From firewalls-owner Sun Sep 1 00:34:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA16348 for firewalls-outgoing; Sun, 1 Sep 1996 00:27:34 -0700 (PDT)
Received: from whfirewall.nwtel.ca (whfirewall.nwtel.ca [199.85.228.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id AAA16323 for ; Sun, 1 Sep 1996 00:27:24 -0700 (PDT)
Received: from whfirewall.nwtel.ca (daemon@localhost) by whfirewall.nwtel.ca (8.6.12/8.6.12) with ESMTP id AAA27602 for ; Sun, 1 Sep 1996 00:00:44 -0700
Received: from nwtel.ca (omega.nwtel.ca [198.135.216.209]) by whfirewall.nwtel.ca (8.6.12/8.6.12) with SMTP id AAA27598 for ; Sun, 1 Sep 1996 00:00:43 -0700
Received: from WHTHYT-Message_Server by nwtel.ca with Novell_GroupWise; Sun, 01 Sep 1996 00:30:13 -0700
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Sun, 01 Sep 1996 00:18:16 -0700
From: Rod Carty
To: firewalls@GreatCircle.COM
Subject: Firewall-1,Sun,CISCO,Class"B"address -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When I set up the default gateway routing through our firewall, I used the following commands on the Cisco router that is between our firewall and our Intranet:

    ip default-network 199.85.231.0

This identifies the default network, or route, which is the one between the router and the firewall. This should work fine regardless of whether you are using a Class B or a Class C network number. If you type the command 'show ip route' on any other Cisco router in your Intranet after your routing protocol has had time to update, you should see a similar entry to the following:

    Gateway of last resort is 198.135.216.223 to network 199.85.231.0

I have another Cisco router on the Internet side of the firewall as well, with another default-network command in it facing toward our ISP's network. Note that these default network commands always face outward, into the Internet.

The firewall is set up the same as well, with the default-route facing outward, not inward. The reason for this is that inward, or toward the Intranet, all the network numbers are known - it is only outward, or toward the Internet, where network numbers and their route is not explicitly known. The firewall and the routers have to be configured so they know about all network numbers on your Intranet. Then, any ip address on a network they don't explicitly know about they will assume is on the Internet and use the default route.

I used static route entries on the firewall for all network numbers in our Intranet, and IGRP on all our Intranet Cisco routers. No need this way to run RIP between the firewall and the Cisco router, configure the router to redistribute RIP, etc. The single Cisco router between our firewall and our ISP required no routing protocol, since the firewall we purchased gives us address isolation. (The only ip address visible from the Internet side of our firewall is the ip address of the external interface of the firewall.) The Internet-side router knows about the ip network between the firewall and itself from the ip address configured on the interface, so needs no additional routing declarations there, and an address on any other ip network has to be on the Internet, so the default-network routing command applies.

If your firewall doesn't give you address isolation, I recommend you use static routing entries on your Internet-side router for all your Intranet-side ip network numbers. This will be much more secure than configuring your firewall to allow IGRP or some other routing protocol to pass to and from your Internet-side router. (I expect your firewall does provide address isolation, since I see you've listed the first of the 16 Class B Reserved Network numbers in your example, but I decided to give complete information here for Posterity.....)

One other consideration, in case you only have one ip network number on your Intranet, is a default gateway configuration on each PC, etc. If you only have been using one network number until now you wouldn't have needed it before. The default gateway ip address to use would be the address of your Cisco router that connects them to the firewall. As in all cases, the default gateway ip address must be, a) on the same ip network as the host requiring it, and b) a router that is part of the routing protocol you are using, so it knows how to route to all other networks.

And finally, for security purposes, I recommend you disallow telnet sessions to the Internet-side router as I did on ours. This means you have to physically connect a terminal or similar device to a TTY port on the Cisco router to work on it yourself, but it makes it so no one from the Internet can putz around on your router either. It's not really that big of a deal if you permanently attach an async line off a terminal server port to, say the console port of the Cisco router. If you do connect it permanently, just make sure you block incoming telnet connections on the async line too so you don't have a backdoor around your firewall.

Hope this fixes it for you.

Rod C

>>> John H. Kerr 08/31/96 02:27pm >>>
I was wondering if anyone has a solution to this problem. I have a Sun Sparc5 running SunOS 4.1.3, with this I have Firewall-1 2.0 running on top of it. I also have a CISCO 4000 setup as an Internal router. The problem that I'm having is that I'm unable to receive information back to my machines sitting behind the Internal router. The exact trouble seems to be the firewall does not know how to route back into my "Internal" networks.

The setup is like this:

    Internet ------ ISP Router ----- FW ----- CISCO 4000 ------ Internal Nets
                              172.16.1.0     172.16.2.0          172.16.*

I initially set the routing table on the FW to be

    DEST        Nexthop
    172.16.1    172.16.1.1 (local)
    172.16.2    172.16.2.1 (local)
    default     ISP router
    172.16.0.0  CISCO 4000

This didn't work. I turned routed on within the Firewall, but when I did, the default route (0.0.0.0) from the CISCO added a *new* default route to the Firewall.

    default     Cisco

and it took precedence over the one I installed. Since the FW and the CISCO ping-ponged packets all day, nothing communicated. The default route of the CISCO router is overriding the default route that I have set on the FW. I have set the Metric Flag on the router to be higher than the FW in hopes that the FW would take precedence, but this did not work. Is there a way to set something up on the SUN to force its default route to be used or is there a way to stop the CISCO's default route from taking over. I also tried not setting the 'route of last resort' on the CISCO hoping that the RIP update from the FW would fill in the default route. It didn't. Shouldn't this work? Is there a way on the CISCO to set a default route and not have it sent out in a routing update?

BTW, what is the proper way to set the default route on a CISCO? I've been using:

    ip route 0.0.0.0 172.16.2.1

Has anyone else with a class "B" address run into this problem before? I know this can be solved if I obtained a class C, subnet it, and use it on either side of the FW. That way there would be an unambiguous route to 172.16 from the FW's point of view. However that's not an option right now. Any help is appreciated.
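As an added illustration (not configuration from Rod or John, and not a Cisco or Firewall-1 feature), the Python script below models the two layouts in this exchange as routing tables and forwards a packet hop by hop. It shows the loop John describes when the firewall picks up the Cisco's RIP default, and that Rod's arrangement (static routes for the internal nets, every default route facing outward) delivers in both directions. The 172.16.0.0/16 prefix and the Cisco's "ip route 0.0.0.0 172.16.2.1" are John's; the Internet-side address 198.51.100.7 and the device names are assumptions.

```python
# Added example (not from either poster): a hop-by-hop forwarding simulation
# of the two routing layouts discussed in the thread. Internal prefix
# 172.16.0.0/16 is from John's mail; the Internet-side address and the device
# names "fw", "cisco", "isp" are assumptions for the illustration.
from ipaddress import ip_address, ip_network

# A routing table is a list of (prefix, next_hop). The next hop "deliver" means
# the destination is directly attached to that device (or, for the ISP router,
# reachable on the Internet side).
BROKEN = {
    # John's firewall after routed installed the RIP default learned from the Cisco
    "fw": [
        ("172.16.1.0/24", "deliver"),  # net between ISP router and FW (local)
        ("172.16.2.0/24", "deliver"),  # net between FW and Cisco 4000 (local)
        ("172.16.0.0/16", "cisco"),    # static: all other internal nets via the Cisco
        ("0.0.0.0/0", "cisco"),        # RIP-learned default pointing back inward
    ],
    "cisco": [
        ("172.16.0.0/16", "deliver"),  # the internal nets hang off this router
        ("0.0.0.0/0", "fw"),           # ip route 0.0.0.0 172.16.2.1
    ],
    "isp": [("0.0.0.0/0", "deliver")],
}

FIXED = {
    # Rod's layout: every default route faces outward, internal nets are static
    "fw": [
        ("172.16.1.0/24", "deliver"),
        ("172.16.2.0/24", "deliver"),
        ("172.16.0.0/16", "cisco"),
        ("0.0.0.0/0", "isp"),          # default route faces the Internet
    ],
    "cisco": [
        ("172.16.0.0/16", "deliver"),
        ("0.0.0.0/0", "fw"),           # ip default-network toward the firewall
    ],
    "isp": [("0.0.0.0/0", "deliver")],
}


def lookup(table, dst):
    """Longest-prefix match; the default route only wins when nothing else matches."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(routers, start, dst, max_hops=8):
    """Forward a packet from `start` toward `dst` and return (path, outcome).
    Outcome is "delivered", "loop" (a device is visited twice), "no route" or
    "ttl exceeded"."""
    path = [start]
    node = start
    for _ in range(max_hops):
        nh = lookup(routers[node], dst)
        if nh is None:
            return path, "no route"
        if nh == "deliver":
            return path, "delivered"
        if nh in path:
            return path + [nh], "loop"
        path.append(nh)
        node = nh
    return path, "ttl exceeded"


if __name__ == "__main__":
    for name, tables in (("broken", BROKEN), ("fixed", FIXED)):
        # an internal host sends to a (constructed) Internet address
        print(name, "outbound:", trace(tables, "cisco", "198.51.100.7"))
        # a reply from the Internet comes back in through the firewall
        print(name, "inbound :", trace(tables, "fw", "172.16.3.5"))
```

Inbound traffic works in both tables because the /16 static route is more specific than any default; it is only the outbound path, which has nothing but default routes to choose from, that turns into the ping-pong John saw.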
From firewalls-owner Sun Sep 1 02:04:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA22149 for firewalls-outgoing; Sun, 1 Sep 1996 01:47:51 -0700 (PDT)
Received: from po.dbs.com.sg (po.dbs.com.sg [203.120.44.8]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id BAA22133 for ; Sun, 1 Sep 1996 01:47:42 -0700 (PDT)
Received: from dbs.com.sg by po.dbs.com.sg (SMI-8.6/SMI-SVR4) id QAA13691; Sun, 1 Sep 1996 16:46:35 +0800
Received: from T1#u#DM1-Message_Server by dbs.com.sg with Novell_GroupWise; Sun, 01 Sep 1996 16:45:28 +0800
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Sun, 01 Sep 1996 16:37:56 +0800
From: Chin Cheng Baey
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #488 -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm away for reservist. Will return on 10 Sep 96. You may wish to resend your mail to the following:

    NAME      USERID    TEL        SUBJECT
    ======    =======   ========   ========
    Say Wee   DSSDNSW   228-1630   CONSOLIDATED SERVER & VIRUSES
    Adeline   DSSDAFG   321-5186   VIRUS HOT-LINE
    Andrew    DSSDAWG   321-5351   ANY OTHER MATTERS

From firewalls-owner Sun Sep 1 05:19:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA00319 for firewalls-outgoing; Sun, 1 Sep 1996 05:05:59 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id FAA00300 for ; Sun, 1 Sep 1996 05:05:51 -0700 (PDT)
Received: from pm2-10.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA20349; Sun, 1 Sep 96 07:06:04 -0400
Date: Sun, 1 Sep 96 07:06:04 -0400
Message-Id: <9609011106.AA20349@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 2 (High)
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: S/key & secureid
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:52 PM 8/31/96 -0400, "Gary G. Hull" allegedly wrote:

>On Thu, 29 Aug 1996 potlicker@morebbs.com wrote:
>
>> Anyone else had trouble or success getting Secure ID to run on a
>> TIS Gauntlet?
>> PoT_LiCkEr

8< [snip]

>We had great success getting securid running on our TIS. All we had to do
> was register the TIS box with the master server, move a copy
> of the sdconf.rec file to the /var/ace directory on the TIS and
> remove the existing securid file. A new securid file is created
> by the system at the time the first authentication login is
> accomplished.
> Hope this helps. Good luck....
>
> |/
> ---o0o-@@-o0o---------
>
> Gary G. Hull - Technical Consultant
> email: gary_hull@glaxowellcome.com

Hopefully, the SecurID connection is being used to authenticate internal users before they go to the Internet and not for incoming connections. Using SecurID (or Digital Pathways, S/Key, etc) is *lethal* if you are planning on using it to authenticate users from the Internet who wish to access a system on your internal network which is protected by the firewall. The reason is that the user may have his/her session hijacked by an attacker. Please note that this is *NOT* a security problem with Gauntlet or any other firewall. The problem is relying on authentication-only mechanisms for protection. Implementing User->Firewall encryption will help to solve this problem.

Again, I strongly advise against using SecurID (or any other authentication-only solution) for incoming Internet connections to an internal system.

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800  FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sun Sep 1 11:08:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA12194 for firewalls-outgoing; Sun, 1 Sep 1996 10:59:22 -0700 (PDT)
Received: from io.org (io.org [198.133.36.1]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id KAA12172 for ; Sun, 1 Sep 1996 10:59:14 -0700 (PDT)
Received: from Taurus (eagle.net4.io.org [199.166.239.227]) by io.org (8.6.12/8.6.12) with SMTP id NAA00156 for ; Sun, 1 Sep 1996 13:58:59 -0400
Date: Sun, 1 Sep 1996 13:58:59 -0400
Message-Id: <199609011758.NAA00156@io.org>
X-Sender: jeffm@io.org
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.COM
From: "Jefferson M. Mousseau"
Subject: FW-1 2.0 & FTP Problem
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've got a small problem & was wondering if anyone out there knew the answer to it? We swapped out an NT web server with a Sun box running Solaris. We'd given internal FTP access to the server and everything worked fine under NT but now under Solaris although the FTP session is being allowed the ack back (i.e. on port 38863) is being denied. I checked the source port range specified but it is blank. Does anyone know why FW-1 2.0 is denying this? Will the upgrade to 2.1 help?
Regards
Jeff

From firewalls-owner Sun Sep 1 17:59:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA05012 for firewalls-outgoing; Sun, 1 Sep 1996 17:07:24 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA04952 for firewalls@greatcircle.com; Sun, 1 Sep 1996 17:07:10 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with SMTP id IAA20359 for ; Fri, 30 Aug 1996 08:25:06 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BB9665.52156DE0@mail.rc.toronto.on.ca>; Fri, 30 Aug 1996 11:20:59 -0400
Message-ID:
From: Russ
To: "'Firewalls'" , "'MS DCOM List'" , "'Mark Ryland'"
Subject: RE: Blocking non-http (executable) content
Date: Fri, 30 Aug 1996 11:20:52 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>This feature has been requested by many customers. The inability of
>DCOM to be used through HTTP-passing firewalls is considered by some to
>significantly reduce its utility as an Internet technology, since they
>want to use DCOM to talk directly between the COM objects making up the
>ActiveX web browser and the objects extending the ActiveX web server.
>Only admins can configure an NT server to use a new DCOM transport, so
>use of HTTP as a DCOM transport can be controlled by security-conscious
>users.

Exchange Server uses RPC, but allows for the Information Store and Directory Service to be statically assigned port numbers that the portmapper returns to a requesting client, why? So those ports can have explicitly defined ACLs on port-based Firewalls. This is how the industry has been doing it for years, and it works very well thank you very much. Through MSX's mechanisms, full NT authentication is possible and the client functions normally.

So don't go telling me it's what the customers want or need, that's just marketing fluff. You wanna run something over HTTP it's typically because customers are not going to be able to get their Firewall admins to open new and unknown ports for your innovation, so you stuff it down HTTP where Firewall admins typically have already given them access, hence your statement about "punching holes through Firewalls", why else would you have said that? Both the ActiveX web browser objects and the Denali objects can talk on any port they want, so it's not the technology that's saying it has to be over HTTP.

As for security-conscious users being able to control the use of HTTP as a DCOM transport, if that were true, then Firewalls would be virtually unnecessary because we'd all be nice and never do anything we weren't told we could do. We'd also never install something on our machines that we hadn't completely tested and understood ourselves. Do you think that every NT admin in a large organization is going to fully understand the security implications of every aspect of every product they install on their NT Servers? The question isn't whether or not they are supposed to do it or not, it's whether a Firewall administrator has some method to prevent it in the event that it does happen.

>
>This is a chimera -- there is no way you can hope to restrict the use of
>HTTP by these schemes such that malicious people can't use it
>maliciously. ASCII text is just source code for script engine, right?

Yes, which is why people scrutinize products to determine if they are well written or not. If I can send a script through to a browser and get it to do something, say, like opening a Word document *without* alerting a user that it's potentially dangerous, alarm bells start ringing throughout the industry, or hadn't you noticed? And what are you suggesting here, that there is no way to secure a site from malicious people, and therefore we shouldn't try? Are you in the insurance business?

>
>It is impossible in principle to write filters that can recognize all
>"bad code/data" coming through on a given port. If code can be placed on
>the inside of the firewall (or a bad person can get access to the
>network to turn sent data into code, either directly or with some kind
>of VM/interpreter), then any data coming through can be malicious,
>period.

Which is why most Firewall'd sites don't allow inbound FTP or connection-less protocols like UDP. Your statement is correct, but it's also precisely why Firewalls are built, to prevent such actions, and as I said earlier, is why people look closely at each new feature for the browsers to determine if an exploit exists. I've said before that ActiveX does not provide any security for the user that can be relied on, but I also said that something would have to be done to allow people to control its use.

>I don't understand what this comment means. DCOM does not pass
>"instructions" in the sense that you seem to mean over the wire, it
>passes a packet with a method number and (typically) an opaque blob of
>marshaled data that can't do anything unless there is, on the other side of
>the connection, a complex set of machinery (the DCOM runtime) as well as
>an instantiated object and stub corresponding to the requested method
>(and capable of unmarshaling the data, if any). It's just an
>object-enhanced RPC system, no different from a security perspective
>than ONC or DCE RPC. Unlike "mobile code" technology, there is no way
>in the base DCOM system to pass arbitrary instructions over the network
>that will blindly be executed by the runtime on the remote system.
>There must be corresponding code on the remote system that is ready and
>willing to perform the requested operations.

The comment did not mean what you think it did. The instructions I was referring to were instructions to objects within the DCOM runtime, and if my marketing information is correct, DCOM is going to become a cornerstone of future versions of NT. How does a site administrator, responsible for security, control LAN administrators throughout the organization who each have administrative access to their machines? Are you buying MissionCritical software to give us a finer granularity of administrative control over NT's user model? If not, then every organization typically allows their NT admins to do pretty much what they want, and then use audits and Firewall logs to determine if people are complying or not. If DCOM is running over HTTP, what information am I getting as a site administrator to tell me what my LAN admins are doing? The real world says that by far the majority of Firewall administrators have no access to NT Event logs, nor would they know what to do with them if they did. If each product that used DCOM over IP, at least from Microsoft, were to use its own port as Exchange does, what would be the problem with this?

>HTTP itself is essentially an RPC system. It encodes requests and
>replies, allows arbitrary commands and data to be sent both ways, etc.
>(It just doesn't do automatic data marshaling.) If you have malicious
>or buggy code on either or both sides of a "standard" (whatever that is)
>HTTP connection, then a malicious person may be able to do nasty things.
> Running DCOM over HTTP adds absolutely zero new security risks -- an
>RPC system running over an RPC system is not less secure than just an
>RPC system alone.

I didn't say it added a *new* security risk, I said it shouldn't be done and Microsoft should not promote it. Running RPC over HTTP is just as bad, and today, no NT product uses RPC over HTTP, so why should DCOM allow it? HTTP is not a transport protocol, IP is, and your statement proves that you see HTTP as a transport protocol. HTTP doesn't have any mechanisms to deal with differentiating traffic types as IP does.

>Fundamental fact is that port-based firewalls are of limited utility for
>creating a truly secure environment. The main reason is that it is
>impossible in principle to prevent people from using assigned ports for
>a completely different purpose. Let's suppose you decide to let only
>HTTP traffic through and, further, suppose you somehow mesmerize the
>vendors into not using HTTP for anything "illegitimate" other than
>"true" HTTP (whatever that means -- the whole point of these protocols is
>extensibility). So what -- a malicious person on the inside of the
>firewall will simply open the HTTP port with an entirely different
>program, and send/receive all the nasty things in the world to their
>accomplices outside. Worse yet, the nasty person sends their innocent
>friend within the organization a nice little "chess program" on a floppy
>that does everything the nasty person needs surreptitiously.

Fundamental fact is that port-based Firewalls are typically only one part of a Firewall solution, but their value should be ignored as you suggest. Your scenarios are all true, I could use HTTP for anything, that's not my fear. If a port-based firewall directs HTTP traffic to a proxy server, then it's the proxy server's job to determine what the traffic is doing and send or reject appropriately. The more stuff we cram down HTTP and call acceptable, the harder it will be to filter out the unacceptable stuff. I realize that you say this is impossible and so we shouldn't try, but far too many CEO's disagree with you for us to ignore. So, as a customer, I say that vendors should pay heed to the needs of Firewall administrators and make an effort to assist, not destroy, the tools we have. You obviously disagree and so I ask, what do you think we should do?

>
>(True, if you have a secure environment where only secure operating
>systems are allowed to connect to the network, and you configure those
>operating systems to allow only admins to install executable code, and
>you don't allow your users to be admins of their machines, and you test
>all the executable code you install carefully to make sure it doesn't
>have any backdoors, then you have a fighting chance. But how many
>organizations don't allow DOS/Windows/Mac on their networks? And how
>many don't allow NT and UNIX users to admin their own machines?)

Again, you're restating your point that hackers will always get in no matter what Firewall admins do.

>
>Port-based firewalls prevent some bad behavior by UNSOPHISTICATED users
>and hackers. Like car door locks, they're very worthwhile for that
>reason. But a pro can get through your port firewall as fast as a
>pro can get into your car with a slim-jim.

They typically act as the front line in a Firewall solution, so are you saying that they should be tossed? If you have a car alarm then don't lock your doors, it will only cause more damage if they're locked? Look, your limiting your remark to port-based Firewalls does not solve the issue that proxy servers have with trying to sort out and allow ACLs to be placed on the different data traversing HTTP. I'd be saying the same thing if you build an NT Administration tool that used RPC over HTTP, so it's not a DCOM thing here.
Cheers,
Russ

From firewalls-owner Sun Sep 1 18:54:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA14414 for firewalls-outgoing; Sun, 1 Sep 1996 18:40:08 -0700 (PDT)
Received: from mars.planet.net.au (mars.planet.net.au [203.15.90.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA14407 for ; Sun, 1 Sep 1996 18:40:00 -0700 (PDT)
Received: (from neale@localhost) by mars.planet.net.au (8.6.12/8.6.12) id LAA28439; Mon, 2 Sep 1996 11:40:26 +1000
Date: Mon, 2 Sep 1996 11:40:26 +1000 (EST)
From: Neale Banks
To: firewalls list
Subject: Ascend numbered interfaces
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Recently, Ascend introduced support for "numbered" interfaces. From the release notes:

--snip------------------------------------
The Pipeline will accept IP packets whose destination is a numbered interface listed in a Connection profile, considering them to be destined for the Pipeline itself. (The packet may actually arrive over any interface, and the numbered interface corresponding to the packet's destination address need not be in the active state.)
--snip------------------------------------

Interesting that it will accept packets over *any* interface, destined for that _or_any_other_ interface. Any thoughts regarding if this is a security risk?

Ob firewalls: using static filtering or Ascend's firewalling (ie Morningstar dynamic filtering) this should be controllable. Any remaining security risks?

-----------------------------------------------------------------
Neale Banks                                  Ph: +61 3 9205 0333
Senior Consultant                            Fx: +61 3 9819 0533
Integration Design P/L                       neale@idesign.com.au
Planet Internet                              neale@planet.net.au
** Internet Consulting Services ** Video Conferencing Systems **
** Network Management * Cable Management ** Help Desk Software **
** Communications Consulting ** Electronic Paging & Faxing S/W **
-----------------------------------------------------------------

From firewalls-owner Sun Sep 1 22:55:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA25822 for firewalls-outgoing; Sun, 1 Sep 1996 22:49:36 -0700 (PDT)
Received: from firewall.ddeorg.soft.net (firewall.ddeorg.soft.net [164.164.74.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA25815 for ; Sun, 1 Sep 1996 22:49:22 -0700 (PDT)
Received: by firewall.ddeorg.soft.net (5.61/9.3) id AA08254; Mon, 2 Sep 96 11:19:37 +0530
Received: from orion.ddeorg.soft.net by ddeorg.soft.net (5.61/9.3) with SMTP id AA22536; Mon, 2 Sep 96 11:19:36 +0530
Received: from localhost by orion.ddeorg.soft.net (8.7.5/9.7) with SMTP id LAA08392; Mon, 2 Sep 1996 11:17:56 +0530 (IST)
Message-Id: <199609020547.LAA08392@orion.ddeorg.soft.net>
X-Mailer: exmh version 1.6.6 3/24/96
To: Firewalls@greatcircle.com
Subject: Apology
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 02 Sep 1996 11:17:56 +0530
From: Rajaram
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm sorry for the test mails sent to all. It was a mishap made by my novice friend who tested his mail delivery presorting (using my mail-id). No sooner did I detect it than he tested. I assure you all this will not happen again.
-Rajaram

From firewalls-owner Mon Sep 2 02:09:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07461 for firewalls-outgoing; Mon, 2 Sep 1996 01:55:00 -0700 (PDT)
Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA07437 for ; Mon, 2 Sep 1996 01:54:51 -0700 (PDT)
Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (8.7.5/8.6.9) with ESMTP id KAA11944; Mon, 2 Sep 1996 10:54:16 +0200 (MET DST)
Received: from mercier.gctech.edelweb.fr (mercier.gctech.edelweb.fr [193.51.14.7]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id KAA20645; Mon, 2 Sep 1996 10:54:15 +0200
Received: from localhost (ben@localhost) by mercier.gctech.edelweb.fr (8.6.10/8.6.6) with SMTP id KAA10432; Mon, 2 Sep 1996 10:54:14 +0200
Date: Mon, 2 Sep 1996 10:54:14 +0200 (MET DST)
From: Ben
X-Sender: ben@mercier.gctech.edelweb.fr
To: Avraham Hayam
cc: firewalls@greatcircle.com
Subject: Re: Re [2] Re: Data/Network/Computer Security personnel
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bullshit. This isn't 'elementary discussion' with 'respect [for] others ideas', this is pure and simple advertising. Don't attempt to draw attention away from the point of your post which was to advertise by switching the onus or using smoke and mirrors.

Ben.

____
Ben Samman.................................................ben@edelweb.fr
Paris, France                          Illudium Q36 Explosive Space Modulator

On Sat, 31 Aug 1996, Avraham Hayam wrote:

> To Michel Mac Runnel,
>
> If you call my mail junk mail, you should be removed immediately from the
> list and from every list. People who don't respect others ideas, and don't
> have elementary discussion culture, should not take part in newsgroups.
>
> Avraham Hayam
>
>
> On Fri, 30 Aug 1996, Michael Mac Runnel wrote:
>
> > *** ORIGINATED BY ON 11:34PM 08/30/1996 ***
> > Greetings,
> >
> > To design, build and maintain trusted computer systems and trusted
> > networks, i.e. a full "Security Envelope" around and in your Data bases,
> > Networks and Computers you need a qualified IT systems security manager
> > - ITSM who reports directly to the company general manager. The ITSM will
> > need a qualified staff in the various computers, networks, applications
> > etc. that are in use in the company.
> >
> > Avraham hayam
> > ITSSC - Information technology Systems Security Consultants
> > P.O.Box 11233 Jerusalem, 91112 ISRAEL.
> > Phone: + 972 - 2 - 6761803; Fax: + 972 - 2 - 6769263
> > E-Mail: hayam@actcom.co.il
> >
> > *** ANNOTATED BY MIKEM ON 07:47PM 08/30/1996 ***
> > I do not want any more junk mail and I definitely will not need your
> > services.
> >
> > List operator... remove my name from the list!
> >
>

Ben.

____
Ben Samman.................................................ben@edelweb.fr
Paris, France                          Illudium Q36 Explosive Space Modulator

From firewalls-owner Mon Sep 2 07:59:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19601 for firewalls-outgoing; Mon, 2 Sep 1996 07:50:45 -0700 (PDT)
Received: from tounes.ati.tn ([193.94.51.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA19591 for ; Mon, 2 Sep 1996 07:50:34 -0700 (PDT)
Received: from carthage.ati.tn (carthage.ati.tn [193.94.51.20]) by tounes.ati.tn (8.6.9/8.6.9) with SMTP id PAA07030 for ; Mon, 2 Sep 1996 15:48:54 GMT
Received: by carthage.ati.tn with Microsoft Exchange (IMC 4.12.736) id <01BB98E6.21CC2E70@carthage.ati.tn>; Mon, 2 Sep 1996 15:48:05 -0000
Message-ID:
From: MONDHER GAM
To: GreatCircle
Subject: The use of TIS plug-gw ?
Date: Mon, 2 Sep 1996 15:58:00 -0000
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Mondher GAM
      Systems & Security Engineer
      NETCOM-Ltd
      Tunis-TUNISIA
      e-mail: mondher.gam@netcom.com.tn
To: Firewalls@GreatCircle.COM

I want to know the use of the generic proxy TIS plug-gw in a firewalled system, and how can we configure it (hard & soft configuration) to secure the internal network?

Thanks in advance.

Regards
Mondher GAM
Systems & Security Engineer
NETCOM-Ltd

From firewalls-owner Mon Sep 2 08:54:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23094 for firewalls-outgoing; Mon, 2 Sep 1996 08:49:14 -0700 (PDT)
Received: from dfw-ix8.ix.netcom.com (dfw-ix8.ix.netcom.com [206.214.98.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA23074 for ; Mon, 2 Sep 1996 08:49:07 -0700 (PDT)
Received: from sherwinl.pop3.ix.netcom.com (atl-ga11-08.ix.netcom.com [199.183.210.168]) by dfw-ix8.ix.netcom.com (8.6.13/8.6.12) with SMTP id IAA25133 for ; Mon, 2 Sep 1996 08:48:39 -0700
Message-ID: <322B2EE3.10D8@.ix.netcom.com>
Date: Mon, 02 Sep 1996 12:00:51 -0700
From: Sherwin Loudermilk
X-Mailer: Mozilla 2.01 (Win95; U)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Please stop
References: <199608272136.OAA28003@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can you please stop sending me e-mail messages.
Thanks From firewalls-owner Mon Sep 2 09:39:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA26612 for firewalls-outgoing; Mon, 2 Sep 1996 09:26:42 -0700 (PDT) Received: from infoweb.magi.com (infoweb.magi.com [204.191.213.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA26603 for ; Mon, 2 Sep 1996 09:26:36 -0700 (PDT) Received: from nmorrow.istar.ca (ts10-06.ott.iSTAR.ca [204.191.145.206]) by infoweb.magi.com (8.7.3/8.7.3) with SMTP id MAA18325 for ; Mon, 2 Sep 1996 12:26:16 -0400 (EDT) Date: Mon, 2 Sep 1996 12:26:16 -0400 (EDT) Message-Id: <199609021626.MAA18325@infoweb.magi.com> X-Sender: nmorrow@magi.com X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: nmorrow@magi.com (Norman Morrow) Subject: Spoofing Messages in the Log files Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am administering two firewalls, and I get a high number of spoofing attempts from the inside of the network, in other words external IP addresses in our internal network. We have done a lot of research into this problem, and we believe most of this traffic is benign; we have not noticed any malicious activity. I feel that a lot of this traffic is due to incorrectly configured workstations or laptops. For instance, I plugged an unconfigured NT workstation into my test environment and I got an entry in my log file of the address "1.2.3.4" trying to go through the firewall. Naturally, the firewall thought this was spoofing. I would appreciate knowing what other people think about internal spoofing: am I right to think most of this is due to mis-configurations, and how many entries would be an "industry standard" for this type of traffic? Thanks, Norman J. 
Morrow From firewalls-owner Mon Sep 2 10:09:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28859 for firewalls-outgoing; Mon, 2 Sep 1996 10:02:51 -0700 (PDT) Received: from mail.medialab.com (goat.medialab.com [204.144.184.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA28838 for ; Mon, 2 Sep 1996 10:02:43 -0700 (PDT) Received: from [206.168.172.12] by mail.medialab.com with SMTP (Apple Internet Mail Server 1.1.1); Mon, 2 Sep 1996 11:04:54 -0600 X-Sender: rjj@mail.medialab.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 2 Sep 1996 11:02:19 -0600 To: Sherwin Loudermilk , Firewalls@GreatCircle.COM From: "Richard Johnson" Subject: Re: Please stop Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 13:00 9/2/96, Sherwin Loudermilk wrote: >Received: from relay5.UU.NET (192.48.96.15) by mail.medialab.com > with SMTP (Apple Internet Mail Server 1.1.1); Mon, 2 Sep 1996 10:32:37 -0600 >Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP > (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) > id QQbflh19478; Mon, 2 Sep 1996 12:15:25 -0400 (EDT) >Received: (majordom@localhost) by miles.greatcircle.com >(8.7.1-lists/Lists-960417-1) id IAA23094 for firewalls-outgoing; Mon, 2 >Sep 1996 08:49:14 -0700 (PDT) >Received: from dfw-ix8.ix.netcom.com (dfw-ix8.ix.netcom.com >[206.214.98.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP >id IAA23074 for ; Mon, 2 Sep 1996 08:49:07 >-0700 (PDT) >Received: from sherwinl.pop3.ix.netcom.com (atl-ga11-08.ix.netcom.com >[199.183.210.168]) by dfw-ix8.ix.netcom.com (8.6.13/8.6.12) with SMTP id >IAA25133 for ; Mon, 2 Sep 1996 08:48:39 -0700 >Message-ID: <322B2EE3.10D8@.ix.netcom.com> >Date: Mon, 02 Sep 1996 12:00:51 -0700 >From: Sherwin Loudermilk >X-Mailer: Mozilla 2.01 (Win95; U) >MIME-Version: 1.0 >To: Firewalls@GreatCircle.COM >Subject: Please stop >References: 
<199608272136.OAA28003@miles.greatcircle.com> >Content-Type: text/plain; charset=us-ascii >Content-Transfer-Encoding: 7bit >Sender: firewalls-owner@GreatCircle.COM >Precedence: bulk > >Can you please stop sending me e-mail messages. > Thanks > Please remove yourself from the mailing list. Follow the instructions you received and saved when you subscribed. Sending your broken unsubscribe attempt to all the subscribers on the list is useless, not to mention rude. We can't unsubscribe you. Richard From firewalls-owner Mon Sep 2 13:39:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA11361 for firewalls-outgoing; Mon, 2 Sep 1996 13:34:08 -0700 (PDT) Received: from idsc.gov.eg (IDSC.GOV.EG [163.121.2.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA11354 for ; Mon, 2 Sep 1996 13:34:00 -0700 (PDT) Received: from iti-idsc.gov.eg by idsc.gov.eg (5.0/SMI-SVR4) id AA26981; Mon, 2 Sep 1996 23:30:55 GMT Received: by iti-idsc.gov.eg (5.x/SMI-SVR4) id AA08343; Mon, 2 Sep 1996 21:43:05 -0200 Date: Mon, 2 Sep 1996 21:43:05 -0200 (GMT) From: Ghada Farouk To: Firewalls@greatcircle.com Subject: Master Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am a computer communication engineer. I have started my master's and I want to choose a topic for research in firewalls. The problem is I can't determine the hot subjects these days; can anyone help me? Thank you all. 
Mohamed Amin From firewalls-owner Mon Sep 2 14:09:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA12582 for firewalls-outgoing; Mon, 2 Sep 1996 13:58:15 -0700 (PDT) Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA12555 for ; Mon, 2 Sep 1996 13:58:06 -0700 (PDT) From: potlicker@morebbs.com Received: by morebbs.com id 0NTA0003 Mon, 02 Sep 96 16:57:03 Message-ID: <9609021657.0NTA000@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Mon, 02 Sep 96 16:57:03 Subject: Re:s/key & securid To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I didn't give a full background in the original post. Eyevynd is setting up Secure ID on a TIS Gauntlet to allow inbound connections that will work with encryption. About a year ago we were fiddling about with a Secure ID server and we had a client set up to connect to the server, had the user enter the number and followed this with user-id and password exchange followed by a crypto session. We were trying to grab the connection as soon as the number and user info was sent to the server but before the crypto started up. Theoretically our connection-hijacking packet sniffer should have been able to grab the connection. In reality we never could. The Secure ID timing parameters were very sensitive and we killed connections instead of grabbing connections. I saw a couple of sites where people were allowed to connect in from the Internet using clear text for a few days when they were travelling. Afterwards their access was blocked again but other people tried logging in as them for weeks afterwards. This led me to conclude there are plenty of folks watching the Internet to see who has inbound access to which network. You would be surprised which networks Bill Clinton tries logging into. Of course I don't think this guy is the real President. 
PoT_LiCkEr From firewalls-owner Mon Sep 2 14:27:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA14648 for firewalls-outgoing; Mon, 2 Sep 1996 14:19:28 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA14637 for ; Mon, 2 Sep 1996 14:19:21 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id RAA22403; Mon, 2 Sep 1996 17:18:58 -0400 Date: Mon, 2 Sep 1996 17:18:52 -0400 (EDT) From: Rabid Wombat To: firewalls@greatcircle.com Subject: [OFF TOPIC][HUMOR] Password Guidelines (**) (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sorry for wasting the time of you anal-retentive types, but I had to pass this on for those with a sense of humor. Flames to /dev/null - r.w. ----------------------------------------------------------------------- Paul Ashton Newsgroups: comp.security.unix Subject: Advice on password security guidelines Hi, my boss has asked me for comments and improvements on his new password security policy. To me, it seems a bit severe. If anyone can offer any additional suggestions please do, here goes... For immediate issue: Password changing guidelines V2.2b Due to new security policies, the following guidelines have been issued to assist in choosing new passwords. Please follow them closely. Passwords must conform to at least 21 of the following attributes. 1. Minimum length 8 characters 2. Not in any dictionary. 3. No word or phrase bearing any connection to the holder. 4. Containing no characters in the ASCII character set. 5. No characters typeable on a Sun type 5 keyboard 6. No subset of one character or more must have appeared on Usenet news, /dev/mem, rand(3), or the King James bible (version 0.1alpha) 7. Must be quantum theoretically secure, i.e. 
must automatically change if observed (to protect against net sniffing). 8. Binary representation must not contain any of the sequences 00 01 10 11, commonly known about in hacker circles. 9. Be provably different from all other passwords on the internet. 10. Not be representable in any human language or written script. 11. Colour passwords must use a minimum 32 bit palette. 12. Changed prior to every use. 13. Resistant to revelation under threat of physical violence. 14. Contain tissue samples of at least 3 vital organs. 15. Incontrovertible by OJ Simpson's lawyers. 16. Undecodable by virtue of application of 0 way hash function. 17. Odourless, silent, invisible, tasteless, weightless, shapeless, lacking form and inert. 18. Contain non-linear random S-boxes (without a backdoor). 19. Self-escrowable to enable authorities to capture kiddie-porn people and baddies but not the goodies ("but we'll only decode it with a court order, honest"). 20. Not decryptable by exhaustive application of possible one time pads. Due to the severity of the restrictions, if the password is entered incorrectly 3 times at login time, you will be asked if you would like to pick a new one. Please add guidelines to the above and adjust the minimum conformation requirement, if applicable. From firewalls-owner Mon Sep 2 14:39:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA14773 for firewalls-outgoing; Mon, 2 Sep 1996 14:20:36 -0700 (PDT) Received: from dsacg1.dsac.dla.mil (dsacg1.dsac.dla.mil [131.78.1.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA14755 for ; Mon, 2 Sep 1996 14:20:24 -0700 (PDT) Received: by dsacg1.dsac.dla.mil (1.38.193.5/1.40 (DSDC Columbus DSDCG1)) id AA28212; Mon, 2 Sep 1996 17:19:57 -0400 From: nto2584@dsacg1.dsac.dla.mil (Steven C. 
Payne) Message-Id: <9609022119.AA28212@dsacg1.dsac.dla.mil> Subject: Re: TN3270 and TN5250 through a firewall using OS/2 Clients To: mikeep03@Interpath.com (Mike Parsons) Date: Mon, 2 Sep 96 17:19:57 EDT Cc: firewalls@greatcircle.com In-Reply-To: <2.2.16.19960830155947.64bf2b5c@mail.interpath.net>; from "Mike Parsons" at Aug 30, 96 11:59 am Mailer: Elm [revision: 70.85.2.1] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > What experiences have folks had with using the WARP Connect TN3270 and > TN5250 clients to go through a proxy host? My experience has not been good. > In both cases the connection attempt has failed with the client providing a > message it was unable to shift into transparent mode. > > Why would a proxy written for Port 23 not be able to accommodate all forms of > telnet? > > Thanks in advance for your help. > > Hi, We just installed a firewall 2 weeks ago at one of our supported sites and we had to ensure that tn3270 would work through the firewall, and it surely does. I had ported a copy of tn3270 to our HP-9000's and I tested the connections with this 3270; everything I was able to try worked. There should be no reason anyone else's tn3270 client wouldn't work. 
take care stevp From firewalls-owner Mon Sep 2 16:58:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA27316 for firewalls-outgoing; Mon, 2 Sep 1996 16:48:44 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA27309 for ; Mon, 2 Sep 1996 16:48:37 -0700 (PDT) Received: by hidata.com; id AA22861; Mon, 2 Sep 96 16:48:20 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma022856; Mon, 2 Sep 96 16:48:04 -0700 Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id QAA21374; Mon, 2 Sep 1996 16:48:03 -0700 Message-Id: <2.2.32.19960902234636.006d5178@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 02 Sep 1996 16:46:36 -0700 To: Russ , "'Firewalls'" From: Bill Stout Subject: RE: Blocking non-http (executable) content Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Technical Evangelist in Microsoft's DRG group, commented that >(paraphrased) HTTP be used as a transport for DCOM so people can (if >they want to) take advantage of punching through port-based firewalls. >This represents, IMO, a call to all Firewall vendors to do one thing, >build a unified HTTP filter. Having sat through Steve Ballmer's (Co-founder/VP Microsoft) keynote address at the NT Solutions conference, and reading this thread, something just dawned on me. Microsoft is using Catapult to gain experience with proxies, for a widely distributed html/other browser desktop for Windows. Ballmer demonstrated a preliminary desktop for NT 5.0, which had a centrally administrable browser-like desktop. He mentioned that HTML was far too limiting for desktop/forms use, and (I wish I paid more attention here) OLE? was to be the preliminary browsing (exploring) desktop language of choice. Hmm. 
An OLE Proxy via Catapult only. Next all other firewall vendors will have to play catch-up with Microsoft. P.S.- Clinton wants to allow private data/voice snooping by 'law enforcement' without requiring court order if re-elected. And to create 'tracking databases', initial purpose: to track the horrid criminal-type-of-the-month. And stronger Gun control, to pull the teeth out of us pheasants. And Dole wants to limit freedom of speech on the internet? It's 'Vote Libertarian' time. Bill Stout _______________________________________________________________________________ Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;) Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself ___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________ From firewalls-owner Mon Sep 2 19:09:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA04131 for firewalls-outgoing; Mon, 2 Sep 1996 18:57:52 -0700 (PDT) Received: from istar.ca (istar.ca [204.191.136.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA04123 for ; Mon, 2 Sep 1996 18:57:46 -0700 (PDT) Received: from ts32-13.tor.iSTAR.ca (ts32-13.tor.iSTAR.ca [204.191.140.53]) by istar.ca (8.7.3/8.7) with SMTP id WAA21134 for ; Mon, 2 Sep 1996 22:06:53 -0400 (EDT) Received: by ts32-13.tor.iSTAR.ca with Microsoft Mail id <01BB9919.B26339A0@ts32-13.tor.iSTAR.ca>; Mon, 2 Sep 1996 21:57:12 -0400 Message-ID: <01BB9919.B26339A0@ts32-13.tor.iSTAR.ca> From: Gene Lee To: "'Firewalls@GreatCircle.COM'" Subject: RE: Please stop Date: Mon, 2 Sep 1996 21:57:11 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Monday, September 02, 1996 1:02 PM, Richard Johnson[SMTP:rjj@medialab.com] wrote: >At 13:00 9/2/96, Sherwin Loudermilk wrote: >>Received: from relay5.UU.NET (192.48.96.15) by mail.medialab.com >> with SMTP (Apple Internet Mail Server 1.1.1); Mon, 2 Sep 1996 10:32:37 -0600 >>Received: from miles.greatcircle.com by 
relay5.UU.NET with ESMTP >> (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) >> id QQbflh19478; Mon, 2 Sep 1996 12:15:25 -0400 (EDT) >>Received: (majordom@localhost) by miles.greatcircle.com >>(8.7.1-lists/Lists-960417-1) id IAA23094 for firewalls-outgoing; Mon, 2 >>Sep 1996 08:49:14 -0700 (PDT) >>Received: from dfw-ix8.ix.netcom.com (dfw-ix8.ix.netcom.com >>[206.214.98.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP >>id IAA23074 for ; Mon, 2 Sep 1996 08:49:07 >>-0700 (PDT) >>Received: from sherwinl.pop3.ix.netcom.com (atl-ga11-08.ix.netcom.com >>[199.183.210.168]) by dfw-ix8.ix.netcom.com (8.6.13/8.6.12) with SMTP id >>IAA25133 for ; Mon, 2 Sep 1996 08:48:39 -0700 >>Message-ID: <322B2EE3.10D8@.ix.netcom.com> >>Date: Mon, 02 Sep 1996 12:00:51 -0700 >>From: Sherwin Loudermilk >>X-Mailer: Mozilla 2.01 (Win95; U) >>MIME-Version: 1.0 >>To: Firewalls@GreatCircle.COM >>Subject: Please stop >>References: <199608272136.OAA28003@miles.greatcircle.com> >>Content-Type: text/plain; charset=us-ascii >>Content-Transfer-Encoding: 7bit >>Sender: firewalls-owner@GreatCircle.COM >>Precedence: bulk >> >>Can you please stop sending me e-mail messages. >> Thanks >> >Please remove yourself from the mailing list. Follow the instructions you >received and saved when you subscribed. > >Sending your broken unsubscribe attempt to all the subscribers on the list >is useless, not to mention rude. We can't unsubscribe you. Based on the number of "Don't send me e-mail" traffic lately on here, I'm beginning to suspect someone is adding e-mail addresses to mailing lists as part of a retribution/prank. 
-- Gene Lee genel@inforamp.net genelee@vnet.ibm.com From firewalls-owner Mon Sep 2 20:27:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA09996 for firewalls-outgoing; Mon, 2 Sep 1996 20:10:46 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA09989 for ; Mon, 2 Sep 1996 20:10:39 -0700 (PDT) Received: from emailid90-pc.cisco.com (c3robo9.cisco.com [171.68.13.73]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id UAA08985; Mon, 2 Sep 1996 20:10:17 -0700 Message-Id: <2.2.32.19960903050537.006e51a8@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 02 Sep 1996 22:05:37 -0700 To: firewalls@GreatCircle.COM, jonesmd@unifiedtech.com From: Chris Lonvick Subject: Re: PIX router Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Mike, The PIX currently performs network layer protection and RFC-1631 Network Address Translation. As someone mentioned in a later post, there will be many new features in the upcoming release and many more in the future. Without knowing the specifics of your case, I can only give you some very general rules about how it can be used. The PIX has been implemented as a stand alone security device between a sensitive area of a network (i.e. - financial dept.) and the rest of a network. It's also been implemented as part of a firewall system, between the Internet and a private network. Rather than go into a lot of detail here, please look at http://www.cisco.com/univ-src/3.9/data/doc/cintrnet/ics/icssecur.htm#HDR10 - a Security white paper (see Fig. 3.1) and http://www.cisco.com/warp/public/751/pix/pie_ds.htm - a PIX spec sheet (see Fig. 2). As with anything, I urge you to fully define your expectations and then find a security device which can meet them. 
Thanks, Chris Lonvick Cisco Systems Consulting Engineering +1-713-778-5663 >I'm looking for information on why (or why not) a Cisco PIX box is >adequate as a firewall. My gut feeling is that it does part of the job, >but that it's not something you should rely on as a complete solution. > > Mike Jones > Unified Technologies > > From firewalls-owner Mon Sep 2 21:11:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA14877 for firewalls-outgoing; Mon, 2 Sep 1996 21:05:08 -0700 (PDT) Received: from dns.networx.com.au (dns.networx.com.au [203.21.140.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA14859 for ; Mon, 2 Sep 1996 21:04:57 -0700 (PDT) Received: from DEMO.networx.com.au (203.21.140.5) by dns.networx.com.au (EMWAC SMTPRS 0.80) with SMTP id ; Tue, 03 Sep 1996 13:56:44 +1000 Message-ID: From: "Leon O'Brien" To: Subject: Network monitoring tools Date: Tue, 3 Sep 1996 13:58:08 +1000 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I need to obtain a good network monitoring tool or analyser; our company is experiencing difficulties with WWW and has been informed that a network analyser would be beneficial. 
I thank all who help, even though it is not related to this list Leon O'Brien Managing Director NetWorx Pty Ltd leon@networx.com.au From firewalls-owner Tue Sep 3 00:09:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA26964 for firewalls-outgoing; Tue, 3 Sep 1996 00:03:29 -0700 (PDT) Received: from mail.transpac.net (nic.transpac.net [194.52.1.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA26953 for ; Tue, 3 Sep 1996 00:03:22 -0700 (PDT) Received: from alf.ihc.se (alf.ihc.se [194.52.187.254]) by mail.transpac.net (8.7.5/8.7.3) with SMTP id JAA09416 for ; Tue, 3 Sep 1996 09:02:26 +0200 (MET DST) Received: by alf.ihc.se; (5.65v3.2/1.3/10May95) id AA15149; Tue, 3 Sep 1996 09:06:29 +0200 Message-Id: <9609030704.AA09243@ns.ihc.se> To: "firewalls@greatcircle.com" Subject: C2 certified OS that can run a firewall Date: Tue, 03 Sep 96 09:03:16 -0500 From: "Mattias Lindström" X-Mailer: E-Mail Connection v2.5.03 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -- [ From: Mattias Lindström * EMC.Ver #2.5.02 ] -- Taking up the thread again after healing my wounds. More seriously, everybody that posted more or less agreed that MS is not to be trusted (as always) and that the Orange Book doesn't mention networking. Everybody was more or less discussing A1 or B2 or some other letter-number combination security level, but nobody mentioned C2. Is there any OS out there that is C2 (not A1 or B2 or anything else, just C2) certified that can run a firewall with the C2 "stamp" applied? I don't want to hear that so and so are developing this and that for that OS, I want specific details. TNT, Mattias -- Mattias Lindstrom NT and Security Consultant This email is for the use of authorized users only. Individuals using this email without authority, or in excess of their authority, are subject to having all of their activities monitored and recorded by system personnel. 
From firewalls-owner Tue Sep 3 02:09:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA06320 for firewalls-outgoing; Tue, 3 Sep 1996 01:55:51 -0700 (PDT) Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA06286 for ; Tue, 3 Sep 1996 01:55:38 -0700 (PDT) Received: by h01.scientia.com with SMTP id JAA03623 for ; Tue, 3 Sep 1996 09:55:16 +0100 Message-Id: <199609030855.JAA03623@h01.scientia.com> X-Sender: firewall@pop-server X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 03 Sep 1996 08:54:37 +0100 To: firewalls@greatcircle.com From: Ian Miller Subject: RE: Blocking non-http (executable) content Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 16:46 02/09/96 -0700, Bill Stout wrote: >Hmm. An OLE Proxy via Catapult only. Next all other firewall vendors >will have to play catch-up with Microsoft. > Given the power of OLE and its near total lack of even elementary integrity checking, let alone security checking, OLE is one of the last services anyone should allow through a Firewall with or without proxies. (If you want a VPN, you can use a general NetBEUI encrypted tunnel so don't need proxies.) I think that the trend towards increasing programmable features (e.g. Word/Excel macros, Java/Active-X etc.) is wholly incompatible with achieving secure networks. Regrettably I fear this won't be appreciated by a lot of non-technical managers until lots of real damage has been done. 
Ian From firewalls-owner Tue Sep 3 03:39:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA12698 for firewalls-outgoing; Tue, 3 Sep 1996 03:22:48 -0700 (PDT) Received: from fireball.smartnet.co.za (fireball.smartnet.co.za [196.25.20.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA12691 for ; Tue, 3 Sep 1996 03:22:36 -0700 (PDT) Received: from [196.25.20.135] (doctor.smartnet.co.za [196.25.20.135]) by fireball.smartnet.co.za (8.6.12/8.6.9) with SMTP id MAA15638 for ; Tue, 3 Sep 1996 12:45:43 +0200 Message-Id: <199609031045.MAA15638@fireball.smartnet.co.za> Comments: Authenticated sender is From: "Geoffrey Ellison" Organization: SmartNet, South Africa To: Firewalls@GreatCircle.COM Date: Tue, 3 Sep 1996 12:18:44 +0200 Subject: Re: WWW servers (Again) Reply-to: geoff@smartnet.co.za X-mailer: Pegasus Mail for Windows (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hey y'all. I still haven't seen a response to this in the list so I'm sending it again. If any you know about multihoming NT, please respond. Dennis said: > Windows NT and IIS (Internet information server) does this quite > well. Under Windows NT you can have 254 IP addresses/fqdn bound to > each nic installed. IIS also is very configurable on what ip's to > use and how. Whooah! Is this NT3.5x? My documentation says that I can configure up to five IP addresses per network interface. The word out on the net is that you can hack the registry to give you something like 10 - 16 addresses. It is said that anything more than that is asking for trouble. If there is a way to have up to 254 IP's per interface I would very much like to know what it is. Also, what is the server load for this type of thing? If 254 is the theoretical max, what is the practical max, assuming a 64M RAM 586 serving HTTP. Geoff. 
====================================================== _ _ <@ @> +------oOO----(_)-------------+ | Geoffrey Ellison | | Manager: Technical Services | | SmartNet | | geoff@smartnet.co.za | +---------------------oOO-----+ \| |__|__| |/ || || ooO Ooo ====================================================== PGP public key available on request. From firewalls-owner Tue Sep 3 04:09:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA13472 for firewalls-outgoing; Tue, 3 Sep 1996 03:50:49 -0700 (PDT) Received: from tounes.ati.tn ([193.94.51.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA13441 for ; Tue, 3 Sep 1996 03:50:30 -0700 (PDT) Received: from carthage.ati.tn (carthage.ati.tn [193.94.51.20]) by tounes.ati.tn (8.6.9/8.6.9) with SMTP id LAA03201 for ; Tue, 3 Sep 1996 11:49:26 GMT Received: by carthage.ati.tn with Microsoft Exchange (IMC 4.12.736) id <01BB998D.E8DAEA40@carthage.ati.tn>; Tue, 3 Sep 1996 11:49:05 -0000 Message-ID: From: MONDHER GAM To: "Firewalls@GreatCircle.COM" Subject: RE: Master Date: Tue, 3 Sep 1996 11:59:00 -0000 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From : Mondher GAM Systems & Security Engineer NETCOM-Ltd Tunis-TUNISIA e-mail : mondher.gam@netcom.com.tn to: Firewalls@GreatCircle.COM >I am a computer communication engineer. I started my master >I want to choose a point for search in firewalls. >The problem is I can't determine the hot subjects these days >can anyone help me? > ########################################################################### I'm a computer-science engineer specialized in networks & computer communications, and I have already used the TIS Internet Firewall Toolkit to implement our own firewall system for my university; that was my final-year project. 
I have in this context already used the topology of a dual-homed gateway, and the testing of all the service proxies and everything was all right. Now I'm working in a company specialized in the networking domain, where I'm the security administrator and system engineer. I have already contacted Mr Ranum (who has worked on the TIS Firewall Toolkit) and I advise you to look at these two points, after of course setting up a firewall architecture inside your local site: i). the first is about ARP (Address Resolution Protocol). How can we realize the correspondence between the physical ethernet hardware address and the IP logical address? That is of course for getting a stronger measure of security. ii). the second one is about the UDP protocol. We all know that many services are UDP based, such as SNMP and NFS, and it's thus more important to take security measures for this connectionless protocol. So, how can we secure it? And what are the works that have been done for this protocol? In fact, the TIS FW Toolkit does not provide any security measures for the UDP-based services. So it's a best guess. Good luck for your master's, Mohamed, and please contact me for any documents or information you need. 
########################################################################## ######## Nothing is impossible, all that exists is incapable people ######## ########################################################################## Mondher GAM Systems & Security Engineer NETCOM-Ltd Tunis-TUNISIA From firewalls-owner Tue Sep 3 05:24:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA21393 for firewalls-outgoing; Tue, 3 Sep 1996 05:14:16 -0700 (PDT) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA21386; Tue, 3 Sep 1996 05:14:10 -0700 (PDT) From: kesavan.p.nair@bangate1.tek.com Received: by inet1.tek.com id ; Tue, 3 Sep 1996 05:13:53 -0700 Received: from bangate.tek.com(128.181.153.52) by inet1 via smap (V1.3) id sma033323; Tue Sep 3 05:10:53 1996 Received: by bangate2.tek.com with VINES-ISMTP; Tue, 3 Sep 96 5:11:12 PDT Date: Mon, 2 Sep 96 16:29:01 IST Message-Id: X-Priority: 3 (Normal) To: Cc: Subject: Info needed - Internet web server on a firewalled network Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am developing an Internet-based secure application which will reside on a web server accessible from the Internet but within the firewall. I have the following questions for the firewall gurus out there to answer on the general setup of HTTP servers facing the Internet on a secured (firewalled) network. Please do give a general overview of how your web server is set up in relation to your firewall. How is your firewall implemented in terms of HTTP? Is your web server to the external world inside the firewall or outside the firewall? In case your web server is outside the firewall, does it have provisions to access machines inside YOUR firewall in a secured manner? How do you achieve this? 
In case your web server is inside, how is the security structure

regards
Kesavan.p.nair@tek.com

From firewalls-owner Tue Sep 3 06:09:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA24459 for firewalls-outgoing; Tue, 3 Sep 1996 06:02:45 -0700 (PDT) Received: from relay4.smtp.psi.net (relay4.smtp.psi.net [38.9.52.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA24450 for ; Tue, 3 Sep 1996 06:02:38 -0700 (PDT) Received: from bscgnj.com by relay4.smtp.psi.net (8.7.5/SMI-5.4-PSI) id JAA09469; Tue, 3 Sep 1996 09:02:21 -0400 (EDT) Received: from BSCG_NJ/SpoolDir by bscgnj.com (Mercury 1.21); 3 Sep 96 09:02:24 -0500 Received: from SpoolDir by BSCG_NJ (Mercury 1.30); 3 Sep 96 09:02:17 -0500 From: "Stefan Kwiatkowski" Organization: Bay State Computer Group of NJ To: Firewalls@GreatCircle.COM Date: Tue, 3 Sep 1996 09:02:09 EDT MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Shiva and firewalls [Eagle] X-mailer: Pegasus Mail for Windows (v2.33) Message-ID: <8BF7A84390@bscgnj.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Has anyone set up a Shiva LanRover outside of a firewall, and still maintained accessibility from the internal network? Does Shiva use a UDP port to make a Comm connection from the clients? All thoughts appreciated.
From firewalls-owner Tue Sep 3 07:09:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA27724 for firewalls-outgoing; Tue, 3 Sep 1996 06:41:40 -0700 (PDT) Received: from tcs_gateway1.treas.gov (tcs_gateway1.treas.gov [204.151.245.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA27700 for ; Tue, 3 Sep 1996 06:41:12 -0700 (PDT) Received: by tcs_gateway1.treas.gov id AA19834 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Tue, 3 Sep 1996 09:40:41 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-4); Tue, 3 Sep 1996 09:40:41 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-3); Tue, 3 Sep 1996 09:40:41 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-2); Tue, 3 Sep 1996 09:40:41 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-1); Tue, 3 Sep 1996 09:40:41 -0400 Date: Tue, 3 Sep 1996 09:43:54 -0400 From: meritj@fincen.treas.gov (Jim Meritt) Message-Id: <199609031343.JAA23294@dirham.fincen.gov> To: firewalls@GreatCircle.COM Subject: locate unauthorized connections Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A problem after a firewall - no matter how secure the firewall is itself - is that users put (for whatever reason) connections to the "secure" side that act as backdoors. How do you determine if such a thing has been done (after the connection has been made but before disaster befalls)?

I'm looking at the output of netstat on every node at both the routes and the remote nodes connected to. I use a simple script to extract the information from netstat and netstat -r. Does anyone have other recommendations?
Jim Meritt

From firewalls-owner Tue Sep 3 08:55:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05727 for firewalls-outgoing; Tue, 3 Sep 1996 08:42:41 -0700 (PDT) Received: from bdncs1.dynawell.ch (bdncs1.dynawell.ch [194.209.41.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA05704 for ; Tue, 3 Sep 1996 08:42:32 -0700 (PDT) Received: by bdncs1.dynawell.ch with Microsoft Exchange (IMC 4.12.736) id <01BB99BF.7D2AA290@bdncs1.dynawell.ch>; Tue, 3 Sep 1996 17:44:00 +0200 Message-ID: From: Peter Schumacher To: "'Firewalls@GreatCircle.COM'" Subject: RE: Subject: C2 certified OS that can run a firewall Date: Tue, 3 Sep 1996 17:43:58 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Digital UNIX is a C2 certified OS. The Alta Vista Firewall Software runs on it. For more information check out the Alta Vista Firewall at www.networks.digital.com

>Peter.Schumacher@netpartner.ch

From firewalls-owner Tue Sep 3 09:09:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05756 for firewalls-outgoing; Tue, 3 Sep 1996 08:43:34 -0700 (PDT) Received: from telxon (telxon.mis.telxon.com [149.23.2.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA05749 for ; Tue, 3 Sep 1996 08:43:23 -0700 (PDT) Received: from exchange.mis.telxon.com by telxon (SMI-8.6/SMI-SVR4) id LAA23354; Tue, 3 Sep 1996 11:42:57 -0400 Received: by exchange.mis.telxon.com with Microsoft Exchange (IMC 4.0.838.14) id <01BB998D.34B92D10@exchange.mis.telxon.com>; Tue, 3 Sep 1996 11:44:03 -0400 Message-ID: From: "Wojno, Jim" To: "'firewalls@greatcircle.com'" Subject: Firewall-1 Logs Date: Tue, 3 Sep 1996 11:44:02 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk

To All:

We are in the process of determining how much disk space we will require for a Firewall-1 unit. We will be using a SPARC-20, and currently have about 400 to 500 active Internet users. We would like to keep at least one month worth of logging data on-line. Approximately how much disk space would you recommend we have available to accommodate this.

Any input on this would be appreciated. If this topic has already been discussed, please feel free to contact me directly off-list.

Jim Wojno
Systems Administrator
Telxon Corporation
jwojn@telxon.com

From firewalls-owner Tue Sep 3 09:44:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05896 for firewalls-outgoing; Tue, 3 Sep 1996 08:46:38 -0700 (PDT) Received: from apu.connectix.com (apu.connectix.com [204.247.159.242]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA05875 for ; Tue, 3 Sep 1996 08:46:30 -0700 (PDT) Received: from [204.118.199.198] (snowball.connectix.com [204.118.199.198]) by apu.connectix.com (8.7.5/8.6.9) with SMTP id IAA05440 for ; Tue, 3 Sep 1996 08:46:08 -0700 Date: Tue, 3 Sep 1996 08:46:08 -0700 Message-Id: <199609031546.IAA05440@apu.connectix.com> Subject: Denied packets with no protocol?? From: Rob Sansom To: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Anybody know what this is??? It appears to be from a dial in terminal server in Germany.
denied 5 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:33:03 gate247159.connectix.com 2377: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:35:32 gate247159.connectix.com 2378: %SEC-6-IPACCESSLOGNP: list 120 denied 3 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:35:39 gate247159.connectix.com 2379: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:38:27 gate247159.connectix.com 2380: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 3 packets
Aug 30 14:44:27 gate247159.connectix.com 2381: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:54:45 gate247159.connectix.com 2382: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:54:45 gate247159.connectix.com 2383: %SEC-6-IPACCESSLOGNP: list 120 denied 11 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:56:27 gate247159.connectix.com 2384: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 2 packets
Aug 30 14:56:45 gate247159.connectix.com 2385: %SEC-6-IPACCESSLOGNP: list 120 denied 4 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:57:27 gate247159.connectix.com 2386: %SEC-6-IPACCESSLOGNP: list 120 denied 5 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:01:41 gate247159.connectix.com 2387: %SEC-6-IPACCESSLOGNP: list 120 denied 12 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:16 gate247159.connectix.com 2388: %SEC-6-IPACCESSLOGNP: list 120 denied 14 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:27 gate247159.connectix.com 2389: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:27 gate247159.connectix.com 2390: %SEC-6-IPACCESSLOGNP: list 120 denied 11 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:27 gate247159.connectix.com 2391: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:29 gate247159.connectix.com 2392: %SEC-6-IPACCESSLOGNP: list 120 denied 8 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:07:27 gate247159.connectix.com 2393: %SEC-6-IPACCESSLOGNP: list 120 denied 12 141.2.28.130 -> 204.247.159.244, 5 packets
Aug 30 15:08:27 gate247159.connectix.com 2394: %SEC-6-IPACCESSLOGNP: list 120 denied 14 141.2.28.130 -> 204.247.159.244, 2 packets
Aug 30 15:18:34 gate247159.connectix.com 2395: %SEC-6-IPACCESSLOGP: list 120

Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Tue Sep 3 09:54:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08768 for firewalls-outgoing; Tue, 3 Sep 1996 09:30:08 -0700 (PDT) Received: from manzanita. ([139.87.180.206]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA08523 for ; Tue, 3 Sep 1996 09:29:16 -0700 (PDT) Received: by manzanita. (SMI-8.6/SMI-SVR4) id JAA19744; Tue, 3 Sep 1996 09:29:45 -0700 Date: Tue, 3 Sep 1996 09:29:45 -0700 From: bobk@manzanita (Bob Konigsberg) Message-Id: <199609031629.JAA19744@manzanita.> To: firewalls@GreatCircle.COM, nmorrow@magi.com Subject: Re: Spoofing Messages in the Log files X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Internal "spoofing" is also due to the fact that many people simply make up a network number for labs and such, not realizing that this prevents Internet access to the particular network in question. The solution to this is either central administration of private IP networks (a la RFC 1918), or router policies that don't allow the propagation of such network numbers beyond the boundaries of the labs. Another possibility is internal firewalling of "unauthorized" traffic. I've had to use all of these methods, depending on the situation.
BobK

From firewalls-owner Tue Sep 3 10:01:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA10355 for firewalls-outgoing; Tue, 3 Sep 1996 09:44:46 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA10207 for ; Tue, 3 Sep 1996 09:44:15 -0700 (PDT) Received: by hidata.com; id AA24429; Tue, 3 Sep 96 09:43:56 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma024427; Tue, 3 Sep 96 09:43:51 -0700 Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id JAA23346; Tue, 3 Sep 1996 09:43:50 -0700 Message-Id: <2.2.32.19960903164226.009d64a8@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Tue, 03 Sep 1996 09:42:26 -0700 To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: NT port activity list Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I started this thread out of interest in NT Firewalls and Webservers. Let me know if this is too unrelated and I will take this elsewhere.

Amazing what you learn by reading. Windows NT Resource Kit 3.51, Windows NT Networking - Part III 'TCP/IP'. I haven't completed a Satan scan against an NT system yet, but this is what I got so far. Also much of the system-level communication is still a mystery; logon process, etc (RPC?).

NT TCP/IP is divided into the following separate categories;
· 'Core protocols' - TCP, IP, UDP, ARP, ICMP, PPP and SLIP.
· API support - Windows Sockets v1.1, RPC, NetBIOS, and Network DDE.
· Basic TCP/IP utilities - finger, ftp, lpr, rcp, rexec, rsh, telnet, and tftp.
· Diagnostic tools - arp, hostname, ipconfig, lpq, nbtstat, netstat, ping, route, and tracert.
· Services and Administration tools - FTP Server, WINS, DHCP, and TCP/IP Printing.
· SNMP agent
· Client software for 'Simple network protocols' - chargen, daytime, discard, echo, quotd.
· Path MTU discovery - discovers datagram size for all routers between Windows NT computer and any system on a WAN. (RFC 1191)
· IGMP - Internet Gateway Multicast Protocol

The following is a partial list of available IP network ports in NT:

Port  Name         Description                                   RFC
1     icmp         Internet Control Message Protocol             792
2     igmp         Internet Group Management Protocol            1112
7     echo         Ping                                          862
9     discard      Discard (sink null)                           863
13    daytime      Daytime                                       867
15    netstat      Network Statistics
17    quotd        Quote of the Day                              865
                   (\winnt\system32\drivers\etc\quotes)
19    chargen      Character Generator                           864
20    ftp-data     File Transfer Protocol (Data)                 959
21    ftp          File Transfer Protocol (Control)              959
23    telnet       Telnet                                        854
53    domain       Domain Name Service                           1034,1035
69    tftp         Trivial File Transfer Protocol                783,1534,1541
                   Used by Bootp, DHCP
79    finger       Finger                                        1194
137   netbios_ns   NetBIOS Name Service                          1001,1002
                   Typically UDP. Also used by 'nbtstat' Node Status Request
138   netbios_dgm  NetBIOS Datagram Service                      1001,1002
139   netbios_ssn  NetBIOS Session Service                       1001,1002
161   snmp         SNMP Messages                                 1157
162   snmptrap     SNMP Traps                                    1157
530   courier      RPC
515   printer      LPD Spooler                                   1179

Other installed services:

775   sms_db
777   sms_update
1433  tds          Tabular Data Stream DB-library SQLserver

Please edit this list if you have more data (ISS, Raptor, MS?).
Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Tue Sep 3 10:13:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA11373 for firewalls-outgoing; Tue, 3 Sep 1996 09:52:53 -0700 (PDT) Received: from hp3.xlconnect.com ([166.80.10.80]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA11214 for ; Tue, 3 Sep 1996 09:51:50 -0700 (PDT) Received: by hp3.xlconnect.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BB9996.E168B360@hp3.xlconnect.com>; Tue, 3 Sep 1996 12:53:18 -0400 Message-ID: X-MS-TNEF-Correlator: From: "Larson, Erik @TFN Cin" To: "'Firewalls@GreatCircle.COM'" , "'geoff@smartnet.co.za'" Subject: RE: WWW servers (Again) Date: Tue, 3 Sep 1996 12:52:24 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BB9996.E16D4740" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

According to a Microsoft developer that I spoke with last week, NT 3.5.1 can be hacked with the known registry edit hack to allow up to 254 IP addresses/nic. NT 4.0 can support up to 500/nic. He said that several ISPs were already rolling out the NT 4.0 solution. Given that UUNet is 13% owned by Microsoft I would venture to say that they are probably the first to roll out these features and you might be able to get more information from them.
-ekl

----------
From: Geoffrey Ellison[SMTP:geoff@smartnet.co.za]
Sent: Tuesday, September 03, 1996 6:18 AM
To: Firewalls@GreatCircle.COM
Subject: Re: WWW servers (Again)

Hey y'all. I still haven't seen a response to this in the list so I'm sending it again. If any of you know about multihoming NT, please respond.

Dennis said:
> Windows NT and IIS (Internet information server) does this quite
> well. Under Windows NT you can have 254 IP addresses/fqdn bound to
> each nic installed. IIS also is very configurable on what ip's to
> use and how.

Whooah! Is this NT3.5x? My documentation says that I can configure up to five IP addresses per network interface. The word out on the net is that you can hack the registry to give you something like 10 - 16 addresses. It is said that anything more than that is asking for trouble. If there is a way to have up to 254 IP's per interface I would very much like to know what it is. Also, what is the server load for this type of thing? If 254 is the theoretical max, what is the practical max, assuming a 64M RAM 586 serving HTTP.

Geoff.

======================================================
Geoffrey Ellison
Manager: Technical Services
SmartNet
geoff@smartnet.co.za
======================================================
PGP public key available on request.
From firewalls-owner Tue Sep 3 10:51:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15899 for firewalls-outgoing; Tue, 3 Sep 1996 10:38:34 -0700 (PDT) Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA15855 for ; Tue, 3 Sep 1996 10:38:20 -0700 (PDT) Received: by intfw.bear.com
(4.1/SMI-4.1) id AA12245; Tue, 3 Sep 96 13:35:51 EDT Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma011207; Tue Sep 3 13:27:35 1996 Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA05530; Tue, 3 Sep 96 13:29:37 EDT Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA11458; Tue, 3 Sep 96 13:28:11 EDT Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id NAA12627; Tue, 3 Sep 1996 13:27:24 -0400 Received: from neptune.bsnet by wizard.bsnet (SMI-8.6/SMI-SVR4) id NAA05229; Tue, 3 Sep 1996 13:27:25 -0400 Received: by neptune.bsnet (SMI-8.6/SMI-SVR4) id NAA05963; Tue, 3 Sep 1996 13:27:22 -0400 Date: Tue, 3 Sep 1996 13:27:22 -0400 From: sj@bear.com (Shahryar Jahangir) Message-Id: <199609031727.NAA05963@neptune.bsnet> To: firewalls@greatcircle.com, jwojn@telxon.com Subject: Re: Firewall-1 Logs Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: Qqee2Y+UpV6oI5iLYIwpQQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jim,

Firewall-1 logging is configurable. If you plan on doing detailed logging of all incoming and outgoing connections, your log file (just the log file, not the errors file) may reach anywhere between 5-10 MB (again depending upon your internet usage and logging style). This usually happens if you are tracking http proxy connections. However, if you don't care whether or not someone accesses playboy.com etc, you can skip (or at least compact) the http outbound logging, which will cut down tremendously on your log size.

So, the size of your filesystem/drive depends upon your logging structure. For heavy logging, I use a separate filesys as well as drive (1 GB). But we, as a financial firm, have more to record than most other orgs. I also keep past logs online.

Hope this gives you some guidance.
luck
sj

:->From jwojn@telxon.com Tue Sep 3 12:57:44 1996
:->From: "Wojno, Jim"
:->To: "'firewalls@greatcircle.com'"
:->Subject: Firewall-1 Logs
:->Date: Tue, 3 Sep 1996 11:44:02 -0400
:->Mime-Version: 1.0
:->Content-Transfer-Encoding: 7bit
:->
:->To All:
:->
:->We are in the process of determining how much disk space we will require
:->for a Firewall-1 unit. We will be using a SPARC-20, and currently have
:->about 400 to 500 active Internet users. We would like to keep at least
:->one month worth of logging data on-line. Approximately how much disk
:->space would you recommend we have available to accommodate this.
:->
:->Any input on this would be appreciated. If this topic has already been
:->discussed, please feel free to contact me directly off-list.
:->
:->Jim Wojno
:->Systems Administrator
:->Telxon Corporation
:->jwojn@telxon.com
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From firewalls-owner Tue Sep 3 10:58:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17996 for firewalls-outgoing; Tue, 3 Sep 1996 10:51:22 -0700 (PDT) Received: from tavor.openu.ac.il (tavor.openu.ac.il [147.233.128.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA17977 for ; Tue, 3 Sep 1996 10:51:06 -0700 (PDT) Received: from localhost (nullhost.openu.ac.il)[] by tavor.openu.ac.il with SMTP id AA18345 (5.67a8/IDA-1.5 for ); Tue, 3 Sep 1996 20:49:41 +0300 Date: Tue, 3 Sep 1996 20:49:39 +0300 (IDT) From: Rafi Sadowsky X-Sender: rafi@tavor To: Rob Sansom Cc: firewalls@greatcircle.com Subject: Re: Denied packets with no protocol??
In-Reply-To: <199609031546.IAA05440@apu.connectix.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You get this (no type) normally with an ip deny rule (no subprotocol, e.g. TCP, UDP, ICMP...). What is the deny rule that caused it?

--
Rafi Sadowsky rafi@tavor.openu.ac.il [postmaster@openu.ac.il] FAX: +972-3-6460744

On Tue, 3 Sep 1996, Rob Sansom wrote:
> Anybody know what this is??? It appears to be from a dial in terminal
> server in Germany.
>
> denied 5 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:33:03 gate247159.connectix.com 2377: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:35:32 gate247159.connectix.com 2378: %SEC-6-IPACCESSLOGNP: list 120 denied 3 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:35:39 gate247159.connectix.com 2379: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:38:27 gate247159.connectix.com 2380: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 3 packets
> Aug 30 14:44:27 gate247159.connectix.com 2381: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:54:45 gate247159.connectix.com 2382: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:54:45 gate247159.connectix.com 2383: %SEC-6-IPACCESSLOGNP: list 120 denied 11 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:56:27 gate247159.connectix.com 2384: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 2 packets
> Aug 30 14:56:45 gate247159.connectix.com 2385: %SEC-6-IPACCESSLOGNP: list 120 denied 4 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:57:27 gate247159.connectix.com 2386: %SEC-6-IPACCESSLOGNP: list 120 denied 5 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:01:41 gate247159.connectix.com 2387: %SEC-6-IPACCESSLOGNP: list 120 denied 12 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:16 gate247159.connectix.com 2388: %SEC-6-IPACCESSLOGNP: list 120 denied 14 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:27 gate247159.connectix.com 2389: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:27 gate247159.connectix.com 2390: %SEC-6-IPACCESSLOGNP: list 120 denied 11 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:27 gate247159.connectix.com 2391: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:29 gate247159.connectix.com 2392: %SEC-6-IPACCESSLOGNP: list 120 denied 8 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:07:27 gate247159.connectix.com 2393: %SEC-6-IPACCESSLOGNP: list 120 denied 12 141.2.28.130 -> 204.247.159.244, 5 packets
> Aug 30 15:08:27 gate247159.connectix.com 2394: %SEC-6-IPACCESSLOGNP: list 120 denied 14 141.2.28.130 -> 204.247.159.244, 2 packets
> Aug 30 15:18:34 gate247159.connectix.com 2395: %SEC-6-IPACCESSLOGP: list 120
>
> Rob Sansom
> Network Admin.
> Connectix Corp
> (415) 638-7398
> sansom@connectix.com
>

From firewalls-owner Tue Sep 3 11:13:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA19344 for firewalls-outgoing; Tue, 3 Sep 1996 10:59:59 -0700 (PDT) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA19281 for ; Tue, 3 Sep 1996 10:59:40 -0700 (PDT) Received: from beach.sctc.com (root@localhost) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id NAA28920 for ; Tue, 3 Sep 1996 13:05:22 -0500 (CDT) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id NAA28916 for ; Tue, 3 Sep 1996 13:05:22 -0500 (CDT) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.5/8.7.3) with SMTP id MAA26476; Tue, 3 Sep 1996 12:59:29 -0500 (CDT) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id MAA13978; Tue, 3 Sep 1996 12:59:28 -0500 Date: Tue, 3 Sep 1996 12:59:28 -0500 From: Rick Smith Message-Id: <199609031759.MAA13978@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Re: C2 certified OS that can run a firewall X-Newsreader: TIN [version 1.2 PL2] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If you need strong protection (otherwise, why care about NCSC evaluations) then you should take a look at the C2 specification and realize that it's not intended for strong protection.

Rick.
smith@sctc.com
secure computing corporation

From firewalls-owner Tue Sep 3 12:03:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA23740 for firewalls-outgoing; Tue, 3 Sep 1996 11:34:26 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA23696 for ; Tue, 3 Sep 1996 11:34:05 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA18300; Tue, 3 Sep 1996 13:33:43 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma009510; Thu Aug 29 08:20:17 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA02666; Thu, 29 Aug 1996 08:20:16 -0500 Received: by sonic.nmti.com; id AA01232; Thu, 29 Aug 1996 08:20:15 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9608291320.AA01232@sonic.nmti.com.nmti.com> Subject: Re: Win NT PPTP vs. VPN To: endrizzi@master.the-link.com Date: Thu, 29 Aug 1996 08:20:15 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199608290229.VAA17801@master.the-link.com> from "endrizzi@master.the-link.com" at Aug 28, 96 09:07:05 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> 1)MS is 90% of the desktop market and after NT squishes Novell, MS will
> also be 90% of the NOS market.

Given the way companies are backing out of NT and going back to Nightmare for enterprise networking...?
From firewalls-owner Tue Sep 3 12:14:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA26904 for firewalls-outgoing; Tue, 3 Sep 1996 11:58:46 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA26861 for ; Tue, 3 Sep 1996 11:58:34 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA21506; Tue, 3 Sep 1996 13:58:12 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma002540; Tue Sep 3 11:45:49 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA05514; Tue, 3 Sep 1996 11:45:48 -0500 Received: by sonic.nmti.com; id AA14943; Tue, 3 Sep 1996 11:45:47 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9609031645.AA14943@sonic.nmti.com.nmti.com> Subject: Re: C2 certified OS that can run a firewall To: mattias.lindstrom@ihc.se (Mattias Lindstr_vm) Date: Tue, 3 Sep 1996 11:45:47 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9609030704.AA09243@ns.ihc.se> from "Mattias Lindstr\vm" at Sep 3, 96 09:03:16 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text X-Bogus-To: mattias.lindstrom@ihc.se (Mattias Lindstr\vm) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Is there any OS out there that is C2 (not A1 or B2 or anything else, just
> C2) certified that can run a firewall with the C2 "stamp" applied?

What specific features of C2 (over, say, C1) do you need? Or are you just looking for the stamp?
From firewalls-owner Tue Sep 3 12:29:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25715 for firewalls-outgoing; Tue, 3 Sep 1996 11:48:06 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA25646 for ; Tue, 3 Sep 1996 11:47:38 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA19947; Tue, 3 Sep 1996 13:46:52 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma024059; Sat Aug 31 11:16:36 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA07153; Sat, 31 Aug 1996 11:16:36 -0500
Received: by sonic.nmti.com; id AA16580; Sat, 31 Aug 1996 11:16:35 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608311616.AA16580@sonic.nmti.com.nmti.com>
Subject: Re: NT port activity list
To: bill.stout@hidata.com (Bill Stout)
Date: Sat, 31 Aug 1996 11:16:34 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19960831000931.00db5ef8@osc.hidata.com> from "Bill Stout" at Aug 30, 96 05:09:31 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I just sniffed NTWS4.0 beta and got:

TCP services on fubar [198.178.0.183]:
    echo        7/tcp
    discard     9/tcp
    daytime     13/tcp
    chargen     19/tcp
    ftp         21/tcp   (note, this is only open if you enable
                          ftp access during setup)

The netbios services didn't show up under a scan.
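Arnaud Girsch's follow-up later in this digest asks why a local 'netstat -a' doesn't show everything a scan from outside does. The following is an added example, not code from the list: it reconciles the two views, using Peter's scan output above as one input and a constructed NT-style netstat listing as the other, and flags the RFC 862/863/864/867 "small services" wherever they are exposed.

```python
"""Reconcile an external TCP service scan with the host's own 'netstat -a'.

Added example, not from the mailing list.  SCAN_OUTPUT is the scan result
posted in the thread; NETSTAT_OUTPUT is a constructed sample in the NT
"Proto  Local Address  Foreign Address  State" layout."""

import re

# Scan output as posted ("name port/tcp ..." lines after a banner).
SCAN_OUTPUT = """\
TCP services on fubar [198.178.0.183]:
echo 7/tcp
discard 9/tcp
daytime 13/tcp
chargen 19/tcp
ftp 21/tcp (note, this is only open if you enable ftp access during setup)
"""

# Constructed 'netstat -a' output for the same host.  Port 19 (chargen) is
# deliberately missing and port 139 (netbios-ssn) deliberately present, so the
# reconciliation has something to find in both directions.
NETSTAT_OUTPUT = """\
Proto  Local Address          Foreign Address        State
TCP    fubar:7                0.0.0.0:0              LISTENING
TCP    fubar:9                0.0.0.0:0              LISTENING
TCP    fubar:13               0.0.0.0:0              LISTENING
TCP    fubar:21               0.0.0.0:0              LISTENING
TCP    fubar:139              0.0.0.0:0              LISTENING
TCP    fubar:1032             ftp.example.net:21     ESTABLISHED
"""

# Debug-era services with no business on a workstation; flag them if exposed.
LEGACY_SMALL_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen"}

SCAN_LINE = re.compile(r"^(\S+)\s+(\d+)/tcp\b")
# Matches the "addr:port ... LISTENING" column layout NT (and Linux) print;
# BSD-style "*.7 ... LISTEN" lines are not handled by this sample.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTEN(?:ING)?\s*$", re.I)


def parse_scan(text):
    """Return {port: service_name} for every 'name port/tcp' line."""
    found = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            found[int(m.group(2))] = m.group(1)
    return found


def parse_netstat(text):
    """Return the set of TCP ports the host itself reports as listening."""
    ports = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def reconcile(scan_text, netstat_text):
    """Compare the outside view of a host with its own inside view.

    Returns:
      unlisted_externally_open - reachable from the network but absent from
                                 netstat (Arnaud's puzzle: a listener the
                                 host does not report)
      local_only               - listening locally but not seen by the scan
                                 (a filter in the path, or a scanner gap, as
                                 with the netbios ports in Peter's scan)
      legacy_small_services    - exposed echo/discard/daytime/chargen ports
    """
    open_ports = set(parse_scan(scan_text))
    local = parse_netstat(netstat_text)
    return {
        "unlisted_externally_open": sorted(open_ports - local),
        "local_only": sorted(local - open_ports),
        "legacy_small_services": sorted(p for p in open_ports
                                        if p in LEGACY_SMALL_SERVICES),
    }


if __name__ == "__main__":
    for key, ports in reconcile(SCAN_OUTPUT, NETSTAT_OUTPUT).items():
        print("%-26s %s" % (key, ports))
```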
From firewalls-owner Tue Sep 3 12:50:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA27199 for firewalls-outgoing; Tue, 3 Sep 1996 12:00:20 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA27036 for ; Tue, 3 Sep 1996 11:59:34 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA21181; Tue, 3 Sep 1996 13:56:15 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma001368; Tue Sep 3 08:49:22 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA29418; Tue, 3 Sep 1996 08:49:22 -0500
Received: by sonic.nmti.com; id AA11026; Tue, 3 Sep 1996 08:49:21 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9609031349.AA11026@sonic.nmti.com.nmti.com>
Subject: Re: Blocking non-http (executable) content
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Tue, 3 Sep 1996 08:49:21 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM, DCOM@Listserv.msn.com, markry@microsoft.com
In-Reply-To: from "Russ" at Aug 30, 96 11:20:52 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> HTTP is not a transport protocol, IP is, and your statement
> proves that you see HTTP as a transport protocol. HTTP doesn't have any
> mechanisms to deal with differentiating traffic types as IP does.

Um, yeh, actually Russ... it does. The problem is that browsers ignore these
tags if they're inconvenient, so in practice they're only marginally useful.
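The type tags Peter refers to are the Content-Type headers, and Russ's proposal further down this digest is that a proxy verify them against the body (image header bytes, ASCII text, block the rest). The following is an added example, not code from the list or from any product discussed: a proxy-side consistency check with a constructed magic-number table, which catches a mislabelled executable and a uuencoded blob like Peter's "Tunnel 1" but, as his "Tunnel 2" shows, passes data encoded as ordinary words.

```python
"""Proxy-side check that an HTTP response body matches its declared Content-Type.

Added example, not code from the mailing list.  The magic-number table and the
sample responses are constructed for illustration."""

import re

# Header bytes of image formats the proxy recognises (constructed table).
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
# Signatures that mean "code" no matter what the header claims.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")
# A uuencoded block starts with "begin <mode> <name>" on a line of its own.
UUENCODE_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S", re.M)


def looks_like_text(body):
    """Plain ASCII: no NULs and at most 5% of bytes outside printable/whitespace."""
    if not body:
        return True
    if b"\x00" in body:
        return False
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(body) >= 0.95


def classify(content_type, body):
    """Return 'allow', or 'block: <reason>' when the body contradicts its label.

    Executable signatures are rejected first, so an .exe served as image/gif
    is caught before the image header check runs."""
    ctype = content_type.split(";")[0].strip().lower()
    if any(body.startswith(sig) for sig in EXECUTABLE_MAGIC):
        return "block: executable signature despite Content-Type %s" % ctype
    if ctype in IMAGE_MAGIC:
        if not any(body.startswith(sig) for sig in IMAGE_MAGIC[ctype]):
            return "block: body lacks the %s header bytes" % ctype
        return "allow"
    if ctype.startswith("text/"):
        if not looks_like_text(body):
            return "block: binary data labelled %s" % ctype
        if UUENCODE_BEGIN.search(body):
            return "block: uuencoded block inside %s" % ctype
        return "allow"
    # Russ's rule: whatever is neither a recognised image nor text is treated as code.
    return "block: unrecognised Content-Type %s" % ctype


# Constructed sample responses.
GIF_BODY = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
EXE_AS_GIF = b"MZ\x90\x00\x03\x00\x00\x00"
# Peter's "Tunnel 1": a uuencoded packet carried as plain text.
TUNNEL_1 = (b"begin 664 packet\n"
            b"MKJhJKHsjkHJKAShjkHJKDFHKJDWHFJKWHDJKFHJKFDLWJDHJKWHJKCHJK\n"
            b"end\n")
# Peter's "Tunnel 2": data carried as ordinary words; indistinguishable from text.
TUNNEL_2 = b"gang five sleep dupe new diet green lemming infinity truth\n"


def demo():
    """Classify the samples in order; returns the list of verdicts."""
    return [
        classify("image/gif", GIF_BODY),                    # allow
        classify("image/gif", EXE_AS_GIF),                  # block: executable ...
        classify("text/plain", TUNNEL_1),                   # block: uuencoded ...
        classify("text/plain", TUNNEL_2),                   # allow (the limit)
        classify("application/octet-stream", EXE_AS_GIF),   # block: executable ...
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```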
From firewalls-owner Tue Sep 3 12:59:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA01729 for firewalls-outgoing; Tue, 3 Sep 1996 12:40:54 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA01702 for ; Tue, 3 Sep 1996 12:40:38 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id OAA26266; Tue, 3 Sep 1996 14:40:17 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma004513; Tue Sep 3 14:34:29 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA12122; Tue, 3 Sep 1996 14:34:29 -0500
Received: by sonic.nmti.com; id AA30172; Tue, 3 Sep 1996 14:34:28 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9609031934.AA30172@sonic.nmti.com.nmti.com>
Subject: Re: Firewalls-Digest V5 #484
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Tue, 3 Sep 1996 14:34:28 -0500 (CDT)
Cc: Bernhard_Schneck@GeNUA.DE, peter@baileynm.com, toranix@ultranet.com, jsong@amer.net, Firewalls@GreatCircle.COM
In-Reply-To: from "Russ" at Sep 3, 96 03:07:24 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Just because you hack my webserver does not translate into access to my
> SQL server for anything other than the defined access that the webserver
> had, which could quite easily be read-only.

Then it's not in the same trust boundary. End of subject.
From firewalls-owner Tue Sep 3 13:19:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA01992 for firewalls-outgoing; Tue, 3 Sep 1996 12:43:15 -0700 (PDT)
Received: from hap.arnold.af.mil (smokey.arnold.af.mil [132.45.120.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA01945 for ; Tue, 3 Sep 1996 12:42:53 -0700 (PDT)
Received: from zone.aedc (zone.arnold.af.mil [134.137.226.32]) by hap.arnold.af.mil (8.6.10/8.6.9) with ESMTP id OAA03800 for <@hap.aedc:firewalls@GreatCircle.COM>; Tue, 3 Sep 1996 14:45:54 -0500
Received: by zone.aedc (940816.SGI.8.6.9/930416.SGI) for firewalls@GreatCircle.COM id OAA27397; Tue, 3 Sep 1996 14:41:44 -0500
From: "Sean Fuller"
Message-Id: <9609031441.ZM27395@zone.aedc>
Date: Tue, 3 Sep 1996 14:41:43 -0500
In-Reply-To: "Any virtual telnet proxy gateways about?" (Aug 30, 6:42am)
References: <841405326FriCDT.firewalls-owner@GreatCircle.COM>
X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail)
To: firewalls@GreatCircle.COM
Subject: Re: Any virtual telnet proxy gateways about?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I modified our telnet proxy here to automatically connect certain users to a
machine while allowing other users full access to the telnet gateway's
functionality. Sorry, I can't give out the code, but you can find out which
host the client is coming from by calling getpeername() and then you can force
a command in the usercmd() function of TIS FWTK by using a
sprintf(buf, "connect %s", desthost) at the beginning rather than prompting
the user for a telnet gateway command.

I hope this helps.
-------------------------------------------------
#include /* Sean Fuller */

From firewalls-owner Tue Sep 3 13:25:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24265 for firewalls-outgoing; Tue, 3 Sep 1996 11:37:33 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA24100 for ; Tue, 3 Sep 1996 11:36:51 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA18612; Tue, 3 Sep 1996 13:36:15 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma011047; Thu Aug 29 11:37:53 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA09776; Thu, 29 Aug 1996 11:37:53 -0500
Received: by sonic.nmti.com; id AA07879; Thu, 29 Aug 1996 11:37:52 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608291637.AA07879@sonic.nmti.com.nmti.com>
Subject: Re: Dcom Rollout (fwd)
To: proberts@clark.net (Paul D. Robertson)
Date: Thu, 29 Aug 1996 11:37:52 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Paul D. Robertson" at Aug 29, 96 11:00:15 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Is it just me, or does everyone else see a problem with every vendor in
> the world encapsulating over HTTP so the users can get right through the
> firewall?

It's not just you.

> IMNSHO we need a way to identify and block non-content HTTP.

Stealthed IP-over-HTTP would be a piece of cake. Just package the packets in
POST/RESPONSE pairs, and poll. I don't think there's anything we can do
against hostile software vendors (people coming up with COOL APPS that grovel
through your Netscape.INI files to find your proxies without saying anything
about it).
We need to come up with a tagging plan for cooperative vendors to go along
with. What mime type does Microsoft's product use?

From firewalls-owner Tue Sep 3 13:31:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA01146 for firewalls-outgoing; Tue, 3 Sep 1996 12:36:23 -0700 (PDT)
Received: from mail11.digital.com (mail11.digital.com [192.208.46.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA01139 for ; Tue, 3 Sep 1996 12:36:16 -0700 (PDT)
Received: from akonts.ako.dec.com by mail11.digital.com (8.7.5/UNX 1.2/1.0/WV) id PAA18676; Tue, 3 Sep 1996 15:24:02 -0400 (EDT)
Received: from isbu-mail.ljo.dec.com by akonts.ako.dec.com (5.65/MS-010395) id AA07942; Tue, 3 Sep 1996 15:22:15 -0400
Received: from tun-30.imc.das.dec.com [16.136.208.30] (HELO jimlester) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_00ab_322c_85cd_3cb7; Tue, 03 Sep 1996 15:23:57 -0400
Message-Id: <1.5.4.32.19960903202448.006dee78@isbu-mail.ljo.dec.com>
X-Sender: jim.lester@isbu-mail.ljo.dec.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 03 Sep 1996 15:24:48 -0500
To: Peter Schumacher , "'Firewalls@GreatCircle.COM'"
From: Jim Lester
Subject: RE: Subject: C2 certified OS that can run a firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Digital also offers their firewall on NT and BSDI. The Unix and NT versions
are certified by NCSA. Digital also offers a tunnel server which is firewall
independent and provides remote access from static or dynamic ip addresses
with 128bit encryption. For more information visit Digital's homepage at
http://altavista.software.digital.com. Or email me directly. I work for
Digital.

At 05:43 PM 9/3/96 +0200, Peter Schumacher wrote:
>
> Digital UNIX is a C2 certified OS. The Alta Vista Firewall Software runs on
> it.
>
> For more information check out the Alta Vista Firewall
> at www.networks.digital.com
>
> >Peter.Schumacher@netpartner.ch
>

From firewalls-owner Tue Sep 3 13:44:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25067 for firewalls-outgoing; Tue, 3 Sep 1996 11:43:09 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA25008 for ; Tue, 3 Sep 1996 11:42:48 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA19454; Tue, 3 Sep 1996 13:42:23 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma017592; Fri Aug 30 09:25:43 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA20698; Fri, 30 Aug 1996 09:25:43 -0500
Received: by sonic.nmti.com; id AA01067; Fri, 30 Aug 1996 09:25:42 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608301425.AA01067@sonic.nmti.com.nmti.com>
Subject: Re: Blocking non-http (executable) content
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Fri, 30 Aug 1996 09:25:42 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM, DCOM@Listserv.msn.com
In-Reply-To: from "Russ" at Aug 30, 96 09:26:32 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> If, for example, every standard HTTP proxy recognized images, which
> typically have some sort of header text, and ASCII text, then the proxy
> could prevent any code blocks that contain anything else. This would
> eliminate the need to constantly modify the proxy for new innovations.

Tunnel 1:

begin 664 packet
MKJhJKHsjkHJKAShjkHJKDFHKJDWHFJKWHDJKFHJKFDLWJDHJKWHJKCHJK
MjhewfgdkjfhjkhKJHWJQKhJKH JKhJK HWQJKHKJhDJKH DJKWHJKDjhj
'kljdshsjk
end

Tunnel 2:

lorum ipsem dolor sic amet.
gang five sleep dupe new diet green lemming infinity truth sex gnoll trust
1984 meddle plug sing.

Basically, if we can't come up with a platform to let them easily punch
through firewalls with our approval, they'll do it without.

SOCKS used to be thought of as a security problem. By comparison with this it
might be our last best hope.

From firewalls-owner Tue Sep 3 13:47:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25283 for firewalls-outgoing; Tue, 3 Sep 1996 11:44:48 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA25207 for ; Tue, 3 Sep 1996 11:44:20 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA19583; Tue, 3 Sep 1996 13:43:40 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma018878; Fri Aug 30 11:39:22 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA25689; Fri, 30 Aug 1996 11:39:22 -0500
Received: by sonic.nmti.com; id AA22076; Fri, 30 Aug 1996 11:39:21 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608301639.AA22076@sonic.nmti.com.nmti.com>
Subject: Re: Blocking non-http (executable) content
To: markry@microsoft.com (Mark Ryland)
Date: Fri, 30 Aug 1996 11:39:20 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM, DCOM@Listserv.msn.com, Russ.Cooper@RC.Toronto.on.ca
In-Reply-To: from "Mark Ryland" at Aug 30, 96 07:32:58 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Running DCOM over HTTP adds absolutely zero new security risks -- an
> RPC system running over an RPC system is not less secure than just an
> RPC system alone.
The type of transport mechanism used to ship information over a link (though
if you extend things far enough, you can describe IP as an RPC mechanism if
that's the sort of argument you want to make) is irrelevant to the security
implications of the link. It's the boxes at the ends of the link that are the
problem.

With HTTP, the boxes don't trust each other. This means that both clients and
servers limit what the information (commands, programs, scripts, what have
you) can do. And even then there's holes.

> Fundamental fact is that port-base firewalls are of limited utility for
> creating a truly secure environment.

That's true. You want application specific gateways. But if you can't do that
then you want to be able to restrict access by host and port. It's not
perfect, but it's better than nothing.

Also, it's a situation where things are by default closed, and the admin has
to take a definite step to open them up. With HTTP things are open by default.
It's not perfect, but it's better than nothing.

> Port-based firewalls prevent some bad behavior by UNSOPHISTICATED users
> and hackers. Like car door locks, they're very worthwhile for that
> reason. But a pro can get through your port firewall as fast as a
> pro can get into your car with a slim-jim.

Are you really characterising Microsoft as "a pro with a slim-jim"? While
there are many people who would be in agreement, I think that's probably a
little extreme.

Shouldn't a company in Microsoft's position be providing a *good* example?
How about a DCOM application proxy, available in source, that can be slipped
into existing firewalls with a minimum of bother.

Oh, and while we're on the subject of Microsoft and security and HTTP, how
about the source to the Front Page CGIs or at least a format spec... a lot of
people are justifiably concerned about this chunk of untestable binary code
Microsoft wants us to drop into cgi-bin...
From firewalls-owner Tue Sep 3 13:50:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA28700 for firewalls-outgoing; Tue, 3 Sep 1996 12:12:47 -0700 (PDT)
Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA28630 for ; Tue, 3 Sep 1996 12:12:03 -0700 (PDT)
Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BB99A9.9E6F5600@mail.rc.toronto.on.ca>; Tue, 3 Sep 1996 15:07:26 -0400
Message-ID:
From: Russ
To: "'Bernhard_Schneck@GeNUA.DE'" , "'peter@baileynm.com'"
Cc: "'toranix@ultranet.com'" , "'jsong@amer.net'" , "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewalls-Digest V5 #484
Date: Tue, 3 Sep 1996 15:07:24 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peter said...

>To put it another way: systems that trust each other are effectively
>the same system.
>
>If any system is in the same trust boundary as your webserver, then if
>the webserver is compromised so is it.

Could we just take a step back a sec here and think about what we're
saying???

Just because you hack my webserver does not translate into access to my SQL
server for anything other than the defined access that the webserver had,
which could quite easily be read-only. Even if the webserver had write access
to the SQL server, this does not translate to the SQL server being
compromised in the sense that you could then magically send it instructions
to do something on the internal network.

Please don't take this the wrong way, but far too many people assume far too
much when they start talking like "and if I can hack your machine, I can do
anything I want".
No, Peter, I'm not saying you said that, but the idea is there in yours, and
others' statements.

So we've all heard that a Trojan could be placed into an NT registry (a poorly
secured one), and that a file could be transferred to a machine through an
FTP server that allows inbound writes (again, a poorly secured one), so this
means we have some program installed on the NT box awaiting the next boot.
This program will then do what, exactly? What is the exploit that you are
using to discover whether or not that NT box can access the internal box with
any kind of rights that would allow it to place a copy of itself (or some
other files you've previously left on the external NT box) on the internal
box? If it's not external, it probably won't be running FTP, right? So you
are now using a share, assuming you have access to it (i.e. C$). Oh, but
then, you are exploiting the poorly configured NT registry on the internal
box again, once again, with the assumption that you somehow have access to
it?

Remember, if the systems are properly configured, the external NT box can
only access the Internal box for SQL, so how do you execute a program on the
webserver that does anything to the internal box? The external box would be
part of its own domain, untrusted from the internal domain, so accounts that
exist on the webserver would not be valid within the internal domain. Since
the external box doesn't have a copy of the SAM, how are you accessing the
internal registry? See, in NT, unless you are putting things into the
registry, you can't remotely log on to it, you can't get a command prompt.
AND IT'S EASY TO SECURE THE REGISTRY, just remove Everybody Read access from
the HKEY_LOCAL_SYSTEM hive, voilà, a secure registry that cannot be connected
to by anyone other than Administrators Group (and your entire environment
will be very happy, unless you are running some form of multi-user NT
extension).
I often think that far too many people assume far too much about NT security,
which ends up with them assuming that exploits which have never been reported
become easily done, if you just knew how...

I said it before, and I'll say it again, NetBEUI can be used to create
protocol isolation which does not require encryption to connect an external
Internet NT box to an internal NT box that is also connected to an internal
network. This connection does by-pass a firewall, but it is a tool that a
Firewall administrator can use to effect a solution that has been thought out
and planned, which will also avoid some of the problems associated with
creating such a connection through a Firewall. Until such time as there is a
proper NT proxy for Firewalls, this is the method I believe has the highest
level of assurance. If you don't think so, then please be specific about the
exploits that could be used against such a connection. Making assumptions
about what you could do if you only had a program to do it skirts the issues
and obscures the security that NT provides. Anyone can speculate to no end
about what an unknown, undefined program could do to such a connection,
without ever having to face the realities of the environment. I fail to see
how this helps anyone, or proves anyone's point.
Cheers,
Russ

From firewalls-owner Tue Sep 3 13:55:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25999 for firewalls-outgoing; Tue, 3 Sep 1996 11:50:11 -0700 (PDT)
Received: from keeper.tribune.com (keeper.tribune.com [163.192.21.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA25817 for ; Tue, 3 Sep 1996 11:49:13 -0700 (PDT)
From: Help_desk@tribune.com
Received: by keeper.tribune.com; id NAA18109; Tue, 3 Sep 1996 13:45:40 -0500
Received: from tco-link2.tis-in.trb(163.192.23.15) by keeper.tribune.com via smap (V3.1) id xma018101; Tue, 3 Sep 96 13:45:37 -0500
Received: from ccMail by smtpout.tribune.com (IMA Internet Exchange 1.04b) id 22c7d700; Tue, 3 Sep 96 13:48:16 -0500
Mime-Version: 1.0
Date: Tue, 3 Sep 1996 13:42:51 -0500
Message-ID: <22c7d700@tribune.com>
Subject: Re: Re: Firewalls-Digest #484
To: Firewall mailing list
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How about hearing from some more of you on this one? Here are some things
that I have been thinking about.... (more below)

¦Date: Thu, 29 Aug 1996 14:46:20 +0200
¦From: Bernhard Schneck
¦Subject: Re: Firewalls-Digest V5 #484
¦
¦ > One extra note: Connecting the Web server directly to your database
¦ > would be a breach of security, you would in effect be providing any
¦ > hacker a direct line into your internal network, bypassing any
¦ > firewall/router security.
¦
¦That's what I was thinking about (mostly).
¦
¦When you allow access to internal data from external sources, you
¦*should* assume that any access can be with hostile intent.
¦
¦In Jenjen's case (users access an external web server, which queries
¦the internal database and returns query results in HTMLized form),
¦this would mean that she/he has to assume that web server security
¦has been breached and the web server is under full control of the
¦attackers.
¦
¦Two things may happen:
¦- the attackers gain access to data in the database
¦- the attackers send wrong responses to users querying the service
¦
¦Only mutual authentication between user and database will solve the
¦second problem, so let's stick to the first for now.
¦
¦Encrypting the data stream between web server and database will not
¦help in this case, as some sort of keys will have to reside on the
¦web server (which was taken over by The Bad Guys).
¦
¦Using challenge/response between server and database won't help
¦either ... again, The Bad Guys are already on the web server and can
¦fake those, too.
¦
¦A private network connection (using any type of protocol) between
¦server and database won't help, unless the server has no way to speak
¦that protocol (but then, how would it send legitimate queries to the
¦database? :-)
¦
¦What will help (at least somewhat) is
¦
¦- do not allow the web server to run any SQL statement against the
¦  database (The Bad Guys might plug in their own select statements)
¦  but use a restricted, well defined proxy protocol to a separate
¦  internal service with tight security, which will then access the
¦  database.
¦  --> Anyone will be able to access the data, but only in a (more or
¦  less) controlled fashion.

I tend to agree on not allowing SQL to be executed on the Webserver. Unless
your applications are very simple, you are writing an API or a protocol for
each application. This is job security, but may not be scaleable. The other
thing I hate about this is that it starts looking like "security through
obscurity" again.
Anyone else have a "path" worth strolling down?

Something else I ran across the other day:

Vendor A has developed a search/retrieval/server product. If I have content
that I think users will pay for, I install the server product behind a FW to
protect that investment in the content. Now we haven't talked about how to
interface to the payment switch yet....

I install Vendor A's CGI on my W3 server outside the FW and install a plug-gw
on a high numbered port to only accept incoming connects from my W3 server
bound for Vendor A's server. I find out that Vendor A's CGI is only an IP
gateway from the client to Vendor A's server (there is nothing to the CGI:
open socket, connect, print STDIN to STDOUT). This tells me that the
API/protocol must be in the HTML form; this application is probably very
simple.

How secure is a CGI like this? (Vulnerability: W3 server security)

What I like about this is that there is no information (other than the
connecting address and the embedded API/values in the HTML form) on the W3
server about the back-end service. It appears to be vulnerable to denial of
service attacks (anyone can POST to this CGI and the W3 server will contact
Vendor A's server thru the FW, consuming resources on the W3, FW and Vendor
A's box). Your thoughts?

If I use a Secure/Commerce W3 server, will SSL or SHTTP be foiled by Vendor
A's CGI approach, but doesn't this mean that Vendor A's server would have to
support SSL and SHTTP also? If it does support one or both, their application
starts to look a lot like a modified secure W3 server, doesn't it?

Now continuing on with this discussion: If the W3 server is taken over, it
can talk to only one port on the FW bound for Vendor A's server. We are left
with placing trust in Vendor A's application team for our network security.
If this application is secure, why is it behind the FW?
They seem to be following the guidelines set forth by the NCSA Web Site
Certification criteria.

¦
¦- challenge/response between the end user and the database on every
¦  transaction (`authenticated' state should not be kept)
¦  --> The Bad Guys can wait for such an access and sniff the data or
¦  can replace the web server and send their own queries using the
¦  intercepted user's authentication.
¦
¦- authenticated+encrypted links (eg. IPSEC AH/ESP) between end user
¦  and database *not* going through the web server (remember, it has
¦  been taken over! If it decrypts somehow, The Bad Guys are in)
¦  --> The Bad Guys will need to either break the encryption or the
¦  key exchange mechanism (which is supposed to be hard)
¦
¦Unless you use a non subvertible channel between enduser and database,
¦you're prone to snooping, if not worse!
¦
¦Again: Encryption between web server and database may not be enough.
¦
¦\Bernhard.
¦

From firewalls-owner Tue Sep 3 13:59:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA23805 for firewalls-outgoing; Tue, 3 Sep 1996 11:35:03 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA23751 for ; Tue, 3 Sep 1996 11:34:44 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA18340; Tue, 3 Sep 1996 13:34:08 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma009612; Thu Aug 29 08:45:51 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA03315; Thu, 29 Aug 1996 08:45:50 -0500
Received: by sonic.nmti.com; id AA01577; Thu, 29 Aug 1996 08:45:49 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608291345.AA01577@sonic.nmti.com.nmti.com>
Subject: Re: Firewalls-Digest V5 #484
To: Bernhard_Schneck@GeNUA.DE (Bernhard Schneck)
Date: Thu, 29 Aug 1996 08:45:49 -0500 (CDT)
Cc: toranix@ultranet.com, jsong@amer.net, Russ.Cooper@rc.toronto.on.ca, Firewalls@GreatCircle.COM
In-Reply-To: <199608291246.OAA22790@auryn.genua.de> from "Bernhard Schneck" at Aug 29, 96 02:46:20 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Again: Encryption between web server and database may not be enough.

To put it another way: systems that trust each other are effectively the
same system.

If any system is in the same trust boundary as your webserver, then if the
webserver is compromised so is it.

From firewalls-owner Tue Sep 3 14:32:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA04998 for firewalls-outgoing; Tue, 3 Sep 1996 13:05:25 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA04907 for ; Tue, 3 Sep 1996 13:05:03 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA01172; Tue, 3 Sep 1996 13:04:11 -0700
Received: from smokey.arnold.af.mil(132.45.120.11) by mycroft via smap (V1.3mjr) id sma001170; Tue Sep 3 13:04:02 1996
Received: from zone.aedc (zone.arnold.af.mil [134.137.226.32]) by hap.arnold.af.mil (8.6.10/8.6.9) with ESMTP id PAA04225 for <@hap.aedc:firewalls@GreatCircle.COM>; Tue, 3 Sep 1996 15:05:53 -0500
Received: by zone.aedc (940816.SGI.8.6.9/930416.SGI) for firewalls@GreatCircle.COM id PAA27420; Tue, 3 Sep 1996 15:02:08 -0500
From: "Sean Fuller"
Message-Id: <9609031502.ZM27418@zone.aedc>
Date: Tue, 3 Sep 1996 15:02:07 -0500
In-Reply-To: "TN3270 and TN5250 through a firewall using OS/2 Clients" (Aug 30, 11:43am)
References: <841423389FriCDT.firewalls-owner@GreatCircle.COM>
X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail)
To: firewalls@GreatCircle.COM
Subject: Re: TN3270 and TN5250 through a firewall using
  OS/2 Clients
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Why would a proxy written for Port 23 not be able to accommodate all forms of
> telnet?

I can tell you why my proxy does not currently support tn3270. It is because
I do not send a 3270 data stream for the initial login. Instead, I use line
mode. Emulating a 3270 data stream is a lot harder. I plan on supporting it
soon because it was requested by our users, one of which is my wife who is a
DBA on the mainframe here. If I did not have to converse with the client
before allowing them through the firewall, it would be easy to write a proxy
to allow passthrough. :)

Actually, I'm a Unix guy now and, of course, I deny 3270 because :) :) it is
an IBM Mainframe protocol and non-Unix things suck. :)

From firewalls-owner Tue Sep 3 14:43:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15881 for firewalls-outgoing; Tue, 3 Sep 1996 14:32:10 -0700 (PDT)
Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA15846 for ; Tue, 3 Sep 1996 14:31:54 -0700 (PDT)
Received: (from girsch@localhost) by mail.marben.com (SMI-8.6/SMI-SVR4/MPI-AG) id OAA06149; Tue, 3 Sep 1996 14:31:08 -0700
From: girsch@marben.com (Arnaud Girsch)
Message-Id: <199609032131.OAA06149@mail.marben.com>
Subject: Re: NT port activity list
To: peter@baileynm.com (Peter da Silva)
Date: Tue, 3 Sep 1996 14:31:06 -0700 (PDT)
Cc: bill.stout@hidata.com, Firewalls@GreatCircle.COM
In-Reply-To: <9608311616.AA16580@sonic.nmti.com.nmti.com> from "Peter da Silva" at Aug 31, 96 11:16:34 am
X-Organization: Marben Products, Inc.
> I just sniffed NTWS4.0 beta and got:
>
> TCP services on fubar [198.178.0.183]:
> echo 7/tcp
> discard 9/tcp
> daytime 13/tcp
> chargen 19/tcp
> ftp 21/tcp (note, this is only open if you enable
> ftp access during setup)
>
> The netbios services didn't show up under a scan.

hum ... I was wondering why a 'netstat -a' ala Unix doesn't show all ports in listen state, as one would expect.

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Tue Sep 3 14:59:14 1996
Date: Tue, 3 Sep 1996 16:20:10 -0500 (CDT)
From: Ron DuFresne
To: Peter da Silva
cc: endrizzi@master.the-link.com, firewalls@GreatCircle.COM
Subject: Re: Win NT PPTP vs. VPN
In-Reply-To: <9608291320.AA01232@sonic.nmti.com.nmti.com>

On Thu, 29 Aug 1996, Peter da Silva wrote:

> > 1)MS is 90% of the desktop market and after NT squishes Novell, MS will
> > also be 90% of the NOS market.
>
> Given the way companies are backing out of NT and going back to Nightmare
> for enterprise networking...?
>

Peter,

Is that the way you're seeing things out where ya'll is now? I've seen just the opposite. Folks rolling up the netware servers and moving NT out on the networks...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Sep 3 15:14:18 1996
Message-Id: <2.2.32.19960903214011.006cddd0@osc.hidata.com>
Date: Tue, 03 Sep 1996 14:40:11 -0700
To: girsch@marben.com (Arnaud Girsch), peter@baileynm.com (Peter da Silva)
From: Bill Stout
Subject: Re: NT port activity list
Cc: Firewalls@GreatCircle.COM

>> I just sniffed NTWS4.0 beta and got:
>>
>> TCP services on fubar [198.178.0.183]:
>> echo 7/tcp
>> discard 9/tcp
>> daytime 13/tcp
>> chargen 19/tcp
>> ftp 21/tcp (note, this is only open if you enable
>> ftp access during setup)
>>
>> The netbios services didn't show up under a scan.
>
>hum ... I was wondering why a 'netstat -a' ala Unix doesn't show all ports
>in listen state, as one would expect.

Type 'netstat /?' at the command prompt, under the -a variable it states that 'server side connections are normally not shown'. :(

Sounds like something to hack at, or throw a huge Satan scan at.

Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Tue Sep 3 15:28:39 1996
Message-ID: <01BB99B9.A657EC00@jon.cypher-sage.com>
From: Jon Tegethoff
To: "'firewalls@GreatCircle.COM'" , "'Frank Willoughby'"
Subject: RE: S/key & secureid
Date: Tue, 3 Sep 1996 17:02:10 -0500

Frank Willoughby said:

>Hopefully, the SecurID connection is being used to authenticate internal
>users before they go to the Internet and not for incoming connections.
>
>Using SecurID (or Digital Pathways, S/Key, etc) is *lethal* if you are
>planning on using it to authenticate users from the Internet who wish
>to access a system on your internal network which is protected by the
>firewall. The reason is that the user may have his/her session hijacked
>by an attacker.
>Please note that this is *NOT* a security problem with Gauntlet or any
>other firewall. The problem is relying on authentication-only mechanisms
>for protection. Implementing User->Firewall encryption will help to solve
>this problem.
>
>Again, I strongly advise against using SecurID (or any other authentication-
>only solution) for incoming Internet connections to an internal system.

Since there is a significant reason in many cases to have remote users communicating through a firewall, what do you currently consider the best method with today's technology. My preference is a combination of two factor authentication (like SecurID or one of the challenge/response cards) used together with an encryption tunnel (like Raptor Eagle's).
Jon Tegethoff

From firewalls-owner Tue Sep 3 16:50:28 1996
From: Ben@explorateur.quaternet.fr
Date: Wed, 4 Sep 1996 01:17:52 +0100
Message-Id: <199609040017.BAA10037@explorateur.quaternet.fr>
Apparently-To: Firewalls@GreatCircle.COM

subscribe me

From firewalls-owner Tue Sep 3 17:13:44 1996
Date: Tue, 3 Sep 1996 17:01:13 -0700 (PDT)
From: Robert Hanson
To: Rick Smith
cc: firewalls@GreatCircle.COM
Subject: Re: C2 certified OS that can run a firewall
In-Reply-To: <199609031759.MAA13978@shade.sctc.com>

what is intended for "strong" protection then? tia...

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications www.cet.com (509) 927-9541
finger: info@cet.com or email: roberth@cet.com

On Tue, 3 Sep 1996, Rick Smith wrote:

> If you need strong protection (otherwise, why care about NCSC
> evaluations) then you should take a look at the C2 specification and
> realize that it's not intended for strong protection.
>
> Rick.
> smith@sctc.com secure computing corporation
>

From firewalls-owner Tue Sep 3 17:28:43 1996
Date: Wed, 4 Sep 1996 11:38:40 -0600 (MDT)
From: Peiter Z
Message-Id: <199609041738.LAA01415@silence.secnet.com>
To: firewalls@greatcircle.com
Subject: SecurID White Paper

SecurID Vulnerabilities White-Paper

Due to increased recent interest that has been witnessed on the net about the SecurID token cards and potential vulnerabilities with their use, we offer a white paper on some of the vulnerabilities that we believe have been witnessed and/or speculated upon.

This paper is being put forth into the public domain by Secure Networks Incorporated and is available at the following URL :

ftp://ftp.secnet.com/pub/papers/securid.ps

Topics dealt with in the paper include:

. Race attacks based upon fixed length responses (still valid even with
  the current patch)
. Denial of Service attacks based upon server patches
. Server - Slave separation and replay attacks
. Vulnerabilities in the communications with the ACE Server
. A quick analysis of the communications with the ACE Server
. Problems with out-of-band authentication

We hope this paper provides insight, enlightenment, and is helpful to the security community in general.

thanks and enjoy,

Secure Networks Inc.

From firewalls-owner Tue Sep 3 18:19:22 1996
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: SecurID White Paper
To: peiterz@secnet.com (Peiter Z)
Date: Wed, 4 Sep 1996 02:58:33 +0200 (MET DST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199609041738.LAA01415@silence.secnet.com> from "Peiter Z" at Sep 4, 96 11:38:40 am

Hi,

> Topics dealt with in the paper include:
> . Race attacks based upon fixed length responses (still valid even with
>   the current patch)
> . Denial of Service attacks based upon server patches
> . Server - Slave separation and replay attacks
> . Vulnerabilities in the communications with the ACE Server
> . A quick analysis of the communications with the ACE Server
> . Problems with out-of-band authentication

What about the Relationship between the Serial Number of a Card (or any other information printed on it) and the Seed of the PNG? How does an Admin announce new Cards to the Ace Server?
Is this a "keep it secret" thing, or is it cryptographically secure?

Greetings
Bernd

From firewalls-owner Tue Sep 3 19:17:26 1996
From: potlicker@morebbs.com
Message-ID: <9609032201.0UXLH00@morebbs.com>
Organization: MORE BBS
Date: Tue, 03 Sep 96 22:01:09
Subject: No toolz at cdm
To: firewalls@greatcircle.com

Several folks asked for copies of cDm toolz to assist them in their research. Unfortunately we ain't got no toolz any more. During the past year the cDm has fallen on hard times.

First the Dawg of which we are forbidden to speak got involved in some national security stuff. The Naughty Schoolgirls Association (mainly Catholics) had this real slinky Chinese Filipina chick called Belle get the Dawg to set up a multi-media pentium. I told the Dawg "Forget the short skirt and tight white panties. Her godamn eyebrows and those full red lips are tattooed on." Stupid Dawg wouldn't listen. While he was helping her set up the pentium and running his yap, the bug detector that Father Frank had given him started vibrating in his pocket. The Dawg excused himself to take a piss and disappeared. We haven't seen him since. He logged in remotely and deleted most of our philes. All I was able to recover were a couple of packet sniffers in a hidden directory he forgot about. What a prideful bastard. Hard to believe he founded the church.

Then Father Frank was forced to serve penance for his research into the radio system used to control the subway system.
Finally EyeVynd de Reindeer left us for a real job. EyeVynd is alternately warm and snotty. Takes great pride in writing his own tools and is very reluctant to share them with anyone else. He is also very cagey about giving away copies of anything he pilfered.

I would truly like to help others who are engaged in purely educational research but we just don't have anything left.

PoT_LiCkEr

From firewalls-owner Tue Sep 3 20:16:24 1996
From: Adam Shostack
Message-Id: <199609040405.XAA04413@homeport.org>
Subject: Re: SecurID White Paper
To: lists@lina.inka.de (Bernd Eckenfels)
Date: Tue, 3 Sep 1996 23:05:05 -0500 (EST)
Cc: peiterz@secnet.com, firewalls@GreatCircle.COM
In-Reply-To: from "Bernd Eckenfels" at Sep 4, 96 02:58:33 am

Bernd Eckenfels wrote:

| > Topics dealt with in the paper include:
| > . Race attacks based upon fixed length responses (still valid even with
| >   the current patch)
| > . Denial of Service attacks based upon server patches
| > . Server - Slave separation and replay attacks
| > . Vulnerabilities in the communications with the ACE Server
| > . A quick analysis of the communications with the ACE Server
| > . Problems with out-of-band authentication
|
| What about the Relationship between the Serial Number of a Card (or any
| other information printed on it) and the Seed of the PNG? How does an Admin

There is none. There are real problems, as Peiter points out. This is not one of them.
| announce new Cards to the Ace Server? Is this a "keep it secret" thing, or
| is it cryptographically secure?

The card records (which include data on the seed) are DES encrypted, and only sent to the site contact at the appropriate address. I've suggested PGP to them.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Wed Sep 4 04:32:31 1996
From: kesavan.p.nair@bangate1.tek.com
Date: Tue, 3 Sep 96 15:39:52 IST
To: ,
Subject: Queries on HTTP server and firewalls

Hi,

Please go through the attachment enclosed and answer my queries

Regards
Kesavan P Nair

We are developing some Internet based secured application which should work across firewalls in a secured manner. I need some information on firewalls and general structure of how HTTP server sits in terms of firewall.
In the following diagrams I have shown 2 firewall scenarios which I believe is the most common. I have put down my earlier queries here once again. Please forward your comments

CASE A
                      +----------+                +-----+
                      |          |                |SMTP |          +----+
 -----SMTP request--->|Firewall  |--------------->|Relay|-----|    |    |
                      |Gateway   |                |Host |     |--->|    |
                      |          |                +-----+          | A  |
                      |          |                +-----+     |--->|    |
 -----HTTP request--->|          |--------------->|HTTP |-----|    |    |
                      +----------+                |Host |          +----+
                                                  | to  |
                                                  |world|
                                                  +-----+

CASE B
                      +----------+                +-----+
                      |          |                |SMTP |          +----+
 -----SMTP request--->|Firewall  |--------------->|Relay|-----|    |    |
                      |Gateway   |                |Host |     |--->|    |
             +-----+  |          |                +-----+          | A  |
             |HTTP |  |          |                            |--->|    |
 --HTTP req->|Host |->|          |----------------------------|    |    |
             |to   |  +----------+                                 +----+
             |World|
             +-----+

Case A: Http host to the world is inside, the firewall makes sure that HTTP requests from outside are acceptable only to "HTTP Host to World"

Case B: Http host is outside the firewall. But the "HTTP Host to world" can access the resources of A which is inside the firewall.

In both the cases the SMTP request to host A will be fulfilled (by store and forward). In case of the HTTP request, I have shown the HTTP request being forwarded to A, please interpret this as a request for resources from A by HTTP host to answer the external HTTP HOST's request. I am sure that enough verification + authentication can be done by this HTTP host before fulfilling the external HTTP request (whenever there is a need for resources from inside the network).

My query is that how many of you out there have seen one of these setups where the HTTP request from outside could be fulfilled with accessing A's resources and what are your comments on the feasibility of these setups

Please forward your comments to kesavan.p.nair@tek.com

My address
Kesavan P Nair
Tektronix(India)Ltd
Tek Towers
Hayes Road
Bangalore - 25
India.
Tel +91 80 227 5577
Fax +91 80 227 5588

From firewalls-owner Wed Sep 4 05:29:36 1996
Organization: MicroLink OnLine
Date: Wed, 4 Sep 1996 15:26:07 +0300 (EET DST)
From: Jüri Kaljundi
To: Firewalls@GreatCircle.COM
Subject: RE: S/key & secureid
In-Reply-To: <199609040800.BAA07209@miles.greatcircle.com>

From: Jon Tegethoff
>
> >Again, I strongly advise against using SecurID (or any other authentication-
> >only solution) for incoming Internet connections to an internal system.
>
> Since there is a significant reason in many cases to have remote users
> communicating through a firewall, what do you currently consider the best
> method with today's technology. My preference is a combination of two factor
> authentication (like SecurID or one of the challenge/response cards) used
> together with an encryption tunnel like Raptor Eagle's).

SSH and F-Secure products are quite good for secure login. SSH forms a secure tunnel between the remote user and unix host, and SSH does support SecurID tokens for authentication. It does mean you probably should allow incoming SSH connections (tcp port 22) and run SSH daemon on the unix machine.
The best part is that SSH does not use some weak breakable US-export encryption, but strong IDEA or 3DES.

Have a look at http://www.ssh.fi/ or http://www.datafellows.com/f-secure/

Jüri Kaljundi
AS Stallion
jk@stallion.ee

From firewalls-owner Wed Sep 4 07:29:05 1996
Date: Wed, 4 Sep 1996 09:22:06 -0500
From: mcnabb@argus.cu-online.com (Paul McNabb)
Message-Id: <199609041422.JAA13446@argus.cu-online.com>
To: firewalls@GreatCircle.COM
Subject: RE: Subject: C2 certified OS that can run a firewall

> Is there any OS out there that are C2 (not A1 or B2 or anything else, just
> C2) certified that can run a firewall with the C2 "stamp" applied?

Argus has a certified C2 version of Solaris for both x86 and SPARC.

paul

------------------------------------------------------------
Paul McNabb                       mcnabb@argus.cu-online.com
Argus Systems Group, Inc.
TEL 217-384-6300                  1405A East Florida Avenue
FAX 217-384-6404                  Urbana, IL 61801 USA
------------------------------------------------------------

From firewalls-owner Wed Sep 4 07:43:46 1996
Date: Wed, 4 Sep 1996 09:36:14 -0500
From: mcnabb@argus.cu-online.com (Paul McNabb)
Message-Id: <199609041436.JAA13457@argus.cu-online.com>
To: firewalls@GreatCircle.com
Subject: Re: C2 certified OS that can run a firewall

> Date: Tue, 3 Sep 1996 17:01:13 -0700 (PDT)
> From: Robert Hanson
>
> what is intended for "strong" protection then? tia...

About 5 years ago I wrote a short paper entitled "The Myths of C2" which discussed the misconception about what C2 really is. I'll dig it up and post it if anyone wants it.

The bottom line is that C2 is designed for one of these two environments:

1) a hardened, restricted environment where everyone on the system or connected to the system is authorized to see all information on the system, such as at a military site, or

2) the system and its information is sufficiently unimportant so that the users are trusted to decide who gets access to what.

Of course C2 security is better than no security, but C2 was never "designed for commercial use" as is sometimes written in articles and email.
If you are in an environment where the system administrators want to *enforce* security on the users, B1 and higher security features are needed. But remember, none of the TCSEC ("Orange Book") security levels were designed for anything other than military/government use. It just happens that a lot of the security they specify is general-purpose and works well in all kinds of environments.

paul

------------------------------------------------------------
Paul McNabb                       mcnabb@argus.cu-online.com
Argus Systems Group, Inc.
TEL 217-384-6300                  1405A East Florida Avenue
FAX 217-384-6404                  Urbana, IL 61801 USA
------------------------------------------------------------

From firewalls-owner Wed Sep 4 07:58:58 1996
Date: Wed, 4 Sep 1996 10:41:49 -0400
From: sj@bear.com (Shahryar Jahangir)
Message-Id: <199609041441.KAA06430@neptune.bsnet>
To: manderse@mordor@syseng.fbc.com
Subject: Re: Firewalls-Digest: Re: Firewall-1 Logs
Cc: firewalls-digest@GreatCircle.COM

Hi Mike,

I don't have a PC connection as you mentioned. However, my logs are backed-up to various media. If I ever needed to check the integrity of my logs, I can compare them to any/all of my saved copies.

sj

->From manderse@mordor@syseng.fbc.com Wed Sep 4 10:35:46 1996
:->From: "Mike Andersen"
:->Date: Wed, 4 Sep 1996 09:38:04 -0400
:->To: sj@bear.com
:->Subject: Firewalls-Digest: Re: Firewall-1 Logs
:->
:->Hi Shahryar -
:->
:->I see from your response to Jim that you keep a month of logs for your
:->firewall.
:->Though you don't mention it I assume that you also safe store the logs (say on
:->a PC connected via a serial line) so that when you get compromised you have a
:->clean log to go against?
:->
:->Mike (CS Firstboston 212-322-1743)

...........................................
Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tele: 212 272 7764
Fax : 212 499 6977
...........................................
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From firewalls-owner Wed Sep 4 09:18:56 1996
Message-Id: <9609041607.AA01481@notesgw2.sybase.com>
To: "Wojno Jim"
Cc: "'firewalls@greatcircle.com'"
From: Ryan Russell/SYBASE
Date: 4 Sep 96 9:06:36 EDT
Subject: Re: Firewall-1 Logs

I have a very similar setup. Running FW1 2.1, I'm getting up to 100MB of logs per day (logging accepts and drops)

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: jwojn @ telxon.com ("Wojno, Jim") @ smtp
Date: 09/03/96 11:44:02 AM
Subject: Firewall-1 Logs

To All:

We are in the process of determining how much disk space we will require for a Firewall-1 unit. We will be using a SPARC-20, and currently have about 400 to 500 active Internet users. We would like to keep at least one month worth of logging data on-line. Approximately how much disk space would you recommend we have available to accommodate this. Any input on this would be appreciated.
If this topic has already been discussed, please feel free to contact me directly off-list.

Jim Wojno
Systems Administrator
Telxon Corporation
jwojn@telxon.com

From firewalls-owner Wed Sep 4 10:28:54 1996
Date: Wed, 4 Sep 96 13:13:43 -0400
Message-Id: <9609041713.AA27435@uc0009.wangfed.com>
From: "Wang Federal SSSO"
Reply-To: "Wang Federal SSSO"
To: firewalls@GreatCircle.COM
Subject: Re: C2 certified OS that can run a firewall

In message <199609041436.JAA13457@argus.cu-online.com> Paul McNabb writes:

> But remember, none of the TCSEC ("Orange Book") security
> levels were designed for anything other than military/government use.
> It just happens that a lot of the security they specify is general-
> purpose and works well in all kinds of environments.

I guess that's what's meant by "technology transfer". But then, NASA didn't invent Velcro for commercial use either.

=====
K.M. GOERTZEL
Manager, Business Development
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
+1-703-827 3914
+1-703-827 3161 (fax)
goertzek@wangfed.com
http://www.wangfed.com/products/ssso/homepage.html

*** "The true artist has no pride, for he realizes art's demands are limitless, and though he may be admired or praised by others, he sees only darkly how far he is from his goal, when a greater inspiration shall shine before him like a distant sun." -- Ludwig van Beethoven

From firewalls-owner Wed Sep 4 10:43:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08394 for firewalls-outgoing; Wed, 4 Sep 1996 10:27:37 -0700 (PDT)
Received: from tuna.wang.com (TUNA.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA08385 for ; Wed, 4 Sep 1996 10:27:30 -0700 (PDT)
Received: from mars.wangfed.com (mars.Wangfed.COM [159.94.10.1]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id NAA06554 for ; Wed, 4 Sep 1996 13:27:17 -0400
Received: from uc0009.wangfed.com (uc0009 [159.94.10.15]) by mars.wangfed.com (8.7.5/3.8) with SMTP for delivery to "" id NAA28970; Wed, 4 Sep 1996 13:33:04 -0400 (EDT)
Received: from [159.94.14.48] by uc0009.wangfed.com (BULL 5.61++/B.O.S 02.01) id AA27491; Wed, 4 Sep 96 13:20:12 -0400
Date: Wed, 4 Sep 96 13:20:12 -0400
Message-Id: <9609041720.AA27491@uc0009.wangfed.com>
From: "Wang Federal SSSO"
Reply-To: "Wang Federal SSSO"
To: firewalls@GreatCircle.COM
Subject: Desperately Seeking CyberGuard and Norman Users
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd very much like to hear from anyone who has had hands-on experience with the CyberGuard or Norman firewall - either users or evaluators. Please e-mail me directly.

K.M. GOERTZEL |*| Manager, Business Development
Secure Systems and Services Operation |*| WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700 |*| McLean, VA 22102-4299 USA
+1-703-827 3914 |*| +1-703-827 3161 (fax) | goertzek@wangfed.com
http://www.wangfed.com/products/ssso/homepage.html

*** "The true artist has no pride, for he realizes art's demands are limitless, and though he may be admired or praised by others, he sees only darkly how far he is from his goal, when a greater inspiration shall shine before him like a distant sun." -- Ludwig van Beethoven

From firewalls-owner Wed Sep 4 11:43:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA14758 for firewalls-outgoing; Wed, 4 Sep 1996 11:41:16 -0700 (PDT)
Received: from iron.octet.com (iron.octet.com [204.141.97.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA14751 for ; Wed, 4 Sep 1996 11:41:08 -0700 (PDT)
Received: from dialup213.octet.com (dialup213.octet.com [204.141.97.213]) by iron.octet.com (8.7.5/8.7.3) with SMTP id OAA25666; Wed, 4 Sep 1996 14:39:37 -0400 (EDT)
Date: Wed, 4 Sep 1996 14:39:37 -0400 (EDT)
Message-Id: <199609041839.OAA25666@iron.octet.com>
X-Sender: runnerfx@octet.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: potlicker@morebbs.com, firewalls@GreatCircle.COM
From: runnerfx@octet.com (Wearen Life)
Subject: Re: No toolz at cdm
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Pot_licker, you do know you're eleet, right? =)

At 10:01 PM 9/3/96, potlicker@morebbs.com wrote:
>
> Several folks asked for copies of cDm toolz to assist them in their research.
> Unfortunately we ain't got no toolz any more. During the past year the cDm
> has fallen on hard times.
>
> First the Dawg of which we are forbidden to speak got involved in some
> national security stuff. The Naughty Schoolgirls Association (mainly
> Catholics) had this real slinky Chinese Filipina chick called Belle get
> the Dawg to set up a multi-media pentium.
> I told the Dawg "Forget the short
> skirt and tight white panties. Her goddamn eyebrows and those full red lips
> are tattooed on." Stupid Dawg wouldn't listen. While he was helping her
> set up the pentium and running his yap, the bug detector that Father Frank
> had given him started vibrating in his pocket. The Dawg excused himself to
> take a piss and disappeared. We haven't seen him since. He logged in
> remotely and deleted most of our philes. All I was able to recover were a
> couple of packet sniffers in a hidden directory he forgot about. What a
> prideful bastard. Hard to believe he founded the church.
>
> Then Father Frank was forced to serve penance for his research into the
> radio system used to control the subway system.
>
> Finally EyeVynd de Reindeer left us for a real job. EyeVynd is alternately
> warm and snotty. Takes great pride in writing his own tools and is very
> reluctant to share them with anyone else. He is also very cagey about
> giving away copies of anything he pilfered.
>
> I would truly like to help others who are engaged in purely educational
> research but we just don't have anything left.
>
> PoT_LiCkEr

From firewalls-owner Wed Sep 4 12:16:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA16749 for firewalls-outgoing; Wed, 4 Sep 1996 12:05:22 -0700 (PDT)
Received: from emh7.monroe.army.mil (emh7.monroe.army.mil [150.184.22.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA16704 for ; Wed, 4 Sep 1996 12:05:08 -0700 (PDT)
X-Nvlenv-01Date-Posted: 4-Sep-1996 15:02:00 -0400; at NGM.JWC
To: firewalls@greatcircle.com
Message-Id:
Subject: Dialin
From: HARRELLJ@emh7.monroe.army.mil (Harrell, Mr Jonathan)
Date: 04 Sep 96 15:03:26 EDT
In-Reply-To: <04742D3201E43A7C@-SMF->
References: <04742D3202E43A7C@-SMF->
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are currently integrating an application-based (proxy) firewall into our Novell/IPX and SUN/IP LAN.
Our current dialin capability is through a Cubix dialin server (ReachOut software) acting as a workstation on the LAN, and it only passes screen, keyboard, and cursor movement to our remote PC. We then attach to one of our Novell servers (by IPX---our IP id statically given to the workstation by lanworkgroups). The management would like to put our current dialin hardware outside of the firewall and use Fortezza cards {yes, DMS :-( } for authentication.

Problems I see:
1) Firewall can't see the remote authentication token without seeing the remote computer that is dialing in with the current hardware
2) Cubix computers now talk IPX (not IP).

So what is a standard architecture/configuration for dialin outside of firewalls using authentication? It has to be simple---what am I missing? All ISPs do it, don't they? Would it be better to put a SUN outside of the firewall for dialin, and then just FTP in to get files and/or forward email from the inside server? All opinions are helpful.

Here's what I'm thinking:

                    Dialin Server
                          |
router-------------Firewall----Internal LAN
                          |
                      WEB Server

Thanks..
V/R,
Jonathan Harrell

From firewalls-owner Wed Sep 4 12:45:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA18591 for firewalls-outgoing; Wed, 4 Sep 1996 12:31:13 -0700 (PDT)
Received: from rasputin (dreco.com [205.241.119.161]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA18563 for ; Wed, 4 Sep 1996 12:31:01 -0700 (PDT)
Received: from [205.241.113.9] by rasputin via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 23 May 1996 19:31:33 UT
Received: by srvex01u.dreco.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BB9A6D.1098E930@srvex01u.dreco.com>; Wed, 4 Sep 1996 14:26:30 -0500
Message-ID:
X-MS-TNEF-Correlator:
From: David Kimball
To: "'Firewalls@GreatCircle.COM'"
Cc: "'Bill Stout'"
Subject: RE: NT port activity list
Date: Wed, 4 Sep 1996 14:26:29 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BB9A6D.10A08A50"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know I go stupid from time to time. However, I was under the impression that all the ports open on a shrink-wrapped NT box was everything that is listed in the services phile in the /drivers/etc dir. No, nix that. Rather they are alternately open/not open depending on the actual services/software installed. Am I missing something here?

David Kimball                      wk 713.965.9122
Systems Administration             fx 713.341.9581
NT/Exchange/SMS/Blah/Blah/Blah
Dreco, Inc.
Tomorrow, tomorrow, tomorrow...creeps this petty pace. From now til' the end of time.....
----------
From: Bill Stout[SMTP:bill.stout@hidata.com]
Sent: Tuesday, September 03, 1996 11:42 AM
To: Firewalls@GreatCircle.COM
Subject: Re: NT port activity list

I started this thread out of interest in NT firewalls and webservers. Let me know if this is too unrelated and I will take this elsewhere.

Amazing what you learn by reading. Windows NT Resource Kit 3.51, Windows NT Networking - Part III 'TCP/IP'. I haven't completed a Satan scan against an NT system yet, but this is what I got so far. Also much of the system-level communication is still a mystery; logon process, etc (RPC?).

NT TCP/IP is divided into the following separate categories:
 · 'Core protocols' - TCP, IP, UDP, ARP, ICMP, PPP and SLIP.
 · API support - Windows Sockets v1.1, RPC, NetBIOS, and Network DDE.
 · Basic TCP/IP utilities - finger, ftp, lpr, rcp, rexec, rsh, telnet, and tftp.
 · Diagnostic tools - arp, hostname, ipconfig, lpq, nbtstat, netstat, ping, route, and tracert.
 · Services and Administration tools - FTP Server, WINS, DHCP, and TCP/IP Printing.
 · SNMP agent
 · Client software for 'Simple network protocols' - chargen, daytime, discard, echo, quotd.
 · Path MTU discovery - discovers datagram size for all routers between Windows NT computer and any system on a WAN.
   (RFC 1191)
 · IGMP - Internet Gateway Multicast Protocol

The following is a partial list of available IP network ports in NT:

Port  Name          Description                                              RFC
1     icmp          Internet Control Message Protocol                        792
2     igmp          Internet Group Management Protocol                       1112
7     echo          Ping                                                     862
9     discard       Discard (sink null)                                      863
13    daytime       Daytime                                                  867
15    netstat       Network Statistics
17    quotd         Quote of the Day (\winnt\system32\drivers\etc\quotes)    865
19    chargen       Character Generator                                      864
20    ftp-data      File Transfer Protocol (Data)                            959
21    ftp           File Transfer Protocol (Control)                         959
23    telnet        Telnet                                                   854
53    domain        Domain Name Service                                      1034,1035
69    tftp          Trivial File Transfer Protocol; used by Bootp, DHCP      783,1534,1541
79    finger        Finger                                                   1194
137   netbios_ns    NetBIOS Name Service; typically UDP; also used by
                    'nbtstat' Node Status Request                            1001,1002
138   netbios_dgm   NetBIOS Datagram Service                                 1001,1002
139   netbios_ssn   NetBIOS Session Service                                  1001,1002
161   snmp          SNMP Messages                                            1157
162   snmptrap      SNMP Traps                                               1157
530   courier       RPC
515   printer       LPD Spooler                                              1179

Other installed services:
775   sms_db
777   sms_update
1433  tds           Tabular Data Stream DB-library SQLserver

Please edit this list if you have more data (ISS, Raptor, MS?).
Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822
--- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Wed Sep 4 13:00:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA20050 for firewalls-outgoing; Wed, 4 Sep 1996 12:51:21 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu
[141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA19434 for ; Wed, 4 Sep 1996 12:50:35 -0700 (PDT)
Message-Id: <199609041950.MAA19434@miles.greatcircle.com>
Received: by hp01.vak12ed.edu (1.37.109.18/16.2) id AA084436250; Wed, 4 Sep 1996 15:44:10 -0400
From: "W.C. Epperson"
Subject: Re: Blocking non-http
To: firewalls@greatcircle.com
Date: Wed, 04 Sep 1996 15:44:10 EDT
Reply-To: epperson@vak12ed.edu
X-Mailer: Elm [revision: 109.18]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ is alleged to have said:

> HTTP is not a transport protocol, IP is, and your statement
> proves that you see HTTP as a transport protocol. HTTP doesn't have any
> mechanisms to deal with differentiating traffic types as IP does.

Well. Most of us were laboring under the misconception, induced by RFC1812, et al., that IP was a network protocol and tcp/udp were transport protocols....

--
W.C. Epperson                  "...above all, to have the meaning of a word
Senior SE                       clearly understood before using it...."
Information Security Officer                         --John Stuart Mill--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept.
of Education
epperson@pen.k12.va.us

From firewalls-owner Wed Sep 4 14:15:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27022 for firewalls-outgoing; Wed, 4 Sep 1996 14:06:42 -0700 (PDT)
Received: from rock.anchorage.net (rock.anchorage.net [204.17.241.163]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA26987 for ; Wed, 4 Sep 1996 14:06:15 -0700 (PDT)
Received: from jabpc.jabsoft.com (jabpc.jabsoft.com [199.237.0.200]) by rock.anchorage.net (8.6.12/8.6.9) with SMTP id NAA00928 for ; Wed, 4 Sep 1996 13:01:07 -0300
Received: by jabpc.jabsoft.com with Microsoft Mail id <01BB9A61.C8546560@jabpc.jabsoft.com>; Wed, 4 Sep 1996 13:05:44 -0800
Message-ID: <01BB9A61.C8546560@jabpc.jabsoft.com>
From: Jeffrey Barber
To: "'firewalls@GreatCircle.COM'"
Subject: IP Masquerading
Date: Wed, 4 Sep 1996 13:05:42 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All,

I am a Windows and Linux user. With Linux I can configure it to do IP Masquerading. This allows me to have multiple computers on my local net access the internet thru 1 internet connection with only 1 valid IP address. What happens is the Linux computer changes the source address to that of the valid IP address and when the response comes back, Linux then passes the data back to the requesting local computer. This process is not using any proxies and I have full TCP/IP capability from all local computers. I guess this may be what some call IP Spoofing. This process is very useful, for we all heard that there may be a shortage of IP Addresses. This will solve the problem or at least cut down on the requests for additional Addresses from the NIC.

My question is, can NT 3.51 or NT 4.0 be configured to do the same thing, possibly using some kind of firewall software. Also can it be done without using proxies.
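The mechanism Jeffrey describes (rewrite the source address of outbound packets to the one valid address, remember the mapping, and rewrite replies back to the requesting host) is easiest to see as a translation table. The following is an added example written for this archive, not code from Jeffrey's post or from the Linux kernel; the public address 203.0.113.1, the server 198.51.100.7, the private 192.168.1.x hosts and the port numbers are made up for illustration.

```python
"""Source-address rewriting (IP masquerading) modelled as a translation table.

Added example, not from the original post or the Linux kernel. Outbound packets
from private hosts get their source rewritten to the single public address and
a fresh public port; replies are matched on that port and rewritten back.
Addresses and ports are illustrative.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"    # the one valid address (hypothetical)
SERVER = "198.51.100.7"      # a web server on the Internet (hypothetical)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Masquerader:
    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (private ip, private port, remote ip, remote port)
        self.table = {}
        # reverse index so a flow keeps its public port across packets
        self.by_flow = {}

    def outbound(self, pkt):
        """Rewrite an internal host's packet so the Internet sees only PUBLIC_IP."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(key)
        if port is None:
            port = self.next_port          # allocate a public port per flow
            self.next_port += 1
            self.by_flow[key] = port
            self.table[port] = key
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """Rewrite a reply for the internal host, or return None to drop it.

        Dropping anything without a table entry is what gives the private
        hosts their address isolation: only replies to flows they opened
        get through.
        """
        entry = self.table.get(pkt.dport)
        if entry is None or pkt.dst != self.public_ip:
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None                    # reply from the wrong remote endpoint
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.payload)


def run_scenario():
    """Two private hosts, both using local port 1025, reach the same server."""
    nat = Masquerader(PUBLIC_IP)
    a_out = nat.outbound(Packet("192.168.1.10", 1025, SERVER, 80, "GET / (host A)"))
    b_out = nat.outbound(Packet("192.168.1.11", 1025, SERVER, 80, "GET / (host B)"))
    # Replies arrive addressed to the public IP and the allocated port.
    a_in = nat.inbound(Packet(SERVER, 80, PUBLIC_IP, a_out.sport, "200 OK (for A)"))
    b_in = nat.inbound(Packet(SERVER, 80, PUBLIC_IP, b_out.sport, "200 OK (for B)"))
    # Unsolicited traffic: wrong remote endpoint, and no table entry at all.
    stray = nat.inbound(Packet("198.51.100.99", 80, PUBLIC_IP, a_out.sport, "unsolicited"))
    unknown = nat.inbound(Packet(SERVER, 80, PUBLIC_IP, 5000, "no table entry"))
    return a_out, b_out, a_in, b_in, stray, unknown


if __name__ == "__main__":
    for p in run_scenario():
        print(p)
```

The two internal hosts deliberately share local port 1025: without per-flow port allocation the two replies would be indistinguishable, which is why the gateway rewrites the port as well as the address. Nothing here terminates the TCP connection, so the hosts keep full TCP/IP; the cost is that inbound connections to the private hosts are impossible unless a static table entry is added.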
The IP Masquerading process is part of the Linux kernel and I am hoping that a kernel modification can be done to NT if this process is not already there. This can be a HUGE Plus for NT if Microsoft can do it.

TIA
jab@rock.anchorage.net
System Administrator

From firewalls-owner Wed Sep 4 14:28:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA26744 for firewalls-outgoing; Wed, 4 Sep 1996 14:02:00 -0700 (PDT)
Received: from relay4.smtp.psi.net (relay4.smtp.psi.net [38.9.52.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA26737 for ; Wed, 4 Sep 1996 14:01:52 -0700 (PDT)
Received: from bscgnj.com by relay4.smtp.psi.net (8.7.5/SMI-5.4-PSI) id RAA23109; Wed, 4 Sep 1996 17:01:22 -0400 (EDT)
Received: from BSCG_NJ/SpoolDir by bscgnj.com (Mercury 1.21); 4 Sep 96 17:01:28 -0500
Received: from SpoolDir by BSCG_NJ (Mercury 1.30); 4 Sep 96 17:01:10 -0500
From: "Stefan Kwiatkowski"
Organization: Bay State Computer Group of NJ
To: firewalls@greatcircle.com
Date: Wed, 4 Sep 1996 17:01:07 EDT
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Firewalls and Dial-in
CC: steved@bscg.com, bobp@bscg.com
X-mailer: Pegasus Mail for Windows (v2.33)
Message-ID: <1FA38A5FC7@bscgnj.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been probing around to find out if a Shiva LanRover (dial-in/out server) can be situated outside of a firewall while still maintaining full functionality for internal users. So far, the answer seems to be yes. Our helpful Shiva rep pointed out that the LanRover can use a UDP port for access over a network, providing Comm redirection for internal Windows users.

                                     |...t
NETWORK---Firewall-----LanRover/E    |...e
                                     |...l
                                     |...c
                                     |...o

Shiva typically depicts the Dial-in/out solution with a LanRover placed INSIDE the firewall. But...
I know that the LanRover is fairly secure, yet I am using an illegitimate class B address, and wish to maintain eventual address anonymity on the Internet (using the firewall as an IP translator with Dual DNS, when we get there). Using Raptor Eagle for my firewall, I will be able to allow for UDP port access so that internal users can get to the Shiva LanRover, and thereby map a COM port and dial out. Dialing in should be no problem since the LanRover has its own IP address (legitimate class C BTW) and can be granted access by the firewall.

Experiences? Near-Death encounters? Comments and Contributions gratefully accepted.

From firewalls-owner Wed Sep 4 15:04:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA29288 for firewalls-outgoing; Wed, 4 Sep 1996 14:48:32 -0700 (PDT)
Received: from apu.connectix.com (apu.connectix.com [204.247.159.242]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA29254 for ; Wed, 4 Sep 1996 14:48:21 -0700 (PDT)
Received: from [204.118.199.198] (snowball.connectix.com [204.118.199.198]) by apu.connectix.com (8.7.5/8.6.9) with SMTP id OAA03480 for ; Wed, 4 Sep 1996 14:48:42 -0700
Date: Wed, 4 Sep 1996 14:48:42 -0700
Message-Id: <199609042148.OAA03480@apu.connectix.com>
Subject: Protocol probes
From: Rob Sansom
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For the past few days, I have been getting these in my logs:

denied 5 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 6 packets
denied 2 141.2.28.188 -> 204.247.159.244, 2 packets
denied 10 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 3 packets
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 15 141.2.28.160 -> 204.247.159.244, 1 packet
denied 0 141.2.28.160 -> 204.247.159.244, 1 packet
denied 7 141.2.28.160 ->
204.247.159.244, 1 packet
denied 13 141.2.28.160 -> 204.247.159.244, 1 packet

After a bit of research, I have decided that this is a protocol probe. If I read RFC 1700 right:

 0  Reserved                                        [JBP]
 1  ICMP         Internet Control Message           [RFC792,JBP]
 2  IGMP         Internet Group Management          [RFC1112,JBP]
 3  GGP          Gateway-to-Gateway                 [RFC823,MB]
 4  IP           IP in IP (encapsulation)           [JBP]
 5  ST           Stream                             [RFC1190,IEN119,JWF]
 6  TCP          Transmission Control               [RFC793,JBP]
 7  UCL          UCL                                [PK]
 8  EGP          Exterior Gateway Protocol          [RFC888,DLM1]
 9  IGP          any private interior gateway       [JBP]
10  BBN-RCC-MON  BBN RCC Monitoring                 [SGC]
11  NVP-II       Network Voice Protocol             [RFC741,SC3]
12  PUP          PUP                                [PUP,XEROX]
13  ARGUS        ARGUS                              [RWS4]
14  EMCON        EMCON                              [BN7]
15  XNET         Cross Net Debugger                 [IEN158,JFH2]
16  CHAOS        Chaos                              [NC3]

Someone is trying to see what sort of protocols might get past my router. Am I totally off base? Has anyone had experience with this before?

Here are some more goodies:

141.2.28.188 = dialin188.rz.uni-frankfurt.de
141.2.28.160 = dialin160.rz.uni-frankfurt.de
204.247.159.244 = www.connectix.com

I see no reason (other than foul play) why terminal servers would want to send this stuff to our web server. What's ARGUS anyway?

Thanks in advance,

Rob Sansom
Network Admin.
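The deny records quoted in Rob's message can be checked mechanically: the field after "denied" is an IP protocol number, and a single dial-up host cycling through several different numbers against one target is the signature of a protocol sweep. The following detector is an added example written for this archive, not part of Rob's message; it parses the log format shown above, names protocol numbers from the RFC 1700 excerpt in the message, and flags sources that touch at least a configurable number of distinct protocols (the threshold of 3 is an assumed tuning value).

```python
"""Detect an IP-protocol sweep in router deny logs.

Added example, not from the original post. Input format (from the post):
    denied <protocol-number> <src> -> <dst>, <n> packet(s)
"""
import re
from collections import defaultdict

# Protocol numbers as listed (from RFC 1700) in the message above.
PROTOCOLS = {
    0: "Reserved", 1: "ICMP", 2: "IGMP", 3: "GGP", 4: "IP-in-IP", 5: "ST",
    6: "TCP", 7: "UCL", 8: "EGP", 9: "IGP", 10: "BBN-RCC-MON", 11: "NVP-II",
    12: "PUP", 13: "ARGUS", 14: "EMCON", 15: "XNET", 16: "CHAOS",
}

# The deny records quoted in the message, one per line.
SAMPLE_LOG = """\
denied 5 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 6 packets
denied 2 141.2.28.188 -> 204.247.159.244, 2 packets
denied 10 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 3 packets
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 15 141.2.28.160 -> 204.247.159.244, 1 packet
denied 0 141.2.28.160 -> 204.247.159.244, 1 packet
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 13 141.2.28.160 -> 204.247.159.244, 1 packet
"""

LINE_RE = re.compile(
    r"^denied\s+(?P<proto>\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+),"
    r"\s+(?P<n>\d+)\s+packets?$"
)


def parse(log):
    """Return (protocol, src, dst, packets) tuples; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["proto"]), m["src"], m["dst"], int(m["n"])))
    return events


def summarize(events):
    """Per source address: (sorted distinct protocol numbers, total denied packets)."""
    protos = defaultdict(set)
    packets = defaultdict(int)
    for proto, src, _dst, n in events:
        protos[src].add(proto)
        packets[src] += n
    return {src: (sorted(protos[src]), packets[src]) for src in protos}


def find_sweeps(events, threshold=3):
    """Sources that tried at least `threshold` distinct protocol numbers.

    A normal client speaks TCP, UDP and ICMP; several other numbers from one
    host within a short log is a sweep. The threshold is an assumed tuning
    value, not something the post specifies.
    """
    return {src: protos for src, (protos, _) in summarize(events).items()
            if len(protos) >= threshold}


def describe(protos):
    """Render protocol numbers with their RFC 1700 names where known."""
    return [f"{p} ({PROTOCOLS.get(p, 'unassigned/unknown')})" for p in protos]


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for src, protos in find_sweeps(events).items():
        print(f"protocol sweep from {src}: {', '.join(describe(protos))}")
```

On the quoted records this reports both dial-up hosts: 141.2.28.188 tried IGMP, ST and BBN-RCC-MON, and 141.2.28.160 tried Reserved, UCL, ARGUS and XNET. Protocols 6 and 17 never appear in the deny log, which is consistent with a filter that permits only TCP and UDP and logs everything else; the interesting question for the filter is therefore not which of these exotic numbers were denied but whether any number was silently passed.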
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Wed Sep 4 17:44:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA07632 for firewalls-outgoing; Wed, 4 Sep 1996 17:31:29 -0700 (PDT)
Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA07625 for ; Wed, 4 Sep 1996 17:31:21 -0700 (PDT)
Received: by apu.rcp.net.pe via sendmail with stdio id for Firewalls@GreatCircle.COM; Wed, 4 Sep 96 19:29:07 -0400 (WET DST)
Message-Id:
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: Firewall for NT
To: Firewalls@GreatCircle.COM
Date: Wed, 4 Sep 1996 19:29:07 -0400 (EDT)
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I am looking for any recommendation you can send me about the best *proved* firewall there can be for Windows NT. We have to use a Windows NT server as a firewall for some Micro$oft-based subsystem and I would like to just receive some recommendations from you guys out there who have already dealt with some firewall on NT.

I would prefer to receive all the mails at my personal email address, and if the list is interested, I can summarize the results of my request for the best featured firewall for NT after ten days.
Enrique Vadillo-
--
R&D at RCP - Internet Peru
Fax: +51 1 241-1320
Phone: +51 1 241-5688
Web Site: http://www.rcp.net.pe (PERU)
Mirror Web Site: http://ekeko.rcp.net.pe (USA)

From firewalls-owner Wed Sep 4 17:59:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08164 for firewalls-outgoing; Wed, 4 Sep 1996 17:48:24 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08156 for ; Wed, 4 Sep 1996 17:48:18 -0700 (PDT)
Received: by hidata.com; id AA01693; Wed, 4 Sep 96 17:48:05 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma001684; Wed, 4 Sep 96 17:47:41 -0700
Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id RAA03136; Wed, 4 Sep 1996 17:47:39 -0700
Message-Id: <2.2.32.19960905004537.0070a460@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 04 Sep 1996 17:45:37 -0700
To: Jeffrey Barber , "'firewalls@GreatCircle.COM'"
From: Bill Stout
Subject: Re: IP Masquerading
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think that's what a proxy's for. See Catapult.

At 01:05 PM 9/4/96 -0800, Jeffrey Barber wrote:
>Hello All,
> I am a Windows and Linux user. With Linux I can configure it to do IP Masquerading. This allows me to have multiple computers on my local net access the internet thru 1 internet connection with only 1 valid IP address. What happens is the Linux computer changes the source address to that of the valid IP address and when the response comes back, Linux then passes the data back to the requesting local computer. This process is not using any proxies and I have full TCP/IP capability from all local computers. I guess this may be what some call IP Spoofing. This process is very useful, for we all heard that there may be a shortage of IP Addresses.
> This will solve the problem or at least cut down on the requests for additional Addresses from the NIC.
>
>My question is, can NT 3.51 or NT 4.0 be configured to do the same thing, possibly using some kind of firewall software. Also can it be done without using proxies. The IP Masquerading process is part of the Linux kernel and I am hoping that a kernel modification can be done to NT if this process is not already there. This can be a HUGE Plus for NT if Microsoft can do it.
>
>TIA
>jab@rock.anchorage.net
>System Administrator

From firewalls-owner Wed Sep 4 18:13:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08091 for firewalls-outgoing; Wed, 4 Sep 1996 17:45:37 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08075 for ; Wed, 4 Sep 1996 17:45:19 -0700 (PDT)
Received: by hidata.com; id AA01667; Wed, 4 Sep 96 17:45:05 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma001665; Wed, 4 Sep 96 17:44:52 -0700
Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id RAA03130; Wed, 4 Sep 1996 17:44:51 -0700
Message-Id: <2.2.32.19960905004249.006f0b14@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 04 Sep 1996 17:42:49 -0700
To: David Kimball , "'Firewalls@GreatCircle.COM'"
From: Bill Stout
Subject: RE: NT port activity list
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm thinking to myself as I type this, so excuse the verbosity. Betcha I sector fault more often than you.

Some services are 'open' automatically, like a rumoured SMB 'back door' that SMS and other services use, and tftp (DHCP), etc.
Other services are not obvious, and a list of what is and isn't obvious doesn't exist in NT (1st step of security: know what doors are there, then which are open).

UNIX has the /etc/inetd.conf file and the 'netstat -a' command to control and audit open ports. Simple and clean-cut. With NT you need to grep through the Registry via various Control Panel utilities or regedit32, and 'netstat -a' lists client side ports only. Seems complex and obscure.

NT's TCP/IP (4-Transport) talks up to Services (6-Presentation) via NETBIOS (5-Session), but TCP/IP also talks to WinSock Apps, and the User shell/Program Manager (7-Application) through NETBIOS. I don't know what else lurks in the kernel besides services, and listens to the stack. Which is why I ask.

Maybe that's why UNIX folk dislike NT Network Security; it's much harder to find what doors are open in NT, and to control them with confidence.

Bill

At 02:26 PM 9/4/96 -0500, David Kimball wrote:
>I know I go stupid from time to time. However, I was under the
>impression that all the ports open on a shrink-wrapped NT box was
>everything that is listed in the services phile in the /drivers/etc
>dir. No, nix that. Rather they are alternately open/not open depending
>on the actual services/software installed. Am I missing something
>here?
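Bill's "know what doors are there, then which are open" is the audit step that the port list earlier in the thread only half supports: the list says what a service would use, not what this box is actually listening on. The following is an added example written for this archive, not code from Bill's or David's messages. It parses `netstat -an` output in the Windows column layout, keeps only sockets that accept traffic, and diffs them against a baseline of expected listeners. The sample output and the baseline are constructed for illustration and assume a netstat that does report LISTENING sockets (Bill notes that the NT netstat he had showed client-side ports only); the port names are taken from the NT list quoted above.

```python
"""Listener audit: diff what `netstat -an` shows against an expected baseline.

Added example, not from the original thread. The netstat text and the
baseline are constructed; the port names come from the NT port list posted
earlier in the thread.
"""
import re

# Names from the NT port list quoted earlier in the thread.
NT_PORT_NAMES = {
    ("tcp", 21): "ftp", ("tcp", 23): "telnet", ("udp", 69): "tftp",
    ("tcp", 79): "finger", ("udp", 137): "netbios_ns", ("udp", 138): "netbios_dgm",
    ("tcp", 139): "netbios_ssn", ("udp", 161): "snmp", ("tcp", 515): "printer",
    ("tcp", 775): "sms_db", ("tcp", 777): "sms_update", ("tcp", 1433): "tds",
}

# Constructed `netstat -an` output in the Windows layout (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1025          10.0.0.9:139           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:161            *:*
"""

# Hypothetical baseline: a file/print server that should expose NetBIOS only.
BASELINE = {("udp", 137), ("udp", 138), ("tcp", 139)}

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return the set of (proto, port) pairs on which the host accepts traffic.

    TCP rows count only in state LISTENING; UDP sockets carry no state, so
    every bound UDP port counts. Client-side connections (ESTABLISHED etc.)
    are ignored because they are not doors into the machine.
    """
    listeners = set()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto.lower(), int(port)))
    return listeners


def diff_baseline(listeners, baseline):
    """Return (unexpected, missing): listeners not in the baseline, and
    baseline entries no longer listening (a dead service is also a finding)."""
    return sorted(listeners - baseline), sorted(baseline - listeners)


def name(proto_port):
    """Look up the NT list name for a (proto, port) pair, '?' if not listed."""
    return NT_PORT_NAMES.get(proto_port, "?")


if __name__ == "__main__":
    unexpected, missing = diff_baseline(parse_listeners(SAMPLE_NETSTAT), BASELINE)
    for p in unexpected:
        print(f"unexpected listener {p[0]}/{p[1]} ({name(p)})")
    for p in missing:
        print(f"baseline service not listening {p[0]}/{p[1]} ({name(p)})")
```

On the constructed sample the audit flags tcp/135, tcp/1433 (tds) and udp/161 (snmp) as listeners the baseline did not expect; 135 gets a "?" because it is absent from the posted list, which is exactly the kind of gap Bill is asking about. The same parser run from a scheduled job, with its output diffed against the previous run, turns "what doors are open" from a one-off question into a change alert.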
From firewalls-owner Wed Sep 4 18:58:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA14098 for firewalls-outgoing; Wed, 4 Sep 1996 18:46:00 -0700 (PDT)
Received: from darkwing.pacific.net.sg (darkwing.pacific.net.sg [203.120.89.89]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA14081 for ; Wed, 4 Sep 1996 18:45:51 -0700 (PDT)
Received: (qmail-queue invoked from smtpd); 5 Sep 1996 01:43:58 -0000
Received: from darkwing.pacific.net.sg (203.120.89.89) by darkwing.pacific.net.sg with SMTP; 5 Sep 1996 01:43:58 -0000
Date: Thu, 5 Sep 1996 09:43:58 +0800 (SST)
From: Ng Pheng Siong
To: Paul McNabb
cc: firewalls@GreatCircle.com
Subject: Re: C2 certified OS that can run a firewall
In-Reply-To: <199609041436.JAA13457@argus.cu-online.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Sep 1996, Paul McNabb wrote:

> About 5 years ago I wrote a short paper entitled "The Myths of C2" which
> discussed the misconception about what C2 really is. I'll dig it up and
> post it if anyone wants it.

Yes, please. TIA.

I am looking at the Aug '96 paper copy of Byte: it has an article entitled "Air-Tight Windows NT" which talks about NT's C2 rating. Author is one Jim Reynolds, who "was a member of the NSA's Windows NT eval team." (Yes, NSA as in "No Such Agency".)

--
Ng Pheng Siong * Finger for PGP key.
Pacific Internet Pte Ltd * Singapore
Fast, secure, cheap. Pick two.
From firewalls-owner Thu Sep 5 02:58:49 1996
From: Rajesh Joshi
To: socks@socks.nec.com, socks5@socks.nec.com, firewalls@GreatCircle.COM
Cc: rjoshi@comm10 (Rajesh Joshi)
Date: Wed, 4 Sep 1996 14:46:13 +0500 (GMT+0500)
Subject: SOCKS5 Server for Windows NT from NEC

Hi all,

We have downloaded the SOCKS5 Server for Windows NT from NEC and copied a simple configuration file from the samples to the directory containing socks5.exe. The socks service starts, but when we try to connect to the application server using Netscape through the socks server, it does not go through.

Is this some configuration problem? Can anybody throw some light on this? Has anybody successfully installed the SOCKS5 server for Windows NT?

Thanks in advance

-- 
RAJESH B JOSHI
Sr. Engineer R & D (Software), Communications Group, Wipro Infotech Ltd.

There's NO THRILL in easy sailing when the skies are clear and blue,
There's NO JOY in merely doing things which ANY ONE can do,
But there is some satisfaction that is MIGHTY SWEET to take,
When you reach a DESTINATION that you thought you'd NEVER make.

From firewalls-owner Thu Sep 5 03:28:53 1996
From: "Mattias Lindström"
To: firewalls@greatcircle.com, vadillo@apu.rcp.net.pe
Date: Thu, 05 Sep 96 12:10:43 -0500
Subject: Firewall for NT

-- [ From: Mattias Lindström * EMC.Ver #2.5.02 ] --

Date: Wed, 4 Sep 1996 19:29:07 -0400 (EDT)
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: Firewall for NT

Hi.

Take a look at AltaVista Firewall for Windows NT. It is beautiful and beats the sh*t out of Raptor Eagle NT. Not that drastic maybe, but I like Digital's more than I like Raptor's. It has the usual Windows GUI and is intuitive, easy and fast to use. Pure "goodiness". I like it a lot and have 2 installations up and running. It is much easier to set up than Raptor's and is easier to work with.
I have installed Raptor for 3 clients and I like that one too, but AltaVista is nicer to work with.

TNT, Mattias

________Your posting______

Hi all,

I am looking for any recommendation you can send me about the best *proved* firewall there can be for Windows NT. We have to use a Windows NT server as a firewall for some Micro$oft-based subsystem, and I would like to just receive some recommendations from you guys out there who have already dealt with some firewall on NT.

I would prefer to receive all the mails to my personal email address, and if the list is interested, I can summarize the results of my request for the best-featured firewall for NT after ten days.

Enrique Vadillo-
--
R&D at RCP - Internet Peru
Fax: +51 1 241-1320
Phone: +51 1 241-5688
Web Site: http://www.rcp.net.pe (PERU)
Mirror Web Site: http://ekeko.rcp.net.pe (USA)

________Your posting______

-- 
Mattias Lindstrom
NT and Security Consultant

This email is for the use of authorized users only. Individuals using this email without authority, or in excess of their authority, are subject to having all of their activities monitored and recorded by system personnel.
From firewalls-owner Thu Sep 5 05:44:04 1996
From: Dana Nowell
To: Firewalls@greatcircle.com
Date: Thu, 05 Sep 1996 08:37:54 -0400
Subject: RE: Firewall for NT

On Wed, 4 Sep 1996 19:29:07 -0400 (EDT), Enrique Vadillo asked:
>
>Hi all,
>
>I am looking for any recommendation you can send me about the best *proved*
>firewall there can be for Windows NT, we have to use a Windows NT server
>as a firewall for some Micro$oft-based subsystem and i would like to just
>receive some recommendations from you guys out there who have already dealt
>with some firewall on NT.
>
>I would prefer to receive all the mails to my personal email address, and
>if the list is interested, i can summarize the results of my request for
>the best featured firewall for NT after ten days.
>

OK, I couldn't resist; humor switch on for the humor impaired...

Well, it really depends on what you mean when you say best. If your main interest is feature set, it is difficult to beat the IP_FORWARDING firewall in the number of different packet types passed between your internet router and your internal network.
Most other firewalls supply only a subset of the IP_FORWARDING firewall's set of packet types. The IP_FORWARDING firewall has the added advantage of being one of the cheaper firewalls on the market.

If you are one of those security conscious geeks (as opposed to a security unconscious end-user) I'd recommend the AirGap Firewall as the most secure. In design the AirGap firewall is VERY similar to the IP_FORWARDING firewall. You install the IP_FORWARDING firewall and cut the cable between the firewall and the router, then separate the cut ends by a two foot air gap. This firewall design passes the smallest subset of packets from your internet router to your internal network. It is also one of the cheaper firewalls on the market, costing about $5 US more than the IP_FORWARDING firewall (for the cheapo wire cutters).

Now if you are a marketing or MIS management type looking for a buzzword compliant firewall, I'm afraid I can not be much help. First it depends a lot on your current buzzword dictionary, and second, there is currently A LOT of competition in this particular area. Since this area is constantly under change, I'm afraid whatever firewall you buy from this category will quickly become dated. I'd recommend you avoid this category if at all possible.

I hope this information was of some help. Humor switch off.

Dana Nowell                         Voice (603) 595-7480 EXT 28
Cornerstone Software Inc.           FAX (603) 882-7313
Work: DanaNowell@corsof.com         Home: dana@nowell.mv.com
MIME attachments preferred, BINHEX and uuencoded acceptable.
As usual, I speak only for myself.
From firewalls-owner Thu Sep 5 07:14:12 1996
From: David Marcoux
To: firewalls@greatcircle.com
Date: Thu, 5 Sep 1996 09:10:39 -0500 (CDT)
Subject: Secure Access Firewall (Ascend)??

Has anyone tried the new product from Ascend called "Secure Access Firewall?" I am very curious about the product.

------------------------------------------------------------------
David Marcoux                    System Administrator / Web Master
dmarcoux@vertx.com               Vertex Software Corporation
http://www.vertx.com             (512) 328-3700 voice

From firewalls-owner Thu Sep 5 07:44:18 1996
From: Peter Yau
To: Jeffrey Barber
Cc: "'firewalls@GreatCircle.COM'"
Date: Thu, 5 Sep 1996 10:15:27 -0400 (EDT)
Subject: Re: IP Masquerading

Sounds more like NAT (Network Address Translation), rather than IP spoofing, is the correct term.

On Wed, 4 Sep 1996, Jeffrey Barber wrote:
> Hello All,
> I am a Windows and Linux user. With Linux I can configure it to do IP Masquerading. This allows me to have multiple computers on my local net access the internet thru 1 internet connection with only 1 valid IP address. What happens is the Linux computer changes the source address to that of the valid IP address, and when the response comes back, Linux then passes the data back to the requesting local computer. This process is not using any proxies and I have full TCP/IP capability from all local computers. I guess this may be what some call IP Spoofing. This process is very useful, for we have all heard that there may be a shortage of IP addresses. This will solve the problem or at least cut down on the requests for additional addresses from the NIC.
>
> My question is, can NT 3.51 or NT 4.0 be configured to do the same thing, possibly using some kind of firewall software? Also, can it be done without using proxies? The IP Masquerading process is part of the Linux kernel and I am hoping that a kernel modification can be done to NT if this process is not already there. This can be a HUGE plus for NT if Microsoft can do it.
>
> TIA
> jab@rock.anchorage.net
> System Administrator
>

From firewalls-owner Thu Sep 5 07:47:22 1996
From: "Sacherich, Larry"
To: "'Firewalls-Digest-L'"
Cc: "'Enrique Vadillo'"
Date: Thu, 05 Sep 96 10:04:00 PDT
Subject: Re: Firewall for NT (and NCSA Certifications)

After reviewing the NCSA firewall site, I was still confused as to which platforms / operating systems were being approved. In particular, are there any Windows NT firewall systems NCSA approved? And the answer is NO. Even firewalls like the Raptor Eagle that are available for both Unix and Windows NT operating systems were only approved for Unix. Attached is the NCSA response.

NCSA Firewall Certifications
http://www.ncsa.com/fpfs/fwpress2.html

Larry Sacherich
sacherich@ppg.com
=========================================================
The opinions expressed are those of the writer and not of PPG Industries, Inc. nor of any PPG-associated companies.
=========================================================
----------
> From: JD McCown
> Subject: Re: Multi-platform Multiple O/S Certifications ?
> Date: Monday, July 29, 1996 1:45PM
>
> On 23 Jul 1996 sacherich@ppg.com wrote:
>
> > Many vendors offer multi-platform and multiple operating system firewall
> > solutions. That is, a product may be available for a RISC and Intel
> > platform, running Unix (BSDI, HPUX, AIX, etc) or Windows NT operating
> > system. It is unclear from your Web pages what combination the NCSA
> > Certification applies to.
>
> How we handle this issue is about to change; however, under the 1.0
> certification, we certify products in one of the following categories:
> Unix-BSD origin, Unix-SysV origin, NT, Proprietary/Other. (A caveat was
> also included for Solaris 2.5 ports, as the networking code in that
> version was substantially altered from earlier Solaris versions.)
>
> Because our certification involves quarterly retests, we perform the
> testing against "other" ports than the one initially certified.
>
> The 1.0 results were as follows:
>
> Vendor       Product               Version   OS              Platform
> ASG          Turnstyle             2.1       BSDI 1.1        Intel
> Border       Borderware            3.1.1     BSD/Janus       Intel
> Milkyway     Blackhole             2.0       SunOS 4.1.4     Sparc
> Checkpoint   Checkpoint FW         2.0C      Solaris 2.4     Sparc
> DEC          DEC FW for Unix       2.0       DEC/Unix 3.2C   Alpha
>              (aka Altavista FW)
> GTA          GFX Internet FW       2.5       BSDI 1.1        Intel
> Harris       Cyberguard            2.1.2     Unix/MLS 6.2    Motorola
> IBM          SNG                   2.1.0.0   AIX 4.1.0       IBM Risc
> Livermore    Portus                2.1       AIX 4.1.4       PowerPC
> ON           Onguard               1.02      S32OS           Intel
> Radguard     Cryptowall            1.0       Embedded        Proprietary
> Raptor       Eagle                 3.1       SunOS 4.1.4     Sparc
> Sun          SPF-100               1.0       Proprietary     Sparc (?)
> Technologic  Interceptor           3.1       BSDI 1.1        Intel
> TIS          Gauntlet              3.1       BSDI 2.0.1      Intel
> NEC          PrivateNET            1.0.1A    BSDI 2.1        Intel
>
> The processor architecture is not a category per se but is useful.
>
> > Can you provide me a list of certified firewalls _showing_ the platforms
> > and operating system tested per vendor? We are nearing the end of an
> > evaluation and would like to have that information quickly.
>
> See the above; give me a call if you have questions.
>
> - Jon McCown, NCSA Labs
>
> > Thanks in advance,
> >
> > Larry Sacherich
> > sacherich@ppg.com
> > PPG Industries, Inc.
>

From firewalls-owner Thu Sep 5 07:53:49 1996
From: LLynch@tribune.com
To: Firewall mailing list
Date: Thu, 5 Sep 1996 08:56:02 -0500
Subject: Re: Re: Firewalls-Digest #484

On Thu, 29 Aug 1996 14:46:20 +0200, Bernhard Schneck wrote (Subject: Re: Firewalls-Digest V5 #484):

> > One extra note: Connecting the Web server directly to your database
> > would be a breach of security, you would in effect be providing any
> > hacker a direct line into your internal network, bypassing any
> > firewall/router security.
>
> That's what I was thinking about (mostly).
>
> When you allow access to internal data from external sources, you
> *should* assume that any access can be with hostile intent.
>
> In Jenjen's case (users access an external web server, which queries
> the internal database and returns query results in HTMLized form),
> this would mean that she/he has to assume that web server security
> has been breached and the web server is under full control of the
> attackers.
>
> Two things may happen:
> - the attackers gain access to data in the database
> - the attackers send wrong responses to users querying the service
>
> Only mutual authentication between user and database will solve the
> second problem, so let's stick to the first for now.
>
> Encrypting the data stream between web server and database will not
> help in this case, as some sort of keys will have to reside on the
> web server (which was taken over by The Bad Guys).
>
> Using challenge/response between server and database won't help
> either ... again, The Bad Guys are already on the web server and can
> fake those, too.
>
> A private network connection (using any type of protocol) between
> server and database won't help, unless the server has no way to speak
> that protocol (but then, how would it send legitimate queries to the
> database? :-)
>
> What will help (at least somewhat) is
>
> - do not allow the web server to run any SQL statement against the
>   database (The Bad Guys might plug in their own select statements)
>   but use a restricted, well defined proxy protocol to a separate
>   internal service with tight security, which will then access the
>   database.
>   --> Anyone will be able to access the data, but only in a (more or
>   less) controlled fashion.

I was thinking as you, not allowing SQL to be executed on the Web server. Unless your applications are very simple, you are writing an API or a protocol for each application. This is job security, but may not be scalable. The other thing I hate about this is that it starts looking like "security through obscurity" again.
Is there a pointer to more information on this subject?

Something else I ran across the other day: Vendor A has developed a search/retrieval/server product. If I have content that I think users will pay for, I install the server product behind a FW to protect that investment in the content. Now we haven't talked about how to interface to the payment switch yet....

I install Vendor A's CGI on my W3 server outside the FW and install a plug-gw on a high numbered port to only accept incoming connects from my W3 server bound for Vendor A's server. I find out that Vendor A's CGI is only an IP gateway from the client to Vendor A's server (there is nothing to the CGI: open socket, connect, print STDIN to STDOUT). This tells me that the API/protocol must be in the HTML form; this application is probably very simple.

How secure is a CGI like this? (Vulnerability: W3 server security) What I like about this is that there is no information (other than the connecting address and the embedded API/values in the HTML form) on the W3 server about the back-end service. It appears to be vulnerable to denial of service attacks (anyone can POST to this CGI and the W3 server will contact Vendor A's server thru the FW, consuming resources on the W3, FW and Vendor A's box). Your thoughts?

If I use a Secure/Commerce W3 server, will SSL or SHTTP be foiled by Vendor A's CGI approach? But doesn't this mean that Vendor A's server would have to support SSL and SHTTP also? If it does support one or both, their application starts to look a lot like a modified secure W3 server, doesn't it?

Now continuing on with this discussion: If the W3 server is taken over, it can talk to only one port on the FW bound for Vendor A's server. We are left with placing trust in Vendor A's application team for our network security. If this application is secure, why is it behind the FW?
They seem to be following the guidelines set forth by the NCSA Web Site Certification criteria.

>
> - challenge/response between the end user and the database on every
>   transaction (`authenticated' state should not be kept)
>   --> The Bad Guys can wait for such an access and sniff the data or
>   can replace the web server and send their own queries using the
>   intercepted user's authentication.
>
> - authenticated+encrypted links (eg. IPSEC AH/ESP) between end user
>   and database *not* going through the web server (remember, it has
>   been taken over! If it decrypts somehow, The Bad Guys are in)
>   --> The Bad Guys will need to either break the encryption or the
>   key exchange mechanism (which is supposed to be hard)
>
> Unless you use a non subvertible channel between end user and database,
> you're prone to snooping, if not worse!
>
> Again: Encryption between web server and database may not be enough.
>
> \Bernhard.
>

From firewalls-owner Thu Sep 5 08:14:41 1996
From: lresch@nswc.navy.mil
To: firewalls@GreatCircle.com (Firewalls Mailing List)
Date: Thu, 5 Sep 96 10:59:19 EDT
Subject: IPX Router/Gateway

We have recently implemented a firewall for our network here, but we need to verify the user who is accessing the Internet outside of the firewall.
The firewall logs the IP of the connections, but our internal IPs are tied to specific machines and our users are not. The firewall accredits TELNET and FTP (user name and password) to get out (which is fine), but we are having to do a workaround for HTTP until the next release of the firewall comes out. Our internal network is Netware 4.1 running pure IPX, and our users have IP only for accessing our UNIX workstations. Does anyone have any suggestions for accreditation of the user?

I am also thinking about some kind of IPX to IP router/gateway that can log the user (possibly require a single session log in) for accessing the firewall, and then turn off accreditation at the firewall. This would also help to block the workstations accessing the Internet which we do not want....

Thanks.

+----------------------------------------------------+
| Larry Resch                                        |
| lresch@nswc.navy.mil                               |
|                                                    |
| My thoughts are mine alone, and do not necessarily |
| reflect the thoughts of those for whom I work.     |
+----------------------------------------------------+

From firewalls-owner Thu Sep 5 09:23:31 1996
To: ssl-talk@netscape.com, firewalls@greatcircle.com
Date: Thu, 5 Sep 1996 12:08:51 -0400 (EDT)
Subject: options for proxying SSL traffic?
If a network connected to the internet was using a proxy firewall (say, Gauntlet or fwtk), and had a web server behind the firewall which had SSL enabled, what options does the firewall administrator have to ensure that people outside can access the web server inside w/SSL?

Someone at TIS said all that needed to be done was to use plug-gw (a generic proxy which just passes bytes) so that the firewall passes traffic. However, given that internal web browsers require a specific SSL proxy service to access SSL enabled web servers on the outside, I don't feel quite convinced. (Won't browsers care that the host they're connecting to is different from what the passed certificate information says?)

If it's the case that an SSL proxy service is needed for incoming requests, it would seem like the rules would have to be fairly stringent so that someone would not take advantage of it to probe the internal network - like having an HTTP proxy for incoming requests.

Can someone explain, before I actually try it out?
Junya Ho
FSDirect
v: 416 368 3920 x5411
f: 416 368 5505

From firewalls-owner Thu Sep 5 09:43:50 1996
From: Ryan Russell/SYBASE
To: "John H. Kerr"
Cc: firewalls
Date: 5 Sep 96 9:42:53 EDT
Subject: Re: Firewall-1,Sun,CISCO,Class"B"address

SunOS can't deal with variable-length subnet masks, so having 172.16.1.0 and 172.16.0.0 in its route tables will just confuse it. Either change the inside interface address to a subnet mask of 255.255.0.0 and use proxy arp on the Cisco, or put in a route entry for each subnet on the inside with a subnet mask of 255.255.255.0.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: jhkerr @ ashton.csc.com ("John H. Kerr") @ smtp
Date: 08/31/96 05:27:32 PM
Subject: Firewall-1,Sun,CISCO,Class"B"address

I was wondering if anyone has a solution to this problem. I have a Sun Sparc5 running SunOS 4.1.3, and with this I have Firewall-1 2.0 running on top of it. I also have a CISCO 4000 set up as an internal router.
The problem that I'm having is that I'm unable to receive information back to my machines sitting behind the internal router. The exact trouble seems to be that the firewall does not know how to route back into my "Internal" networks.

The setup is like this:

Internet ------ ISP Router ----- FW ----- CISCO 4000 ------ Internal Nets
                          172.16.1.0    172.16.2.0          172.16.*

I initially set the routing table on the FW to be:

DEST          Nexthop
172.16.1      172.16.1.1 (local)
172.16.2      172.16.2.1 (local)
default       ISP router
172.16.0.0    CISCO 4000

This didn't work. I turned routed on within the Firewall, but when I did, the default route (0.0.0.0) from the CISCO added a *new* default route to the Firewall:

default       Cisco

and it took precedence over the one I installed. Since the FW and the CISCO ping-ponged packets all day, nothing communicated. The default route of the CISCO router is overriding the default route that I have set on the FW. I have set the Metric Flag on the router to be higher than the FW's in hopes that the FW would take precedence, but this did not work.

Is there a way to set something up on the SUN to force its default route to be used, or is there a way to stop the CISCO's default route from taking over? I also tried not setting the 'route of last resort' on the CISCO, hoping that the RIP update from the FW would fill in the default route. It didn't. Shouldn't this work? Is there a way on the CISCO to set a default route and not have it sent out in a routing update?

BTW, what is the proper way to set the default route on a CISCO? I've been using:

ip route 0.0.0.0 172.16.2.1

Has anyone else with a class "B" address run into this problem before? I know this can be solved if I obtained a class C, subnetted it, and used it on either side of the FW. That way there would be an unambiguous route to 172.16 from the FW's point of view. However, that's not an option right now.

Any help is appreciated.
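An added example (not from either poster) of the lookup difference Ryan describes: Kerr's table under a longest-prefix lookup, as the Cisco does it, beside a deliberately simplified single-mask model of a stack without VLSM, plus Ryan's per-subnet /24 table as his second fix. The subnets behind the Cisco and the next-hop labels are assumed; Kerr only wrote "172.16.*".

```python
import ipaddress

# John Kerr's table as posted: two directly attached /24s, the rest of the
# class B via the Cisco 4000, and a default route via the ISP router.
# Routes are (network, prefix length, next hop); the next-hop labels are ours.
KERR_TABLE = [
    ("172.16.1.0", 24, "local (172.16.1.1)"),
    ("172.16.2.0", 24, "local (172.16.2.1)"),
    ("172.16.0.0", 16, "cisco-4000"),
    ("0.0.0.0", 0, "isp-router"),
]

# Ryan Russell's second fix: one /24 entry per inside subnet, all with the
# same 255.255.255.0 mask, so no variable-length masks are involved. The
# subnets behind the Cisco are assumed for the example.
RYAN_TABLE = [
    ("172.16.1.0", 24, "local (172.16.1.1)"),
    ("172.16.2.0", 24, "local (172.16.2.1)"),
    ("172.16.3.0", 24, "cisco-4000"),
    ("172.16.4.0", 24, "cisco-4000"),
    ("172.16.5.0", 24, "cisco-4000"),
    ("0.0.0.0", 0, "isp-router"),
]


def network_number(addr, prefixlen):
    """Return addr masked to prefixlen, as an int."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(addr)) & mask


def lookup_longest_prefix(table, dst):
    """CIDR/VLSM lookup as the Cisco does it: every entry keeps its own mask
    and, among matching entries, the longest prefix wins."""
    best_len, best_hop = -1, None
    for net, plen, hop in table:
        if network_number(dst, plen) == network_number(net, plen) and plen > best_len:
            best_len, best_hop = plen, hop
    return best_hop


def lookup_single_mask(table, dst, inside_prefixlen):
    """Simplified model of a stack without VLSM support (the SunOS 4.1.3
    behaviour Ryan describes): the only mask the host knows for the 172.16
    network number is the one configured on its inside interface, so every
    non-default entry and the destination are both masked to that length and
    compared for an exact match. With a /24 inside mask the 172.16.0.0 entry
    can only ever match 172.16.0.x; everything else falls to the default,
    which is Kerr's symptom (replies leave via the ISP router)."""
    default_hop = None
    for net, plen, hop in table:
        if plen == 0:
            default_hop = hop
            continue
        if network_number(dst, inside_prefixlen) == network_number(net, inside_prefixlen):
            return hop
    return default_hop


def compare(dst):
    """Next hop chosen for dst under each lookup rule and each table."""
    return {
        "cisco_lpm_kerr": lookup_longest_prefix(KERR_TABLE, dst),
        "sunos_kerr_mask24": lookup_single_mask(KERR_TABLE, dst, 24),
        "sunos_ryan_mask24": lookup_single_mask(RYAN_TABLE, dst, 24),
        # Ryan's first fix: a /16 mask on the inside interface makes the whole
        # class B look directly attached, so the FW ARPs for every inside host
        # and relies on the Cisco's proxy ARP to answer for the subnets behind it.
        "sunos_kerr_mask16": lookup_single_mask(KERR_TABLE, dst, 16),
    }


if __name__ == "__main__":
    for dst in ("172.16.1.9", "172.16.5.7", "172.16.0.3", "198.51.100.1"):
        print(dst, compare(dst))
```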
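Going back to the web-server/database thread (Bernhard Schneck's point, quoted in LLynch's message above): an added example, not from either poster, sketching the "restricted, well defined proxy protocol to a separate internal service" he recommends, beside the direct-SQL path it replaces. The two verbs, the SQLite tables and the sample rows are constructed for the example.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for the internal database in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, status TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                   [(1, "Alice", "alice@example.com"), (2, "Bob", "bob@example.com")])
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(100, 1, "shipped"), (101, 2, "pending"), (102, 1, "pending")])
    return db


def direct_sql(db, statement):
    """The setup Bernhard warns against: the web server holds database
    credentials and whatever statement it sends is executed. Once the web
    server is taken over, every table those credentials can read is exposed."""
    return db.execute(statement).fetchall()


class ProtocolError(Exception):
    pass


# Hypothetical restricted proxy protocol, one request per line:
#   ORDER_STATUS <order-id>
#   ORDER_COUNT <customer-id>
# Each verb maps to exactly one parameterized statement exposing only the
# columns the public service needs. No other statement is expressible, so a
# compromised web server can ask only these two questions, with integer
# arguments, and the customers table is never reachable through it.
QUERIES = {
    "ORDER_STATUS": ("SELECT id, status FROM orders WHERE id = ?", 1),
    "ORDER_COUNT": ("SELECT COUNT(*) FROM orders WHERE customer_id = ?", 1),
}
MAX_LINE = 64
REQUEST = re.compile(r"^[A-Z_]+( [0-9]{1,9})*$")


def handle_request(db, line):
    """Internal service side: validate the line strictly, then run the one
    statement bound to the verb, with the arguments as bound parameters."""
    if len(line) > MAX_LINE or not REQUEST.match(line):
        raise ProtocolError("malformed request")
    verb, *args = line.split(" ")
    if verb not in QUERIES:
        raise ProtocolError("unknown verb")
    sql, arity = QUERIES[verb]
    if len(args) != arity:
        raise ProtocolError("wrong argument count")
    return db.execute(sql, tuple(int(a) for a in args)).fetchall()


def is_rejected(db, line):
    """True if the proxy protocol refuses the request outright."""
    try:
        handle_request(db, line)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # Direct path: the web server's own select statement returns the whole table.
    print(direct_sql(db, "SELECT name, email FROM customers"))
    # Proxy path: only the bound question is answerable.
    print(handle_request(db, "ORDER_STATUS 100"))
    for bad in ("SELECT name, email FROM customers", "ORDER_STATUS 100 1", "CUSTOMER_EMAIL 1"):
        print(repr(bad), "rejected:", is_rejected(db, bad))
```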
From firewalls-owner Thu Sep 5 11:14:02 1996
From: LLynch@tribune.com
To: firewalls@greatcircle.com
Date: Thu, 5 Sep 1996 12:57:30 -0500
Subject: Re: Re: Firewalls-Digest #484

On Thu, 29 Aug 1996 14:46:20 +0200, Bernhard Schneck wrote (Subject: Re: Firewalls-Digest V5 #484):

> > One extra note: Connecting the Web server directly to your database
> > would be a breach of security, you would in effect be providing any
> > hacker a direct line into your internal network, bypassing any
> > firewall/router security.
>
> That's what I was thinking about (mostly).
>
> When you allow access to internal data from external sources, you
> *should* assume that any access can be with hostile intent.
>
> In Jenjen's case (users access an external web server, which queries
> the internal database and returns query results in HTMLized form),
> this would mean that she/he has to assume that web server security
> has been breached and the web server is under full control of the
> attackers.
=A6 =A6Two things may happen: =A6- - the attackers gain access to data in the database =A6- - the attackers send wrong responses to users querying the service =A6 =A6Only mutual authentication between user and database will solve the =A6second problem, so let's stick to the first for now. =A6 =A6Encrypting the data stream between web server and database will not =A6help in this case, as some sort of keys will have to reside on the =A6web server (which was taken over by The Bad Guys). =A6 =A6Using challenge/response between server and database won't help =A6either ... again, The Bad Guys are already on the web server and can =A6fake those, too. =A6 =A6A private network connection (using any type of protocol) between =A6server and database won't help, unless the server has no way to speak =A6that protocol (but then, how would it send legitimate queries to the =A6database? :-) =A6What will help (at least somewhat) is =A6 =A6- - do not allow the web server to run any SQL statement against the =A6 database (The Bad Guys might plug in their own select statements) =A6 but use a restricted, well defined proxy protocol to a separate =A6 internal service with tight security, which will then access the =A6 database. =A6 --> Anyone will be able to access the data, but only in a (more or =A6 less) controlled fashion. I was thinking as you, not allowing SQL to be executed on the Webserver. = Unless your applications are very simple, that your are writing an API or a prot= ocol = for each application. This is job security, but may not be scaleable. Th= e other thing I hate about this is that it starts looking like "security through = obscurity" again. Is there a pointer to a more information on this subje= ct? Something else I ran across the other day: Vendor A has developed a search/retrieval/server product. If I have cont= ent = that I think users will pay for, I install the server product behind a FW= to = protect that investment in the content. 
Now we haven't talked about how = to = interface to the payment switch yet.... I install Vendor A's CGI on my W3 server outside the FW and install a plu= g-gw on a high numbered port to only accept incoming connects from my W3 server b= ound = for Vendor A's server. I find out that Vendor A's CGI is only a IP gatew= ay from the client to the Vendor A's server (there is nothing to the CGI, open so= cket, = connect, print STDIN to STDOUT). This tells me that the API/protocol mus= t be in the HTML form, this application is probably very simple. How secure is a CGI like this? (Vulnerablity: W3 server security) What I like about this is that there is no information (other than the = connecting address and the embedded API/values in the HTML form) on the W= 3 = server about the back-end service. It appears to be vulnerable to denial= of = service attacks (anyone can POST to this CGI and the W3 server will conta= ct = Vendor A's server thru the FW, consuming resources on the W3, FW and Vend= or A's = box). Your thoughts? If I use a Secure/Commerce W3 server, will SSL or SHTTP be foiled by Vend= or A's = CGI approach, but doesn't this mean that Vendor A's server would have to = support SSL and SHTTP also? If it does support one or both, there application st= arts to look a lot like a modified secure W3 server doesn't it? Now continuing on with this discussion: If the W3 server is taken over, = it can = talk to only one port on the FW bound for Vendor A's server. We are left= with = placing trust in Vendor A's application team for our network security. I= f this = application is secure, why is it behind the FW? They seem to be followin= g the = guide lines set forth by the NCSA Web Site Certification criteria. 
=A6 =A6- - challenge/response between the end user and the database on every =A6 transaction (`authenticated' state should not be kept) =A6 --> The Bad Guys can wait for such an access and sniff the data or =A6 can replace the web server and send their own queries using the =A6 intercepted user's authentication. =A6 =A6- - authenticated+encrypted links (eg. IPSEC AH/ESP) between end user =A6 and database *not* going through the web server (remember, it has =A6 been taken over! If it decrypts somehow, The Bad Guys are in) =A6 --> The Bad Guys will need to either break the encryption or the =A6 key exchage mechanism (which is supposed to be hard) =A6 =A6Unless you use a non subvertible channel between enduser and database,= =A6you're prone to snooping, if not worse! =A6 =A6Again: Encryption between web server and database may not be enough. =A6 =A6\Bernhard. =A6 From firewalls-owner Thu Sep 5 13:44:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA11390 for firewalls-outgoing; Thu, 5 Sep 1996 13:32:04 -0700 (PDT) Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA11372 for ; Thu, 5 Sep 1996 13:31:40 -0700 (PDT) From: potlicker@morebbs.com Received: by morebbs.com id 0N79E004 Thu, 05 Sep 96 16:30:56 Message-ID: <9609051630.0N79E00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Thu, 05 Sep 96 16:30:56 Subject: Mail and win95 To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A question has come up at Big Co. as to how to bypass their cc:Mail entirely and go from Windows 95 machines directly to their firewall. That's cos their cc:Mail crashed again and delayed mail for power users. Does anyone on the list know of freeware, shareware or commerical progams to run sendmail or popmail3 on a Windows 95 workstation? 
The Windows 95 workstations are 66 MHz 486s with 32 MB RAM and two 1 GB hard disks.

PoT_LiCkEr

From firewalls-owner Thu Sep 5 14:13:58 1996
Message-ID: <322F40BB.632A@sitesonthe.net>
Date: Thu, 05 Sep 1996 17:06:04 -0400
From: Robert Evans
Reply-To: pedro@orca.sitesonthe.net
Organization: GETtheNET, Inc.
To: firewalls@greatcircle.com
Subject: Appropriate List

Hi,

We are working with a Netware network and we want to put a www server up. We're using a Sparc box for the www server and want to pass the IP packets across the netware network. We looked at Sunsoft's Webscout, which is a client server package that does IP tunneling and puts a modified winsock.dll on each client. Will this allow all types of IP and UDP traffic to traverse the Novell Network? Are there going to be any problems with routing the packets to the www Server? Any suggestions from folks with experience in this area are greatly appreciated. I know this may not be an exactly appropriate place to post, but any help could be emailed directly, and pointers to more appropriate lists would be greatly appreciated.

Thanks in advance.

Bob
--
GETtheNET, Inc.
Heyburn Building
332 W. Broadway Suite 911
Louisville, KY 40202
502 585 4638
http://WWW.SitesOnThe.Net/

From firewalls-owner Thu Sep 5 14:44:10 1996
Date: Thu, 5 Sep 1996 17:37:39 -0400 (EDT)
From: Dave Wreski
To: firewalls@greatcircle.com
Subject: fw-1 2.0: Menu too large for screen

Argh. I am trying to add a host, and I am getting the following message:

  XView warning: Menu too large for screen (Command Menu package)

I have been away for a while, and someone else must have made some changes. Any idea what I can do to add a host?

Thanks,
Dave Wreski
--
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc

From firewalls-owner Thu Sep 5 15:29:11 1996
From: Jeff Murphy
Message-Id: <199609052217.SAA14315@smurfland.cit.buffalo.edu>
Subject: Re: fw-1 2.0: Menu too large for screen
To: tel1dvw@is.ups.com (Dave Wreski)
Date: Thu, 5 Sep 1996 18:17:16 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Dave Wreski" at Sep 5, 96 05:37:39 pm

Dave Wreski writes:
>
> Argh. I am trying to add a host, and I am getting the following message:
>
> XView warning: Menu too large for screen (Command Menu package)
>
> I have been away for a while, and someone else must have made some
> changes. Any idea what I can do to add a host?
>
> Thanks,
> Dave Wreski

Untick the "display in menu" check box in the host properties sheet. The hosts are no longer displayed in the "add" popup menu, only groups.
From firewalls-owner Thu Sep 5 15:43:57 1996
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199609052219.SAA23622@splinter.rtp.dg.com>
Subject: Re: C2 certified OS that can run a firewall
To: mcnabb@argus.cu-online.com (Paul McNabb)
Date: Thu, 5 Sep 1996 18:19:32 -0400 (EDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199609041436.JAA13457@argus.cu-online.com> from "Paul McNabb" at Sep 4, 96 09:36:14 am

> Of course C2 security is better than no security, but C2 was never

Welll ....... it is if you understand its limitations. Otherwise ...

> "designed for commercial use" as is sometimes written in articles and
> email. If you are in an environment where the system administrators
> want to *enforce* security on the users, B1 and higher security features
> are needed. But remember, none of the TCSEC ("Orange Book") security
> levels were designed for anything other than military/government use.
> It just happens that a lot of the security they specify is general-
> purpose and works well in all kinds of environments.

(1) B1 is not much better than C2.

(2) The strengths of B2 and above are related to the high assurance issues rather than to the features. At B2 you have a very good expectation that the system actually works like it is supposed to. After that, you must determine if the high assurance features really address the threats in your environment.

I would also argue the issue that TCSEC strictly addressed the military. The issues addressed by the TCSEC primarily, at B2 and above, focus on "how do you know it works - prove it!" The sad truth is that people who generated TCSEC systems focused on meeting precisely their interpretation of the minimum system that met the TCSEC requirements. That is not the TCSEC's fault.

--
Jon F. Spencer                    spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj)
Data General Corp.                Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119     FAX   : (919)248-6108
Research Triangle Park, NC 27709  Office RTP 121/9
Reality is an illusion - perception is what counts.
No success can compensate for failure in the home.  President David O. McKay
***** UCC 1-207 ********

From firewalls-owner Thu Sep 5 16:31:18 1996
From: Bill Maples
To: "'firewalls@greatcircle.com'", "'David Marcoux'"
Subject: RE: Secure Access Firwall (Ascend)??
Date: Thu, 5 Sep 1996 18:23:44 -0500

I am in the process of installing it today.
The features are better than I had expected. I don't have all the settings done correctly yet, but it is very user friendly. I would suggest that you go to Ascend's home page "www.ascend.com" and download the Secure Access Manager software package. It is the actual package that you will use to administer the router. You can set everything up in the software and build your own firewall; you just won't have a router to send the firewall to. Today I enabled WWW and SMTP Mail along with outbound FTP, but I am missing some protocol because I still can't get www to work. I'll try to reply back once I get it up and going.

----------
From: David Marcoux[SMTP:dmarcoux@radar.vertx.com]
Sent: Thursday, September 05, 1996 9:11 AM
To: firewalls@greatcircle.com
Subject: Secure Access Firwall (Ascend)??

Has anyone tried the new product from Ascend called "Secure Access Firewall?" I am very curious about the product.

------------------------------------------------------------------
David Marcoux
System Administrator / Web Master
dmarcoux@vertx.com
Vertex Software Corporation
http://www.vertx.com
(512) 328-3700 voice

From firewalls-owner Thu Sep 5 18:06:38 1996
Date: Thu, 5 Sep 1996 20:19:41 -0400 (EDT)
From: Rabid Wombat
To: Jon Spencer
cc: Paul McNabb, firewalls@GreatCircle.COM
Subject: Re: C2 certified OS that can run a firewall
In-Reply-To: <199609052219.SAA23622@splinter.rtp.dg.com>

On Thu, 5 Sep 1996, Jon Spencer wrote:

> > Of course C2 security is better than no security, but C2 was never
>
> Welll ....... it is if you understand its limitations. Otherwise ...
>

WTH does C2 security have to do with a system that should not have any user accounts on it, no user access to it?

-r.w.

From firewalls-owner Thu Sep 5 18:12:18 1996
Date: Thu, 5 Sep 1996 19:58:38 -0400 (EDT)
From: Rabid Wombat
To: HARRELLJ@emh7.monroe.army.mil
cc: firewalls@GreatCircle.COM
Subject: Re: Dialin

Could you load both IPX and IP stacks on the CUBIX processors? If so, look into running your remote control software (PC Anywhere supports IP connectivity) via a PPP dial-up connection into a terminal server on a bastion segment; use the terminal server to authenticate users. You could implement TACACS+ or RADIUS on the TS. Once you're through the TS and into the CUBIX (you can deny access to other devices at the TS and router servicing the bastion segment), log into PCAnywhere, take control of the CUBIX processor, and access your Novell assets via IPX.

-r.w.

On 4 Sep 1996 HARRELLJ@emh7.monroe.army.mil wrote:

> We are currently integrating an application based (proxy) firewall into
> our Novell/IPX and SUN/IP lan. Our current dialin capability is through
> a cubix dialin server (reachout software) acting as a workstation on the
> LAN, and it only passes screen, keyboard, and cursor movement to our
> remote PC. We then attach to one of our Novell servers (by IPX---our
> IP id statically given to the workstation by lanworkgroups). The
> management would like to put our current dialin hardware outside of the
> firewall and use Fortezza cards {yes, DMS :-( } for authentication.
> Problems I see: 1) Firewall can't see remote authentication token without
> seeing the remote computer that is dialing in with the current hardware
> 2) Cubix computers now talk IPX (not IP). So what is a standard
> architecture/configuration for dialin outside of Firewalls using
> authentication? It has to be simple---what am I missing? All ISPs do it,
> don't they? Would it be better to put a SUN outside of the Firewall for
> dialin, and then just FTP in to get files and/or forward email from the
> inside server? All opinions are helpful.
>
>                           Dialin Server
>                                |
> Here's what I'm thinking: router-------------Firewall----Internal LAN
>                                |
>                           WEB Server
>
> Thanks..
>
> V/R,
>
> Jonathan Harrell

From firewalls-owner Thu Sep 5 18:11:17 1996
Message-Id: <199609040536.XAA02230@remise>
To: Peiter Z
Cc: firewalls@greatcircle.com, bugtraq@netspace.org, best-of-security@suburbia.net
Subject: Re: BoS: SecurID White Paper
In-reply-to: peiterz's message of Wed, 04 Sep 1996 11:37:56 -0600. <199609041737.LAA01403@silence.secnet.com>
Reply-To: mcn@EnGarde.com
Date: Tue, 03 Sep 1996 23:36:07 -0600
From: Mike Neuman

I apologize for the cross post, but I believe this encompasses all of the mailing lists to which the original announcement was sent.

> SecurID Vulnerabilities White-Paper
>
> Due to increased recent interest that has been witnessed on the net
> about the SecurID token cards and potential vulnerabilities with their
> use, we offer a white paper on some of the vulnerabilities that we believe
> have been witnessed and/or speculated upon.

I appreciate the conclusion of the paper, which finally does proclaim that SecurID (and other one time password tokens) are extremely vulnerable. The vulnerabilities described seem to be overly esoteric, however. Unmentioned is perhaps the most serious flaw in one-time password systems: session hijacking attacks. It's trivial for an intruder to monitor the network, waiting for a user to legitimately authenticate themselves. Once authenticated, the intruder can hijack that user's connection and assume his credentials. This type of attack can even be automated. (If you believe hijacking is only a theoretical attack, see http://www.engarde.com/software/ipwatcher . Versions of our software have existed for about 4 years, and recently we've begun seeing some public domain hijacking tools available.)

The author does mention the use of combination encrypted sessions and one time passwords, which seems to be the best solution at present.

-Mike
mcn@EnGarde.com

From firewalls-owner Thu Sep 5 18:40:23 1996
Date: Wed, 4 Sep 96 13:09:43 -0400
Message-Id: <9609041709.AA27404@uc0009.wangfed.com>
From: "Wang Federal SSSO"
Reply-To: "Wang Federal SSSO"
To: firewalls@GreatCircle.COM
Subject: Re: C2 certified OS that can run a firewall

In message Robert Hanson writes:

> what is intended for "strong" protection then? tia...

It depends on which religion you subscribe to. If it's the NCSC religion, "strong" protection (which they call "high assurance") doesn't kick in until you're running on at least a B2-evaluated system (B3 and A1 will also do the trick). The notion behind "high assurance" is that covert channel analysis has been performed to ensure that mechanisms used by the operating system itself to exchange data between its own processes/objects cannot be subverted to bypass system security policy and exchange meaningful human-readable information (or, ostensibly, trojan horse code).
The practical notion behind it is that a high assurance system will not only be difficult to hack from the outside, it will be difficult to compromise by expert users on the inside. It will also make auditing of security administrator logins and logouts impossible to circumvent, even by the security administrator, so there is always *some* kind of audit trail even of the "superuser".

"Medium assurance" (B1) and "High Assurance" (B2-A1) systems also provide two access policies - discretionary, which is also provided on C-level systems, and mandatory, which is unique to B and A level systems. Used intelligently, a mandatory policy can help further protect firewall executable images and configuration files from hacker attack, and can also isolate the firewall from the underlying operating system in a way that is harder to circumvent than using discretionary access controls alone.

Anyone who's really interested in this stuff can take a look at the NCSC's Orange and Yellow Books. Those of the ITSEC persuasion will discover that their Protestantism isn't all that different from NCSC's Catholicism when it comes to defining "high assurance". The difference is that the ITSEC separates features from assurance when it rates a system, so that one could ostensibly have a system with all sorts of security features that are found in high assurance systems, with no corresponding level of assurance that the features work as designed and documented. I guess this is because (allegedly) in the commercial world (and, frighteningly, in much of the government) people don't care about independent certification of a vendor's security claims. For example, why would anyone in his right mind trust a vendor's word on whether the "hardened" UNIX on which its firewall runs actually has all the security "holes" removed? Or whether an unevaluated system truly has the assurance the vendor claims it does?

Oh well. There are a lot of folks who want to do away with the FDA, too, and leave it up to the individual drug companies to assure us their products are safe. I don't know if I'm too cynical, but I kind of like knowing that the organisation certifying the safeness of a drug - or the assurance of an operating system - isn't the same organisation that has a vested interest in selling that drug or organisation.

REALITY CHECK: Nothing the underlying operating system does can guarantee the correctness of the firewall application code. However, the operating system *can* be used to isolate that code in a way that will ensure that if the firewall code contains some (intentionally or unintentionally) malicious code, that malicious code cannot attack the operating system.

=====
K.M. GOERTZEL
Manager, Business Development
Secure Systems and Services Operation
WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
+1-703-827 3914
+1-703-827 3161 (fax)
goertzek@wangfed.com
http://www.wangfed.com/products/ssso/homepage.html
***
"The true artist has no pride, for he realizes art's demands are limitless, and though he may be admired or praised by others, he sees only darkly how far he is from his goal, when a greater inspiration shall shine before him like a distant sun."
-- Ludwig van Beethoven

From firewalls-owner Thu Sep 5 18:57:03 1996
From: Christopher Klaus
Message-Id: <199609041517.LAA31427@phoenix.iss.net>
Subject: C2 Myths
To: firewalls@greatcircle.com
Date: Wed, 4 Sep 1996 11:17:22 -0400 (EDT)

There is a lot of hype among security products touting the fact that they are C2 certified so that they are more secure than non-C2 security products. I was wondering how many people really perceive that C2 brings them a more secure product? Here's an interesting article from InfoWorld (www.infoworld.com) that explains C2 and tries to explain what benefits a C2 product provides.

Exploding the C2 myth
C2-level security had its place in the past, but today's systems need security that is much more robust
By Ben Rothke
Publication Date: August 26, 1996 (Vol. 18, Issue 35)

The label "C2 certified" is enough to make some users feel secure and cozy with what they perceive to be the Holy Grail of secure computing. Although C2-certified systems are often described as overly secure, the C2 designation is really the most bare-bones approach to a secure system.
The term C2 is being used to sell computer security products and operating systems the same way as phrases such as "100 percent organic," "doctor recommended," and "completely guaranteed" are used to sell vitamins. However, requiring C2 security in your corporation's security products and operating systems doesn't protect them from attack. In fact, you need to look to much more robust security products to protect systems at both the desktop and the network level. With-in the network operating systems realm, for example, NetWare and Windows NT Workstation are touted as C2 certified. Although C2 is a good starting point, it was never intended to be the one-and-only guarantee that security measures are up to snuff. Further complicating this issue are the different designations given to products. Some products boast that they are "C2 compliant," "C2 certifiable," "designed to C2," or "under C2 evaluation." But the term "designed to meet C2" does not mean the same thing as "evaluated at C2." Many vendors have been marketing their systems as designed to meet C2 requirements. This sounds impressive but actually is more likely to mean that a product is in evaluation, or a company is "thinking about someday having it evaluated." The C2 specification and the six related security levels are hampered by a slow and time-consuming certification process. Remember, the U.S. government does the testing. Certification can easily take longer than a year; it often takes as many as two years to complete. During that time, a product could go through an interim release, which would render the latest version uncertified because certification only applies to a specific version. For example, even though NT Workstation and NT Server 3.51 were C2-certified, Microsoft Corp. has to reapply for the certification of NT, Version 4.0. SEVEN LEVELS. 
The C2 security designation is just one of seven security levels specified in the Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC). The TCSEC is also known as the Orange Book (because of its orange cover). The need to measure trust and security led to the development of the TCSEC, which was first issued in 1985. It was created by the Department of Defense and the National Computer Security Center (NCSC). Seven security levels are listed, from the highest impenetrability to the lowest, in the Orange Book. A1 - Verified Design. The highest level demands formal security verification methods to ensure that security controls protect classified and other sensitive information. Even the National Security Agency cannot break in. B3 - Security Domains. This level is intended to protect systems from people with programming experience. B2 - Structured Protection. Hackers should not be able to break into a system with B2-level security. B1 - Labeled Protection. At this level, a really good hacker could possible break in, but users can't. C2 - Controlled Access Protection. C2 provides protection for log-in procedures, allows auditing of security-relevant events, and offers resource isolation. C1 - Discretionary Protection. This level enables users to set access controls to protect private or project information. D - Minimal Protection. The lowest level is reserved for systems that have been evaluated but have failed to meet the requirements for a higher evaluation class. POPULAR YET INSECURE. Some of the most important stipulations of C2-level security are discretionary access control, auditing, identification and authentication, and object reuse. Of these, the term most often used when discussing C2 is access control. Access control simply means that you can designate and control who can use any object within an operating system, from the file and directory level to printers and systems management. 
C2 also has provisions for system auditing to determine what users have done and where they have been within the system. The identification and authentication stipulation requires the system to use passwords to protect data from being accessed by unauthorized users. But even when a product meets these and other requirements and is C2 certified, that doesn't mean the system is bulletproof. The Orange Book is simply a book of basic specifications. One can have a C2 system that allows a user to have the password "password." Further, C2 certification does not require any tiger team penetration testing or any real requirement that holes identified in the system get fixed. (Tiger teams were first created by the military to test system security by staging attacks on sensitive computer systems.)

Operating systems such as MS-DOS, the MacOS, Windows, and OS/2 are considered to have level D protection because they provide no security. To be precise, these systems are not truly D-rated because they were never submitted for evaluation.

DATED INTENTIONS.

The design intentions of the C2 planners were impressive, but C2 has not held up over the years. The Orange Book has its roots in the U.S. military, which has security needs that are not comparable to a nonmilitary organization. The specification starts with the premise that every system is under attack. Although true in many situations, it is incorrect to accept that premise in all situations. Security experts say C2 levels of security are inadequate for protecting a computer from well-known attacks. C2 security relies entirely on discretionary access control, which means that all protective measures on the system are under the control of individual users. In particular, there are administrative users, such as Unix root or NetWare 3.x supervisors, and there are supervisor-equivalent users, who can circumvent any protection placed on system resources.
Thus, an attacker can bypass any system security measure by penetrating an administrative user account or by tricking such a user into executing a Trojan horse program.

C2 was a really good concept for its time, but it is somewhat dated, according to Padgett Peterson, a security expert based in Orlando, Fla. A big problem today is that people are trying to stretch Orange Book criteria and apply them to network environments. However, NT is only certified when not connected to a network, according to both the Trusted Products List and Microsoft's own documentation.

But other security experts believe that in spite of all its flaws, the Orange Book has a lot to offer to companies that have yet to secure their systems. "I never liked the Orange Book approach much, but it does have one benefit: It induces people who have to comply with it to make safer systems in general, even if I disagree with some of the desired functionality," says William Cheswick, a computer security expert and author of the 1994 book Firewalls and Internet Security: Repelling the Wily Hacker. "Commercial systems these days could be improved by following some of the Orange Book advice. Right now they are often wide open," Cheswick says.

BEYOND C2.

Companies such as Mergent International Inc., in Rocky Hill, Conn., and Fischer International Systems Corp., in Naples, Fla., offer products that go beyond making local workstations C2-compliant by providing additional security as well. Mergent's desktop security product, PC/DACS, available for DOS, Windows, and Windows 95, offers features such as encryption and a time-out option that lets users walk away without leaving their workstations vulnerable to attack.

The TCSEC criteria were a notable commodity in their day. But new security standards are sorely needed today, and they are indeed being worked on. The TCSEC criteria are a long way from being effective.
They can at times be inadequate, and they are often utterly ineffective when it comes to creating a secure corporate computing environment. So when a salesperson shows you a glossy brochure in which every 10th term is C2, don't get too excited. Rather than being the end of your search for a secure computing environment, C2 is just the beginning.

Ben Rothke is a New York-based network and security engineer for Citibank North America. The views expressed are his own. He can be reached via e-mail at 74710.3325@compuserve.com.

The Orange Book's purpose

The Orange Book has its roots in principles of a state-machine model developed by Bell and LaPadula in the early 1970s. That model has fallen into disuse today and is clearly no longer viewed as state of the art. The complete set of Trusted Computer System Evaluation Criteria (TCSEC) manuals is known as the Rainbow series, due to the different colors of the manuals. The Rainbow series currently is made up of more than 20 books. These numerous interpretations clarify Orange Book requirements with respect to specific system components. In 1987, the NCSC created the Red Book, which is an interpretation of Orange Book security requirements that are applicable to the network computing environment.

TCSEC criteria are developed around the concept of a Trusted Computing Base (TCB). The Orange Book defines the TCB as "The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy."

The government attempted to update the Rainbow series, but it never got beyond the stage of a first draft. Work on a document known as the Common Criteria began as the European TCSEC in 1993. Version 1.0 of the Common Criteria is now available. It was somewhat modified first by Canada and then by the United States. More information can be found at http://csrc.ncsl.nist.gov/nistpubs/cc.
The Orange Book offers this explanation of its goals: The TCSEC criteria defined in the Orange Book classify systems in four broad hierarchical divisions of enhanced security protection. They provide a basis for the evaluation of effectiveness of security controls built into automatic data processing system products. The criteria were developed with three objectives in mind:

* to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information;

* to provide guidance to manufacturers with regard to what to build into their new, widely available trusted commercial products in order to satisfy trust requirements for sensitive applications; and

* to provide a basis for specifying security requirements in acquisition specifications.

For more information on the Orange Book and C2, readers should consult Computer Security Basics, by Russell & Gangemi. The Orange Book is available online at http://www.disa.mil/MLS/info/orange. You can also order copies of the Orange Book from the Superintendent of Documents in the U.S. Government Printing Office at (202) 512-1800.

SCC takes a different security path

Secure Computing Corp. (SCC), in Roseville, Minn., has taken a unique approach to security with its Sidewinder Internet Firewall product. The company has effectively said, "To heck with C2, we will design something that works." SCC has designed its systems with the utmost security in mind, and it says that C2 is too limited in the real world. SCC says that even the mandatory access control mechanism customarily provided in B- and A-level systems is far too permissive for implementing guard and firewall systems. Instead, the company uses Type Enforcement, a patented mandatory access control mechanism it developed that provides a finer degree of control.
SCC implemented this mechanism in its Secure Network Server Mail Guard, a system for passing e-mail between classified and unclassified networks that offers a high level of security protection and verification. High security systems incorporate mandatory access control systems, such as the multilevel security mechanisms in B- or A-level systems, or Sidewinder's Type Enforcement. These mandatory systems prevent all users from circumventing vital access restrictions. On Sidewinder, for example, the Type Enforcement restrictions prevent even the highly privileged Internet mail server from accessing other portions of the system. In fact, the mail system can only pass messages to internal users by way of a separate, protected filtering process. Thus, if the Internet mail software is attacked and corrupted, the attacker is still blocked from penetrating the internal network. The mandatory protections applied to the mail software can only be disabled by taking the system down and restarting it, with its network connections disabled.

SCC validates its approach by having over a decade of experience developing highly assured computing systems in accordance with the National Computer Security Center's (NCSC) Orange Book requirements. Based on SCC's experience, Sidewinder would earn a B2- or B3-level certification if SCC did additional analytical and documentation tasks. SCC says that because its Sidewinder product was originally developed for the commercial market, there is very limited value to NCSC evaluations in the commercial market. Therefore, there is little cost justification for the additional work required to complete an NCSC evaluation. For more information, contact SCC at (800) 692-5625, or visit the company's Web site at http://www.sctc.com.

-- 
Christopher William Klaus                                Voice: (770)395-0150. Fax: (770)395-1972
Internet Security Systems, Inc.                          "Internet Scanner finds
Ste. 660, 41 Perimeter Center East, Atlanta, GA 30346    your network security holes
Web: http://www.iss.net/  Email: cklaus@iss.net          before the hackers do."

From firewalls-owner Thu Sep 5 18:59:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA25807 for firewalls-outgoing; Thu, 5 Sep 1996 16:59:17 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA25642 for ; Thu, 5 Sep 1996 16:58:31 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA11276; Thu, 5 Sep 1996 16:57:39 -0700 Received: from hidata.com(205.158.61.34) by mycroft via smap (V1.3mjr) id sma011274; Thu Sep 5 16:56:49 1996 Received: by hidata.com; id AA05519; Thu, 5 Sep 96 16:57:20 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma005517; Thu, 5 Sep 96 16:57:02 -0700 Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id QAA12253; Thu, 5 Sep 1996 16:56:57 -0700 Message-Id: <2.2.32.19960905235504.0036cf30@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 05 Sep 1996 16:55:04 -0700 To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: C2 certified OS that can run a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 06:19 PM 9/5/96 -0400, you wrote:
>> Of course C2 security is better than no security, but C2 was never
>> ...
>Welll ....... it is if you understand its limitations. Otherwise ...
>(1) B1 is not much better than C2.
>(2) The strengths of B2 and above are related to the high assurance issues
> rather than to the features. At B2 you have a very good expectation
>I would also argue the issue that TCSEC strictly addressed the military.
Using ancient government specs for leading edge technology is like trying to wedge square pegs into round holes. Since none of the existing certification processes comply with our requirements for firewalls, why not write our own security certification? Let Gatekeepers write an RFC as a customer writes an RFQ. The "Great Circle Firewall-List certification version 1.0", or gcfl-1. There. I said it. 'Make it so', and 'Engage'.

Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Thu Sep 5 19:04:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA01260 for firewalls-outgoing; Thu, 5 Sep 1996 17:59:12 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA01128 for ; Thu, 5 Sep 1996 17:58:32 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id VAA03267; Thu, 5 Sep 1996 21:03:46 -0500 From: Adam Shostack Message-Id: <199609060203.VAA03267@homeport.org> Subject: Re: options for proxying SSL traffic? To: junya@fsdirect.com Date: Thu, 5 Sep 1996 21:03:46 -0500 (EST) Cc: ssl-talk@netscape.com, firewalls@greatcircle.com In-Reply-To: from "junya@fsdirect.com" at Sep 5, 96 12:08:51 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'd go for a demilitarized zone, a third interface off the firewall with just the web server. Web servers tend to be big, complex, buggy bits of software with things like user written cgis that just blow your security. So, if you proxy a connection through the firewall to a box that's likely to be broken into, you need protection from that box.
Adam

junya@fsdirect.com wrote:
| If a network connected to the internet was using a proxy firewall (say,
| Gauntlet or fwtk), and had a web server behind the firewall which had
| SSL enabled, what options does the firewall administrator have to ensure
| that people outside can access the web server inside w/SSL?
|
| Someone at TIS said all that needed to be done was to use plug-gw (a
| generic proxy which just passes bytes) so that the firewall passes
| traffic. However, given that internal web browsers require a specific SSL
| proxy service to access SSL enabled web servers on the outside, I don't
| feel quite convinced. (won't browsers care that the host they're
| connecting to is different from what the passed certificate information
| says?)
|
| If it's the case that an SSL proxy service is needed for incoming requests,
| it would seem like the rules would have to be fairly stringent so that
| someone would not take advantage of it to probe the internal network -
| like having an HTTP proxy for incoming requests.
|
| Can someone explain, before I actually try it out?
|
|
| Junya Ho
| FSDirect
| v: 416 368 3920 x5411
| f: 416 368 5505
|

-- 
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Thu Sep 5 19:09:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA07286 for firewalls-outgoing; Thu, 5 Sep 1996 18:43:06 -0700 (PDT) Received: from norway.it.earthlink.net (norway-c.it.earthlink.net [204.119.177.49]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA07270 for ; Thu, 5 Sep 1996 18:42:52 -0700 (PDT) Received: from x.earthlnk.net (pool014.Max18.Orlando.FL.DYNIP.ALTER.NET [153.37.188.206]) by norway.it.earthlink.net (8.7.5/8.7.3) with SMTP id SAA08542 for ; Thu, 5 Sep 1996 18:35:10 -0700 (PDT) Date: Thu, 5 Sep 96 18:44:22 PST From: rich Subject: authenticated/encrypted sessions To: firewalls@greatcircle.com X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 4.6.3, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

This should be a simple one (yeah right) that should generate lots of responses (I hope). I want to set up authenticated and encrypted tunnels through a firewall. The rub: NO COMMERCIAL products allowed. My thoughts -- socks5, since I have to handle Windows 3.1, Win 95 and WinNT apps as well as Unix.

So, Comments? Suggestions? Strange Sounds?

ADVANCE,
rich

o' |,=./ `o (o o) -----ooO--(_)--Ooo-------
** Remember -- If you can keep your head when all others around you are losing theirs... You're probably not paying attention!
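As an added example alongside rich's question (not code from any SOCKS implementation or product named on the list), here is the SOCKS5 method negotiation from RFC 1928 and the username/password sub-negotiation from RFC 1929, written as byte-level messages for both the client and the firewall side so the whole exchange can be read without a network. The user "rich", the password, the target intranet.example:23 and the server's policy are made up for the demonstration. One thing worth seeing in the bytes: RFC 1929 carries the password in cleartext, so with this method the "authenticated" half of the tunnel is there but the "encrypted" half has to come from somewhere else (the GSS-API method of RFC 1961, or a layer above SOCKS).

```python
"""SOCKS5 method negotiation (RFC 1928) plus RFC 1929 username/password, as
byte-level messages for both sides.  Added example, not code from any SOCKS
product on the list; each function takes the bytes one side reads and
returns the bytes it sends.  User, password and target are made up."""
import hmac
import struct

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02


def client_greeting(methods) -> bytes:
    """VER NMETHODS METHODS: the authentication methods the client offers."""
    return bytes([VER, len(methods)]) + bytes(methods)

def client_userpass(username: str, password: str) -> bytes:
    """RFC 1929 request VER=1 ULEN UNAME PLEN PASSWD.  Carried in cleartext."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("RFC 1929 fields are 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def client_connect(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT, here with a domain-name target."""
    h = host.encode()
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)

def server_select_method(greeting: bytes, preference) -> bytes:
    """Reply VER METHOD: the first method in the server's preference order that
    the client offered, else 0xFF, after which the client must close."""
    if len(greeting) >= 2 and greeting[0] == VER:
        offered = set(greeting[2:2 + greeting[1]])
        for m in preference:
            if m in offered:
                return bytes([VER, m])
    return bytes([VER, NO_ACCEPTABLE])

def server_verify_userpass(request: bytes, credentials: dict) -> bytes:
    """RFC 1929 reply VER=1 STATUS: 0x00 means success, anything else closes."""
    try:
        if request[0] != 0x01:
            raise ValueError
        ulen = request[1]
        user = request[2:2 + ulen].decode()
        plen = request[2 + ulen]
        pw = request[3 + ulen:3 + ulen + plen]
        if len(user.encode()) != ulen or len(pw) != plen:
            raise ValueError
    except (IndexError, ValueError):
        return bytes([0x01, 0x01])
    # constant-time compare; an unknown user and a wrong password look alike
    ok = user in credentials and hmac.compare_digest(pw, credentials[user].encode())
    return bytes([0x01, 0x00 if ok else 0x01])

def server_handle_connect(request: bytes, allowed) -> tuple:
    """Apply a destination policy to a domain-name CONNECT.  Returns the reply
    VER REP RSV ATYP BND.ADDR BND.PORT and the accepted (host, port) or None."""
    refused = bytes([VER, REP_NOT_ALLOWED, 0x00, ATYP_IPV4]) + bytes(6)
    if len(request) < 7 or request[:2] != bytes([VER, CMD_CONNECT]) or request[3] != ATYP_DOMAIN:
        return refused, None
    n = request[4]
    if len(request) != 7 + n:
        return refused, None
    host = request[5:5 + n].decode(errors="replace")
    (port,) = struct.unpack("!H", request[5 + n:])
    if (host, port) not in allowed:
        return refused, None
    # BND.ADDR/BND.PORT would describe the relay socket; nothing is bound here
    return bytes([VER, REP_SUCCEEDED, 0x00, ATYP_IPV4]) + bytes(6), (host, port)

def handshake(client_methods, user, password, target, server_pref, credentials, allowed):
    """Drive both sides through the whole exchange; returns (transcript, outcome)."""
    log = []
    def send(side, msg):
        log.append((side, msg))
        return msg
    choice = send("S->C", server_select_method(send("C->S", client_greeting(client_methods)), server_pref))
    if choice[1] == NO_ACCEPTABLE:
        return log, "no acceptable method; client closes"
    if choice[1] == USERPASS:
        status = send("S->C", server_verify_userpass(send("C->S", client_userpass(user, password)), credentials))
        if status[1] != 0x00:
            return log, "authentication failed; server closes"
    reply, dest = server_handle_connect(send("C->S", client_connect(*target)), allowed)
    send("S->C", reply)
    return log, ("connected to %s:%d" % dest) if dest else "connect refused by policy"


if __name__ == "__main__":
    log, outcome = handshake([NO_AUTH, USERPASS], "rich", "correct horse", ("intranet.example", 23),
                             [USERPASS], {"rich": "correct horse"}, {("intranet.example", 23)})
    for side, msg in log:
        print(side, msg.hex(" "))
    print(outcome)
```

The server's preference list is the policy lever: a firewall that lists only USERPASS answers a client offering only NO_AUTH with 0xFF and never reaches the CONNECT stage, and the destination whitelist in server_handle_connect is what keeps an authenticated user from using the relay to probe the internal network.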
From firewalls-owner Thu Sep 5 19:59:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA14527 for firewalls-outgoing; Thu, 5 Sep 1996 19:37:56 -0700 (PDT) Received: from dallas-cs-000.novare.net ([205.229.104.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA14466 for ; Thu, 5 Sep 1996 19:37:35 -0700 (PDT) Received: from muggles (mark@muggles.novare.net [205.229.105.72]) by dallas-cs-000.novare.net (8.7.5/8.6.9) with SMTP id VAA10597 for ; Thu, 5 Sep 1996 21:36:21 -0500 Message-ID: <322F9189.7ADCFED4@novare.net> Date: Thu, 05 Sep 1996 21:50:49 -0500 From: mark Organization: novare international advanced weapons division X-Mailer: Mozilla 3.0 (X11; I; Linux 2.0.6 i586) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: a linux firewall admin'd with ipfwadm Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

anyone done it and if so can you offer any pointers? i have the reading material, but some anecdotal wisdom would be helpful. and i'll be happy to discuss configuration specifics if necessary.
thanks, mark

From firewalls-owner Thu Sep 5 20:14:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA14824 for firewalls-outgoing; Thu, 5 Sep 1996 19:39:52 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA14789 for ; Thu, 5 Sep 1996 19:39:30 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Fri, 6 Sep 96 04:38 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 6 Sep 96 04:38 MET DST Received: by lina id m0uyqhj-0004jQC (Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 6 Sep 96 04:31 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: Mail and win95 To: firewalls@greatcircle.com Date: Fri, 6 Sep 1996 04:31:34 +0200 (MET DST) In-Reply-To: <9609051630.0N79E00@morebbs.com> from "potlicker@morebbs.com" at Sep 5, 96 04:30:56 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> A question has come up at Big Co. as to how to bypass their cc:Mail
> entirely and go from Windows 95 machines directly to their firewall.
> That's cos their cc:Mail crashed again and delayed mail for power users.

Are you talking about an MTA on the W95 system or a POP3 MUA? The latter is easy: use Netscape, Eudora or the MS Exchange Client (from the PLUS package) to access a POP3 server and send SMTP mail. Of course you need an MTA host (how about Linux with smail and qpopper?). This is much better than running a mailer on a desktop system. Of course this is not a firewall question.
Greetings
Bernd

From firewalls-owner Thu Sep 5 20:48:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA24174 for firewalls-outgoing; Thu, 5 Sep 1996 20:35:37 -0700 (PDT) Received: from omega.IntraNet.com (omega.IntraNet.com [192.148.106.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA24136 for ; Thu, 5 Sep 1996 20:35:25 -0700 (PDT) Received: by omega.IntraNet.com; (5.65/1.1.8.3/20May95-0100AM) id AA09890; Thu, 5 Sep 1996 23:40:43 -0400 Received: by giant.IntraNet.com (DECUS UUCP /2.0/2.0/2.0/); Thu, 5 Sep 96 23:23:40 EDT Received: by intranet.com (MX V4.2 VAX) id 1; Thu, 05 Sep 1996 23:23:38 EDT Date: Thu, 05 Sep 1996 23:23:37 EDT From: "G. Del Merritt" To: Firewalls@GreatCircle.COM Message-Id: <009A7F09.BAB2B644.1@intranet.com> Subject: Re: Firewalls-Digest V5 #494 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In-reply-to: "potlicker@morebbs.com"'s message of 05 Sep 96 16:30:56

> :
> Does anyone on the list know of freeware, shareware or commercial
> programs to run sendmail or popmail3 on a Windows 95 workstation?
> The Windows 95 workstations are 66 mhz 486's with 32 MB RAM and two 1 GB
> hard disks.

Mosaic can do SMTP to any node with a proper MX record. It's pretty free. Don't know off hand of standalone pop clients for windoze.

-- 
Del Merritt, ** del@IntraNet.com
IntraNet, Inc., One Gateway Center #700, Newton, MA 02158
Voice: 617-527-7020; FAX: 617-527-1761
Just say no to Clipper.
You may not add me to a commercial mailing list or send me commercial advertising without my consent.
From firewalls-owner Thu Sep 5 21:04:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA24320 for firewalls-outgoing; Thu, 5 Sep 1996 20:37:17 -0700 (PDT) Received: from ns.helec.co.nz ([202.49.84.17]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA24302 for ; Thu, 5 Sep 1996 20:36:57 -0700 (PDT) Received: from dev.helec.co.nz (gw.helec.co.nz [202.49.84.24]) by ns.helec.co.nz (8.7.4/8.7.3) with ESMTP id WAA01260 for ; Thu, 5 Sep 1996 22:54:10 +1200 Received: (from john@localhost) by dev.helec.co.nz (8.7.4/8.7.3) id WAA06651 for Firewalls@GreatCircle.COM; Thu, 5 Sep 1996 22:57:04 +1200 From: john@helec.co.nz (John L Hardcastle) Message-Id: <9609052257.ZM6650@dev.helec.co.nz> Date: Thu, 5 Sep 1996 22:57:03 +0000 In-Reply-To: firewalls-digest-owner@GreatCircle.COM (Firewalls-Digest) "Firewalls-Digest V5 #493" (Sep 5, 1:00am) References: <199609050800.BAA26701@miles.greatcircle.com> X-Mailer: Z-Mail (3.2.1 24feb96 Caldera) To: Firewalls@GreatCircle.COM Subject: NT port activity list Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Bill Stout[SMTP:bill.stout@hidata.com] > Sent: Tuesday, September 03, 1996 11:42 AM > To: Firewalls@GreatCircle.COM > Subject: Re: NT port activity list Like you Bill, I'm intrigued by this subject and would like to know more, and I've been chatting with Russ offline. > I haven't completed a Satan scan against an NT system yet, but this > is what I got so far. Also much of the system-level communication > is still a mystery; logon process, etc (RPC?). My approach, if I had time, would be to set up an NT server on a small LAN with one host sniffing the NT traffic and another flailing the NT server with Satan. NT boxes seem to love to advertize their services. It should be an easy exercise to generate a fair list of all the things NT responds to and just how it responds would be quite educational.... 
One could use tcpdump or similar, capture the NT traffic to a file and analyze it with Unix tools. Perhaps someone would like to do this and let us all know the outcome? It's important to know all the potentially dangerous services which should be blocked or carefully handled by a firewall. I bet there are some builtins no one knows about yet, like license crawlers. Oh, imagination and the fascination of the unknown! Any far-siders talking out there? Any one in the know from M$ itself reading this and feeling public spirited? Hot topic...

BTW you can learn quite a lot from your own firewall logs if you turn on logging for every denied service and connection......

-- 
John L Hardcastle, Director, HARDCASTLE ELECTRONICS LIMITED
P O Box 74028 Market Rd, Auckland 5
Level 7, Eden House, 44 Khyber Pass Rd, Grafton, Auckland, NEW ZEALAND
Tel +64.9.366.1502 Fax +64.9.366.1554
Internet: john@helec.co.nz http://www.helec.co.nz/~helec

From firewalls-owner Thu Sep 5 21:19:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA28171 for firewalls-outgoing; Thu, 5 Sep 1996 21:03:12 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA28119 for ; Thu, 5 Sep 1996 21:02:57 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Fri, 6 Sep 96 06:02 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 6 Sep 96 06:02 MET DST Received: by lina id m0uyrzY-0004jQC (Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 6 Sep 96 05:54 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: C2 Myths To: cklaus@iss.net (Christopher Klaus) Date: Fri, 6 Sep 1996 05:54:02 +0200 (MET DST) Cc: firewalls@greatcircle.com In-Reply-To: <199609041517.LAA31427@phoenix.iss.net> from "Christopher Klaus" at Sep 4, 96 11:17:22 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> A1 - Verified Design. The highest level demands formal security verification
> methods to ensure that security controls protect classified and other
> sensitive information. Even the National Security Agency cannot break in.
>
> B3 - Security Domains. This level is intended to protect systems from people
> with programming experience.
>
> B2 - Structured Protection. Hackers should not be able to break into a
> system with B2-level security.
>
> B1 - Labeled Protection. At this level, a really good hacker could possibly
> break in, but users can't.
>
> C2 - Controlled Access Protection. C2 provides protection for log-in
> procedures, allows auditing of security-relevant events, and offers resource
> isolation.
>
> C1 - Discretionary Protection. This level enables users to set access
> controls to protect private or project information.
>
> D - Minimal Protection. The lowest level is reserved for systems that have
> been evaluated but have failed to meet the requirements for a higher
> evaluation class.

Sorry, this is not very useful... "Users", "Hackers", "people with programming experience", "NSA" is not a useful (nor realistic) attribution for security classes.

Greetings
Bernd
-- 
(OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( ..
) ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/ o--o *plush* 2048/A2C51749 eckes@irc +4972573817 *plush* (O____O) If privacy is outlawed only Outlaws have privacy From firewalls-owner Thu Sep 5 23:14:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA06098 for firewalls-outgoing; Thu, 5 Sep 1996 23:04:13 -0700 (PDT) Received: from gate1.scandpower.no (gate1.scandpower.no [193.91.254.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA06090 for ; Thu, 5 Sep 1996 23:04:05 -0700 (PDT) Received: by gate1.scandpower.no; (5.65v3.2/1.3/10May95) id AA32407; Fri, 6 Sep 1996 08:04:09 +0200 Message-Id: <2.2.16.19960906061714.2c37c812@bill.halden.scandpower.no> X-Sender: bak@bill.halden.scandpower.no X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 08:17:14 +0200 To: firewalls@greatcircle.com From: Bjorn-Arild Kydland Subject: RADIUS protocol specifications Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have a pointer to the RADIUS protocol specification? 
***************************************************************** Bjorn-Arild Kydland E-mail: bjorn-arild.kydland@halden.scandpower.no Scandpower A/S X.400 G=bjorn-arild S=kydland OU1=halden Os Alle 9 P=scandpower A=telemax C=no N-1777 Halden NORWAY Phone (+47) 69184100 Fax (+47) 69184435 Pager (+47) 96514696 ***************************************************************** From firewalls-owner Fri Sep 6 01:27:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA10751 for firewalls-outgoing; Fri, 6 Sep 1996 01:08:11 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA10744 for ; Fri, 6 Sep 1996 01:08:04 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id BAA00921; Fri, 6 Sep 1996 01:07:40 -0700 Date: Fri, 6 Sep 1996 01:07:40 -0700 (PDT) From: Robert Hanson To: Bjorn-Arild Kydland cc: firewalls@GreatCircle.COM Subject: Re: RADIUS protocol specifications In-Reply-To: <2.2.16.19960906061714.2c37c812@bill.halden.scandpower.no> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk check www.livingston.com or ftp.livingston.com it's there somewhere ---> Robert H. Hanson LAN/WAN Consultant - Internet Service Provider Otis Orchards, Wa. Cutting Edge Communications www.cet.com (509) 927-9541 finger: info@cet.com or email: roberth@cet.com On Fri, 6 Sep 1996, Bjorn-Arild Kydland wrote: > Does anyone have a pointer to the RADIUS protocol specification? 
> *****************************************************************
> Bjorn-Arild Kydland E-mail: bjorn-arild.kydland@halden.scandpower.no
> Scandpower A/S X.400 G=bjorn-arild S=kydland OU1=halden
> Os Alle 9 P=scandpower A=telemax C=no
> N-1777 Halden
> NORWAY
>
> Phone (+47) 69184100 Fax (+47) 69184435
> Pager (+47) 96514696
> *****************************************************************
>

From firewalls-owner Fri Sep 6 02:59:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA15920 for firewalls-outgoing; Fri, 6 Sep 1996 02:33:53 -0700 (PDT) Received: from rara.kotel.co.kr (rara.kotel.co.kr [147.6.15.64]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA15820 for ; Fri, 6 Sep 1996 02:33:08 -0700 (PDT) Received: by rara.kotel.co.kr (8.6.9H1/8.6.4) id RAA18104; Fri, 6 Sep 1996 17:59:48 +1000 From: Kim Message-Id: <199609060759.RAA18104@rara.kotel.co.kr> Subject: firewall-1 delay is tolerable ? To: firewalls@GreatCircle.COM Date: Fri, 6 Sep 1996 17:59:44 +0900 (GMT+9:00) X-Mailer: ELM [version 2.4 PL21-h4] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-2022-kr Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am using FW-1 2.0 on a SPARC 1000 with 2 CPUs. Ping and traceroute passing through the firewall indicate that the delay there is great, and the delay is very clear when comparing it with pings at the outside router. Also the system collision indicator shows excessive, I think, collision status. Do you have any nice improvements about this?

- Kim.
From firewalls-owner Fri Sep 6 04:17:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA22229 for firewalls-outgoing; Fri, 6 Sep 1996 03:55:22 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA22186 for ; Fri, 6 Sep 1996 03:54:57 -0700 (PDT) Received: from pferguso-pc.cisco.com ([171.68.52.54]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id DAA09492; Fri, 6 Sep 1996 03:54:16 -0700 Message-Id: <2.2.32.19960906105430.006d62cc@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 06:54:30 -0400 To: Bjorn-Arild Kydland From: Paul Ferguson Subject: Re: RADIUS protocol specifications Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:17 AM 9/6/96 +0200, Bjorn-Arild Kydland wrote: > >Does anyone have a pointer to the RADIUS protocol specification? The RADIUS 'specification' is still an I-D [Internet Draft]: Remote Authentication Dial In User Service (RADIUS) http://www.internic.net/internet-drafts/draft-ietf-radius-radius-05.txt - paul >***************************************************************** >Bjorn-Arild Kydland E-mail: bjorn-arild.kydland@halden.scandpower.no >Scandpower A/S X.400 G=bjorn-arild S=kydland OU1=halden >Os Alle 9 P=scandpower A=telemax C=no >N-1777 Halden >NORWAY > >Phone (+47) 69184100 Fax (+47) 69184435 >Pager (+47) 96514696 >***************************************************************** > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Fri Sep 6 05:14:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA25054 for firewalls-outgoing; Fri, 6 Sep 1996 04:58:51 -0700 (PDT) Received: from gateway.fcmc.com (gateway.fcmc.com [207.17.186.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA25024 for ; Fri, 6 Sep 1996 04:58:30 -0700 (PDT) Received: by gateway.fcmc.com; id HAA05712; Fri, 6 Sep 1996 07:53:40 -0400 Received: from unknown(192.129.90.50) by vone.fcmc.com via smap (g3.0.3) id xma005710; Fri, 6 Sep 96 07:53:35 -0400 Received: from anderson.fcmc.com by moonraker.fcmc.COM (4.1/SMI-4.1) id AA20149; Fri, 6 Sep 96 07:58:14 EDT Received: from alanis.fcmc.com by anderson.fcmc.com (4.1/SMI-4.1) id AA02542; Fri, 6 Sep 96 07:58:10 EDT Received: by alanis.fcmc.com (SMI-8.6/SMI-SVR4) id HAA04441; Fri, 6 Sep 1996 07:53:12 -0400 From: "James Rippas (Technology)" Message-Id: <9609060753.ZM4439@alanis> Date: Fri, 6 Sep 1996 07:53:11 -0400 X-Mailer: Z-Mail (3.2.1 10oct95) To: firewalls@greatcircle.com Subject: traceroute through a packet filter Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'd like to know what ports/protocol I need to permit through a packet filter for traceroute to work. I've tried just ICMP/traceroute, but that doesn't work. I suspect I need to let a UDP port through, but I'm not sure. 
Thanks, -jim From firewalls-owner Fri Sep 6 05:32:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA26332 for firewalls-outgoing; Fri, 6 Sep 1996 05:17:05 -0700 (PDT) Received: from zang.com (zang.com [204.119.251.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA26191 for ; Fri, 6 Sep 1996 05:16:28 -0700 (PDT) Received: (from mark@localhost) by zang.com (8.6.9/zang) id CAA09218 for firewalls@greatcircle.com; Fri, 6 Sep 1996 02:14:11 -1000 From: Mark (Mookie) Message-Id: <199609061214.CAA09218@zang.com> Subject: Need static NAT product pointers To: firewalls@greatcircle.com Date: Fri, 6 Sep 1996 02:14:09 -1000 (HST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I am looking for NAT products which can do static mappings of external registered IP addresses to internal RFC1597 addresses. External IPs should always be presented as the same individual internal IP every time. I do NOT want dynamic pools. What I am after is: external nat internal host 1.2.3.4 ---------|===========|------- 172.16.1.4 host 1.2.3.5 ---------| |------- 172.16.1.5 host 1.2.3.6 ---------| |------- 172.16.1.6 host 3.4.5.6 ---------| |------- 172.16.9.6 host 3.4.5.7 ---------| |------- 172.16.9.7 host 3.4.5.8 ---------|===========|------- 172.16.9.8 The above mappings should be permanent so that each time the external connects through the NAT machine, the same IP address as used before is assigned for the new connection. No other hosts should be able to reuse the internal IP. Highly desirable is the ability to filter and do next-hop-enforcing on all packets. Hosts which have not been defined for mapping should be rejected, with optional logging. Please email me replies directly. 
Thanks, Mark mark@zang.com From firewalls-owner Fri Sep 6 05:47:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA25082 for firewalls-outgoing; Fri, 6 Sep 1996 04:59:06 -0700 (PDT) Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA25033 for ; Fri, 6 Sep 1996 04:58:37 -0700 (PDT) Received: (from smap@localhost) by ereapp.erenj.com (8.7.4/8.7.3) id HAA05525; Fri, 6 Sep 1996 07:57:49 -0400 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma005510; Fri Sep 6 07:57:33 1996 Received: from stargate.erenj.com (stargate.erenj.com [159.70.1.8]) by eredns.erenj.com (8.7.4/8.7.3) with SMTP id HAA19753; Fri, 6 Sep 1996 07:57:32 -0400 Received: from stargate.erenj.com by stargate.erenj.com; (5.65v3.2/1.1.8.2/12Feb96-1009AM/bdboyle@erenj.com) id AA20184; Fri, 6 Sep 1996 07:57:31 -0400 Message-Id: <323011AB.446B@erenj.com> Date: Fri, 06 Sep 1996 07:57:31 -0400 From: "Bryan D. Boyle" Organization: Exxon Research and Engineering Co. X-Mailer: Mozilla 3.0 (X11; I; OSF1 V4.0 alpha) Mime-Version: 1.0 To: Rabid Wombat Cc: firewalls@greatcircle.com Subject: Re: C2 certified OS that can run a firewall References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rabid Wombat wrote: > > On Thu, 5 Sep 1996, Jon Spencer wrote: > > > > Of course C2 security is better than no security, but C2 was never > > > > Welll ....... it is if you understand its limitations. Otherwise ... > > > > WTH does C2 security have to do with a system that should not have any > user accounts on it, no user access to it? Nothing. 
But, it is a good buzzword that can be thrown around to make it look like you know what you are talking about, when, in fact, if you run the full suite of C2, you probably have opened up more holes in your os than if you actually ran a stripped-down, tightly configured, and heavily controlled system environment. But C2 is some sort of magic talisman for security. Like MTBE is a good oxygenate for gasoline. It impresses those that don't know any better. Of course, if you don't run the system EXACTLY as the qualification suite specified, the system is not rated at the level you think you are. -- Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338 #include | http://www.access.digex.net/~bdboyle/index.html "They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, Historical Review of Pennsylvania From firewalls-owner Fri Sep 6 06:14:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA27038 for firewalls-outgoing; Fri, 6 Sep 1996 05:35:08 -0700 (PDT) Received: from itchy.mindspring.com (itchy.mindspring.com [204.180.128.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA27031 for ; Fri, 6 Sep 1996 05:34:57 -0700 (PDT) Received: from [168.121.206.219] (user-168-121-206-219.dialup.mindspring.com [168.121.206.219]) by itchy.mindspring.com (8.7.5/8.7.3) with SMTP id IAA05296; Fri, 6 Sep 1996 08:34:41 -0400 (EDT) Date: Fri, 6 Sep 1996 08:34:41 -0400 (EDT) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Christopher Klaus From: pelicans@mindspring.com (BeachCruiser) Subject: Re: C2 Myths Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >SCC takes a different security path > >Secure Computing Corp. (SCC), in Roseville, Minn., has taken a unique >approach to security with its Sidewinder Internet Firewall product. 
>For more information, contact SCC at (800) 692-5625, or visit the company's >Web site at http://www.sctc.com. Great post Christopher. ...and these ads just keep getting get better and better. :-) ___________________________ Bob McKisson Cypress Systems Corporation P. O. Box 809 Virginia Beach, VA 23451 (757) 425-4195 Voice (757) 425-4196 FAX (757) 442-0008 STU-III pelicans@mindspring.com From firewalls-owner Fri Sep 6 06:24:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA27222 for firewalls-outgoing; Fri, 6 Sep 1996 05:37:32 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA27214 for ; Fri, 6 Sep 1996 05:37:17 -0700 (PDT) Received: by mercury.Sun.COM (Sun.COM) id FAA22482; Fri, 6 Sep 1996 05:37:06 -0700 Received: from congress.East.Sun.COM by East.Sun.COM (5.x/SMI-5.3) id AA04675; Fri, 6 Sep 1996 08:37:04 -0400 Received: from rest1000.East.Sun.COM by congress.East.Sun.COM (4.1/SMI-4.1) id AA03865; Fri, 6 Sep 96 08:37:02 EDT Received: by rest1000.East.Sun.COM (5.0/SMI-SVR4) id AA19439; Fri, 6 Sep 1996 08:40:07 -0400 From: Wayne.Gifford@East.Sun.COM (Wayne Gifford - Internet Commerce Group) Message-Id: <9609061240.AA19439@rest1000.East.Sun.COM> Subject: Re: authenticated/encrypted sessions To: firewalls@greatcircle.com Date: Fri, 6 Sep 1996 08:40:06 -0500 (EDT) In-Reply-To: from "rich" at Sep 5, 96 06:44:22 pm X-Mailer: ELM [version 2.4 PL21] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Hi, > > This should be a simple one (yeah right) that should generate lots > of responses (I hope). > > I want to set up authenticated and encrypted tunnels through a > firewall. the rub, NO COMMERCIAL products allowed. My thoughts -- > socks5 since I have to handle windows 3.1, win 95 and winNT apps > as well as Unix. > > So, Comments? Suggestions? Strange Sounds? 
> Go to http://skip.incog.com and grab the SKIP source code and roll your own. giff -- Wayne Gifford giff@incog.com Sun Internet Commerce Group Phone 415-336-0253 http://www.incog.com Phax 415-336-0673 From firewalls-owner Fri Sep 6 06:30:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA29320 for firewalls-outgoing; Fri, 6 Sep 1996 06:00:03 -0700 (PDT) Received: from gateway.fcmc.com (gateway.fcmc.com [207.17.186.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA29202 for ; Fri, 6 Sep 1996 05:59:29 -0700 (PDT) Received: by gateway.fcmc.com; id IAA06747; Fri, 6 Sep 1996 08:54:40 -0400 Received: from unknown(192.129.90.50) by vone.fcmc.com via smap (g3.0.3) id xma006741; Fri, 6 Sep 96 08:54:20 -0400 Received: from anderson.fcmc.com by moonraker.fcmc.COM (4.1/SMI-4.1) id AA20673; Fri, 6 Sep 96 08:58:59 EDT Received: from alanis.fcmc.com by anderson.fcmc.com (4.1/SMI-4.1) id AA03487; Fri, 6 Sep 96 08:58:55 EDT Received: by alanis.fcmc.com (SMI-8.6/SMI-SVR4) id IAA04510; Fri, 6 Sep 1996 08:53:56 -0400 From: "James Rippas (Technology)" Message-Id: <9609060853.ZM4508@alanis> Date: Fri, 6 Sep 1996 08:53:56 -0400 X-Mailer: Z-Mail (3.2.1 10oct95) To: firewalls@GreatCircle.COM Subject: traceroute Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I'd like to know what ports/protocol I need to permit through a packet filter for traceroute to work. I've tried just ICMP/traceroute, but that doesn't work. I suspect I need to let a UDP port through, but I'm not sure. 
Thanks, -jim From firewalls-owner Fri Sep 6 06:50:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA29604 for firewalls-outgoing; Fri, 6 Sep 1996 06:01:37 -0700 (PDT) Received: from mail.rc.toronto.on.ca ([207.6.29.231]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA29563 for ; Fri, 6 Sep 1996 06:01:16 -0700 (PDT) Received: by mail.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BB9BD1.E61003E0@mail.rc.toronto.on.ca>; Fri, 6 Sep 1996 09:00:49 -0400 Message-ID: From: Russ To: "'Firewalls'" Subject: Building a monitoring system Date: Fri, 6 Sep 1996 09:00:45 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Howdy folks, I'm going to take the plunge into Unix by way of building a monitoring system that would be dedicated to the task of reporting the actions of the other machines on my very small network. Given my limited Unix background, I figured the best way to approach this would be to ask y'all what this box should be. I've got a 486DX-100 sitting here with 8MB of RAM and a el cheapo PCI NE2000 clone NIC. I've got 1GB of drive and an ATI VGA Wonder VGA adapter. A floppy, a Future Domain TMC3260 PCI SCSI-2 adapter, and a NEC 3x SCSI CD round out the box. 
So:
- what OS should I use (downloadable from the net would be preferred)
- will the OS support the hardware I described, or do I need more/different/better hardware
- what packet monitor tool would be recommended; I would like something that I can set filters on and run several filters at once into different captures if possible
- could somebody lend me a bookmark file of Unix tools links for the recommended OS
- configuration recommendations would be appreciated
I've got similar functionality in my NT boxes, so it's not that I can't do this in NT. I want to put a dedicated box in place for this now, so I figured I'd give Unix a try at this before I put NT on it. If it works well, I'll just leave it there, maybe allowing me to give you more detailed dumps of NT activity that you can actually grep...;-] A lot of people have been very helpful to me over time, and I have really appreciated that help, so I ask you to respond to me in private email once again and make your suggestions. I promise to summarize the system once it's put together and post it to the list.
Cheers, Russ Cheers, Russ From firewalls-owner Fri Sep 6 07:21:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA04644 for firewalls-outgoing; Fri, 6 Sep 1996 06:45:37 -0700 (PDT) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA04626 for ; Fri, 6 Sep 1996 06:45:21 -0700 (PDT) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.5/8.6.4) with ESMTP id IAA07680; Fri, 6 Sep 1996 08:45:07 -0500 (CDT) From: Doug Hughes Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id IAA28913; Fri, 6 Sep 1996 08:45:06 -0500 Date: Fri, 6 Sep 1996 08:45:06 -0500 Subject: Re: authenticated/encrypted sessions To: rich Cc: firewalls@GreatCircle.COM Message-Id: X-Mailer: TkMail 4.0beta6 In-Reply-To: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk What about designing a proxy for stel or ssh? A proxy would probably be harder to do in this instance than a packet filter of some sort because they both have active man in the middle prevention which might get in your way depending on how you implement your proxy. 
-- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu From firewalls-owner Fri Sep 6 07:21:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA28948 for firewalls-outgoing; Fri, 6 Sep 1996 05:57:38 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA28908 for ; Fri, 6 Sep 1996 05:57:23 -0700 (PDT) Received: from pferguso-pc.cisco.com ([171.68.52.54]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id FAA08029; Fri, 6 Sep 1996 05:56:33 -0700 Message-Id: <2.2.32.19960906125633.0071a95c@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 08:56:33 -0400 To: Mark (Mookie) From: Paul Ferguson Subject: Re: Need static NAT product pointers Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The cisco/NTI Private Internet eXchange [PIX] has the ability to do this: http://www.translation.com Also, the upcoming release of cisco IOS 11.2 will integrate NAT functionality into the router software; this particular functionality will also allow you to do as you've described. - paul At 02:14 AM 9/6/96 -1000, Mookie wrote: >Hi, > >I am looking for NAT products which can do static mappings of external >registered IP addresses to internal RFC1597 addresses. External IPs >should always be presented as the same individual internal IP every time. I >do NOT want dynamic pools. 
What I am after is: > >external nat internal > >host 1.2.3.4 ---------|===========|------- 172.16.1.4 >host 1.2.3.5 ---------| |------- 172.16.1.5 >host 1.2.3.6 ---------| |------- 172.16.1.6 >host 3.4.5.6 ---------| |------- 172.16.9.6 >host 3.4.5.7 ---------| |------- 172.16.9.7 >host 3.4.5.8 ---------|===========|------- 172.16.9.8 > >The above mappings should be permanent so that each time the external >connects through the NAT machine, the same IP address as used before is >assigned for the new connection. No other hosts should be able to reuse >the internal IP. > >Highly desirable is the ability to filter and do next-hop-enforcing >on all packets. Hosts which have not been defined for mapping should >be rejected, with optional logging. > >Please email me replies directly. > >Thanks, >Mark >mark@zang.com > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Fri Sep 6 07:43:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA05512 for firewalls-outgoing; Fri, 6 Sep 1996 06:56:24 -0700 (PDT) Received: from odo (odo.acdnj.itt.com [151.190.1.25]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA05494 for ; Fri, 6 Sep 1996 06:56:10 -0700 (PDT) Date: Fri, 6 Sep 1996 09:40:33 -0400 Message-Id: <96090609403338@odo.acdnj.itt.com> From: nabadm@odo.acdnj.itt.com (set chaos/total) To: Firewalls@greatcircle.com Subject: Re: Subject: C2 certified OS that can run a firewall X-VMS-To: SMTP%"Firewalls@GreatCircle.COM" X-VMS-Cc: NABADM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Digital UNIX is a C2 certified OS. The Alta Vista Firewall Software runs on >it. > As far as I know Digital UNIX is NOT C2 certified. (Which reminds me, my NSA catalog hasn't arrived.) However, it was designed to be C2 compliant. 
When we went to run Digital UNIX in classified system high mode we had to sit down with the DIS AIS representative and demonstrate to him every aspect of C2 compliance in order to get permission to use it. Object reuse was especially difficult to demonstrate, since we had to show that blocks on the disk were zeroed when deallocated. (I believe Digital UNIX satisfies the object reuse requirement by zeroing on deallocate. Some OSs do zero on allocate, some can do both.) --------------------------------------------------------------------------- "Crisis over back to panic mode!" --------------------------------------------------------------------------- N.A. Bogart nabadm@odo.acdnj.itt.com OpenVMS & Security Systems Manager nbogart@avionics.itt.com ITT Avionics (201) 284-5117 VOICE(MAIL) 100 Kingsland Road (201) 284-3947 FAX Clifton NJ 07014 (201) 730-2681 PAGER --------------------------------------------------------------------------- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 4.0 Business Edition mQCNAjHhYaQAAAEEAMOlLciHvPWZbfk53ih4NjUfLvJAMs2ABD/njhYMM99zlwf0 76PJ8ItYVD97Fmbtd8iNN61PZQ0YiwHqPRDeKx+JAKsMGgh+X+VA2S2CRL+jT+s3 dOypfX3LBs1GzB5sEKjjf4S4uadoEXkgBXHEhIuUaRcpP3veDtuPMEONq1pZAAUR tCpOYW5jeSBBLiBCb2dhcnQgPG5ib2dhcnRAYXZpb25pY3MuaXR0LmNvbT4= =6sdj -----END PGP PUBLIC KEY BLOCK----- From firewalls-owner Fri Sep 6 08:07:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA05005 for firewalls-outgoing; Fri, 6 Sep 1996 06:49:27 -0700 (PDT) Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA04988 for ; Fri, 6 Sep 1996 06:49:12 -0700 (PDT) Received: (from smap@localhost) by ereapp.erenj.com (8.7.4/8.7.3) id JAA09100 for ; Fri, 6 Sep 1996 09:48:51 -0400 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma009069; Fri Sep 6 09:48:24 1996 Received: from stargate.erenj.com (stargate.erenj.com [159.70.1.8]) by 
eredns.erenj.com (8.7.4/8.7.3) with SMTP id JAA20507 for ; Fri, 6 Sep 1996 09:48:22 -0400 Received: from stargate.erenj.com by stargate.erenj.com; (5.65v3.2/1.1.8.2/12Feb96-1009AM/bdboyle@erenj.com) id AA20404; Fri, 6 Sep 1996 09:48:21 -0400 Message-Id: <32302BA5.ABD@erenj.com> Date: Fri, 06 Sep 1996 09:48:21 -0400 From: "Bryan D. Boyle" Organization: Exxon Research and Engineering Co. X-Mailer: Mozilla 3.0 (X11; I; OSF1 V4.0 alpha) Mime-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: C2 Myths References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk BeachCruiser wrote: > > > > >SCC takes a different security path > > > >Secure Computing Corp. (SCC), in Roseville, Minn., has taken a unique > >approach to security with its Sidewinder Internet Firewall product. > > > >Web site at http://www.sctc.com. > > Great post Christopher. > ...and these ads just keep getting get better and better. :-) Of course, there is a somewhat comprehensive list of all reported firewall products (the first, and, non-vendor specific...) at: http://www.access.digex.net/~bdboyle/firewall.vendor.html where you can click and surf to all the marketing verborehea you can stand. This is non-commercial, and maintained by someone with no financial interest in any vendor products. So, as such, it is honest...:) -- Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338 #include | http://www.access.digex.net/~bdboyle/index.html "They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." 
- Benjamin Franklin, Historical Review of Pennsylvania From firewalls-owner Fri Sep 6 08:16:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA03253 for firewalls-outgoing; Fri, 6 Sep 1996 06:32:13 -0700 (PDT) Received: from stortek.com (stortek.com [129.80.22.249]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA03234 for ; Fri, 6 Sep 1996 06:31:54 -0700 (PDT) Received: from coltano.stortek.com by stortek.com with SMTP id AA22467 (5.65c/IDA-1.4.4 for ); Fri, 6 Sep 1996 07:31:01 -0600 Received: (from jim@localhost) by coltano.stortek.com (8.7.4/8.7.3) id HAA06879; Fri, 6 Sep 1996 07:28:42 -0600 (MDT) Date: Fri, 6 Sep 1996 07:28:42 -0600 (MDT) From: Jim Wamsley 303-673-8163 Message-Id: <199609061328.HAA06879@coltano.stortek.com> To: firewalls@GreatCircle.COM, raf@ezunx.com Subject: Re: authenticated/encrypted sessions Organization: Storage Technology Corporation X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk WARNING: BLATANT COMMERCIALISM TO FOLLOW Network Systems Corporation, a division of StorageTek, has two products to allow exactly what you are asking to do: the Borderguard and the Security Router. Each has a capability known as network control facility. These devices can either be your firewall or sit directly behind your firewall, and establish authenticated encrypted sleeves across the Internet to a like device on the far side. Various encryption algorithms are available. Look at the web site http://www.network.com/SecurityProducts.html ______________________________________________________________ [ Jim Wamsley, Network Engineering ] [ StorageTek 2270 S. 88th St, M.S. 4379, Louisville, CO 80028 ] [ Audible: (303) 673-8163 Logical jim_wamsley@stortek.com ] [ Everything to Excess! ] [ To enjoy life to the fullest, you must take big bites. ] [ Moderation is for monks.
] [ Lazarus Long ] [______________________________________________________________] > From firewalls-owner@GreatCircle.COM Thu Sep 5 21:30 MDT 1996 > Date: Thu, 5 Sep 96 18:44:22 PST > From: rich > Subject: authenticated/encrypted sessions > To: firewalls@GreatCircle.COM > X-Priority: 3 (Normal) > Mime-Version: 1.0 > > Hi, > > This should be a simple one (yeah right) that should generate lots > of responses (I hope). > > I want to set up authenticated and encrypted tunnels through a > firewall. the rub, NO COMMERCIAL products allowed. My thoughts -- > socks5 since I have to handle windows 3.1, win 95 and winNT apps > as well as Unix. > > So, Comments? Suggestions? Strange Sounds? > > ADVANCE, > rich > > o' |,=./ `o > (o o) > -----ooO--(_)--Ooo------- > > ** Remember -- If you can keep your head when all others around > you are losing theirs... > > You're probably not paying attention! > From firewalls-owner Fri Sep 6 08:44:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA11164 for firewalls-outgoing; Fri, 6 Sep 1996 07:51:37 -0700 (PDT) Received: from shaft.wii.com (mail.wii.com [204.156.32.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA11064 for ; Fri, 6 Sep 1996 07:51:02 -0700 (PDT) Received: (from smap@localhost) by shaft.wii.com (8.7.5/8.7.3) id HAA01346 for ; Fri, 6 Sep 1996 07:50:43 -0700 Received: from sunshine.tech.wii.com(1.1.19.105) by shaft via smap (V1.3) id sma001344; Fri Sep 6 07:50:26 1996 Received: (from ioh@localhost) by sunshine.tech.wii.com (8.7.5/8.7.3) id HAA25526; Fri, 6 Sep 1996 07:50:24 -0700 Date: Fri, 6 Sep 1996 07:50:23 -0700 (PDT) From: Il Oh To: firewalls@greatcircle.com Subject: smap alternative? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is there another product that works like smap? I don't like the licensing restrictions on it. 
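The static NAT request earlier in this digest (one fixed internal address per external registered host, no dynamic pool, unmapped hosts rejected and logged) is easy to get subtly wrong, so here is a small model of that behaviour as an added example. It is not a product and not the poster's code; it uses the address table from the post, reads the request as "an external host is presented to the inside under a fixed RFC 1597 alias", and the log line format is made up.

```python
"""Static one-to-one NAT table that rejects and logs unmapped hosts.

Added example, not a product and not the poster's code. Every external
registered address is permanently bound to one internal RFC 1597 alias
(no dynamic pool); traffic from or to a host with no entry is dropped and
logged. The mapping is the table from the post; the log format is made up.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# external registered host -> internal RFC 1597 alias (table from the post)
MAPPING: Dict[str, str] = {
    "1.2.3.4": "172.16.1.4",
    "1.2.3.5": "172.16.1.5",
    "1.2.3.6": "172.16.1.6",
    "3.4.5.6": "172.16.9.6",
    "3.4.5.7": "172.16.9.7",
    "3.4.5.8": "172.16.9.8",
}


class StaticNAT:
    def __init__(self, table: Dict[str, str]):
        self.ext_to_int: Dict[str, str] = {}
        self.int_to_ext: Dict[str, str] = {}
        self.log: List[str] = []
        for ext, alias in table.items():
            if not ipaddress.ip_address(alias).is_private:
                raise ValueError(f"{alias} is not an RFC 1597 private address")
            if ipaddress.ip_address(ext).is_private:
                raise ValueError(f"{ext} is not a registered public address")
            # Strictly one-to-one: neither side of a pair may appear twice,
            # so no other host can ever be handed the same internal alias.
            if ext in self.ext_to_int or alias in self.int_to_ext:
                raise ValueError(f"duplicate entry for {ext} / {alias}")
            self.ext_to_int[ext] = alias
            self.int_to_ext[alias] = ext

    def inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet arriving from the Internet: the external source is shown to
        the inside as its fixed alias. Unmapped sources are dropped and logged.
        Returns the rewritten (src, dst) or None."""
        alias = self.ext_to_int.get(src)
        if alias is None:
            self.log.append(f"DROP in  {src} -> {dst}: no static mapping")
            return None
        return (alias, dst)

    def outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet from the inside addressed to an alias: rewrite the destination
        back to the real external address. Anything else is dropped and logged."""
        ext = self.int_to_ext.get(dst)
        if ext is None:
            self.log.append(f"DROP out {src} -> {dst}: no static mapping")
            return None
        return (src, ext)


def build_nat() -> StaticNAT:
    return StaticNAT(MAPPING)


if __name__ == "__main__":
    nat = build_nat()
    print(nat.inbound("1.2.3.4", "172.16.200.10"))    # ('172.16.1.4', '172.16.200.10')
    print(nat.outbound("172.16.200.10", "172.16.9.7"))  # ('172.16.200.10', '3.4.5.7')
    print(nat.inbound("1.2.3.9", "172.16.200.10"))    # None, and a DROP line in nat.log
    print(nat.log)
```

The two invariants worth keeping when you configure a real box this way are visible in the constructor: the alias space must be private and must not collide with addresses of real internal hosts, and the table must be one-to-one in both directions, otherwise a reply for one external host can be delivered to another.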
From firewalls-owner Fri Sep 6 08:44:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA08796 for firewalls-outgoing; Fri, 6 Sep 1996 07:29:39 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA08758 for ; Fri, 6 Sep 1996 07:29:21 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id HAA15197; Fri, 6 Sep 1996 07:28:42 -0700 Date: Fri, 6 Sep 1996 07:28:42 -0700 (PDT) From: Robert Hanson To: Kim cc: firewalls@GreatCircle.COM Subject: Re: firewall-1 delay is tolerable ? In-Reply-To: <199609060759.RAA18104@rara.kotel.co.kr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ethernet switch? You can get a good one from SMC for less than a thou. ---> Robert H. Hanson LAN/WAN Consultant - Internet Service Provider Otis Orchards, Wa. Cutting Edge Communications www.cet.com (509) 927-9541 finger: info@cet.com or email: roberth@cet.com On Fri, 6 Sep 1996, Kim wrote: > I am using FW-1 2.0 on sparc 1000 with 2 cpu. > Ping and traceroute passing firewall through indicate the delay on there > is great and such delay is very clear by comparing it with pings in outside > router. > Also the system collision indicator shows excessive, I think, collision status. > Do you have any nice improvements about this ? > - Kim.
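The traceroute question above ("I've tried just ICMP/traceroute, but that doesn't work") comes down to what the classic Unix traceroute actually sends. Its probes are UDP datagrams, not ICMP: each goes to a destination port that starts at 33434 and increases by one per probe, so with the default 30 hops and 3 probes per hop the last port is 33523. Intermediate routers answer with ICMP type 11 (time exceeded) and the target answers with ICMP type 3 code 3 (port unreachable). The simulation below is an added example, not code from the list; it runs that exchange against a tiny stateless filter so you can see that an ICMP-only rule drops every probe before it leaves, and which three rules are the minimum. The addresses, the sample path and the filter model are made up for illustration.

```python
"""Which packet-filter rules classic (UDP) traceroute needs.

Added example, not code from any list post. It models the traditional Unix
traceroute (UDP probes to ports 33434 and up, one port per probe; routers
reply with ICMP type 11, the target with ICMP type 3 code 3) against a tiny
stateless filter. Addresses and the sample path are made up.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

TRACEROUTE_BASE_PORT = 33434        # default first destination port
MAX_TTL = 30                        # traceroute -m default
NPROBES = 3                         # traceroute -q default
LAST_PORT = TRACEROUTE_BASE_PORT + MAX_TTL * NPROBES - 1   # 33523


@dataclass(frozen=True)
class Packet:
    direction: str                  # "out" (inside -> Internet) or "in"
    proto: str                      # "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # UDP destination port
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


Rule = Callable[[Packet], bool]     # returns True to permit


def filter_permits(rules: List[Rule], pkt: Packet) -> bool:
    """Any matching rule permits; an unmatched packet is dropped."""
    return any(rule(pkt) for rule in rules)


def traceroute_through_filter(rules: List[Rule], source: str,
                              path: List[str]) -> List[str]:
    """Return what traceroute would print per hop: the responding address,
    or '*' when the probe or its ICMP reply was dropped by the filter.
    `path` is the ordered list of routers ending with the destination."""
    dest = path[-1]
    shown = []
    port = TRACEROUTE_BASE_PORT
    for ttl in range(1, min(len(path), MAX_TTL) + 1):
        hop = path[ttl - 1]
        answer = "*"
        for _ in range(NPROBES):
            probe = Packet("out", "udp", source, dest, dport=port)
            port += 1
            if not filter_permits(rules, probe):
                continue                            # probe never left
            if hop == dest:                         # target: port unreachable
                reply = Packet("in", "icmp", hop, source, icmp_type=3, icmp_code=3)
            else:                                   # router: TTL exceeded
                reply = Packet("in", "icmp", hop, source, icmp_type=11, icmp_code=0)
            if filter_permits(rules, reply):
                answer = hop
        shown.append(answer)
        if answer == dest:
            break
    return shown


# What the poster tried: ICMP only. No UDP probe can leave, so every hop is "*".
ICMP_ONLY_RULES: List[Rule] = [
    lambda p: p.direction == "in" and p.proto == "icmp",
]

# The minimum for outbound UDP traceroute: the probe port range out, and only
# the two ICMP error types it relies on back in.
TRACEROUTE_RULES: List[Rule] = [
    lambda p: (p.direction == "out" and p.proto == "udp"
               and TRACEROUTE_BASE_PORT <= p.dport <= LAST_PORT),
    lambda p: p.direction == "in" and p.proto == "icmp" and p.icmp_type == 11,
    lambda p: (p.direction == "in" and p.proto == "icmp"
               and p.icmp_type == 3 and p.icmp_code == 3),
]

SAMPLE_SOURCE = "10.1.1.5"                                     # tracing host
SAMPLE_PATH = ["192.0.2.1", "198.51.100.9", "203.0.113.40"]   # made-up hops

if __name__ == "__main__":
    for name, rules in (("icmp only", ICMP_ONLY_RULES), ("udp+icmp", TRACEROUTE_RULES)):
        print(f"{name:10s}", traceroute_through_filter(rules, SAMPLE_SOURCE, SAMPLE_PATH))
```

On a real filter, restrict the two inbound ICMP rules to your inside hosts as destination; a stateless filter cannot tie the error back to the probe, whereas a stateful one can match on the UDP header the ICMP error carries. The port range covers the defaults only (other builds or `-p`/`-m`/`-q` options shift it), and Windows tracert uses ICMP echo instead, which needs echo out and echo reply in rather than these rules.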
From firewalls-owner Fri Sep 6 09:23:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA20851 for firewalls-outgoing; Fri, 6 Sep 1996 09:09:16 -0700 (PDT) Received: from rodin.ny.cantor.com (rodin.cantor.com [198.80.21.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA20792 for ; Fri, 6 Sep 1996 09:08:58 -0700 (PDT) From: apilosov@cantor.com Received: by rodin.ny.cantor.com (8.6.9) id MAA21152; Fri, 6 Sep 1996 12:07:40 -0400 Received: from smtpgwy.ny.cantor.com(148.106.20.145) by rodin.ny.cantor.com via smap (V1.3) id sma020874; Fri Sep 6 12:05:38 1996 Received: from cc:Mail by smtpgwy.ny.cantor.com id AA842036712; Fri, 06 Sep 96 12:01:21 EST Date: Fri, 06 Sep 96 12:01:21 EST Message-Id: <9608068420.AA842036712@smtpgwy.ny.cantor.com> To: firewalls@GreatCircle.COM, "James Rippas (Technology)" Subject: Re: traceroute Sender: firewalls-owner@GreatCircle.COM Precedence: bulk AFAIK, traceroute operates by sending a UDP packet destined for a random port. So you can't really enable traceroute past a packet filter. Maybe you can try looking at the exact format of the UDP packet traceroute sends and allow packets with just that combination of bytes. But I bet someone smart can hack this setup. --alex ______________________________ Reply Separator _________________________________ Subject: traceroute Author: "James Rippas (Technology)" at Internet Date: 9/6/96 11:03 AM Hi, I'd like to know what ports/protocol I need to permit through a packet filter for traceroute to work. I've tried just ICMP/traceroute, but that doesn't work. I suspect I need to let a UDP port through, but I'm not sure.
Thanks, -jim From firewalls-owner Fri Sep 6 09:52:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09936 for firewalls-outgoing; Fri, 6 Sep 1996 07:42:15 -0700 (PDT) Received: from goya.eunet.es (goya.eunet.es [193.127.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA09891 for ; Fri, 6 Sep 1996 07:41:55 -0700 (PDT) Received: (uucp@localhost) by goya.eunet.es (8.7.5/13.34) id QAA03032 for Firewalls@GreatCircle.COM; Fri, 6 Sep 1996 16:33:00 +0200 (MET DST) Received: from livolo by dym.tiasa.es (5.x/6.3) id AA01520 for Firewalls@GreatCircle.COM; b Message-Id: <32303F12.691@tiasa.es> Date: Fri, 06 Sep 1996 16:11:14 +0100 From: Jose Manuel Dominguez Organization: TIASA X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5 sun4m) Mime-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: [Fwd: Firewall for UNIX ??] Content-Type: multipart/mixed; boundary="------------4A7B474F2D22" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------4A7B474F2D22 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit -- --- Jose M. Dominguez (TIASA) Tecnologia Informatica Avanzada S.A. Miguel Angel 23, 2 Ph: 34-1- 310 25 57 Ext 206 28010 Madrid (Spain) Fax: 34-1- 308 68 79 --------------4A7B474F2D22 Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-ID: <32301F4B.1D62@tiasa.es> Date: Fri, 06 Sep 1996 13:55:39 +0100 From: Jose Manuel Dominguez Organization: TIASA X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Firewall for UNIX ?? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi all, Does anybody know where to find a demo firewall for a Unix system based?? 
I would like to know, as well, the hardware requirements for the implementation of a firewall system which is intended to be the truster of 10 PCs and 1 Sun SPARC 20 network. I'd thank any information supplied. Thanks in advance, --- Jose M. Dominguez (TIASA) Tecnologia Informatica Avanzada S.A. Miguel Angel 23, 2 Ph: 34-1- 310 25 57 Ext 206 28010 Madrid (Spain) Fax: 34-1- 308 68 79 --------------4A7B474F2D22-- From firewalls-owner Fri Sep 6 10:21:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA10337 for firewalls-outgoing; Fri, 6 Sep 1996 07:45:04 -0700 (PDT) Received: from syl.syl.nj.nec.com (syl.syl.nj.nec.com [138.15.50.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA10246 for ; Fri, 6 Sep 1996 07:44:20 -0700 (PDT) Received: from syl.nj.nec.com (syl.syl.nj.nec.com [138.15.50.1]) by syl.syl.nj.nec.com (8.7.5/8.7.3) with ESMTP id KAA26082; Fri, 6 Sep 1996 10:41:45 -0400 (EDT) Message-Id: <199609061441.KAA26082@syl.syl.nj.nec.com> X-Mailer: exmh version 1.5.1 12/2/94 To: Rajesh Joshi cc: ashish@syl.nj.nec.com, socks@socks.nec.com, socks5@socks.nec.com, firewalls@GreatCircle.COM, ntsocks@syl.nj.nec.com Subject: Re: SOCKS5 Server for Windows NT from NEC In-reply-to: Your message of "Wed, 04 Sep 1996 14:46:13 +0500." <199609040946.OAA24095@comm10> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 10:41:44 -0400 From: Ashish Bisarya Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199609040946.OAA24095@comm10>, Rajesh Joshi writes: >Hi all, > >We have downloaded SOCKS5 Server for Windows NT from NEC and copied >simple configuration file from samples to the directory containing socks5.exe > >The socks service starts but when we try to connect to application server using >netscape through socks server then it is not going through. > >Is this some configuration problem ? Can anybody throw some light on this ?
>Whether anybody has successfully installed the SOCKS5 server for Windows NT >? > >Thanks in advance > >-- There are a few things that you should check on:
1. Have you taken a look at the Event Log for any type of error or warning messages? The service may have trouble with your configuration file location or format.
2. Within Netscape make sure you are setting your SOCKS host to your server machine. We did notice problems using Netscape 2.x, but Netscape 3.0 is working quite well.
3. Make sure your socks5.conf has the appropriate permit line for your network.
4. Set SOCKS5_DEBUG and SOCKS5_LOG_STDERR in the config file to see debug messages on stderr on the SOCKS server, which will give you a lot more information about what is going on. You will have to start the SOCKS server on the command line with the -debug flag so that it does not start as a service.
Hope this helps, Ashish ****************************************************************** Ashish Bisarya | NEC Systems Laboratory, Inc.
phone: (609) 734-6114 | Open Systems Technology Center fax: (609) 734-6002 | 4 Independence Way, 3rd Floor ashish@syl.nj.nec.com | Princeton, NJ 08540 From firewalls-owner Fri Sep 6 10:23:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA06997 for firewalls-outgoing; Fri, 6 Sep 1996 07:08:49 -0700 (PDT) Received: from hermes.cu-online.com (hermes.cu-online.com [205.198.248.82]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA06972 for ; Fri, 6 Sep 1996 07:08:36 -0700 (PDT) Received: from argus.cu-online.com (argus.cu-online.com [205.198.248.112]) by hermes.cu-online.com (8.7.5/8.7.5-cuo-s6) with SMTP id JAA21875; Fri, 6 Sep 1996 09:18:55 -0500 (CDT) Received: by argus.cu-online.com (SMI-8.6/SMI-SVR4) id JAA19248; Fri, 6 Sep 1996 09:11:03 -0500 Date: Fri, 6 Sep 1996 09:11:03 -0500 From: mcnabb@argus.cu-online.com (Paul McNabb) Message-Id: <199609061411.JAA19248@argus.cu-online.com> To: wombat@mcfeely.bsfs.org Cc: firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Thu, 5 Sep 1996 20:19:41 -0400 (EDT) > From: Rabid Wombat > > On Thu, 5 Sep 1996, Jon Spencer wrote: > > > > Of course C2 security is better than no security, but C2 was never > > > > Welll ....... it is if you understand its limitations. Otherwise ... > > > > WTH does C2 security have to do with a system that should not have any > user accounts on it, no user access to it? Well, let's see. 1) You could have the activity of the daemons and other processes audited in case of a problem. This could be very useful when trying to track a problem or security hole. 2) The object reuse requirements would make it less likely that a daemon or other process could be tricked into sending info from a previous network request. 3) The TCB protections will make it less likely that bugs and holes in programs can circumvent or damage the system operation. 
4) Daemons could be run in a mode that doesn't have access to any file or other resource on the system (e.g., on UNIX, run a daemon as user "noroot"). 5) The overall functioning of the system would be analyzed and you could feel better about its reliability and security (although at C2 this is somewhat weak). C2 (and all other trusted systems) provides security enhancements in ways that are useful even when no user is on the system. Add to that the assurances that come from well-designed and well-reviewed code, and trusted systems make a lot of sense in a lot of instances. There is a lot of smoke in the air about trusted products, and a lot of misconceptions and misleading statements by both sides (those who claim supernatural protection by trusted systems and those who claim it's all a crock). But you are correct in part. As stated in various places in the Rainbow Series, there are places where a trusted system will add no appreciable benefit to an operation. You could build a firewall machine in such a way as to eliminate the need for a trusted operating system, but I think you would probably want to take your hardware and configuration through an evaluation and get a rating -- something easy like C2, or, for real assurance, B2 or B3. paul ------------------------------------------------------------ Paul McNabb mcnabb@argus.cu-online.com Argus Systems Group, Inc.
TEL 217-384-6300 1405A East Florida Avenue FAX 217-384-6404 Urbana, IL 61801 USA ------------------------------------------------------------ From firewalls-owner Fri Sep 6 10:26:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA22228 for firewalls-outgoing; Fri, 6 Sep 1996 09:22:29 -0700 (PDT) Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA22210 for ; Fri, 6 Sep 1996 09:22:18 -0700 (PDT) Received: from reflections.mindspring.com (localhost [127.0.0.1]) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id MAA14400; Fri, 6 Sep 1996 12:21:58 -0400 Date: Fri, 6 Sep 1996 12:21:54 -0400 (EDT) From: Todd Graham Lewis To: Russ cc: "'Firewalls'" Subject: Re: Building a monitoring system In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Sep 1996, Russ wrote: > Howdy folks, > > I'm going to take the plunge into Unix by way of building a monitoring > system that would be dedicated to the task of reporting the actions of > the other machines on my very small network. Given my limited Unix > background, I figured the best way to approach this would be to ask > y'all what this box should be. > > I've got a 486DX-100 sitting here with 8MB of RAM and a el cheapo PCI > NE2000 clone NIC. I've got 1GB of drive and an ATI VGA Wonder VGA > adapter. A floppy, a Future Domain TMC3260 PCI SCSI-2 adapter, and a NEC > 3x SCSI CD round out the box. > > So; > > - what OS should I use (downloadable from the net would be preferred) Linux or FreeBSD. I prefer Linux, as it has, IMO, better SNMP and general network monitoring tools, plus lots of firewall toys. Either will suit your purposes equally well. 
> - will the OS support the hardware I described or do I need > more/different/better hardware I would consider upgrading the Ethernet cards to real cards: SMC, 3com, etc. Other than that, this should do. > - what packet monitor tool would be recommended, I would like something > that I can set filters on and run several filters at once into different > captures if possible tcpdump. > - could somebody lend me a bookmark file of Unix tools links for the > recommended OS If you are just talking about packet sniffing (no SNMP, etc.), then tcpdump with some perl on top is about the only way to go. A group in Australia is working on some more specialized packet sniffing tools; netman or something like that. The url escapes me. > - configuration recommendations would be appreciated Read the man pages, write a perl script to collate the output of tcpdump, and read the result when you have time. As far as the box goes, install the os, become root, and run tcpdump. There's not that much to it. > I've got similar functionality in my NT boxes, so its not that I can't > do this in NT. I want to put a dedicated box in place for this now so I > figured I'd give Unix a try at this before I put NT on it. If it works > well, I'll just leave it there, maybe allowing me to give you more > detailed dumps of NT activity that you can actually grep...;-] Now we get to the heart of the matter! See if you can reverse engineer Quake's network behaviour while you're at it. 8^) Good luck; mail if problems. __ Todd Graham Lewis Linux! 
Core Engineering Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804 From firewalls-owner Fri Sep 6 10:48:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09616 for firewalls-outgoing; Fri, 6 Sep 1996 07:39:37 -0700 (PDT) Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA09541 for ; Fri, 6 Sep 1996 07:39:12 -0700 (PDT) Received: by gateway.damark.com; id JAA27893; Fri, 6 Sep 1996 09:38:58 -0500 (CDT) Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (V3.1) id xme027887; Fri, 6 Sep 96 09:38:35 -0500 Received: by damark.com (5.65/1.2-eef) id AA12232; Fri, 6 Sep 96 09:37:47 -0500 Message-Id: <9609061437.AA12232@damark.com> From: "william.wells" To: FIREWALLS Subject: FW: C2 Myths Date: Fri, 06 Sep 96 09:36:00 +6C Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Christopher Klaus >Date: Wed, 4 Sep 1996 11:17:22 -0400 (EDT) >There is a lot of hype among security products touting the fact that they >are C2 certified so that they are more secure than non-C2 security products. >I was wondering how many people really perceive that C2 brings them a more >secure product? >C2 - Controlled Access Protection. C2 provides protection for log-in >procedures, allows auditing of security-relevant events, and offers resource >isolation. >Operating systems such as MS-DOS, the MacOS, Windows, and OS/2 are >considered to have level D protection because they provide no security. To >be precise, these systems are not truly D-rated because they were never >submitted for evaluation. You are correct: C2 is a minimal security level. C2, if properly used, will go a long way to achieving reasonable security for internal business systems. C2, by itself, doesn't mean anything for firewalls nor provide security against hackers. 
The reason why I look for a C2 rating is that it does mean that basic security is present in the operating system; otherwise, I need to go dig through the manuals to see if the basics are around. In many cases, something approaching C2 can be achieved if the proper settings are used. C2 only provides the basic tools on which to build a basic level of security. For many users, C2 is when they begin to see security (you mean I really have to have a password and change it?). Once users (and more importantly, application coders) adjust to this minimal level of security, adding more security is generally not a major paradigm shift. My experience is that many of the proprietary computer systems which were (are?) used in business environments either were C2 or had established add-ons which made them C2 or better. In many cases, you couldn't turn off the security systems although you could make them impotent by how you used or ignored them. The importance of C2 is that there are security hooks built into the system. It's also interesting to me that many of the database engines, which frequently have their own network port, totally bypass their host's security system. Last I checked (several years ago but the informal discussions I've had don't make me think much has changed), they wouldn't pass a C2 security check (remember: C2 = a minimal security model). Does my firewall need C2? I don't really care. It needs a totally different security model since its protection goals are totally different. Do my internal servers need a C2 level of security? Yes. Not because "C2" is the goal but because they need at least that basic minimal level of security. William Wells Manager, Technical Support/Systems Administration Damark International, Inc william.wells@damark.com These opinions are mine and may or may not reflect those of Damark.
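An added example, not code from NEC's SOCKS5 package or from any poster in this archive, to go with Ashish Bisarya's SOCKS5 troubleshooting list earlier in this digest: a minimal SOCKS5 client handshake in Python (RFC 1928) that talks to the proxy directly, so the browser is out of the picture, and decodes the reply code the server sends back. The proxy address, the destination and the sample reply bytes are assumptions made up for the example. That a server with no matching permit line answers with reply code 0x02 is also an assumption, taken from the RFC's "connection not allowed by ruleset" code rather than from anything on this page.

```python
"""Minimal SOCKS5 (RFC 1928) handshake encoder/decoder.

Added example for this archive, not code from NEC's SOCKS5 package or from
any poster. Talking to the proxy directly, without a browser in the way,
lets you read the server's reply code when a proxied connection "is not
going through".
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04

# Reply codes from RFC 1928 section 6.
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Client greeting: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(data):
    """Server answer to the greeting: VER, METHOD. Returns the chosen method."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection: %r" % (data,))
    if data[1] == METHOD_NO_ACCEPTABLE:
        raise ValueError("server accepted none of the offered auth methods")
    return data[1]


def build_connect_request(dest_host, dest_port):
    """CONNECT request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.

    A dotted-quad host is sent as ATYP 0x01; anything else goes as a
    domain name (ATYP 0x03), leaving name resolution to the proxy.
    """
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(dest_host)
    except OSError:
        name = dest_host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", dest_port)


def parse_reply(data):
    """Server reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.

    Returns (rep_code, rep_text, bound_addr, bound_port). Raises on a
    malformed or truncated reply so a silent disconnect is never read
    as success.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated SOCKS5 reply")
        addr_len = 1 + data[4]
    else:
        raise ValueError("unknown ATYP 0x%02x in reply" % atyp)
    end = 4 + addr_len + 2
    if len(data) < end:
        raise ValueError("truncated SOCKS5 reply")
    raw = data[4:4 + addr_len]
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(raw)
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        addr = raw[1:].decode("ascii", "replace")
    (port,) = struct.unpack("!H", data[end - 2:end])
    return rep, REPLY_TEXT.get(rep, "unassigned reply code 0x%02x" % rep), addr, port


def probe(proxy_host, proxy_port, dest_host, dest_port, timeout=5.0):
    """Run the whole handshake against a live proxy; needs network access."""
    with socket.create_connection((proxy_host, proxy_port), timeout) as s:
        s.sendall(build_greeting())
        parse_method_selection(s.recv(2))
        s.sendall(build_connect_request(dest_host, dest_port))
        return parse_reply(s.recv(262))   # 4 + 1 + 255 + 2 is the longest reply


if __name__ == "__main__":
    # Constructed sample, not captured from a real server: the RFC code a
    # server would use when its ruleset (socks5.conf) does not permit the client.
    print(parse_reply(bytes([0x05, 0x02, 0x00, 0x01, 0, 0, 0, 0, 0, 0])))
```

Run `probe("socks-host", 1080, "inside-server", 80)` from the same client machine Netscape runs on, substituting your own addresses; a reply code other than 0x00 names the reason the server gives, and a ValueError on a short read means the server closed the connection before answering, which points at the configuration file rather than the browser.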
From firewalls-owner Fri Sep 6 10:59:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA06460 for firewalls-outgoing; Fri, 6 Sep 1996 07:03:01 -0700 (PDT) Received: from hogw2.att.com (hogw2.att.com [204.179.186.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA06384 for ; Fri, 6 Sep 1996 07:02:37 -0700 (PDT) From: mdr@vodka.sse.att.com Received: from vodka.sse.att.com by hoig2.att.att.com (SMI-8.6/EMS-1.2 sol2) id JAA09563; Fri, 6 Sep 1996 09:57:27 -0400 Message-Id: <199609061357.JAA09563@hoig2.att.att.com> Subject: Re: C2 certified OS that can run a firewall To: bdboyle@erenj.com (Bryan D. Boyle) Date: Fri, 6 Sep 1996 09:44:46 -0400 (EDT) Cc: wombat@mcfeely.bsfs.org, firewalls@greatcircle.com In-Reply-To: <323011AB.446B@erenj.com> from "Bryan D. Boyle" at Sep 6, 96 07:57:31 am X-Mailer: ELM [version 2.4 PL23-upenn2.7] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Bryan D. Boyle wrote: > Rabid Wombat wrote: > > > > WTH does C2 security have to do with a system that should not have any > > user accounts on it, no user access to it? > > Nothing. But, it is a good buzzword that can be thrown around to make > it look like you know what you are talking about, when, in fact, if you > run the full suite of C2, you probably have opened up more holes in your > os than if you actually ran a stripped-down, tightly configured, and > heavily controlled system environment. A flatly false statement. C2 tightens up security -- it's not a magic bullet, but then what is? Adding C2 does _NOT_ open more holes than it closes. > > But C2 is some sort of magic talisman for security. Like MTBE is a good > oxygenate for gasoline. It impresses those that don't know any better. This is a common misconception: i.e.; that C2 has no benefit for firewalls or network security.
The audit trail alone is a _huge_ benefit for security. Proxy logging occurs only if the proxy cooperates by writing log entries. A real C2 system will log all security relevant events by all programs with or without their cooperation. C2 systems for application firewalls can and should be extended to audit network security events. Of course some firewalls don't have much of an OS to speak of. That doesn't mean that they don't need a security analysis of whatever it is that they _do_ have; it just means that C2 doesn't apply directly. > > Of course, if you don't run the system EXACTLY as the qualification > suite specified, the system is not rated at the level you think you are. The evaluation covers _one_ configuration. Trying to evaluate all possible permutations of configuration options would be impossible because of the sheer number of possible permutations. But a C2 configuration at least gives the admin a _baseline_ for how the system should be configured. If the admin deviates he has to _think_ "how does this impact the security of my system" (what a novel idea). Now I admit that it sounds pretty silly to take the stance "run this without any networking if you want to be secure". But in light of the reality of the situation that's not that far from the truth. The Red Book gives a trusted network interpretation of "C2". This includes a SECRECY POLICY that is "enforced on the network to prevent unauthorized users from reading the sensitive information entrusted to the network". So C2 _can_ be extended to encompass networking concepts. How well the OB maps into networking is an issue that might be worth discussing. But it can and does map. Conclusion: C2 is _not_ the holy grail of computer security, but C2 security has positive benefits for the firewall OS, especially for proxy application type firewalls. I do a lot of work with audit trails (logs) for firewalls and B1/C2 systems. It never ceases to amaze me how underappreciated those logs are.
We have solved many complex mysteries by reviewing the log files. On our system, it's as if every process running were saving a "truss" style output _all_ the time, but without noticeable overhead. The OS related security events and the network security events are in the same log file, and every record is time stamped to the hundredth of a second. I can write log analysis programs that test the integrity in practice of my chroot jails and such. And whenever someone telnets to my host, I can see the connection records and _also_ that tlid forks and execs telnetd. Then I can see exactly which shared libraries telnetd binds to; and that it exec's login. Then I can see which libraries login binds to, and that it opens the utmp files, /etc/default/login, /etc/passwd, /etc/shadow ... This type of detailed logging is of tremendous value when you try to analyze a break-in. Mark Riggins Secure Systems Engineering AT&T Labs
From firewalls-owner Fri Sep 6 11:05:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA13648 for firewalls-outgoing; Fri, 6 Sep 1996 08:09:57 -0700 (PDT) Received: from jarhead.msfc.nasa.gov (JARHEAD.MSFC.NASA.GOV [128.158.145.193]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA13588 for ; Fri, 6 Sep 1996 08:09:32 -0700 (PDT) Received: (from donna@localhost) by jarhead.msfc.nasa.gov (8.6.12/8.6.12) id KAA09663 for Firewalls@GreatCircle.COM; Fri, 6 Sep 1996 10:09:09 -0500 Date: Fri, 6 Sep 1996 10:09:09 -0500 From: Donna Jones Message-Id: <199609061509.KAA09663@jarhead.msfc.nasa.gov> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #347 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have not been getting any firewall info for a couple weeks. Please make sure "jarhead@msfc.nasa.gov" is on your mailing list.
Thanks
From firewalls-owner Fri Sep 6 11:32:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18652 for firewalls-outgoing; Fri, 6 Sep 1996 08:53:17 -0700 (PDT) Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA18599 for ; Fri, 6 Sep 1996 08:52:48 -0700 (PDT) Received: from Barbara's HP.us.checkpoint.com (barbara-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA08903; Fri, 6 Sep 1996 08:53:42 -0700 Message-Id: <323048E8.4054@us.checkpoint.com> Date: Fri, 06 Sep 1996 08:53:12 -0700 From: "Barbara W. Jaarsma" Reply-To: barbara@us.checkpoint.com Organization: Checkpoint US Technical Support X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: Dave Wreski Cc: firewalls@greatcircle.com Subject: Re: fw-1 2.0: Menu too large for screen References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dave - Presumably, this is FireWall-1? X11 is remarkably strange when it comes to displaying what it considers to be "too much" data. The definition of "too much" varies according to the position of the sun, the moon, the stars, etc. The workaround is to manually edit your objects.C file and turn display to false on objects you can live without displaying. I think the exact line is :show_in_menus (false) but I don't have the file handy to double check. I may have thrown in a space, and menus may actually be singular. -Barb Dave Wreski wrote: > > Argh. I am trying to add a host, and I am getting the following message: > > XView warning: Menu too large for screen (Command Menu package) > > I have been away for a while, and someone else must have made some > changes. Any idea what I can do to add a host?
> > Thanks, > Dave Wreski > > -- > echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc From firewalls-owner Fri Sep 6 11:52:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14099 for firewalls-outgoing; Fri, 6 Sep 1996 08:13:09 -0700 (PDT) Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA13872 for ; Fri, 6 Sep 1996 08:12:03 -0700 (PDT) Received: from localhost (sconner@localhost) by cypress.cycon.com (8.7.5/8.7.3) with SMTP id KAA22585; Fri, 6 Sep 1996 10:38:53 -0400 Date: Fri, 6 Sep 1996 10:38:52 -0400 (EDT) From: Steve Conner To: "James Rippas (Technology)" cc: firewalls@GreatCircle.COM Subject: Re: traceroute In-Reply-To: <9609060853.ZM4508@alanis> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi James, You are correct in assuming that the traceroute requires a UDP port. The problem is that traceroute sends out the UDP packets on a random upper level port (>1023) and then listens for an ICMP reply. My suggestion is try opening outbound UDP for a single host and see if the ICMP packets can come back through. Some firewalls have problems handling the traceroute ICMP replies, but there are a couple of firewalls that I know of that can handle these replies properly. Steve --------------------------------------------------------------- Steve Conner Cypress Consulting, Inc. sconner@cycon.com 703-256-1279 Manager, Research & Development http://www.cycon.com CYCON Labyrinth, Firewall and Network Address Translator --------------------------------------------------------------- On Fri, 6 Sep 1996, James Rippas (Technology) wrote: > Hi, > > I'd like to know what ports/protocol I need to permit through a packet filter > for traceroute to work. I've tried just ICMP/traceroute, but that doesn't > work. 
I suspect I need to let a UDP port through, but I'm not sure. > > Thanks, > > -jim > From firewalls-owner Fri Sep 6 12:05:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA17733 for firewalls-outgoing; Fri, 6 Sep 1996 08:45:22 -0700 (PDT) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA17624 for ; Fri, 6 Sep 1996 08:44:45 -0700 (PDT) Received: from beach.sctc.com (root@localhost) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA06655 for ; Fri, 6 Sep 1996 10:50:12 -0500 (CDT) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA06651 for ; Fri, 6 Sep 1996 10:50:11 -0500 (CDT) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.5/8.7.3) with SMTP id KAA10721; Fri, 6 Sep 1996 10:44:17 -0500 (CDT) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA07091; Fri, 6 Sep 1996 10:44:16 -0500 Date: Fri, 6 Sep 1996 10:44:16 -0500 From: Rick Smith Message-Id: <199609061544.KAA07091@shade.sctc.com> To: Firewalls@GreatCircle.COM Cc: smith@sctc.com Subject: Re: C2 certified OS that can run a firewall X-Newsreader: TIN [version 1.2 PL2] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bill Stout says: : Using ancient government specs for leading edge technology is like trying : to wedge square pegs into round holes. Yes, but the ancient government specs have produced most of the systems today that provide the sort of protection needed to serve the Internet community including potentially hostile users. We largely ignored the TCSEC when building Sidewinder and its mandatory access control, though the team had lots of experience with TCSEC high assurance system development. Though it wasn't intended to be TCSEC compliant, Sidewinder still comes close. 
If we configured some security levels into the type enforcement tables, it would probably fall somewhere between B1 and B2, with a little B3. Rick. smith@sctc.com secure computing corporation From firewalls-owner Fri Sep 6 12:15:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18732 for firewalls-outgoing; Fri, 6 Sep 1996 08:53:46 -0700 (PDT) Received: from deepeddy.DeepEddy.Com (DeepEddy.Com [192.12.3.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA18596 for ; Fri, 6 Sep 1996 08:52:47 -0700 (PDT) Received: from deepeddy.DeepEddy.Com (localhost [127.0.0.1]) by deepeddy.DeepEddy.Com (8.7.3/8.7.2) with ESMTP id KAA23798; Fri, 6 Sep 1996 10:51:48 -0500 (CDT) Message-Id: <199609061551.KAA23798@deepeddy.DeepEddy.Com> X-Mailer: exmh version 1.6.7 5/3/96 To: rich Cc: firewalls@GreatCircle.COM, cwg@deepeddy.DeepEddy.Com Subject: Re: authenticated/encrypted sessions In-Reply-To: Your message of "Thu, 05 Sep 1996 18:44:22 PST." X-Url: http://www.DeepEddy.Com/~cwg Mime-Version: 1.0 Content-Type: multipart/signed; boundary="===_-1_Fri_Sep__6_10:51:43_CDT_1996"; micalc=pgp-md5; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Fri, 06 Sep 1996 10:51:44 -0500 From: Chris Garrigues Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --===_-1_Fri_Sep__6_10:51:43_CDT_1996 Content-Type: text/plain; charset=us-ascii raf@ezunx.com said: > I want to set up authenticated and encrypted tunnels through a > firewall. the rub, NO COMMERCIAL products allowed. My thoughts -- > socks5 since I have to handle windows 3.1, win 95 and winNT apps as > well as Unix. socksified ssh? socks5 is a great system,but it isn't quite what you're talking about. ssh with socks support does what you want but is only "free" on Unix. There is a beta (or is it alpha?) version of a windows client available for free, but the released version will cost money. 
Of course, it is possible to configure things to use an ssh tunnel between two Unix boxes from other hosts on those networks, but you didn't say enough to tell if that's acceptable. Chris -- Chris Garrigues O- cwg@DeepEddy.Com Deep Eddy Internet Consulting +1 512 432 4046 609 Deep Eddy Avenue Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/ --===_-1_Fri_Sep__6_10:51:43_CDT_1996 Content-Type: application/pgp-signature -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQB1AwUBMjBIipaQnaaFII2dAQEGVAL+NTvbTznLP1h8HoPsfE9WIGvPcxkV1NSb l8OTDBj60BmUJHMtd8U2j/iZ5xBwj1TOLUx4p3YTFMbM2KlgzLHdgfkAnU191/1y WZA5KL/TFOaQFm5XiYJRuacjUcUuTgNJ =nZyY -----END PGP MESSAGE----- --===_-1_Fri_Sep__6_10:51:43_CDT_1996--
From firewalls-owner Fri Sep 6 12:21:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA15746 for firewalls-outgoing; Fri, 6 Sep 1996 08:27:07 -0700 (PDT) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA15686 for ; Fri, 6 Sep 1996 08:26:43 -0700 (PDT) Received: from beach.sctc.com (root@localhost) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA05284; Fri, 6 Sep 1996 10:32:35 -0500 (CDT) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA05280; Fri, 6 Sep 1996 10:32:35 -0500 (CDT) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.5/8.7.3) with SMTP id KAA09790; Fri, 6 Sep 1996 10:26:41 -0500 (CDT) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA04970; Fri, 6 Sep 1996 10:26:41 -0500 Date: Fri, 6 Sep 1996 10:26:41 -0500 From: Rick Smith Message-Id: <199609061526.KAA04970@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, spencerj@dg-rtp.dg.com (Jon Spencer) Subject: Re: C2 certified OS that can run a firewall X-Newsreader: TIN [version 1.2 PL2] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
spencerj@dg-rtp.dg.com (Jon Spencer) writes: : (1) B1 is not much better than C2. B1 systems are designed and built to contain mandatory access control mechanisms. C2 is not. This is the crucial difference. : (2) The strengths of B2 and above are related to the high assurance issues : rather than to the features. At B2 you have a very good expectation : that the system actually works like it is supposed to. After that, you : must determine if the high assurance features really address the : threats in your environment. Most of the "high assurance" effort revolves around protecting secrets from being leaked by subverted software. This is not a major security threat to Internet servers and firewalls. Therefore, much of the high assurance spent on typical TCSEC systems is irrelevant to commercial applications. On the other hand, mandatory protection can *unconditionally* protect some portions of the system from direct access or modification by other portions. For example, executables or readable file contents can be protected from modification. Or network interfaces going to a sensitive network can be protected from access by software serving users on the Internet. This is very useful in commercial applications. : I would also argue the issue that TCSEC strictly addressed the military. True. But there's a nugget there -- mandatory protection -- that we need if we need to keep a system intact while serving potentially hostile consumers. It's a real alternative to sacrificial hosts. Rick. 
smith@sctc.com secure computing
From firewalls-owner Fri Sep 6 12:29:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA12954 for firewalls-outgoing; Fri, 6 Sep 1996 08:05:03 -0700 (PDT) Received: from fsd1.fsdirect.com ([206.235.252.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA12895 for ; Fri, 6 Sep 1996 08:04:39 -0700 (PDT) Received: from fsd1.fsdirect.com (fsd1.fsdirect.com [206.235.252.10]) by fsd1.fsdirect.com (8.7.5/8.7.3) with SMTP id LAA05569; Fri, 6 Sep 1996 11:00:31 -0400 (EDT) Date: Fri, 6 Sep 1996 11:00:31 -0400 (EDT) From: To: Adam Shostack cc: ssl-talk@netscape.com, firewalls@greatcircle.com Subject: Re: options for proxying SSL traffic? In-Reply-To: <199609060203.VAA03267@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This reminds me of another issue I had with firewall products. Although I had not made it obvious, the question was framed in the context that the web server would be in an arbitrary network behind the firewall. It seemed that a large chunk of firewalls out there do not offer flexible configurations as far as multiple network interfaces were concerned. How are large organizations (particularly financial institutions) dealing with this? Are there people still doing homebrew FWTK/screend setups for large organizations? For example, Borderware offered a third ethernet interface, but called it Something Special, and charged a huge chunk of money for just the 3rd interface (for DMZs). No more than 3 interfaces, too. In talking to resellers for TIS's Gauntlet, some of them were not willing to set up a firewall with more than 3 (and for one vendor, their limit was 2) interfaces. I was trying to arrange for 4. In fact, the most surprising thing I heard was that there were resellers who had not set up firewalls in any other configuration than 2 or 3 interfaces.
I'm not sure if this cookbook approach implies a greater understanding on their part. This is on top of this stupid problem that product makers insist on weird terminology for the same things (how many different terms and acronyms are there for DMZ?), and will (intentionally, or unintentionally) obscure details such as underlying OS (e.g. what OS does Borderware's black box reside on? their literature points to BSDI or *bsd, but is never stated). Junya Ho FSDirect v: 416 368 3920 x5411 f: 416 368 5505 On Thu, 5 Sep 1996, Adam Shostack wrote: > I'd go for a demilitarized zone, a third interface off the firewall > with just the web server. > > Web servers tend to be big, complex, buggy bits of software with > things like user written cgis that just blow your security. So, if > you proxy a connection through the firewall to a box thats likely to > be broken into, you need protection from that box. > > Adam > > > junya@fsdirect.com wrote: > > | If a network connected to the internet was using a proxy firewall (say, > | Gauntlet or fwtk), and had an web server behind the firewall which had > | SSL enabled, what options does the firewall administrator have to ensure > | that people outside can access the web server inside w/SSL? > | > | Someone at TIS said all that needed to be done was to use plug-gw (a > | generic proxy which just passes bytes) so that the firewall passes > | traffic. However, given that internal web browsers require a specific SSL > | proxy service to access SSL enabled web servers on the outside, I don't > | feel quite convinced. (won't browsers care that the host they're > | connecting to is different from what the passed certificate information > | says?) > | > | If it's the case that a SSL proxy service is needed for incoming requests, > | it would seem like the rules would have to be fairly stringent so that > | someone would not take advantage of it to probe the internal network - > | like having an HTTP proxy for incoming requests. 
> | > | Can someone explain, before I actually try it out? > | > | > | Junya Ho > | FSDirect > | v: 416 368 3920 x5411 > | f: 416 368 5505 > | > | > > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume > > From firewalls-owner Fri Sep 6 12:55:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA26742 for firewalls-outgoing; Fri, 6 Sep 1996 10:05:46 -0700 (PDT) Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA26682 for ; Fri, 6 Sep 1996 10:05:29 -0700 (PDT) From: potlicker@morebbs.com Received: by morebbs.com id 0IDGX001 Fri, 06 Sep 96 13:04:45 Message-ID: <9609061304.0IDGX00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Fri, 06 Sep 96 13:04:45 Subject: Re: mail & win95 To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks for all the feedback. Answers to a couple of the questions asked follow. 1) These folks only want to run a client on Win 95, which can then pick up mail from their smtp firewall. 2) It is the guts of the cc:Mail crashing, not the SMTP gateway that it uses to connect to the firewall. Apparently many tables got changed and show users in post offices where they are not. When mail comes in to these users it is then rejected as "User xxxxx is not registered" Apparently this caused a loop on some List servers on the Internet. The users are still there but the mail never reaches the correct post office. 3) Some other shops apparently also have users trying to bypass cc:Mail connections to Internet mail because of unreliability. 4) I am not The Dawg. I admire his skills and imitate his style. Don't think he will be back in the US until the statute of limitations runs out. 5) Web searches produced a lot of useless leads. The feedback from this list was FAR more helpful. 
PoT_LiCkEr

From firewalls-owner Fri Sep 6 12:55:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28066 for firewalls-outgoing; Fri, 6 Sep 1996 10:19:04 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA28024 for ; Fri, 6 Sep 1996 10:18:45 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Fri, 6 Sep 96 19:17 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 6 Sep 96 19:17 MET DST Received: by lina id m0uz4Pc-0004jQC (Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 6 Sep 96 19:09 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: smap alternative? To: ioh@wii.com (Il Oh) Date: Fri, 6 Sep 1996 19:09:46 +0200 (MET DST) Cc: firewalls@greatcircle.com In-Reply-To: from "Il Oh" at Sep 6, 96 07:50:23 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> Is there another product that works like smap? I don't like the
> licensing restrictions on it.

Just use a secure MTA like qmail. If you take a close look at smap you will see that it really doesn't do very much at all. It is not very restrictive on the addresses and passes a lot of insane data... I don't think it is much protection. Use qmail on a DMZ host (or on the firewall; it is really nice and secure AFAIK).
Greetings
Bernd

From firewalls-owner Fri Sep 6 13:30:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA29720 for firewalls-outgoing; Fri, 6 Sep 1996 10:44:40 -0700 (PDT) Received: from tango.lightech.com.ar (spy.lightech.com.ar [200.0.253.134]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA29669 for ; Fri, 6 Sep 1996 10:44:11 -0700 (PDT) Received: from salsa (router1-p06.pccp.com.ar [200.0.253.22]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with SMTP id QAA10649; Fri, 6 Sep 1996 16:48:24 GMT Message-ID: <32305514.2428@lightech.com.ar> Date: Fri, 06 Sep 1996 13:45:08 -0300 From: Adrian Setton Reply-To: asetton@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 3.0b6 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM CC: "James Rippas (Technology)" Subject: Re: traceroute References: <9609060853.ZM4508@alanis> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Traceroute uses high UDP ports to high UDP ports as outgoing packets (from the machine where you are running traceroute, packets from ports over 32768). The incoming packets are ICMP TTL exceeded messages (ICMP Type 11, Code 0) from the intermediate routers and ICMP port unreachable (ICMP Type 3, Code 3) from the final node.

At least, this is what I've seen in my latest dream ...

Regards ...
--
Adrian F. Setton LighTech Voice: (54-1) 420-4110 Ayacucho 563.
Piso 13 Dto "A" FAX: (54-1) 315-1343 Buenos Aires e-mail: asetton@lightech.com.ar Argentina URL: http://www.lightech.com.ar From firewalls-owner Fri Sep 6 13:52:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28929 for firewalls-outgoing; Fri, 6 Sep 1996 10:35:57 -0700 (PDT) Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA28922 for ; Fri, 6 Sep 1996 10:35:46 -0700 (PDT) Received: (from girsch@localhost) by mail.marben.com (SMI-8.6/SMI-SVR4/MPI-AG) id KAA19394; Fri, 6 Sep 1996 10:33:56 -0700 From: girsch@marben.com (Arnaud Girsch) Message-Id: <199609061733.KAA19394@mail.marben.com> Subject: Re: traceroute To: apilosov@cantor.com Date: Fri, 6 Sep 1996 10:33:55 -0700 (PDT) Cc: firewalls@GreatCircle.COM, jrippas@fcmc.com In-Reply-To: <9608068420.AA842036712@smtpgwy.ny.cantor.com> from "apilosov@cantor.com" at Sep 6, 96 12:01:21 pm X-Organization: Marben Products, Inc. X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > AFAIK, traceroute operates by sending UDP packet destined for > random port. So you can't really enable traceroute past packet filter. > Maybe you can try looking at exact format of UDP packet traceroute sends > and allow packets with just that combination of bytes. > But I bet someone smart can hack this setup. > > I'd like to know what ports/protocol I need to permit through a packet filter > for traceroute to work. I've tried just ICMP/traceroute, but that doesn't > work. I suspect I need to let a UDP port through, but I'm not sure. > > Thanks, traceroute sends UDP packets, not at random ports, but at port number starting at 33434 (by default). The starting port can be changed, but the default is always the same ... Then it increases port+1 each time it adds a hop. 
It expects ICMP time exceeded answers from all hops on the way.

Arnaud.
--
Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Fri Sep 6 14:11:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA25778 for firewalls-outgoing; Fri, 6 Sep 1996 09:58:00 -0700 (PDT) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA25749 for ; Fri, 6 Sep 1996 09:57:45 -0700 (PDT) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA04983; Fri, 6 Sep 1996 09:56:02 -0700 Date: Fri, 6 Sep 1996 09:56:02 -0700 (PDT) From: Leonard Miyata To: Bernd Eckenfels cc: firewalls@GreatCircle.COM Subject: Re: C2 Myths In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi

Instead of the term "NSA" and "People with programming experience", replace with the sentence "Engineers who are experienced in exploiting bad programming (e.g. the Unix gets() call) to create Security Holes, and have access to the COMPLETE O.S source code with months of time to study it". This is what is actually done during a TCSEC evaluation process.

Personal opinions provided by Leonard Miyata aka leonard@geminisecure.com GEMINI COMPUTERS INC. http://www.geminisecure.com

On Fri, 6 Sep 1996, Bernd Eckenfels wrote:
> Hi,
>
> > A1 - Verified Design. The highest level demands formal security verification
> > methods to ensure that security controls protect classified and other
> > sensitive information. Even the National Security Agency cannot break in.
> >
> > B3 - Security Domains. This level is intended to protect systems from people
> > with programming experience.
> >
> > B2 - Structured Protection. Hackers should not be able to break into a
> > system with B2-level security.
> >
> > B1 - Labeled Protection.
> > At this level, a really good hacker could possibly
> > break in, but users can't.
> >
> > C2 - Controlled Access Protection. C2 provides protection for log-in
> > procedures, allows auditing of security-relevant events, and offers resource
> > isolation.
> >
> > C1 - Discretionary Protection. This level enables users to set access
> > controls to protect private or project information.
> >
> > D - Minimal Protection. The lowest level is reserved for systems that have
> > been evaluated but have failed to meet the requirements for a higher
> > evaluation class.
>
> sorry, this is not very useful... "Users" "Hackers" "people with programming
> experience" "NSA" is not a useful (nor realistic) attribution for
> security classes.
>
> Greetings
> Bernd
> --
> (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
> ( .. ) ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/
> o--o *plush* 2048/A2C51749 eckes@irc +4972573817 *plush*
> (O____O) If privacy is outlawed only Outlaws have privacy
>

From firewalls-owner Fri Sep 6 14:59:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA01945 for firewalls-outgoing; Fri, 6 Sep 1996 11:00:33 -0700 (PDT) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA01789 for ; Fri, 6 Sep 1996 10:59:57 -0700 (PDT) Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.7.4/8.6.4) id NAA08097; Fri, 6 Sep 1996 13:59:15 -0400 (EDT) From: Jeff Murphy Message-Id: <199609061759.NAA08097@smurfland.cit.buffalo.edu> Subject: Re: Building a monitoring system To: tlewis@mindspring.com (Todd Graham Lewis) Date: Fri, 6 Sep 1996 13:59:14 -0400 (EDT) Cc: Russ.Cooper@RC.Toronto.on.ca, Firewalls@GreatCircle.COM In-Reply-To: from "Todd Graham Lewis" at Sep 6, 96 12:21:54 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >If you are just talking about packet sniffing (no SNMP, etc.), then >tcpdump with some perl on top is about the only way to go. A group in >Australia is working on some more specialized packet sniffing tools; >netman or something like that. The url escapes me. ftp://ftp.cs.curtin.edu.au/pub/netman jeff From firewalls-owner Fri Sep 6 15:04:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA03514 for firewalls-outgoing; Fri, 6 Sep 1996 11:11:27 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA03330 for ; Fri, 6 Sep 1996 11:10:24 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA02081; Fri, 6 Sep 1996 13:10:08 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma022867; Fri Sep 6 13:09:47 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id NAA22608; Fri, 6 Sep 1996 13:09:47 -0500 Received: by sonic.nmti.com; id AA13720; Fri, 6 Sep 1996 13:09:46 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9609061809.AA13720@sonic.nmti.com.nmti.com> Subject: Re: C2 certified OS that can run a firewall To: mcnabb@argus.cu-online.com (Paul McNabb) Date: Fri, 6 Sep 1996 13:09:46 -0500 (CDT) Cc: wombat@mcfeely.bsfs.org, firewalls@GreatCircle.COM In-Reply-To: <199609061411.JAA19248@argus.cu-online.com> from "Paul McNabb" at Sep 6, 96 09:11:03 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 1) You could have the activity of the daemons and other processes > audited in case of a problem. This could be very useful when trying > to track a problem or security hole. This is a feature of C2. 
> 2) The object reuse requirements would make it less likely that a > daemon or other process could be tricked into sending info from a > previous network request. This is a feature of C1. > 3) The TCB protections will make it less likely that bugs and holes > in programs can circumvent or damage the system operation. This is a feature of C1. > 4) Daemons could be run in a mode that doesn't have access to any > file or other resource on the system (e.g., on UNIX, run a daemon > as user "noroot"). C2 does not require such a mode exist. > C2 (and all other trusted systems) provides security enhancements > in ways that are useful even when no user is on the system. To be precise, systems require certain security concerns be met to satisfy C2. These concerns, however, are so weak that apart from the auditing requirements just about *any* operating system that has any meaningful security model satisfies C2. Stock bog standard UNIX satisfies C1, and the only requirement it misses under C2 is auditing. Most of the enhancements people add for C2 UNIX systems are not C2 requirements at all. Particularly, there is no C2 requirement for either access control lists or modifying the standard password file (shadowing passwords are a good idea, but C2 doesn't say anything about them). 
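Bringing together the traceroute replies earlier in this digest (Adrian Setton on the ICMP types involved, Arnaud Girsch on the default starting UDP port 33434 that climbs per hop), the following is an added example of the packet-filter decision they describe; it is editorial code written for this archive, not code posted by any list member. It models a stateless filter with a default-deny policy: outbound UDP from the internal network whose destination port falls in the traceroute window, and inbound ICMP type 11 code 0 (TTL exceeded) or type 3 code 3 (port unreachable), are permitted; everything else is denied. The internal prefix 10.0.0.0/8, the sample packets, and the sizing of the window as hops times probes per hop (some traceroute implementations advance the port on every probe rather than every hop) are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for the example: 10.0.0.0/8 stands in for "our Intranet".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Values from the list discussion: Berkeley traceroute starts at UDP port
# 33434 and walks upward; each intermediate hop answers ICMP type 11 code 0
# and the final host answers ICMP type 3 code 3.
TRACEROUTE_BASE_PORT = 33434
ICMP_TIME_EXCEEDED = (11, 0)
ICMP_PORT_UNREACHABLE = (3, 3)
EPHEMERAL_FLOOR = 32768   # traceroute's own source ports are above this


@dataclass(frozen=True)
class Packet:
    """Minimal view of a datagram as a stateless packet filter sees it."""
    proto: str            # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # UDP only
    dport: int = 0        # UDP only
    icmp_type: int = -1   # ICMP only
    icmp_code: int = -1   # ICMP only


def traceroute_port_window(max_hops=30, probes_per_hop=3, base=TRACEROUTE_BASE_PORT):
    """Inclusive destination-port range one traceroute run can touch.

    Assumption: sized as hops * probes so it covers implementations that bump
    the port once per probe as well as those that bump it once per hop.
    """
    return base, base + max_hops * probes_per_hop - 1


def allow_traceroute(pkt, window=traceroute_port_window(), internal=INTERNAL_NET):
    """Return (allowed, reason) under a default-deny policy that admits only
    what an outbound traceroute from the internal network needs."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    lo, hi = window

    # Outbound probe: inside -> outside, high source port, dport in the window.
    if pkt.proto == "udp" and src in internal and dst not in internal:
        if pkt.sport >= EPHEMERAL_FLOOR and lo <= pkt.dport <= hi:
            return True, "outbound traceroute probe"
        return False, "udp outside traceroute window"

    # Inbound reply: outside -> inside, only the two ICMP type/code pairs.
    if pkt.proto == "icmp" and dst in internal and src not in internal:
        if (pkt.icmp_type, pkt.icmp_code) in (ICMP_TIME_EXCEEDED, ICMP_PORT_UNREACHABLE):
            return True, f"icmp {pkt.icmp_type}/{pkt.icmp_code} reply"
        return False, "icmp type/code not needed by traceroute"

    return False, "default deny"


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("udp", "10.1.2.3", "198.51.100.7", sport=40001, dport=33434),   # first probe
    Packet("icmp", "192.0.2.1", "10.1.2.3", icmp_type=11, icmp_code=0),    # hop: TTL exceeded
    Packet("icmp", "198.51.100.7", "10.1.2.3", icmp_type=3, icmp_code=3),  # target: port unreachable
    Packet("udp", "10.1.2.3", "198.51.100.7", sport=40002, dport=53),      # ordinary DNS query
    Packet("icmp", "192.0.2.1", "10.1.2.3", icmp_type=8, icmp_code=0),     # inbound echo request
    Packet("udp", "198.51.100.7", "10.1.2.3", sport=33434, dport=40001),   # inbound UDP to a high port
]


def evaluate(packets=SAMPLE):
    """Apply the policy to a list of packets and return the allow/deny verdicts."""
    return [allow_traceroute(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE:
        ok, why = allow_traceroute(p)
        print("ALLOW" if ok else "DENY ", p.proto, p.src, "->", p.dst, "|", why)
```

Note the limitation this makes visible: a stateless filter has to admit ICMP 11/0 and 3/3 to every internal host from any source, since it cannot tie a reply to the probe that triggered it. A stateful filter would instead accept only ICMP errors that quote an outstanding UDP probe, which narrows the inbound exposure considerably.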
From firewalls-owner Fri Sep 6 15:14:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA15965 for firewalls-outgoing; Fri, 6 Sep 1996 12:31:27 -0700 (PDT) Received: from ahcbsd1.ovnet.com (ahcbsd1.ovnet.com [198.77.6.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA15874 for ; Fri, 6 Sep 1996 12:30:54 -0700 (PDT) From: dckinder@ahcbsd1.ovnet.com Received: from dckinder.ovnet.com (xtsb10.ovnet.com [198.77.6.109]) by ahcbsd1.ovnet.com (8.7.4/8.7.3) with SMTP id PAA04177 for ; Fri, 6 Sep 1996 15:46:38 -0400 (EDT) Message-Id: <199609061946.PAA04177@ahcbsd1.ovnet.com> Comments: Authenticated sender is To: firewalls@GreatCircle.COM Date: Fri, 6 Sep 1996 15:28:07 +0000 Subject: NT Security X-mailer: Pegasus Mail for Windows (v2.42) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am an attorney who is interested in the field of computer crime and security and who is trying to get a technical understanding of the subject matter. So far, most of the literature I have been able to discover pertains to UNIX-based security questions. On the basis of these readings, I am beginning to feel I can follow most of the postings on this list. I'm the type of guy who likes to do ten times as much homework as the other guy - that's how I do things. So far, however, I have been unable to obtain technical information on NT-based security questions. I would like to be able to have at least a journeyman's understanding of this subject as well. If somebody could direct me to a website or a book or other source of information that deals specifically with NT security, I would appreciate it. Duncan C. 
Kinder dckinder@ovnet.com From firewalls-owner Fri Sep 6 15:40:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA06280 for firewalls-outgoing; Fri, 6 Sep 1996 11:27:45 -0700 (PDT) Received: from grab (grab.coslabs.com [199.233.92.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA06218 for ; Fri, 6 Sep 1996 11:27:22 -0700 (PDT) Received: from future.mulligan.com by grab (SMI-8.6/SMI-SVR4) id MAA02219; Fri, 6 Sep 1996 12:27:06 -0600 Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) id MAA06532; Fri, 6 Sep 1996 12:27:00 -0600 Message-Id: <199609061827.MAA06532@future.mulligan.com> To: apilosov@cantor.com Cc: firewalls@GreatCircle.COM, jrippas@fcmc.com Subject: Re: traceroute In-Reply-To: Your message of "Fri, 06 Sep 96 12:01:21 EST" References: <9608068420.AA842036712@smtpgwy.ny.cantor.com> X-Mailer: Mew version 1.05 on Emacs 19.31.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Fri, 06 Sep 1996 12:27:00 -0600 From: Geoff Mulligan Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: apilosov@cantor.com > AFAIK, traceroute operates by sending UDP packet destined for > random port. So you can't really enable traceroute past packet > filter. Maybe you can try looking at exact format of UDP packet > traceroute sends and allow packets with just that combination of > bytes. But I bet someone smart can hack this setup. While in theory the ports could be random, in practice they don't seem to be. The Unix version of traceroute from Berkeley starts with port 33434 and increments the port number by one for each next hop. It would probably work to allow outbound UDP packets between ports 33434 and 33600 thereby allowing a traceroute through 165 intermediate hops. The packet filter must also allow ICMP type 3 and type 11 packets inbound. 
geoff

From firewalls-owner Fri Sep 6 15:41:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09180 for firewalls-outgoing; Fri, 6 Sep 1996 11:45:14 -0700 (PDT) Received: from firewall.idoc.state.il.us (idoc.state.il.us [163.191.155.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA09063 for ; Fri, 6 Sep 1996 11:44:38 -0700 (PDT) From: tjdavis@idoc.state.il.us Received: (from uucp@localhost) by firewall.idoc.state.il.us (8.6.12/8.6.9) id MAA08369; Fri, 6 Sep 1996 12:40:22 GMT Received: from toad.idoc.state.il.us(172.16.1.2) by firewall.idoc.state.il.us via smap (V2.0alpha) id xma008366; Fri, 6 Sep 96 12:40:00 GMT Content-Length: 2281 Message-ID: X-Mailer: XFMail 0.4 [p0] on Linux Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <199609061441.KAA26082@syl.syl.nj.nec.com> Date: Fri, 06 Sep 1996 13:27:39 -0000 () Organization: Illinois Department of Corrections To: Ashish Bisarya Subject: Re: SOCKS5 Server for Windows NT from NEC Cc: Rajesh Joshi , socks@socks.nec.com, socks5@socks.nec.com, firewalls@GreatCircle.COM, ntsocks@syl.nj.nec.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Netscrape uses Socks4. You must enable ALL authentication in your socks5.conf. If you didn't, it is probably failing on an authentication error. One way to check is to run socks5 in console mode with debugging turned on (socks5 -s -d). It should display a failed message at the point where authentication is done.
There is probably a message along the lines of 'Socks4: no authentication method found'.

On 06-Sep-96 Ashish Bisarya wrote:
>>In message <199609040946.OAA24095@comm10>, Rajesh Joshi writes:
>>Hi all,
>>
>>We have downloaded SOCKS5 Server for Windows NT from NEC and copied
>>simple configuration file from samples to the directory containing socks5.exe
>>
>>The socks service starts but when we try to connect to application server using
>>netscape through socks server then it is not going through.
>>
>>Is this some configuration problem? Can anybody throw some light on this?
>>Whether anybody has successfully installed the SOCKS5 server for Windows NT?
>>
>>Thanks in advance
>>
>>--
>
>There are a few things that you should check on:
>
>1. Have you taken a look at the Event Log for any type of error or warning
>messages? The service may have trouble with your configuration file location
>or format.
>
>2. Within Netscape make sure you are setting your SOCKS host to your server
>machine. We did notice problems using Netscape 2.x, but Netscape 3.0 is
>working quite well.
>
>3. Make sure your socks5.conf has the appropriate permit line for your network.
>
>4. Set SOCKS5_DEBUG and SOCKS5_LOG_STDERR in the config file to see debug
>messages on stderr on the Socks server which will give you a lot more
>information about what is going on. You will have to start the socks server on
>command line with the -debug flag so that it does not start as a service.
>
>Hope this helps,
>Ashish
>******************************************************************
>Ashish Bisarya | NEC Systems Laboratory, Inc.
>phone: (609) 734-6114 | Open Systems Technology Center
>fax: (609) 734-6002 | 4 Independence Way, 3rd Floor
>ashish@syl.nj.nec.com | Princeton, NJ 08540

----------------------------------
Todd J.
Davis tjdavis@idoc.state.il.us IL Department of Corrections (217) 522-2666 ext 6358 ---------------------------------- From firewalls-owner Fri Sep 6 15:58:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22971 for firewalls-outgoing; Fri, 6 Sep 1996 13:15:42 -0700 (PDT) Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA22950 for ; Fri, 6 Sep 1996 13:15:28 -0700 (PDT) Received: from shredder.syl.dl.nec.com (shredder.syl.dl.nec.com [143.101.64.3]) by telemann.inoc.dl.nec.com (8.7.3/8.7.3) with ESMTP id PAA12871 for ; Fri, 6 Sep 1996 15:15:17 -0500 (CDT) Received: by shredder.syl.dl.nec.com (8.7.5/YDL1.9.1-940729.15) id PAA28531(shredder.syl.dl.nec.com); Fri, 6 Sep 1996 15:15:16 -0500 (CDT) Received: by babs.syl.dl.nec.com (8.7.1/YDL1.9.1-940729.15) id PAA28832(babs.syl.dl.nec.com); Fri, 6 Sep 1996 15:15:15 -0500 (CDT) To: firewalls@GreatCircle.com Date: 6 Sep 1996 20:15:08 GMT From: "Kermit Tensmeyer" Message-ID: <01bb9c30$04f48e80$c970658f@deacon-blue> Organization: NEC USA CNAD/INOC Path: syl.dl.nec.com!vivaldi.inoc.dl.nec.com!news-admin References: Subject: Re: RealAudio? - Newsgroups: necus.internet.mirror.firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. ------=_NextPart_000_01BB9C06.1C2934E0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Gilbert Rankin wrote in article ... > A little over a week ago I posed the following question to the list and= > would like to thank everyone who responded. > > > My employer is considering putting a RealAudio server on our public web site. > > There is some concern that many of our customers will not be able to access > > the server because they are behind a firewall and due to the conservative > > approach that many companies take toward new proprietary protocols. 
> > If you maintain a firewall, have a moment and responding wouldn't violate your
> > security policy would you please send me, _not_ the list a short note saying
> > whether you do or do not allow RealAudio traffic through your firewall.

sorry late hit.

We can use RealAudio with a socksv5 server.

PC users use sockscap16. Win95 and NT use sockscap32 to start an image of the RA before the browser winds up. When the browser spawns off a request to the RA tool, it gets the socksified one.

Works really well, from this point of view. Some of our users have problems if they are on an internal network with a large number of network collisions. It's been a good tool to identify the network problems in ways that a manager can understand.

The udp interface works better than the tcp interface.

Our other alternative was to build the RA proxy and run it with xinetd, but it just looks too scary to place on my firewall..

--
Kermit Tensmeyer NEC InterNet Operations Centre (INOC)
kermit@cnad.dl.nec.com Dallas, Texas

From firewalls-owner Fri Sep 6 16:38:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA15269 for firewalls-outgoing; Fri, 6 Sep 1996 16:04:42 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA15155 for ; Fri, 6 Sep 1996 16:04:02 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id RAA00520; Fri, 6 Sep 1996 17:56:25 -0400 Date: Fri, 6 Sep 1996 17:56:22 -0400 (EDT) From: Rabid Wombat To: Paul McNabb cc: firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall In-Reply-To: <199609061411.JAA19248@argus.cu-online.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Fri, 6 Sep 1996, Paul McNabb wrote:
> > Date: Thu, 5 Sep 1996 20:19:41 -0400 (EDT)
> > From: Rabid Wombat
> >
> > On Thu, 5 Sep 1996, Jon Spencer wrote:
> >
> > > > Of course C2 security is better than no security, but C2 was never
> > >
> > > Welll ....... it is if you understand its limitations. Otherwise ...
> > >
> >
> > WTH does C2 security have to do with a system that should not have any
> > user accounts on it, no user access to it?
>
> Well, let's see.
>
> 1) You could have the activity of the daemons and other processes
> audited in case of a problem. This could be very useful when trying
> to track a problem or security hole.
>

Maybe. The biggest point for a "secure" OS vs. a "hardened" OS is that I might want to be able to audit the actions of the person who has control of the firewall system. This isn't a C2 thing, though, as I recall, but comes up in the "B" rating. I could be wrong here, as I don't dig into the rainbow books so much anymore.
> 2) The object reuse requirements would make it less likely that a
> daemon or other process could be tricked into sending info from a
> previous network request.
>

Are you referring to proxies being tricked, or applying this argument to inspection as well?

> 3) The TCB protections will make it less likely that bugs and holes
> in programs can circumvent or damage the system operation.
>
> 4) Daemons could be run in a mode that doesn't have access to any
> file or other resource on the system (e.g., on UNIX, run a daemon
> as user "noroot").
>

This does not require C2 certification, though.

> 5) The overall functioning of the system would be analyzed and you
> could feel better about its reliability and security (although at
> C2 this is somewhat weak).

Yes, it is weak at C2. Also, most of the "C2" systems out there are "designed to C2 specifications" or some other marketing snake oil. This does not make me feel better about anything. I'd rather take the word of others in the field regarding OS hardening, than take the word of anyone's marketing department regarding "C2."

>
> C2 (and all other trusted systems) provides security enhancements
> in ways that are useful even when no user is on the system. Add to
> that the assurances that come from well-designed and well-reviewed code,
> and trusted systems make a lot of sense in a lot of instances. There
> is a lot of smoke in the air about trusted products, and a lot of
> misconceptions and misleading statements by both sides (those who
> claim supernatural protection by trusted systems and those who claim
> it's all a crock).
>

M$ used to ship NT with "everyone" having rights to the system directory. This may still be the case, for all I know; I haven't had occasion/misfortune to work with NT lately. I don't care who certifies what - if the system ships with any sort of potential "hole" as a default, and it is up to the administrator to harden the OS, guess where your security and peace of mind will have to come from?
Not your OS rating.

> But you are correct in part. As stated in various places in the Rainbow
> Series, there are places where a trusted system will add no appreciable
> benefit to an operation. You could build a firewall machine in such a
> way to eliminate the need for a trusted operating system, but I think
> you would probably want to take your hardware and configuration through
> an evaluation and get a rating -- something easy like C2, or, for real
> assurance, B2 or B3.
>

The whole orange book system was designed to protect the users from each other, the system from the users, and, to some extent, the system from intruders, as you work your way up the rating scale. Go high enough, and you have somewhat of an argument that you're protecting the firewall system from intruders; but not at C2. Every time I see anybody talking about C2 and firewalls, I expect an NT rant on the next line.

The last firewall big "hole" I recall hearing about involved a system that, for a brief moment following boot, allowed packets through unchecked while the firewall software was still initializing. A C2 rating would not have made any difference. IMHO, it only gives a false sense of security. "Of course it's foolproof - it's rated C2 ...".

just my $.02

- r.w.

> paul
>
> ------------------------------------------------------------
> Paul McNabb mcnabb@argus.cu-online.com
> Argus Systems Group, Inc.
TEL 217-384-6300 > 1405A East Florida Avenue FAX 217-384-6404 > Urbana, IL 61801 USA > ------------------------------------------------------------ > From firewalls-owner Fri Sep 6 16:48:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04643 for firewalls-outgoing; Fri, 6 Sep 1996 14:48:58 -0700 (PDT) Received: from guardian.colonial.com.au (guardian.colonial.com.au [140.168.249.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA04530 for ; Fri, 6 Sep 1996 14:48:06 -0700 (PDT) Received: by guardian.colonial.com.au; id HAA19759; Sat, 7 Sep 1996 07:47:40 +1000 Received: from norman.cmutual.com.au(140.168.8.9) by guardian.colonial.com.au via smap (g3.0.1) id sma019757; Sat, 7 Sep 96 07:47:18 +1000 Received: from mailgw.sbnsw.com.au ([140.168.11.10]) by norman.cmutual.com.au (post.office MTA v1.9.3 ID# 0-12362) with SMTP id AAA25886 for ; Sat, 7 Sep 1996 07:47:14 +1100 Received: by mailgw.sbnsw.com.au; Sat, 7 Sep 96 7:50:47 +1000 Date: Sat, 7 Sep 96 7:50:47 +60000 Message-ID: X-Priority: 3 (Normal) To: From: Subject: Undeliverable Message X-Incognito-SN: 606 X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To: Cc: Subject: Firewalls-Digest V5 #496 Message not delivered to recipients below. Press F1 for help with VNM error codes. VNM3043: Paul Moen@Security@EDP VNM3043 -- MAILBOX IS FULL The message cannot be delivered because the recipient's mailbox contains the maximum number of messages, as set by the system administrator. The recipient must delete some messages before any other messages can be delivered. The maximum message limit for a user's mailbox is 10,000. The default message limit is 1000 messages. Administrators can set message limits using the Mailbox Settings function available in the Manage User menu (MUSER). 
When a user's mailbox reaches the limit, the user must delete some of the messages before the mailbox can accept any more incoming messages. ---------------------- Original Message Follows ---------------------- The original message was larger than the viewing area. It cannot be displayed as is. Therefore, it has been stored in the file `mail.txt'. Please view this file in order to read the message. Thank you. From firewalls-owner Fri Sep 6 16:51:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA18591 for firewalls-outgoing; Fri, 6 Sep 1996 16:26:45 -0700 (PDT) Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA18575 for ; Fri, 6 Sep 1996 16:26:33 -0700 (PDT) Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id TAA00477; Fri, 6 Sep 1996 19:18:40 -0400 (EDT) Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA10119; Fri, 6 Sep 1996 18:28:38 -0400 Received: from tun-4.imc.das.dec.com [16.136.208.4] (HELO jimlester) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_00ab_3230_a5af_0379; Fri, 06 Sep 1996 18:29:03 -0400 Message-Id: <1.5.4.32.19960906232909.006f8dd0@isbu-mail.ljo.dec.com> X-Sender: jim.lester@isbu-mail.ljo.dec.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 18:29:09 -0500 To: lists@lina.inka.de (Bernd Eckenfels), firewalls@GreatCircle.COM From: Jim Lester Subject: Re: Mail and win95 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In addition, Digital has a MSmail and ccMail gateway for their Altavista Mail server. This allows these users to access the internet or internet mail to automatically find its way to the internal mail users. The server and gateways may be downloaded for evaluation at http://altavista.software.digital.com. 
At 04:31 AM 9/6/96 +0200, Bernd Eckenfels wrote:
>Hi,
>
>> A question has come up at Big Co. as to how to bypass their cc:Mail
>> entirely and go from Windows 95 machines directly to their firewall.
>> That's cos their cc:Mail crashed again and delayed mail for power users.
>
>Are you talking about an MTA on the W95 System or a pop3 MUA? The latter is
>easy, use netscape or eudora or MS Exchange Client (from PLUS Package) to
>access a POP3 Server and Send SMTP Mail. Of course you need a MTA Host (How
>about Linux with smail and qpopper?). This is much better than running a
>mailer on a desktop system. Of course this is not a firewall question.
>
>Greetings
>Bernd
>

Jim Lester, Business Alliance Manager Altavista Internet Software Digital Equipment Corporation 404.843.9645

From firewalls-owner Fri Sep 6 16:59:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA29848 for firewalls-outgoing; Fri, 6 Sep 1996 14:14:15 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA29769 for ; Fri, 6 Sep 1996 14:13:47 -0700 (PDT) Received: by hidata.com; id AA09679; Fri, 6 Sep 96 14:13:34 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma009677; Fri, 6 Sep 96 14:13:18 -0700 Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id OAA16795; Fri, 6 Sep 1996 14:13:17 -0700 Message-Id: <2.2.32.19960906211125.0074ad5c@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 14:11:25 -0700 To: Firewalls@GreatCircle.COM From: Bill Stout Subject: RE: NT port activity list Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I replied to the list, David, if you want me to reply direct only, let me know. This exchange shows different interesting views of NT security.

>>If you type 'netstat /?'
>>at the command prompt, and it'll say "Server
>>side connections not normally shown" for the -a variable. Just to be

>I don't think it will show listening ports, but does show connected server

It would be nice if 'netstat -a' listed the listening ports on NT. ;)

>>protect the open ports first, then study the security of each port,
>>because each service uses a different security mechanism. SMB and
>>the NT logon process cares about the integrated NT security mechanisms,
>>and for initial connection only, but SQLserver and other apps may
>>not care about integrated NT security, and have as an option alternative
>>user authentication systems. I think other kernel resources that
>>don't use a redirector or go through the NETBIOS stack also divert
>>around integrated security.
>
>SQL server (at least MS's) does use integrated NT security. I have no idea
>what "kernel resources" could _possibly_ divert around the OS security given
>that _every_ kernel resource has security attributes, including an ACL.

Yup, SQLserver can use integrated security, but also has other options to bypass NT security and use other authentication systems. As do other apps like IIS. Exchange is the one app that can't bypass NT security, as far as I know.

An SMB Session does not use NT security, the O.S. internally matches the UID of the SMB session to an access token (the UID/token table was built during the first SMB session setup to that particular server). Then ACLs are used internally against that token assumed to belong to that UID. Only internally does NT use security access tokens, tokens are never sent across the net, so unless tokens accompany network traffic, NT security can't directly control network access. Since NT Security only works internally by relying on access tokens and ACLs, everything coming in externally is somehow mapped to an access token of a user, a service, or privilege.
...(waiting for flames)

Interesting thing happened to me once, tested an NT webserver on a DMZ with IP as its own single-host Domain, put a network card with NETBEUI on an internal net with a different NT domain on it, and before I could set up a one-way domain trust relationship, the event log of the new NT4/IIS system started filling with application-specific license violations of NETBIOS clients belonging to my other domain to server services on the new system which I didn't intend to access. NETBEUI issue, unrelated to TCP/IP, but interesting traffic from an untrusted, separate domain. Might as well have been IP though.

Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;) Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Fri Sep 6 19:47:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA02552 for firewalls-outgoing; Fri, 6 Sep 1996 19:28:49 -0700 (PDT) Received: from perseus.ultra.net (perseus.ultra.net [199.232.56.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA02545 for ; Fri, 6 Sep 1996 19:28:40 -0700 (PDT) Received: from sploink (firewall-user@joesmac.ultranet.com [199.232.59.222]) by perseus.ultra.net (8.7.4/dae0.6) with SMTP id WAA31331; Fri, 6 Sep 1996 22:28:23 -0400 (EDT) Message-ID: <3230DDB6.420C@joesmac.ultranet.com> Date: Fri, 06 Sep 1996 22:28:06 -0400 From: Joe Judge Organization: Whatever ... X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: "James Rippas (Technology)" CC: firewalls@GreatCircle.COM Subject: Re: traceroute through a packet filter References: <9609060753.ZM4439@alanis> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

...
am I wrong, or isn't it loose source routing that it needs? I can't remember. I'll try to play some games through my ipfilter host and watch the logs and/or snoop.

- joe

James Rippas (Technology) wrote:
>
> Hi,
>
> I'd like to know what ports/protocol I need to permit through a packet filter
> for traceroute to work. I've tried just ICMP/traceroute, but that doesn't
> work. I suspect I need to let a UDP port through, but I'm not sure.
>
> Thanks,
>
> -jim

From firewalls-owner Fri Sep 6 19:59:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA02759 for firewalls-outgoing; Fri, 6 Sep 1996 19:33:37 -0700 (PDT) Received: from perseus.ultra.net (perseus.ultra.net [199.232.56.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA02750 for ; Fri, 6 Sep 1996 19:33:27 -0700 (PDT) Received: from sploink (firewall-user@joesmac.ultranet.com [199.232.59.222]) by perseus.ultra.net (8.7.4/dae0.6) with SMTP id WAA32695; Fri, 6 Sep 1996 22:32:36 -0400 (EDT) Message-ID: <3230DEB3.6C30@joesmac.ultranet.com> Date: Fri, 06 Sep 1996 22:32:19 -0400 From: Joe Judge Organization: Whatever ... X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Bernd Eckenfels CC: Il Oh , firewalls@GreatCircle.COM Subject: Re: smap alternative? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A couple of years ago, I remember the net had some *very* simple SMTP server code ... supported just the commands to suck a piece of email in -- then handed it to some mailer program. Would that work? I think I have the code sitting on an old AT&T 3B2 on the 'net.

- joe

Bernd Eckenfels wrote:
>
> Hi,
>
> > Is there another product that works like smap? I don't like the
> > licensing restrictions on it.
>
> just use a secure MTA like qmail. If you take a close look at smap you will
> see that it really doesn't do very much at all.
> It is not very restrictive on
> the addresses and passes a lot of insane data... I don't think it is much
> protection. Use qmail on a DMZ Host (or on the firewall, it is really nice and
> secure afaik).
>
> Greetings
> Bernd

From firewalls-owner Fri Sep 6 20:14:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA03657 for firewalls-outgoing; Fri, 6 Sep 1996 19:51:53 -0700 (PDT) Received: from sprite (sprite.acsacs.com [206.16.240.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA03650 for ; Fri, 6 Sep 1996 19:51:42 -0700 (PDT) Date: Fri, 6 Sep 1996 19:51:26 -0700 (PDT) From: "Daniel J Blander - Sr. Systems Engineer for ACS" X-Sender: phaedrus@ferrari To: firewalls@greatcircle.com Subject: Radius Security Issues Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am looking at getting a clear (and fairly thorough) understanding of security issues and firewall considerations when passing Radius information from Dial-In Access Servers, through a firewall (of any sort) to Radius Servers. My intention is to secure the Radius Servers as best possible and preventing changes and hacks to the Radius systems..... Radius Servers will *only* be running Radius with all other services turned off and removed (sans telnet/ssh via other paths). The Access Server would be accessible to the Internet (and vice-versa) but the Radius Server would sit behind a firewall/router.

Provided that I only allow the udp port 1645 in and out will I be okay, or is the daemon a random high port like most other services (I haven't finished the RADIUS-ietf draft yet). How secure/insecure is the radius daemon, and what are the best methods for protecting it (can a simple router with correctly set access-lists cut it or does it require more in-depth monitoring?) How much damage can snooping of the packets do and hijacking sessions?
I am fairly well versed in most other security issues overall so generalistic answers such as "disable all other services on your Radius server" etcetera are not what I'm looking for. And I do understand the many weaknesses in UDP (although if there are specific attacks on RADIUS due to the UDP I would like to know that). Thanks in advance - you may send replies directly if you prefer. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Daniel Blander =8^) Sr. Systems Engineer Applied Computer Solutions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Phone: (714) 842.7800 Fax: (714) 842.8299 Email: Daniel.Blander@acsacs.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Official Applied Computer Solutions Home Page and Tech Tip of the Week: http://www.acsacs.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Fri Sep 6 22:02:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA13397 for firewalls-outgoing; Fri, 6 Sep 1996 21:49:53 -0700 (PDT) Received: from gateway2.ey.com (gateway2.ey.com [199.50.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA13374 for ; Fri, 6 Sep 1996 21:49:12 -0700 (PDT) From: Joseph.Cupano@EY.COM Received: by gateway2.ey.com id AA27892 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Sat, 7 Sep 1996 00:47:17 -0400 Received: by gateway2.ey.com (Protected-side Proxy Mail Agent-1); Sat, 7 Sep 1996 00:47:17 -0400 X400-Originator: Joseph.Cupano@EY.COM X400-Recipients: firewalls@GreatCircle.COM X400-Mts-Identifier: [/PRMD=ERNSTYOUNG/ADMD=ATTMAIL/C=US/;0014500005094926000002] X400-Content-Type: P2-1988 (22) Message-Id: <0014500005094926000002*@MHS> To: " - (052)firewalls(a)GreatCircle.COM" Subject: Re: mail & win95 Date: Sat, 7 Sep 1996 00:41:48 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk How about using Exchange as the client (POP) since it comes with Win95 anyway. 
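A worked example for Daniel Blander's RADIUS question above (the one-line Exchange reply in between is unrelated). This is added code, not anything from the posting or from any RADIUS implementation; the shared secret, user, password and NAS address are constructed test values and the function names are my own. It builds an Access-Request and its Access-Accept as the RADIUS Internet-Draft then circulating (later published as RFC 2138) lays them out: the 16-byte Request Authenticator keys the User-Password hiding (an MD5 keystream XOR), and the Response Authenticator, MD5 over the reply plus the secret, is the only thing that binds an Accept to its request. The demo then answers the snooping question the hard way: an eavesdropper holding one request/response pair can test candidate secrets offline at MD5 speed without sending a packet, and once the secret is known every password that ever crossed that link is readable. On the port question: the server listens on a fixed UDP port (1645 in deployments of that era; IANA later assigned 1812, with 1646/1813 for accounting) and answers from that same port, so a filter passing only NAS-any to server/1645 and the reverse is enough; there is no random high port. What does matter is a long random secret per NAS, an unpredictable Request Authenticator, and never accepting a reply on the strength of the 8-bit Identifier alone.

```python
"""RADIUS Access-Request/Accept authenticators, User-Password hiding and the
offline shared-secret attack an eavesdropper can run. Added example; the
secret, user, password and NAS address are constructed test values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code(1) Identifier(1) Length(2), then 16-byte Authenticator


def _attr(kind: int, value: bytes) -> bytes:
    # Attribute = Type(1) Length(1, counting this 2-byte header) Value
    return bytes([kind, len(value) + 2]) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """NUL-pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the secret can read the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    """NAS -> server. The Request Authenticator must be unpredictable: it keys
    the password hiding and ties the server's reply to this request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(secret, code, ident, request_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(secret, request, code, attrs=b""):
    """Server -> NAS: Access-Accept or Access-Reject bound to the request."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(secret, code, ident, request_auth, attrs)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(secret, request, response):
    """What a NAS must check before honouring a reply. RADIUS is UDP, so an
    Access-Accept with a forged source address costs an attacker one packet;
    this check and the matching Identifier are all that reject it."""
    code, ident, length = HEADER.unpack(response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(secret, code, ident, request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])


def crack_shared_secret(request, response, candidates):
    """Offline dictionary attack: one sniffed request/response pair lets an
    eavesdropper test candidate secrets at MD5 speed, sending nothing."""
    code, ident, _ = HEADER.unpack(response[:4])
    for cand in candidates:
        if response_authenticator(cand, code, ident, request[4:20], response[20:]) == response[4:20]:
            return cand
    return None


def sniffed_password(request, secret):
    """With the secret recovered, every User-Password seen on the wire is readable."""
    attrs = request[20:]
    while len(attrs) >= 2 and attrs[1] >= 2:
        kind, length = attrs[0], attrs[1]
        if kind == ATTR_USER_PASSWORD:
            return reveal_password(secret, request[4:20], attrs[2:length])
        attrs = attrs[length:]
    return None


if __name__ == "__main__":
    secret = b"radius"                 # constructed and deliberately weak
    req = build_access_request(secret, 7, b"daniel", b"hunter2", "206.16.240.1")
    acc = build_response(secret, req, ACCESS_ACCEPT)
    print("genuine Access-Accept verifies:", verify_response(secret, req, acc))
    forged = build_response(b"guess", req, ACCESS_ACCEPT)
    print("forged Access-Accept verifies:", verify_response(secret, req, forged))
    found = crack_shared_secret(req, acc, [b"password", b"secret", b"radius"])
    print("secret recovered from one sniffed exchange:", found)
    print("and the user's password:", sniffed_password(req, found))
```

The dictionary attack is why the secret's length and randomness, not the filter in front of the server, decide how much a sniffer on the dial-in side can do; a filter helps against the spoofed-reply case only insofar as it keeps packets with the server's source address from arriving on the wrong interface.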
From firewalls-owner Fri Sep 6 22:14:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA14398 for firewalls-outgoing; Fri, 6 Sep 1996 22:05:42 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA14391 for ; Fri, 6 Sep 1996 22:05:29 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA11787; Fri, 6 Sep 1996 22:06:54 -0700 Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA27438; Fri, 6 Sep 96 22:05:14 PDT Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA25490; Fri, 6 Sep 1996 22:05:08 -0700 Message-Id: <9609070505.AA25490@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id E2CFE53E7A046C4B8825639E001C1173; Fri, 6 Sep 96 22:05:07 EDT To: Kim Cc: firewalls From: Ryan Russell/SYBASE Date: 6 Sep 96 22:07:27 EDT Subject: Re: firewall-1 delay is tolerable ? X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

What do you consider a great delay? On my SS20, I get about 2 or 3 ms delay, about the same as a plain router.

Ryan

---------- Previous Message ----------
To: firewalls cc: From: cgkim @ kotel.co.kr (Kim) @ smtp Date: 09/06/96 05:59:44 PM Subject: firewall-1 delay is tolerable ?

I am using FW-1 2.0 on sparc 1000 with 2 cpu. Ping and traceroute passing through the firewall indicate the delay there is great, and such delay is very clear by comparing it with pings on the outside router. Also the system collision indicator shows excessive, I think, collision status. Do you have any nice improvements about this ? - Kim.
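A worked example for James Rippas's "traceroute through a packet filter" question a few messages up (the smap, RADIUS and Exchange messages in between are unrelated). The classic UNIX traceroute sends UDP probes to destination ports counting up from 33434, one port per probe, with TTL 1, 2, 3 and so on; the router at which the TTL expires answers with ICMP Time Exceeded (type 11, code 0), and the target, where nothing listens on that port, answers the final probe with ICMP Port Unreachable (type 3, code 3). So the filter must pass outbound UDP to that high port range plus inbound ICMP 11/0 and 3/3; ICMP alone cannot work because the probes themselves never get out, which is what the question ran into. Loose source routing is not involved unless traceroute is invoked with -g. This is added code, not anything from the thread or from a traceroute implementation; addresses, hop lists and the names are constructed. It goes one step beyond the thread by also modelling Windows tracert, which probes with ICMP Echo and gets Echo Reply from the target, and it derives the least-privilege stateless rule set from the exchange rather than quoting one. The caveat a stateless rule set carries: inbound Time Exceeded from anywhere to anyone is admitted whether or not a probe was sent; a stateful filter instead matches the IP header quoted inside the ICMP payload to an outstanding probe.

```python
"""Which packets a stateless filter must pass for traceroute to work.
Added example; addresses and hop lists are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
ICMP_UNREACHABLE, CODE_PORT_UNREACHABLE = 3, 3   # target's answer to a UDP probe
ICMP_TIME_EXCEEDED = 11                          # each intermediate hop's answer
BASE_PORT = 33434                                # first UDP port UNIX traceroute probes


@dataclass(frozen=True)
class Packet:
    proto: str                               # "udp" or "icmp"
    src: str
    dst: str
    ttl: int = 64
    dport: Optional[int] = None              # udp only
    icmp: Optional[Tuple[int, int]] = None   # (type, code), icmp only


@dataclass(frozen=True)
class Rule:
    direction: str                                     # "out": inside->outside, "in": back
    proto: str
    dports: Optional[Tuple[int, int]] = None           # inclusive range, udp only
    icmp: Optional[Tuple[int, Optional[int]]] = None   # (type, code); code None = any


def traceroute_exchange(src, hops, target, probes=3, mode="udp"):
    """(probe, reply) pairs: `probes` probes per TTL, ports counting up from
    BASE_PORT; Time Exceeded from each hop; from the target, Port Unreachable
    (UDP probes, UNIX traceroute) or Echo Reply (ICMP probes, Windows tracert)."""
    pairs, n = [], 0
    for ttl, hop in enumerate(list(hops) + [target], start=1):
        for _ in range(probes):
            if mode == "udp":
                probe = Packet("udp", src, target, ttl, dport=BASE_PORT + n)
            else:
                probe = Packet("icmp", src, target, ttl, icmp=(ICMP_ECHO, 0))
            n += 1
            if hop != target:
                reply = Packet("icmp", hop, src, icmp=(ICMP_TIME_EXCEEDED, 0))
            elif mode == "udp":
                reply = Packet("icmp", target, src, icmp=(ICMP_UNREACHABLE, CODE_PORT_UNREACHABLE))
            else:
                reply = Packet("icmp", target, src, icmp=(ICMP_ECHO_REPLY, 0))
            pairs.append((probe, reply))
    return pairs


def rule_matches(rule, pkt, direction):
    if rule.direction != direction or rule.proto != pkt.proto:
        return False
    if pkt.proto == "udp":
        lo, hi = rule.dports
        return lo <= pkt.dport <= hi
    rtype, rcode = rule.icmp
    return pkt.icmp[0] == rtype and (rcode is None or pkt.icmp[1] == rcode)


def allows(rules, pkt, direction):
    return any(rule_matches(r, pkt, direction) for r in rules)


def exchange_passes(rules, pairs):
    """True only if every probe gets out and every reply gets back in."""
    return all(allows(rules, p, "out") and allows(rules, r, "in") for p, r in pairs)


def minimal_rules(pairs):
    """Least-privilege stateless rule set derived from an observed exchange."""
    rules = set()
    udp_ports = [p.dport for p, _ in pairs if p.proto == "udp"]
    if udp_ports:
        rules.add(Rule("out", "udp", dports=(min(udp_ports), max(udp_ports))))
    for probe, reply in pairs:
        if probe.proto == "icmp":
            rules.add(Rule("out", "icmp", icmp=probe.icmp))
        rules.add(Rule("in", "icmp", icmp=reply.icmp))
    return rules


def describe(rule):
    if rule.proto == "udp":
        return f"{rule.direction}: permit udp dst ports {rule.dports[0]}-{rule.dports[1]}"
    rtype, rcode = rule.icmp
    return f"{rule.direction}: permit icmp type {rtype}" + ("" if rcode is None else f" code {rcode}")


if __name__ == "__main__":
    pairs = traceroute_exchange("10.0.0.5", ["10.0.0.1", "192.0.2.1"], "198.51.100.7")
    for line in sorted(describe(r) for r in minimal_rules(pairs)):
        print(line)
    # What the question tried: ICMP only, nothing for UDP out. The probes never leave.
    icmp_only = {Rule("in", "icmp", icmp=(ICMP_TIME_EXCEEDED, 0)),
                 Rule("in", "icmp", icmp=(ICMP_UNREACHABLE, CODE_PORT_UNREACHABLE))}
    print("ICMP-only policy works for UNIX traceroute:", exchange_passes(icmp_only, pairs))
```

With the default of three probes per hop and a 30-hop limit, the derived UDP range for a full run is 33434 through 33523, which is the range most sites open; anything wider lets arbitrary UDP out.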
From firewalls-owner Sat Sep 7 01:29:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA24908 for firewalls-outgoing; Sat, 7 Sep 1996 01:11:25 -0700 (PDT) Received: from minotaur.labyrinth.net.au (minotaur.labyrinth.net.au [203.9.148.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA24878 for ; Sat, 7 Sep 1996 01:10:45 -0700 (PDT) Received: (from mail@localhost) by minotaur.labyrinth.net.au (8.7.2/8.7.2) id SAA23540 for ; Sat, 7 Sep 1996 18:09:51 +1000 (EST) X-Authentication-Warning: minotaur.labyrinth.net.au: mail set sender to using -f Received: from gate.quick.com.au(203.12.250.130) by minotaur.labyrinth.net.au via smap (V1.3) id sma023523; Sat Sep 7 18:09:40 1996 Received: (from sjg@localhost) by zen.quick.com.au (8.7.3/8.6.9) id SAA24731; Sat, 7 Sep 1996 18:09:34 +1000 (EST) Date: Sat, 7 Sep 1996 18:09:34 +1000 (EST) From: "Simon J. Gerraty" Message-Id: <199609070809.SAA24731@zen.quick.com.au> To: firewalls@greatcircle.com Subject: Re: options for proxying SSL traffic? Newsgroups: lists.firewalls References: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

junya@fsdirect.com writes:
>this? Are there people still doing homebrew FWTK/screend setups for large
>organizations?

Yes. A screened subnet is still the easiest way to accommodate a bunch of external WWW, ftp etc servers without compromising your security. Just because most fw vendors expect you to use their box as your connection, there is no reason you can't use gauntlet or fwtk bastion behind a router. The router may even be cheaper than the Nth ethernet on your vendor's fw box.
--sjg

From firewalls-owner Sat Sep 7 05:29:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA05483 for firewalls-outgoing; Sat, 7 Sep 1996 05:15:55 -0700 (PDT) Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA05476 for ; Sat, 7 Sep 1996 05:15:43 -0700 (PDT) Received: from localhost by nebula.online.ee (5.x/SMI-4.1) id AA25907; Sat, 7 Sep 1996 15:15:18 +0300 Organization: MicroLink OnLine Date: Sat, 7 Sep 1996 15:15:17 +0300 (EET DST) From: Jüri Kaljundi X-Sender: jk@nebula To: Firewalls@GreatCircle.COM Cc: Wayne.Gifford@East.Sun.COM Subject: Re: authenticated/encrypted sessions In-Reply-To: <199609061911.MAA13215@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Wayne.Gifford@East.Sun.COM (Wayne Gifford - Internet Commerce Group) wrote:
>> I want to set up authenticated and encrypted tunnels through a
>> firewall.
>> the rub, NO COMMERCIAL products allowed. My thoughts --
>> socks5 since I have to handle windows 3.1, win 95 and winNT apps
>> as well as Unix.
>
>Go to http://skip.incog.com and grab the SKIP source code and roll your
>own.

This might be the choice for US people, but everywhere else you must forget using any US products for encryption. The weak export versions only give people the false sense of security, while actually the products are easily breakable. Sun SKIP is nice for playing around, but not for real use. As far as I understand, this applies to most of the firewall products also, most of them are using either weak encryption or proprietary algorithms.

SSH (www.ssh.fi) is one strong product I know of, another possibility would be using SSLtelnet which is based on SSLeay library.

Juri Kaljundi
jk@stallion.ee

From firewalls-owner Sat Sep 7 06:29:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA07777 for firewalls-outgoing; Sat, 7 Sep 1996 06:11:03 -0700 (PDT) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA07770 for ; Sat, 7 Sep 1996 06:10:53 -0700 (PDT) From: Wayne.Gifford@East.Sun.COM Received: by mercury.Sun.COM (Sun.COM) id GAA16661; Sat, 7 Sep 1996 06:10:44 -0700 Received: from congress.East.Sun.COM by East.Sun.COM (5.x/SMI-5.3) id AA18602; Sat, 7 Sep 1996 09:10:41 -0400 Received: from world (hobo143.East.Sun.COM) by congress.East.Sun.COM (4.1/SMI-4.1) id AA01720; Sat, 7 Sep 96 09:10:37 EDT Date: Sat, 7 Sep 1996 09:10:37 -0400 (EDT) Reply-To: Subject: Re: authenticated/encrypted sessions To: Jüri Kaljundi Cc: Firewalls@GreatCircle.COM In-Reply-To: "Your message with ID" Message-Id: Content-Type: text X-Sun-Text-Type: ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

=
=> >
=> >Go to http://skip.incog.com and grab the SKIP source code and roll your
=> >own.
=> => This might be the choice for US people, but everywhere else you must => forget using any US products for encryption. The weak export versions only => give people the false sense of security, while actually the products are => easily breakable. Sun SKIP is nice for playing around, but not for real => use. As far as I understand, this applies to most of the firewall products => also, most of them are using either weak encryption or proprietary => algorithms. => => SSH (www.ssh.fi) is one strong product I know of, another possibility => would be using SSLtelnet which is based on SSLeay library. => => Juri Kaljundi => jk@stallion.ee Yes, the export control laws are a pain (although I do want to get business cards that have my title as "International Munitions Dealer") Well, I'm sorry. I should have pointed at the international location for SKIP sources as well. SKIP is a protocol so there isn't any way the US can prevent people from implementing their own versions. You can also find SKIP source at the Swiss Federal Institute of Technology http://www.tik.ee.ethz.ch/~skip/ Or buy a commercial version from Sasha @ Elvis+ in Moscow http://elvis.ru/skip If you are really into it you can write your own implementation from the ietf drafts at http://skip.incog.com/drafts/draft-ietf-ipsec-skip-07.txt If you write your own, you can use whatever key length you like and use the encryption algorithm of choice. 
giff => From firewalls-owner Sat Sep 7 07:59:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA11005 for firewalls-outgoing; Sat, 7 Sep 1996 07:50:57 -0700 (PDT) Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA10998 for ; Sat, 7 Sep 1996 07:50:47 -0700 (PDT) Received: from progpc11.central.oa by typhoon.dial.pipex.net (8.7.5/) id PAA19010; Sat, 7 Sep 1996 15:50:18 +0100 (BST) Message-Id: <199609071450.PAA19010@typhoon.dial.pipex.net> Comments: Authenticated sender is From: "Ben Goodyear" Organization: Carlton UK Television To: firewalls@greatcircle.com Date: Sat, 7 Sep 1996 15:55:55 +0000 Subject: Address Translation problem X-mailer: Pegasus Mail for Windows (v2.23) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hiya, I'm using Firewall-1 address translation to hide our network behind the firewall - that works fine but I can't get to the Mail machine on our internal network. I've used the source static and destination static rules for the address of the mail machine, done the proxy arp, but it doesn't work. By using the "snoop" command I've discovered the mail machine can send things through the firewall, but the responses don't make it back - they just get dropped by the firewall - without even a log entry. It was suggested I need to add a static host route to the firewall from the translated address to the real address of the mail machine - however I can't do this as it's not a "directly connected network" - so I get a Network Unreachable message from the route command. I tried adding the next hop network instead but that doesn't work either. The address of the mail machine isn't covered by the other hide rules. Any suggestions? I'm really stuck on this one. 
Regards,
Ben

From firewalls-owner Sat Sep 7 10:48:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15364 for firewalls-outgoing; Sat, 7 Sep 1996 10:39:15 -0700 (PDT) Received: from netvigator.com (imsp004.netvigator.com [205.252.144.228]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA15356 for ; Sat, 7 Sep 1996 10:39:05 -0700 (PDT) Received: from whost by netvigator.com (SMI-8.6/SMI-SVR4) id BAA19374; Sun, 8 Sep 1996 01:32:21 +0800 Message-ID: <3231B2AB.24D9@netvigator.com> Date: Sun, 08 Sep 1996 01:36:43 +0800 From: eric chan Reply-To: eric.chan@netvigator.com Organization: Hongkong Telecom IMS X-Mailer: Mozilla 3.0b6Gold (Win95; I) MIME-Version: 1.0 To: Henk Baert CC: Firewalls Mailing List Subject: Re: Sendmail Configuration- References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Henk Baert wrote:
>
> VAN LAERE
> MEMO Date :
> 28-08-1996
> Subject : Sendmail Configuration
>
> Hi,
>
> I am trying to set up my sendmail configuration so that all outgoing mail has
> an origin as user@domainname (instead of user@hostname.domainname).
>
> I tried to figure it out myself, but don't get it completely right. The
> problem is in Rulesets 10/11 and 20/21 that decode sending addresses.
>
> Any suggestion to code it correctly ?
>
> Thanks a lot.
>
> Henk Baert
> (henk.baert@vanlaere.be)

Check your DNS record for the domain you are talking about, especially the MX setting.
Eric From firewalls-owner Sat Sep 7 10:59:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15482 for firewalls-outgoing; Sat, 7 Sep 1996 10:47:22 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA15475 for ; Sat, 7 Sep 1996 10:47:11 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA03534; Sat, 7 Sep 1996 12:12:25 -0400 Date: Sat, 7 Sep 1996 12:12:21 -0400 (EDT) From: Rabid Wombat To: Russ cc: "'Firewalls'" Subject: Re: Building a monitoring system In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Sep 1996, Russ wrote: > Howdy folks, > > I'm going to take the plunge into Unix by way of building a monitoring > system that would be dedicated to the task of reporting the actions of > the other machines on my very small network. Given my limited Unix > background, I figured the best way to approach this would be to ask > y'all what this box should be. > I already dropped Russ more detail off list, but here's my favorite url for UNIX tools: ftp://coast.cs.purdue.edu/pub/tools/unix/ Welcome to the Dark Side(tm), Russ. - r.w. 
From firewalls-owner Sat Sep 7 12:59:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA22447 for firewalls-outgoing; Sat, 7 Sep 1996 12:51:12 -0700 (PDT)
Received: from menger.eecs.stevens-tech.edu (menger.eecs.stevens-tech.edu [155.246.89.81]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA22411 for ; Sat, 7 Sep 1996 12:50:55 -0700 (PDT)
Received: from home.spfld.com (amullick.u97.stevens-tech.edu [155.246.216.20]) by menger.eecs.stevens-tech.edu (8.7.5/8.7.3) with ESMTP id PAA20042 for ; Sat, 7 Sep 1996 15:50:31 -0400 (EDT)
Received: from localhost (apu@localhost) by home.spfld.com (8.7.6/8.7.3) with SMTP id PAA10516 for ; Sat, 7 Sep 1996 15:47:46 -0400
X-Authentication-Warning: home.spfld.com: apu owned process doing -bs
Date: Sat, 7 Sep 1996 15:47:46 -0400 (EDT)
From: Apu
To: Firewalls mailing list
Subject: Vulnerability from Internet of non-IP hosts?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Am I missing something obvious, or am I correct in believing that a machine (Mac & Windows clients, Netware & OS/2-based Notes servers) that is not configured to accept IP cannot be subverted via an IP-only WAN connection (Internet connection)? The machines in question would be running any or all of IPX, AppleTalk and "NetBoo-y" ...

I'm also excluding the vulnerability posed by an IP-based attack on a machine which speaks IP but also communicates with the non-IP machine via one of these other protocols, as well as simple denial-of-service attacks based on just saturating a network link to make it unusable.

(If it makes a difference, the situation would be using a Cisco router with an IP-only feature set, so one could even mess with the router in terms of the other protocols.)
_ | | |-| | |pu

From firewalls-owner Sat Sep 7 16:36:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA02230 for firewalls-outgoing; Sat, 7 Sep 1996 16:15:15 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id QAA02188 for firewalls@greatcircle.com; Sat, 7 Sep 1996 16:14:59 -0700 (PDT)
Received: from mtigwc01.worldnet.att.net (mailhost.worldnet.att.net [204.127.129.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA19680 for ; Fri, 6 Sep 1996 16:38:16 -0700 (PDT)
Received: from default ([207.116.35.238]) by mtigwc01.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAA24721 for ; Fri, 6 Sep 1996 23:38:05 +0000
Message-ID: <3230B604.5886@worldnet.att.net>
Date: Fri, 06 Sep 1996 19:38:44 -0400
From: "Safi H. Newman"
X-Mailer: Mozilla 2.01E (Win95; U)
MIME-Version: 1.0
To: Firewalls@GreatCircle.com
Subject: NT Security
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In response to Duncan C. Kinder's request for information about NT-based security, there is an NT Security listserv. Send an e-mail to Majordomo@iss.net; no subject; the message should read "subscribe NT Security".

Safi H.
Newman
shnewman@worldnet.att.net

From firewalls-owner Sat Sep 7 16:44:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA04348 for firewalls-outgoing; Sat, 7 Sep 1996 16:39:19 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id QAA01920 for firewalls@greatcircle.com; Sat, 7 Sep 1996 16:12:08 -0700 (PDT)
Received: from gate.abacus.ch (gate.abacus.ch [193.246.120.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA11905 for ; Fri, 6 Sep 1996 01:29:18 -0700 (PDT)
Received: from caliban.abacus.ch ([192.168.0.2]) by gate.abacus.ch via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 6 Sep 1996 10:32:47 UT
Received: from cc:Mail (PU Serial #1590) by caliban.abacus.ch (PostalUnion/SMTP(tm) v2.1.9c for Windows NT(tm)) id AA-1996Sep06.092823.1590.10676; Fri, 06 Sep 1996 09:30:48 GMT
From: Felber@abacus.ch (Hubert Felber)
To: firewalls@greatcircle.com
Message-ID: <1996Sep06.092823.1590.10676@caliban.abacus.ch>
X-Conversion-ID:
X-Mailer: cc:Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Organization: ABACUS Research AG
Date: Fri, 06 Sep 1996 09:30:48 GMT
Subject: curious traceroute
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Can anyone explain the following traceroute to me?

1. question: the last 3 addresses are private Internet addresses. Why do I see them in the list?

2. Why is the station 194.209.14.36 not in the list?

Tracing the route to 194.209.14.36

 1 SWISG1-S4.SWITCH.CH (130.59.195.2) 16 msec 16 msec 12 msec
 2 SWIEZ7-S5-3.SWITCH.CH (130.59.32.2) 20 msec 20 msec 20 msec
 3 SWIEG1-F0-0.SWITCH.CH (130.59.20.211) 16 msec 16 msec 20 msec
 4 ZH00-SRL0.UNISOURCE.CH (193.246.104.130) 24 msec 28 msec 20 msec
 5 ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
   ZH11-ETH0.UNISOURCE.CH (164.128.44.37) 20 msec
   ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
 6 164.128.41.66 36 msec 32 msec
   164.128.41.70 64 msec
 7 164.128.45.35 32 msec * 64 msec
 8 192.168.1.1 36 msec 32 msec 68 msec
 9 10.0.1.58 128 msec 116 msec 76 msec
10 192.168.2.42 !H !H !H

---
Hubert Felber (felber@abacus.ch)
ABACUS Research AG
9006 St. Gallen, Switzerland
Phone +41 71 243 35 11
Fax +41 71 243 35 00

From firewalls-owner Sat Sep 7 17:59:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10312 for firewalls-outgoing; Sat, 7 Sep 1996 17:50:50 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA10294 for ; Sat, 7 Sep 1996 17:50:39 -0700 (PDT)
Received: from ragans-compaq (mtv2-dynamic227.ins.com [199.0.193.227]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id RAA26114; Sat, 7 Sep 1996 17:43:35 -0700 (PDT)
Message-Id: <3.0b11.32.19960907194030.009b28c4@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Sat, 07 Sep 1996 19:40:33 -0500
To: Henk Baert
From: Charles Ragan
Subject: Re: Sendmail Configuration-
Cc: Firewalls Mailing List
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try this kool tool.
http://www.completeis.com/sendmail/

Charles

At 01:36 AM 9/8/96 +0800, eric chan wrote:
>Henk Baert wrote:
>>
>> VAN LAERE
>> MEMO Date: 28-08-1996
>> Subject: Sendmail Configuration
>>
>> Hi,
>>
>> I am trying to set up my sendmail configuration so that all outgoing mail has
>> an origin of user@domainname (instead of user@hostname.domainname).
>>
>> I tried to figure it out myself, but don't get it completely right. The
>> problem is in Rulesets 10/11 and 20/21 that decode sending addresses.
>>
>> Any suggestion on how to code it correctly?
>>
>> Thanks a lot.
>>
>> Henk Baert
>> (henk.baert@vanlaere.be)
>
>Check your DNS records for the domain you are talking about, especially
>the MX setting.
>
>Eric
>
>

-----------------------------------------------------
Charles B. Ragan, Jr.                International Network Services
(214) 392-3545                       14160 Dallas Parkway Suite 200
Charles_Ragan@ins.com                Dallas, TX 75040
Cisco Certified IE (CCIE)            Text Page - 1-800-INS-1-INS
Master CNE                           Direct Page - 1-888-360-5812
Microsoft SE
Certified Banyan Engineer            "Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Sat Sep 7 18:14:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10087 for firewalls-outgoing; Sat, 7 Sep 1996 17:42:03 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA09949 for ; Sat, 7 Sep 1996 17:41:32 -0700 (PDT)
Received: from ragans-compaq (mtv2-dynamic227.ins.com [199.0.193.227]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id RAA25689; Sat, 7 Sep 1996 17:41:15 -0700 (PDT)
Message-Id: <3.0b11.32.19960907193809.006d3b20@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Sat, 07 Sep 1996 19:38:13 -0500
To: Felber@abacus.ch (Hubert Felber), firewalls@GreatCircle.COM
From: Charles Ragan
Subject: Re: curious traceroute
Cc:
bridge@DIAL-SWITCH.CH
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It appears that someone is leaking. What is consistent between yours and mine is:

Tracing route to 194.209.14.36 over a maximum of 30 hops

 11   464 ms   333 ms   334 ms  UBN-gw5.ALTER.NET [137.39.129.26]
 12   357 ms   342 ms   330 ms  zh11-eth0.unisource.ch [164.128.44.37]
 13   442 ms   369 ms   438 ms  164.128.41.70
 14   440 ms     *      396 ms  164.128.45.35
 15   362 ms   368 ms   471 ms  192.168.1.1
 16   479 ms   395 ms   374 ms  10.0.1.58
 17  192.168.2.42  reports: Destination host unreachable.

Unisource Business Networks (Schweiz) AG (NET-UBN-CH)
   Schermenwaldstrasse 13
   CH-3063 Ittigen

   Netname: UBN-CH
   Netnumber: 164.128.0.0

   Coordinator:
      Bridge, Philip  (PB334)  bridge@DIAL-SWITCH.CH
      +41 31 688 8262 (FAX) +41 31 688 8152

   Domain System inverse mapping provided by:

   UBNSRV.UNISOURCE.CH          164.128.36.34
   SCSNMS.SWITCH.CH             130.59.1.30

   Record last updated on 13-Jun-95.

At 09:30 AM 9/6/96 GMT, Hubert Felber wrote:
> Hi,
> Can anyone explain the following traceroute to me?
> 1. question: the last 3 addresses are private Internet addresses. Why do I see them in the list?
> 2. Why is the station 194.209.14.36 not in the list?
> Tracing the route to 194.209.14.36
>  1 SWISG1-S4.SWITCH.CH (130.59.195.2) 16 msec 16 msec 12 msec
>  2 SWIEZ7-S5-3.SWITCH.CH (130.59.32.2) 20 msec 20 msec 20 msec
>  3 SWIEG1-F0-0.SWITCH.CH (130.59.20.211) 16 msec 16 msec 20 msec
>  4 ZH00-SRL0.UNISOURCE.CH (193.246.104.130) 24 msec 28 msec 20 msec
>  5 ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
>    ZH11-ETH0.UNISOURCE.CH (164.128.44.37) 20 msec
>    ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
>  6 164.128.41.66 36 msec 32 msec
>    164.128.41.70 64 msec
>  7 164.128.45.35 32 msec * 64 msec
>  8 192.168.1.1 36 msec 32 msec 68 msec
>  9 10.0.1.58 128 msec 116 msec 76 msec
> 10 192.168.2.42 !H !H !H
>---
>Hubert Felber (felber@abacus.ch)
>ABACUS Research AG
>9006 St. Gallen, Switzerland
>Phone +41 71 243 35 11
>Fax +41 71 243 35 00
>
>

-----------------------------------------------------
Charles B. Ragan, Jr.                International Network Services
(214) 392-3545                       14160 Dallas Parkway Suite 200
Charles_Ragan@ins.com                Dallas, TX 75040
Cisco Certified IE (CCIE)            Text Page - 1-800-INS-1-INS
Master CNE                           Direct Page - 1-888-360-5812
Microsoft SE
Certified Banyan Engineer            "Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Sat Sep 7 22:29:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA21947 for firewalls-outgoing; Sat, 7 Sep 1996 22:23:09 -0700 (PDT)
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA21938 for ; Sat, 7 Sep 1996 22:22:57 -0700 (PDT)
From: Barney Wolff
To: firewalls@GreatCircle.COM
Date: Sun, 8 Sep 1996 01:12 EDT
Subject: Re: curious traceroute
Content-Type: text/plain
Message-ID: <323258270.546d@databus.databus.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe that this is not a leak, but simply somebody using the private space for network infrastructure. On the one hand, this has the major advantage that outsiders cannot attack your routers. On the other, either you must suppress the ICMP TTL-exceeded packets from those routers, resulting in a false appearance of an outage in your network, or allow them out, with the result that outsiders send queries to the firewalls list :-)

I tend to favor the idea, although I have not actually done it.

Barney Wolff

> Date: Sat, 07 Sep 1996 19:38:13 -0500
> To: Felber@abacus.ch (Hubert Felber), firewalls@GreatCircle.COM
> From: Charles Ragan
> Subject: Re: curious traceroute
> Cc: bridge@DIAL-SWITCH.CH
> Content-Length: 2661
>
> It appears that someone is leaking.
> What is consistent between yours and mine is:
>
> Tracing route to 194.209.14.36 over a maximum of 30 hops
>
>  11   464 ms   333 ms   334 ms  UBN-gw5.ALTER.NET [137.39.129.26]
>  12   357 ms   342 ms   330 ms  zh11-eth0.unisource.ch [164.128.44.37]
>  13   442 ms   369 ms   438 ms  164.128.41.70
>  14   440 ms     *      396 ms  164.128.45.35
>  15   362 ms   368 ms   471 ms  192.168.1.1
>  16   479 ms   395 ms   374 ms  10.0.1.58
>  17  192.168.2.42  reports: Destination host unreachable.
>
> Unisource Business Networks (Schweiz) AG (NET-UBN-CH)
>    Schermenwaldstrasse 13
>    CH-3063 Ittigen
>
>    Netname: UBN-CH
>    Netnumber: 164.128.0.0
>
>    Coordinator:
>       Bridge, Philip  (PB334)  bridge@DIAL-SWITCH.CH
>       +41 31 688 8262 (FAX) +41 31 688 8152
>
>    Domain System inverse mapping provided by:
>
>    UBNSRV.UNISOURCE.CH          164.128.36.34
>    SCSNMS.SWITCH.CH             130.59.1.30
>
>    Record last updated on 13-Jun-95.
>
> At 09:30 AM 9/6/96 GMT, Hubert Felber wrote:
> > Hi,
> > Can anyone explain the following traceroute to me?
> > 1. question: the last 3 addresses are private Internet addresses. Why do I see them in the list?
> > 2. Why is the station 194.209.14.36 not in the list?
> > Tracing the route to 194.209.14.36
> >  1 SWISG1-S4.SWITCH.CH (130.59.195.2) 16 msec 16 msec 12 msec
> >  2 SWIEZ7-S5-3.SWITCH.CH (130.59.32.2) 20 msec 20 msec 20 msec
> >  3 SWIEG1-F0-0.SWITCH.CH (130.59.20.211) 16 msec 16 msec 20 msec
> >  4 ZH00-SRL0.UNISOURCE.CH (193.246.104.130) 24 msec 28 msec 20 msec
> >  5 ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
> >    ZH11-ETH0.UNISOURCE.CH (164.128.44.37) 20 msec
> >    ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
> >  6 164.128.41.66 36 msec 32 msec
> >    164.128.41.70 64 msec
> >  7 164.128.45.35 32 msec * 64 msec
> >  8 192.168.1.1 36 msec 32 msec 68 msec
> >  9 10.0.1.58 128 msec 116 msec 76 msec
> > 10 192.168.2.42 !H !H !H
> >---
> >Hubert Felber (felber@abacus.ch)
> >ABACUS Research AG
> >9006 St. Gallen, Switzerland
> >Phone +41 71 243 35 11
> >Fax +41 71 243 35 00
> >
> >
> >
> -----------------------------------------------------
> Charles B. Ragan, Jr.                International Network Services
> (214) 392-3545                       14160 Dallas Parkway Suite 200
> Charles_Ragan@ins.com                Dallas, TX 75040
> Cisco Certified IE (CCIE)            Text Page - 1-800-INS-1-INS
> Master CNE                           Direct Page - 1-888-360-5812
> Microsoft SE
> Certified Banyan Engineer            "Semper Fi" - USMC Retired
> -----------------------------------------------------
>
>
>

From firewalls-owner Sun Sep 8 00:14:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA27591 for firewalls-outgoing; Sun, 8 Sep 1996 00:02:44 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA27578 for ; Sun, 8 Sep 1996 00:02:29 -0700 (PDT)
Received: from chrpc.ins.com (mtv2-dynamic227.ins.com [199.0.193.227]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id AAA00540; Sun, 8 Sep 1996 00:02:09 -0700 (PDT)
Message-Id: <3.0b11.32.19960908015903.00754e14@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Sun, 08 Sep 1996 01:59:06 -0500
To: Barney Wolff, firewalls@GreatCircle.COM
From: Charles Ragan
Subject: Re: curious traceroute
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To me, it's a leak. ANYTHING sourced from the private address space in RFC 1918 on the 'outside' is a leak. You can read more about it here:

http://compute.merit.edu/help.html

A Cisco example provided by Paul Vixie on compute.merit.edu to 'help' block these addresses, among others:
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any

Charles

At 01:12 AM 9/8/96 EDT, Barney Wolff wrote:
>I believe that this is not a leak, but simply somebody using the private
>space for network infrastructure. On the one hand, this has the major
>advantage that outsiders cannot attack your routers. On the other, either
>you must suppress the ICMP TTL-exceeded packets from those routers,
>resulting in a false appearance of an outage in your network, or allow
>them out, with the result that outsiders send queries to the firewalls
>list :-)
>
>I tend to favor the idea, although I have not actually done it.
>
>Barney Wolff
>
>> Date: Sat, 07 Sep 1996 19:38:13 -0500
>> To: Felber@abacus.ch (Hubert Felber), firewalls@GreatCircle.COM
>> From: Charles Ragan
>> Subject: Re: curious traceroute
>> Cc: bridge@DIAL-SWITCH.CH
>> Content-Length: 2661
>>
>> It appears that someone is leaking.
>> What is consistent between yours and mine is:
>>
>> Tracing route to 194.209.14.36 over a maximum of 30 hops
>>
>>  11   464 ms   333 ms   334 ms  UBN-gw5.ALTER.NET [137.39.129.26]
>>  12   357 ms   342 ms   330 ms  zh11-eth0.unisource.ch [164.128.44.37]
>>  13   442 ms   369 ms   438 ms  164.128.41.70
>>  14   440 ms     *      396 ms  164.128.45.35
>>  15   362 ms   368 ms   471 ms  192.168.1.1
>>  16   479 ms   395 ms   374 ms  10.0.1.58
>>  17  192.168.2.42  reports: Destination host unreachable.
>>
>> Unisource Business Networks (Schweiz) AG (NET-UBN-CH)
>>    Schermenwaldstrasse 13
>>    CH-3063 Ittigen
>>
>>    Netname: UBN-CH
>>    Netnumber: 164.128.0.0
>>
>>    Coordinator:
>>       Bridge, Philip  (PB334)  bridge@DIAL-SWITCH.CH
>>       +41 31 688 8262 (FAX) +41 31 688 8152
>>
>>    Domain System inverse mapping provided by:
>>
>>    UBNSRV.UNISOURCE.CH          164.128.36.34
>>    SCSNMS.SWITCH.CH             130.59.1.30
>>
>>    Record last updated on 13-Jun-95.
>>
>> At 09:30 AM 9/6/96 GMT, Hubert Felber wrote:
>> > Hi,
>> > Can anyone explain the following traceroute to me?
>> > 1. question: the last 3 addresses are private Internet addresses. Why do I see them in the list?
>> > 2. Why is the station 194.209.14.36 not in the list?
>> > Tracing the route to 194.209.14.36
>> >  1 SWISG1-S4.SWITCH.CH (130.59.195.2) 16 msec 16 msec 12 msec
>> >  2 SWIEZ7-S5-3.SWITCH.CH (130.59.32.2) 20 msec 20 msec 20 msec
>> >  3 SWIEG1-F0-0.SWITCH.CH (130.59.20.211) 16 msec 16 msec 20 msec
>> >  4 ZH00-SRL0.UNISOURCE.CH (193.246.104.130) 24 msec 28 msec 20 msec
>> >  5 ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
>> >    ZH11-ETH0.UNISOURCE.CH (164.128.44.37) 20 msec
>> >    ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
>> >  6 164.128.41.66 36 msec 32 msec
>> >    164.128.41.70 64 msec
>> >  7 164.128.45.35 32 msec * 64 msec
>> >  8 192.168.1.1 36 msec 32 msec 68 msec
>> >  9 10.0.1.58 128 msec 116 msec 76 msec
>> > 10 192.168.2.42 !H !H !H
>> >---
>> >Hubert Felber (felber@abacus.ch)
>> >ABACUS Research AG
>> >9006 St. Gallen, Switzerland
>> >Phone +41 71 243 35 11
>> >Fax +41 71 243 35 00
>> >
>> >
>> >
>> -----------------------------------------------------
>> Charles B. Ragan, Jr.                International Network Services
>> (214) 392-3545                       14160 Dallas Parkway Suite 200
>> Charles_Ragan@ins.com                Dallas, TX 75040
>> Cisco Certified IE (CCIE)            Text Page - 1-800-INS-1-INS
>> Master CNE                           Direct Page - 1-888-360-5812
>> Microsoft SE
>> Certified Banyan Engineer            "Semper Fi" - USMC Retired
>> -----------------------------------------------------
>>
>>
>>
>
>

-----------------------------------------------------
Charles B. Ragan, Jr.                International Network Services
(214) 392-3545                       14160 Dallas Parkway Suite 200
Charles_Ragan@ins.com                Dallas, TX 75040
Cisco Certified IE (CCIE)            Text Page - 1-800-INS-1-INS
Master CNE                           Direct Page - 1-888-360-5812
Microsoft SE
Certified Banyan Engineer            "Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Sun Sep 8 00:59:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA29685 for firewalls-outgoing; Sun, 8 Sep 1996 00:54:29 -0700 (PDT)
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA29667 for ; Sun, 8 Sep 1996 00:54:20 -0700 (PDT)
From: Barney Wolff
To: firewalls@GreatCircle.COM
Date: Sun, 8 Sep 1996 03:44 EDT
Subject: Re: curious traceroute
Content-Type: text/plain
Message-ID: <32327ba20.568c@databus.databus.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Sun, 08 Sep 1996 01:59:06 -0500
> To: Barney Wolff, firewalls@GreatCircle.COM
> From: Charles Ragan
> Subject: Re: curious traceroute
> Content-Length: 5517
>
> To me, it's a leak. ANYTHING sourced from the private address space in
> rfc1918 on the 'outside' is a leak.

Please describe what harm has been done.
Routes to the private space have not been advertised, after all. A connection of any sort has not been attempted with those addresses as source or destination. I do understand that RFC 1918 says that packets with those addresses shall not be transferred across inter-enterprise links. I do not understand what harm will be caused by a TTL-exceeded packet from such an address, and would welcome enlightenment.

Barney Wolff

From firewalls-owner Sun Sep 8 02:29:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA06667 for firewalls-outgoing; Sun, 8 Sep 1996 02:08:20 -0700 (PDT)
Received: from guardian.colonial.com.au (guardian.colonial.com.au [140.168.249.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA06661 for ; Sun, 8 Sep 1996 02:08:03 -0700 (PDT)
Received: by guardian.colonial.com.au; id TAA28524; Sun, 8 Sep 1996 19:07:54 +1000
Received: from norman.cmutual.com.au(140.168.8.9) by guardian.colonial.com.au via smap (g3.0.1) id sma028522; Sun, 8 Sep 96 19:07:50 +1000
Received: from mailgw.sbnsw.com.au ([140.168.11.10]) by norman.cmutual.com.au (post.office MTA v1.9.3 ID# 0-12362) with SMTP id AAA17850 for ; Sun, 8 Sep 1996 19:07:49 +1100
Received: by mailgw.sbnsw.com.au; Sun, 8 Sep 96 19:12:18 +1000
Date: Sun, 8 Sep 96 19:12:18 +60000
Message-ID:
X-Priority: 3 (Normal)
To:
From:
Subject: Undeliverable Message
X-Incognito-SN: 606
X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To:
Cc:
Subject: Firewalls-Digest V5 #499

Message not delivered to recipients below. Press F1 for help with VNM error codes.

VNM3043: Paul Moen@Security@EDP

VNM3043 -- MAILBOX IS FULL
The message cannot be delivered because the recipient's mailbox contains the maximum number of messages, as set by the system administrator. The recipient must delete some messages before any other messages can be delivered. The maximum message limit for a user's mailbox is 10,000.
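Editor's added example for the "curious traceroute" thread above; it is not code from Charles Ragan, Barney Wolff or anyone else on the list. It re-implements how IOS evaluates an extended access list of the form quoted above (source, source wildcard, destination, destination wildcard, plus the `host` and `any` shorthands; first match wins; implicit deny at the end), and it is general enough to evaluate any `ip` entry of that shape, not only the posted ones. It then runs the quoted list against the hop addresses from Hubert Felber's traceroute (constructed here from the posted output) and renders what Barney Wolff describes: once the private-space sources are dropped at the receiving end, those hops show up as `*`. Two assumptions are marked in the code. The tracing host is taken to be 193.246.120.4 (gate.abacus.ch from the Received: headers; the real probe source is not on the page), since the ICMP time-exceeded replies being filtered are addressed to it. And the intended destination field of the posted deny lines is taken to be `any`: as transcribed, the fourth and fifth fields (`255.0.0.0 0.255.255.255`, `255.240.0.0 0.15.255.255`, and so on) are the subnet masks of the source prefixes, which IOS reads as destination prefixes that a reply sent to an ordinary host will never match.

```python
"""IOS extended-ACL evaluation against the traceroute posted in this thread.

Editor's example, not code from any poster. Implements
  access-list N deny|permit ip SRC SRC-WILD DST DST-WILD
with the 'host'/'any' shorthands, first match wins, implicit deny at the end.
"""
import ipaddress

# The access list exactly as quoted by Charles Ragan.
ACL_AS_POSTED = """\
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any
"""

# Hop addresses constructed from Hubert Felber's traceroute (first responder per hop).
TRACEROUTE_HOPS = [
    (1, "130.59.195.2"), (2, "130.59.32.2"), (3, "130.59.20.211"),
    (4, "193.246.104.130"), (5, "164.128.44.38"), (6, "164.128.41.66"),
    (7, "164.128.45.35"), (8, "192.168.1.1"), (9, "10.0.1.58"),
    (10, "192.168.2.42"),
]
# ASSUMPTION: the host that ran the trace (gate.abacus.ch from the headers). The ICMP
# time-exceeded replies being filtered are addressed to it.
TRACER = "193.246.120.4"

ANY = (0, 0xFFFFFFFF)  # (base, wildcard): every bit is a don't-care
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True only for the three RFC 1918 blocks (narrower than ipaddress's is_private)."""
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918)


def parse_term(tokens, i):
    """Read one address term at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns ((base, wildcard), index of the next unread token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def term_matches(term, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    base, wildcard = term
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def parse_acl(text):
    """Return [(action, src_term, dst_term)] in configured order (ip entries only)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = parse_term(tokens, 4)
        dst, _ = parse_term(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries


def acl_decision(entries, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, s, d in entries:
        if term_matches(s, src) and term_matches(d, dst):
            return action
    return "deny"


def widen_destinations(entries):
    """ASSUMPTION about the posted list's intent: each source-specific deny was meant to
    match any destination. As transcribed, its destination fields are the subnet masks of
    the source prefix (255.0.0.0/8, 255.240.0.0/12, ...), which match almost nothing.
    The 'any -> 255.255.255.128/25' entry is left alone: widening it would deny
    everything ahead of the final permit."""
    return [(a, s, ANY if (a == "deny" and s != ANY) else d) for a, s, d in entries]


def render_traceroute(entries, hops, tracer):
    """The trace as the tracing host sees it with `entries` as its ingress filter: a
    time-exceeded reply whose source is denied never arrives, so that hop prints as '*'."""
    out = []
    for ttl, router in hops:
        shown = router if acl_decision(entries, router, tracer) == "permit" else "*"
        out.append(f"{ttl} {shown}")
    return out


if __name__ == "__main__":
    posted = parse_acl(ACL_AS_POSTED)
    print("RFC 1918 hops:   ", [ttl for ttl, r in TRACEROUTE_HOPS if is_rfc1918(r)])
    print("as transcribed:  ", render_traceroute(posted, TRACEROUTE_HOPS, TRACER))
    print("destination any: ", render_traceroute(widen_destinations(posted), TRACEROUTE_HOPS, TRACER))
```

Run as a script it prints the hop list both ways: with the list as transcribed every hop is permitted, and only with the destination widened to `any` do hops 8 to 10 turn into `*`. On a real router the equivalent check is the hit counters in `show access-lists`: a filter whose deny lines never increment is not doing what the comment next to it claims.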
The default message limit is 1000 messages. Administrators can set message limits using the Mailbox Settings function available in the Manage User menu (MUSER). When a user's mailbox reaches the limit, the user must delete some of the messages before the mailbox can accept any more incoming messages.

---------------------- Original Message Follows ----------------------

The original message was larger than the viewing area. It cannot be displayed as is. Therefore, it has been stored in the file `mail.txt'. Please view this file in order to read the message. Thank you.

From firewalls-owner Sun Sep 8 02:44:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA07261 for firewalls-outgoing; Sun, 8 Sep 1996 02:28:31 -0700 (PDT)
Received: from hq.si.net (hq.si.net [192.156.192.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA07254 for ; Sun, 8 Sep 1996 02:28:24 -0700 (PDT)
Received: (from mlu@localhost) by hq.si.net (8.7.3/8.7.3) id FAA23173 for firewalls@GreatCircle.COM; Sun, 8 Sep 1996 05:31:20 -0400 (EDT)
Date: Sun, 8 Sep 1996 05:31:20 -0400 (EDT)
From: Ming Lu
Message-Id: <199609080931.FAA23173@hq.si.net>
To: firewalls@GreatCircle.COM
Subject: wu-ftpd question
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all:

I know that this forum is exactly the right place to put this question, but I don't really know where to ask for help...

I am setting up an anonymous ftp server which is using wu-ftpd as the daemon. I am trying to let the ftp server pop up some messages whenever someone logs into the server. Does anyone out there know how to do it? Any help will be greatly appreciated.

Thanks in advance.
Ming

From firewalls-owner Sun Sep 8 02:56:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA06713 for firewalls-outgoing; Sun, 8 Sep 1996 02:09:26 -0700 (PDT)
Received: from charon.freport.wa.gov.au (charon.freport.wa.gov.au [203.60.15.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA06669 for ; Sun, 8 Sep 1996 02:08:38 -0700 (PDT)
Received: (from smap@localhost) by charon.freport.wa.gov.au (8.7.5/8.7.3) id RAA27214 for ; Sun, 8 Sep 1996 17:08:19 +0800 (WST)
Received: from unknown(192.168.22.11) by charon via smap (V1.3) id sma027212; Sun Sep 8 17:08:10 1996
Received: (from baldo_d@localhost) by wol.freport.wa.gov.au (8.7.5/8.7.3) id RAA07604 for firewalls@greatcircle.com; Sun, 8 Sep 1996 17:06:52 +0800 (WST)
From: Daniel Baldoni
Message-Id: <199609080906.RAA07604@wol.freport.wa.gov.au>
Subject: Oddly changing FW-1 files
To: firewalls@greatcircle.com
Date: Sun, 8 Sep 1996 17:06:51 +0800 (WST)
Organisation: Fremantle Port Authority
X-URI: http://www.freport.wa.gov.au/dept/isb/daniel.html
X-Mailer: ELM [version 2.4ME+ PL24 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

G'day folks,

A regular TripWire check across our bastion has shown a change in a file I can't explain, and I was wondering if anybody out there can help me nail down a cause (hopefully, other than an intruder).

The file in question is modules/fwmod.5.3.o under the Firewall-1 installation. At approximately the indicated file-change time, the Firewall-1 license was upgraded, but our operations staff have not listed that file in their regular TripWire reports to me (and the new license went in about 2 weeks ago).

So, can anybody out there shed some light on this?

Thanks in advance.
-----------------------------------------------------+-------------------------
Phone: +61-9-430-3439                                | Systems Administrator
FAX:   +61-9-439-3431                                | Fremantle Port Authority
URL:   http://www.freport.wa.gov.au/dept/isb/daniel  | 1 Cliff Street
-----------------------------------------------------+ Fremantle
#include                                             | Western Australia, 6160
-----------------------------------------------------+-------------------------
"Any time there's something so ridiculous (...) that no rational systems
programmer would even consider trying it, they send for me"
 - Paraphrased from "King of the Murgos" by David Eddings

From firewalls-owner Sun Sep 8 07:33:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA15268 for firewalls-outgoing; Sun, 8 Sep 1996 07:15:01 -0700 (PDT)
Received: from night.dataphone.se (night.dataphone.se [194.23.92.80]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA15258 for ; Sun, 8 Sep 1996 07:14:52 -0700 (PDT)
Received: (from tri@localhost) by night.dataphone.se (8.6.12/8.6.9) id QAA03892; Sun, 8 Sep 1996 16:14:39 +0200
Date: Sun, 8 Sep 1996 16:14:39 +0200 (MET DST)
From: Magnus Bergman
To: Ming Lu
cc: firewalls@GreatCircle.COM
Subject: Re: wu-ftpd question
In-Reply-To: <199609080931.FAA23173@hq.si.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 8 Sep 1996, Ming Lu wrote:
> Hi all:
>
> I know that this forum is exactly the right place to put this question, but I don't
> really know where to ask for help...
>
> I am setting up an anonymous ftp server which is using wu-ftpd as the daemon. I am
> trying to let the ftp server pop up some messages whenever someone logs into
> the server. Does anyone out there know how to do it? Any help will be greatly
> appreciated.

The source to wu-ftpd is freely available. Just make the addition or have someone do it for you.
//Tri From firewalls-owner Sun Sep 8 07:59:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA16476 for firewalls-outgoing; Sun, 8 Sep 1996 07:49:43 -0700 (PDT) Received: from usenix.ORG (usenix-gw.usenix.ORG [131.106.1.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA16469 for ; Sun, 8 Sep 1996 07:49:32 -0700 (PDT) Received: (from rubin@localhost) by usenix.ORG (8.7.5/8.7.3) id HAA03572; Sun, 8 Sep 1996 07:51:23 -0700 (PDT) Date: Sun, 8 Sep 1996 07:51:23 -0700 (PDT) From: Aviel Rubin Message-Id: <199609081451.HAA03572@usenix.ORG> To: rubin@bellcore.com Subject: ANNOUNCEMENT AND CALL FOR PAPERS - 1998 USENIX Security Conference Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ************************************************************************* ANNOUNCEMENT AND CALL FOR PAPERS 7th USENIX Security Symposium January 26-29, 1998 Marriott Hotel-- San Antonio, Texas Sponsored by the USENIX Association, the UNIX and Advanced Computing Systems Professional and Technical Association In cooperation with: The CERT Coordination Center. Important Dates for Refereed Papers Papers due: September 9, 1997 Author notification: October 8, 1997 Camera-ready final papers due: December 9, 1997 Registration Materials Available: End October, 1997 (Authors, see "How to Submit a Refereed Paper" below.) Program Chair Avi Rubin, Bellcore Program Committee Carlisle Adams, Nortel Dave Balenson, Trusted Information Systems Steve Bellovin, AT&T Research Dan Boneh, Princeton University Diane Coe, Mitre Ed Felten, Princeton University Li Gong, JavaSoft Peter Honeyman, CITI, University of Michigan Hugo Krawczyk, IBM Watson Labs Jack Lacy, AT&T Research Hilarie Orman, DARPA/ITO Mike Reiter, AT&T Research David Wagner, University of California, Berkeley Readers Katherine T. 
Fithen, CERT Trent Jaeger, IBM Watson Labs Invited talks coordinator: Greg Rose, Qualcomm Conference home page: OVERVIEW The goal of this symposium is to bring together researchers, practitioners, system programmers, and others interested in the latest advances in security and applications of cryptography. This will be a four day symposium with two days of tutorials, followed by two days of refereed paper presentations, invited talks, works-in-progress presentations, and panel discussions. TUTORIALS Monday and Tuesday, January 26-27 Tutorials for both technical staff and managers will provide immediately useful, practical information on topics such as local and network security precautions, what cryptography can and cannot do, security mechanisms and policies, firewalls and monitoring systems. If you are interested in proposing a tutorial, contact the tutorial coordinator, Dan Klein: phone (412)421-2332 email . TECHNICAL SESSIONS Wednesday and Thursday, January 28-29 In addition to the keynote presentation, the technical program includes refereed papers, invited talks, a work in progress session, and panel sessions. There will be Birds-of-a-Feather sessions the last two evenings. You are invited to make suggestions to the program committee via email to . Papers that have been formally reviewed and accepted will be presented during the symposium and published in the symposium proceedings, published by USENIX and provided free to technical session attendees. Additional copies will be available for purchase from USENIX. 
SYMPOSIUM TOPICS

Refereed paper submissions are being solicited in areas including but not limited to:

* Adaptive security and system management
* Analysis of malicious code
* Applications of cryptographic techniques
* Attacks against networks/machines
* Computer misuse and anomaly detection
* Copyright protection (technical solutions)
* Cryptographic & other security tools
* File and file system security
* Network security
* New firewall technologies
* Security in heterogeneous environments
* Security incident investigation and response
* Security of Mobile Code
* User/system authentication
* World Wide Web security

Note that this symposium is not about new codes, ciphers, nor cryptanalysis for its own sake. Papers must represent novel scientific contributions in computer security with direct relevance to the engineering of secure systems for the commercial sector.

HOW TO SUBMIT A REFEREED PAPER
(Please read carefully.)

The guidelines for submission are a bit different from previous years. Authors must submit a mature paper in postscript format. Any incomplete sections (there shouldn't be many) should be outlined in enough detail to make it clear that they could be finished easily. Full papers are encouraged, and should be about 8 to 15 typeset pages. Submissions must be received by September 9, 1997.

Along with your paper, please submit a separate email message containing the title, all authors, and their complete contact information (phone, fax, postal address, email), including an indication of which author is the contact author. Authors will be notified of acceptance on October 8, 1997.

All submissions will be judged on originality, relevance, and correctness. Each accepted submission may be assigned a member of the program committee to act as its shepherd through the preparation of the final paper. The assigned member will act as a conduit for feedback from the committee to the authors. Camera-ready final papers are due on December 9, 1997.
If you would like to receive detailed guidelines for submission and examples of extended abstracts, you may send email to: or telephone the USENIX Association office at (510) 528-8649.

The Security Symposium, like most conferences and journals, requires that papers not be submitted simultaneously to another conference or publication and that submitted papers not be previously or subsequently published elsewhere. Papers accompanied by non-disclosure agreement forms are not acceptable and will be returned to the author(s) unread. All submissions are held in the highest confidentiality prior to publication in the Proceedings, both as a matter of policy and in accord with the U.S. Copyright Act of 1976.

There will be one or two prizes awarded for best paper(s).

WHERE TO SUBMIT

For reliability, please send one copy of your paper to the program committee via each of two of the following methods. All submissions will be acknowledged.

o Preferred Method: email (Postscript) to:
o Alternate Method: postal delivery to
    Security Symposium
    USENIX
    2560 Ninth St., Ste. #215
    Berkeley CA 94710 U.S.A.
    Phone: (510) 528-8649
o Fax: (510) 548-5738

Vendor Exhibits

Demonstrate your security product to our technically astute attendees responsible for security at their sites. We invite you to take part in the Vendor Display. The informal, table-top display allows you to meet with attendees informally and demonstrate in detail your security solutions.

Contact Cynthia Deno
Email: cynthia@usenix.org
Phone: 408.335.9445
Fax: 408.335.5327

Works-in-Progress Session (WIPs)

The last session of the symposium will be a Works-in-Progress session consisting of five minute presentations. Speakers should provide a one or two paragraph abstract to the program chair by 6:00 pm on January 28, 1998 at the conference. These should be provided in person, not via email. The chair will post the schedule of presentations by noon on the 29th.
Experience at other conferences has shown that usually, all of them are accepted. The five minute time limit will be strictly enforced.

INVITED TALKS

There will be several invited talks at the conference in parallel with the refereed papers. If you have suggestions for possible speakers, please send them to .

REGISTRATION MATERIALS

Materials containing all details of the technical and tutorial programs, registration fees and forms, and hotel information will be available at the end of October 1997. To receive the registration materials, please contact:

    USENIX Conference Office
    22672 Lambert Street, Suite 613
    Lake Forest, CA USA 92630
    Phone: (714) 588-8649
    Fax: (714) 588-9706
    Email:

Information can also be found under the Conference home page: .

From firewalls-owner Sun Sep 8 08:59:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA19962 for firewalls-outgoing; Sun, 8 Sep 1996 08:48:43 -0700 (PDT)
Received: from kbass.fred.net (kbass.fred.net [205.177.221.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA19949 for ; Sun, 8 Sep 1996 08:48:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by kbass.fred.net (8.7.4/8.7.3) with SMTP id LAA00291 for ; Sun, 8 Sep 1996 11:48:28 -0400
Date: Sun, 8 Sep 1996 11:48:28 -0400 (EDT)
From: Ken Bass
X-Sender: kbass@kbass
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #499
In-Reply-To: <199609080800.BAA29907@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> ------------------------------
>
> Date: Sun, 08 Sep 1996 01:36:43 +0800
> From: eric chan
> Subject: Re: Sendmail Configuration-
>
> Henk Baert wrote:
> >
> > VAN LAERE
> > MEMO Date: 28-08-1996
> > Subject: Sendmail Configuration
> >
> > Hi,
> >
> > I am trying to set up my sendmail configuration so that all outgoing mail has
> > an origin as user@domainname (instead of user@hostname.domainname).
> >
> > I tried to figure it out myself, but don't get it completely right. The
> > problem is in Rulesets 10/11 and 20/21 that decode sending addresses.
> >
> > Any suggestion to code it correctly ?
> >
> > Thanks a lot.
> >
> > Henk Baert
> > (henk.baert@vanlaere.be)
>
> Check with your DNS record about the domain you're talking about, especially
> the MX setting.
>
> Eric
>

Isn't it as simple as changing the 'DM' line in sendmail.cf? That tells sendmail to 'masquerade' as a domain. Just do

    DMdomainname

From firewalls-owner Sun Sep 8 10:17:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA22862 for firewalls-outgoing; Sun, 8 Sep 1996 09:59:13 -0700 (PDT)
Received: from m4.sprynet.com (m4.sprynet.com [165.121.1.96]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA22854 for ; Sun, 8 Sep 1996 09:59:04 -0700 (PDT)
Received: from local.com (hd54-186.compuserve.com [199.174.239.186]) by m4.sprynet.com (8.6.12/8.6.12) with SMTP id JAA12874 for ; Sun, 8 Sep 1996 09:56:57 -0700
Message-Id: <199609081656.JAA12874@m4.sprynet.com>
Comments: Authenticated sender is
From: "Jesse"
To: firewalls@GreatCircle.com
Date: Wed, 8 Jan 1986 10:57:36 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: FreeBSD Firewall Package
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Everyone!

Sorry to bother you, but we are just putting in a new server at my workplace, and I was wondering if anyone had any suggestions on Free/Commercial 4.4BSD or FreeBSD firewall or proxy packages.
From firewalls-owner Sun Sep 8 10:59:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA24790 for firewalls-outgoing; Sun, 8 Sep 1996 10:47:13 -0700 (PDT)
Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA24739 for ; Sun, 8 Sep 1996 10:46:48 -0700 (PDT)
Received: by apu.rcp.net.pe via sendmail with stdio id for firewalls@GreatCircle.COM; Sun, 8 Sep 96 12:42:24 -0400 (WET DST)
Message-Id:
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: Re: wu-ftpd question
To: tri@night.dataphone.se (Magnus Bergman)
Date: Sun, 8 Sep 1996 12:42:24 -0400 (EDT)
Cc: mlu@hq.si.net, firewalls@GreatCircle.COM
In-Reply-To: from Magnus Bergman at "Sep 8, 96 04:14:39 pm"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just create a welcome.msg text file in your "/" ftp directory, and it will show it.

Enrique Vadillo-

---- Ming Lu wrote ----
> >
> >
> > I am setting up an anonymous ftp server which is using wu-ftpd as
> > daemon. I am trying to let the ftpserver pop up some messages
> > whenever someone logs into the server. Does anyone out there know
> > how to do it? Any help will be greatly appreciated.
From firewalls-owner Sun Sep 8 11:17:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA25919 for firewalls-outgoing; Sun, 8 Sep 1996 10:58:37 -0700 (PDT)
Received: from blue.misnet.com (blue.misnet.com [204.177.124.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA25834 for ; Sun, 8 Sep 1996 10:58:12 -0700 (PDT)
Received: (from inter@localhost) by blue.misnet.com (8.7.3/8.7.3) id MAA14913; Sun, 8 Sep 1996 12:44:05 -0500 (CDT)
Date: Sun, 8 Sep 1996 12:44:04 -0500 (CDT)
From: inter
To: Ming Lu
cc: firewalls@GreatCircle.COM
Subject: Re: wu-ftpd question
In-Reply-To: <199609080931.FAA23173@hq.si.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 8 Sep 1996, Ming Lu wrote:

> Hi all:
>
> I know that this forum is exactly the right place to put this question, but I don't
> really know where to ask for help...
>
> I am setting up an anonymous ftp server which is using wu-ftpd as daemon. I am
> trying to let the ftpserver pop up some messages whenever someone logs into
> the server. Does anyone out there know how to do it? Any help will be greatly
> appreciated.
>
> Thanks in advance.
>
> Ming
>

Easy .. make a welcome.msg in the root dir of ftp.. then make a message.msg in every other dir.. include what you want to say in the messages..
From firewalls-owner Sun Sep 8 11:44:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA27899 for firewalls-outgoing; Sun, 8 Sep 1996 11:28:17 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA27890 for ; Sun, 8 Sep 1996 11:28:06 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id OAA13417; Sun, 8 Sep 1996 14:32:48 -0500
From: Adam Shostack
Message-Id: <199609081932.OAA13417@homeport.org>
Subject: Re: options for proxying SSL traffic?
To: junya@fsdirect.com
Date: Sun, 8 Sep 1996 14:32:48 -0500 (EST)
Cc: ssl-talk@netscape.com, firewalls@greatcircle.com
In-Reply-To: from "junya@fsdirect.com" at Sep 6, 96 11:00:31 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's pretty unfortunate that some vendors can't offer multiple interfaces, or that they charge an arm and a leg for 'em. However, my workaround would be to tell the vendors 'no thanks,' and buy a new interface for the filtering router (assuming you have one?). Since you only let ports 80 and 443 to the web server, you wouldn't gain a whole lot by putting proxies there.

Adam

junya@fsdirect.com wrote:
| This reminds me of another issue I had with firewall products. Although
| I had not made it obvious, the question was framed in the context that the
| web server would be in an arbitrary network behind the firewall. It seemed
| that a large chunk of firewalls out there do not offer flexible
| configurations as far as multiple network interfaces were concerned. How
| are large organizations (particularly financial institutions) dealing with
| this? Are there people still doing homebrew FWTK/screend setups for large
| organizations?
|
| For example, Borderware offered a third ethernet interface, but called it
| Something Special, and charged a huge chunk of money for just the 3rd
| interface (for DMZs). No more than 3 interfaces, too.
|
| In talking to resellers for TIS's Gauntlet, some of them were not willing
| to set up a firewall with more than 3 (and for one vendor, their limit was
| 2) interfaces. I was trying to arrange for 4.
|
| On Thu, 5 Sep 1996, Adam Shostack wrote:
| > I'd go for a demilitarized zone, a third interface off the firewall
| > with just the web server.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Sun Sep 8 15:44:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA08817 for firewalls-outgoing; Sun, 8 Sep 1996 15:38:42 -0700 (PDT)
Received: from po2.andrew.cmu.edu (PO2.ANDREW.CMU.EDU [128.2.10.102]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA08809; Sun, 8 Sep 1996 15:38:31 -0700 (PDT)
Received: (from postman@localhost) by po2.andrew.cmu.edu (8.7.5/8.7.3) id SAA17561; Sun, 8 Sep 1996 18:38:22 -0400
Received: via switchmail; Sun, 8 Sep 1996 18:38:22 -0400 (EDT)
Received: from pcs28.andrew.cmu.edu via qmail ID ; Sun, 8 Sep 1996 18:38:07 -0400 (EDT)
Received: from pcs28.andrew.cmu.edu via qmail ID ; Sun, 8 Sep 1996 18:38:06 -0400 (EDT)
Received: from mms.4.60.Jun.27.1996.03.05.56.sun4.41.EzMail.Linux.2.0.CUILIB.3.45.SNAP.NOT.LINKED.pcs28.andrew.cmu.edu.sun4m.412 via MS.5.6.pcs28.andrew.cmu.edu.sun4_41; Sun, 8 Sep 1996 18:38:06 -0400 (EDT)
Message-ID:
Date: Sun, 8 Sep 1996 18:38:06 -0400 (EDT)
From: Zachary Roger Amsden
To: firewalls@greatcircle.com, "Paul D. Robertson"
Subject: Re: TN3270 and TN5250 through a firewall using OS/2 Clients
Cc: Firewalls@GreatCircle.COM
In-Reply-To:
References:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Excerpts from internet.computing.firewalls: 30-Aug-96 Re: TN3270 and TN5250 throu.. by "Paul D.
Robertson"@clar
> > In both cases the connection attempt has failed with the client providing a
> > message it was unable to shift into transparent mode.
> >
> > Why would a proxy written for Port 23 not be able to accommodate all forms of
> > telnet?

Another complication here is that the telnet protocol (and variants) are technically not proxyable. First, the client needs to connect to the proxy, then to the remote site. However, the telnet options it needs to negotiate with the remote site may not be supported by the proxy, and not all proxies deal well with this. If you can do a telnet options trace, try it, and you may get much better debugging information.

Zachary Amsden
amsden@andrew.cmu.edu

From firewalls-owner Sun Sep 8 18:29:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA13981 for firewalls-outgoing; Sun, 8 Sep 1996 18:24:44 -0700 (PDT)
Received: from saturn.koto.nikkei.co.jp (saturn.koto.nikkei.co.jp [138.101.199.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA13974 for ; Sun, 8 Sep 1996 18:24:35 -0700 (PDT)
Received: from saturn (localhost [127.0.0.1]) by saturn.koto.nikkei.co.jp (8.7.3/8.7.3) with ESMTP id KAA07950 for ; Mon, 9 Sep 1996 10:22:39 +0900 (JST)
Message-Id: <199609090122.KAA07950@saturn.koto.nikkei.co.jp>
To: Firewalls@GreatCircle.COM
Subject: Re: Firewall-1,Sun,CISCO,Class"B"address
Date: Mon, 09 Sep 1996 10:22:39 +0900
From: Nobuhiko Yoshimoto
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I have a Sun
> > Sparc5 running SunOS 4.1.3, with this I have Firewall-1 2.0 running on
> > top of it. I also have a CISCO 4000 setup as an Internal router. The
> > problem that I'm having is that I'm unable to receive information back to
> > my machines sitting behind the Internal router. The exact trouble seems
> > to be the firewall does not know how to route back into my "Internal"
> > networks. The setup is like this:
> >
> >
> > Internet ------ ISP Router ----- FW ----- CISCO 4000 ------ Internal Nets
> >                 172.16.1.0            172.16.2.0           172.16.*
> >
> > I initially set the routing table on the FW to be
> >
> > DEST          Nexthop
> > 172.16.1      172.16.1.1 (local)
> > 172.16.2      172.16.2.1 (local)
> > default       ISP router
> > 172.16.0.0    CISCO 4000
> >
> > This didn't work.
> > I turned routed on within the Firewall, but when I did, the default route
> > (0.0.0.0) from the CISCO added a *new* default route to the Firewall.
> >
> > default       Cisco
> >
> > and it took precedence over the one I installed. Since the FW and the
> > CISCO ping-ponged packets all day, nothing communicated. The default
> > route of the CISCO router is overriding the default route that I have set
> > on the FW. I have set the Metric Flag on the router to be higher than
> > the FW in hopes that the FW would take precedence, but this did not
> > work. Is there a way to set something up on the SUN to force its default
> > route to be used or is there a way to stop the CISCO's default route from
> > taking over. I also tried not setting the 'route of last resort' on the
> > CISCO hoping that the RIP update from the FW would fill in the default
> > route. It didn't. Shouldn't this work? Is there a way on the CISCO to
> > set a default route and not have it sent out in a routing update? BTW,
> > what is the proper way to set the default route on a CISCO? I've been
> > using:
>
> To suppress broadcasting the default route from CISCO, configure as
> below:
>
>   router rip
>    network 172.16.0.0
>    distribute-list access-list# out interface_name_to_FW
>
>   access-list access-list# deny 0.0.0.0
>   access-list access-list# permit any
>
> >
> > ip route 0.0.0.0 172.16.2.1
> >
> > Has anyone else with a class "B" address run into this problem before? I
> > know this can be solved if I obtained a class C, subnet it, and use it on
> > either side of the FW. That way there would be an unambiguous route to
> > 172.16 from the FW's point of view. However that's not an option right
> > now. Any help is appreciated.
> >
>
> I'm running a class B network with FW-1 and CISCO4500 like
> yours. I've installed gated-R3.5Beta3 on FW machine (SS-5/Solaris2.4)
> and run it instead of in.routed. On the configuration file
> (/etc/gated.conf), I defined the default route to ISP and configured
> it to be broadcasted to internal network through the ethernet
> port. This default route is distributed to all the internal network
> by CISCO 4500.
>
> Anyway gated is very fine. I strongly recommend installing it on your
> FW machine. You can get the latest version from
> ftp://ftp.gated.merit.edu/research.and.development/gated
>
> Nobuhiko Yoshimoto
>
> Nihon Keizaishimbun Inc. (The Nikkei)
> yoshi@nikkei.co.jp

From firewalls-owner Sun Sep 8 20:03:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA17565 for firewalls-outgoing; Sun, 8 Sep 1996 19:46:28 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA17558 for ; Sun, 8 Sep 1996 19:46:19 -0700 (PDT)
Received: from emailid90-pc.cisco.com (c4robo8.cisco.com [171.68.13.104]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id TAA28015 for ; Sun, 8 Sep 1996 19:46:11 -0700
Message-Id: <2.2.32.19960909044113.00706250@diablo.cisco.com>
X-Sender: clonvick@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 08 Sep 1996 21:41:13 -0700
To: firewalls@greatcircle.com
From: Chris Lonvick
Subject: Re: curios traceroute
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All,

Generally, ISPs don't propagate the destination of RFC-1918 networks through the Internet. They usually have a chuckle then zap them from the routing tables. What you're seeing is a NAT that doesn't dig into the packet. NATs _must_ know to change the IP source and destination addresses. This, however, is not the end. Certain protocols embed the IP addresses into the packet payload. For example, to get certain commands to work properly in ftp, the NAT must know to recognize these types of packets and then reach inside the payload and change the addresses there as well. Your traceroute program is not looking at the IP source/destination addresses but is utilizing some of the data inside the payload of the packet (which the NAT is not translating) to generate its report. Look at the source code of your traceroute program and RFC-729.

Thanks,
Chris Lonvick
Cisco Systems
Consulting Engineering
+1-713-778-5663

From firewalls-owner Sun Sep 8 21:14:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA22528 for firewalls-outgoing; Sun, 8 Sep 1996 20:56:13 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA22521 for ; Sun, 8 Sep 1996 20:56:04 -0700 (PDT)
Received: from chrpc.ins.com (mtv2-dynamic226.ins.com [199.0.193.226]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id UAA11435; Sun, 8 Sep 1996 20:55:41 -0700 (PDT)
Message-Id: <3.0b11.32.19960908225232.008b715c@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Sun, 08 Sep 1996 22:52:35 -0500
To: Barney Wolff , firewalls@GreatCircle.COM
From: Charles Ragan
Subject: Re: curios traceroute
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Barney,

I agree that there is no obvious added danger (although, what are the other icmp capabilities...echo, echo_reply, source-quench..?). At the same time, don't know how much it would slow down an intruder.......
In about 3 minutes - 164.128.45.35 (the last legal address in the traceroute)

Sun SPARCstation Solaris2.
CheckPoint FireWall-1 Version 2.0b
Last booted - Tuesday August 20, 1996 8:30am
6 Interfaces counting loopback;
  lo0 - 127.0.0.1      255.0.0.0
  le0 - 194.209.12.17  255.255.255.240   MAC address 080020782CD1
  qe0 - 164.128.45.35  255.255.255.224
  qe1 - 194.209.12.49  255.255.255.240
  qe2 - 194.209.12.129 255.255.255.240
  qe3 - 192.168.1.5    255.255.255.0

**Note that the next router that responded to the ttl was 192.168.1.1 (hanging off of the qe3 ethernet segment above)

 13   647 ms   687 ms   698 ms  164.128.41.70
 14   805 ms   685 ms   641 ms  164.128.45.35
 15   823 ms   *        822 ms  192.168.1.1
 16   711 ms   635 ms   695 ms  10.0.1.58

I guess that I'm just in a 'filter all' and 'NAT' frame of mind when it comes to 1918. I've sent an e-mail to the db-admin@ra.net to query what their philosophy/opinion (if any) is on the matter.

Charles

BTW - my apologies for the 'curtness' of my previous e-mail(s), it was around 3:00am ;-) (looks like I had put my manners to bed...)

At 03:44 AM 9/8/96 EDT, Barney Wolff wrote:
>> Date: Sun, 08 Sep 1996 01:59:06 -0500
>> To: Barney Wolff <, firewalls@GreatCircle.COM
>> From: Charles Ragan <
>> Subject: Re: curios traceroute
>> Content-Length: 5517
>>
>> To me, it's a leak. ANYTHING sourced from the private address space in
>>
>> rfc1918 on the 'outside' is a leak.
>
>Please describe what harm has been done. Routes to the private space
>have not been advertised, after all. A connection of any sort has not
>been attempted with those addresses as source or destination.
>
>I do understand that RFC1918 says that packets with those addresses
>shall not be transferred across inter-enterprise links. I do not
>understand what harm will be caused by TTL-exceeded packet from such
>an address, and would welcome enlightenment.
>
>Barney Wolff <
>

-----------------------------------------------------
Charles B. Ragan, Jr.        International Network Services
(214) 392-3545               14160 Dallas Parkway Suite 200
Charles_Ragan@ins.com        Dallas, TX 75040
Cisco Certified IE (CCIE)    Text Page - 1-800-INS-1-INS
Master CNE                   Direct Page - 1-888-360-5812
Microsoft SE
Certified Banyan Engineer
"Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Sun Sep 8 21:45:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA23802 for firewalls-outgoing; Sun, 8 Sep 1996 21:29:29 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA23766 for ; Sun, 8 Sep 1996 21:29:14 -0700 (PDT)
Received: from chrpc.ins.com (mtv2-dynamic226.ins.com [199.0.193.226]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id VAA11685; Sun, 8 Sep 1996 21:29:00 -0700 (PDT)
Message-Id: <3.0b11.32.19960908232552.008b844c@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Sun, 08 Sep 1996 23:25:54 -0500
To: Chris Lonvick , firewalls@GreatCircle.COM
From: Charles Ragan
Subject: Re: curios traceroute
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris,

Thanks for the heads up and info! You mis-typed rfc 792 (729 is the IAC for telnet ;-)

So....let me see if I have this straight (since I've only digested it!) - The last box that these traceroutes were traversing with a legal address was a Solaris box running Firewall-1. There is possibility of some translation happening, and it could be our tracert code that is pulling the information from the payload of the datagram..... Perhaps that's an enhancement in the tracert from MS? ;-)

From RFC 792, pg 2:

    Source Address
        The address of the gateway or host that composes the ICMP message. Unless otherwise noted, this can be any of a gateway's addresses.
The Solaris box was running multiple addresses (one of them rfc1918) - it appears that Firewall-1 was sourcing the packet from that address. Do you think that in this case, it wasn't a 'payload' grabbing by the tracert utility? I was using the MS tracert, and the original poster was using something else that signified the host unreachable by '!H'.

Thanks.

Charles

At 09:41 PM 9/8/96 -0700, Chris Lonvick wrote:
>Hello All,
>
>Generally, ISPs don't propagate the destination of RFC-1918 networks through
>the Internet. They usually have a chuckle then zap them from the routing
>tables. What you're seeing is a NAT that doesn't dig into the packet. NATs
>_must_ know to change the IP source and destination addresses. This,
>however, is not the end. Certain protocols embed the IP addresses into the
>packet payload. For example, to get certain commands to work properly in
>ftp, the NAT must know to recognize these types of packets and then reach
>inside the payload and change the addresses there as well. Your traceroute
>program is not looking at the IP source/destination addresses but is
>utilizing some of the data inside the payload of the packet (which the NAT
>is not translating) to generate its report. Look at the source code of your
>traceroute program and RFC-729.
>
>Thanks,
>Chris Lonvick
>Cisco Systems
>Consulting Engineering
>+1-713-778-5663
>
>

-----------------------------------------------------
Charles B. Ragan, Jr.        International Network Services
(214) 392-3545               14160 Dallas Parkway Suite 200
Charles_Ragan@ins.com        Dallas, TX 75040
Cisco Certified IE (CCIE)    Text Page - 1-800-INS-1-INS
Master CNE                   Direct Page - 1-888-360-5812
Microsoft SE
Certified Banyan Engineer
"Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Mon Sep 9 03:29:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA09759 for firewalls-outgoing; Mon, 9 Sep 1996 03:20:54 -0700 (PDT)
Received: from relay.cryptonet.it (relay.cryptonet.it [194.185.79.195]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA09751 for ; Mon, 9 Sep 1996 03:20:38 -0700 (PDT)
Message-Id: <199609091043.MAA11302@relay.cryptonet.it>
Received: from enigma.cryptonet.it(192.168.1.1) by relay.cryptonet.it via smap (V1.3) id sma011300; Mon Sep 9 12:43:41 1996
From: Stefano Taino
Subject: SNG multihomed works ?
To: firewalls@greatcircle.com
Date: Mon, 9 Sep 1996 12:24:10 +0200 (METDST)
X-Organization: CryptoNet S.r.l. - Sicurezza, Reti, Sistemi -
X-Phone-Number: ++39 2 7533205
X-Fax-Number: ++39 2 7533220
X-Pgp-Key-Fingerprint: 5D D9 26 91 AB 24 12 CB 76 22 DE 43 47 2D CF 28
X-Mailer: ELM [version 2.4 PL24 PGP5a]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have experience with SNG (IBM Firewall) in a multi-homed configuration ?

In the SNG manual, there is the sentence "SNG should be work with 3 network interfaces". I'd like to have a confirmation.

-- Stefano.

--
Stefano Taino, Technical Manager
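For the "curios traceroute" thread above (Chris Lonvick's point that a NAT must also rewrite addresses embedded in a packet's payload, and the RFC 792 passage Charles Ragan quotes, which lets a gateway source an ICMP error from any of its addresses), the following Python is an added example and not code from any post in this digest. It builds an ICMP Time Exceeded message the way a router would, with the expired probe's IP header embedded after the 8-byte ICMP header, then contrasts a translation that rewrites only the outer header with one that also rewrites the embedded header, and ends with the check a perimeter operator wants: which address fields of the outgoing error still carry RFC 1918 space. The outside host 198.51.100.7, the inside server 192.168.1.20, the public address 194.209.12.20, the static map and the UDP probe bytes are all constructed for the example; 194.209.12.17 is borrowed from the le0 address in Charles Ragan's interface listing and stands in for the firewall's public address.

```python
# Added example: an ICMP error carries a second IP header inside its payload,
# a NAT has to rewrite that embedded header too, and a perimeter check can
# flag RFC 1918 addresses in either header before the packet leaves.
import ipaddress
import struct

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_TIME_EXCEEDED = 11          # RFC 792 type for "time to live exceeded"
ADDRESS_FIELDS = ("outer_src", "outer_dst", "inner_src", "inner_dst")

def checksum(data):
    """Internet checksum (RFC 1071); yields 0 over data whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def with_icmp_checksum(icmp):
    """Recompute the ICMP checksum over the whole message (header plus embedded packet)."""
    icmp = icmp[:2] + b"\x00\x00" + icmp[4:]
    return icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]

def time_exceeded(router, probe_src, probe_dst):
    """ICMP Time Exceeded as a router builds it: outer IP header, 8-byte ICMP
    header, then the expired probe's IP header and its first 8 bytes."""
    probe = struct.pack("!HHHH", 33434, 33435, 8, 0)            # constructed UDP probe
    inner = ipv4_header(probe_src, probe_dst, 17, len(probe), ttl=1) + probe
    icmp = with_icmp_checksum(struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner)
    return ipv4_header(router, probe_src, 1, len(icmp)) + icmp

def parse_time_exceeded(pkt):
    """Addresses of both headers: the ICMP sender (outer) and the original probe (inner)."""
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl + 8:]
    addr = lambda b: str(ipaddress.ip_address(b))
    return {"outer_src": addr(pkt[12:16]), "outer_dst": addr(pkt[16:20]),
            "inner_src": addr(inner[12:16]), "inner_dst": addr(inner[16:20])}

def rewrite_ipv4(hdr, addr_map):
    """Map src/dst of one IPv4 header through addr_map and refresh its checksum."""
    src = str(ipaddress.ip_address(hdr[12:16]))
    dst = str(ipaddress.ip_address(hdr[16:20]))
    src, dst = addr_map.get(src, src), addr_map.get(dst, dst)
    hdr = (hdr[:10] + b"\x00\x00" + ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed + hdr[20:])
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def translate(pkt, addr_map, rewrite_embedded):
    """NAT the outer header; with rewrite_embedded, also 'dig into the packet'
    and NAT the embedded header, then fix the ICMP checksum over it."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = rewrite_ipv4(pkt[:ihl], addr_map), pkt[ihl:]
    if rewrite_embedded and icmp[0] == ICMP_TIME_EXCEEDED:
        inner_ihl = (icmp[8] & 0x0F) * 4
        inner = rewrite_ipv4(icmp[8:8 + inner_ihl], addr_map)
        icmp = with_icmp_checksum(icmp[:8] + inner + icmp[8 + inner_ihl:])
    return outer + icmp

def private_fields(pkt):
    """Perimeter check: which address fields of this ICMP error still carry RFC 1918 space."""
    info = parse_time_exceeded(pkt)
    return [f for f in ADDRESS_FIELDS
            if any(ipaddress.ip_address(info[f]) in net for net in PRIVATE_NETS)]

# Constructed scenario: an outside host traces toward an inside server that a
# static NAT maps 192.168.1.20 <-> 194.209.12.20; the inside router 192.168.1.1
# expires the probe and answers from its private address.
STATIC_MAP = {"192.168.1.20": "194.209.12.20", "192.168.1.1": "194.209.12.17"}
LEAKY_PACKET = time_exceeded("192.168.1.1", "198.51.100.7", "192.168.1.20")

if __name__ == "__main__":
    print("as built:      ", private_fields(LEAKY_PACKET))
    print("outer NAT only:", private_fields(translate(LEAKY_PACKET, STATIC_MAP, False)))
    print("full NAT:      ", private_fields(translate(LEAKY_PACKET, STATIC_MAP, True)))
```

Run stand-alone it prints ['outer_src', 'inner_dst'], then ['inner_dst'] for the outer-only translation, then [] once the embedded header is translated as well. The second line is the case the thread describes: the outer source looks legal but the address inside the payload is still private. The mapping for 192.168.1.1 is deliberately optimistic; an inside router normally has no static mapping, so the practical choice for an outgoing error sourced from private space is to drop it or re-source it from the firewall's public address, and this check is where that decision would be made.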
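Zachary Amsden's TN3270 reply earlier in this digest suggests a telnet options trace to see which negotiations a proxy fails to carry. The following Python is an added example, not code from any post here: it decodes the IAC DO/DONT/WILL/WONT and subnegotiation sequences of RFC 854 from a captured byte stream and reports, for the three options a TN3270 session depends on (TERMINAL-TYPE, END-OF-RECORD and TRANSMIT-BINARY, per RFC 1576), whether each was agreed, refused, or never negotiated. The two sample traces, the terminal type string and the proxy's refusals are constructed for the example.

```python
# Added example: decode telnet option negotiation (RFC 854) from a captured
# byte stream and report the status of the options a TN3270 session needs.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERB_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
OPTION_NAMES = {0: "TRANSMIT-BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD",
                24: "TERMINAL-TYPE", 25: "END-OF-RECORD", 31: "NAWS"}
# Options a TN3270 session must negotiate successfully (RFC 1576).
TN3270_REQUIRED = ("TERMINAL-TYPE", "END-OF-RECORD", "TRANSMIT-BINARY")

# Constructed traces, one per direction, of a client talking to a proxy that
# accepts TERMINAL-TYPE but refuses END-OF-RECORD and TRANSMIT-BINARY.
CLIENT_TRACE = (b"\xff\xfb\x18" + b"\xff\xfb\x19" + b"\xff\xfb\x00"
                + b"\xff\xfa\x18\x00IBM-3278-2\xff\xf0")
PROXY_TRACE = (b"\xff\xfd\x18" + b"\xff\xfe\x19" + b"\xff\xfe\x00"
               + b"\xff\xfa\x18\x01\xff\xf0")

def option_name(code):
    return OPTION_NAMES.get(code, "OPTION-%d" % code)

def decode_negotiation(stream):
    """Return the negotiation events in one direction of a telnet stream.

    Events are ("DO"|"DONT"|"WILL"|"WONT", option) or ("SB", option, payload).
    Ordinary data bytes and the escaped data byte IAC IAC are skipped; an
    escaped IAC inside a subnegotiation payload is not unescaped here.
    """
    events, i = [], 0
    while i + 1 < len(stream):
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == IAC:                                   # escaped 0xFF data byte
            i += 2
        elif cmd in VERB_NAMES and i + 2 < len(stream):
            events.append((VERB_NAMES[cmd], option_name(stream[i + 2])))
            i += 3
        elif cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:                                  # truncated subnegotiation
                break
            events.append(("SB", option_name(stream[i + 2]), stream[i + 3:end]))
            i = end + 2
        else:                                            # two-byte commands such as NOP, GA
            i += 2
    return events

def tn3270_status(client_stream, proxy_stream):
    """Classify each required option as agreed, refused or not negotiated,
    from the two directions of the trace."""
    c_events = decode_negotiation(client_stream)
    p_events = decode_negotiation(proxy_stream)

    def verbs(events, opt):
        return {e[0] for e in events if e[1] == opt and e[0] != "SB"}

    status = {}
    for opt in TN3270_REQUIRED:
        cv, pv = verbs(c_events, opt), verbs(p_events, opt)
        if {"DONT", "WONT"} & (cv | pv):
            status[opt] = "refused"
        elif ("WILL" in cv and "DO" in pv) or ("DO" in cv and "WILL" in pv):
            status[opt] = "agreed"
        else:
            status[opt] = "not negotiated"
    return status

if __name__ == "__main__":
    for side, trace in (("client", CLIENT_TRACE), ("proxy", PROXY_TRACE)):
        for event in decode_negotiation(trace):
            print(side, *event)
    print(tn3270_status(CLIENT_TRACE, PROXY_TRACE))
```

With the constructed traces the status comes out as TERMINAL-TYPE agreed and the other two refused, which is the pattern a proxy that only understands plain NVT telnet produces; a client that cannot get END-OF-RECORD and TRANSMIT-BINARY accepted has no way to enter the transparent (binary) mode the quoted error message refers to. Feeding the decoder the two directions of a real capture replaces the guesswork with a list of exactly which options the proxy declined.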