they recently acquired. Morningstar's modus operandus is the
"dynamic packet filter."  According to the Morningstar tech reps I
spoke to, their filters open a given port(s) only when the router CPU
sees an authorized connection request. The filter stays open for the
duration of the session and then goes away. The ports do not remain
open by default. Great for reducing ports scannable from the outside to
a minimum.

This approach offers more security than classical packet filtering
(static filters). It does not offer the kind of control and granularity
you get with an application gateway firewall. The Morningstar
technology will probably do better now thanks to Ascend's market
position.

Regards,
David

From firewalls-owner  Wed Aug 14 10:32:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA21445 for firewalls-outgoing; Wed, 14 Aug 1996 09:11:25 -0700 (PDT)
Received: from nutspgw.nutec.com.br ([200.246.248.99]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA21365 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 09:11:03 -0700 (PDT)
Received: (uucp@localhost) by nutspgw.nutec.com.br (8.6.9/8.6.5) id NAA03537; Wed, 14 Aug 1996 13:07:38 -0300
Message-Id: <199608141607.NAA03537@nutspgw.nutec.com.br>
Received: from unknown(200.246.248.32) by nutspgw.nutec.com.br via smap (g3.0.3)
	id xma003518; Wed, 14 Aug 96 13:07:09 -0300
Comments: Authenticated sender is <silveira@nutspgw.sao.nutecnet.com.br>
From: "Fernando da Silveira Montenegro" <silveira@nutec.com.br>
Organization: Nutec Informsstica
To: peter@baileynm.com (Peter da Silva)
Date: Wed, 14 Aug 1996 13:15:27 -0300
Subject: Re: NT Firewalling
Reply-to: silveira@nutpagw.nutec.com.br
CC: firewalls@greatcircle.com
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > This is a crucial point. First, I think more vendors will come out 
> > with NT firewalls, due to market pressure.
> 
> Absolutely, but since their primary platform is (with very few exceptions)
> UNIX, it's the NT versions that are trailing... not the UNIX ones.

Agreed, but when the vendor considers an *Intel* platform, it is more 
likely to choose NT over UNIX. In this case (Intel support), I expect the UNIX 
versions will be trailing.

Imagine for a second you're a firewall developer, and you have a
version of your product for the "mandatory" platforms: RISC Solaris,
HP-UX, AIX, Digital. What next? Intel support. What are the options:
NT, BSD/OS, FreeBSD, NetBSD, Linux, SCO UNIX, Solaris for Intel, ...
What would you choose?

> > As for why using a mail server from Netscape, I'd rather use that 
> > than Exchange...
> 
> Why use either? Eudora runs just fine, and you lose all those lovely
> MS-MAIL hassles.
Yup, MS-Mail has a place of honor in my hate list, right next to its 
X400 Gateway.

Netscape Mail seems to be a fine POP3/SMTP mail server, with
simplified administration through HTML forms. Now, I prefer the UNIX
version over the NT one (NT doesn't support delivery to a program,
last time I checked) but, because of the market pressure I
mentioned, I'm forced to user an older version (1.1 vs 2.0). But this 
is not firewalls related, and I'd rather take this discussion offline.

Fernando
--
Fernando da Silveira Montenegro        E-mail: silveira@nutec.com.br
Nutec Informatica S.A.                 Phone.: +55-11-505-5728
Rua Florida, 1821/11th floor           Fax...: +55-11-505-1918
Sao Paulo, SP BRAZIL 04565-001         WWW: http://www.nutec.com.br

From firewalls-owner  Wed Aug 14 10:44:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA24317 for firewalls-outgoing; Wed, 14 Aug 1996 09:36:02 -0700 (PDT)
Received: from warbucks.esd.sgi.com (sgigate.SGI.COM [204.94.209.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA24241 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 09:35:40 -0700 (PDT)
Received: by warbucks.esd.sgi.com (8.6.10/YDL1.9.1-950317.10)
	id JAA25520(warbucks.esd.sgi.com); Wed, 14 Aug 1996 09:35:17 -0700
Date: Wed, 14 Aug 1996 09:35:17 -0700
From: yingda@esd.sgi.com (Ying-Da Lee)
Message-Id: <199608141635.JAA25520@warbucks.esd.sgi.com>
To: firewalls@GreatCircle.COM, socks5@socks.nec.com, socks@socks.nec.com,
        Rajesh Joshi <rjoshi@wipinfo.soft.net>
Subject: Re:  SOCKS4.2 specifications
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Where can I get the SOCKS4.2 specifications ? I have with me SOCKS5 and SOCKS4
>specifications. Can anybody give me some pointers ?

All 4.x releases of SOCKS implement protocol version 4. The protocol
version 4A is upward-compatible from version 4 and is implemented in
release 4.3, currently in beta 2. Both the protocol version 4 and the
4A extension are described in files included in 4.3 beta 2 release,
which is aviable from

ftp://ftp.best.com/pub/yingda/socks/

or

ftp://ftp.nec.com/pub/socks/socks4/

	Ying-Da Lee	yingda@best.com  or  yingda@esd.sgi.com
			http://www.best.com/~yingda/

From firewalls-owner  Wed Aug 14 10:52:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA22853 for firewalls-outgoing; Wed, 14 Aug 1996 09:23:11 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id JAA22787 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 09:22:37 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id JAA04308; Wed, 14 Aug 1996 09:17:54 -0700 (PDT)
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3)
	id sma004304; Wed Aug 14 09:17:48 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id JAA24207; Wed, 14 Aug 1996 09:17:48 -0700 (PDT)
From: Brian Murrell <Brian_Murrell@bctel.net>
Message-Id: <199608141617.JAA24207@mocha.bctel.net>
Date: Wed, 14 Aug 1996 09:17:46 -0700 (PDT)
To: lists@lina.inka.de
Cc: roberth@cet.com, firewalls@GreatCircle.COM
Subject: Re[2]: huh? switch hitter?
In-Reply-To: <m0uqYAU-0004k3C@lina>
X-Mailer: Ishmail 1.2.2-960610-sol24 <http://www.halsoft.com/products/ishmail>
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of lists@lina.inka.de (Bernd Eckenfels) on scroll
<m0uqYAU-0004k3C@lina>
> On a switched ethernet a NIC in promisc mode will only receive the
> packets
> which are broadcasted (i.e. ARP) and those which are send directly to the
> HW-Address of the interface. Thats the reason why u have less collisions
> with switches, cause they simply filter the Packets on the net for each
> port. You can also lock the arp-addresses in the switch for more
> security.

Don't people usually switch segments rather than individual hosts??  Isn't
switching ethernet a little expensive to do it by host??  If the switching
is done by segment rather than by host, then one could still sniff one's
own physical segment.

b.


--
Brian J. Murrell                                        Brian_Murrell@bctel.net
BCTel Advanced Communications                                   brian@ilinx.com
Vancouver, B.C.                                                brian@wimsey.com
604 454 5279

From firewalls-owner  Wed Aug 14 11:13:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28692 for firewalls-outgoing; Wed, 14 Aug 1996 10:10:03 -0700 (PDT)
Received: from SanFrancisco01.POP.InterNex.Net (SanFrancisco01.POP.InterNex.Net [205.158.3.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA28674 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 10:09:51 -0700 (PDT)
Received: from taoist.marineterminals.com ([157.151.226.68])
          by SanFrancisco01.POP.InterNex.Net (post.office MTA v1.9.3
          ID# 0-11028) with SMTP id AAA11733;
          Wed, 14 Aug 1996 10:06:04 -0700
X-Sender: marineterminals-3@SanFrancisco01.pop.internex.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: John Hopkins <hopkins@icrf.icnet.uk>
From: robw@marineterminals.com (Robert Williams)
Subject: Re: huh? switch hitter? (fwd)
Cc: firewalls@greatcircle.com
Date: Wed, 14 Aug 1996 10:06:03 -0700
Message-ID: <19960814170602.AAA11733@taoist.marineterminals.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:55 AM 8/14/96 +0100, KJ allegedly wrote:
>I think that a lot of ethernet switches also have a common port that can
>see all the traffic on the other ports if required.
>

I know of ports being configurable for "roving analysis", but has someone
built a device with which one can set up a filter and grab packets directly
off of the switch's backplane?

R


From firewalls-owner  Wed Aug 14 11:17:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03215 for firewalls-outgoing; Wed, 14 Aug 1996 10:49:22 -0700 (PDT)
Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA03193 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 10:49:04 -0700 (PDT)
Received: (from ryan@localhost) by pcslink.com (8.6.12/8.6.12) id KAA16510; Wed, 14 Aug 1996 10:48:58 -0700
From: Ryan Mooney <ryan@pcslink.com>
Message-Id: <199608141748.KAA16510@pcslink.com>
Subject: Re: huh? switch hitter? (fwd)
To: hopkins@icrf.icnet.uk (John Hopkins)
Date: Wed, 14 Aug 1996 10:48:58 -0700 (MST)
Cc: firewalls@greatcircle.com
In-Reply-To: <Pine.3.89.9608140947.A16353-0100000@callisto.lif.icnet.uk> from "John Hopkins" at Aug 14, 96 09:55:39 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Some do, most however have a switch probe port (which is slightly 
different) into which you plug the probe..  Its not an ethernet
port at all (not sure if there's  a standard to be honest but most
look like a DB25 connector).  The probes can be packet analyzers/tracers
(local or remote, usually RMON nowdays), or they can be just statistical 
analyzers or some combination thereof.  The difference between a common
port an a probe port is that you can "program" the probe port to allow you 
to see different segments and traffic types.  This makes a LOT of sense 
when you start talking about the larger switches that are becoming more
common, as they have hundreds of Mbs of backplane (sometimes Gbps) and
to have ALL that traffic go out one port is to much traffic for any
protocol analysis tool (or other end point for that matter) to
handle in a timely fashion.  The problem (problem? I guess thats the word)
is that switches are mostly MUCH to fast nowdays for simple analysis
tools, and require smarter switch aware monitoring tools


> I think that a lot of ethernet switches also have a common port that can
> see all the traffic on the other ports if required.
> 
> J.
> 
> On Wed, 14 Aug 1996, Ryan Mooney wrote:
> 
> > 
> > You only can't sniff across switched ports.
> > 
> > ie:
> > 
> > -----seg1-------+----------+
> >                 |          |
> > -----seg2-------+          |
> >                 | Switch   |
> > -----seg3-------+          |
> >                 |          |
> > -----seg4-------+----------+
> > 
> > In this scenario if you are on seg1 and traffic is going from seg2 to
> > seg3 you never see it.  You would of course be able to see any traffic
> > on seg1, but thats it (except for broadcast packets and the like).
> > Saying that switched ethernet can't be sniffed is somewhat of a misnomer
> > as each virtual segment usually has more than one system on it and
> > any one of those systems could theoretically snoop any traffic on that
> > segment.  I think this is really simple common sense once you look at what
> > the switch is really doing... and what machines are where.  There are
> > of course ways to capture all data going across the switch with things
> > like switch probes and the like, these do however have to be installed,
> > and left open for evil bad dude to use in his copious spare time.
> > 
> > > 
> > > excuse my ignorance or lack or research, yet...
> > > 
> > > what makes switched ethernet unable to be snarfed....
> > > 
> > > --->
> > > Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
> > > Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
> > > (509) 927-9541             finger: info@cet.com or email: roberth@cet.com
> > > 
> > > 
> > > 
> > > On Wed, 14 Aug 1996, Bernd Eckenfels wrote:
> > > 
> > > > Hi,
> > > > 
> > > > > We did   We captured all the X25 packets then opened them up   There was
> > > > > IBM SNA data going through the X25   Looked like a database update   
> > > > > There was mail going through   Boring stuff about various shipments
> > > > > And there was a trickle of teletype
> > > > 
> > > > what kind of X.25 Connection is this? Generally X.25 is not used on
> > > > broadcast mediums, only with point-to-point links to the switches. (You can
> > > > compare it to switched ethernet, where ethernet sniffing is impossible,
> > > > too).
> > > > 
> > > > Greetings
> > > > Bernd
> > > > -- 
> > > >   (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
> > > >  ( .. )  ecki@lina.{inka.de,ka.sub.org}  http://home.pages.de/~eckes/
> > > >   o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
> > > > (O____O)       If privacy is outlawed only Outlaws have privacy
> > > > 
> > > 
> > > 
> > 
> > -------------------------------------------------------------------------------
> > Ryan Mooney                  ryan@pcslink.com           
> > Systems Engineer
> > Phoenix Computer Specialists Internet Provider     "Illuminate The Opposition!"
> > Phone (602)265-9188          Fax (602)265-9357        -- Adam Weishaupt
> > proud member of AAAAAA - American Association Against Acronym Abuse Anonymous.
> > --------------------------------------------------------------------------------
> > 
> 

-------------------------------------------------------------------------------
Ryan Mooney                  ryan@pcslink.com           
Systems Engineer
Phoenix Computer Specialists Internet Provider     "Illuminate The Opposition!"
Phone (602)265-9188          Fax (602)265-9357        -- Adam Weishaupt
proud member of AAAAAA - American Association Against Acronym Abuse Anonymous.
--------------------------------------------------------------------------------

From firewalls-owner  Wed Aug 14 11:45:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA29960 for firewalls-outgoing; Wed, 14 Aug 1996 10:21:05 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id KAA29891 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 10:20:38 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id MAA21218; Wed, 14 Aug 1996 12:20:20 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma017720; Wed Aug 14 12:17:11 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id MAA18598; Wed, 14 Aug 1996 12:17:10 -0500
Received: by sonic.nmti.com; id AA29017; Wed, 14 Aug 1996 12:17:09 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608141717.AA29017@sonic.nmti.com.nmti.com>
Subject: Re: NT Firewalling
To: silveira@nutpagw.nutec.com.br
Date: Wed, 14 Aug 1996 12:17:09 -0500 (CDT)
Cc: peter@baileynm.com, firewalls@greatcircle.com
In-Reply-To: <199608141607.NAA03537@nutspgw.nutec.com.br> from "Fernando da Silveira Montenegro" at Aug 14, 96 01:15:27 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > This is a crucial point. First, I think more vendors will come out 
> > > with NT firewalls, due to market pressure.

> > Absolutely, but since their primary platform is (with very few exceptions)
> > UNIX, it's the NT versions that are trailing... not the UNIX ones.

> Agreed, but when the vendor considers an *Intel* platform, it is more 
> likely to choose NT over UNIX.

You think? I think that if the vendor chooses a *UNIX* platform they are
just as likely to choose Intel for one of their ports. If they choose an
NT platform they're unlikely (except for Raptor) to pick anything but Intel.

And, of course, the relative abundance of UNIX based products supports that.

> Imagine for a second you're a firewall developer, and you have a
> version of your product for the "mandatory" platforms: RISC Solaris,
> HP-UX, AIX, Digital. What next? Intel support. What are the options:
> NT, BSD/OS, FreeBSD, NetBSD, Linux, SCO UNIX, Solaris for Intel, ...
> What would you choose?

UNIX, since if I'm not a total idiot the Digital UNIX port I've already
got will drop right into place on BSDI. Digital UNIX is 4.3 reno with
the scheduler and VM system replaced by Mach, which is very close to what
BSDI did in completing the 4.4-lite port. In fact at the Usenix course
on 4.4BSD internals Mike and Kirk both mentioned that Digital UNIX was
the closest one to their design, and my own OSF/1 internals work supports
that.

For an NT port they'd have to pretty much start over from scratch. What
fun. Think what that'll do to their time-to-market. And since the Firewall
is a dedicated box, why take the hit?

From firewalls-owner  Wed Aug 14 12:44:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA07851 for firewalls-outgoing; Wed, 14 Aug 1996 11:21:56 -0700 (PDT)
Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA07833 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 11:21:44 -0700 (PDT)
Received: (from ryan@localhost) by pcslink.com (8.6.12/8.6.12) id LAA16826; Wed, 14 Aug 1996 11:21:33 -0700
From: Ryan Mooney <ryan@pcslink.com>
Message-Id: <199608141821.LAA16826@pcslink.com>
Subject: Re: huh? switch hitter? (fwd)
To: ian@south-border.com (The Unseen)
Date: Wed, 14 Aug 1996 11:21:33 -0700 (MST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199608141110.HAA14402@south-border.com> from "The Unseen" at Aug 14, 96 07:10:01 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Not far fetched at all.. I've been to a few places that leave
the probe monitor hooked up to thier main switch... it convienient
and quite often they are gathering statistics periodically to check
the state of the lan.  They where less that enthused when I showed them
how easy it was to get into, and now the switch has a few mac layer 
filters, and the switch porobe is in a slightly more difficult to guess
SNMP community.  The beauty of a lot of the probe products is that
you DONT need access as they are remotely monitorable... makes life
nice for network managers, it could be a security concern though 
because it provides a way to tunnel inside traffic to another
location (at least on the better probe/sniffer products).

As an aside talking about this reminds me of Novells Managewise 
where you can remotely take over another users terminal and it
looks/feels as if your right there in control (as long as user.com
is loaded as a TSR on te remote).. I know a lot of people don't know 
any better and they just use the default SNMP communities... if you 
have SNMP access to a network like that there's a good chance you may 
be able to take over a random machine, just use vendor supplied tools
and voila your god on the network (especially dangerous if the admin
commonly logs in as supervisor/or admin/or other priveleged user and
runs user.com)

> However, if someone has access to the switch they can use the monitor
> port provided by most vendors to monitor traffic on specified ports.  
> There is a vendor that sells a remote sniffer that you would install on 
> this port and provides this  (forgoten who..).  This is kinda far fetched,
> but it is possible.
> 
> Ian
> 

-------------------------------------------------------------------------------
Ryan Mooney                  ryan@pcslink.com           
Systems Engineer
Phoenix Computer Specialists Internet Provider     "Illuminate The Opposition!"
Phone (602)265-9188          Fax (602)265-9357        -- Adam Weishaupt
proud member of AAAAAA - American Association Against Acronym Abuse Anonymous.
--------------------------------------------------------------------------------

From firewalls-owner  Wed Aug 14 12:51:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14393 for firewalls-outgoing; Wed, 14 Aug 1996 12:19:57 -0700 (PDT)
Received: from midfire1.aetna.com (midfire1.aetna.com [206.156.35.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id MAA14374 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 12:19:42 -0700 (PDT)
Received: from midfire1.aetna.com (daemon@localhost) by midfire1.aetna.com (8.7.2/8.7.2) with ESMTP id PAA01264; Wed, 14 Aug 1996 15:19:41 -0400 (EDT)
Received: from NOWHERE_ ([129.12.66.230]) by midfire1.aetna.com (8.7.2/8.7.2) with SMTP id PAA01233; Wed, 14 Aug 1996 15:19:23 -0400 (EDT)
Received: by NOWHERE_ with Microsoft Mail
	id <01BB89F4.544B30E0@NOWHERE_>; Wed, 14 Aug 1996 15:21:56 -0400
Message-ID: <01BB89F4.544B30E0@NOWHERE_>
From: Mike Eddington <toranix@ultranet.com>
To: "lists@lina.inka.de" <lists@lina.inka.de>,
        "'Brian Murrell'"
	 <Brian_Murrell@bctel.net>
Cc: "roberth@cet.com" <roberth@cet.com>,
        "firewalls@GreatCircle.COM"
	 <firewalls@GreatCircle.COM>
Subject: RE: Re[2]: huh? switch hitter?
Date: Wed, 14 Aug 1996 15:21:53 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Then in reality you aren't sniffing the switch, and all the connections coming into it, your just sniffing that segment.

Also, while switching hosts is costly, sometimes the bandwidth is needed... though the norm is switching segments... :)

- Mike

----------
From: 	Brian Murrell[SMTP:Brian_Murrell@bctel.net]
Sent: 	Wednesday, August 14, 1996 12:17 PM
To: 	lists@lina.inka.de
Cc: 	roberth@cet.com; firewalls@GreatCircle.COM
Subject: 	Re[2]: huh? switch hitter?

from the quill of lists@lina.inka.de (Bernd Eckenfels) on scroll
<m0uqYAU-0004k3C@lina>
> On a switched ethernet a NIC in promisc mode will only receive the
> packets
> which are broadcasted (i.e. ARP) and those which are send directly to the
> HW-Address of the interface. Thats the reason why u have less collisions
> with switches, cause they simply filter the Packets on the net for each
> port. You can also lock the arp-addresses in the switch for more
> security.

Don't people usually switch segments rather than individual hosts??  Isn't
switching ethernet a little expensive to do it by host??  If the switching
is done by segment rather than by host, then one could still sniff one's
own physical segment.

b.


--
Brian J. Murrell                                        Brian_Murrell@bctel.net
BCTel Advanced Communications                                   brian@ilinx.com
Vancouver, B.C.                                                brian@wimsey.com
604 454 5279



From firewalls-owner  Wed Aug 14 12:51:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14650 for firewalls-outgoing; Wed, 14 Aug 1996 12:22:34 -0700 (PDT)
Received: from kcpgw2.kcp.com (kcpgw2.kcp.com [198.62.69.67]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA14624 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 12:22:10 -0700 (PDT)
Received: by kcpgw2.kcp.com id AA13346
  (InterLock SMTP Gateway 3.0 for Firewalls@GreatCircle.COM);
  Wed, 14 Aug 1996 14:21:47 -0500
Message-Id: <199608141921.AA13346@kcpgw2.kcp.com>
Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-2);
  Wed, 14 Aug 1996 14:21:47 -0500
Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-1);
  Wed, 14 Aug 1996 14:21:47 -0500
Mime-Version: 1.0
Date: Wed, 14 Aug 1996 14:15:58 -0500
From: dharris@kcp.com (Delmer Harris)
Subject: Re: No More Unlimited User Licenses Please...
To: Firewalls@GreatCircle.COM, Hector Casavantes <hcasav@bmv.com.mx>
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hector:

My experience says you are correct about not needing an unlimited license.  The 
license (for Un*x, I am assuming) is for concurrent logon sessions, so you 
should be able to configure more valid IP addresses than you have user licenses 
as long as you don't need them all at once.

If your firewall vendor has a different idea of licenses (firewall licenses as 
opposed to Un*x licenses) then you may have to have as many licenses as you have
allowed IP addresses, but you still shouldn't need an unlimited license.

If we are both wrong I am sure the list will correct us;-)


                                Delmer D. Harris
                                dharris@kcp.com

______________________________ Reply Separator _________________________________
Subject: No More Unlimited User Licenses Please...
Author:  Hector Casavantes <hcasav%bmv.com.mx@cerberus2.kcp.com> at 
INTERNET-MAIL
Date:    8/13/96 3:23 PM



Hello List

Do anybody understand the difference between the number of users 
and the number of protected computers in a firewall?

Maybe someone can help me with this simple disyuntive:

I have more than 400 machines but I don't need all of them 
running trough internet. From ouside, anybody can access my 
WWW server and some can access my FTP server. Few users from 
the inside need to access internet (maybe 30-50) to "browse" or 
something like this. I want anyone from inside to have email 
by using a common email SMTP/POP server living in the 
common-named "secure net" or maybe in internal net (doesn't
matter at this very moment).

In my actual evaluation-licensed firewall, I have edited an 
outbound proxy access rule, where I've put the list of IP 
addresses of the users that can resolv out. 

Do I need to buy an unlimited user license (which is surely more 
expensive) or can I use the 50's one? How can the firewall knows 
if there are more than N machines connected in the Inside Network?
(it surely can't). It doesn't make a lot of sense that if I let less 
than 50 IP's to go to Internet, I need to buy an unlimited user license!

Thanks for cooperation on this
Hector Casavantes

From firewalls-owner  Wed Aug 14 13:13:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA08212 for firewalls-outgoing; Wed, 14 Aug 1996 11:24:38 -0700 (PDT)
Received: from duna.prodemge.gov.br (duna.prodemge.gov.br [200.251.192.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA08171 for <firewalls-digest@greatcircle.com>; Wed, 14 Aug 1996 11:24:15 -0700 (PDT)
Received: from event38.prodemge.gov.br by duna.prodemge.gov.br (AIX 3.2/UCB 5.64/4.03)
          id AA22923; Wed, 14 Aug 1996 15:21:23 GMT
Date: Wed, 14 Aug 1996 15:21:23 GMT
Message-Id: <9608141521.AA22923@duna.prodemge.gov.br>
X-Sender: aluno06@prodemge.gov.br (Unverified)
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls-digest@greatcircle.com
From: aluno06@duna.prodemge.gov.br (delio)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk




From firewalls-owner  Wed Aug 14 13:33:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20178 for firewalls-outgoing; Wed, 14 Aug 1996 13:23:06 -0700 (PDT)
Received: from nikki.aol.fi (nikki.aol.fi [194.110.177.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id NAA20110 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 13:22:46 -0700 (PDT)
Received: from kurtis.aol.fi (kasha.aol.fi [194.110.177.1]) by nikki.aol.fi (8.7.1/8.6.12) with SMTP id UAA08500 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 20:15:16 +0300
Message-ID: <3212793C.60F7@aol.fi>
Date: Wed, 14 Aug 1996 23:11:24 -0200
From: Kurtis Lindqvist <kurtis@aol.fi>
Reply-To: kurtis@aol.fi
Organization: Alandia Online
X-Mailer: Mozilla 3.0b6Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Socksified news reader
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Does anyone know of a socksified news reader for Windows/Windows 95?
Netscape does support socks for news but doesn't support user
autentication (as far as I know).
	
-- 
- kurtis -      | email : kurtis@aol.fi | Phone : +358-(9)28-17924
Alandia Online  | http://www.aol.fi     | Mobile : +358-(9)405512277

From firewalls-owner  Wed Aug 14 13:40:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA13389 for firewalls-outgoing; Wed, 14 Aug 1996 12:10:27 -0700 (PDT)
Received: from newfed.FRB.GOV (newfed.frb.gov [198.3.221.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA13347 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 12:10:10 -0700 (PDT)
Received: from FRB.GOV by newfed.FRB.GOV (4.1/SMI-4.0)
	id AA13466; Wed, 14 Aug 96 15:10:32 EDT
Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0)
	id AA14491; Wed, 14 Aug 96 15:07:13 EDT
Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.6.12/8.6.12) with SMTP id PAA04487; Wed, 14 Aug 1996 15:04:47 -0400
Message-Id: <199608141904.PAA04487@kryten.frb.gov>
X-Authentication-Warning: kryten.frb.gov: Host localhost.frb.gov didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: silveira@nutpagw.nutec.com.br
Cc: peter@baileynm.com (Peter da Silva), firewalls@greatcircle.com
Subject: Re: NT Firewalling 
In-Reply-To: Your message of "Wed, 14 Aug 1996 13:15:27 -0300."
             <199608141607.NAA03537@nutspgw.nutec.com.br> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 14 Aug 1996 15:04:46 -0400
From: "Jonathan M. Bresler" <jmb@FRB.GOV>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>Imagine for a second you're a firewall developer, and you have a
>version of your product for the "mandatory" platforms: RISC Solaris,
>HP-UX, AIX, Digital. What next? Intel support. What are the options:
>NT, BSD/OS, FreeBSD, NetBSD, Linux, SCO UNIX, Solaris for Intel, ...
>What would you choose?

pick any one of the following:

	--the one that is closest to what you have already done
	--the one(s) for which you can get source so that you can
		further harden the os
	--the one the marketing folks talk about

	better question:  which one does a *user* want?

		--fancy 9 digit company name
		--effective security
jmb

-- 
Jonathan M. Bresler             202-452-2831                 breslerj@frb.gov
MS-169          Federal Reserve Board of Governors        Washington DC 20551
Speaking for myself.  Others speak for the Federal Reserve Board of Governors



From firewalls-owner  Wed Aug 14 13:45:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA12861 for firewalls-outgoing; Wed, 14 Aug 1996 12:03:47 -0700 (PDT)
Received: from pegase.total.fr (pegase.total.fr [146.249.152.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA12818 for <Firewalls@greatcircle.com>; Wed, 14 Aug 1996 12:03:22 -0700 (PDT)
Received: from tidtest.total.fr (tidtest.total.fr [146.249.165.73]) by pegase.total.fr (8.6.8/8.6.6) with SMTP id VAA09578; Wed, 14 Aug 1996 21:04:02 +0200
Received: by tidtest.total.fr (4.1/SMI-4.1)
	id AA26820; Wed, 14 Aug 96 21:02:08 +0200
Message-Id: <9608141902.AA26820@tidtest.total.fr>
To: Bill Stout <bill.stout@hidata.com>
Cc: Firewalls@greatcircle.com
Subject: Re: Looking for SYN packet generator. 
In-Reply-To: Your message of "Tue, 13 Aug 1996 14:36:22 PDT."
             <199608132136.OAA03285@osc.osc.hidata.com> 
X-Cuse: "The dog ate my network"
Date: Wed, 14 Aug 1996 21:02:07 +0100
From: Michel Lavondes <lavondes@tidtest.total.fr>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


In message <199608132136.OAA03285@osc.osc.hidata.com>, Bill Stout writes:
> Anyone know where to get a SYN generator for test purposes?
> 
> Anyone know if NT, Solaris or a Network General Sniffer can gen 
> SYN packets?
> 
The Sniffer can, by replaying (part of) a capture. Since you can
edit the frames, you can change addresses, ISNs, etc ...

HTH

Michel Lavondes (lavondes@tidtest.total.fr)
#include <disclaimer.h>
Governments are guilty until proved innocent

From firewalls-owner  Wed Aug 14 14:30:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA11405 for firewalls-outgoing; Wed, 14 Aug 1996 11:50:32 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA11311 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 11:49:55 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id OAA13408; Wed, 14 Aug 1996 14:53:57 -0500
From: Adam Shostack <adam@homeport.org>
Message-Id: <199608141953.OAA13408@homeport.org>
Subject: Re: BootUp Security!
To: fay@bliss.stetson.edu (Jeff Fay)
Date: Wed, 14 Aug 1996 14:53:57 -0500 (EST)
Cc: adam@homeport.org, stigmata@pacbell.net, firewalls@GreatCircle.COM
In-Reply-To: <Pine.SUN.3.93.960813094527.24785A-100000@bliss.stetson.edu> from "Jeff Fay" at Aug 13, 96 09:46:45 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

	People smarter than me tell me that 3des and IDEA are both
very good.  RSA with key sizes greater than 1024 bits are probably
good for a while longer.  Both 3des and IDEA will take longer than you
have left here to brute force search, assuming no clever short cuts
are found.

	(The other question I was asked is where to get the CIA
directive?)

It is: Director Of Central Intelligence Directive 1/21
Physical Security Standards for senstive conmpartmnted information
facilities, approved 30 Jan 1994.

The only addresses are for comments:
Community Counterintelligence and security
Countermeasures Office/Community Management Staff (CCISCMO/CMS)
Central Intellignece[sic] Agency, Washington, DC, 20505

Adam

Jeff Fay wrote:

| > 	For disk encryption on UNIX, use CFS.
| > ftp.research.att.com/pub/mab/?  On macs, look into Cryptdisk, or for
| > PCs, I think securedrive is reccommended, but I haven't used it.  All
| > use (or offer) strong encryption at the filesystem level.

|   What exactly is strong encryption? DES? RSA? Just curious...because if I
| have the hard drives I have all the time in the world to brute force it.
| -Jeff "Fiji" Fay
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume


From firewalls-owner  Wed Aug 14 14:32:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA21515 for firewalls-outgoing; Wed, 14 Aug 1996 13:36:34 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA21454 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 13:36:06 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0uqmXq-000Kz3C>; Wed, 14 Aug 96 22:28 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0uqmXq-001l7sC>; Wed, 14 Aug 96 22:28 MET DST
Received: by lina
	id m0uqmTk-0004k9C
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Wed, 14 Aug 96 22:23 MET DST
Message-Id: <m0uqmTk-0004k9C@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Re[2]: huh? switch hitter?
To: toranix@ultranet.com (Mike Eddington)
Date: Wed, 14 Aug 1996 22:23:47 +0200 (MET DST)
Cc: Brian_Murrell@bctel.net, roberth@cet.com, firewalls@GreatCircle.COM
In-Reply-To: <01BB89F4.544B30E0@NOWHERE_> from "Mike Eddington" at Aug 14, 96 03:21:53 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> Then in reality you aren't sniffing the switch, and all the connections coming into it, 
> your just sniffing that segment.
On twised pair networks you usually have one cable to the central switch%hub
rack/host. If you then connect all the system to switched hubs or smarthubs,
you will get 1segment/host, which is a good idea for heavy loaded networks
or in environmants you might have a lot of malicious sniffers.

Greetings
Bernd

PS: of course it doesnt make enryption unnecessary for important data
streams.

From firewalls-owner  Wed Aug 14 14:48:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22866 for firewalls-outgoing; Wed, 14 Aug 1996 13:47:05 -0700 (PDT)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA22692 for <Firewalls@greatcircle.com>; Wed, 14 Aug 1996 13:46:01 -0700 (PDT)
Received: by csc.com (Smail3.1.29.1 #1)
	id m0uqmpB-001AoMC; Wed, 14 Aug 96 16:45 EDT
Message-ID: <3212655B.6956@csc.com>
Date: Wed, 14 Aug 1996 16:46:36 -0700
From: Adam Safier <asafier@csc.com>
Reply-To: asafier@csc.com
Organization: Computer Sciences Corp.
X-Mailer: Mozilla 3.0b5a (Win16; I)
MIME-Version: 1.0
To: Firewalls@greatcircle.com
Subject: authentification
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is the second time I've seen/heard the term "authentification".

Is there such a word and what does it mean?  
(Maybe what happens to you when authentication fails?)

Or is this evolution or convolution of the language?
-- 
Adam Safier                  asafier@csc.com
CSC-SED-Infosec              (301) 794-1349

Please check out the Libertarian party page, http://www.lp.org.
Check the interesting 2 Dimensional political position graph/survey.

The above are my own opinions, 
and I'm proud to live in a country where I'm free to express them!

From firewalls-owner  Wed Aug 14 14:58:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA26083 for firewalls-outgoing; Wed, 14 Aug 1996 14:13:07 -0700 (PDT)
Received: from thehole.pils.com (pils.com [198.168.83.192]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA26060 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 14:12:46 -0700 (PDT)
From: jaysona@pils.com
Received: from ccmgate.pils.com (ccmgate.pils.com [199.202.224.253])
	by thehole with SMTP (DuhMail/2.0)
	id RAA23642; Wed, 14 Aug 1996 17:17:09 -0400
Received: from cc:Mail by ccmgate.pils.com
	id AA840067955; Wed, 14 Aug 96 17:11:55 EST
Date: Wed, 14 Aug 96 17:11:55 EST
Message-Id: <9607148400.AA840067955@ccmgate.pils.com>
To: firewalls@greatcircle.com
Subject: Re: BootUp Security!
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

     
     Keep all important and critical data off of the computer stations, and 
     store them on a server that is stored in a controlled access room.
     
     Another alternative is to use removeable hard drives, and store them 
     in a vault each night before leaving.
     
     
*************************************************************************** 
* Jayson Agagnier                                      514-333-0042 x4144 * 
* Phoenix International Life Sciences Inc.             Fax:  514-333-8861 * 
* 2350 Cohen                                           jaysona@pils.com   * 
* Montreal, Quebec  CANADA                             jaysona@micro.org  * 
* H4R 2N6                       http://www.pils.com  http://www.micro.org * 
*************************************************************************** 
     

     


______________________________ Reply Separator _________________________________
Subject: BootUp Security!
Author:  stigmata@pacbell.net at INTERNET
Date:    13-08-1996 4:02 AM


We recently had a breakin and the R&D department was litteraly broken 
apart for their harddrives is there anyway to protect data that is 
stored on a down system like this.?
mailto:stigmata@pacbell.net
Robert


From firewalls-owner  Wed Aug 14 15:12:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA11592 for firewalls-outgoing; Wed, 14 Aug 1996 11:52:35 -0700 (PDT)
Received: from SanFrancisco01.POP.InterNex.Net (SanFrancisco01.POP.InterNex.Net [205.158.3.50]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA11581 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 11:52:22 -0700 (PDT)
Received: from taoist.marineterminals.com ([157.151.226.68])
          by SanFrancisco01.POP.InterNex.Net (post.office MTA v1.9.3
          ID# 0-11028) with SMTP id AAA17038;
          Wed, 14 Aug 1996 11:52:00 -0700
X-Sender: marineterminals-3@SanFrancisco01.pop.internex.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Brian Murrell <Brian_Murrell@bctel.net>
From: robw@marineterminals.com (Robert Williams)
Subject: Re: Re[2]: huh? switch hitter?
Cc: firewalls@greatcircle.com
Date: Wed, 14 Aug 1996 11:52:00 -0700
Message-ID: <19960814185159.AAA17038@taoist.marineterminals.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Don't people usually switch segments rather than individual hosts??  Isn't
>switching ethernet a little expensive to do it by host??  If the switching
>is done by segment rather than by host, then one could still sniff one's
>own physical segment.
>
>b.

1) I think most people are switching segments as opposed to switching all
the way to the client.

2) Switching is coming down in cost per port.  In the areas where we wanted
it, we put switch-to-client in at a cost of around $140 per port.

Regards.

RobW




From firewalls-owner  Wed Aug 14 15:28:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA25202 for firewalls-outgoing; Wed, 14 Aug 1996 14:04:02 -0700 (PDT)
Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA25186 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 14:03:47 -0700 (PDT)
Received: (pokey@localhost) by maddie.atlantic.com (8.6.10/8.6.11) id RAA30974; Wed, 14 Aug 1996 17:00:19 -0400
From: Rick Romkey <pokey@maddie.atlantic.com>
Message-Id: <199608142100.RAA30974@maddie.atlantic.com>
Subject: Re: No More Unlimited User Licenses Please...
To: bjm@ottawa.net (Brian McIntosh)
Date: Wed, 14 Aug 1996 17:00:18 -0400 (EDT)
Cc: hcasav@bmv.com.mx, Firewalls@GreatCircle.COM
In-Reply-To: <199608141427.KAA15590@dns.ottawa.net> from "Brian McIntosh" at Aug 14, 96 10:27:01 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

 
> Licensing based on 'users' is simply a marketing tool by which 
> a vendor can provide a firewall to smaller organanizations at a 
> reduced cost.

Or to increase the cost for a larger org...

> Confusion often arises because of the term 'users'.  In this
> scenario, it does *not* mean users of the Internet; it refers 
> to a user of the firewall's protection.  Less confusion would
> arise if vendors used the more specific term 'protected 
> nodes' rather than 'users'.

Many firewalls use a bit from both worlds for licensing.  FW-1
creates a flat file list of all unique IP hosts it learns
about (through useage).  If this list exceeds the purchase license
count (either 50, 256 or unlimited), then it indicates this violation
to the admin.  It also has a "concurrent use" license.  

BorderWare uses what they call a "screen" license.  The number of
computers, terminals, etc in total that will be using the firewall.
It is not based on all machines capable of using it, just those
that will be accessing the internet through it.
 
Just talk with your VAR about what the particlar product's license
actually means...it varies quite a bit.

-Rick

----------------------------------------------------------------------------
 Rick E Romkey     |          A T L A N T I C           |     Internet
pokey@atlantic.com |  Computing Technology Corporation  |   Specialists
 (860) 667-9596    |     http://www.atlantic.com/       |    
-----------------------------------------------------------------------------

From firewalls-owner  Wed Aug 14 15:32:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA04199 for firewalls-outgoing; Wed, 14 Aug 1996 15:15:03 -0700 (PDT)
Received: from gatekeeper-o.neurondata.com (gatekeeper.neurondata.com [204.162.77.3]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA04041 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 15:14:21 -0700 (PDT)
Received: by gatekeeper-o.neurondata.com; id IAA17674; Wed, 14 Aug 1996 08:10:08 -0700 (PDT)
Received: from melbourne.neurondata.com(204.162.78.110) by gatekeeper.neurondata.com via smap (V3.1.1)
	id xma017639; Wed, 14 Aug 96 08:09:48 -0700
X-Sender: gilbert@netcom16.netcom.com
Message-Id: <v03007801ae37b27eaab1@[204.162.78.110]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 14 Aug 1996 15:03:12 -0800
To: firewalls@greatcircle.com
From: Gilbert Rankin <gilbert@netcom.com>
Subject: RealAudio?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My employer is considering putting a RealAudio server on our public web
site.  There is some concern that many of our customers will not be able to
access the server because they are behind a firewall and due to the
conservative approach that many companies take toward new proprietary
protocols.

If you maintain a firewall, have a moment and responding wouldn't violate
your security policy would you please send  me, _not_ the list a short note
saying whether you do or do not allow RealAudio traffic through your
firewall.  If there is interest I will summarize the responses to the list
in a week or so.




----------------------------------------------------------------------
Gilbert Rankin                              Email:  gilbert@netcom.com
                                            Voice:      (415) 943-2562

Anonymous Quote -------------> "God is real, unless declared integer."



From firewalls-owner  Wed Aug 14 17:02:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA10874 for firewalls-outgoing; Wed, 14 Aug 1996 15:56:46 -0700 (PDT)
Received: from stewpot.mazama.com (stewpot.mazama.com [204.122.23.18]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA10865 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 15:56:36 -0700 (PDT)
Received: from klawatti.inside.sealabs.com (klawatti.sealabs.com [207.54.9.49]) by stewpot.mazama.com (8.7.4/8.6.9) with SMTP id PAA28947; Wed, 14 Aug 1996 15:56:24 -0700
Received: from torment.sealabs.com (torment.sealabs.com [207.54.9.53]) by klawatti.inside.sealabs.com (8.7.3/8.7.3) with ESMTP id PAA04162; Wed, 14 Aug 1996 15:53:38 -0700
Received: (from david@localhost) by torment.sealabs.com (8.7.4/8.7.3) id PAA06525; Wed, 14 Aug 1996 15:56:34 -0700
Date: Wed, 14 Aug 1996 15:56:34 -0700
Message-Id: <199608142256.PAA06525@torment.sealabs.com>
From: David Bonn <david@sealabs.com>
To: Rick Romkey <pokey@maddie.atlantic.com>
Cc: bjm@ottawa.net (Brian McIntosh), hcasav@bmv.com.mx,
        Firewalls@GreatCircle.COM
Subject: Re: No More Unlimited User Licenses Please...
In-Reply-To: <199608142100.RAA30974@maddie.atlantic.com>
References: <199608141427.KAA15590@dns.ottawa.net>
	<199608142100.RAA30974@maddie.atlantic.com>
X-Face: XqRX&d@*a1_=<M;\%Bn)r1oej(8/KCH%Q05[@<2hf@A~{zX.g)%>Sj'S2uy!1yF*A;#j3jP
 MlQ~tg6Wz[+$c~|cKDX<Cs:l${*tj46ew@:aG\Ob?X*uV~"pmC{]uP_hA1V<&I7TO;x0zITo2A&eY-
 x%GA1Ixz%g})=^W]jji}jw
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Rick" == Rick Romkey <pokey@maddie.atlantic.com> writes:

>> Licensing based on 'users' is simply a marketing tool by which 
>> a vendor can provide a firewall to smaller organanizations at a 
>> reduced cost.

Rick> Or to increase the cost for a larger org...

It seems to me that just selling the product for less money would be less
work.  All that hassle with n-user licenses is an annoying support
burden and tracking problem.

dwb

From firewalls-owner  Wed Aug 14 17:31:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18564 for firewalls-outgoing; Wed, 14 Aug 1996 17:05:10 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA18501 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 17:04:43 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id RAA22810 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 17:04:42 -0700
Date: Wed, 14 Aug 1996 17:04:41 -0700 (PDT)
From: Robert Hanson <roberth@cet.com>
To: firewalls@greatcircle.com
Subject: Re: Re[2]: huh? switch hitter?
In-Reply-To: <19960814185159.AAA17038@taoist.marineterminals.com>
Message-ID: <Pine.LNX.3.94.960814170046.22693A-100000@cet.cet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

i appreciate the etherswitch info from everyone...

now... with multiple entry points to the net... say a cisco 7000ish in one
or more places... is everyone putting their firewalls "just" inside the
border routers before the etherswitches or in multiple places or...

im getting there... ;)

--->
Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
(509) 927-9541             finger: info@cet.com or email: roberth@cet.com


From firewalls-owner  Wed Aug 14 17:43:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA21305 for firewalls-outgoing; Wed, 14 Aug 1996 17:35:43 -0700 (PDT)
Received: from interramp.com (pop3.interramp.com [38.8.32.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA21250 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 17:35:24 -0700 (PDT)
Received: from .interramp.com by interramp.com (8.6.12/SMI-4.1.3-PSI-pop-local)
	id UAA13316; Wed, 14 Aug 1996 20:35:19 -0400
Message-ID: <32129968.73D9@pop3.interramp.com>
Date: Wed, 14 Aug 1996 20:28:40 -0700
From: Ed Young <us002628@interramp.com>
X-Mailer: Mozilla 2.01 (Win16; I)
MIME-Version: 1.0
To: alexf@iss.net
CC: firewalls@greatcircle.com
Subject: Re: binary sniffer
References: <199607121451.KAA02534@phoenix.iss.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Alex F wrote:
> 
> I am wondering, are there any sniffers that show packets in binary
> rather than hex?  I would like to have something akin to Sun's
> "snoop" where on one side of the screen I can see the actual packets
> and on the other side I can see the ASCII translation.  Yes, I can
> pipe the output to something that will convert the HEX to binary, but
> I would just rather have a program that will show the packets in
> binary form to start with.
> 
> Thanks,
> 
> Alex F
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Alex F    alexf@iss.net
> Marketing Specialist
> Internet Security Systems
> =-=-=-=-=-=-=-=-=-=-=-=-=-The Network General Sniffer will show packets in Hex and Ascii format 
side by side.

From firewalls-owner  Wed Aug 14 17:58:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA19207 for firewalls-outgoing; Wed, 14 Aug 1996 17:08:29 -0700 (PDT)
Received: from prometheus.hol.gr (prometheus.hol.gr [194.30.193.159]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA19015 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 17:07:30 -0700 (PDT)
Hops: 0
Host: greatcircle.com.
Received: from del.tla.org (root@ppp33.hol.gr [194.30.192.97]) by prometheus.hol.gr (8.7.4/8.7.3) with ESMTP id DAA17673 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 03:02:16 -0200 (GMT)
Posted-Date: Thu, 15 Aug 1996 03:02:16 -0200 (GMT)
Received: from del.tla.org (ji@localhost.tla.org [127.0.0.1]) by del.tla.org (8.7.2/8.6.9) with ESMTP id DAA07299 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 03:05:50 +0300 (EET DST)
Message-Id: <199608150005.DAA07299@del.tla.org>
X-Mailer: exmh version 1.6.2 7/18/95
To: firewalls@greatcircle.com
Subject: Re: authentification 
In-reply-to: Your message of "Wed, 14 Aug 1996 16:46:36 PDT."
             <3212655B.6956@csc.com> 
Reply-To: ji@hol.gr
Organization: La maison qui rend fou.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 15 Aug 1996 03:05:44 +0300
From: John Ioannidis <ji@hol.gr>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is no such word. There are people on this list whose command of English 
is less than perfect, and make up words by converting words from their own 
language into something that sounds vaguely english-like.

The proper word is `authentication' (which, according to the Barnhart Concise 
Dictionary of Etymology, has been in the English language since at least 1788).

/ji, for whom English is a third language.



From firewalls-owner  Wed Aug 14 18:09:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA20272 for firewalls-outgoing; Wed, 14 Aug 1996 17:20:58 -0700 (PDT)
Received: from balder-int.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA20238 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 17:20:45 -0700 (PDT)
Received: by balder-int.ssds.com; id AA00534; Wed, 14 Aug 96 18:20:23 MDT
Received: from baltimore.ssds.com(134.127.34.1) by balder.ssds.com via smap (V3.1.1)
	id xma000530; Wed, 14 Aug 96 18:20:21 -0600
Received: by baltimore.ssds.com id UAA28371; Wed, 14 Aug 1996 20:21:17 -0400 (EDT)
Date: Wed, 14 Aug 1996 20:21:17 -0400 (EDT)
From: "Mike \"Will tame Cisco's for food\" Malik" <mike.malik@ssds.com>
X-Sender: mam@baltimore
To: Rabid Wombat <wombat@mcfeely.bsfs.org>
Cc: "Jeff D. Hayes" <hayesjd@mnbp2.network.com>,
        Firewalls <firewalls@GreatCircle.COM>
Subject: re: Security on Frame Relay
In-Reply-To: <Pine.BSF.3.91.960814053439.771D-100000@mcfeely.bsfs.org>
Message-Id: <Pine.SUN.3.93.960814201539.28170A-100000@baltimore>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ok get real simple here Cray Communications makes a box for around 3 K
which does Frame-relay payload encryption. No I will or do not work for
them and if you ask me in private email I can give you the gory details
about the box. So if you were going to deploy them you would need one for
each site.
Because you are doing this at the frame level all protocols are supported.
But of coures everyone knew that right ? 
Mike
  ( (   | (                Mike Malik (mam@ssds.com)         
   ) ) (|  ), inc.         9841 Broken Land Parkway,Suite 100 
  business driven          Columbia, MD 21046 
technology solutions       410-381-4313 FAX: 410-381-2170


From firewalls-owner  Wed Aug 14 18:10:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA18002 for firewalls-outgoing; Wed, 14 Aug 1996 16:59:43 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id QAA17933 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 16:59:19 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
	id AA23259; Wed, 14 Aug 1996 17:00:49 -0700
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA21324; Wed, 14 Aug 96 16:58:50 PDT
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
	id AA28391; Wed, 14 Aug 1996 16:58:42 -0700
Message-Id: <9608142358.AA28391@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
  9D4EAA98D36ABBE6882563860083B9BD; Wed, 14 Aug 96 16:58:41 EDT
To: Matthew Stier - Imonics Corporation <matthew.stier@imonics.com>
Cc: firewalls <firewalls@sybase.com>
From: Ryan Russell/SYBASE
  <Ryan.Russell@sybase.com>
Date: 14 Aug 96 17:00:15 EDT
Subject: Re: Supporting Internet Relay Chat CTCP and DCC.
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

With your same setup, I can DCC receive, but not
DCC send.  The reason is that for me to DCC
send, I have to become a server, with a unique
IP address, which is contrary to the fundamental 
philosophy of SPF/NAT.

    Ryan

---------- Previous Message ----------
To: firewalls
cc: 
From: matthew.stier @ imonics.com (Matthew Stier - Imonics Corporation) @ smtp
Date: 08/12/96 11:42:41 AM
Subject: Supporting Internet Relay Chat CTCP and DCC.


I have a few users that, on their free time, like to chat on the IRC.

Now that our site has replaced its packet filtering, with FireWall-1,
these users are have trouble with DCC and CTCP protocols from within
thier IRC clients.

I have been looking for the port/protocol specifications for these
so a solution can be implemented.

--
Matthew.Stier@imonics.com         |
Unix Systems Administrator        |
BSG Corporation                   |       "Wisconsin Escapee"
Cary, NC 27511, (919) 461-6000    |




From firewalls-owner  Wed Aug 14 18:29:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA11819 for firewalls-outgoing; Wed, 14 Aug 1996 16:01:21 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA11333 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 15:59:30 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0uqojX-000L5xC>; Thu, 15 Aug 96 00:48 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0uqojX-001l96C>; Thu, 15 Aug 96 00:48 MET DST
Received: by lina
	id m0uqogU-0004k9C
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 15 Aug 96 00:45 MET DST
Message-Id: <m0uqogU-0004k9C@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: BootUp Security!
To: firewalls@GreatCircle.COM
Date: Thu, 15 Aug 1996 00:45:05 +0200 (MET DST)
In-Reply-To: <199608141953.OAA13408@homeport.org> from "Adam Shostack" at Aug 14, 96 02:53:57 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> 	People smarter than me tell me that 3des and IDEA are both
> very good.  RSA with key sizes greater than 1024 bits are probably
> good for a while longer.  Both 3des and IDEA will take longer than you
> have left here to brute force search, assuming no clever short cuts
> are found.

RSA is not suited to encrypt large amounts of data (like all the Public Key
systems). Usually rc4, idea, 3des, blowfish and all those cryptographic
block-chifres are secure against brute-force attacks as long as the key is
long enough. (128bits are save quite some time i guess). 

On the other hand there is no real proofen method, so you can never be sure
if there is a shortcut. There is a proofen method, but the proof relies on
the fact that a special cryptografic hash (i.e. SHA-1) is realy a hash
function without collissions. Since you can't proof that, too.. there is no
big security gain from that method.

In all cases: don't by 'product a which is secure due to cool programming
tricks by Company X', but look at products with uses 'well knwn algortithm X
in XXX-Mode with well known cryptocrafic Hash ZZY'.

There is no magic in applying math to crypt a disk, dont bother with secret
methods which are only secret as long as youdont use an debuggger on the
program.

Greetings
Bernd

PS: of course crypto WILL decrease your performance (you might look at
hardware crypto-systems, but those are usually very expensive and wont allow
all transfer-rates as well). Therefore locking you computer in a room or
placing the hard-disk in a safe at nicht is a possible soultion, too. (And
dont forget to lock your backup tapes, too :)
-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )   ecki@{lina.inka.de,linux.de}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner  Wed Aug 14 18:33:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA25182 for firewalls-outgoing; Wed, 14 Aug 1996 18:14:26 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA25110 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 18:13:54 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0uqr0G-000KyqC>; Thu, 15 Aug 96 03:13 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0uqr0F-001l9CC>; Thu, 15 Aug 96 03:13 MET DST
Received: by lina
	id m0uqr04-0004k9C
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 15 Aug 96 03:13 MET DST
Message-Id: <m0uqr04-0004k9C@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Re[2]: huh? switch hitter?
To: roberth@cet.com (Robert Hanson)
Date: Thu, 15 Aug 1996 03:13:27 +0200 (MET DST)
Cc: firewalls@greatcircle.com
In-Reply-To: <Pine.LNX.3.94.960814170046.22693A-100000@cet.cet.com> from "Robert Hanson" at Aug 14, 96 05:04:41 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> now... with multiple entry points to the net... say a cisco 7000ish in one
> or more places... is everyone putting their firewalls "just" inside the
> border routers before the etherswitches or in multiple places or...

Depens on the switch and the firewal. Usually you connect the switch
(perhaps with an downlink-port) to the firewall, all stations to the ports
of the switch and the cisco to the firewall.

You can think of a switch like a multi-plug for network cables.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )   ecki@{lina.inka.de,linux.de}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner  Wed Aug 14 18:43:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA03287 for firewalls-outgoing; Wed, 14 Aug 1996 15:10:02 -0700 (PDT)
Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA03170 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 15:09:29 -0700 (PDT)
Received: from Barbara Jaarsma.us.checkpoint.com (barbara-pc) by  us.checkpoint.com (5.x/SMI-SVR4)
	id AA07061; Wed, 14 Aug 1996 15:10:19 -0700
Message-Id: <32124F4B.7389@us.checkpoint.com>
Date: Wed, 14 Aug 1996 15:12:27 -0700
From: Barbara Jaarsma <barbara@us.checkpoint.com>
Organization: CheckPoint Software Technologies, Inc. Technical Services
X-Mailer: Mozilla 2.0 (Win95; U)
Mime-Version: 1.0
To: Delmer Harris <dharris@kcp.com>
Cc: Firewalls@GreatCircle.COM, Hector Casavantes <hcasav@bmv.com.mx>
Subject: Re: No More Unlimited User Licenses Please...
References: <199608141921.AA13346@kcpgw2.kcp.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Delmer Harris wrote:
> Hector:
> My experience says you are correct about not needing an unlimited 
> license.  The license (for Un*x, I am assuming) is for concurrent 
> logon sessions, so you should be able to configure more valid IP
> addresses than you have user licenses as long as you don't need them 
> all at once. 
Delmer, Hector, et al:

The number of licenses you need to purchase should equal the NUMBER OF 
NODES THAT ARE PROTECTED BY THE FIREWALL, whether or not traffic from 
said nodes actually traverses the firewall.

-Barb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Barbara Jaarsma, Sr. Technical Support Engineer - x250    800-429-4391
                                                          415-562-0400
CheckPoint Software Technologies, Inc.            
400 Seaport Court - Suite 105                barbara@us.checkpoint.com
Redwood City, California  95063              http://www.checkpoint.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner  Wed Aug 14 19:16:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA01285 for firewalls-outgoing; Wed, 14 Aug 1996 19:00:39 -0700 (PDT)
Received: from citecuh.citec.qld.gov.au (citecuh.citec.qld.gov.au [203.5.10.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA01235 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 19:00:15 -0700 (PDT)
Received: (from mail@localhost) by citecuh.citec.qld.gov.au (8.7.5/8.7.3) id MAA01350; Thu, 15 Aug 1996 12:00:11 +1000 (EST)
Received: from guru.citec.qld.gov.au(147.132.20.47) by citecuh.citec.qld.gov.au via smap (V1.3)
	id /mail/incoming/sma001320; Thu Aug 15 11:59:52 1996
Received: (from sgcccdc@localhost) by guru.citec.qld.gov.au (8.6.12/8.6.12) id MAA22391; Thu, 15 Aug 1996 12:00:11 +1000
From: Colin Campbell <sgcccdc@citec.qld.gov.au>
Message-Id: <199608150200.MAA22391@guru.citec.qld.gov.au>
Subject: Re: authentification
To: ji@hol.gr
Date: Thu, 15 Aug 1996 12:00:10 +1000 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199608150005.DAA07299@del.tla.org> from "John Ioannidis" at Aug 15, 96 03:05:44 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My mailer thinks John Ioannidis said:
> 
> There is no such word. There are people on this list whose command of English 
> is less than perfect, and make up words by converting words from their own 
> language into something that sounds vaguely english-like.
> 
> The proper word is `authentication' (which, according to the Barnhart Concise 
> Dictionary of Etymology, has been in the English language since at least 1788).
> 
Not to be outdone, we have a person here who thinks the word is

	authenticication

Top that!

Colin

From firewalls-owner  Wed Aug 14 19:19:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA10280 for firewalls-outgoing; Wed, 14 Aug 1996 11:41:43 -0700 (PDT)
Received: from tartarus (willard.us.newbridge.com [204.177.219.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA10202 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 11:41:22 -0700 (PDT)
Received: from tartarus (tartarus.us.newbridge.com [138.120.108.65]) by tartarus (8.7.5/8.7.3) with SMTP id OAA11055; Wed, 14 Aug 1996 14:37:41 -0400 (EDT)
Date: Wed, 14 Aug 1996 14:37:41 -0400 (EDT)
From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
X-Sender: murchiso@tartarus
To: Brian Murrell <Brian_Murrell@bctel.net>
cc: lists@lina.inka.de, roberth@cet.com, firewalls@GreatCircle.COM
Subject: Re: Re[2]: huh? switch hitter?
In-Reply-To: <199608141617.JAA24207@mocha.bctel.net>
Message-ID: <Pine.SOL.3.95.960814143020.3252G-100000@tartarus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, we are finding a large number of our customers are purchasing
our solutions to dedicate a single switched ethernet port per workstation.
This much bandwidth is not always necessary for each individual, but as
soon as they start playing with network-based multimedia applications the
need becomes more apparent... the security benefits are also a plus. :-)

Roderick Murchison, Jr.                      murchiso@vivid.newbridge.com
Newbridge Networks, Inc.                     office: (703) 708-5930
Product Manager - VIVID ACS                     fax: (703) 708-5937
Herndon, VA 22070-5241                       http://www.vivid.newbridge.com

On Wed, 14 Aug 1996, Brian Murrell wrote:

> from the quill of lists@lina.inka.de (Bernd Eckenfels) on scroll
> <m0uqYAU-0004k3C@lina>
> > On a switched ethernet a NIC in promisc mode will only receive the
> > packets
> > which are broadcasted (i.e. ARP) and those which are send directly to the
> > HW-Address of the interface. Thats the reason why u have less collisions
> > with switches, cause they simply filter the Packets on the net for each
> > port. You can also lock the arp-addresses in the switch for more
> > security.
> 
> Don't people usually switch segments rather than individual hosts??  Isn't
> switching ethernet a little expensive to do it by host??  If the switching
> is done by segment rather than by host, then one could still sniff one's
> own physical segment.
> 
> b.
> 
> 
> --
> Brian J. Murrell                                        Brian_Murrell@bctel.net
> BCTel Advanced Communications                                   brian@ilinx.com
> Vancouver, B.C.                                                brian@wimsey.com
> 604 454 5279
> 


From firewalls-owner  Wed Aug 14 19:27:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA02342 for firewalls-outgoing; Wed, 14 Aug 1996 19:08:39 -0700 (PDT)
Received: from crow.spirit.com (pool025.Max6.FFX1.VA.DYNIP.ALTER.NET [205.230.245.89]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA02303 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 19:08:24 -0700 (PDT)
Received: (from rik@localhost) by crow.spirit.com (8.7.3/8.7.3) id QAA00297; Wed, 14 Aug 1996 16:37:21 -0700 (MST)
Date: Wed, 14 Aug 1996 16:37:21 -0700 (MST)
From: Rik Farrow <rik@spirit.com>
Message-Id: <199608142337.QAA00297@crow.spirit.com>
To: firewalls@greatcircle.com, swlodin@eng.delcoelect.com
Subject: Re: USENIX Symposium Firewalls BOF Notes
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve Lodin suggested that I add my notes to the ones he already posted.

In regards to MD5, Steve Bellovin mentioned that S/Key only used the
lower 64 bits of the 128 bits generated by MD5.  Also, that success
in finding two inputs which would have the same output involved using
fewer iterations of the algorithm.  Steve mentioned seeing a hacker
tool designed to capture S/Key responses, and a tool named monkey
which performs a crack-style search for keys based on bad passwords.

Someone else asked if Tripwire supported SHA.  The answer was no, [but
I'd like to add that combining MD5 with Snefru provides 256 bits, and
should be safe for a while.]

At the end of Steve's notes, Fred Avolio was making the point that
some sites feel that having a firewall, any firewall, makes their 
site secure against anything (which reminds me of something Bill
or Steve said about having a vault for a front door and screen
doors in the back).

To continue, someone asked about blocking Java at the firewall.  Brent
mentioned that there have been implementation problems with Java,
but no fatal design problems had appeared.  [TIS and ANS have announced
Java blocking.]

Someone else asked about blocking Active-X, but got no direct response.

Carson stated that if you allow SSL through your firewall, people
can send things through the firewall which are encrypted.  For
example, a way cool Javascript [sic] that plays strip poker with
interesting animation while doing something else.  Brent then said
"You don't know you are being hosed until it's too late.  Tough 
problem."

Someone asked about performance testing.  Fred Avolio answered that
performance testing can be pruchased, but most people don't know 
what their usage is or will be.  Gaspar Carson suggested recording
IP traffic, and playing it back at different speeds.  Brent mentioned
that application mix may change over time.  Carson continued by
saying he had seen a test of sendmail which used the same address
over and over (no aliasing, DNS lookups, same rewriting each time).

Someone asked about highly available firewalls.  Carson suggested
Veritas, uses round robin DNS to assign connections to multiple
firewalls, loss of one host means loss of current TCP connections
at worst.  [I believe DEC sells a clustered firewall solution also.]

Someone asked about gated problems.  Carson suggested the gated 
mailing list.  Someone asked about having a Web server on third
leg of proxy firewall.  Carson suggested using packet filtering
in front of Web server on semi-exposed DMZ.

At this point, things became quiet enough for Brent to adjourn the
BoF.

Rik

From firewalls-owner  Wed Aug 14 20:12:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA09133 for firewalls-outgoing; Wed, 14 Aug 1996 19:57:26 -0700 (PDT)
Received: from mailsrv1.pcy.mci.net (mailsrv1.pcy.mci.net [204.71.0.43]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA09077 for <Firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 19:57:08 -0700 (PDT)
Received: from [204.189.153.18] (usr1-dialup18.Washington.mci.net)
 by MAIL-CLUSTER.PCY.MCI.NET (PMDF V5.0-7 #10045)
 id <01I8A6U228S09I8EDQ@MAIL-CLUSTER.PCY.MCI.NET>; Wed,
 14 Aug 1996 22:55:17 -0400 (EDT)
Received: from [204.189.153.18] (usr1-dialup18.Washington.mci.net)
 by MAIL-CLUSTER.PCY.MCI.NET (PMDF V5.0-7 #10044)
 id <01I8A334LOE89JFLUN@MAIL-CLUSTER.PCY.MCI.NET>; Wed,
 14 Aug 1996 21:02:50 -0400 (EDT)
Date: Wed, 14 Aug 1996 21:03:37 -0500
From: Steve Keefe <Steve.Keefe@internetmci.com>
Subject: Re: NT Firewalling
To: Mike Jones <jonesmd@unifiedtech.com>,
        "'Firewalls@GreatCircle.COM'" <Firewalls@GreatCircle.COM>,
        "jfulmer@blanket.com" <jfulmer@blanket.com>
Message-id: <01I8A33573R69JFLUN@MAIL-CLUSTER.PCY.MCI.NET>
MIME-version: 1.0
X-Mailer: e-mailMCI v2.3
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: Steve Keefe * EMC.Ver #2.3 ] --


-------- REPLY, Original message follows --------

Date: Wednesday, 14-Aug-96 09:58 AM

From: Mike Jones               \ Internet:    (jonesmd@unifiedtech.com)
To:   'Firewalls@GreatCircle.COM' \ Internet:    (firewalls@greatcircle.com)
To:   jfulmer@blanket.com      \ Internet:    (jfulmer@blanket.com)

Subject: Re: NT Firewalling

John Fulmer writes...
> > Date: Tue, 13 Aug 1996 14:55:01 -0300
> > From: "Fernando da Silveira Montenegro" <silveira@nutec.com.br>
> > Subject: Re: NT Firewalling
> ...
> > While NT expertise is a must-have, another factor I'd add to using NT 
> > over UNIX is product availability for a given platform. For instance, 
> > if you're not using a RISC workstation, if have VERY limited options 
> > as to different products. Given the current market pressure, if you 
> > want to firewall (perhaps we should create a new verb, "to firewall") 
> > using an Intel PC, your best bet will probably be NT.
> Not necessarily. I can think of at least four very good firewalls based
> on Intel platforms (Borderware, Sidewinder, TIS Gauntlet, V-One), and
> more that
> are planned (Cyberguard ?), that are based on some variant of BSDI UNIX. 

Plus you can make a perfectly good firewall with Solaris x86 and FW-1. I
have a customer who's running that configuration on a Gateway Pentium box.
I will say that he's had more hardware problems than any dozen SPARC
customers I can think of. But hey, PC parts are cheap, right? And who
really counts time the engineers spend figuring out what went wrong and
swapping parts? And doesn't everybody have spare Ethernet cards on the
shelf?

It's the old adage "you get what you pay for".  If your penny wise and
pound foolish you'll never learn.  Invest
in some decent X86 Pentium h/w and you can't go wrong.  I've been building
firewalls for almost 3 years with
insignificant fall out.

Steve Keefe
Patriot Technologies
--
	Mike.Jones@unifiedtech.com
Pause a moment and ponder this about the sedan; a six-footer can lay
flat inside the trunk of this car....
	- Car and Driver preview of the 1992 Buick Roadmaster

-------- REPLY, End of original message --------



From firewalls-owner  Wed Aug 14 20:27:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA11566 for firewalls-outgoing; Wed, 14 Aug 1996 20:22:27 -0700 (PDT)
Received: from wichita.fn.net (wichita.fn.net [204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id UAA11547 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 20:22:16 -0700 (PDT)
Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.4/8.6.9) id WAA25162; Wed, 14 Aug 1996 22:22:16 -0500 (CDT)
Date: Wed, 14 Aug 1996 22:22:16 -0500 (CDT)
From: "Bruce M." <bkmarsh@feist.com>
X-Sender: bkmarsh@wichita.fn.net
To: firewalls@greatcircle.com
Subject: Re: USENIX Symposium Firewalls BOF Notes
In-Reply-To: <199608142337.QAA00297@crow.spirit.com>
Message-ID: <Pine.BSI.3.91.960814221954.22360B-100000@wichita.fn.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 14 Aug 1996, Rik Farrow wrote:

> In regards to MD5, Steve Bellovin mentioned that S/Key only used the
> lower 64 bits of the 128 bits generated by MD5.  Also, that success
> in finding two inputs which would have the same output involved using
> fewer iterations of the algorithm.  Steve mentioned seeing a hacker
> tool designed to capture S/Key responses, and a tool named monkey
> which performs a crack-style search for keys based on bad passwords.

    Monkey was developed by Mudge and can be found at 
http://www.l0pht.com/~mudge/
along with some other information about S/Key vulnerabilities.
                       ________________________________
                      [ Bruce M. - Feist Systems, Inc. ]
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     "Official estimates show that more than 120 countries have or are 
      developing [information warfare] capabilities." -GAO/AIMD-96-84
                         So, what is your excuse now?


From firewalls-owner  Wed Aug 14 20:44:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA10069 for firewalls-outgoing; Wed, 14 Aug 1996 20:03:42 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA10050 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 20:03:31 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id CAA03588; Thu, 15 Aug 1996 02:59:21 -0400
Date: Thu, 15 Aug 1996 02:59:17 -0400 (EDT)
From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
cc: Brian Murrell <Brian_Murrell@bctel.net>, lists@lina.inka.de,
        roberth@cet.com, firewalls@GreatCircle.COM
Subject: Re: Re[2]: huh? switch hitter?
In-Reply-To: <Pine.SOL.3.95.960814143020.3252G-100000@tartarus>
Message-ID: <Pine.BSF.3.91.960815025100.3489D-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I'm running into a lot of dedicated switch port installations, too. Many 
of the switch implementations I've done recently have one station per 
port, with a few unlucky users getting plugged into a concentrator and 
being forced to share. Guess they got caught playing Windoze solitaire. :)

Be careful with the security benefits angle, though. I read a test report
a while back (sorry, don't have the reference handy, and no brands were
specified) that indicated that some switches will pass packets out all
ports when under very heavy loads - even crossing VLANs established on the
switch.  An attacker could "load" the switch from one or more ports, then
watch for "fallout" on another port. 

I don't recall Newbridge even being among those tested - this is just a 
"general warning", not directed at Roderick's post.

- r.w.


On Wed, 14 Aug 1996, Roderick Murchison, Jr. wrote:

> Actually, we are finding a large number of our customers are purchasing
> our solutions to dedicate a single switched ethernet port per workstation.
> This much bandwidth is not always necessary for each individual, but as
> soon as they start playing with network-based multimedia applications the
> need becomes more apparent... the security benefits are also a plus. :-)
> 
> Roderick Murchison, Jr.                      murchiso@vivid.newbridge.com
> Newbridge Networks, Inc.                     office: (703) 708-5930
> Product Manager - VIVID ACS                     fax: (703) 708-5937
> Herndon, VA 22070-5241                       http://www.vivid.newbridge.com
> 
> On Wed, 14 Aug 1996, Brian Murrell wrote:
> 
> > from the quill of lists@lina.inka.de (Bernd Eckenfels) on scroll
> > <m0uqYAU-0004k3C@lina>
> > > On a switched ethernet a NIC in promisc mode will only receive the
> > > packets
> > > which are broadcasted (i.e. ARP) and those which are send directly to the
> > > HW-Address of the interface. Thats the reason why u have less collisions
> > > with switches, cause they simply filter the Packets on the net for each
> > > port. You can also lock the arp-addresses in the switch for more
> > > security.
> > 
> > Don't people usually switch segments rather than individual hosts??  Isn't
> > switching ethernet a little expensive to do it by host??  If the switching
> > is done by segment rather than by host, then one could still sniff one's
> > own physical segment.
> > 
> > b.
> > 
> > 
> > --
> > Brian J. Murrell                                        Brian_Murrell@bctel.net
> > BCTel Advanced Communications                                   brian@ilinx.com
> > Vancouver, B.C.                                                brian@wimsey.com
> > 604 454 5279
> > 
> 
> 

From firewalls-owner  Wed Aug 14 20:58:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA13919 for firewalls-outgoing; Wed, 14 Aug 1996 20:48:50 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id UAA13749 for <firewalls@miles>; Wed, 14 Aug 1996 20:48:06 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123)
	id UAA18623; Wed, 14 Aug 1996 20:47:47 -0700
Received: from halon.sybase.com(192.138.151.33) by mycroft via smap (V1.3mjr)
	id sma018596; Wed Aug 14 20:46:53 1996
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0)
	id AA15233; Wed, 14 Aug 1996 20:48:37 -0700
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896)
	id AA07075; Wed, 14 Aug 96 20:46:47 PDT
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3)
	id AA05679; Wed, 14 Aug 1996 20:46:40 -0700
Message-Id: <9608150346.AA05679@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id
  928096419CA06FAA882563870014E8FF; Wed, 14 Aug 96 20:46:36 EDT
To: Christopher Liljenstolpe <chris.liljenstolpe@sybase.com>
Cc: webmaster <webmaster@sybase.com>,
        Ben Goodyear <Ben.Goodyear@dial.pipex.com>, pah <pah@esoft.co.uk>,
        firewalls <firewalls@sybase.com>
From: Ryan Russell/SYBASE
  <Ryan.Russell@sybase.com>
Date: 14 Aug 96 20:48:29 EDT
Subject: Re: To Subnet or not?
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



---------- Previous Message ----------
To: webmaster
cc: Ben.Goodyear, pah, firewalls
From: chris.liljenstolpe @ ssds.com (Christopher Liljenstolpe) @ smtp
Date: 08/14/96 01:32:32 PM
Subject: Re: To Subnet or not?

Greetings,

 I have to disagree, asking for a whole class C for one or
possibly two addresses is egregious use of address space.  Either
subnet the class C (as discussed in an earlier posting) or, if the
firewall can do address translation, use the class C for the network
between your firewall and your ISP or your router, and one of the
reuseable networks behind your firewall.

 -=Chris

On Tue, 13 Aug 1996 15:28:11 -0400, the sage Capital Works Webmaster
<webmaster@capitalworks.com> scribed:

>Ben Goodyear wrote:
>> 
>> > I'm sure that this is blindingly obvious, but I have not been able to find 
any
>> > references to it...
>> >
>> > I have a class C address for my network - As part of my firewall I will 
have a
>> > dual homed sparc 5 running Solaris 2.5. I want to forward packets from one
>> > interface to the other - am I allowed to use netmask 255.255.255.0 with 
both
>> > interfaces in the same subnet e.g.
>> >
>> > 192.100.100.1 and the other on 192.100.100.2
>> >
>> > I have tried to set routing up for this up and failed so the question is
>> >
>> > Do I have to subnet a class C address to achieve packet forwarding or is 
there
>> > some trick in the routing that I am missing??
>> >
>> > All the references on this soft of setup assume that you are doing packet
>> > forwarding from something like 192.100.100.1 to 192.100.99.1, but I only 
have a
>> > class C from my ISP and cannot affort to loose the half my IP addresses 
that
>> > subnetting would cause.
>> >
>> > Paul.
>> > --
>> >
>> 
>> Yes you do have to use subnetting to implement routing on a single
>> class "c" address.
>> 
>> To route between two networks, the two networks have to have a
>> different network number (or else, how would it know when to route?).
>> To get different network numbers on a class "c" you have to use
>> subnetting.
>> 
>> e.g.
>> 
>> use subnet 255.255.255.192
>> 
>> this will give you four networks of 64 hosts:
>> 
>> x.x.x.0-63, x.x.x.64-127, x.x.x.128-191, x.x.x.192-255
>> 
>> Set one interface to: 192.100.100.65
>> Set the other to:       192.100.100.129
>> 
>Avoid the whole thing!  Get one additional address from your ISP, on the
>same address subnet as your router!  -unless- if your router is
>configured on your class 'C', then have your ISP provide you with a
>unique IP for the router and then do a by-the-way-request for an
>additional one for your firewall?  Thus avoiding the masking issue.
>
>Kevin
>


--
   ( (   | (               Chris Liljenstolpe <Chris.Liljenstolpe@ssds.com>
    ) ) (|  ), inc.        SSDS, Inc; 8400 Normandale Lake Blvd.; Suite 993
   business driven         Bloomington, MN   55437; 
 technology solutions      TEL 612.921.2392  FAX 612.921.2395   Fram Fram Free!
 PGP Key 1024/E8546BD5     FE 43 BD A6 3C 13 6C DB  89 B3 E4 A1 BF 6D 2A A9




From firewalls-owner  Wed Aug 14 22:57:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA23460 for firewalls-outgoing; Wed, 14 Aug 1996 22:50:48 -0700 (PDT)
Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id WAA23431 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 22:50:36 -0700 (PDT)
Received: from shredder.syl.dl.nec.com (shredder.syl.dl.nec.com [143.101.64.3]) by telemann.inoc.dl.nec.com (8.7.3/8.7.3) with ESMTP id AAA13501; Thu, 15 Aug 1996 00:50:31 -0500 (CDT)
Received: by shredder.syl.dl.nec.com (8.7.5/YDL1.9.1-940729.15)
	id AAA14300(shredder.syl.dl.nec.com); Thu, 15 Aug 1996 00:50:31 -0500 (CDT)
Received: by michigan.syl.dl.nec.com (8.7.3/YDL1.9.1-940729.15)
	id AAA02763(michigan.syl.dl.nec.com); Thu, 15 Aug 1996 00:50:30 -0500 (CDT)
Date: Thu, 15 Aug 1996 00:50:30 -0500 (CDT)
From: cornell@syl.dl.nec.com (Cornell Kinderknecht)
Message-Id: <199608150550.AAA02763@michigan.syl.dl.nec.com>
To: kurtis@aol.fi
Subject: Re: Socksified news reader
Newsgroups: necus.internet.mirror.firewalls
References: <3212793C.60F7@aol.fi>
Reply-To: cornell@syl.dl.nec.com
Cc: firewalls@greatcircle.com
X-Newsreader: NN version 6.5.0 #10 (NOV)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In firewalls kurtis writes:

>Does anyone know of a socksified news reader for Windows/Windows 95?
>Netscape does support socks for news but doesn't support user
>autentication (as far as I know).

SocksCap32 and SocksCap16 let you use (almost) any newsreader through
a Socks server.  I've used WinVN and News Express with SocksCap.  At
present SocksCap only supports username/password which isn't exactly
tight authentication, however.  You can find SocksCap at the Socks web
page www.socks.nec.com and you can find WinVN et al at www.tucows.com

--- Cornell
-- 
| Cornell Kinderknecht          Email: cornell@syl.dl.nec.com |
| NWSL                                                        |
| NEC USA, Inc.                 Phone: 214-518-3509           |
| Irving, TX (Dallas)                                         |

From firewalls-owner  Wed Aug 14 23:59:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA26987 for firewalls-outgoing; Wed, 14 Aug 1996 23:51:52 -0700 (PDT)
Received: from gatekeeper.frontec.se (gatekeeper.frontec.se [193.13.192.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id XAA26976 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 23:51:07 -0700 (PDT)
Received: from tintin.lule.frontec.se (root@tintin.lule.frontec.se [192.36.15.4]) by gatekeeper.frontec.se (8.6.12/8.6.6) with SMTP id IAA11223 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 08:48:54 +0200
Received: from goozer.arctic (goozer.lule.frontec.se) by tintin.lule.frontec.se with SMTP id AA20574
  (5.67a8/IDA-1.5 for <firewalls@GreatCircle.COM>); Thu, 15 Aug 1996 08:48:52 +0200
Received: by goozer.arctic (SMI-8.6/SMI-SVR4)
	id IAA07594; Thu, 15 Aug 1996 08:46:21 +0200
Date: Thu, 15 Aug 1996 08:46:21 +0200
From: Petter.Haggman@lule.frontec.se (Petter H{ggman)
Message-Id: <199608150646.IAA07594@goozer.arctic>
To: firewalls@GreatCircle.COM
Subject: RealAudio and VDOLive
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Md5: R8NmNYjChSwRNO0sh19c+A==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Hi all!

I need to find out what protocols that RealAudio and VdoLive
are based upon. Are there any relevant RFC's?

Tia

/Petter

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=
~~~~
Petter Haggman			Email:  Petter.Haggman@lule.frontec.se
Arctic Software AB		Phone:	+46 920 75116 , Fax: +46 920 75199
Aurorum 1, S-977 75 Lulea, Sweden  GSM:  070 - 582 23 83

From firewalls-owner  Thu Aug 15 00:12:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA26146 for firewalls-outgoing; Wed, 14 Aug 1996 23:38:36 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id XAA26138 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 23:38:11 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id XAA11433; Wed, 14 Aug 1996 23:38:00 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199608150638.XAA11433@salsa.gv.ssi1.com>
Date: Wed, 14 Aug 1996 23:38:00 -0700
In-Reply-To: "Karl W. Palachuk" <karlp@ix.netcom.com>
       "Re: NT Memory (formerly NT Firewalling)" (Aug 13,  4:49pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: karlp@ix.netcom.com, firewalls@GreatCircle.COM
Subject: Re: NT Memory (formerly NT Firewalling)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Aug 13,  4:49pm, "Karl W. Palachuk" wrote:
} Subject: Re: NT Memory (formerly NT Firewalling)
} After it's installed, NT can *run* on 5.5 megs.  Of course that pages
} part of the OS plus all your programs out to disc.  Realistically, NT
} workstation can run proxy servers, web servers, and FTP servers pretty
} well on 32 megs.  NT server strains a bit below 48 megs, but will do
} okay with 32.

Depending on how heavily it is used (more than 10 connections), it sounds
like using NT workstation for your firewall could put you in violation
of your licensing agreement.  Microsoft wants you to cough up the bucks
for NT server.  There's a pretty good article on page 1 of the August 12,
1996 issue of Communications Week.

			---  Truck

From firewalls-owner  Thu Aug 15 00:51:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA00553 for firewalls-outgoing; Thu, 15 Aug 1996 00:36:58 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id AAA00543 for firewalls@greatcircle.com; Thu, 15 Aug 1996 00:36:45 -0700 (PDT)
Received: from bmv.com.mx (ns.bmv.com.mx [200.13.112.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA04529 for <firewalls@GreatCircle.COM>; Wed, 14 Aug 1996 19:23:24 -0700 (PDT)
Received: by firewall.bmv.com.mx id <14983>; Wed, 14 Aug 1996 21:20:08 -0600
Date: Tue, 13 Aug 1996 22:49:23 -0600
From: Hector Casavantes <hcasav@bmv.com.mx>
X-Mailer: Mozilla 2.02 (X11; I; HP-UX B.10.01 9000/819)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
CC: armando@sar.net
Subject: SUMMARY: No More Unlimited User Licenses Please..
References: <3212A0A8.794B@bmv.com.mx>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <96Aug14.212008cst.14983@firewall.bmv.com.mx>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Thanks a lot everyone and eachone for all great comments. 

It is surely an interesting point of evaluation when you 
are purchasing some security stuff...

Hector Casavantes wrote:
Subject: No More Unlimited User Licenses Please...
Date: Tue, 13 Aug 1996 15:23:29 -0600
From: Hector Casavantes <hcasav@bmv.com.mx>
To: Firewalls@GreatCircle.COM

Hello List
Does anybody understand the difference between the number of users
and the number of protected computers in a firewall?

Maybe someone can help me with this simple disyuntive:

I have more than 400 machines but I don't need all of them
running trough internet. From ouside, anybody can access my
WWW server and some can access my FTP server. Few users from
the inside need to access internet (maybe 30-50) to "browse" or
something like this. I want anyone from inside to have email
by using a common email SMTP/POP server living in the
common-named "secure net" or maybe in internal net (doesn't
matter at this very moment).

In my actual evaluation-licensed firewall, I have edited an
outbound proxy access rule, where I've put the list of IP
addresses of the users that can resolv out.

Do I need to buy an unlimited user license (which is surely more
expensive) or can I use the 50's one? How can the firewall knows
if there are more than N machines connected in the Inside Network?
(it surely can't). It doesn't make a lot of sense that if I let less
than 50 IP's to go to Internet, I need to buy an unlimited user license!

Thanks for cooperation on this
Hector Casavantes
 
        ---------------------------------------------------------------
 
> Subject: User License
> Date: Tue, 13 Aug 1996 22:29:14 -0600
> From: John Shum <jks@cybercom.net>
> To: hcasav@bmv.com.mx
> 
> The user license is based on how many computers the firewall will protect.
> The number of computers behind the firewall will be the number of users even
> if all of them will choose not to access the Internet.  'Screens' is not the
> best term to use in terms of licensing, but usually every computer has a screen.
> 
>     ---------------------------------------------------------------
> 
> Subject: RE: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 03:18:14 -0600
> From: Ian Rawlings <Ian.Rawlings@Quza.com>
> To: "'Hector Casavantes'" <hcasav>
> 
> Hector, I'm afraid that the attitude taken by Checkpoint is that the 400
> machines on the network are being protected by the firewall, after all
> that is the reason for using it in the first place. The number of users
> that need to go through the firewall does not come into the equation as
> this is a secondary function in effect. The primary reason for the
> firewall is to protect those 400 machines, whether they need to access
> the Internet or not.
> 
> As for the means of detecting the machines, all the machines will be
> sending information via the network, and the firewall reads all network
> packets as part of its functionality. This allows it to count how many
> unique addresses there are. There are other methods as well, such as DNS
> queries.
> 
> Ian
> --
> There are no facts, only opinions.
> 
> 
>     ---------------------------------------------------------------
> 
> Subject: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 06:30:22 -0600
> From: Steve Keefe <Steve.Keefe@internetmci.com>
> To: Hector Casavantes <hcasav>
> 
> -- [ From: Steve Keefe * EMC.Ver #2.3 ] --
> 
> Its an interesting question which I have to address frequently.
> 
> My company assembles and configures a variety of commercial firewalls for
> resellers across the US based on both unix and NT.  On the unix machines we
> include an embedded oem license for BSDI.  Its not sold per user since users
> do not log into the firewall but merely pass through.  This seems to be the
> case with the majority of unix firewall vendors.  NT, however, seems to 
> license per connection.
> This may be something to do with Microsoft and how they license NT.
> 
> Hope this helps
> 
> Steve Keefe Patriot Technologies www.patriot-tech.com
> 
>     ---------------------------------------------------------------
> 
> Subject: Hello:
> Date: Wed, 14 Aug 1996 07:18:25 -0600
> From: "Douglas M. Todd" <DOUG@fc.com>
> To: hcasav@bmv.com.mx
> 
> Hello:
> 
> The deal is this.. during the setup of a fw - you are given the range of ip 
> addresses you want to protect.  Here you will be allowed to specify 
> addresses allowed inboud/out bound traffic.
> 
> ==DMT>
> 
> 
>     ---------------------------------------------------------------
> 
> Subject: Re: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 08:27:01 -0600
> From: bjm@ottawa.net (Brian McIntosh)
> To: Hector Casavantes <hcasav@bmv.com.mx>, Firewalls@GreatCircle.COM
> 
> Hector,
> 
> Licensing based on 'users' is simply a marketing tool by which
> a vendor can provide a firewall to smaller organanizations at a
> reduced cost.
> 
> Confusion often arises because of the term 'users'.  In this
> scenario, it does *not* mean users of the Internet; it refers
> to a user of the firewall's protection.  Less confusion would
> arise if vendors used the more specific term 'protected
> nodes' rather than 'users'.
> 
> Bear in mind that a firewall is protecting all 400 of your
> machines whether the users of those machines are
> surfers or not.
> 
> Licensing based on the number of Internet users makes
> sense if you're referring to a browser, but it doesn't make
> sense for a firewall meant to protect your entire enterprise.
> 
> Regards,
> Brian
> 
> 
> ========================================================
>  Brian J. McIntosh
> 
>  UniSol Inc.
> 
>  53 Courtney Road               Tel:    613 831 6373
>  Kanata, Ontario                Fax:    613 831 4739
>  Canada, K2L 1M1                Email:  bjm@ottawa.net
> ========================================================
>
>     ---------------------------------------------------------------
> 
> Subject: Re: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 10:25:39 -0600
> From: armando@sar.net (Armando Aguilar)
> To: hcasav (Hector Casavantes)
> 
> Hello Re-list:
>
> Your network is entirely protected if the X firewall is behind your 400x machines.
> The number of users is the number of computers interacting with internet. (Outs to 
> internet)
> 
> --
> ------------------------------------------------------------------------
>   Armando Aguilar                        Soluciones Avanzadas de Redes
>   E-mail: armando@sar.net              Camino Real a Xochimilco No. 60
>   Tel. (+52+5) 420-5900                             Tepepan Xochimilco
>   Fax. (+52+5) 420-5909                             Mexico, D.F. 16020
> ------------------------------------------------------------------------
> 
>     ---------------------------------------------------------------
> 
> Subject: Re: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 13:15:58 -0600
> From: dharris@kcp.com (Delmer Harris)
> To: Firewalls@GreatCircle.COM, Hector Casavantes <hcasav>
> 
> Hector:
> 
> My experience says you are correct about not needing an unlimited license.  The
> license (for Unix, I am assuming) is for concurrent logon sessions, so you
> should be able to configure more valid IP addresses than you have user licenses
> as long as you don't need them all at once.
> 
> If your firewall vendor has a different idea of licenses (firewall licenses as
> opposed to Unix licenses) then you may have to have as many licenses as you have
> allowed IP addresses, but you still shouldn't need an unlimited license.
> 
> If we are both wrong I am sure the list will correct us;-)
> 
>                                 Delmer D. Harris
>                                 dharris@kcp.com
> 
> 
>     ---------------------------------------------------------------
> 
> Subject: Re: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 15:00:18 -0600
> From: Rick Romkey <pokey@maddie.atlantic.com>
> To: bjm@ottawa.net (Brian McIntosh)
> CC: hcasav, Firewalls@GreatCircle.COM
> 
> 
> > Licensing based on 'users' is simply a marketing tool by which
> > a vendor can provide a firewall to smaller organanizations at a
> > reduced cost.
> 
> Or to increase the cost for a larger org...
> 
> > Confusion often arises because of the term 'users'.  In this
> > scenario, it does *not* mean users of the Internet; it refers
> > to a user of the firewall's protection.  Less confusion would
> > arise if vendors used the more specific term 'protected
> > nodes' rather than 'users'.
> 
> Many firewalls use a bit from both worlds for licensing.  FW-1
> creates a flat file list of all unique IP hosts it learns
> about (through useage).  If this list exceeds the purchase license
> count (either 50, 256 or unlimited), then it indicates this violation
> to the admin.  It also has a "concurrent use" license.
> 
> BorderWare uses what they call a "screen" license.  The number of
> computers, terminals, etc in total that will be using the firewall.
> It is not based on all machines capable of using it, just those
> that will be accessing the internet through it.
> 
> Just talk with your VAR about what the particlar product's license
> actually means...it varies quite a bit.
> 
> -Rick
> 
> ----------------------------------------------------------------------------
>  Rick E Romkey     |          A T L A N T I C           |     Internet
> pokey@atlantic.com |  Computing Technology Corporation  |   Specialists
>  (860) 667-9596    |     http://www.atlantic.com/       |
> -----------------------------------------------------------------------------
> 
>     ---------------------------------------------------------------
> 
> Subject: Re: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 16:12:27 -0600
> From: Barbara Jaarsma <barbara@us.checkpoint.com>
> Organization: CheckPoint Software Technologies, Inc. Technical Services
> To: Delmer Harris <dharris@kcp.com>
> CC: Firewalls@GreatCircle.COM, Hector Casavantes <hcasav>
> References: <199608141921.AA13346@kcpgw2.kcp.com>
> 
> Delmer Harris wrote:
> > Hector:
> > My experience says you are correct about not needing an unlimited
> > license.  The license (for Un*x, I am assuming) is for concurrent
> > logon sessions, so you should be able to configure more valid IP
> > addresses than you have user licenses as long as you don't need them
> > all at once.
> Delmer, Hector, et al:
> 
> The number of licenses you need to purchase should equal the NUMBER OF
> NODES THAT ARE PROTECTED BY THE FIREWALL, whether or not traffic from
> said nodes actually traverses the firewall.
> 
> -Barb
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Barbara Jaarsma, Sr. Technical Support Engineer - x250    800-429-4391
>                                                           415-562-0400
> CheckPoint Software Technologies, Inc.
> 400 Seaport Court - Suite 105                barbara@us.checkpoint.com
> Redwood City, California  95063              http://www.checkpoint.com
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
>     ---------------------------------------------------------------
> 
> Subject: Re: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 16:56:34 -0600
> From: David Bonn <david@sealabs.com>
> To: Rick Romkey <pokey@maddie.atlantic.com>
> CC: bjm@ottawa.net (Brian McIntosh), hcasav, Firewalls@GreatCircle.COM
> References: <199608141427.KAA15590@dns.ottawa.net>
>      <199608142100.RAA30974@maddie.atlantic.com>
> 
> >>>>> "Rick" == Rick Romkey <pokey@maddie.atlantic.com> writes:
> 
> >> Licensing based on 'users' is simply a marketing tool by which
> >> a vendor can provide a firewall to smaller organanizations at a
> >> reduced cost.
> 
> Rick> Or to increase the cost for a larger org...
> 
> It seems to me that just selling the product for less money would be less
> work.  All that hassle with n-user licenses is an annoying support
> burden and tracking problem.
> 
> dwb
> 
>     ---------------------------------------------------------------
> 
> Subject: RE: No More Unlimited User Licenses Please...
> Date: Wed, 14 Aug 1996 18:15:16 -0600
> From: Matthew Thompson <mthomps1@kiwitech.co.nz>
> To: "'Hector Casavantes'" <hcasav>
> 
> If it's borderware, They licence by "Machines protected", but are open to
> discussions of "symultaneous users", I have a Borderware site with >500
> machines and a 25 user licence used this way.
>


From firewalls-owner  Thu Aug 15 00:58:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA01402 for firewalls-outgoing; Thu, 15 Aug 1996 00:46:28 -0700 (PDT)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id AAA01395 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 00:46:19 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id AAA11665; Thu, 15 Aug 1996 00:45:49 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199608150745.AAA11665@salsa.gv.ssi1.com>
Date: Thu, 15 Aug 1996 00:45:49 -0700
In-Reply-To: Rabid Wombat <wombat@mcfeely.bsfs.org>
       "Re: Re[2]: huh? switch hitter?" (Aug 15,  2:59am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Rabid Wombat <wombat@mcfeely.bsfs.org>,
        "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
Subject: Re: Re[2]: huh? switch hitter?
Cc: Brian Murrell <Brian_Murrell@bctel.net>, lists@lina.inka.de,
        roberth@cet.com, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Aug 15,  2:59am, Rabid Wombat wrote:
} Subject: Re: Re[2]: huh? switch hitter?
} Be careful with the security benefits angle, though. I read a test report
} a while back (sorry, don't have the reference handy, and no brands were
} specified) that indicated that some switches will pass packets out all
} ports when under very heavy loads - even crossing VLANs established on the
} switch.  An attacker could "load" the switch from one or more ports, then
} watch for "fallout" on another port. 

If a bridge/switch doesn't know which port a MAC address lives on, it
will forward a packet sent to that MAC address to all it's ports (unless
it knows that some of the ports only connect to a certain device(s)), in
the hope that one of them connects to the desired device.  You wouldn't
want all the machines on your net to stop talking just because the switch
was power cycled and lost it's MAC table.

Due to speed requirements, bridges/switches usually keep their MAC tables
in some type of high speed memory which is of limited size.  If someone
manages to overflow this memory with fake MAC addresses (or real addresses
if your network is big enough), then packets sent to a host whose MAC
address has been flushed can be forwarded to ports other than the one
to which the host is connected.

			---  Truck

From firewalls-owner  Thu Aug 15 02:28:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07991 for firewalls-outgoing; Thu, 15 Aug 1996 01:55:34 -0700 (PDT)
Received: from jpmgate1.jpmorgan.com (jpmorgan.jpmorgan.com [146.149.99.127]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id BAA07984 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 01:55:19 -0700 (PDT)
Received: from jpmgate1.jpmorgan.com (mrzip.ny.jpmorgan.com [146.149.1.2]) by jpmgate1.jpmorgan.com (8.7.5/8.7.5) with SMTP id EAA19946 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 04:55:20 -0400
Received: from NYC-NTGW-N02.ny.jpmorgan.com (nyc_ntgw_n02.ny.jpmorgan.com [198.75.84.103]) by mrzip.ny.jpmorgan.com (8.7.4/8.7.3) with SMTP id EAA11083 for <@mrzip.ny.jpmorgan.com:firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 04:55:22 -0400 (EDT)
Received: by NYC-NTGW-N02.ny.jpmorgan.com (IBM OS/2 SENDMAIL VERSION 1.3.14/1.0)
	  id AA1254; Thu, 15 Aug 96 04:55:15 -0400
Message-Id: <9608150855.AA1254@NYC-NTGW-N02.ny.jpmorgan.com>
Received: by JPMORGAN (Lotus Notes Mail Gateway for SMTP V1.1) id
  718A2ED78A845DA88025638700307629; Thu, 15 Aug 96 04:55:15 
To: firewalls <firewalls@GreatCircle.COM>
Cc: Petter H{ggman <Petter.Haggman@lule.frontec.se>
From: Brian B Mitchell
  <mitchell_brian@jpmorgan.com>
Date: 15 Aug 96  9:51:29 
Subject: Re: RealAudio and VDOLive
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Petter

Check out Real Audio's WWW site for info about using RA behind a FW.

http://www.realaudio.com/help/firewall/info.html

-----------------------------------------------------------------------------------

Hi all!

I need to find out what protocols that RealAudio and VdoLive
are based upon. Are there any relevant RFC's?

Tia

/Petter


From firewalls-owner  Thu Aug 15 04:43:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA13383 for firewalls-outgoing; Thu, 15 Aug 1996 04:33:30 -0700 (PDT)
Received: from mwunix.mitre.org (mwunix.mitre.org [128.29.154.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id EAA13367 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 04:33:11 -0700 (PDT)
Received: from smiley.sit (smiley.mitre.org [128.29.140.20]) by mwunix.mitre.org (8.6.10/8.6.4) with SMTP id HAA04528; Thu, 15 Aug 1996 07:33:06 -0400
Received: from [128.29.140.130] (mckenney-mac) by smiley.sit (4.1/SMI-4.1)
	id AA17387; Thu, 15 Aug 96 07:31:16 EDT
Date: Thu, 15 Aug 96 07:31:15 EDT
Message-Id: <v01510103ae38823b861c@[128.29.140.130]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Rik Farrow <rik@spirit.com>
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Re: USENIX Symposium Firewalls BOF Notes
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>Someone else asked about blocking Active-X, but got no direct response.

Carl Claunch's TIS Toolkit http-gw patch can block ActiveX embedded in Web
pages.



From firewalls-owner  Thu Aug 15 05:44:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA15826 for firewalls-outgoing; Thu, 15 Aug 1996 05:31:17 -0700 (PDT)
Received: from gatekeeper2.mcimail.com (gatekeeper2.mcimail.com [192.147.45.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA15819 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 05:31:10 -0700 (PDT)
Received: from mailgate2.mcimail.com (mailgate2.mcimail.com [166.40.135.23]) by gatekeeper2.mcimail.com (8.6.12/8.6.10) with SMTP id MAA27350; Thu, 15 Aug 1996 12:36:22 GMT
Received: from mcimail.com by mailgate2.mcimail.com id aa06802;
          15 Aug 96 12:31 WET
Date: Thu, 15 Aug 96 07:30 EST
From: Karl Janice <KJanice_+a_NYPP_+lKarl_Janice+r%NYPP@mcimail.com>
To: firewalls <firewalls@greatcircle.com>
Subject: Re[2]: authentification
Message-Id: <43960815123034/0006731076PK5EM@MCIMAIL.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

MHS:   Source date is:      15-Aug-96 08:13 EST


I'm glad that my boss is converting his native language to something
'english-like'. Now if I just can figure out what his native language is. He
thinks it's english.

______________________________ Reply Separator _________________________________
Subject: Re: authentification
Author:  JIoannid (John Ioannidis <ji@hol.gr>) { NAME: John Ioannidis
<ji@hol.gr> | EMS: NYPP } at MCIMAIL
Date:    8/15/96 3:05 AM


There is no such word. There are people on this list whose command of English
is less than perfect, and make up words by converting words from their own
language into something that sounds vaguely english-like.

The proper word is `authentication' (which, according to the Barnhart Concise
Dictionary of Etymology, has been in the English language since at least 1788).



/ji, for whom English is a third language.


From firewalls-owner  Thu Aug 15 05:57:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA15735 for firewalls-outgoing; Thu, 15 Aug 1996 05:27:20 -0700 (PDT)
Received: from cantor.uts.ohio-state.edu (cantor.uts.ohio-state.edu [128.146.214.115]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id FAA15728 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 05:27:12 -0700 (PDT)
Received: from localhost (jac@localhost) by cantor.uts.ohio-state.edu (8.7.3/8.7.3) with SMTP id IAA02707; Thu, 15 Aug 1996 08:27:07 -0400 (EDT)
Date: Thu, 15 Aug 1996 08:27:06 -0400 (EDT)
From: Jim Clausing <jac@postbox.acs.ohio-state.edu>
To: Rik Farrow <rik@spirit.com>
cc: firewalls@GreatCircle.COM, swlodin@eng.delcoelect.com,
        best-of-security@suburbia.net
Subject: Re: BoS: Re: USENIX Symposium Firewalls BOF Notes
In-Reply-To: <199608142337.QAA00297@crow.spirit.com>
Message-ID: <Pine.MCT.3.95.960815082336.1446D-100000@cantor.uts.ohio-state.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



On Wed, 14 Aug 1996, Rik Farrow wrote:

[...]
> Someone else asked if Tripwire supported SHA.  The answer was no, [but
> I'd like to add that combining MD5 with Snefru provides 256 bits, and
> should be safe for a while.]

This is the second time that I have seen this remark.  Perhaps that was
the recollection of those present, but the documentation for tripwire says
that signature 7 in SHA.  Granted, it is not one of the defaults, you have
to explicitly ask for it, but it looks to me like tripwire does indeed
support SHA.  Gene, care to correct me?

[...]

-- 
Jim Clausing                                    ph:  (614)292-2078
Manager, Network Information Services           fax: (614)292-7081
University Technology Services, Ohio State University
1971 Neil Ave, Columbus, OH  43210



From firewalls-owner  Thu Aug 15 06:14:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA16698 for firewalls-outgoing; Thu, 15 Aug 1996 06:04:10 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA16691 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 06:04:01 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id JAA16412; Thu, 15 Aug 1996 09:09:37 -0500
From: Adam Shostack <adam@homeport.org>
Message-Id: <199608151409.JAA16412@homeport.org>
Subject: Re: USENIX Symposium Firewalls BOF Notes
To: rik@spirit.com (Rik Farrow)
Date: Thu, 15 Aug 1996 09:09:37 -0500 (EST)
Cc: firewalls@GreatCircle.COM, swlodin@eng.delcoelect.com
In-Reply-To: <199608142337.QAA00297@crow.spirit.com> from "Rik Farrow" at Aug 14, 96 04:37:21 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rik Farrow wrote:
| 
| 
| Steve Lodin suggested that I add my notes to the ones he already posted.

| Someone else asked if Tripwire supported SHA.  The answer was no, [but
| I'd like to add that combining MD5 with Snefru provides 256 bits, and
| should be safe for a while.]

tripwire-1.2/sigs/sha seems to be NIST SHA.  I haven't checked to see
if its the released or revised version.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume


From firewalls-owner  Thu Aug 15 06:29:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA17006 for firewalls-outgoing; Thu, 15 Aug 1996 06:09:35 -0700 (PDT)
Received: from firewall.idoc.state.il.us (gatekeeper.idoc.state.il.us [163.191.155.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA16999 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 06:09:26 -0700 (PDT)
From: tjdavis@idoc.state.il.us
Received: (from uucp@localhost) by firewall.idoc.state.il.us (8.6.12/8.6.9) id HAA15429; Thu, 15 Aug 1996 07:09:59 GMT
Received: from toad.idoc.state.il.us(163.191.155.129) by firewall.idoc.state.il.us via smap (V2.0alpha)
	id xma015427; Thu, 15 Aug 96 07:09:48 GMTContent-Length: 678
Message-ID: <XFMail.960815075614.tjdavis@idoc.state.il.us>
X-Mailer: XFMail 0.4 [p0] on Linux
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
In-Reply-To: <199608150646.IAA07594@goozer.arctic>
Date: Thu, 15 Aug 1996 07:54:30 -0000 ()
Organization: Illinois Department of Corrections
To: (Petter H{ggman) <Petter.Haggman@lule.frontec.se>
Subject: RE: RealAudio and VDOLive
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


I don't know about VDOlive, but RealAudio normally uses UDP, but the newer
clients can be configured to use TCP.  There is a proxy server available
on the realaudio site which I have working fine with the TIS firewall toolkit.


On 15-Aug-96 Petter.Haggman@lule.frontec.se wrote:
>>Content-Md5: R8NmNYjChSwRNO0sh19c+A=3D>Sender: firewalls-owner@GreatCircle.CO=
M
>Precedence: bulk
>
>
>Hi all!
>
>I need to find out what protocols that RealAudio and VdoLive
>are based upon. Are there any relevant RFC's?
>
>Tia


----------------------------------
Todd J. Davis
tjdavis@idoc.state.il.us

IL Department of Corrections
(217) 522-2666 ext 6358
----------------------------------

From firewalls-owner  Thu Aug 15 06:48:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA17918 for firewalls-outgoing; Thu, 15 Aug 1996 06:25:09 -0700 (PDT)
Received: from arthur.cs.purdue.edu (arthur.cs.purdue.edu [128.10.2.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA17890 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 06:24:54 -0700 (PDT)
Received: from uther.cs.purdue.edu (root@uther.cs.purdue.edu [128.10.2.20]) by arthur.cs.purdue.edu (8.7.4/PURDUE_CS-1.4) with ESMTP id IAA02737; Thu, 15 Aug 1996 08:23:28 -0500 (EST)
Received: from localhost (spaf@localhost [127.0.0.1]) by uther.cs.purdue.edu (8.7.4/PURDUE_CS-1.4) with SMTP id IAA02976; Thu, 15 Aug 1996 08:23:26 -0500 (EST)
Message-Id: <199608151323.IAA02976@uther.cs.purdue.edu>
To: Jim Clausing <jac@postbox.acs.ohio-state.edu>
cc: Rik Farrow <rik@spirit.com>, firewalls@GreatCircle.COM,
        swlodin@eng.delcoelect.com, best-of-security@suburbia.net
Subject: Re: BoS: Re: USENIX Symposium Firewalls BOF Notes 
X-URI: http://www.cs.purdue.edu/people/spaf
X-Face: #Qsg)Z|}R*yk&8kWAs-y5(S=7}fDA:S;%d:gf$3VC<+5./P.gGhK7S)zL]EumGX}
  _*GuP+vNhr0qVCDP9VWfZH${(8htny}Y.#zgaNN4-l:i+RPD)!Ok7t`VxeH7TT!8jzV2?]
  _wv\J@EZi_4V!&ss7UQgQ2ZzeR<}>|!#z3cw*?%\@bGY}o_PI81of<Q<6,nz~_J_nD7voU
  @ql1%x,dw^xAHcDs7}tVK32Mn,
In-reply-to: Message from Jim Clausing <jac@postbox.acs.ohio-state.edu>  of
    "Thu, 15 Aug 1996 08:27:06 -0400"
    <Pine.MCT.3.95.960815082336.1446D-100000@cantor.uts.ohio-state.edu> 
Date: Thu, 15 Aug 1996 08:23:24 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> This is the second time that I have seen this remark.  Perhaps that was
> the recollection of those present, but the documentation for tripwire says
> that signature 7 in SHA.  Granted, it is not one of the defaults, you have
> to explicitly ask for it, but it looks to me like tripwire does indeed
> support SHA.  Gene, care to correct me?

No correction necessary as you are correct.  SHA has been in Tripwire
since release 1.2, made 2 years ago next week.

Signatures/checksums included in the distribution are MD5, SNEFRU, two
CRC implementations, MD4, MD2, SHA, and HAVAL.   The default sigs are
MD5 and SNEFRU -- any of the others can be added as defaults by a
one-character configuration change.

--spaf


From firewalls-owner  Thu Aug 15 06:56:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA17546 for firewalls-outgoing; Thu, 15 Aug 1996 06:20:02 -0700 (PDT)
Received: from tartarus (willard.us.newbridge.com [204.177.219.100]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id GAA17528 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 06:19:49 -0700 (PDT)
Received: from tartarus (tartarus.us.newbridge.com [138.120.108.65]) by tartarus (8.7.5/8.7.3) with SMTP id JAA25911; Thu, 15 Aug 1996 09:17:15 -0400 (EDT)
Date: Thu, 15 Aug 1996 09:17:15 -0400 (EDT)
From: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>
X-Sender: murchiso@tartarus
To: firewalls@GreatCircle.COM
cc: lists@lina.inka.de
Subject: Re: Re[2]: huh? switch hitter?
In-Reply-To: <199608150745.AAA11665@salsa.gv.ssi1.com>
Message-ID: <Pine.SOL.3.95.960815083613.24422A-100000@tartarus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 15 Aug 1996, Don Lewis wrote:

> If a bridge/switch doesn't know which port a MAC address lives on, it
> will forward a packet sent to that MAC address to all it's ports (unless
> it knows that some of the ports only connect to a certain device(s)), in
> the hope that one of them connects to the desired device.  You wouldn't
> want all the machines on your net to stop talking just because the switch
> was power cycled and lost it's MAC table.

Your standard broadcast traffic will get flodded to all ports on your
switch in that *broadcast domain*, and that will not change. Once the
location of an endstation is determined either by direct response to the
broadcast or by an external server as in MPOA, LANE, etc., your further
packet transmissions to that endstation should be port-specific. 

> Due to speed requirements, bridges/switches usually keep their MAC tables
> in some type of high speed memory which is of limited size.  If someone
> manages to overflow this memory with fake MAC addresses (or real addresses
> if your network is big enough), then packets sent to a host whose MAC
> address has been flushed can be forwarded to ports other than the one
> to which the host is connected.

For our products, there is a local cache which does the mapping for a
device, but the cache is cyclical, not flushed when it's filled.  The
number of entries in the cache can be very high, and if you are seeing
some other product hiccup when hit with too many source addresses, then it
would appear to be a bad design.  A cyclical approach, combined with an
intelligent aging method makes more sense. 

In response to the other gentleman's post on switches mistakenly
forwarding packets to the wrong ports when under heavy load, I have not
personally seen this.

Roderick Murchison, Jr.                      murchiso@vivid.newbridge.com
Newbridge Networks Inc.                      office: (703) 708-5930
Product Manager - VIVID ACS                     fax: (703) 708-5937
Herndon, VA 22070-5241                       http://www.vivid.newbridge.com



From firewalls-owner  Thu Aug 15 07:13:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20907 for firewalls-outgoing; Thu, 15 Aug 1996 06:51:54 -0700 (PDT)
Received: from ns1.eds.com (ns1.eds.com [192.85.154.78]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20876 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 06:51:26 -0700 (PDT)
Received: by ns1.eds.com (hello)
	id JAA25857; Thu, 15 Aug 1996 09:51:16 -0400
Received: from kocrsv04.delcoelect.com (kocrsv04.delcoelect.com [144.250.100.205]) by nnsa.eds.com (8.7.5/8.7.3) with ESMTP id JAA00732; Thu, 15 Aug 1996 09:50:45 -0400 (EDT)
Received: from kocrsw07.delcoelect.com (kocrsw07.delcoelect.com [144.250.106.13]) by kocrsv04.delcoelect.com (8.7.5/8.7.3) with SMTP id IAA00388; Thu, 15 Aug 1996 08:50:41 -0500 (EST)
Received: by kocrsw07.delcoelect.com (SMI-8.6/SMI-SVR4)
	id IAA11731; Thu, 15 Aug 1996 08:50:40 -0500
From: "Steve Lodin" <swlodin@eng.delcoelect.com>
Message-Id: <9608150850.ZM11729@kocrsw07.delcoelect.com>
Date: Thu, 15 Aug 1996 08:50:39 -0500
In-Reply-To: Adam Shostack <adam@homeport.org>
        "Re: USENIX Symposium Firewalls BOF Notes" (Aug 15,  9:09am)
References: <199608151409.JAA16412@homeport.org>
X-URL: http://www.cs.purdue.edu/people/swlodin
X-Face: Mx\#!$C!&CSez|Z]d^0t`P#ZJlPoyC#zJN;#4nwe8h4-rnXL-2>=!if`{Pi-*s^"vRs}SK]oA(n<(QS:gHZ%CX+Kq~It<%Glg~r_mv2*-l]x+19x*wHC]ON}<q)I|&@hIX=ndPF%:)P*{WL9k~vo"w852Q4[R$'!+Fu|f-=V^i=ES#hH!a&o5bi:XpRg!qf@,ujReOH!F}hK[BEwiE`S(_.?x>`47?]4{9>^w^S~/JxeEF!npYd1CLIp@}fA6|L~A:rBAuLlkfoQ~SlAIZsIkTrqFw5$uN4#P^Tga+BLOg
X-Mailer: Z-Mail (3.2.1 10oct95)
To: Adam Shostack <adam@homeport.org>, rik@spirit.com (Rik Farrow)
Subject: Re: USENIX Symposium Firewalls BOF Notes
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yep, Spaf confirmed that from version 1.2 Tripwire has had SHA support.

Steve

-- 
Steve Lodin - Delco Electronics - swlodin@delcoelect.com - (317)451-0479
"It would be as useful as kicking a dead whale down the beach."
- Alec Muffett at the USENIX Security Symposium
[Alec says "...after Bob Morris (re: multics, I believe...)"]

From firewalls-owner  Thu Aug 15 07:34:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23047 for firewalls-outgoing; Thu, 15 Aug 1996 07:16:06 -0700 (PDT)
Received: from kpgwy.kpscal.org (kpgwy.kpscal.org [167.117.0.140]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA23016 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 07:15:46 -0700 (PDT)
Received: from mailhub.kp.org ([206.18.242.135]) by kpgwy.kpscal.org (8.6.9/8.6.9) with SMTP id HAA12460 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 07:16:26 -0700
X400-Received: by /c=us/admd=/prmd=kp/; converted ( IA5-Text);  Relayed; 
  15 Aug 1996 07:14:59 -0700
X400-Received: by mta KPMTA in /c=us/admd=/prmd=kp/; converted ( IA5-Text); 
   Relayed; 15 Aug 1996 07:14:59 -0700
X400-MTS-Identifier: [/c=us/admd=/prmd=kp/; 32133F63.CCC8.0B88.000]
Content-Identifier: 01D81321330E301F
Content-Return: Allowed
X400-Content-Type: P2-1988 ( 22 )
Conversion: Allowed
Original-Encoded-Information-Types: IA5-Text
Disclose-Recipients: Prohibited
Alternate-Recipient: Allowed
X400-Originator: Mark.Moore@kp.org
X400-Recipients: non-disclosure;
Message-Id: 
  <"32133F63.CCC8.0B88.000*/c=us/admd= /prmd=kp/o=ga/ou=gwise/s=Moore/g=Mark/"@MHS>
Expiry-Date: 30 Aug 1996 00:00: Z
Date: 15 Aug 1996 07:14:59 -0700
From: "Moore, Mark" <Mark.Moore@kp.ORG>
To: firewalls@GreatCircle.COM (Return requested) (Receipt notification requested)
Subject: Firewall Questions
MIME-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Before buying a firewall, what question should you ask the firewall
vendor ??  Is there some documentation on good questions to ask ? I'm
new to firewall technology, so I really dont know what good questions to
ask.  Thanks in-advance. : - )

Regards,

Security Analyst

From firewalls-owner  Thu Aug 15 07:42:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20296 for firewalls-outgoing; Thu, 15 Aug 1996 06:46:50 -0700 (PDT)
Received: from stortek.com (stortek.com [129.80.22.249]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA20271 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 06:46:38 -0700 (PDT)
Received: from coltano.stortek.com by stortek.com with SMTP id AA01430
  (5.65c/IDA-1.4.4 for <firewalls@GreatCircle.COM>); Thu, 15 Aug 1996 07:46:39 -0600
Received: (from jim@localhost) by coltano.stortek.com (8.7.4/8.7.3) id HAA17620 for firewalls@GreatCircle.COM; Thu, 15 Aug 1996 07:45:08 -0600 (MDT)
Date: Thu, 15 Aug 1996 07:45:08 -0600 (MDT)
From: Jim Wamsley 303-673-8163 <jim@coltano.stortek.com>
Message-Id: <199608151345.HAA17620@coltano.stortek.com>
To: firewalls@GreatCircle.COM
Subject: Re: Re[2]: authentification
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


 > From: Karl Janice <KJanice_+a_NYPP_+lKarl_Janice+r%NYPP@mcimail.com>
 > Subject: Re[2]: authentification
 > 
 > MHS:   Source date is:      15-Aug-96 08:13 EST
 > 
 > 
 > I'm glad that my boss is converting his native language to something
 > 'english-like'. Now if I just can figure out what his native language is. He
 > thinks it's english.
 > 
 > ______________________________ Reply Separator ______________________________ > Author:  JIoannid (John Ioannidis <ji@hol.gr>) { NAME: John Ioannidis
 > Date:    8/15/96 3:05 AM
 > 
 > 
 > There is no such word. There are people on this list whose command of English
 > is less than perfect, and make up words by converting words from their own
 > language into something that sounds vaguely english-like.
 > 
 > The proper word is `authentication' (which, according to the Barnhart Concise
 > Dictionary of Etymology, has been in the English language since at least 1788

I would like to add before this gets out of hand, and before a flurry of
insults from readers for whom ESL, that most of the abuse of the english
language is from those for whom english _is_ their native tongue and whose
command is less than perfect.  many of the corruptions are a result of either
some techno-babble jargon or by a need to feel superior through use of their 
vocabulary.  probably the natural richness of the english language lends itself
to such corruption.  if it weren't so flexible and evolving, dictionary writers
would be out of business.  (kind of like a certain nationalistic european
country that expends great efforts to keep its language sterile and
uninfluenced by outside sources.)

apologies for the soap box.

BTW - ESL means english as a second language.

 ______________________________________________________________
[ Jim Wamsley, Network Engineering                             ]
[ StorageTek 2270 S. 88th St, M.S. 4379, Louisville, CO 80028  ] 
[ Audible:  (303) 673-8163    Logical jim_wamsley@stortek.com  ]
[                   Everything to Excess!                      ]
[  To enjoy life to the fullest, you must take big bites.      ]
[                  Moderation is for monks.                    ]
[                                                Lazarus Long  ]
[______________________________________________________________]
  

From firewalls-owner  Thu Aug 15 08:27:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA00632 for firewalls-outgoing; Thu, 15 Aug 1996 08:21:25 -0700 (PDT)
Received: from rbit.co.za (rbit.co.za [196.7.71.94]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA00619 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 08:21:15 -0700 (PDT)
Received: (from johnb@localhost) by rbit.co.za (8.7.3/8.7.3) id RAA11754 for firewalls@greatcircle.com; Thu, 15 Aug 1996 17:21:33 +0200
From: John Betts <johnb@aztec.co.za>
Message-Id: <199608151521.RAA11754@rbit.co.za>
Subject: Firewall Questions (fwd)
To: firewalls@greatcircle.com
Date: Thu, 15 Aug 1996 17:21:33 +0200 (SAT)
Reply-to: johnb@aztec.co.za
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Howdy
 
% Before buying a firewall, what question should you ask the firewall
% vendor ??  Is there some documentation on good questions to ask ? I'm
% new to firewall technology, so I really dont know what good questions to
% ask.  Thanks in-advance. : - )
% 
Dont we have a FAQ for all this kinda stuff?

If so, where?

tia

ciao

--
John


--
John Betts, Aztec Internet Services Port Elizabeth, South Africa
johnb@aztec.co.za,  Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
Authorised Caldera Consultant     ||     Part of the UUNet Group
  Eat one live toad the first thing in the morning and nothing 
        worse will happen to you the rest of the day.


From firewalls-owner  Thu Aug 15 08:44:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA01740 for firewalls-outgoing; Thu, 15 Aug 1996 08:37:12 -0700 (PDT)
Received: from sndsu1.sedalia.sinet.slb.com (sinet.slb.com [163.185.18.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA01724 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 08:37:02 -0700 (PDT)
Received: from [163.185.164.55] (dyn55.houston.omnes.net [163.185.164.55]) 
	by sndsu1.sedalia.sinet.slb.com (8.6.9/8.6.9) with ESMTP id PAA03016
	for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 15:37:01 GMT
X-Sender: chaabouni@sndsn1.sedalia.sinet.slb.com
Message-Id: <v03007803ae390397dcde@[163.185.164.55]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 15 Aug 1996 10:46:21 -0600
To: firewalls@GreatCircle.COM
From: Nassim Chaabouni <chaabouni@houston.omnes.net>
Subject: Testing tools
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


Hi

What are the available  tools  for  testing UNIX  Hosts security?

Can someone Help?
Regards,



From firewalls-owner  Thu Aug 15 08:58:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27757 for firewalls-outgoing; Thu, 15 Aug 1996 07:53:56 -0700 (PDT)
Received: from extcom5.cbs.nl (extcom5.cbs.nl [192.87.118.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id HAA27698 for <firewalls@Greatcircle.com>; Thu, 15 Aug 1996 07:53:37 -0700 (PDT)
Received: from extcom3.cbs.nl by extcom5.cbs.nl (5.65/1.34) id AA19527; 
 	  Thu, 15 Aug 96 16:52:10 +0200
Received: via extcom3.cbs.nl; Thu, 15 Aug 96 16:46:06 +0200
X-To: firewalls@Greatcircle.com
Received: via mailslh2.cbs.nl; Thu, 15 Aug 96 16:47:38 -0700
Received: via mailslh2.cbs.nl; Thu, 15 Aug 96 16:44:56 -0700
Received: via fddiha.cbs.nl; Thu, 15 Aug 96 16:53:33 +0200
Received: by rh1e.cbs.nl with Microsoft Exchange (IMC 4.0.838.14) id <01BB8AC9.DB650170@rh1e.cbs.nl>; Thu, 15 Aug 1996 16:50:25 +0200
Message-Id: <c=NL%a=400net%p=CBS%l=RH1E-960815145024Z-54@rh1e.cbs.nl>
From: "Pleuger, R.B.W." <RPGR@cbs.nl>
To: "'firewalls@Greatcircle.com'" <firewalls@Greatcircle.com>
Date: Thu, 15 Aug 1996 16:50:24 +0200
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Type: html document
Afzender: rpgr
Naam: test.htm
Httptak: /rpgr/sdir
Vrijgeven:

<HTML>
<BODY>

<H1>Tja...5</H1>

hgfgjhhjfhj

</BODY>
</HTML>

From firewalls-owner  Thu Aug 15 09:10:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA00273 for firewalls-outgoing; Thu, 15 Aug 1996 08:16:25 -0700 (PDT)
Received: from iaehv.IAEhv.nl (iaehv.IAEhv.nl [194.151.64.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA00201 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 08:15:56 -0700 (PDT)
Received: from comp-008 (pm5d11.IAEhv.nl [194.151.70.140]) 
          by iaehv.IAEhv.nl (8.6.13/1.63) with SMTP; pid 14071
          on Thu, 15 Aug 1996 17:15:54 +0200; id RAA14071
          efrom: rdb@IAEhv.nl; eto: <firewalls@GreatCircle.COM> 
Message-ID: <32133ED7.4300@iaehv.nl>
Date: Thu, 15 Aug 1996 17:14:31 +0200
From: Rene de Baerdemaeker <rdb@IAEhv.nl>
X-Mailer: Mozilla 2.02 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Re: Firewall Questions
References: <"32133F63.CCC8.0B88.000*/c=us/admd= /prmd=kp/o=ga/ou=gwise/s=Moore/g=Mark/"@MHS>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Moore, Mark wrote:
> 
> Before buying a firewall, what question should you ask the firewall
> vendor ??  Is there some documentation on good questions to ask ? I'm
> new to firewall technology, so I really dont know what good questions to
> ask.  Thanks in-advance. : - )
> 
> Regards,
> 
> Security Analyst

The same question for me, but i would like to know some good places to 
go in the netherlands for advice on firewall technology.

Thanks,

Rene de Baerdemaeker

Account manager

From firewalls-owner  Thu Aug 15 09:18:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28819 for firewalls-outgoing; Thu, 15 Aug 1996 08:02:49 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA28775 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 08:02:29 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id OAA04671; Thu, 15 Aug 1996 14:57:47 -0400
Date: Thu, 15 Aug 1996 14:57:42 -0400 (EDT)
From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: Don Lewis <Don.Lewis@tsc.tdk.com>
cc: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>,
        Brian Murrell <Brian_Murrell@bctel.net>, lists@lina.inka.de,
        roberth@cet.com, firewalls@GreatCircle.COM
Subject: Re: Re[2]: huh? switch hitter?
In-Reply-To: <199608150745.AAA11665@salsa.gv.ssi1.com>
Message-ID: <Pine.BSF.3.91.960815145316.4636B-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



On Thu, 15 Aug 1996, Don Lewis wrote:

> On Aug 15,  2:59am, Rabid Wombat wrote:
> } Subject: Re: Re[2]: huh? switch hitter?
> } Be careful with the security benefits angle, though. I read a test report
> } a while back (sorry, don't have the reference handy, and no brands were
> } specified) that indicated that some switches will pass packets out all
> } ports when under very heavy loads - even crossing VLANs established on the
> } switch.  An attacker could "load" the switch from one or more ports, then
> } watch for "fallout" on another port. 
> 
> If a bridge/switch doesn't know which port a MAC address lives on, it
> will forward a packet sent to that MAC address to all it's ports (unless
> it knows that some of the ports only connect to a certain device(s)), in
> the hope that one of them connects to the desired device.  You wouldn't
> want all the machines on your net to stop talking just because the switch
> was power cycled and lost it's MAC table.
>

Correct, but I doubt you'd get any useful info this way, as you'd only 
get the first few packets, at most, and then the MAC table would pick up 
the target address from the ACK packets coming back. I'm assumming, of 
course, that the device would take long enough to power cycle that 
connections would time out and need to be re-started. If not, you'd be 
able to pick up a few packets out of any point in the conversation.

 
> Due to speed requirements, bridges/switches usually keep their MAC tables
> in some type of high speed memory which is of limited size.  If someone
> manages to overflow this memory with fake MAC addresses (or real addresses
> if your network is big enough), then packets sent to a host whose MAC
> address has been flushed can be forwarded to ports other than the one
> to which the host is connected.
> 

Flooding the table w/ fake/real addresses is one I hadn't thought of - 
this would be more dangerous than the above, because it could be used to 
pick up the middle of conversations.

- r.w.

> 			---  Truck
> 

From firewalls-owner  Thu Aug 15 09:23:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA29872 for firewalls-outgoing; Thu, 15 Aug 1996 08:13:25 -0700 (PDT)
Received: from callisto.lif.icnet.uk (callisto.lif.icnet.uk [143.65.1.5]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA29810 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 08:13:04 -0700 (PDT)
Received: by callisto.lif.icnet.uk; Thu, 15 Aug 1996 16:12:57 +0100
Date: Thu, 15 Aug 1996 16:12:56 +0100 (BST)
From: John Hopkins <hopkins@icrf.icnet.uk>
Subject: Re: Re[2]: authentification
To: Jim Wamsley 303-673-8163 <jim@coltano.stortek.com>
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199608151345.HAA17620@coltano.stortek.com>
Message-Id: <Pine.3.89.9608151609.A26483-0100000@callisto.lif.icnet.uk>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I suggest we drop this here. It has no real use on this list.

John Hopkins
Network Unit Manager
Imperial Cancer Research Fund
London



On Thu, 15 Aug 1996, Jim Wamsley 303-673-8163 wrote:

> 
>  > From: Karl Janice <KJanice_+a_NYPP_+lKarl_Janice+r%NYPP@mcimail.com>
>  > Subject: Re[2]: authentification
>  > 
>  > MHS:   Source date is:      15-Aug-96 08:13 EST
>  > 
>  > 
>  > I'm glad that my boss is converting his native language to something
>  > 'english-like'. Now if I just can figure out what his native language is. He
>  > thinks it's english.
>  > 
>  > ______________________________ Reply Separator ______________________________ > Author:  JIoannid (John Ioannidis <ji@hol.gr>) { NAME: John Ioannidis
>  > Date:    8/15/96 3:05 AM
>  > 
>  > 
>  > There is no such word. There are people on this list whose command of English
>  > is less than perfect, and make up words by converting words from their own
>  > language into something that sounds vaguely english-like.
>  > 
>  > The proper word is `authentication' (which, according to the Barnhart Concise
>  > Dictionary of Etymology, has been in the English language since at least 1788
> 
> I would like to add before this gets out of hand, and before a flurry of
> insults from readers for whom ESL, that most of the abuse of the english
> language is from those for whom english _is_ their native tongue and whose
> command is less than perfect.  many of the corruptions are a result of either
> some techno-babble jargon or by a need to feel superior through use of their 
> vocabulary.  probably the natural richness of the english language lends itself
> to such corruption.  if it weren't so flexible and evolving, dictionary writers
> would be out of business.  (kind of like a certain nationalistic european
> country that expends great efforts to keep its language sterile and
> uninfluenced by outside sources.)
> 
> apologies for the soap box.
> 
> BTW - ESL means english as a second language.
> 
>  ______________________________________________________________
> [ Jim Wamsley, Network Engineering                             ]
> [ StorageTek 2270 S. 88th St, M.S. 4379, Louisville, CO 80028  ] 
> [ Audible:  (303) 673-8163    Logical jim_wamsley@stortek.com  ]
> [                   Everything to Excess!                      ]
> [  To enjoy life to the fullest, you must take big bites.      ]
> [                  Moderation is for monks.                    ]
> [                                                Lazarus Long  ]
> [______________________________________________________________]
>   
> 

From firewalls-owner  Thu Aug 15 09:28:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02571 for firewalls-outgoing; Thu, 15 Aug 1996 08:50:25 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA02530 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 08:49:49 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de
	 with smtp (S3.1.29.1) id <m0ur4fq-000L3RC>; Thu, 15 Aug 96 17:49 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de
	 with bsmtp (S3.1.29.1) id <m0ur4fp-001l9BC>; Thu, 15 Aug 96 17:49 MET DST
Received: by lina
	id m0ur4eG-0004kCC
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 15 Aug 96 17:47 MET DST
Message-Id: <m0ur4eG-0004kCC@lina>
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: BoS: Re: USENIX Symposium Firewalls BOF Notes
To: firewalls@GreatCircle.COM
Date: Thu, 15 Aug 1996 17:47:52 +0200 (MET DST)
In-Reply-To: <199608151323.IAA02976@uther.cs.purdue.edu> from "Gene Spafford" at Aug 15, 96 08:23:24 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> No correction necessary as you are correct.  SHA has been in Tripwire
> since release 1.2, made 2 years ago next week.

AFAIK the real secure has is calles SHA-1 and is rather new, cause the
'first try' was not realy secure and was heavyly modified. The question is
is SHA in tripwire (2 years old?!) is refering tothe old or the new one? (Of
course its no problem to fix it if anybody cares).

Greetings
Bernd

From firewalls-owner  Thu Aug 15 09:59:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04006 for firewalls-outgoing; Thu, 15 Aug 1996 09:06:49 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA03995 for <Firewalls@greatcircle.com>; Thu, 15 Aug 1996 09:06:36 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02)
	id AA26599; Thu, 15 Aug 1996 12:06:34 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2)
	id MAA19649; Thu, 15 Aug 1996 12:05:16 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199608151605.MAA19649@splinter.rtp.dg.com>
Subject: Re: No More Unlimited User Licenses Please...
To: david@sealabs.com (David Bonn)
Date: Thu, 15 Aug 1996 12:05:13 -0400 (EDT)
Cc: pokey@maddie.atlantic.com, bjm@ottawa.net, hcasav@bmv.com.mx,
        Firewalls@greatcircle.com
In-Reply-To: <199608142256.PAA06525@torment.sealabs.com> from "David Bonn" at Aug 14, 96 03:56:34 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 
> >>>>> "Rick" == Rick Romkey <pokey@maddie.atlantic.com> writes:
> 
> >> Licensing based on 'users' is simply a marketing tool by which 
> >> a vendor can provide a firewall to smaller organanizations at a 
> >> reduced cost.
> 
> Rick> Or to increase the cost for a larger org...
> 
> It seems to me that just selling the product for less money would be less
> work.  All that hassle with n-user licenses is an annoying support
> burden and tracking problem.
> 
> dwb
> 

It's clear to me that no one really knows how to market firewalls.  What is
a user, anyway?  How can you count them?  No one really even knows how to
size them properly.

Yes, "selling the product for less money would be less work," but giving it
away would be even LESS work!  The real trick is to price the beasts at a
level that is palitable to the customer - not an easy task given the
diverse range of uses for firewall.

Take ours, for example.  Since you can run both internal and external web
sites directly on the system which is the firewall, how do you price the
software?  There are very few direct users in this environment, just lots
of client-server transactions.  But the fact that you can do with one
machine what otherwise you would need three machines for (external web
site, firewall, internal web site), increases the software's value emensely
- in that situation.  But if you are simply performing firewall/routing
functions, that value (1 vs 3 systems) may not be a factor.

Man, I can't wait until my crystal ball comes back from the factory after
its upgrade to to add a pricing forecaster crystal facet!


-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********

From firewalls-owner  Thu Aug 15 10:31:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05969 for firewalls-outgoing; Thu, 15 Aug 1996 09:31:22 -0700 (PDT)
Received: from gateway.grumman.com (gateway.grumman.com [192.86.71.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id JAA05961 for <Firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 09:31:05 -0700 (PDT)
Message-Id: <1.5.4.32.19960815163030.0068f334@gateway.grumman.com>
X-Sender: gdunn@gateway.grumman.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 15 Aug 1996 12:30:30 -0400
To: Firewalls@GreatCircle.COM
From: George Dunn <gdunn@gateway.grumman.com>
Subject: Security implications of DHCP?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>From a security point of view, what are the pros and cons of DHCP? 

For example, Hector Casavantes wrote:

"In my actual evaluation-licensed firewall, I have edited an
outbound proxy access rule, where I've put the list of IP
addresses of the users that can resolv out."

If DHCP was deployed in his internal environment, DHCP's dynamic ip address
allocation configuration, or the firewall's access rules, would have to change.




From firewalls-owner  Thu Aug 15 10:46:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09360 for firewalls-outgoing; Thu, 15 Aug 1996 10:01:32 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA09350 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 10:01:17 -0700 (PDT)
Received: from pferguso-pc.cisco.com (c1robo12.cisco.com [171.68.13.12]) by lint.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id KAA06805; Thu, 15 Aug 1996 10:02:24 -0700
Message-Id: <199608151702.KAA06805@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 15 Aug 1996 13:01:10 -0400
To: johnb@aztec.co.za
From: Paul Ferguson <pferguso@cisco.com>
Subject: Re: Firewall Questions (fwd)
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There's a Firewalls FAQ located at:

 http://www.v-one.com/newpages/faq.htm

- paul

At 05:21 PM 8/15/96 +0200, John Betts wrote:

>Howdy
> 
>% Before buying a firewall, what question should you ask the firewall
>% vendor ??  Is there some documentation on good questions to ask ? I'm
>% new to firewall technology, so I really dont know what good questions to
>% ask.  Thanks in-advance. : - )
>% 
>Dont we have a FAQ for all this kinda stuff?
>
>If so, where?
>
>tia
>
>ciao
>
>--
>John
>
>
>--
>John Betts, Aztec Internet Services Port Elizabeth, South Africa
>johnb@aztec.co.za,  Tel. +27(0)41 303 475, Fax. +27(0)41 301 052
>Authorised Caldera Consultant     ||     Part of the UUNet Group
>  Eat one live toad the first thing in the morning and nothing 
>        worse will happen to you the rest of the day.
>

--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Reston, Virginia   USA                                 ||||      ||||
tel: +1.703.716.9538                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s


From firewalls-owner  Thu Aug 15 11:57:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20981 for firewalls-outgoing; Thu, 15 Aug 1996 11:27:18 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA20950 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 11:27:03 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id LAA32181; Thu, 15 Aug 1996 11:27:01 -0700
Date: Thu, 15 Aug 1996 11:27:01 -0700 (PDT)
From: Robert Hanson <roberth@cet.com>
To: Nassim Chaabouni <chaabouni@houston.omnes.net>
cc: firewalls@GreatCircle.COM
Subject: Re: Testing tools
In-Reply-To: <v03007803ae390397dcde@[163.185.164.55]>
Message-ID: <Pine.LNX.3.94.960815112529.28534G-100000@cet.cet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

try

www.cert.org

in the pd... there are things like

iss
cops
satan
tiger (TAMU)

--->
Robert H. Hanson           LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.         Cutting Edge Communications        www.cet.com
(509) 927-9541             finger: info@cet.com or email: roberth@cet.com



On Thu, 15 Aug 1996, Nassim Chaabouni wrote:

> 
> Hi
> 
> What are the available  tools  for  testing UNIX  Hosts security?
> 
> Can someone Help?
> Regards,
> 
> 


From firewalls-owner  Thu Aug 15 12:09:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20892 for firewalls-outgoing; Thu, 15 Aug 1996 11:25:51 -0700 (PDT)
Received: from iidev.inhouse.compuserve.com (iidev.inhouse.compuserve.com [149.174.72.212]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id LAA20884 for <Firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 11:25:42 -0700 (PDT)
Received: (from uucp@localhost) by iidev.inhouse.compuserve.com (8.6.12/8.6.12) id OAA14621; Thu, 15 Aug 1996 14:17:43 -0400
Received: from gjones.inhouse.compuserve.com(149.174.79.3) by iidev.inhouse.compuserve.com via smap (V1.3)
	id sma014619; Thu Aug 15 14:17:40 1996
Date: Thu, 15 Aug 1996 14:20:37 -0400 (EDT)
From: "George M. Jones" <George.Jones@compuserve.net>
Reply-To: "George M. Jones" <George.Jones@compuserve.net>
Subject: Re: Security implications of DHCP?
To: George Dunn <gdunn@gateway.grumman.com>
cc: Firewalls@GreatCircle.COM
In-Reply-To: <1.5.4.32.19960815163030.0068f334@gateway.grumman.com>
Message-ID: <ML-2.2.840133237.7457.gjones@gjones.inhouse.compuserve.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >From a security point of view, what are the pros and cons of DHCP? 
> 

It makes tracking down abuse that much harder...if you log assignments
you have to crawl through your logs to figure out which machine had
which address at which time...if you don't log, you *can't* track
the abuser via IP address

---George Jones
CompuServe Internet Security
Email: George.Jones@CompuServe.NET
Voice: +1 614 538 4052, Fax: +1 614 457 0348
Snail Mail: 5000 Arlington Centre Blvd., Columbus, Ohio 43220 USA


From firewalls-owner  Thu Aug 15 12:25:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA21439 for firewalls-outgoing; Thu, 15 Aug 1996 11:31:11 -0700 (PDT)
Received: from bmv.com.mx (ns.bmv.com.mx [200.13.112.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA21420 for <Firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 11:30:53 -0700 (PDT)
Received: by firewall.bmv.com.mx id <14978>; Thu, 15 Aug 1996 13:27:41 -0600
Date: Wed, 14 Aug 1996 14:57:01 -0600
From: Hector Casavantes <hcasav@bmv.com.mx>
X-Mailer: Mozilla 2.02 (X11; I; HP-UX B.10.01 9000/819)
MIME-Version: 1.0
To: George Dunn <gdunn@gateway.grumman.com>
CC: Firewalls@GreatCircle.COM
Subject: Re: Security implications of DHCP?
References: <1.5.4.32.19960815163030.0068f334@gateway.grumman.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <96Aug15.132741cst.14978@firewall.bmv.com.mx>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


George Dunn wrote:
> 
> >From a security point of view, what are the pros and cons of DHCP?
> 
> For example, Hector Casavantes wrote:
> 
> "In my actual evaluation-licensed firewall, I have edited an
> outbound proxy access rule, where I've put the list of IP
> addresses of the users that can resolv out."
> 
> If DHCP was deployed in his internal environment, DHCP's dynamic ip address
> allocation configuration, or the firewall's access rules, would have to change.


Yes, you are right. If you use DHCP, you must have to use a very smart packet-filtering
firewall, which can operate at network/link level (not as proxy) and it must also be
programmed to interact with the DHCP Server (I don't think there are something simmilar).

If my very personal opinion is wrong, the proffesionals of this list will help us...
Hector Casavantes

From firewalls-owner  Thu Aug 15 12:49:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23923 for firewalls-outgoing; Thu, 15 Aug 1996 12:16:03 -0700 (PDT)
Received: from pe.net (pe.net [205.139.56.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA23848 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 12:15:38 -0700 (PDT)
Received: from (null) (ohdavy@magnolia [205.139.56.92]) by pe.net (8.6.12/8.6.12) with SMTP id MAA16587; Thu, 15 Aug 1996 12:15:35 -0700
Message-Id: <199608151915.MAA16587@pe.net>
Comments: Authenticated sender is <ohdavy@mail.pe.net>
From: "David S. Ridlon" <ohdavy@pe.net>
To: Firewalls <firewalls@GreatCircle.COM>,
        "Jeff D. Hayes" <hayesjd@mnbp2.network.com>
Date: Wed, 14 Aug 1996 21:49:05 +0000
Subject: Re: Holes In Frame Relay
Reply-to: ohdavy@pe.net
X-mailer: Pegasus Mail for Windows (v2.23)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

 PLEASE DO NOT SEND ME ANY MORE MAIL !!!!!





                             THANKS,
                                        OHDAVY@PE.NET

From firewalls-owner  Thu Aug 15 12:57:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24401 for firewalls-outgoing; Thu, 15 Aug 1996 12:22:52 -0700 (PDT)
Received: from pe.net (pe.net [205.139.56.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA24356 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 12:22:29 -0700 (PDT)
Received: from (null) (ohdavy@magnolia [205.139.56.92]) by pe.net (8.6.12/8.6.12) with SMTP id MAA16621; Thu, 15 Aug 1996 12:16:01 -0700
Message-Id: <199608151916.MAA16621@pe.net>
Comments: Authenticated sender is <ohdavy@mail.pe.net>
From: "David S. Ridlon" <ohdavy@pe.net>
To: Rabid Wombat <wombat@mcfeely.bsfs.org>
Date: Thu, 15 Aug 1996 12:18:24 +0000
Subject: Re: Re[2]: huh? switch hitter?
Reply-to: ohdavy@pe.net
CC: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>,
        Brian Murrell <Brian_Murrell@bctel.net>, lists@lina.inka.de,
        roberth@cet.com, firewalls@GreatCircle.COM
X-mailer: Pegasus Mail for Windows (v2.23)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PLEASE DO NOT MAIL ME ANY MORE



THANKS   OHDAVY@PENET

From firewalls-owner  Thu Aug 15 12:58:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA22748 for firewalls-outgoing; Thu, 15 Aug 1996 11:53:29 -0700 (PDT)
Received: from midway.evtech.com (midway.evtech.com [204.96.163.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id LAA22730 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 11:53:18 -0700 (PDT)
Received: from tahiti.evtech.com (tahiti.evtech.com [192.35.179.19]) by midway.evtech.com (8.7.3/8.6.9) with ESMTP id NAA00938; Thu, 15 Aug 1996 13:53:02 -0500 (CDT)
Received: from borneo.evtech.com (borneo.evtech.com [192.35.179.29]) by tahiti.evtech.com (8.6.12/8.6.12) with ESMTP id NAA03637; Thu, 15 Aug 1996 13:52:59 -0500
Message-Id: <199608151852.NAA03637@tahiti.evtech.com>
To: spaf@cs.purdue.edu (Gene Spafford)
cc: Jim Clausing <jac@postbox.acs.ohio-state.edu>, Rik Farrow <rik@spirit.com>,
        firewalls@GreatCircle.COM, kevintx@ministry.paranoia.com
Subject: Tripwire, COPS, etc.
In-reply-to: Your message of "Thu, 15 Aug 1996 08:23:24 CDT."
             <199608151323.IAA02976@uther.cs.purdue.edu> 
Date: Thu, 15 Aug 1996 13:52:57 -0500
From: Travis Hassloch x231 <travis@EvTech.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <199608151323.IAA02976@uther.cs.purdue.edu> you write: 
> No correction necessary as you are correct.  SHA has been in Tripwire
> since release 1.2, made 2 years ago next week.

On a slightly different note, one of my friends pointed out to me that
being able to specify particular patterns of files to checksum was out
of Tripwire's scope.  I was wondering if anyone had considered writing
a similar tool in PERL - particularly since PERL5 can dynamically link
against binary objects where you could do your encryption, and can easily
treat parts of configuration files as program code for complex matching
or what-have-you.

Disclaimer: I haven't even looked at tripwire; I build my configuration
(/etc) files from another CVS-controlled directory and it sets off all
kinds of alarms, not to mention I rebuild my system every few weeks.
Not to mention the issue of where to store/how to update the checksums.
Too many programs, options, and issues; too little time.

Does anyone know if running COPS is even worth it anymore?  The last rev
I saw was 1.04 and it seemed really fragile and seems to require a lot
of customization to get it working right (at least, for my NetBSD system).

From firewalls-owner  Thu Aug 15 13:13:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24389 for firewalls-outgoing; Thu, 15 Aug 1996 12:22:45 -0700 (PDT)
Received: from pe.net (pe.net [205.139.56.66]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA24354 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 12:22:28 -0700 (PDT)
Received: from (null) (ohdavy@magnolia [205.139.56.92]) by pe.net (8.6.12/8.6.12) with SMTP id MAA16617; Thu, 15 Aug 1996 12:15:57 -0700
Message-Id: <199608151915.MAA16617@pe.net>
Comments: Authenticated sender is <ohdavy@mail.pe.net>
From: "David S. Ridlon" <ohdavy@pe.net>
To: Rabid Wombat <wombat@mcfeely.bsfs.org>
Date: Thu, 15 Aug 1996 12:18:26 +0000
Subject: Re: Re[2]: huh? switch hitter?
Reply-to: ohdavy@pe.net
CC: "Roderick Murchison, Jr." <murchiso@vivid.newbridge.com>,
        Brian Murrell <Brian_Murrell@bctel.net>, lists@lina.inka.de,
        roberth@cet.com, firewalls@GreatCircle.COM
X-mailer: Pegasus Mail for Windows (v2.23)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PLEASE DO NOT MAIL ME ANY MORE



THANKS   OHDAVY@PENET

From firewalls-owner  Thu Aug 15 13:28:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA25191 for firewalls-outgoing; Thu, 15 Aug 1996 12:31:28 -0700 (PDT)
Received: from zippy.radian.com (zippy.radian.com [129.160.16.4]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA25160 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 12:31:12 -0700 (PDT)
Received: from frosty.radian.com (frosty.radian.com [129.160.144.9]) by zippy.radian.com (8.6.12/8.6.5) with ESMTP id OAA05375 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 14:31:13 -0500
Received: by frosty.radian.com (SMI-8.6/SMI-SVR4)
	id OAA26759; Thu, 15 Aug 1996 14:28:20 -0500
From: rtwood@radian.com (Ryan Wood)
Message-Id: <199608151928.OAA26759@frosty.radian.com>
Subject: Re: Testing tools
To: firewalls@GreatCircle.COM
Date: Thu, 15 Aug 96 14:28:19 CDT
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Robert Hanson <roberth@cet.com>
> Subject: Re: Testing tools
> 
> try
> 
> www.cert.org
> 
> in the pd... there are things like
> 
> iss
> cops
> satan
> tiger (TAMU)

"Tripwire" is another good tool to use.

Ryan
----
Ryan T. Wood, Scientist   |~~~~~\  /~~\  |~~~~~\ |~|  /~~\  |~\_|~| |~~~~~|
rtwood@radian.com         |  ~  / / /\ \ | [~_] || | / /\ \ | \ \ | |     |
(512) 419-5941            |_|~|_\/_|~~|_\|_____/ |_|/_|~~|_\|_|\__| |     |
                          ------------------------------------------| LLC |
                            I  N  T  E  R  N  A  T  I  O  N  A  L   |_____|

    All the opinions, typos, and errors are my own, not those of Radian!

Important Events:
   1 .. days till they postpone our next house closing date.... :(
   9 .. days till the start of Texas Aggie Football 1996, WHOOP!
 106 .. days till t.u. gets beat in football by A&M!!!!!

From firewalls-owner  Thu Aug 15 13:38:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23282 for firewalls-outgoing; Thu, 15 Aug 1996 12:06:39 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id MAA23263 for <firewalls@GreatCircle.com>; Thu, 15 Aug 1996 12:06:28 -0700 (PDT)
Received: from pm3-20.in.net by su1.in.net with SMTP (5.65/1.2-eef)
	id AA24877; Thu, 15 Aug 96 13:52:12 -0400
Date: Thu, 15 Aug 96 13:52:12 -0400
Message-Id: <9608151752.AA24877@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Rene de Baerdemaeker <rdb@IAEhv.nl>
From: Frank Willoughby <frankw@in.net>
Subject: Re: Firewall Questions
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 05:14 PM 8/15/96 +0200, you wrote:

>Moore, Mark wrote:
>> 
>> Before buying a firewall, what question should you ask the firewall
>> vendor ??  Is there some documentation on good questions to ask ? I'm
>> new to firewall technology, so I really dont know what good questions to
>> ask.  Thanks in-advance. : - )
>> 
>> Regards,
>> 
>> Security Analyst
>
>The same question for me, but i would like to know some good places to 
>go in the netherlands for advice on firewall technology.
>
>Thanks,
>
>Rene de Baerdemaeker
>
>Account manager


One way to get a head start is to pick up a copy of our free Firewall
Evaluation Checklist at our web site listed below.  (BTW, there's a 
commercial version available for the mere sum of $250 USD).  8^)

Best Regards,


Frank
Any sufficiently advanced bug is indistinguishable from a feature.
	-- Rich Kulawiec

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting 
http://www.fortified.com     Phone: (317) 573-0800     FAX: (317) 573-0817     
Home of the Free Internet Firewall Evaluation Checklist




From firewalls-owner  Thu Aug 15 13:43:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA00809 for firewalls-outgoing; Thu, 15 Aug 1996 13:26:23 -0700 (PDT)
Received: from mail-1.mail.demon.net (mail-1.mail.demon.net [158.152.1.211]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA00778 for <firewalls-digest@greatcircle.com>; Thu, 15 Aug 1996 13:26:08 -0700 (PDT)
Received: from post.demon.co.uk ([158.152.1.72]) by mail-1.mail.demon.net
           id aq04771; 15 Aug 96 21:01 BST
Received: from youngman.demon.co.uk ([158.152.67.147]) by relay-3.mail.demon.net
          id aa19409; 15 Aug 96 21:01 +0100
Message-ID: <32138FAE.5031@youngman.demon.co.uk>
Date: Thu, 15 Aug 1996 20:59:26 +0000
From: Jeremy Youngman <jeremy@youngman.demon.co.uk>
X-Mailer: Mozilla 2.02 (Win16; I)
MIME-Version: 1.0
To: firewalls-digest@greatcircle.com
Subject: http-gw possible spoofs (248.213.191.239)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, please could somebody explain the following messages I've seen over
the past few months? I'm particularly confused because it's the same IP
address being reported in each case by out http-gw proxy.

-----8<---------------------------------------------------------------------

 *Jun 28 13:10:55  http-gw$23913!: securityalert: possible spoof
 wolf.va.pubnix.com/248.213.191.239 != wolf.va.pubnix.com
 name lookup mismatch

 *Jul 12 10:45:17  http-gw$17538!: securityalert: possible spoof
 infowire.com/248.213.191.239 != infowire.com
 name lookup mismatch

 *Aug  9 10:32:59  http-gw$8377!: securityalert: possible spoof
 dspace.dial.pipex.com/248.213.191.239 != thunder.dial.pipex.com
 name lookup mismatch

 *Aug 14 09:19:29  http-gw$1726!: securityalert: possible spoof
 allsports.com/248.213.191.239 != allsports.com
 name lookup mismatch

-----8<---------------------------------------------------------------------

Thanks for any advice/ideas,

Jeremy

-- 
Jeremy Youngman             | ###### ## ## |    ("`-/")_.-'"``-.
jeremy@youngman.demon.co.uk |   ##   ##### |     . . `; -._    )-;-,_`)
Tel: +44 (0)1603 686258     | # ##      ## |    (v_,)'  _  )`-.\  ``-'
PGP: Key avail on request   | ####   ##### |   _.- _..-_/ / ((.'
 ----- All cats look grey in the dark -----  ((,.-'   ((,/


From firewalls-owner  Thu Aug 15 14:12:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA04172 for firewalls-outgoing; Thu, 15 Aug 1996 13:55:06 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id NAA04121 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 13:54:30 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0NQZF005 Thu, 15 Aug 96 16:54:20 
Message-ID: <9608151654.0NQZF00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Thu, 15 Aug 96 16:54:20 
Subject: Re:surprise
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


In response to the several folks who had queries

We dont do no consulting   The Church of the Dead Meow (cDm) was 
founded by Sick Puppy   The Church has disowned its founder Sick 
Puppy because of his alleged involvment in espionage and other stuff 
which we strongly disagree with   

The present Imperator of the cDm is Hack Doggy Dawg   We are educational
researchers and simply seek to learn how do some things better   Security
systems are evolving fairly rapidly and they are one of the areas that interest
us

First Article of Faith   - Never admit you did anything
Second Article of Faith  - They didnt see you so they cant prove it
Third Article of Faith   - The only thing they have against you is what
                          you said you did
Fourth Article of Faith  - Never admit you did anything
Fifth Article of Faith   - Vendors always lie
Sixth Article of Faith   - Follow your thirst, preferably mead
Seventh Article of Faith - Pay attention to Marcus Ranum, the d00d is smart

The cDm has no interest in consulting   Only in research

I apologize to those who feel I wasted their time with this post  It is 
simply the most efficient way to answer the questions
                                                        PoT_LiCkEr


From firewalls-owner  Thu Aug 15 14:28:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA06378 for firewalls-outgoing; Thu, 15 Aug 1996 14:14:11 -0700 (PDT)
Received: from hap.arnold.af.mil (smokey.arnold.af.mil [132.45.120.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA06369 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 14:13:54 -0700 (PDT)
Received: from zone.aedc (zone.arnold.af.mil [134.137.226.32]) by hap.arnold.af.mil (8.6.10/8.6.9) with ESMTP id QAA09357 for <@hap.aedc:firewalls@greatcircle.com>; Thu, 15 Aug 1996 16:17:15 -0500
Received: by zone.aedc (940816.SGI.8.6.9/930416.SGI)
	for firewalls@GreatCircle.COM id QAA09506; Thu, 15 Aug 1996 16:13:41 -0500
From: "Sean Fuller" <c60201@zone.arnold.af.mil>
Message-Id: <9608151613.ZM9504@zone.aedc>
Date: Thu, 15 Aug 1996 16:13:40 -0500
In-Reply-To: <firewalls-owner@GreatCircle.COM>
        "Security implications of DHCP?" (Aug 15,  1:09pm)
References: f<840132575ThuCDT.firewalls-owner@GreatCircle.COM>
X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail)
To: firewalls@greatcircle.com
Subject: Re: Security implications of DHCP?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I run a proxy firewall here.  Not all PCs are able to get out on the web
proxy.  This was implemented as filtering on IP address.  When we went
to DHCP in conjunction with the migration to windows 95 it threw a
monkey wrench into this.  We also were using IP addresses for auditing
where people were going on the web.  I have since written a sniffer
program that maintains a dynamic list of ethernet address to IP address
mappings.  The web proxy queries this in real time and logs both the
IP address and mac address that make each request.  This solved our
logging problem.  I am now working on filtering PCs on base from going
out by using their ethernet address instead of their IP address.  I am
hoping to solve all of this eventually by supporting the new proxy
login stuff being added to HTTP.  Does anybody know of any web proxies
that support this now?

From firewalls-owner  Thu Aug 15 14:43:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA05759 for firewalls-outgoing; Thu, 15 Aug 1996 14:07:30 -0700 (PDT)
Received: from ftp.com (ftp.com [128.127.2.122]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id OAA05729 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 14:07:17 -0700 (PDT)
Received: from ftp.com by ftp.com  ; Thu, 15 Aug 1996 17:07:12 -0400
Received: from mailserv-100bs.ftp.com by ftp.com  ; Thu, 15 Aug 1996 17:07:12 -0400
Received: by MAILSERV-100BS.FTP.COM (SMI-8.6/SMI-SVR4)
	id RAA12343; Thu, 15 Aug 1996 17:05:42 -0400
Date: Thu, 15 Aug 1996 17:05:42 -0400
Message-Id: <199608152105.RAA12343@MAILSERV-100BS.FTP.COM>
To: firewalls@greatcircle.com
Subject: adding ipsec into your already firewalled world
From: chip@ftp.com (Chip Sparling)
Reply-To: chip@ftp.com
Repository: mailserv-100bs.ftp.com, [message accepted at Thu Aug 15 17:05:35 1996]
Originating-Client: slingshot.ftp.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello all,

What happens when you add packets to your firewalled world that 
don't have any information above the IP layer to filter on? This
is what I envision in a perfect IPSec world.  If the firewall is 
the IPSec tunnel point, I suppose your rules still apply, but what 
about using node to node IPSec (transport mode) or even node to 
some far away firewall/IPSec gateway (tunnel mode)?  Your local 
firewall will only see the IP header and then encrypted data that 
the other end will decrypt to see the protocol header, etc...

I'm assuming that since you specifically allow services, nothing 
will get through, although if you are using a router to specifically 
disallow certain services through, that will be defeated.

What you can't do;

Block destination addresses, if tunnel mode is being used it creates 
a proxy destination.  You could block end to end connections.

Block outbound "problem" services, protocols aren't known, it is only
type 51, no idea if it is ICMP, UDP or TCP, never mind application 
port filtering.

Block inbound connections with any level of granularity, you'll have
to allow all or none.


These are just some thoughts I have after 2 days with IPSec on
my host.  Any comments?

chip
ftp software


From firewalls-owner  Thu Aug 15 15:13:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA11732 for firewalls-outgoing; Thu, 15 Aug 1996 15:07:00 -0700 (PDT)
Received: from london.micrognosis.com (midas.london.micrognosis.com [193.114.123.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id PAA11679 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 15:06:41 -0700 (PDT)
Received: by london.micrognosis.com (4.1/NAR-Gateway)
	id AA07332; Thu, 15 Aug 96 23:06:33 BST
Received: from zeus.london.micrognosis.com(192.83.165.17) by midas via smap (V1.0mjr)
	id sma007330; Thu Aug 15 23:05:44 1996
Received: from moria by zeus.london.micrognosis.com (4.1/SMI-4.1)
	id AA18098; Thu, 15 Aug 96 23:05:41 BST
From: nreadwin@london.micrognosis.com (Neil Readwin)
Received: by moria 
        (4.1//ident-1.0) id AA12437; Thu, 15 Aug 96 23:05:39 BST 
Message-Id: <9608152205.AA12437@moria>
Subject: Re: http-gw possible spoofs (248.213.191.239)
To: jeremy@youngman.demon.co.uk (Jeremy Youngman)
Date: Thu, 15 Aug 1996 23:05:38 +0100 (BST)
Cc: firewalls@greatcircle.com
In-Reply-To: <32138FAE.5031@youngman.demon.co.uk> from "Jeremy Youngman" at Aug 15, 96 08:59:26 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeremy Youngman writes:
> Hi, please could somebody explain the following messages I've seen over
> the past few months?

Those sites have, or have had, inconsistent DNS entries. Consider dial ...

        thunder.dial.pipex.com          points to 158.43.192.50
        dspace.dial.pipex.com           is a CNAME pointing to thunder
        50.192.43.158.in-addr.arpa      points to www.dial.pipex.com
        www.dial.pipex.com              points to 158.43.121.45

Its nothing you need to worry about.
        
> I'm particularly confused because it's the same IP
> address being reported in each case by out http-gw proxy.

Looks like a bug in the http-gw. lib/nama.c calls inet_ntoa(long *)
when it should be doing inet_ntoa(struct in_addr). It is modified in 
2.0alpha to call inet_ntoa(long). Delete the &, request a page from
www.dial.pipex.com through the proxy and see if that improves it.

As far as I can see lib/pname.c would log it as

        dspace.dial.pipex.com/thunder.dial.pipex.com != 248.213.191.239

which is another bug :-) Neil.
-- 
"So you could say the greatest achievement of the Internet is that it turns
nuclear war into nothing more than a series of routing errors." -- Mark Pesce

From firewalls-owner  Thu Aug 15 15:42:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA14281 for firewalls-outgoing; Thu, 15 Aug 1996 15:33:52 -0700 (PDT)
Received: from tera.bctel.net (tera.bctel.net [204.174.64.252]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id PAA14274 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 15:33:43 -0700 (PDT)
Received: (from nobody@localhost) by tera.bctel.net (8.7.4/8.7.1) id PAA18299; Thu, 15 Aug 1996 15:28:54 -0700 (PDT)
Received: from mocha.bctel.net(204.174.66.5) by tera via smap (V1.3)
	id sma018296; Thu Aug 15 15:28:34 1996
Received: (from murrell@localhost) by mocha.bctel.net (8.7.5/8.7.3) id PAA16904; Thu, 15 Aug 1996 15:28:33 -0700 (PDT)
From: Brian Murrell <Brian_Murrell@bctel.net>
Message-Id: <199608152228.PAA16904@mocha.bctel.net>
Date: Thu, 15 Aug 1996 15:28:32 -0700 (PDT)
To: chip@ftp.com
Cc: firewalls@GreatCircle.COM
Subject: Re: adding ipsec into your already firewalled world
In-Reply-To: <199608152105.RAA12343@MAILSERV-100BS.FTP.COM>
X-Mailer: Ishmail 1.2.2-960610-sol24 <http://www.halsoft.com/products/ishmail>
MIME-Version: 1.0
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

from the quill of chip@ftp.com (Chip Sparling) on scroll
<199608152105.RAA12343@MAILSERV-100BS.FTP.COM>
> Hello all,
> 
> What happens when you add packets to your firewalled world that 
> don't have any information above the IP layer to filter on? This
> is what I envision in a perfect IPSec world.  If the firewall is 
> the IPSec tunnel point, I suppose your rules still apply, but what 
> about using node to node IPSec (transport mode) or even node to 
> some far away firewall/IPSec gateway (tunnel mode)?  Your local 
> firewall will only see the IP header and then encrypted data that 
> the other end will decrypt to see the protocol header, etc...

Ah, interesting indeed.  It's been a while since I read the IPSec specs,
but there are two ways to handle this that I can think of.  The easier of
the two is to just have the firewall pass any traffic which it knows will
be treated as encrypted IPSec at the end node.  When the end node gets it,
it can verify that it is indeed encrypted correctly and will know (not
guess based on the source IP address) which host it came from.

The second way to handle this is to allow the firewall to participate in
the cyrptographic authentication and pass/drop traffic based on that.  I
can see a filtering firewall where source address is a key identifying a
host rather than IP address.  This would be nice.

The problem with all of this is it only takes care of one portion of a
firewalls' job - eliminating traffic from unwanted sources.  There is a
whole separate process of validating data to avoid data driven attacks.  In
this scenario, the firewall has to be the endpoint of the IPSec tunnel,
much as firewalls are the endpoint of an SMTP session today.  The traffic
can be inspected and re-tunnelled to the actual recipient just as SMTP is
repackaged and sent to the intended recipient in today's firewalls.

> These are just some thoughts I have after 2 days with IPSec on
> my host.  Any comments?

Yeah.  What are you running IPSec on??  If you say a Windows (95!)
workstation, you win the prize and make me wet my pants.  :-)

Where/how/when can I get one??  We have a large user-base which are looking
for a routed access past a firewall.  I can only see IPSec (or similar VPN
technologies) making me at all comfortable about doing this.  We would
require a filter which allows us to source a machine by key and not IP
address.  We would also require encrypted sessions to networks behind the
firewall.

b.


--
Brian J. Murrell                                        Brian_Murrell@bctel.net
BCTel Advanced Communications                                   brian@ilinx.com
Vancouver, B.C.                                                brian@wimsey.com
604 454 5279

From firewalls-owner  Thu Aug 15 17:43:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22063 for firewalls-outgoing; Thu, 15 Aug 1996 17:38:56 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA22056 for <Firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 17:38:48 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id UAA18461; Thu, 15 Aug 1996 20:44:23 -0500
From: Adam Shostack <adam@homeport.org>
Message-Id: <199608160144.UAA18461@homeport.org>
Subject: Re: Security implications of DHCP?
To: gdunn@gateway.grumman.com (George Dunn)
Date: Thu, 15 Aug 1996 20:44:23 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <1.5.4.32.19960815163030.0068f334@gateway.grumman.com> from "George Dunn" at Aug 15, 96 12:30:30 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

George Dunn wrote:

| >From a security point of view, what are the pros and cons of DHCP? 

	A dhcp machine can't use securid authentication tokens because
the ACE/server uses IP to index into its database of client secret
keys.

	The pro- or con- nature of this is a matter of opinion.  ;)

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume


From firewalls-owner  Thu Aug 15 17:58:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22289 for firewalls-outgoing; Thu, 15 Aug 1996 17:47:04 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id RAA22272 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 17:46:50 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com
 (EMWAC SMTPRS 0.81) with SMTP id <B0000003858@www.steldyn.com>;
 Thu, 15 Aug 1996 18:52:49 -0600
Received: by juneau.steldyn.com with Microsoft Exchange (IMC 4.0.837.3)
	id <01BB8ADA.369DDE80@juneau.steldyn.com>; Thu, 15 Aug 1996 18:47:30 -0600
Message-ID: <c=US%a=_%p=Stellar_Dynamics%l=JUNEAU-960816004728Z-69@juneau.steldyn.com>
From: Chris Pugrud <ChrisP@steldyn.com>
To: Firewalls Mailing list <firewalls@greatcircle.com>,
        "'Sean Fuller'"
	 <c60201@zone.arnold.af.mil>
Subject: RE: Security implications of DHCP?
Date: Thu, 15 Aug 1996 18:47:28 -0600
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There are a couple of solutions to these problems coming out.  One is
the DNS-WINS tie in which will let you do a revers DNS and get the name
of a machine that was assigned via DHCP.  For NT 3.51 the files are on
ftp://internet.microsoft.com.  For 4.0 it's built in.  
Catapult allows you to assign users permissions on the proxy via groups
or users from your domain list.  This nulifies the whole IP-DHCP-WINS
issue because it is based on who they are logged in as.  Browsers that
do not report the Challenge Response (IE 3.0 is supposed to) are popped
up with a login message asking for username/password.  Browsers that do
support CHAP will be transparent.
Catapult is the only product that I have tested that supports this. 
Raptor has said that they are working on it.  I have had no other
feedback from NT firewall vendors about this.

Chris

>----------
>From: 	Sean Fuller[SMTP:c60201@zone.arnold.af.mil]
>Sent: 	Thursday, August 15, 1996 3:13 PM
>To: 	Firewalls Mailing list
>Subject: 	Re: Security implications of DHCP?
>
>I run a proxy firewall here.  Not all PCs are able to get out on the
>web
>proxy.  This was implemented as filtering on IP address.  When we went
>to DHCP in conjunction with the migration to windows 95 it threw a
>monkey wrench into this.  We also were using IP addresses for auditing
>where people were going on the web.  I have since written a sniffer
>program that maintains a dynamic list of ethernet address to IP address
>mappings.  The web proxy queries this in real time and logs both the
>IP address and mac address that make each request.  This solved our
>logging problem.  I am now working on filtering PCs on base from going
>out by using their ethernet address instead of their IP address.  I am
>hoping to solve all of this eventually by supporting the new proxy
>login stuff being added to HTTP.  Does anybody know of any web proxies
>that support this now?
>

From firewalls-owner  Thu Aug 15 18:13:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22696 for firewalls-outgoing; Thu, 15 Aug 1996 17:57:10 -0700 (PDT)
Received: from arthur.cs.purdue.edu (arthur.cs.purdue.edu [128.10.2.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA22687 for <firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 17:56:55 -0700 (PDT)
Received: from uther.cs.purdue.edu (root@uther.cs.purdue.edu [128.10.2.20]) by arthur.cs.purdue.edu (8.7.4/PURDUE_CS-1.4) with ESMTP id TAA02262; Thu, 15 Aug 1996 19:56:23 -0500 (EST)
Received: from localhost (spaf@localhost [127.0.0.1]) by uther.cs.purdue.edu (8.7.4/PURDUE_CS-1.4) with SMTP id TAA06510; Thu, 15 Aug 1996 19:56:20 -0500 (EST)
Message-Id: <199608160056.TAA06510@uther.cs.purdue.edu>
X-Mailer: exmh version 1.6.7 5/3/96
To: Travis Hassloch x231 <travis@EvTech.com>
cc: Jim Clausing <jac@postbox.acs.ohio-state.edu>, Rik Farrow <rik@spirit.com>,
        firewalls@GreatCircle.COM, kevintx@ministry.paranoia.com
Subject: Re: Tripwire, COPS, etc. 
X-URI: http://www.cs.purdue.edu/people/spaf
X-Face: #Qsg)Z|}R*yk&8kWAs-y5(S=7}fDA:S;%d:gf$3VC<+5./P.gGhK7S)zL]EumGX}
  _*GuP+vNhr0qVCDP9VWfZH${(8htny}Y.#zgaNN4-l:i+RPD)!Ok7t`VxeH7TT!8jzV2?]
  _wv\J@EZi_4V!&ss7UQgQ2ZzeR<}>|!#z3cw*?%\@bGY}o_PI81of<Q<6,nz~_J_nD7voU
  @ql1%x,dw^xAHcDs7}tVK32Mn,
In-reply-to: Message from Travis Hassloch x231 <travis@EvTech.com>  of
    "Thu, 15 Aug 1996 13:52:57 -0500"
    <199608151852.NAA03637@tahiti.evtech.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 15 Aug 1996 19:56:16 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The next edition of Tripwire is going to have pattern-based file 
specification.

--spaf




From firewalls-owner  Thu Aug 15 18:27:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22573 for firewalls-outgoing; Thu, 15 Aug 1996 17:54:31 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id RAA22544 for <Firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 17:54:18 -0700 (PDT)
Received: from explorer2.clark.net (mjr@explorer2.clark.net [168.143.0.5]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id UAA13348 for <Firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 20:54:16 -0400 (EDT)
From: "Marcus J. Ranum" <mjr@clark.net>
Received: (from mjr@localhost) by explorer2.clark.net (8.7.1/8.7.1) id UAA25213 for Firewalls@GreatCircle.COM; Thu, 15 Aug 1996 20:54:15 -0400 (EDT)
Message-Id: <199608160054.UAA25213@explorer2.clark.net>
Subject: Re: Firewall Questions
To: Firewalls@GreatCircle.COM
Date: Thu, 15 Aug 1996 20:54:14 -0400 (EDT)
In-Reply-To: <199608152247.PAA15218@miles.greatcircle.com> from "Firewalls-Digest" at Aug 15, 96 03:47:02 pm
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD Office
Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Betts <johnb@aztec.co.za> writes:
>Dont we have a FAQ for all this kinda stuff?

	The official firewalls FAQ is on http://www.v-one.com/pubs
along with a bunch of related white papers mostly authored by
myself. For questions to ask vendors, a good place to start is
with the firewall product summaries outline I was trying to promote
last year. I think NCSA has adopted pieces of it for their evaluation
process, but I'm not sure. The product summaries outline is a
checklist of the kinds of things that you typically will want to
know about a product. There's some information on that effort
on http://www.v-one.com/pubs/fwsumm

mjr.

From firewalls-owner  Thu Aug 15 18:41:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA23176 for firewalls-outgoing; Thu, 15 Aug 1996 18:02:27 -0700 (PDT)
Received: from hap.arnold.af.mil (smokey.arnold.af.mil [132.45.120.11]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id SAA23169 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 18:02:12 -0700 (PDT)
Received: from zone.aedc (zone.arnold.af.mil [134.137.226.32]) by hap.arnold.af.mil (8.6.10/8.6.9) with ESMTP id UAA13145 for <@hap.aedc:firewalls@greatcircle.com>; Thu, 15 Aug 1996 20:05:34 -0500
Received: by zone.aedc (940816.SGI.8.6.9/930416.SGI)
	for firewalls@greatcircle.com id UAA09665; Thu, 15 Aug 1996 20:01:59 -0500
From: "Sean Fuller" <c60201@zone.arnold.af.mil>
Message-Id: <9608152001.ZM9663@zone.aedc>
Date: Thu, 15 Aug 1996 20:01:58 -0500
In-Reply-To: <chaabouni@houston.omnes.net>
        "RE: Security implications of DHCP?" (Aug 15,  5:27pm)
References: c<840148047ThuCDT.chaabouni@houston.omnes.net>
X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail)
To: firewalls@greatcircle.com
Subject: Re: Security implications of DHCP?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Aug 15,  5:27pm, Nassim Chaabouni <chaabouni@houston.omnes.net> wrote:
> >[a bunch of stuff I said deleted]
>
> Forget about proxies and use FW1

Thanks.  What brilliant insight.  ;)

I assume you are talking about Firewall 1?

The whole story is kinda funny when I look back on it.  I actually
independently invented proxies 4 years ago.  I coded the first one
on a MicroVAX.  It was a generic thing, a lot like SOCKS.   The
first application I proxied was FTP and the second was Mosaic 0.9.
It was a blast.   The whole thing has grown up since then, and I
have learned a lot.  Why ruin all my fun?  :)

There is a move to standardize within the Air Force.  Don't know what
we'll pick yet, but we are definitely looking at everything available,
including Firewall 1.

Why would you suggest FW1 over a proxy firewall?

Do you know if FW1 supports user authentication, or application specific
logging (like we do for Web accesses here)?


From firewalls-owner  Thu Aug 15 19:44:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA00870 for firewalls-outgoing; Thu, 15 Aug 1996 19:29:32 -0700 (PDT)
Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA00863 for <Firewalls@GreatCircle.COM>; Thu, 15 Aug 1996 19:29:19 -0700 (PDT)
Received: (from sconner@localhost) by cypress.cycon.com (8.7.5/8.7.3) id VAA07757; Thu, 15 Aug 1996 21:47:50 -0400
Date: Thu, 15 Aug 1996 21:47:49 -0400 (EDT)
From: Steve Conner <sconner@cycon.com>
To: Hector Casavantes <hcasav@bmv.com.mx>
cc: Firewalls@GreatCircle.COM
Subject: Re: Security implications of DHCP? (fwd)
Message-ID: <Pine.LNX.3.91.960815213537.7737A-100000@cypress.cycon.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


>>George Dunn wrote:
>> 
>> >From a security point of view, what are the pros and cons of DHCP?
>> 
>> For example, Hector Casavantes wrote:
>> 
>> "In my actual evaluation-licensed firewall, I have edited an
>> outbound proxy access rule, where I've put the list of IP
>> addresses of the users that can resolv out."
>> 
>> If DHCP was deployed in his internal environment, DHCP's dynamic ip 
>> address
>> allocation configuration, or the firewall's access rules, would have 
>> to change.

Hector Casavantes wrote:

> Yes, you are right. If you use DHCP, you must have to use a very smart 
> packet-filtering
> firewall, which can operate at network/link level (not as proxy) and it 
> must also be programmed to interact with the DHCP Server (I don't think 
> there are something simmilar).
>
> If my very personal opinion is wrong, the proffesionals of this list 
> will help us... Hector Casavantes

Hector,

You are right here, but there are two ways to do this.

1)  You have a firewall that will interact with the DHCP server.  It must 
obtain the list of DHCP address and create dynamic rules on the fly.  
This works, but you do loose a lot of logging that could be useful in the 
event of improper net use.

2)  The second way is to have a firewall, probably packet filtering that 
can authenticate the users on the way out and create dynamic rules base 
on user profiles.  This would not gives strong control over the type of 
traffic a user is authorized to generate, but it gives you robust logs 
that can be used to trace activity if needed.  

---------------------------------------------------------------
Steve Conner                            Cypress Consulting, Inc.
sconner@cycon.com                       703-256-1279
Manager, Research & Development         http://www.cycon.com
CYCON Labyrinth, Firewall and Network Address Translator
---------------------------------------------------------------


From firewalls-owner  Thu Aug 15 22:01:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA06215 for firewalls-outgoing; Thu, 15 Aug 1996 21:42:46 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-951221-1) id VAA05983 for firewalls@greatcircle.com; Thu, 15 Aug 1996 21:35:47 -0700 (PDT)
Received: from fredin.co.frederick.md.us ([199.248.201.253]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA01282 for <firewalls@greatcircle.com>; Thu, 15 Aug 1996 08:29:48 -0700 (PDT)
Received: from xl1.co.frederick.md.us by fredin.co.frederick.md.us with SMTP
	(1.38.193.4/16.2) id AA24679; Thu, 15 Aug 1996 11:30:48 -0400
Received: from XL1.CO.FREDERICK.MD.US by XL1.CO.FREDERICK.MD.US 
 with HPDesk-FSC id 002LX9; Thu, 15 Aug 1996 11:27:24 -0500
Message-Id: <002LX9@XL1.CO.FREDERICK.MD.US>
X-Mailer: DeskLink [Version B.03 95/12/18]
Mime-Version: 1.0
Date: 15 Aug 96 11:27 +0500
To: firewalls@greatcircle.com
Subject: How do I subscribe to cisco list?
X-Hpdesk-Id: 20532578 0 0 0 "NTMAIL  "
X-Hpdesk-Priority: 3
X-Hpdesk-System: 13
From: Alan_AMBERS@CO.FREDERICK.MD.US (Alan AMBERS)
X-Hpdesk-To: "INTERNET"@[firewalls@greatcircle.com]
X-Hpdesk-Cc: "Steve MORIARTY"@[IDPA/AA] 
Content-Type: text/plain; 
        Name="/HPOFFICE/NETMAIL/C2841245.txt"
Content-Disposition: inline; 
           Filename="/HPOFFICE/NETMAIL/C2841245.txt"
X-Hpdesk-Subject: Message text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings fellow firewall list users....


Does anyone know how to subscribe to the Cisco listserv (or majordomo or
???)

I need both the address and the subscribe info.

Thanks!

/alan

alan_ambers@co.frederick.md.us




From firewalls-owner  Fri Aug 16 05:58:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA23371 for firewalls-outgoing; Fri, 16 Aug 1996 05:44:51 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA23363 for <Firewalls@GreatCircle.COM>; Fri, 16 Aug 1996 05:44:33 -0700 (PDT)
Received: by mail.RC.Toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
	id <01BB8B4E.AD10A600@mail.RC.Toronto.on.ca>; Fri, 16 Aug 1996 08:41:11 -0400
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960816124108Z-22@mail.RC.Toronto.on.ca>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'Firewalls@GreatCircle.COM'" <Firewalls@GreatCircle.COM>,
        "'George Dunn'" <gdunn@gateway.grumman.com>
Subject: RE: Security implications of DHCP?
Date: Fri, 16 Aug 1996 08:41:08 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

George,

Assuming you are using NT's DHCP server, many people seem to forget that
you can define static leases, thereby assigning an IP address to a MAC
address, permanently. This has the advantage of giving you a known IP
address for a specific person (which you can then build ACLs on), while
still giving you the dynamic capabilities of DHCP for all other
information (i.e. scope parameters).

The vast majority of users in a DHCP environment do not actually need to
have dynamic IP addresses, but instead, you do it more to avoid having
to go to machines to configure, or reconfigure, options. Using static
leases still gives you these benefits, as there is nothing you need to
do at the client to configure a static lease.

For those machines that *seem to* need a dynamic address (i.e. laptops
that move from site to site), you can still assign static leases for
them in multiple scopes (i.e. they can have a static lease in each
site's DHCP server).

The machines that move will make your ACLs a bit more complicated as you
will have to have multiple IP addresses for each of these people on each
ACL you create, and for those you might have to maintain a list of all
of their IP addresses in the various subnets.

If you don't have sufficient IP addresses in each subnet to do this,
then considering putting a NAT in place to allow you to use RFC 1918 to
renumber your network. Since your machines are numbered using DHCP,
implementing RFC 1918 is much easier than without DHCP (I'm not
suggesting its easy to make all the modifications to all of your
routers, but its easier than if you didn't have DHCP).

There is no reason, in this environment, to have dynamically assigned IP
addresses, but if you want to have some anyway, just group them together
in each subnet and apply rules to them as if they are one machine (using
the range of addresses rather than a single address). I would suggest
you treat them like guest machines, restricting their access drastically
to the most basic services you might give your least trusted users. This
way you can still go out and do a new installation, receive a dynamic IP
address, and do basic installation checking. Once that's done, you
modify your DHCP database to include the new MAC address as a static
lease, release the dynamic lease, and have the client either reboot or
do a renew on their DHCP lease. You can still set expirations on static
leases, so you can have scope information automatically updated on
clients at regular intervals even though they're using static leases.

As Chris pointed out, Catapult from Microsoft is based on the user ID,
which has both pros and cons associated with it...pro means you don't
have to worry about IP addresses in ACLs on the Catapult server, ...cons
means someone can grant permission to someone else by giving them their
user ID and password (if they are using a piece of software that doesn't
understand NT Challenge/Response).

When LDAP support comes out in MSX 4.1, there may be a way to translate
user ID to IP address for a variety of authentication services.

Cheers,
Russ
...eek, quick, someone give me some broken software, I'm suffering beta
withdrawals...
>

From firewalls-owner  Fri Aug 16 06:13:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA23673 for firewalls-outgoing; Fri, 16 Aug 1996 05:58:13 -0700 (PDT)
Received: from warka.ai.univ-paris8.fr (warka.ai.univ-paris8.fr [192.33.156.38]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA23639 for <Firewalls@GreatCircle.COM>; Fri, 16 Aug 1996 05:58:00 -0700 (PDT)
Received: (from fred@localhost) by warka.ai.univ-paris8.fr (8.6.12/8.6.9) id PAA23538; Fri, 16 Aug 1996 15:14:35 +0200
Date: Fri, 16 Aug 1996 15:14:35 +0200
Message-Id: <199608161314.PAA23538@warka.ai.univ-paris8.fr>
From: Frederic Cirera <fred@warka.ai.univ-paris8.fr>
To: Firewalls@GreatCircle.COM
Subject: ange-ftp and ssh
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk



Hello,

Please, how to use ssh with ange-ftp to encrypt the password exchange
or all the session. 

Thanks.
Fred.

-- 
  |o|         Redistribution by Microsoft Network is prohibited.   |o|
  |o|  Frederic CIRERA           Email : fred@ai.univ-paris8.fr    |o|
  |o|  Webmaster  Mygale.org     WWW   : http://www.mygale.org/    |o|
  |o|                                  : fred@mygale.org           |o|

From firewalls-owner  Fri Aug 16 06:28:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA23315 for firewalls-outgoing; Fri, 16 Aug 1996 05:42:50 -0700 (PDT)
Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA23275 for <firewalls@greatcircle.com>; Fri, 16 Aug 1996 05:42:34 -0700 (PDT)
From: potlicker@morebbs.com
Received: by morebbs.com
     id 0C8GI001 Fri, 16 Aug 96 08:42:33 
Message-ID: <9608160842.0C8GI00@morebbs.com>
Organization: MORE BBS
X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p
Date: Fri, 16 Aug 96 08:42:33 
Subject: What threats?
To: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk


This a serious question   Serious answers will be appreciated

We have been reviewing the implementation plan presently being carried
out by WankersPLC together with DeSade (also known as SARDE) of Paris

WankersPLC has a large amount of documentation that it has moved onto 
an optical disk system   DeSade has helpled them set up an internal web
server that accesses the optical disk and returns the documents in HTML
format   In a stroke of brilliance WankersPLC decided to install a TIS
type firewall and let all web browsers on the Internet come in through
it to their internal web server   All other incoming services will be
blocked   External web browsers will only be permitted to connect to one
internal IP address which is the web server   DeSade has assured 
WankersPLC that the web server can be made secure but DeSade seems 
clueless about how to actually do that

Our question is - what specific threats are WankersPLC exposing themselves
to   

Recently we saw BigCo web server get knocked down twice in one hour
with SYN attacks so we would like to get an idea of what is likely to
hit WankersPLC
                                                PoT_LiCkEr

-= Fwederwick at Lavender AN Lace (LANL) we didnt forget you   Next time =-

From firewalls-owner  Fri Aug 16 06:59:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA26831 for firewalls-outgoing; Fri, 16 Aug 1996 06:49:45 -0700 (PDT)
Received: from mail.RC.Toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id GAA26824 for <Firewalls@GreatCircle.COM>; Fri, 16 Aug 1996 06:49:33 -0700 (PDT)
Received: by mail.RC.Toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5)
	id <01BB8B57.C3079410@mail.RC.Toronto.on.ca>; Fri, 16 Aug 1996 09:46:13 -0400
Message-ID: <c=US%a=_%p=Toronto%l=MAIL-960816134611Z-23@mail.RC.Toronto.on.ca>
From: Russ <Russ.Cooper@RC.Toronto.on.ca>
To: "'Firewalls@GreatCircle.COM'" <Firewalls@GreatCircle.COM>,
        "'Hector Casavantes'" <hcasav@bmv.com.mx>
Subject: RE: No More Unlimited User Licenses Please...
Date: Fri, 16 Aug 1996 09:46:11 -0400
X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hector, et al...

Consider this.

If licensing were based on "nodes protected", you might say that by
putting a router just inside the Firewall means you only have to protect
the router, but since the router doesn't make requests for access to
applications that a Firewall can prevent, you have to add to that the
machines inside that do make the application requests. So, you might
then say, "well, I only need to protect those machines making a request
for applications through the Firewall", but since the Firewall also
protects requests coming from the Internet for access to internal hosts,
all of the machines which are not sending outbound requests are being
protected from inbound requests.

Therefore, its simply easier to say, you purchase a license for all
machines which are connected to the same network which the Firewall is
connected to. If the pricing model was different, you might set up two
Firewalls surrounding your Internet surfers, one protecting it from your
internal network, and the other protecting it from the external network.
Obviously, this is more expensive (typically) than buying an unlimited
license (or a license for your entire network).

Something that is often overlooked is the number of machines in WAN'd
sites that are also being protected by a single Firewall to the
Internet.

It is a marketing thing, but after all, nobody buys a Firewall simply to
restrict internal users from using certain protocols outbound, everyone
always wants security from inbound attacks. If the Firewall is doing the
job you bought it for, its protecting every machine on the network its
connected to regardless of what OS, transport protocol, or applications
are in use. If someone came up with a hack to stuff investigative SPX
packets into TCP packets and get them back and forth through your
Firewall to attack your Novell network, you'd be pretty pissed at your
Firewall vendor, wouldn't you?

If its on your network, its subject to attack, unless your Firewall is
protecting it. If it is, then its delivering a service that most vendors
feel they should be paid for. Where they set their levels on the
different license models is marketing, but the fact remains your
Firewall protects everything. If you don't think your Firewall needs to
protect machines that are not directly using it, then you have a serious
problem in your Site Security Policy and the way you understand the
risks associated with an Internet connection.

Cheers,
Russ
...eek, quick, someone give me some broken software, I'm suffering beta
withdrawals...
>

From firewalls-owner  Fri Aug 16 07:58:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA01232 for firewalls-outgoing; Fri, 16 Aug 1996 07:50:34 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA01218 for <Firewalls@GreatCircle.COM>; Fri, 16 Aug 1996 07:50:22 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id JAA23908; Fri, 16 Aug 1996 09:50:18 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3)
	id sma001161; Fri Aug 16 09:46:12 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA12939; Fri, 16 Aug 1996 09:46:12 -0500
Received: by sonic.nmti.com; id AA04308; Fri, 16 Aug 1996 09:46:11 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608161446.AA04308@sonic.nmti.com.nmti.com>
Subject: Re: No More Unlimited User Licenses Please...
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Fri, 16 Aug 1996 09:46:11 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM, hcasav@bmv.com.mx
In-Reply-To: <c=US%a=_%p=Toronto%l=MAIL-960816134611Z-23@mail.RC.Toronto.on.ca> from "Russ" at Aug 16, 96 09:46:11 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just to play the devil's advocate here, let's look at a proxy firewall. Its
default behaviour is to allow NO connections. As installed, you can't tell
a proxy firewall from no internet connection at all.

If you have a classic C&B firewall, the *protection* mechanism is in the
two packet filters on either end.

So the proxy isn't providing protection so much as access... right? Shouldn't
you charge on that basis?

(waits for flames)

From firewalls-owner  Fri Aug 16 08:13:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA01233 for firewalls-outgoing; Fri, 16 Aug 1996 07:50:39 -0700 (PDT)
Received: from hqmail.usda.gov ([199.128.3.90]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id HAA01225; Fri, 16 Aug 1996 07:50:26 -0700 (PDT)
Received: by hqmail.usda.gov
	(1.40.112.4/16.2-WT4.1) id AA194167054; Fri, 16 Aug 1996 10:50:54 -0400
Date: Fri, 16 Aug 1996 10:48:00 -0400
From: "Hassan Karim" <Hassan.Karim@usda.gov>
Message-Id: <32149BCF.1DBD.09EF.000@MHS>
Subject: Re: Firewall Questions -Reply
To: firewalls-owner@GreatCircle.COM (Receipt Notification Requested),
        firewalls@GreatCircle.COM (Receipt Notification Requested)
X400-Mts-Identifier: [ /P=GOV+USDA/A=ATTMAIL/C=US/ ; 32149BCF.1DBD.09EF.000 ]
X-Mailer: Worldtalk (4.0.1t)/STREAM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Concerning "Good questions to ask..."

1) Ask for some of their testing statistics concerning
throughput, and packet loss.

2) What type of f-wall is it, application proxy, packet filtering,
etc...

3) When logging, what level of details are included in the
logs?

4) How much does it cost?

5) When installing it... do you have to go back and do more
configuring users clients or is it completely transparent to the
users?

6) Does it offer encryption (f-wall to f-wall and f-wall to client)?

7) Does it do authentication?
8) Does it offer access control?
9) is it easy to manage (GUI or not)?
10) How many extra components do you have to buy inorder
for it to provide maximum(*hmp*) protection?

Peace, Hassan
________________________________________
Hassan Karim                       (202)690-0502
Senior Systems Analyst        hkarim@usda.gov
USDA 
--------> 
"The only thing we have to fear is an insecure box"
                                -Klynn "Chief of Paranoia"

From firewalls-owner  Fri Aug 16 08:54:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA03873 for firewalls-outgoing; Fri, 16 Aug 1996 08:35:49 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA03866 for <firewalls@GreatCircle.COM>; Fri, 16 Aug 1996 08:35:41 -0700 (PDT)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id LAA17771; Fri, 16 Aug 1996 11:35:36 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id LAA03791; Fri, 16 Aug 1996 11:35:33 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Fri, 16 Aug 1996 11:35:33 -0400 (EDT)
From: "Paul D. Robertson" <proberts@clark.net>
To: potlicker@morebbs.com
cc: firewalls@GreatCircle.COM
Subject: Re: What threats?
In-Reply-To: <9608160842.0C8GI00@morebbs.com>
Message-ID: <Pine.GSO.3.95.960816112509.27322F-100000@clark.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 16 Aug 1996 potlicker@morebbs.com wrote:

> Our question is - what specific threats are WankersPLC exposing themselves
> to   

Assuming the blocking is limited to port 80, then if the server is doing
lookups for the log files, DNS based attacks for buffer overruns are
possible. Overruns by client info are alos possible, though most servers
have been coded to not have these vulnerabilities.

That leaves CGI, if the code isn't written well, it could have holes.

I much prefer to have web servers on the outside of the wall, with the
outside screening router blocking access to all ports that aren't
necessary for external access. 

> 
> Recently we saw BigCo web server get knocked down twice in one hour
> with SYN attacks so we would like to get an idea of what is likely to
> hit WankersPLC

SYN floods are boring.  It doesn't do anything but block the listening
socket.  I'm sure the lamers will have fun with it, but as an attack, it's
only good for a temporary Denial-of-Service.  Most of us have already,
or are trying to get the server listening queues increased, and the
timeouts decreased enough to make this negligable anyway.  This is a
*good* argument for having the source code to the Web Server (eg. Apache),
as you don't have to wait for the vendor to decide that the parm to the
listen call should be in a config file somewhere.

I'd *like* to see more service providers, and indeed companies block
outbound packets that don't come from their leagal addresses, that would
help the whole spoofing scenerio die a fairly quick death, as would the
NSPs allowing packets based on source addresses.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


From firewalls-owner  Fri Aug 16 09:03:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02892 for firewalls-outgoing; Fri, 16 Aug 1996 08:23:11 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id IAA02874 for <firewalls@greatcircle.com>; Fri, 16 Aug 1996 08:22:58 -0700 (PDT)
Message-Id: <199608161522.IAA02874@miles.greatcircle.com>
Received: by hp01.vak12ed.edu
	(1.37.109.18/16.2) id AA268818854; Fri, 16 Aug 1996 11:20:54 -0400
From: "W.C. Epperson" <epperson@vak12ed.edu>
Subject: RE: No More Unlimited User Licenses Please...
To: firewalls@greatcircle.com
Date: Fri, 16 Aug 1996 11:20:54 EDT
In-Reply-To: <c=US%a=_%p=Toronto%l=MAIL-960816134611Z-23@mail.RC.Toronto.on.ca>; from "Russ" at Aug 16, 96 9:46 am
X-Mailer: Elm [revision: 109.18]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ could have said:
>always wants security from inbound attacks. If th