From firewalls-owner Sun Sep 1 00:34:17 1996
Date: Sun, 01 Sep 1996 00:18:16 -0700
From: Rod Carty
To: firewalls@GreatCircle.COM
Subject: Firewall-1,Sun,CISCO,Class"B"address -Reply

When I set up the default gateway routing through our firewall, I used the following commands on the Cisco router that is between our firewall and our Intranet:

    ip default-network 199.85.231.0

This identifies the default network, or route, which is the one between the router and the firewall. This should work fine regardless of whether you are using a Class B or a Class C network number. If you type the command 'show ip route' on any other Cisco router in your Intranet after your routing protocol has had time to update, you should see an entry similar to the following:

    Gateway of last resort is 198.135.216.223 to network 199.85.231.0

I have another Cisco router on the Internet side of the firewall as well, with another default-network command in it facing toward our ISP's network. Note that these default network commands always face outward, into the Internet.

The firewall is set up the same as well, with the default route facing outward, not inward. The reason for this is that inward, or toward the Intranet, all the network numbers are known; it is only outward, or toward the Internet, where network numbers and their routes are not explicitly known. The firewall and the routers have to be configured so they know about all network numbers on your Intranet. Then, any ip address on a network they don't explicitly know about they will assume is on the Internet and use the default route.

I used static route entries on the firewall for all network numbers in our Intranet, and IGRP on all our Intranet Cisco routers. No need this way to run RIP between the firewall and the Cisco router, configure the router to redistribute RIP, etc.

The single Cisco router between our firewall and our ISP required no routing protocol, since the firewall we purchased gives us address isolation. (The only ip address visible from the Internet side of our firewall is the ip address of the external interface of the firewall.) The Internet-side router knows about the ip network between the firewall and itself from the ip address configured on the interface, so it needs no additional routing declarations there, and an address on any other ip network has to be on the Internet, so the default-network routing command applies.

If your firewall doesn't give you address isolation, I recommend you use static routing entries on your Internet-side router for all your Intranet-side ip network numbers. This will be much more secure than configuring your firewall to allow IGRP or some other routing protocol to pass to and from your Internet-side router. (I expect your firewall does provide address isolation, since I see you've listed the first of the 16 Class B Reserved Network numbers in your example, but I decided to give complete information here for Posterity.....)

One other consideration, in case you only have one ip network number on your Intranet, is a default gateway configuration on each PC, etc. If you have only been using one network number until now, you wouldn't have needed it before. The default gateway ip address to use would be the address of your Cisco router that connects them to the firewall. As in all cases, the default gateway ip address must be, a) on the same ip network as the host requiring it, and b) a router that is part of the routing protocol you are using, so it knows how to route to all other networks.

And finally, for security purposes, I recommend you disallow telnet sessions to the Internet-side router as I did on ours. This means you have to physically connect a terminal or similar device to a TTY port on the Cisco router to work on it yourself, but it makes it so no one from the Internet can putz around on your router either. It's not really that big of a deal if you permanently attach an async line off a terminal server port to, say, the console port of the Cisco router. If you do connect it permanently, just make sure you block incoming telnet connections on the async line too so you don't have a backdoor around your firewall.

Hope this fixes it for you.

Rod C

>>> John H. Kerr 08/31/96 02:27pm >>>
I was wondering if anyone has a solution to this problem. I have a Sun Sparc5 running SunOS 4.1.3, with this I have Firewall-1 2.0 running on top of it. I also have a CISCO 4000 set up as an Internal router. The problem that I'm having is that I'm unable to receive information back to my machines sitting behind the Internal router. The exact trouble seems to be the firewall does not know how to route back into my "Internal" networks.

The setup is like this:

    Internet ------ ISP Router ----- FW ----- CISCO 4000 ------ Internal Nets
                                172.16.1.0   172.16.2.0          172.16.*

I initially set the routing table on the FW to be

    DEST         Nexthop
    172.16.1     172.16.1.1 (local)
    172.16.2     172.16.2.1 (local)
    default      ISP router
    172.16.0.0   CISCO 4000

This didn't work. I turned routed on within the Firewall, but when I did, the default route (0.0.0.0) from the CISCO added a *new* default route to the Firewall:

    default      Cisco

and it took precedence over the one I installed. Since the FW and the CISCO ping-ponged packets all day, nothing communicated. The default route of the CISCO router is overriding the default route that I have set on the FW. I have set the Metric Flag on the router to be higher than the FW in hopes that the FW would take precedence, but this did not work. Is there a way to set something up on the SUN to force its default route to be used, or is there a way to stop the CISCO's default route from taking over?

I also tried not setting the 'route of last resort' on the CISCO hoping that the RIP update from the FW would fill in the default route. It didn't. Shouldn't this work? Is there a way on the CISCO to set a default route and not have it sent out in a routing update? BTW, what is the proper way to set the default route on a CISCO? I've been using:

    ip route 0.0.0.0 172.16.2.1

Has anyone else with a class "B" address run into this problem before? I know this can be solved if I obtained a class C, subnetted it, and used it on either side of the FW. That way there would be an unambiguous route to 172.16 from the FW's point of view. However that's not an option right now.

Any help is appreciated.
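Rod's rule (defaults face outward, a static route inward for every intranet network, no RIP between firewall and router) and John's ping-pong symptom can both be checked with a small route walk. The following is an added example and is not code from either post: it uses John's prefixes and next hops, a constructed TEST-NET address standing in for any Internet host, a constructed 172.16.5.x LAN host, and plain longest-prefix-match lookup.

```python
"""Route walk over the FW / CISCO 4000 / ISP-router topology from the thread.

Added example (not code from the posts). Tables use John Kerr's prefixes;
the Internet and LAN host addresses are constructed. Lookup is plain
longest-prefix match with 0.0.0.0/0 as the gateway of last resort.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A routing table is a list of (CIDR prefix, next hop). The next hop is
# another node's name, or "local" when the prefix is directly attached to
# this node (for the ISP router, "local" stands for the rest of the Internet).
Table = List[Tuple[str, str]]

INTERNET_HOST = "192.0.2.10"  # constructed: any host out on the Internet (TEST-NET-1)
LAN_HOST = "172.16.5.7"       # constructed: a host on one of the 172.16.* internal nets


def lookup(table: Table, dst: str) -> Optional[str]:
    """Return the next hop for dst by longest-prefix match, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(nodes: Dict[str, Table], start: str, dst: str, ttl: int = 8) -> List[str]:
    """Follow next hops from `start` toward dst until delivered, dropped, or TTL expiry.

    The returned path ends in DELIVERED, DROP:no-route or DROP:ttl-expired;
    a forwarding loop shows up as the same nodes alternating until TTL runs out.
    """
    path, node = [start], start
    for _ in range(ttl):
        hop = lookup(nodes[node], dst)
        if hop is None:
            return path + ["DROP:no-route"]
        if hop == "local":
            return path + ["DELIVERED"]
        path.append(hop)
        node = hop
    return path + ["DROP:ttl-expired"]


def is_loop(path: List[str]) -> bool:
    """True when the walk died of TTL with some node visited more than once."""
    return path[-1] == "DROP:ttl-expired" and len(set(path[:-1])) < len(path) - 1


# The Cisco's own table is the same in both scenarios: it knows the internal
# nets directly and its default points at the FW (outward, as Rod recommends).
CISCO = [("172.16.2.0/24", "local"), ("172.16.5.0/24", "local"), ("0.0.0.0/0", "FW")]
# The ISP router (no address isolation here) carries a static route for the
# whole Class B toward the FW, as Rod suggests for the non-isolating case.
ISP = [("172.16.0.0/16", "FW"), ("0.0.0.0/0", "local")]

# John's broken state: routed on the FW accepted the Cisco's RIP default,
# which replaced the static default toward the ISP router.
BROKEN = {
    "ISP": ISP,
    "FW": [("172.16.1.0/24", "local"), ("172.16.2.0/24", "local"),
           ("172.16.0.0/16", "CISCO"), ("0.0.0.0/0", "CISCO")],
    "CISCO": CISCO,
}

# Rod's layout: no RIP on the FW, static routes for every intranet network
# pointing inward, and a single default pointing outward at the ISP router.
FIXED = {
    "ISP": ISP,
    "FW": [("172.16.1.0/24", "local"), ("172.16.2.0/24", "local"),
           ("172.16.0.0/16", "CISCO"), ("0.0.0.0/0", "ISP")],
    "CISCO": CISCO,
}


if __name__ == "__main__":
    for name, nodes in (("broken", BROKEN), ("fixed", FIXED)):
        out = trace(nodes, "CISCO", INTERNET_HOST)   # a reply leaving the LAN
        back = trace(nodes, "ISP", LAN_HOST)          # a packet arriving from the Internet
        print(f"{name}: LAN->Internet {out}  loop={is_loop(out)}")
        print(f"{name}: Internet->LAN {back}")
```

Inbound packets reach the LAN in both tables; it is the outbound reply that bounces between FW and CISCO once the RIP-learned default displaces the static one.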
From firewalls-owner Sun Sep 1 02:04:22 1996
Date: Sun, 01 Sep 1996 16:37:56 +0800
From: Chin Cheng Baey
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V5 #488 -Reply

I'm away for reservist. Will return on 10 Sep 96. You may wish to resend your mail to the following:

    NAME      USERID     TEL        SUBJECT
    ======    =======    ========   ========
    Say Wee   DSSDNSW    228-1630   CONSOLIDATED SERVER & VIRUSES
    Adeline   DSSDAFG    321-5186   VIRUS HOT-LINE
    Andrew    DSSDAWG    321-5351   ANY OTHER MATTERS

From firewalls-owner Sun Sep 1 05:19:18 1996
Date: Sun, 1 Sep 96 07:06:04 -0400
From: Frank Willoughby
To: firewalls@GreatCircle.com
Subject: Re: S/key & secureid

At 10:52 PM 8/31/96 -0400, "Gary G. Hull" allegedly wrote:

>On Thu, 29 Aug 1996 potlicker@morebbs.com wrote:
>
>> Anyone else had trouble or success getting Secure ID to run on a
>> TIS Gauntlet?
>> PoT_LiCkEr

8< [snip]

>We had great success getting securid running on our TIS. All we had to do
> was register the TIS box with the master server, move a copy
> of the sdconf.rec file to the /var/ace directory on the TIS and
> remove the existing securid file. A new securid file is created
> by the system at the time the first authentication login is
> accomplished.
> Hope this helps. Good luck....
>
> |/
> ---o0o-@@-o0o---------
>
> Gary G. Hull - Technical Consultant
> email: gary_hull@glaxowellcome.com

Hopefully, the SecurID connection is being used to authenticate internal users before they go to the Internet and not for incoming connections. Using SecurID (or Digital Pathways, S/Key, etc) is *lethal* if you are planning on using it to authenticate users from the Internet who wish to access a system on your internal network which is protected by the firewall. The reason is that the user may have his/her session hijacked by an attacker.

Please note that this is *NOT* a security problem with Gauntlet or any other firewall. The problem is relying on authentication-only mechanisms for protection. Implementing User->Firewall encryption will help to solve this problem.

Again, I strongly advise against using SecurID (or any other authentication-only solution) for incoming Internet connections to an internal system.

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800   FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sun Sep 1 11:08:19 1996
Date: Sun, 1 Sep 1996 13:58:59 -0400
From: "Jefferson M. Mousseau"
To: Firewalls@GreatCircle.COM
Subject: FW-1 2.0 & FTP Problem

I've got a small problem & was wondering if anyone out there knew the answer to it? We swapped out an NT web server with a Sun box running Solaris. We'd given internal FTP access to the server and everything worked fine under NT, but now under Solaris, although the FTP session is being allowed, the ack back (i.e. on port 38863) is being denied. I checked the source port range specified but it is blank. Does anyone know why FW-1 2.0 is denying this? Will the upgrade to 2.1 help?
Regards,
Jeff

From firewalls-owner Sun Sep 1 17:59:11 1996
Date: Fri, 30 Aug 1996 11:20:52 -0400
From: Russ
To: "'Firewalls'", "'MS DCOM List'", "'Mark Ryland'"
Subject: RE: Blocking non-http (executable) content

>This feature has been requested by many customers. The inability of
>DCOM to be used through HTTP-passing firewalls is considered by some to
>significantly reduce its utility as an Internet technology, since they
>want to use DCOM to talk directly between the COM objects making up the
>ActiveX web browser and the objects extending the ActiveX web server.
>Only admins can configure an NT server to use a new DCOM transport, so
>use of HTTP as a DCOM transport can be controlled by security-conscious
>users.

Exchange Server uses RPC, but allows for the Information Store and Directory Service to be statically assigned port numbers that the portmapper returns to a requesting client. Why? So those ports can have explicitly defined ACLs on port-based Firewalls. This is how the industry has been doing it for years, and it works very well, thank you very much. Through MSX's mechanisms, full NT authentication is possible and the client functions normally.

So don't go telling me it's what the customers want or need, that's just marketing fluff. You wanna run something over HTTP, it's typically because customers are not going to be able to get their Firewall admins to open new and unknown ports for your innovation, so you stuff it down HTTP where Firewall admins typically have already given them access, hence your statement about "punching holes through Firewalls", why else would you have said that? Both the ActiveX web browser objects and the Denali objects can talk on any port they want, so it's not the technology that's saying it has to be over HTTP.

As for security-conscious users being able to control the use of HTTP as a DCOM transport, if that were true, then Firewalls would be virtually unnecessary because we'd all be nice and never do anything we weren't told we could do. We'd also never install something on our machines that we hadn't completely tested and understood ourselves. Do you think that every NT admin in a large organization is going to fully understand the security implications of every aspect of every product they install on their NT Servers? The question isn't whether or not they are supposed to do it, it's whether a Firewall administrator has some method to prevent it in the event that it does happen.

>This is a chimera -- there is no way you can hope to restrict the use of
>HTTP by these schemes such that malicious people can't use it
>maliciously. ASCII text is just source code for script engine, right?

Yes, which is why people scrutinize products to determine if they are well written or not. If I can send a script through to a browser and get it to do something, say, like opening a Word document *without* alerting a user that it's potentially dangerous, alarm bells start ringing throughout the industry, or hadn't you noticed? And what are you suggesting here, that there is no way to secure a site from malicious people, and therefore we shouldn't try? Are you in the insurance business?

>It is impossible in principle to write filters that can recognize all
>"bad code/data" coming through on a given port. If code can be placed on
>the inside of the firewall (or a bad person can get access to the
>network to turn sent data into code, either directly or with some kind
>of VM/interpreter), then any data coming through can be malicious,
>period.

Which is why most Firewall'd sites don't allow inbound FTP or connection-less protocols like UDP. Your statement is correct, but it's also precisely why Firewalls are built, to prevent such actions, and as I said earlier, is why people look closely at each new feature for the browsers to determine if an exploit exists. I've said before that ActiveX does not provide any security for the user that can be relied on, but I also said that something would have to be done to allow people to control its use.

>I don't understand what this comment means. DCOM does not pass
>"instructions" in the sense that you seem to mean over the wire, it
>passes a packet with a method number and (typically) an opaque blob of
>marshaled data that can't do anything unless there is, on the other side of
>the connection, a complex set of machinery (the DCOM runtime) as well as
>an instantiated object and stub corresponding to the requested method
>(and capable of unmarshaling the data, if any). It's just an
>object-enhanced RPC system, no different from a security perspective
>than ONC or DCE RPC. Unlike "mobile code" technology, there is no way
>in the base DCOM system to pass arbitrary instructions over the network
>that will blindly be executed by the runtime on the remote system.
>There must be corresponding code on the remote system that is ready and
>willing to perform the requested operations.

The comment did not mean what you think it did. The instructions I was referring to were instructions to objects within the DCOM runtime, and if my marketing information is correct, DCOM is going to become a cornerstone of future versions of NT. How does a site administrator, responsible for security, control LAN administrators throughout the organization who each have administrative access to their machines? Are you buying MissionCritical software to give us a finer granularity of administrative control over NT's user model? If not, then every organization typically allows their NT admins to do pretty much what they want, and then uses audits and Firewall logs to determine if people are complying or not. If DCOM is running over HTTP, what information am I getting as a site administrator to tell me what my LAN admins are doing? The real world says that by far the majority of Firewall administrators have no access to NT Event logs, nor would they know what to do with them if they did. If each product that used DCOM over IP, at least from Microsoft, were to use its own port as Exchange does, what would be the problem with this?

>HTTP itself is essentially an RPC system. It encodes requests and
>replies, allows arbitrary commands and data to be sent both ways, etc.
>(It just doesn't do automatic data marshaling.) If you have malicious
>or buggy code on either or both sides of a "standard" (whatever that is)
>HTTP connection, then a malicious person may be able to do nasty things.
>Running DCOM over HTTP adds absolutely zero new security risks -- an
>RPC system running over an RPC system is not less secure than just an
>RPC system alone.

I didn't say it added a *new* security risk, I said it shouldn't be done and Microsoft should not promote it. Running RPC over HTTP is just as bad, and today, no NT product uses RPC over HTTP, so why should DCOM allow it? HTTP is not a transport protocol, IP is, and your statement proves that you see HTTP as a transport protocol. HTTP doesn't have any mechanisms to deal with differentiating traffic types as IP does.

>Fundamental fact is that port-based firewalls are of limited utility for
>creating a truly secure environment. The main reason is that it is
>impossible in principle to prevent people from using assigned ports for
>a completely different purpose. Let's suppose you decide to let only
>HTTP traffic through and, further, suppose you somehow mesmerize the
>vendors into not using HTTP for anything "illegitimate" other than
>"true" HTTP (whatever that means -- the whole point of these protocols is
>extensibility). So what -- a malicious person on the inside of the
>firewall will simply open the HTTP port with an entirely different
>program, and send/receive all the nasty things in the world to their
>accomplices outside. Worse yet, the nasty person sends their innocent
>friend within the organization a nice little "chess program" on a floppy
>that does everything the nasty person needs surreptitiously.

Fundamental fact is that port-based Firewalls are typically only one part of a Firewall solution, but their value should not be ignored as you suggest. Your scenarios are all true, I could use HTTP for anything, that's not my fear. If a port-based firewall directs HTTP traffic to a proxy server, then it's the proxy server's job to determine what the traffic is doing and send or reject appropriately. The more stuff we cram down HTTP and call acceptable, the harder it will be to filter out the unacceptable stuff. I realize that you say this is impossible and so we shouldn't try, but far too many CEOs disagree with you for us to ignore. So, as a customer, I say that vendors should pay heed to the needs of Firewall administrators and make an effort to assist, not destroy, the tools we have. You obviously disagree and so I ask, what do you think we should do?

>(True, if you have a secure environment where only secure operating
>systems are allowed to connect to the network, and you configure those
>operating systems to allow only admins to install executable code, and
>you don't allow your users to be admins of their machines, and you test
>all the executable code you install carefully to make sure it doesn't
>have any backdoors, then you have a fighting chance. But how many
>organizations don't allow DOS/Windows/Mac on their networks? And how
>many don't allow NT and UNIX users to admin their own machines?)

Again, you're restating your point that hackers will always get in no matter what Firewall admins do.

>Port-based firewalls prevent some bad behavior by UNSOPHISTICATED users
>and hackers. Like car door locks, they're very worthwhile for that
>reason. But a pro can get through your port firewall as fast as a
>pro can get into your car with a slim-jim.

They typically act as the front line in a Firewall solution, so are you saying that they should be tossed? If you have a car alarm then don't lock your doors, it will only cause more damage if they're locked? Look, your limiting your remark to port-based Firewalls does not solve the issue that proxy servers have with trying to sort out and allow ACLs to be placed on the different data traversing HTTP. I'd be saying the same thing if you built an NT Administration tool that used RPC over HTTP, so it's not a DCOM thing here.

Cheers,
Russ

From firewalls-owner Sun Sep 1 18:54:08 1996
Date: Mon, 2 Sep 1996 11:40:26 +1000 (EST)
From: Neale Banks
To: firewalls list
Subject: Ascend numbered interfaces

Recently, Ascend introduced support for "numbered" interfaces. From the release notes:

--snip------------------------------------
The Pipeline will accept IP packets whose destination is a numbered interface listed in a Connection profile, considering them to be destined for the Pipeline itself. (The packet may actually arrive over any interface, and the numbered interface corresponding to the packet's destination address need not be in the active state.)
--snip------------------------------------

Interesting that it will accept packets over *any* interface, destined for that _or_any_other_ interface. Any thoughts regarding if this is a security risk?

Ob firewalls: using static filtering or Ascend's firewalling (ie Morningstar dynamic filtering) this should be controllable. Any remaining security risks?
-----------------------------------------------------------------
Neale Banks                          Ph: +61 3 9205 0333
Senior Consultant                    Fx: +61 3 9819 0533
Integration Design P/L               neale@idesign.com.au
Planet Internet                      neale@planet.net.au
** Internet Consulting Services ** Video Conferencing Systems **
** Network Management * Cable Management ** Help Desk Software **
** Communications Consulting ** Electronic Paging & Faxing S/W **
-----------------------------------------------------------------

From firewalls-owner Sun Sep 1 22:55:31 1996
Date: Mon, 02 Sep 1996 11:17:56 +0530
From: Rajaram
To: Firewalls@greatcircle.com
Subject: Apology

I'm sorry for the test mails sent to all. It was a mishap made by my novice friend who tested his mail delivery presorting (using my mail-id). No sooner did I detect it than he tested. I assure you all this will not happen again.

-Rajaram

From firewalls-owner Mon Sep 2 02:09:15 1996
Date: Mon, 2 Sep 1996 10:54:14 +0200 (MET DST)
From: Ben
To: Avraham Hayam
cc: firewalls@greatcircle.com
Subject: Re: Re [2] Re: Data/Network/Computer Security personnel

Bullshit. This isn't 'elementary discussion' with 'respect [for] others' ideas', this is pure and simple advertising. Don't attempt to draw attention away from the point of your post, which was to advertise, by switching the onus or using smoke and mirrors.

Ben.
____
Ben Samman.................................................ben@edelweb.fr
Paris, France                        Illudium Q36 Explosive Space Modulator

On Sat, 31 Aug 1996, Avraham Hayam wrote:

> To Michel Mac Runnel,
>
> If you call my mail junk mail, you should be removed immediately from the
> list and from every list. People who don't respect others' ideas, and don't
> have elementary discussion culture, should not take part in newsgroups.
>
> Avraham Hayam
>
>
> On Fri, 30 Aug 1996, Michael Mac Runnel wrote:
>
> > *** ORIGINATED BY ON 11:34PM 08/30/1996 ***
> > Greetings,
> >
> > To design, build and maintain trusted computer systems and trusted
> > networks, i.e. a full "Security Envelope" around and in your Data bases,
> > Networks and Computers you need a qualified IT systems security manager
> > - ITSM who reports directly to the company general manager. The ITSM will
> > need a qualified staff in the various computers, networks, applications
> > etc. that are in use in the company.
> >
> > Avraham hayam
> > ITSSC - Information technology Systems Security Consultants
> > P.O.Box 11233 Jerusalem, 91112 ISRAEL.
> > Phone: + 972 - 2 - 6761803; Fax: + 972 - 2 - 6769263
> > E-Mail: hayam@actcom.co.il
> >
> > *** ANNOTATED BY MIKEM ON 07:47PM 08/30/1996 ***
> > I do not want any more junk mail and I definitely will not need your
> > services.
> >
> > List operator... remove my name from the list!
>

From firewalls-owner Mon Sep 2 07:59:21 1996
From: MONDHER GAM
To: GreatCircle
Subject: The use of TIS plug-gw ?
Date: Mon, 2 Sep 1996 15:58:00 -0000

From: Mondher GAM
Systems & Security Engineer
NETCOM-Ltd
Tunis-TUNISIA
e-mail: mondher.gam@netcom.com.tn
to: Firewalls@GreatCircle.COM

I want to know the use of the generic proxy TIS plug-gw in a firewalled system, and how can we configure it (hard & soft configuration) to secure the internal network?

Thanks in advance.

Regards
Mondher GAM
Systems & Security Engineer
NETCOM-Ltd

From firewalls-owner Mon Sep 2 08:54:12 1996
Date: Mon, 02 Sep 1996 12:00:51 -0700
From: Sherwin Loudermilk
To: Firewalls@GreatCircle.COM
Subject: Please stop

Can you please stop sending me e-mail messages.
Thanks

From firewalls-owner Mon Sep 2 09:39:12 1996
Date: Mon, 2 Sep 1996 12:26:16 -0400 (EDT)
From: nmorrow@magi.com (Norman Morrow)
To: firewalls@GreatCircle.COM
Subject: Spoofing Messages in the Log files

I am administering two firewalls, and I get a high number of spoofing attempts from the inside of the network, in other words external IP addresses in our internal network. We have done a lot of research into this problem, and we believe most of this traffic is benign; we have not noticed any malicious activity. I feel that a lot of this traffic is due to incorrectly configured workstations or laptops. For instance, I plugged an unconfigured NT workstation into my test environment and I got an entry in my log file of the address "1.2.3.4" trying to go through the firewall. Naturally, the firewall thought this was spoofing.

I would appreciate knowing what other people think about internal spoofing, am I right to think most of this is due to mis-configurations, and how many entries would be an "industry standard" for this type of traffic.

Thanks,
Norman J. Morrow

From firewalls-owner Mon Sep 2 10:09:16 1996
Date: Mon, 2 Sep 1996 11:02:19 -0600
To: Sherwin Loudermilk, Firewalls@GreatCircle.COM
From: "Richard Johnson"
Subject: Re: Please stop

At 13:00 9/2/96, Sherwin Loudermilk wrote:
>Can you please stop sending me e-mail messages.
> Thanks
>

Please remove yourself from the mailing list. Follow the instructions you received and saved when you subscribed.

Sending your broken unsubscribe attempt to all the subscribers on the list is useless, not to mention rude. We can't unsubscribe you.

Richard

From firewalls-owner Mon Sep 2 13:39:14 1996
Date: Mon, 2 Sep 1996 21:43:05 -0200 (GMT)
From: Ghada Farouk
To: Firewalls@greatcircle.com
Subject: Master

I am a computer communication engineer. I started my master's and I want to choose a point for research in firewalls. The problem is I can't determine the hot subjects these days; can anyone help me?

Thank you all.
Mohamed Amin

From firewalls-owner Mon Sep 2 14:09:15 1996
From: potlicker@morebbs.com
Organization: MORE BBS
Date: Mon, 02 Sep 96 16:57:03
Subject: Re: s/key & securid
To: firewalls@greatcircle.com

I didn't give a full background in the original post. Eyevynd is setting up Secure ID on a TIS Gauntlet to allow inbound connections that will work with encryption.

About a year ago we were fiddling about with a Secure ID server and we had a client set up to connect to the server, had the user enter the number and followed this with user-id and password exchange followed by a crypto session. We were trying to grab the connection as soon as the number and user info was sent to the server but before the crypto started up. Theoretically our connection hi-jacking packet sniffer should have been able to grab the connection. In reality we never could. The Secure ID timing parameters were very sensitive and we killed connections instead of grabbing connections.

I saw a couple of sites where people were allowed to connect in from the Internet using clear text for a few days when they were travelling. Afterwards their access was blocked again but other people tried logging in as them for weeks afterwards. This led me to conclude there are plenty of folks watching the Internet to see who has inbound access to which network. You would be surprised which networks Bill Clinton tries logging into. Of course I don't think this guy is the real President.

PoT_LiCkEr

From firewalls-owner Mon Sep 2 14:27:22 1996
Date: Mon, 2 Sep 1996 17:18:52 -0400 (EDT)
From: Rabid Wombat
To: firewalls@greatcircle.com
Subject: [OFF TOPIC][HUMOR] Password Guidelines (**) (fwd)

Sorry for wasting the time of you anal-retentive types, but I had to pass this on for those with a sense of humor. Flames to /dev/null - r.w.

-----------------------------------------------------------------------

Paul Ashton
Newsgroups: comp.security.unix
Subject: Advice on password security guidelines

Hi, my boss has asked me for comments and improvements on his new password security policy. To me, it seems a bit severe. If anyone can offer any additional suggestions please do, here goes...

For immediate issue: Password changing guidelines V2.2b

Due to new security policies, the following guidelines have been issued to assist in choosing new passwords. Please follow them closely.

Passwords must conform to at least 21 of the following attributes.

1. Minimum length 8 characters
2. Not in any dictionary.
3. No word or phrase bearing any connection to the holder.
4. Containing no characters in the ASCII character set.
5. No characters typeable on a Sun type 5 keyboard
6. No subset of one character or more must have appeared on Usenet news, /dev/mem, rand(3), or the King James bible (version 0.1alpha)
7. Must be quantum theoretically secure, i.e. must automatically change if observed (to protect against net sniffing).
8. Binary representation must not contain any of the sequences 00 01 10 11, commonly known about in hacker circles.
9. Be provably different from all other passwords on the internet.
10. Not be representable in any human language or written script.
11. Colour passwords must use a minimum 32 bit palette.
12. Changed prior to every use.
13. Resistant to revelation under threat of physical violence.
14. Contain tissue samples of at least 3 vital organs.
15. Incontrovertible by OJ Simpson's lawyers.
16. Undecodable by virtue of application of 0 way hash function.
17. Odourless, silent, invisible, tasteless, weightless, shapeless, lacking form and inert.
18. Contain non-linear random S-boxes (without a backdoor).
19. Self-escrowable to enable authorities to capture kiddie-porn people and baddies but not the goodies ("but we'll only decode it with a court order, honest").
20. Not decryptable by exhaustive application of possible one time pads.

Due to the severity of the restrictions, if the password is entered incorrectly 3 times at login time, you will be asked if you would like to pick a new one.

Please add guidelines to the above and adjust the minimum conformation requirement, if applicable.

From firewalls-owner Mon Sep 2 14:39:22 1996
From: nto2584@dsacg1.dsac.dla.mil (Steven C. Payne)
Subject: Re: TN3270 and TN5250 through a firewall using OS/2 Clients
To: mikeep03@Interpath.com (Mike Parsons)
Date: Mon, 2 Sep 96 17:19:57 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: from "Mike Parsons" at Aug 30, 96 11:59 am

>
> What experiences have folks had with using the WARP Connect TN3270 and
> TN5250 clients to go through a proxy host? My experience has not been good.
> In both cases the connection attempt has failed with the client providing a
> message it was unable to shift into transparent mode.
>
> Why would a proxy written for Port 23 not be able to accommodate all forms of
> telnet?
>
> Thanks in advance for your help.
>
>

Hi,

We just installed a firewall 2 weeks ago at one of our supported sites and we had to ensure that tn3270 would work through the firewall, and it surely does. I had ported a copy of tn3270 to our HP-9000's and I tested the connections with this 3270; everything I was able to try worked. There should be no reason anyone else's tn3270 client wouldn't work.
take care
stevp

From firewalls-owner Mon Sep 2 16:58:18 1996
Date: Mon, 02 Sep 1996 16:46:36 -0700
To: Russ, "'Firewalls'"
From: Bill Stout
Subject: RE: Blocking non-http (executable) content

>Technical Evangelist in Microsoft's DRG group, commented that
>(paraphrased) HTTP be used as a transport for DCOM so people can (if
>they want to) take advantage of punching through port-based firewalls.
>This represents, IMO, a call to all Firewall vendors to do one thing,
>build a unified HTTP filter.

Having sat through Steve Ballmer's (Co-founder/VP Microsoft) keynote address at the NT Solutions conference, and reading this thread, something just dawned on me.

Microsoft is using Catapult to gain experience with proxies, for a widely distributed html/other browser desktop for Windows. Ballmer demonstrated a preliminary desktop for NT 5.0, which had a centrally administrable browser-like desktop. He mentioned that HTML was far too limiting for desktop/forms use, and (I wish I paid more attention here) OLE? was to be the preliminary browsing (exploring) desktop language of choice.

Hmm.
An OLE Proxy via Catapult only. Next all other firewall vendors will have to play catch-up with Microsoft.

P.S.- Clinton wants to allow private data/voice snooping by 'law enforcement' without requiring court order if re-elected. And to create 'tracking databases', initial purpose: to track the horrid criminal-type-of-the-month. And stronger gun control, to pull the teeth out of us pheasants. And Dole wants to limit freedom of speech on the internet? It's 'Vote Libertarian' time.

Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Mon Sep 2 19:09:20 1996
From: Gene Lee
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Please stop
Date: Mon, 2 Sep 1996 21:57:11 -0400

On Monday, September 02, 1996 1:02 PM, Richard Johnson[SMTP:rjj@medialab.com] wrote:
>At 13:00 9/2/96, Sherwin Loudermilk wrote:
>>Can you please stop sending me e-mail messages.
>> Thanks
>>
>Please remove yourself from the mailing list. Follow the instructions you
>received and saved when you subscribed.
>
>Sending your broken unsubscribe attempt to all the subscribers on the list
>is useless, not to mention rude. We can't unsubscribe you.

Based on the number of "Don't send me e-mail" traffic lately on here, I'm beginning to suspect someone is adding e-mail addresses to mailing lists as part of a retribution/prank.

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Mon Sep 2 20:27:32 1996
Date: Mon, 02 Sep 1996 22:05:37 -0700
To: firewalls@GreatCircle.COM, jonesmd@unifiedtech.com
From: Chris Lonvick
Subject: Re: PIX router

Hello Mike,

The PIX currently performs network layer protection and RFC-1631 Network Address Translation. As someone mentioned in a later post, there will be many new features in the upcoming release and many more in the future.

Without knowing the specifics of your case, I can only give you some very general rules about how it can be used. The PIX has been implemented as a stand alone security device between a sensitive area of a network (i.e. - financial dept.) and the rest of a network. It's also been implemented as part of a firewall system, between the Internet and a private network.

Rather than go into a lot of detail here, please look at http://www.cisco.com/univ-src/3.9/data/doc/cintrnet/ics/icssecur.htm#HDR10 - a Security white paper (see Fig. 3.1) and http://www.cisco.com/warp/public/751/pix/pie_ds.htm - a PIX spec sheet (see Fig. 2).

As with anything, I urge you to fully define your expectations and then find a security device which can meet them.
Thanks,
Chris Lonvick
Cisco Systems
Consulting Engineering
+1-713-778-5663

>I'm looking for information on why (or why not) a Cisco PIX box is
>adequate as a firewall. My gut feeling is that it does part of the job,
>but that it's not something you should rely on as a complete solution.
>
> Mike Jones
> Unified Technologies
>
>

From firewalls-owner Mon Sep 2 21:11:41 1996
From: "Leon O'Brien"
Subject: Network monitoring tools
Date: Tue, 3 Sep 1996 13:58:08 +1000

I need to obtain a good network monitoring tool or analyser; our company is experiencing difficulties with WWW and we have been informed that a network analyser would be beneficial.

I thank all who help, even though it is not related to this list.

Leon O'Brien
Managing Director
NetWorx Pty Ltd
leon@networx.com.au

From firewalls-owner Tue Sep 3 00:09:35 1996
To: "firewalls@greatcircle.com"
Subject: C2 certified OS that can run a firewall
Date: Tue, 03 Sep 96 09:03:16 -0500
From: "Mattias Lindström"

-- [ From: Mattias Lindström * EMC.Ver #2.5.02 ] --

Taking up the thread again after healing my wounds.

More seriously, everybody that posted more or less agreed that MS is not to be trusted (as always) and that the Orange Book doesn't mention networking. Everybody was more or less discussing A1 or B2 or some other letter-number combination security level, but nobody mentioned C2.

Is there any OS out there that is C2 (not A1 or B2 or anything else, just C2) certified that can run a firewall with the C2 "stamp" applied? I don't want to hear that so and so are developing this and that for that OS, I want specific details.

TNT,
Mattias

--
Mattias Lindstrom
NT and Security Consultant

This email is for the use of authorized users only. Individuals using this email without authority, or in excess of their authority, are subject to having all of their activities monitored and recorded by system personnel.
From firewalls-owner Tue Sep 3 02:09:16 1996
Date: Tue, 03 Sep 1996 08:54:37 +0100
To: firewalls@greatcircle.com
From: Ian Miller
Subject: RE: Blocking non-http (executable) content

At 16:46 02/09/96 -0700, Bill Stout wrote:
>Hmm. An OLE Proxy via Catapult only. Next all other firewall vendors
>will have to play catch-up with Microsoft.
>

Given the power of OLE and its near total lack of even elementary integrity checking, let alone security checking, OLE is one of the last services anyone should allow through a Firewall with or without proxies. (If you want a VPN, you can use a general NetBEUI encrypted tunnel so don't need proxies.)

I think that the trend towards increasing programmable features (e.g. Word/Excel macros, Java/Active-X etc.) is wholly incompatible with achieving secure networks. Regrettably I fear this won't be appreciated by a lot of non-technical managers until lots of real damage has been done.

Ian

From firewalls-owner Tue Sep 3 03:39:12 1996
From: "Geoffrey Ellison"
Organization: SmartNet, South Africa
To: Firewalls@GreatCircle.COM
Date: Tue, 3 Sep 1996 12:18:44 +0200
Subject: Re: WWW servers (Again)
Reply-to: geoff@smartnet.co.za

Hey y'all. I still haven't seen a response to this in the list so I'm sending it again. If any of you know about multihoming NT, please respond.

Dennis said:
> Windows NT and IIS (Internet information server) does this quite
> well. Under Windows NT you can have 254 IP addresses/fqdn bound to
> each nic installed. IIS also is very configurable on what ip's to
> use and how.

Whooah! Is this NT3.5x? My documentation says that I can configure up to five IP addresses per network interface. The word out on the net is that you can hack the registry to give you something like 10 - 16 addresses. It is said that anything more than that is asking for trouble. If there is a way to have up to 254 IP's per interface I would very much like to know what it is.

Also, what is the server load for this type of thing? If 254 is the theoretical max, what is the practical max, assuming a 64M RAM 586 serving HTTP?

Geoff.

======================================================
                 _   _
                <@   @>
+------oOO----(_)-------------+
| Geoffrey Ellison            |
| Manager: Technical Services |
| SmartNet                    |
| geoff@smartnet.co.za        |
+---------------------oOO-----+
               \| |__|__| |/
                ||      ||
               ooO      Ooo
======================================================
PGP public key available on request.

From firewalls-owner Tue Sep 3 04:09:12 1996
From: MONDHER GAM
To: "Firewalls@GreatCircle.COM"
Subject: RE: Master
Date: Tue, 3 Sep 1996 11:59:00 -0000

From: Mondher GAM
Systems & Security Engineer
NETCOM-Ltd
Tunis-TUNISIA
e-mail: mondher.gam@netcom.com.tn
to: Firewalls@GreatCircle.COM

>I am a computer communication engineer. I started my master
>I want to choose a point for search in firewalls.
>The problem is I can't determine the hot subjects these days
>can anyone help me?
>

###########################################################################

I'm a computer science engineer specialized in networks & computer communications, and I have already used the TIS Internet Firewall Toolkit to implement our own firewall system for my university, and that was in terms of my final project of studies.
I have in this context already used the topology of dual homed gateway, and the testing of all the services-proxies and everything was allright. Now I'm working in a company specialized in the networking domain, where I'm the security administrator and system engineer . I have already contacted Mr Ranum ( who has worked on the TIS Firewall Toolkit ) and I advize you to look up to these two points, after of course setting-up a firewall architecture inside your local site : i). the first is about the ARP ( Adress Resolution Protocole ). How can we realize the correspondance between the physical ethernet hard adress and the IP logical adress? That is of course for getting a stronger measure of security. ii). the second one is about UDP protocole. We all know, that many services are UDP based such as SNMP and NFS and it's thus more important to take security measures for this connectioneless protocole. So, how can we securize it? and what are the works that had been made for this protocole? In fact, the TIS FW Toolkit does not provide any security measures for the UDP-based services. So it's a best guess. Good luck for your master Mohamed, and please contact me for any documents or information need. 
########################################################################## ######## Nothing is impossible, all taht exists is incapable people ######## ########################################################################## Mondher GAM Systems & Security Engineer NETCOM-Ltd Tunis-TUNISIA From firewalls-owner Tue Sep 3 05:24:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA21393 for firewalls-outgoing; Tue, 3 Sep 1996 05:14:16 -0700 (PDT) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA21386; Tue, 3 Sep 1996 05:14:10 -0700 (PDT) From: kesavan.p.nair@bangate1.tek.com Received: by inet1.tek.com id ; Tue, 3 Sep 1996 05:13:53 -0700 Received: from bangate.tek.com(128.181.153.52) by inet1 via smap (V1.3) id sma033323; Tue Sep 3 05:10:53 1996 Received: by bangate2.tek.com with VINES-ISMTP; Tue, 3 Sep 96 5:11:12 PDT Date: Mon, 2 Sep 96 16:29:01 IST Message-Id: X-Priority: 3 (Normal) To: Cc: Subject: Info needed - Internet web server on a firewalled network Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Iam developing an Internet based secure application which will reside on a web server accessible to internet but within firewall. I have following questions for Firewall gurus out there to answer on general setup of HTTP servers facing internet on a secured(firewalled network). Please do give a general overview of how your web server is set in relation to your firewall. How is your firewall implemented in terms of HTTP ? Is your Web server to the external world inside the firewall or outside firewall? In case your web server is outside the firewall,does it have provisions to access machines inside YOUR firewall in a secured manner? How do u achieve this. 
In case your webserver is inside, how is the security structure
regards
Kesavan.p.nair@tek.com

From firewalls-owner Tue Sep 3 06:09:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA24459 for firewalls-outgoing; Tue, 3 Sep 1996 06:02:45 -0700 (PDT) Received: from relay4.smtp.psi.net (relay4.smtp.psi.net [38.9.52.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA24450 for ; Tue, 3 Sep 1996 06:02:38 -0700 (PDT) Received: from bscgnj.com by relay4.smtp.psi.net (8.7.5/SMI-5.4-PSI) id JAA09469; Tue, 3 Sep 1996 09:02:21 -0400 (EDT) Received: from BSCG_NJ/SpoolDir by bscgnj.com (Mercury 1.21); 3 Sep 96 09:02:24 -0500 Received: from SpoolDir by BSCG_NJ (Mercury 1.30); 3 Sep 96 09:02:17 -0500 From: "Stefan Kwiatkowski" Organization: Bay State Computer Group of NJ To: Firewalls@GreatCircle.COM Date: Tue, 3 Sep 1996 09:02:09 EDT MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Shiva and firewalls [Eagle] X-mailer: Pegasus Mail for Windows (v2.33) Message-ID: <8BF7A84390@bscgnj.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Has anyone set up a Shiva LanRover outside of a firewall, and still maintained accessibility from the internal network? Does Shiva use a UDP port to make a Comm connection from the Clients? All thoughts appreciated.
From firewalls-owner Tue Sep 3 07:09:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA27724 for firewalls-outgoing; Tue, 3 Sep 1996 06:41:40 -0700 (PDT) Received: from tcs_gateway1.treas.gov (tcs_gateway1.treas.gov [204.151.245.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA27700 for ; Tue, 3 Sep 1996 06:41:12 -0700 (PDT) Received: by tcs_gateway1.treas.gov id AA19834 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Tue, 3 Sep 1996 09:40:41 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-4); Tue, 3 Sep 1996 09:40:41 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-3); Tue, 3 Sep 1996 09:40:41 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-2); Tue, 3 Sep 1996 09:40:41 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-1); Tue, 3 Sep 1996 09:40:41 -0400 Date: Tue, 3 Sep 1996 09:43:54 -0400 From: meritj@fincen.treas.gov (Jim Meritt) Message-Id: <199609031343.JAA23294@dirham.fincen.gov> To: firewalls@GreatCircle.COM Subject: locate unauthorized connections Sender: firewalls-owner@GreatCircle.COM Precedence: bulk A problem after a firewall - no matter how secure the firewall is itself - is that users put (for whatever reason) connections to the "secure" side that act as backdoors. How do you determine if such a thing has been done (after the connection has been made but before disaster befalls)? I'm looking at the output of netstat on every node at both the routes and the remote nodes connected to. I use a simple script to extract the information from netstat and netstat -r. Does anyone have other recommendations? 
Jim Meritt

From firewalls-owner Tue Sep 3 08:55:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05727 for firewalls-outgoing; Tue, 3 Sep 1996 08:42:41 -0700 (PDT) Received: from bdncs1.dynawell.ch (bdncs1.dynawell.ch [194.209.41.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA05704 for ; Tue, 3 Sep 1996 08:42:32 -0700 (PDT) Received: by bdncs1.dynawell.ch with Microsoft Exchange (IMC 4.12.736) id <01BB99BF.7D2AA290@bdncs1.dynawell.ch>; Tue, 3 Sep 1996 17:44:00 +0200 Message-ID: From: Peter Schumacher To: "'Firewalls@GreatCircle.COM'" Subject: RE: Subject: C2 certified OS that can run a firewall Date: Tue, 3 Sep 1996 17:43:58 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Digital UNIX is a C2 certified OS. The Alta Vista Firewall Software runs on it. For more information check out the Alta Vista Firewall at www.networks.digital.com
>Peter.Schumacher@netpartner.ch

From firewalls-owner Tue Sep 3 09:09:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05756 for firewalls-outgoing; Tue, 3 Sep 1996 08:43:34 -0700 (PDT) Received: from telxon (telxon.mis.telxon.com [149.23.2.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA05749 for ; Tue, 3 Sep 1996 08:43:23 -0700 (PDT) Received: from exchange.mis.telxon.com by telxon (SMI-8.6/SMI-SVR4) id LAA23354; Tue, 3 Sep 1996 11:42:57 -0400 Received: by exchange.mis.telxon.com with Microsoft Exchange (IMC 4.0.838.14) id <01BB998D.34B92D10@exchange.mis.telxon.com>; Tue, 3 Sep 1996 11:44:03 -0400 Message-ID: From: "Wojno, Jim" To: "'firewalls@greatcircle.com'" Subject: Firewall-1 Logs Date: Tue, 3 Sep 1996 11:44:02 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk
To All: We are in the process of determining how much disk space we will require for a Firewall-1 unit. We will be using a SPARC-20, and currently have about 400 to 500 active Internet users. We would like to keep at least one month worth of logging data on-line. Approximately how much disk space would you recommend we have available to accommodate this? Any input on this would be appreciated. If this topic has already been discussed, please feel free to contact me directly off-list.
Jim Wojno
Systems Administrator
Telxon Corporation
jwojn@telxon.com

From firewalls-owner Tue Sep 3 09:44:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05896 for firewalls-outgoing; Tue, 3 Sep 1996 08:46:38 -0700 (PDT) Received: from apu.connectix.com (apu.connectix.com [204.247.159.242]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA05875 for ; Tue, 3 Sep 1996 08:46:30 -0700 (PDT) Received: from [204.118.199.198] (snowball.connectix.com [204.118.199.198]) by apu.connectix.com (8.7.5/8.6.9) with SMTP id IAA05440 for ; Tue, 3 Sep 1996 08:46:08 -0700 Date: Tue, 3 Sep 1996 08:46:08 -0700 Message-Id: <199609031546.IAA05440@apu.connectix.com> Subject: Denied packets with no protocol?? From: Rob Sansom To: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Anybody know what this is??? It appears to be from a dial-in terminal server in Germany.
denied 5 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:33:03 gate247159.connectix.com 2377: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:35:32 gate247159.connectix.com 2378: %SEC-6-IPACCESSLOGNP: list 120 denied 3 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:35:39 gate247159.connectix.com 2379: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:38:27 gate247159.connectix.com 2380: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 3 packets
Aug 30 14:44:27 gate247159.connectix.com 2381: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:54:45 gate247159.connectix.com 2382: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:54:45 gate247159.connectix.com 2383: %SEC-6-IPACCESSLOGNP: list 120 denied 11 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:56:27 gate247159.connectix.com 2384: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 2 packets
Aug 30 14:56:45 gate247159.connectix.com 2385: %SEC-6-IPACCESSLOGNP: list 120 denied 4 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:57:27 gate247159.connectix.com 2386: %SEC-6-IPACCESSLOGNP: list 120 denied 5 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:01:41 gate247159.connectix.com 2387: %SEC-6-IPACCESSLOGNP: list 120 denied 12 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:16 gate247159.connectix.com 2388: %SEC-6-IPACCESSLOGNP: list 120 denied 14 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:27 gate247159.connectix.com 2389: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:27 gate247159.connectix.com 2390: %SEC-6-IPACCESSLOGNP: list 120 denied 11 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:27 gate247159.connectix.com 2391: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:03:29 gate247159.connectix.com 2392: %SEC-6-IPACCESSLOGNP: list 120 denied 8 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:07:27 gate247159.connectix.com 2393: %SEC-6-IPACCESSLOGNP: list 120 denied 12 141.2.28.130 -> 204.247.159.244, 5 packets
Aug 30 15:08:27 gate247159.connectix.com 2394: %SEC-6-IPACCESSLOGNP: list 120 denied 14 141.2.28.130 -> 204.247.159.244, 2 packets
Aug 30 15:18:34 gate247159.connectix.com 2395: %SEC-6-IPACCESSLOGP: list 120
Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Tue Sep 3 09:54:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08768 for firewalls-outgoing; Tue, 3 Sep 1996 09:30:08 -0700 (PDT) Received: from manzanita. ([139.87.180.206]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA08523 for ; Tue, 3 Sep 1996 09:29:16 -0700 (PDT) Received: by manzanita. (SMI-8.6/SMI-SVR4) id JAA19744; Tue, 3 Sep 1996 09:29:45 -0700 Date: Tue, 3 Sep 1996 09:29:45 -0700 From: bobk@manzanita (Bob Konigsberg) Message-Id: <199609031629.JAA19744@manzanita.> To: firewalls@GreatCircle.COM, nmorrow@magi.com Subject: Re: Spoofing Messages in the Log files X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Internal "spoofing" is also due to the fact that many people simply make up a network number for labs and such, not realizing that this prevents Internet access to the particular network in question. The solution to this is either central administration of private IP networks (a la RFC 1918), or router policies that don't allow the propagation of such network numbers beyond the boundaries of the labs. Another possibility is internal firewalling of "unauthorized" traffic. I've had to use all of these methods, depending on the situation.
BobK

From firewalls-owner Tue Sep 3 10:01:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA10355 for firewalls-outgoing; Tue, 3 Sep 1996 09:44:46 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA10207 for ; Tue, 3 Sep 1996 09:44:15 -0700 (PDT) Received: by hidata.com; id AA24429; Tue, 3 Sep 96 09:43:56 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma024427; Tue, 3 Sep 96 09:43:51 -0700 Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id JAA23346; Tue, 3 Sep 1996 09:43:50 -0700 Message-Id: <2.2.32.19960903164226.009d64a8@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Tue, 03 Sep 1996 09:42:26 -0700 To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: NT port activity list Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
I started this thread out of interest in NT Firewalls and Webservers. Let me know if this is too unrelated and I will take this elsewhere. Amazing what you learn by reading.
Windows NT Resource Kit 3.51
Windows NT Networking - Part III 'TCP/IP'.
I haven't completed a Satan scan against an NT system yet, but this is what I got so far. Also much of the system-level communication is still a mystery; logon process, etc (RPC?). NT TCP/IP is divided into the following separate categories:
· 'Core protocols' - TCP, IP, UDP, ARP, ICMP, PPP and SLIP.
· API support - Windows Sockets v1.1, RPC, NetBIOS, and Network DDE.
· Basic TCP/IP utilities - finger, ftp, lpr, rcp, rexec, rsh, telnet, and tftp.
· Diagnostic tools - arp, hostname, ipconfig, lpq, nbtstat, netstat, ping, route, and tracert.
· Services and Administration tools - FTP Server, WINS, DHCP, and TCP/IP Printing.
· SNMP agent
· Client software for 'Simple network protocols' - chargen, daytime, discard, echo, quotd.
· Path MTU discovery - discovers datagram size for all routers between Windows NT computer and any system on a WAN. (RFC 1191)
· IGMP - Internet Gateway Multicast Protocol

The following is a partial list of available IP network ports in NT:

Port   Name          Description                                                   RFC
1      icmp          Internet Control Message Protocol                             792
2      igmp          Internet Group Management Protocol                            1112
7      echo          Ping                                                          862
9      discard       Discard (sink null)                                           863
13     daytime       Daytime                                                       867
15     netstat       Network Statistics
17     quotd         Quote of the Day (\winnt\system32\drivers\etc\quotes)         865
19     chargen       Character Generator                                           864
20     ftp-data      File Transfer Protocol (Data)                                 959
21     ftp           File Transfer Protocol (Control)                              959
23     telnet        Telnet                                                        854
53     domain        Domain Name Service                                           1034,1035
69     tftp          Trivial File Transfer Protocol; used by Bootp, DHCP           783,1534,1541
79     finger        Finger                                                        1194
137    netbios_ns    NetBIOS Name Service; typically UDP; also used by 'nbtstat'   1001,1002
                     Node Status Request
138    netbios_dgm   NetBIOS Datagram Service                                      1001,1002
139    netbios_ssn   NetBIOS Session Service                                       1001,1002
161    snmp          SNMP Messages                                                 1157
162    snmptrap      SNMP Traps                                                    1157
530    courier       RPC
515    printer       LPD Spooler                                                   1179

Other installed services:
775    sms_db
777    sms_update
1433   tds           Tabular Data Stream, DB-library, SQLserver

Please edit this list if you have more data (ISS, Raptor, MS?).
Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822
--- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Tue Sep 3 10:13:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA11373 for firewalls-outgoing; Tue, 3 Sep 1996 09:52:53 -0700 (PDT) Received: from hp3.xlconnect.com ([166.80.10.80]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA11214 for ; Tue, 3 Sep 1996 09:51:50 -0700 (PDT) Received: by hp3.xlconnect.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BB9996.E168B360@hp3.xlconnect.com>; Tue, 3 Sep 1996 12:53:18 -0400 Message-ID: X-MS-TNEF-Correlator: From: "Larson, Erik @TFN Cin" To: "'Firewalls@GreatCircle.COM'" , "'geoff@smartnet.co.za'" Subject: RE: WWW servers (Again) Date: Tue, 3 Sep 1996 12:52:24 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BB9996.E16D4740" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
According to a Microsoft developer that I spoke with last week, NT 3.5.1 can be hacked with the known registry edit hack to allow up to 254 IP addresses/nic. NT 4.0 can support up to 500/nic. He said that several ISPs were already rolling out the NT 4.0 solution. Given that UUNet is 13% owned by Microsoft I would venture to say that they are probably the first to roll out these features and you might be able to get more information from them.
-ekl

----------
From: Geoffrey Ellison[SMTP:geoff@smartnet.co.za]
Sent: Tuesday, September 03, 1996 6:18 AM
To: Firewalls@GreatCircle.COM
Subject: Re: WWW servers (Again)

Hey y'all. I still haven't seen a response to this in the list so I'm sending it again. If any of you know about multihoming NT, please respond.

Dennis said:
> Windows NT and IIS (Internet information server) does this quite
> well. Under Windows NT you can have 254 IP addresses/fqdn bound to
> each nic installed. IIS also is very configurable on what ip's to
> use and how.

Whooah! Is this NT3.5x? My documentation says that I can configure up to five IP addresses per network interface. The word out on the net is that you can hack the registry to give you something like 10 - 16 addresses. It is said that anything more than that is asking for trouble. If there is a way to have up to 254 IP's per interface I would very much like to know what it is. Also, what is the server load for this type of thing? If 254 is the theoretical max, what is the practical max, assuming a 64M RAM 586 serving HTTP.

Geoff.
======================================================
                 _ _
                <@ @>
 +------oOO----(_)-------------+
 | Geoffrey Ellison            |
 | Manager: Technical Services |
 | SmartNet                    |
 | geoff@smartnet.co.za        |
 +---------------------oOO-----+
          \|   |__|__|   |/
               ||   ||
              ooO   Ooo
======================================================
PGP public key available on request.
From firewalls-owner Tue Sep 3 10:51:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15899 for firewalls-outgoing; Tue, 3 Sep 1996 10:38:34 -0700 (PDT) Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA15855 for ; Tue, 3 Sep 1996 10:38:20 -0700 (PDT) Received: by intfw.bear.com
(4.1/SMI-4.1) id AA12245; Tue, 3 Sep 96 13:35:51 EDT Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma011207; Tue Sep 3 13:27:35 1996 Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA05530; Tue, 3 Sep 96 13:29:37 EDT Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA11458; Tue, 3 Sep 96 13:28:11 EDT Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id NAA12627; Tue, 3 Sep 1996 13:27:24 -0400 Received: from neptune.bsnet by wizard.bsnet (SMI-8.6/SMI-SVR4) id NAA05229; Tue, 3 Sep 1996 13:27:25 -0400 Received: by neptune.bsnet (SMI-8.6/SMI-SVR4) id NAA05963; Tue, 3 Sep 1996 13:27:22 -0400 Date: Tue, 3 Sep 1996 13:27:22 -0400 From: sj@bear.com (Shahryar Jahangir) Message-Id: <199609031727.NAA05963@neptune.bsnet> To: firewalls@greatcircle.com, jwojn@telxon.com Subject: Re: Firewall-1 Logs Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: Qqee2Y+UpV6oI5iLYIwpQQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Jim, Firewall-1 logging is configurable. If you plan on doing detailed logging of all incoming and outgoing connections, your log file (just the log file, not the errors file) may reach anywhere between 5-10 MB (again depending upon your internet usage and logging style). This usually happens if you are tracking http proxy connections. However, if you don't care whether or not someone accesses playboy.com etc, you can skip (or at least compact) the http outbound logging, which will cut down tremendously on your log size. So, the size of your filesystem/drive depends upon your logging structure. For heavy logging, I use a separate filesys as well as drive (1 GB). But we, as a financial firm, have more to record than most other orgs. I also keep past logs online. Hope this gives you some guidance.
luck sj :->From jwojn@telxon.com Tue Sep 3 12:57:44 1996 :->From: "Wojno, Jim" :->To: "'firewalls@greatcircle.com'" :->Subject: Firewall-1 Logs :->Date: Tue, 3 Sep 1996 11:44:02 -0400 :->Mime-Version: 1.0 :->Content-Transfer-Encoding: 7bit :-> :->To All: :-> :->We are in the process of determining how much disk space we will require :->for a Firewall-1 unit. We will be using a SPARC-20, and currently have :->about 400 to 500 active Internet users. We would like to keep at least :->one month worth of logging data on-line. Approximately how much disk :->space would you recommend we have available to accomodate this. :-> :->Any input on this would be appreciated. If this topic has already been :->discussed, please feel free to contact me directly off-list. :-> :->Jim Wojno :->Systems Administrator :->Telxon Corporation :->jwojn@telxon.com -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From firewalls-owner Tue Sep 3 10:58:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17996 for firewalls-outgoing; Tue, 3 Sep 1996 10:51:22 -0700 (PDT) Received: from tavor.openu.ac.il (tavor.openu.ac.il [147.233.128.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA17977 for ; Tue, 3 Sep 1996 10:51:06 -0700 (PDT) Received: from localhost (nullhost.openu.ac.il)[] by tavor.openu.ac.il with SMTP id AA18345 (5.67a8/IDA-1.5 for ); Tue, 3 Sep 1996 20:49:41 +0300 Date: Tue, 3 Sep 1996 20:49:39 +0300 (IDT) From: Rafi Sadowsky X-Sender: rafi@tavor To: Rob Sansom Cc: firewalls@greatcircle.com Subject: Re: Denied packets with no protocol?? 
In-Reply-To: <199609031546.IAA05440@apu.connectix.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
You get this (no type) normally with an ip deny rule (no subprotocol, e.g. TCP, UDP, ICMP...). What is the deny rule that caused it?
-- Rafi Sadowsky rafi@tavor.openu.ac.il [postmaster@openu.ac.il] FAX: +972-3-6460744

On Tue, 3 Sep 1996, Rob Sansom wrote:
> Anybody know what this is??? It appears to be from a dial-in terminal
> server in Germany.
>
> denied 5 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:33:03 gate247159.connectix.com 2377: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:35:32 gate247159.connectix.com 2378: %SEC-6-IPACCESSLOGNP: list 120 denied 3 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:35:39 gate247159.connectix.com 2379: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:38:27 gate247159.connectix.com 2380: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 3 packets
> Aug 30 14:44:27 gate247159.connectix.com 2381: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:54:45 gate247159.connectix.com 2382: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:54:45 gate247159.connectix.com 2383: %SEC-6-IPACCESSLOGNP: list 120 denied 11 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:56:27 gate247159.connectix.com 2384: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 2 packets
> Aug 30 14:56:45 gate247159.connectix.com 2385: %SEC-6-IPACCESSLOGNP: list 120 denied 4 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 14:57:27 gate247159.connectix.com 2386: %SEC-6-IPACCESSLOGNP: list 120 denied 5 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:01:41 gate247159.connectix.com 2387: %SEC-6-IPACCESSLOGNP: list 120 denied 12 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:16 gate247159.connectix.com 2388: %SEC-6-IPACCESSLOGNP: list 120 denied 14 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:27 gate247159.connectix.com 2389: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:27 gate247159.connectix.com 2390: %SEC-6-IPACCESSLOGNP: list 120 denied 11 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:27 gate247159.connectix.com 2391: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:03:29 gate247159.connectix.com 2392: %SEC-6-IPACCESSLOGNP: list 120 denied 8 141.2.28.130 -> 204.247.159.244, 1 packet
> Aug 30 15:07:27 gate247159.connectix.com 2393: %SEC-6-IPACCESSLOGNP: list 120 denied 12 141.2.28.130 -> 204.247.159.244, 5 packets
> Aug 30 15:08:27 gate247159.connectix.com 2394: %SEC-6-IPACCESSLOGNP: list 120 denied 14 141.2.28.130 -> 204.247.159.244, 2 packets
> Aug 30 15:18:34 gate247159.connectix.com 2395: %SEC-6-IPACCESSLOGP: list 120
>
> Rob Sansom
> Network Admin.
> Connectix Corp
> (415) 638-7398
> sansom@connectix.com
>

From firewalls-owner Tue Sep 3 11:13:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA19344 for firewalls-outgoing; Tue, 3 Sep 1996 10:59:59 -0700 (PDT) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA19281 for ; Tue, 3 Sep 1996 10:59:40 -0700 (PDT) Received: from beach.sctc.com (root@localhost) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id NAA28920 for ; Tue, 3 Sep 1996 13:05:22 -0500 (CDT) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id NAA28916 for ; Tue, 3 Sep 1996 13:05:22 -0500 (CDT) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.5/8.7.3) with SMTP id MAA26476; Tue, 3 Sep 1996 12:59:29 -0500 (CDT) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id MAA13978; Tue, 3 Sep 1996 12:59:28 -0500 Date: Tue, 3 Sep 1996 12:59:28 -0500 From: Rick Smith Message-Id: <199609031759.MAA13978@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com Subject: Re: C2 certified OS that can run a firewall X-Newsreader: TIN [version 1.2 PL2] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
If you need strong protection (otherwise, why care about NCSC evaluations) then you should take a look at the C2 specification and realize that it's not intended for strong protection.
Rick.
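The %SEC-6-IPACCESSLOGNP lines quoted by Rob Sansom, read the way Rafi Sadowsky explains them (a bare "ip" deny rule logs the IP protocol number after "denied", not a port), parsed and summarised per source as an added example that is not code from the thread. Six log lines are copied from the post above; the final TCP line, its RFC 5737 test address and the partial IANA protocol-name table are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Partial copy of the IANA IP protocol number registry. In an IPACCESSLOGNP line
# the number printed after "denied" is this protocol number, not a port.
IP_PROTOCOL_NAMES = {
    1: "ICMP", 2: "IGMP", 3: "GGP", 4: "IP-in-IP", 5: "ST", 6: "TCP", 8: "EGP",
    9: "IGP", 10: "BBN-RCC-MON", 11: "NVP-II", 12: "PUP", 14: "EMCON",
    15: "XNET", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH", 89: "OSPF",
}

# Sample input: six lines taken from the thread above, the truncated LOGP line
# that ended the post, and one constructed LOGP line carrying TCP ports.
SAMPLE_LOG = """\
Aug 30 14:33:03 gate247159.connectix.com 2377: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:35:32 gate247159.connectix.com 2378: %SEC-6-IPACCESSLOGNP: list 120 denied 3 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:35:39 gate247159.connectix.com 2379: %SEC-6-IPACCESSLOGNP: list 120 denied 9 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:38:27 gate247159.connectix.com 2380: %SEC-6-IPACCESSLOGNP: list 120 denied 10 141.2.28.130 -> 204.247.159.244, 3 packets
Aug 30 14:54:45 gate247159.connectix.com 2382: %SEC-6-IPACCESSLOGNP: list 120 denied 15 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 14:56:45 gate247159.connectix.com 2385: %SEC-6-IPACCESSLOGNP: list 120 denied 4 141.2.28.130 -> 204.247.159.244, 1 packet
Aug 30 15:18:34 gate247159.connectix.com 2395: %SEC-6-IPACCESSLOGP: list 120
Aug 30 15:20:01 gate247159.connectix.com 2396: %SEC-6-IPACCESSLOGP: list 120 denied tcp 192.0.2.7(1034) -> 204.247.159.244(23), 1 packet
"""

# Only the NP (non-port protocol) variant is parsed. The P and DP variants carry
# TCP/UDP ports or ICMP type/code in a different tail and are deliberately skipped.
LOGNP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \d+: "
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) denied (?P<proto>\d{1,3}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}), "
    r"(?P<count>\d+) packets?$"
)


def protocol_name(number):
    """Name for an IP protocol number, or a marker for numbers not in the table."""
    return IP_PROTOCOL_NAMES.get(number, "unassigned/unknown")


def parse_lognp(text):
    """Return one dict per parseable IPACCESSLOGNP line; anything else is ignored."""
    events = []
    for line in text.splitlines():
        m = LOGNP_RE.match(line.strip())
        if not m:
            continue  # truncated lines and port-carrying variants land here
        events.append({
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine because only differences between timestamps are used below
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "acl": m["acl"], "proto": int(m["proto"]),
            "src": m["src"], "dst": m["dst"], "count": int(m["count"]),
        })
    return events


def summarise_by_source(events):
    """Per (src, dst): sorted distinct protocol numbers, total packets, span in seconds."""
    buckets = defaultdict(lambda: {"protocols": set(), "packets": 0, "ts": []})
    for e in events:
        b = buckets[(e["src"], e["dst"])]
        b["protocols"].add(e["proto"])
        b["packets"] += e["count"]
        b["ts"].append(e["ts"])
    return {
        key: {
            "protocols": sorted(b["protocols"]),
            "packets": b["packets"],
            "span_seconds": int((max(b["ts"]) - min(b["ts"])).total_seconds()),
        }
        for key, b in buckets.items()
    }


def protocol_sweeps(summary, min_distinct=5):
    """Source/destination pairs denied on at least min_distinct different IP protocols."""
    return {k: v for k, v in summary.items() if len(v["protocols"]) >= min_distinct}


def describe(summary):
    """One human-readable line per pair, with protocol numbers resolved to names."""
    lines = []
    for (src, dst), v in sorted(summary.items()):
        names = ", ".join(f"{p} ({protocol_name(p)})" for p in v["protocols"])
        lines.append(f"{src} -> {dst}: {len(v['protocols'])} protocols [{names}], "
                     f"{v['packets']} packets over {v['span_seconds']} s")
    return lines


if __name__ == "__main__":
    summary = summarise_by_source(parse_lognp(SAMPLE_LOG))
    for line in describe(protocol_sweeps(summary)):
        print(line)
```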
smith@sctc.com secure computing corporation From firewalls-owner Tue Sep 3 12:03:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA23740 for firewalls-outgoing; Tue, 3 Sep 1996 11:34:26 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA23696 for ; Tue, 3 Sep 1996 11:34:05 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA18300; Tue, 3 Sep 1996 13:33:43 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma009510; Thu Aug 29 08:20:17 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA02666; Thu, 29 Aug 1996 08:20:16 -0500 Received: by sonic.nmti.com; id AA01232; Thu, 29 Aug 1996 08:20:15 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9608291320.AA01232@sonic.nmti.com.nmti.com> Subject: Re: Win NT PPTP vs. VPN To: endrizzi@master.the-link.com Date: Thu, 29 Aug 1996 08:20:15 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199608290229.VAA17801@master.the-link.com> from "endrizzi@master.the-link.com" at Aug 28, 96 09:07:05 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 1)MS is 90% of the desktop market and after NT squishes Novell, MS will > also be 90% of the NOS market. Given the way companies are backing out of NT and going back to Nightmare for enterprise networking...? 
From firewalls-owner Tue Sep 3 12:14:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA26904 for firewalls-outgoing; Tue, 3 Sep 1996 11:58:46 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA26861 for ; Tue, 3 Sep 1996 11:58:34 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA21506; Tue, 3 Sep 1996 13:58:12 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma002540; Tue Sep 3 11:45:49 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA05514; Tue, 3 Sep 1996 11:45:48 -0500 Received: by sonic.nmti.com; id AA14943; Tue, 3 Sep 1996 11:45:47 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9609031645.AA14943@sonic.nmti.com.nmti.com> Subject: Re: C2 certified OS that can run a firewall To: mattias.lindstrom@ihc.se (Mattias Lindström) Date: Tue, 3 Sep 1996 11:45:47 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9609030704.AA09243@ns.ihc.se> from "Mattias Lindström" at Sep 3, 96 09:03:16 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text X-Bogus-To: mattias.lindstrom@ihc.se (Mattias Lindström) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> Is there any OS out there that is C2 (not A1 or B2 or anything else, just
> C2) certified that can run a firewall with the C2 "stamp" applied?
What specific features of C2 (over, say, C1) do you need? Or are you just looking for the stamp?
From firewalls-owner Tue Sep 3 12:29:56 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608311616.AA16580@sonic.nmti.com.nmti.com>
Subject: Re: NT port activity list
To: bill.stout@hidata.com (Bill Stout)
Date: Sat, 31 Aug 1996 11:16:34 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <2.2.32.19960831000931.00db5ef8@osc.hidata.com> from "Bill Stout" at Aug 30, 96 05:09:31 pm

I just sniffed NTWS4.0 beta and got:

TCP services on fubar [198.178.0.183]:
  echo      7/tcp
  discard   9/tcp
  daytime  13/tcp
  chargen  19/tcp
  ftp      21/tcp (note, this is only open if you enable ftp access during setup)

The netbios services didn't show up under a scan.
From firewalls-owner Tue Sep 3 12:50:47 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9609031349.AA11026@sonic.nmti.com.nmti.com>
Subject: Re: Blocking non-http (executable) content
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Tue, 3 Sep 1996 08:49:21 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM, DCOM@Listserv.msn.com, markry@microsoft.com
In-Reply-To: from "Russ" at Aug 30, 96 11:20:52 am

> HTTP is not a transport protocol, IP is, and your statement
> proves that you see HTTP as a transport protocol. HTTP doesn't have any
> mechanisms to deal with differentiating traffic types as IP does.

Um, yeh, actually Russ... it does. The problem is that browsers ignore these
tags if they're inconvenient, so in practice they're only marginally useful.
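The mechanism being referred to is the HTTP Content-Type header. As an added example that is not part of this thread or any poster's code, here is the kind of declared-versus-actual check a proxy built on the content-recognition idea discussed elsewhere in this digest could apply, together with the reason it stays only marginally useful: anything can be encoded as printable text. The allow-list policy, sample bodies and function names are all constructed for illustration.

```python
import re

# Leading-byte signatures for the image types a content-recognising proxy
# would accept (taken from the public GIF/JPEG/PNG format specifications).
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
TEXT_TYPES = {"text/plain", "text/html"}
# Signatures of code the thread wants kept out: DOS/PE executables, Java class files.
EXECUTABLE_MAGIC = (b"MZ", b"\xca\xfe\xba\xbe")


def media_type(content_type_header: str) -> str:
    """'text/html; charset=us-ascii' -> 'text/html' (parameters dropped, case folded)."""
    return content_type_header.split(";", 1)[0].strip().lower()


def looks_like_text(body: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in body)


def check_response(content_type_header: str, body: bytes):
    """Decide whether a proxy should pass this response body.

    Returns ("allow", reason) or ("block", reason).  Assumed policy: a body
    passes only when its declared type is on the allow-list AND the bytes are
    consistent with that type; executables are refused whatever the label says.
    """
    mtype = media_type(content_type_header)
    if body.startswith(EXECUTABLE_MAGIC):
        return "block", f"executable signature under declared type {mtype}"
    if mtype in IMAGE_MAGIC:
        if body.startswith(IMAGE_MAGIC[mtype]):
            return "allow", f"{mtype} signature matches"
        return "block", f"declared {mtype} but body lacks its signature"
    if mtype in TEXT_TYPES:
        if looks_like_text(body):
            return "allow", f"{mtype} body is printable ASCII"
        return "block", f"declared {mtype} but body has non-printable bytes"
    return "block", f"media type {mtype!r} not on the allow-list"


# The weakness: a plain-ASCII rule passes any payload that has been encoded
# as text.  This heuristic spots one obvious framing (uuencode) and nothing
# more; it shows the arms race, not a solution to it.
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S+\r?$", re.M)
UU_END = re.compile(rb"^end\r?$", re.M)


def looks_like_uuencode(body: bytes) -> bool:
    """True when the body carries a 'begin <mode> <name>' ... 'end' frame."""
    return bool(UU_BEGIN.search(body) and UU_END.search(body))


# Constructed sample bodies (not captured traffic).
GIF_SAMPLE = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 8
EXE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
HTML_SAMPLE = b"<html><body><p>Hello, world.</p></body></html>\n"
UU_SAMPLE = (b"Some harmless-looking notes.\n"
             b"begin 664 packet\n"
             b"M2&5L;&\\@=V]R;&0*\n"
             b"`\n"
             b"end\n")

if __name__ == "__main__":
    cases = [
        ("image/gif", GIF_SAMPLE),
        ("image/gif", EXE_SAMPLE),                    # mislabelled executable
        ("text/html; charset=us-ascii", HTML_SAMPLE),
        ("application/octet-stream", b"opaque"),
        ("text/plain", UU_SAMPLE),                    # passes the type check
    ]
    for ctype, body in cases:
        verdict, reason = check_response(ctype, body)
        print(f"{ctype:30} {verdict:5} {reason}")
    print("uuencode frame inside text/plain:", looks_like_uuencode(UU_SAMPLE))
```

Run as a script it prints one verdict per sample; the last line shows the text-encoded tunnel that the type check alone lets through.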
From firewalls-owner Tue Sep 3 12:59:06 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9609031934.AA30172@sonic.nmti.com.nmti.com>
Subject: Re: Firewalls-Digest V5 #484
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Tue, 3 Sep 1996 14:34:28 -0500 (CDT)
Cc: Bernhard_Schneck@GeNUA.DE, peter@baileynm.com, toranix@ultranet.com, jsong@amer.net, Firewalls@GreatCircle.COM
In-Reply-To: from "Russ" at Sep 3, 96 03:07:24 pm

> Just because you hack my webserver does not translate into access to my
> SQL server for anything other than the defined access that the webserver
> had, which could quite easily be read-only.

Then it's not in the same trust boundary. End of subject.
From firewalls-owner Tue Sep 3 13:19:52 1996
From: "Sean Fuller"
Message-Id: <9609031441.ZM27395@zone.aedc>
Date: Tue, 3 Sep 1996 14:41:43 -0500
In-Reply-To: "Any virtual telnet proxy gateways about?" (Aug 30, 6:42am)
References: <841405326FriCDT.firewalls-owner@GreatCircle.COM>
To: firewalls@GreatCircle.COM
Subject: Re: Any virtual telnet proxy gateways about?

I modified our telnet proxy here to automatically connect certain users to a
machine while allowing other users full access to the telnet gateway's
functionality. Sorry, I can't give out the code, but you can find out which
host the client is coming from by calling getpeername() and then you can force
a command in the usercmd() function of TIS FWTK by using a
sprintf(buf, "connect %s", desthost) at the beginning rather than prompting
the user for a telnet gateway command.

I hope this helps.

-------------------------------------------------
#include /* Sean Fuller */

From firewalls-owner Tue Sep 3 13:25:12 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608291637.AA07879@sonic.nmti.com.nmti.com>
Subject: Re: Dcom Rollout (fwd)
To: proberts@clark.net (Paul D. Robertson)
Date: Thu, 29 Aug 1996 11:37:52 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Paul D. Robertson" at Aug 29, 96 11:00:15 am

> Is it just me, or does everyone else see a problem with every vendor in
> the world encapsulating over HTTP so the users can get right through the
> firewall?

It's not just you.

> IMNSHO we need a way to identify and block non-content HTTP.

Stealthed IP-over-HTTP would be a piece of cake. Just package the packets in
POST/RESPONSE pairs, and poll. I don't think there's anything we can do
against hostile software vendors (people coming up with COOL APPS that grovel
through your Netscape.INI files to find your proxies without saying anything
about it).
We need to come up with a tagging plan for cooperative vendors to go along
with. What mime type do Microsoft's products use?

From firewalls-owner Tue Sep 3 13:31:47 1996
Message-Id: <1.5.4.32.19960903202448.006dee78@isbu-mail.ljo.dec.com>
Date: Tue, 03 Sep 1996 15:24:48 -0500
To: Peter Schumacher , "'Firewalls@GreatCircle.COM'"
From: Jim Lester
Subject: RE: Subject: C2 certified OS that can run a firewall

Digital also offers their firewall on NT and BSDI. The Unix and NT versions
are certified by NCSA. Digital also offers a tunnel server which is firewall
independent and provides remote access from static or dynamic ip addresses
with 128bit encryption. For more information visit Digital's homepage at
http://altavista.software.digital.com. Or email me directly. I work for
Digital.

At 05:43 PM 9/3/96 +0200, Peter Schumacher wrote:
>
> Digital UNIX is a C2 certified OS. The Alta Vista Firewall Software runs on
> it.
>
> For more information check out the Alta Vista Firewall
> at www.networks.digital.com
>
>> Peter.Schumacher@netpartner.ch
>

From firewalls-owner Tue Sep 3 13:44:29 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608301425.AA01067@sonic.nmti.com.nmti.com>
Subject: Re: Blocking non-http (executable) content
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Fri, 30 Aug 1996 09:25:42 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM, DCOM@Listserv.msn.com
In-Reply-To: from "Russ" at Aug 30, 96 09:26:32 am

> If, for example, every standard HTTP proxy recognized images, which
> typically have some sort of header text, and ASCII text, then the proxy
> could prevent any code blocks that contain anything else. This would
> eliminate the need to constantly modify the proxy for new innovations.

Tunnel 1:

begin 664 packet
MKJhJKHsjkHJKAShjkHJKDFHKJDWHFJKWHDJKFHJKFDLWJDHJKWHJKCHJK
MjhewfgdkjfhjkhKJHWJQKhJKH JKhJK HWQJKHKJhDJKH DJKWHJKDjhj
'kljdshsjk
end

Tunnel 2:

lorum ipsem dolor sic amet.
gang five sleep dupe new diet green lemming infinity truth sex gnoll trust
1984 meddle plug sing.

Basically, if we can't come up with a platform to let them easily punch
through firewalls with our approval, they'll do it without. SOCKS used to be
thought of as a security problem. By comparison with this it might be our
last best hope.

From firewalls-owner Tue Sep 3 13:47:16 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608301639.AA22076@sonic.nmti.com.nmti.com>
Subject: Re: Blocking non-http (executable) content
To: markry@microsoft.com (Mark Ryland)
Date: Fri, 30 Aug 1996 11:39:20 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM, DCOM@Listserv.msn.com, Russ.Cooper@RC.Toronto.on.ca
In-Reply-To: from "Mark Ryland" at Aug 30, 96 07:32:58 am

> Running DCOM over HTTP adds absolutely zero new security risks -- an
> RPC system running over an RPC system is not less secure than just an
> RPC system alone.

The type of transport mechanism used to ship information over a link (though
if you extend things far enough, you can describe IP as an RPC mechanism if
that's the sort of argument you want to make) is irrelevant to the security
implications of the link. It's the boxes at the ends of the link that are the
problem.

With HTTP, the boxes don't trust each other. This means that both clients and
servers limit what the information (commands, programs, scripts, what have
you) can do. And even then there's holes.

> Fundamental fact is that port-based firewalls are of limited utility for
> creating a truly secure environment.

That's true. You want application specific gateways. But if you can't do that
then you want to be able to restrict access by host and port. It's not
perfect, but it's better than nothing. Also, it's a situation where things
are by default closed, and the admin has to take a definite step to open them
up. With HTTP things are open by default. It's not perfect, but it's better
than nothing.

> Port-based firewalls prevent some bad behavior by UNSOPHISTICATED users
> and hackers. Like car door locks, they're very worthwhile for that
> reason. But a pro can get through your port firewall as fast as a
> pro can get into your car with a slim-jim.

Are you really characterising Microsoft as "a pro with a slim-jim"? While
there are many people who would be in agreement, I think that's probably a
little extreme. Shouldn't a company in Microsoft's position be providing a
*good* example? How about a DCOM application proxy, available in source, that
can be slipped into existing firewalls with a minimum of bother.

Oh, and while we're on the subject of Microsoft and security and HTTP, how
about the source to the Front Page CGIs or at least a format spec... a lot of
people are justifiably concerned about this chunk of untestable binary code
Microsoft wants us to drop into cgi-bin...
From firewalls-owner Tue Sep 3 13:50:47 1996
From: Russ
To: "'Bernhard_Schneck@GeNUA.DE'" , "'peter@baileynm.com'"
Cc: "'toranix@ultranet.com'" , "'jsong@amer.net'" , "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewalls-Digest V5 #484
Date: Tue, 3 Sep 1996 15:07:24 -0400

Peter said...

> To put it another way: systems that trust each other are effectively
> the same system.
>
> If any system is in the same trust boundary as your webserver, then if
> the webserver is compromised so is it.

Could we just take a step back a sec here and think about what we're
saying??? Just because you hack my webserver does not translate into access
to my SQL server for anything other than the defined access that the
webserver had, which could quite easily be read-only. Even if the webserver
had write access to the SQL server, this does not translate to the SQL server
being compromised in the sense that you could then magically send it
instructions to do something on the internal network.

Please don't take this the wrong way, but far too many people assume far too
much when they start talking like "and if I can hack your machine, I can do
anything I want".

No, Peter, I'm not saying you said that, but the idea is there in yours, and
others', statements.

So we've all heard that a Trojan could be placed into an NT registry (a poorly
secured one), and that a file could be transferred to a machine through an FTP
server that allows inbound writes (again, a poorly secured one), so this means
we have some program installed on the NT box awaiting the next boot. This
program will then do what, exactly? What is the exploit that you are using to
discover whether or not that NT box can access the internal box with any kind
of rights that would allow it to place a copy of itself (or some other files
you've previously left on the external NT box) on the internal box? If it's
not external, it probably won't be running FTP, right? So you are now using a
share, assuming you have access to it (i.e. C$). Oh, but then, you are
exploiting the poorly configured NT registry on the internal box again, once
again, with the assumption that you somehow have access to it?

Remember, if the systems are properly configured, the external NT box can only
access the internal box for SQL, so how do you execute a program on the
webserver that does anything to the internal box? The external box would be
part of its own domain, untrusted from the internal domain, so accounts that
exist on the webserver would not be valid within the internal domain. Since
the external box doesn't have a copy of the SAM, how are you accessing the
internal registry? See, in NT, unless you are putting things into the
registry, you can't remotely log on to it, you can't get a command prompt.
AND IT'S EASY TO SECURE THE REGISTRY, just remove Everybody Read access from
the HKEY_LOCAL_SYSTEM hive, voilà, a secure registry that cannot be connected
to by anyone other than Administrators Group (and your entire environment will
be very happy, unless you are running some form of multi-user NT extension).

I often think that far too many people assume far too much about NT security,
which ends up with them assuming that exploits which have never been reported
become easily done, if you just knew how...

I said it before, and I'll say it again, NetBEUI can be used to create
protocol isolation which does not require encryption to connect an external
Internet NT box to an internal NT box that is also connected to an internal
network. This connection does by-pass a firewall, but it is a tool that a
Firewall administrator can use to effect a solution that has been thought out
and planned, which will also avoid some of the problems associated with
creating such a connection through a Firewall. Until such time as there is a
proper NT proxy for Firewalls, this is the method I believe has the highest
level of assurance. If you don't think so, then please be specific about the
exploits that could be used against such a connection. Making assumptions
about what you could do if you only had a program to do it skirts the issues
and obscures the security that NT provides. Anyone can speculate to no end
about what an unknown, undefined program could do to such a connection,
without ever having to face the realities of the environment. I fail to see
how this helps anyone, or proves anyone's point.
Cheers,
Russ

From firewalls-owner Tue Sep 3 13:55:48 1996
From: Help_desk@tribune.com
Date: Tue, 3 Sep 1996 13:42:51 -0500
Message-ID: <22c7d700@tribune.com>
Subject: Re: Re: Firewalls-Digest #484
To: Firewall mailing list

How about hearing from some more of you on this one? Here are some things that
I have been thinking about.... (more below)

> Date: Thu, 29 Aug 1996 14:46:20 +0200
> From: Bernhard Schneck
> Subject: Re: Firewalls-Digest V5 #484
>
> > One extra note: Connecting the Web server directly to your database
> > would be a breach of security, you would in effect be providing any
> > hacker a direct line into your internal network, bypassing any
> > firewall/router security.
>
> That's what I was thinking about (mostly).
>
> When you allow access to internal data from external sources, you
> *should* assume that any access can be with hostile intent.
>
> In Jenjen's case (users access an external web server, which queries
> the internal database and returns query results in HTMLized form),
> this would mean that she/he has to assume that web server security
> has been breached and the web server is under full control of the
> attackers.
>
> Two things may happen:
> - the attackers gain access to data in the database
> - the attackers send wrong responses to users querying the service
>
> Only mutual authentication between user and database will solve the
> second problem, so let's stick to the first for now.
>
> Encrypting the data stream between web server and database will not
> help in this case, as some sort of keys will have to reside on the
> web server (which was taken over by The Bad Guys).
>
> Using challenge/response between server and database won't help
> either ... again, The Bad Guys are already on the web server and can
> fake those, too.
>
> A private network connection (using any type of protocol) between
> server and database won't help, unless the server has no way to speak
> that protocol (but then, how would it send legitimate queries to the
> database? :-)
>
> What will help (at least somewhat) is
>
> - do not allow the web server to run any SQL statement against the
>   database (The Bad Guys might plug in their own select statements)
>   but use a restricted, well defined proxy protocol to a separate
>   internal service with tight security, which will then access the
>   database.
>   --> Anyone will be able to access the data, but only in a (more or
>   less) controlled fashion.

I tend to agree on not allowing SQL to be executed on the Webserver. Unless
your applications are very simple, that means you are writing an API or a
protocol for each application. This is job security, but may not be scalable.
The other thing I hate about this is that it starts looking like "security
through obscurity" again.

Anyone else have a "path" worth strolling down?

Something else I ran across the other day:

Vendor A has developed a search/retrieval/server product. If I have content
that I think users will pay for, I install the server product behind a FW to
protect that investment in the content. Now we haven't talked about how to
interface to the payment switch yet....

I install Vendor A's CGI on my W3 server outside the FW and install a plug-gw
on a high numbered port to only accept incoming connects from my W3 server
bound for Vendor A's server. I find out that Vendor A's CGI is only an IP
gateway from the client to Vendor A's server (there is nothing to the CGI:
open socket, connect, print STDIN to STDOUT). This tells me that the
API/protocol must be in the HTML form; this application is probably very
simple.

How secure is a CGI like this? (Vulnerability: W3 server security)

What I like about this is that there is no information (other than the
connecting address and the embedded API/values in the HTML form) on the W3
server about the back-end service. It appears to be vulnerable to denial of
service attacks (anyone can POST to this CGI and the W3 server will contact
Vendor A's server thru the FW, consuming resources on the W3, FW and Vendor
A's box). Your thoughts?

If I use a Secure/Commerce W3 server, will SSL or SHTTP be foiled by Vendor
A's CGI approach, but doesn't this mean that Vendor A's server would have to
support SSL and SHTTP also? If it does support one or both, their application
starts to look a lot like a modified secure W3 server, doesn't it?

Now continuing on with this discussion: If the W3 server is taken over, it can
talk to only one port on the FW bound for Vendor A's server. We are left with
placing trust in Vendor A's application team for our network security. If this
application is secure, why is it behind the FW? They seem to be following the
guidelines set forth by the NCSA Web Site Certification criteria.

>
> - challenge/response between the end user and the database on every
>   transaction (`authenticated' state should not be kept)
>   --> The Bad Guys can wait for such an access and sniff the data or
>   can replace the web server and send their own queries using the
>   intercepted user's authentication.
>
> - authenticated+encrypted links (eg. IPSEC AH/ESP) between end user
>   and database *not* going through the web server (remember, it has
>   been taken over! If it decrypts somehow, The Bad Guys are in)
>   --> The Bad Guys will need to either break the encryption or the
>   key exchange mechanism (which is supposed to be hard)
>
> Unless you use a non subvertible channel between enduser and database,
> you're prone to snooping, if not worse!
>
> Again: Encryption between web server and database may not be enough.
>
> \Bernhard.
>

From firewalls-owner Tue Sep 3 13:59:38 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9608291345.AA01577@sonic.nmti.com.nmti.com>
Subject: Re: Firewalls-Digest V5 #484
To: Bernhard_Schneck@GeNUA.DE (Bernhard Schneck) Date: Thu, 29 Aug 1996 08:45:49 -0500 (CDT) Cc: toranix@ultranet.com, jsong@amer.net, Russ.Cooper@rc.toronto.on.ca, Firewalls@GreatCircle.COM In-Reply-To: <199608291246.OAA22790@auryn.genua.de> from "Bernhard Schneck" at Aug 29, 96 02:46:20 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Again: Encryption between web server and database may not be enough. To put it another way: systems that trust each other are effectively the same system. If any system is in the same trust boundary as your webserver, then if the webserver is compromised so is it. From firewalls-owner Tue Sep 3 14:32:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA04998 for firewalls-outgoing; Tue, 3 Sep 1996 13:05:25 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA04907 for ; Tue, 3 Sep 1996 13:05:03 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA01172; Tue, 3 Sep 1996 13:04:11 -0700 Received: from smokey.arnold.af.mil(132.45.120.11) by mycroft via smap (V1.3mjr) id sma001170; Tue Sep 3 13:04:02 1996 Received: from zone.aedc (zone.arnold.af.mil [134.137.226.32]) by hap.arnold.af.mil (8.6.10/8.6.9) with ESMTP id PAA04225 for <@hap.aedc:firewalls@GreatCircle.COM>; Tue, 3 Sep 1996 15:05:53 -0500 Received: by zone.aedc (940816.SGI.8.6.9/930416.SGI) for firewalls@GreatCircle.COM id PAA27420; Tue, 3 Sep 1996 15:02:08 -0500 From: "Sean Fuller" Message-Id: <9609031502.ZM27418@zone.aedc> Date: Tue, 3 Sep 1996 15:02:07 -0500 In-Reply-To: "TN3270 and TN5250 through a firewall using OS/2 Clients" (Aug 30, 11:43am) References: <841423389FriCDT.firewalls-owner@GreatCircle.COM> X-Mailer: Z-Mail (3.2.2 10apr95 MediaMail) To: firewalls@GreatCircle.COM Subject: Re: TN3270 and TN5250 through a firewall using 
OS/2 Clients Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Why would a proxy written for Port 23 not be able to accomodate all forms of >telnet? I can tell you why my proxy does not currently support tn3270. It is because I do not send a 3270 data stream for the initial login. Instead, I use line mode. Emulating a 3270 data stream is a lot harder. I plan on supporting it soon because it was requested by our users, one of which is my wife who is a DBA on the mainframe here. If I did not have to converse with the client before allowing them through the firewall, it would be easy to write a proxy to allow passthrough. :) Actually, I'm a Unix guy now and, of course, I deny 3270 because :) :) it is an IBM Mainframe protocol and non-Unix things suck. :) From firewalls-owner Tue Sep 3 14:43:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15881 for firewalls-outgoing; Tue, 3 Sep 1996 14:32:10 -0700 (PDT) Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA15846 for ; Tue, 3 Sep 1996 14:31:54 -0700 (PDT) Received: (from girsch@localhost) by mail.marben.com (SMI-8.6/SMI-SVR4/MPI-AG) id OAA06149; Tue, 3 Sep 1996 14:31:08 -0700 From: girsch@marben.com (Arnaud Girsch) Message-Id: <199609032131.OAA06149@mail.marben.com> Subject: Re: NT port activity list To: peter@baileynm.com (Peter da Silva) Date: Tue, 3 Sep 1996 14:31:06 -0700 (PDT) Cc: bill.stout@hidata.com, Firewalls@GreatCircle.COM In-Reply-To: <9608311616.AA16580@sonic.nmti.com.nmti.com> from "Peter da Silva" at Aug 31, 96 11:16:34 am X-Organization: Marben Products, Inc. 
X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I just sniffed NTWS4.0 beta and got:
>
> TCP services on fubar [198.178.0.183]:
> echo 7/tcp
> discard 9/tcp
> daytime 13/tcp
> chargen 19/tcp
> ftp 21/tcp (note, this is only open if you enable
> ftp access during setup)
>
> The netbios services didn't show up under a scan.

hum ... I was wondering why a 'netstat -a' a la Unix doesn't show all ports in listen state, as one would expect.

Arnaud.
-- Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Tue Sep 3 14:59:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15230 for firewalls-outgoing; Tue, 3 Sep 1996 14:23:47 -0700 (PDT) Received: from icicle.winternet.com (NS.WINTERNET.COM [198.174.169.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA15216 for ; Tue, 3 Sep 1996 14:23:31 -0700 (PDT) Received: (from adm@localhost) by icicle.winternet.com (8.7.5/8.7.5) id QAA02063; Tue, 3 Sep 1996 16:22:53 -0500 (CDT) Date: Tue, 3 Sep 1996 16:22:53 -0500 (CDT) Posted-Date: Tue, 3 Sep 1996 16:22:53 -0500 (CDT) Received: from parka.winternet.com(198.174.169.9) by icicle.winternet.com via smap (V2.0alpha) id xma001967; Tue, 3 Sep 96 16:22:14 -0500 Date: Tue, 3 Sep 1996 16:20:10 -0500 (CDT) From: Ron DuFresne To: Peter da Silva cc: endrizzi@master.the-link.com, firewalls@GreatCircle.COM Subject: Re: Win NT PPTP vs. VPN In-Reply-To: <9608291320.AA01232@sonic.nmti.com.nmti.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 29 Aug 1996, Peter da Silva wrote:
> > 1)MS is 90% of the desktop market and after NT squishes Novell, MS will
> > also be 90% of the NOS market.
> >
> Given the way companies are backing out of NT and going back to Nightmare
> for enterprise networking...?
>

Peter,

Is that the way you're seeing things out where y'all is now? I've seen just the opposite. Folks rolling up the netware servers and moving NT out on the networks...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Tue Sep 3 15:14:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA16622 for firewalls-outgoing; Tue, 3 Sep 1996 14:42:12 -0700 (PDT) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA16582 for ; Tue, 3 Sep 1996 14:41:56 -0700 (PDT) Received: by hidata.com; id AA25870; Tue, 3 Sep 96 14:41:38 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma025868; Tue, 3 Sep 96 14:41:35 -0700 Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id OAA25529; Tue, 3 Sep 1996 14:41:34 -0700 Message-Id: <2.2.32.19960903214011.006cddd0@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 03 Sep 1996 14:40:11 -0700 To: girsch@marben.com (Arnaud Girsch), peter@baileynm.com (Peter da Silva) From: Bill Stout Subject: Re: NT port activity list Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>> I just sniffed NTWS4.0 beta and got:
>>
>> TCP services on fubar [198.178.0.183]:
>> echo 7/tcp
>> discard 9/tcp
>> daytime 13/tcp
>> chargen 19/tcp
>> ftp 21/tcp (note, this is only open if you enable
>> ftp access during setup)
>>
>> The netbios services didn't show up under a scan. > >hum ... I was wondering why a 'netstat -a' ala Unix doesn't show all ports >in listen state, as one would expect. Type 'netstat /?' at the command prompt, under the -a variable it states that 'server side connections are normally not shown'. :( Sounds like something to hack at, or throw a huge Satan scan at. Bill Stout _______________________________________________________________________________ Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;) Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself ___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________ From firewalls-owner Tue Sep 3 15:28:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA19322 for firewalls-outgoing; Tue, 3 Sep 1996 15:04:44 -0700 (PDT) Received: from thoughtport.thoughtport.net (ThoughtPort.COM [199.171.224.105]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA19264 for ; Tue, 3 Sep 1996 15:04:25 -0700 (PDT) Received: from jon.cypher-sage.com (tpa-206-41-182-2.ThoughtPort.COM [206.41.182.2]) by thoughtport.thoughtport.net (8.7.5/8.7.3/tpa-mailhost+bbum-hacquage) with SMTP id RAA05984; Tue, 3 Sep 1996 17:03:54 -0500 (CDT) Received: by jon.cypher-sage.com with Microsoft Mail id <01BB99B9.A657EC00@jon.cypher-sage.com>; Tue, 3 Sep 1996 17:02:12 -0500 Message-ID: <01BB99B9.A657EC00@jon.cypher-sage.com> From: Jon Tegethoff To: "'firewalls@GreatCircle.COM'" , "'Frank Willoughby'" Subject: RE: S/key & secureid Date: Tue, 3 Sep 1996 17:02:10 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frank Willoughby said: >Hopefully, the SecurID connection is being used to authenticate internal >users before they go to the Internet and not for incoming connections. 
>
>Using SecurID (or Digital Pathways, S/Key, etc) is *lethal* if you are
>planning on using it to authenticate users from the Internet who wish
>to access a system on your internal network which is protected by the
>firewall. The reason is that the user may have his/her session hijacked
>by an attacker.
>Please note that this is *NOT* a security problem with Gauntlet or any
>other firewall. The problem is relying on authentication-only mechanisms
>for protection. Implementing User->Firewall encryption will help to solve
>this problem.
>
>Again, I strongly advise against using SecurID (or any other authentication-
>only solution) for incoming Internet connections to an internal system.

Since there is a significant reason in many cases to have remote users communicating through a firewall, what do you currently consider the best method with today's technology? My preference is a combination of two-factor authentication (like SecurID or one of the challenge/response cards) used together with an encryption tunnel (like Raptor Eagle's).
Jon Tegethoff

From firewalls-owner Tue Sep 3 16:50:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA01495 for firewalls-outgoing; Tue, 3 Sep 1996 16:09:09 -0700 (PDT) Received: from explorateur.quaternet.fr (nonsense.explorateur.quaternet.fr [194.51.191.161]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA01450 for ; Tue, 3 Sep 1996 16:08:54 -0700 (PDT) From: Ben@explorateur.quaternet.fr Received: from ([193.55.44.106]) by explorateur.quaternet.fr (8.6.12/8.6.9) with SMTP id BAA10037 for Firewalls@GreatCircle.COM; Wed, 4 Sep 1996 01:17:52 +0100 Date: Wed, 4 Sep 1996 01:17:52 +0100 Message-Id: <199609040017.BAA10037@explorateur.quaternet.fr> Apparently-To: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

subscribe me

From firewalls-owner Tue Sep 3 17:13:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10102 for firewalls-outgoing; Tue, 3 Sep 1996 17:01:58 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA10029 for ; Tue, 3 Sep 1996 17:01:34 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id RAA10634; Tue, 3 Sep 1996 17:01:13 -0700 Date: Tue, 3 Sep 1996 17:01:13 -0700 (PDT) From: Robert Hanson To: Rick Smith cc: firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall In-Reply-To: <199609031759.MAA13978@shade.sctc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

what is intended for "strong" protection then? tia...

---> Robert H. Hanson LAN/WAN Consultant - Internet Service Provider Otis Orchards, Wa.
Cutting Edge Communications www.cet.com (509) 927-9541 finger: info@cet.com or email: roberth@cet.com On Tue, 3 Sep 1996, Rick Smith wrote: > If you need strong protection (otherwise, why care about NCSC > evaluations) then you should take a look at the C2 specification and > realize that it's not intended for strong protection. > > Rick. > smith@sctc.com secure computing corporation > From firewalls-owner Tue Sep 3 17:28:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA12163 for firewalls-outgoing; Tue, 3 Sep 1996 17:23:33 -0700 (PDT) Received: from silence.secnet.com (silence.secnet.com [204.191.222.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA12154 for ; Tue, 3 Sep 1996 17:23:24 -0700 (PDT) Received: (from peiterz@localhost) by silence.secnet.com (8.8.Beta.1/secnet) id LAA01415 for firewalls@greatcircle.com; Wed, 4 Sep 1996 11:38:40 -0600 (MDT) Date: Wed, 4 Sep 1996 11:38:40 -0600 (MDT) From: Peiter Z Message-Id: <199609041738.LAA01415@silence.secnet.com> To: firewalls@greatcircle.com Subject: SecurID White Paper Sender: firewalls-owner@GreatCircle.COM Precedence: bulk SecurID Vulnerabilities White-Paper Due to increased recent interest that has been witnessed on the net about the SecurID token cards and potential vulnerabilities with their use, we offer a white paper on some of the vulnerabilities that we believe have been witnessed and/or speculated upon. This paper is being put forth into the public domain by Secure Networks Incorporated and is available at the following URL : ftp://ftp.secnet.com/pub/papers/securid.ps Topics dealt with in the paper include: . Race attacks based upon fixed length responses (still valid even with the current patch) . Denial of Service attacks based upon server patches . Server - Slave separation and replay attacks . Vulnerabilities in the communications with the ACE Server . A quick analysis of the communications with the ACE Server . 
Problems with out-of-band authentication

We hope this paper provides insight, enlightenment, and is helpful to the security community in general.

thanks and enjoy,

Secure Networks Inc.

From firewalls-owner Tue Sep 3 18:19:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA17290 for firewalls-outgoing; Tue, 3 Sep 1996 18:13:12 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA17283 for ; Tue, 3 Sep 1996 18:13:02 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Wed, 4 Sep 96 03:03 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 4 Sep 96 03:03 MET DST Received: by lina id m0uy6Ic-0004kJC (Debian /\oo/\ Smail3.1.29.1 #29.37); Wed, 4 Sep 96 02:58 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: SecurID White Paper To: peiterz@secnet.com (Peiter Z) Date: Wed, 4 Sep 1996 02:58:33 +0200 (MET DST) Cc: firewalls@greatcircle.com In-Reply-To: <199609041738.LAA01415@silence.secnet.com> from "Peiter Z" at Sep 4, 96 11:38:40 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> Topics dealt with in the paper include:
> . Race attacks based upon fixed length responses (still valid even with
> the current patch)
> . Denial of Service attacks based upon server patches
> . Server - Slave separation and replay attacks
> . Vulnerabilities in the communications with the ACE Server
> . A quick analysis of the communications with the ACE Server
> . Problems with out-of-band authentication

What about the Relationship between the Serial Number of a Card (or any other information printed on it) and the Seed of the PNG? How does an Admin announce new Cards to the Ace Server?
Is this a "keep it secret" thing, or is it cryptographically secure?

Greetings
Bernd

From firewalls-owner Tue Sep 3 19:17:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA19971 for firewalls-outgoing; Tue, 3 Sep 1996 19:01:54 -0700 (PDT) Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA19942 for ; Tue, 3 Sep 1996 19:01:44 -0700 (PDT) From: potlicker@morebbs.com Received: by morebbs.com id 0UXLH00B Tue, 03 Sep 96 22:01:09 Message-ID: <9609032201.0UXLH00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Tue, 03 Sep 96 22:01:09 Subject: No toolz at cdm To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Several folks asked for copies of cDm toolz to assist them in their research. Unfortunately we ain't got no toolz any more. During the past year the cDm has fallen on hard times.

First the Dawg of which we are forbidden to speak got involved in some national security stuff. The Naughty Schoolgirls Association (mainly Catholics) had this real slinky Chinese Filipina chick called Belle get the Dawg to set up a multi-media pentium. I told the Dawg "Forget the short skirt and tight white panties. Her goddamn eyebrows and those full red lips are tattooed on." Stupid Dawg wouldn't listen. While he was helping her set up the pentium and running his yap, the bug detector that Father Frank had given him started vibrating in his pocket. The Dawg excused himself to take a piss and disappeared. We haven't seen him since. He logged in remotely and deleted most of our philes. All I was able to recover were a couple of packet sniffers in a hidden directory he forgot about. What a prideful bastard. Hard to believe he founded the church.

Then Father Frank was forced to serve penance for his research into the radio system used to control the subway system.
Finally EyeVynd de Reindeer left us for a real job. EyeVynd is alternately warm and snotty. Takes great pride in writing his own tools and is very reluctant to share them with anyone else. He is also very cagey about giving away copies of anything he pilfered.

I would truly like to help others who are engaged in purely educational research but we just don't have anything left.

PoT_LiCkEr

From firewalls-owner Tue Sep 3 20:16:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA24716 for firewalls-outgoing; Tue, 3 Sep 1996 20:00:20 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA24691 for ; Tue, 3 Sep 1996 20:00:11 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id XAA04413; Tue, 3 Sep 1996 23:05:05 -0500 From: Adam Shostack Message-Id: <199609040405.XAA04413@homeport.org> Subject: Re: SecurID White Paper To: lists@lina.inka.de (Bernd Eckenfels) Date: Tue, 3 Sep 1996 23:05:05 -0500 (EST) Cc: peiterz@secnet.com, firewalls@GreatCircle.COM In-Reply-To: from "Bernd Eckenfels" at Sep 4, 96 02:58:33 am X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Bernd Eckenfels wrote:
| > Topics dealt with in the paper include:
| > . Race attacks based upon fixed length responses (still valid even with
| > the current patch)
| > . Denial of Service attacks based upon server patches
| > . Server - Slave separation and replay attacks
| > . Vulnerabilities in the communications with the ACE Server
| > . A quick analysis of the communications with the ACE Server
| > . Problems with out-of-band authentication
|
| What about the Relationship between the Serial Number of a Card (or any
| other information printed on it) and the Seed of the PNG? How does an Admin

There is none. There are real problems, as Peiter points out. This is not one of them.
| announce new Cards to the Ace Server? Is this a "keep it secret" thing, or
| is it cryptographically secure?

The card records (which include data on the seed) are DES-encrypted, and only sent to the site contact at the appropriate address. I've suggested PGP to them.

Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Wed Sep 4 04:32:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA16338 for firewalls-outgoing; Wed, 4 Sep 1996 04:13:40 -0700 (PDT) Received: from inet1.tek.com (inet1.tek.com [134.62.48.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA16328; Wed, 4 Sep 1996 04:13:28 -0700 (PDT) From: kesavan.p.nair@bangate1.tek.com Received: by inet1.tek.com id ; Wed, 4 Sep 1996 04:13:04 -0700 Received: from bangate.tek.com(128.181.153.52) by inet1 via smap (V1.3) id sma042263; Wed Sep 4 04:12:37 1996 Received: by bangate2.tek.com with VINES-ISMTP; Wed, 4 Sep 96 4:13:13 PDT Date: Tue, 3 Sep 96 15:39:52 IST Message-Id: X-Priority: 3 (Normal) To: , Subject: Queries on HTTP server and firewalls Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Please go through the attachment enclosed and answer my queries.

Regards
Kesavan P Nair

We are developing some Internet-based secured application which should work across firewalls in a secured manner. I need some information on firewalls and the general structure of how an HTTP server sits in terms of the firewall.
In the following diagrams I have shown 2 firewall scenarios which I believe are the most common. I have put down my earlier queries here once again. Please forward your comments.

CASE A

                     +----------+                +-----+
                     |          |                |SMTP |       +----+
-----SMTP request--->|Firewall  |--------------->|Relay|-----| |    |
                     |Gateway   |                |Host |    |--->|    |
                     |          |                +-----+       | A  |
                     |          |                +-----+    |--->|    |
-----HTTP request--->|          |--------------->|HTTP |-----| |    |
                     +----------+                |Host |       +----+
                                                 | to  |
                                                 |world|
                                                 +-----+

CASE B

                     +----------+                +-----+
                     |          |                |SMTP |       +----+
-----SMTP request--->|Firewall  |--------------->|Relay|-----| |    |
                     |Gateway   |                |Host |    |--->|    |
            +-----+  |          |                +-----+       | A  |
            |HTTP |  |          |                           |--->|    |
--HTTP req->|Host |->|          |----------------------------| |    |
            |to   |  +----------+                              +----+
            |World|
            +-----+

Case A: The HTTP host to the world is inside; the firewall makes sure that HTTP requests from outside are acceptable only to "HTTP Host to World".

Case B: The HTTP host is outside the firewall, but the "HTTP Host to world" can access the resources of A which is inside the firewall.

In both cases the SMTP request to host A will be fulfilled (by store and forward). In the case of the HTTP request, I have shown the HTTP request being forwarded to A; please interpret this as a request for resources from A by the HTTP host to answer the external HTTP host's request. I am sure that enough verification + authentication can be done by this HTTP host before fulfilling the external HTTP request (whenever there is a need for resources from inside the network).

My query is: how many of you out there have seen one of these setups where the HTTP request from outside could be fulfilled by accessing A's resources, and what are your comments on the feasibility of these setups?

Please forward your comments to kesavan.p.nair@tek.com

My address
Kesavan P Nair
Tektronix(India)Ltd
Tek Towers
Hayes Road
Bangalore - 25
India.
Tel +91 80 227 5577 Fax +91 80 227 5588

From firewalls-owner Wed Sep 4 05:29:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA19450 for firewalls-outgoing; Wed, 4 Sep 1996 05:27:39 -0700 (PDT) Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA19392 for ; Wed, 4 Sep 1996 05:26:58 -0700 (PDT) Received: from localhost by nebula.online.ee (5.x/SMI-4.1) id AA24942; Wed, 4 Sep 1996 15:26:08 +0300 Organization: MicroLink OnLine Date: Wed, 4 Sep 1996 15:26:07 +0300 (EET DST) From: Jüri Kaljundi X-Sender: jk@nebula To: Firewalls@GreatCircle.COM Subject: RE: S/key & secureid In-Reply-To: <199609040800.BAA07209@miles.greatcircle.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From: Jon Tegethoff
> >
> >Again, I strongly advise against using SecurID (or any other authentication-
> >only solution) for incoming Internet connections to an internal system.
>
> Since there is a significant reason in many cases to have remote users
> communicating through a firewall, what do you currently consider the best
> method with todays technology. My preference is a combination of two factor
> authentication (like SecurID or one of the challenge/response cards) used
> together with an encryption tunnel like Raptor Eagle's).

SSH and F-Secure products are quite good for secure login. SSH forms a secure tunnel between the remote user and unix host, and SSH does support SecurID tokens for authentication. It does mean you probably should allow incoming SSH connections (tcp port 22) and run SSH daemon on the unix machine.
The best part is that SSH does not use some weak breakable US-export encryption, but strong IDEA or 3DES.

Have a look at http://www.ssh.fi/ or http://www.datafellows.com/f-secure/

Jüri Kaljundi
AS Stallion
jk@stallion.ee

From firewalls-owner Wed Sep 4 07:29:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25395 for firewalls-outgoing; Wed, 4 Sep 1996 07:18:20 -0700 (PDT) Received: from hermes.cu-online.com (hermes.cu-online.com [205.198.248.82]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA25383 for ; Wed, 4 Sep 1996 07:18:14 -0700 (PDT) Received: from argus.cu-online.com (argus.cu-online.com [205.198.248.112]) by hermes.cu-online.com (8.7.5/8.7.5-cuo-s6) with SMTP id JAA16929 for ; Wed, 4 Sep 1996 09:28:56 -0500 (CDT) Received: by argus.cu-online.com (SMI-8.6/SMI-SVR4) id JAA13446; Wed, 4 Sep 1996 09:22:06 -0500 Date: Wed, 4 Sep 1996 09:22:06 -0500 From: mcnabb@argus.cu-online.com (Paul McNabb) Message-Id: <199609041422.JAA13446@argus.cu-online.com> To: firewalls@GreatCircle.COM Subject: RE: Subject: C2 certified OS that can run a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Is there any OS out there that are C2 (not A1 or B2 or anything else, just
> C2) certified that can run a firewall with the C2 "stamp" applied?

Argus has a certified C2 version of Solaris for both x86 and SPARC.

paul
------------------------------------------------------------
Paul McNabb mcnabb@argus.cu-online.com Argus Systems Group, Inc.
TEL 217-384-6300 1405A East Florida Avenue FAX 217-384-6404 Urbana, IL 61801 USA ------------------------------------------------------------ From firewalls-owner Wed Sep 4 07:43:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25803 for firewalls-outgoing; Wed, 4 Sep 1996 07:32:29 -0700 (PDT) Received: from hermes.cu-online.com (hermes.cu-online.com [205.198.248.82]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA25796 for ; Wed, 4 Sep 1996 07:32:23 -0700 (PDT) Received: from argus.cu-online.com (argus.cu-online.com [205.198.248.112]) by hermes.cu-online.com (8.7.5/8.7.5-cuo-s6) with SMTP id JAA17116 for ; Wed, 4 Sep 1996 09:43:05 -0500 (CDT) Received: by argus.cu-online.com (SMI-8.6/SMI-SVR4) id JAA13457; Wed, 4 Sep 1996 09:36:14 -0500 Date: Wed, 4 Sep 1996 09:36:14 -0500 From: mcnabb@argus.cu-online.com (Paul McNabb) Message-Id: <199609041436.JAA13457@argus.cu-online.com> To: firewalls@GreatCircle.com Subject: Re: C2 certified OS that can run a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Tue, 3 Sep 1996 17:01:13 -0700 (PDT) > From: Robert Hanson > > what is intended for "strong" protection then? tia... About 5 years ago I wrote a short paper entitled "The Myths of C2" which discussed the misconception about what C2 really is. I'll dig it up and post it if anyone wants it. The bottom line is that C2 is designed for one of these two environments: 1) a hardened, restricted environment where everyone on the system or connected to the system is authorized to see all information on the system, such as at a military site, or 2) the system and its information is sufficiently unimportant so that the users are trusted to decide who gets access to what. Of course C2 security is better than no security, but C2 was never "designed for commercial use" as is sometimes written in articles and email. 
If you are in an environment where the system administrators want to *enforce* security on the users, B1 and higher security features are needed. But remember, none of the TCSEC ("Orange Book") security levels were designed for anything other than military/government use. It just happens that a lot of the security they specify is general- purpose and works well in all kinds of environments. paul ------------------------------------------------------------ Paul McNabb mcnabb@argus.cu-online.com Argus Systems Group, Inc. TEL 217-384-6300 1405A East Florida Avenue FAX 217-384-6404 Urbana, IL 61801 USA ------------------------------------------------------------ From firewalls-owner Wed Sep 4 07:58:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26243 for firewalls-outgoing; Wed, 4 Sep 1996 07:46:15 -0700 (PDT) Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA26233 for ; Wed, 4 Sep 1996 07:45:56 -0700 (PDT) Received: by intfw.bear.com (4.1/SMI-4.1) id AA22490; Wed, 4 Sep 96 10:45:36 EDT Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma021718; Wed Sep 4 10:41:45 1996 Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA14291; Wed, 4 Sep 96 10:44:06 EDT Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA16141; Wed, 4 Sep 96 10:42:36 EDT Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id KAA11852; Wed, 4 Sep 1996 10:41:50 -0400 Received: from neptune.bsnet by wizard.bsnet (SMI-8.6/SMI-SVR4) id KAA16732; Wed, 4 Sep 1996 10:41:50 -0400 Received: by neptune.bsnet (SMI-8.6/SMI-SVR4) id KAA06430; Wed, 4 Sep 1996 10:41:49 -0400 Date: Wed, 4 Sep 1996 10:41:49 -0400 From: sj@bear.com (Shahryar Jahangir) Message-Id: <199609041441.KAA06430@neptune.bsnet> To: manderse@mordor@syseng.fbc.com Subject: Re: Firewalls-Digest: Re: Firewall-1 Logs 
Cc: firewalls-digest@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: jnja0P9qs8ARdTBUO7IP7g== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Mike, I don't have a PC connection as you mentioned. However, my logs are backed-up to various media. If I ever needed to check the integrity of my logs, I can compare them to any/all of my saved copies. sj ->From manderse@mordor@syseng.fbc.com Wed Sep 4 10:35:46 1996 :->From: "Mike Andersen" :->Date: Wed, 4 Sep 1996 09:38:04 -0400 :->To: sj@bear.com :->Subject: Firewalls-Digest: Re: Firewall-1 Logs :->Mime-Version: 1.0 :-> :->Hi Shahryar - :-> :->I see from your response to Jim that you keep a month of logs for your :->firewall. :->Though you don't mention it I assume that you also safe store the logs (say on :->a PC connected via a serial line) so that when you get compromised you have an :->clean log to go against? :-> :->Mike (CS Firstboston 212-322-1743) ........................................... Shahryar Jahangir Information Services Bear Stearns & Co. Inc. 245 Park Avenue New York, NY 10167 email: sj@bear.com Tele: 212 272 7764 Fax : 212 499 6977 ........................................... -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. 
*******************************************************************************

From firewalls-owner Wed Sep 4 09:18:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02901 for firewalls-outgoing; Wed, 4 Sep 1996 09:08:00 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA02883 for ; Wed, 4 Sep 1996 09:07:47 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA12446; Wed, 4 Sep 1996 09:08:46 -0700 Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA27971; Wed, 4 Sep 96 09:07:12 PDT Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA01481; Wed, 4 Sep 1996 09:07:08 -0700 Message-Id: <9609041607.AA01481@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id D1AB4D96C27F73E08825639B00586F71; Wed, 4 Sep 96 09:07:07 EDT To: "Wojno Jim" Cc: "'firewalls@greatcircle.com'" From: Ryan Russell/SYBASE Date: 4 Sep 96 9:06:36 EDT Subject: Re: Firewall-1 Logs X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have a very similar setup. Running FW1 2.1, I'm getting up to 100MB of logs per day (logging accepts and drops).

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: jwojn @ telxon.com ("Wojno, Jim") @ smtp
Date: 09/03/96 11:44:02 AM
Subject: Firewall-1 Logs

To All:

We are in the process of determining how much disk space we will require for a Firewall-1 unit. We will be using a SPARC-20, and currently have about 400 to 500 active Internet users. We would like to keep at least one month worth of logging data on-line. Approximately how much disk space would you recommend we have available to accommodate this. Any input on this would be appreciated.
If this topic has already been discussed, please feel free to contact me directly off-list. Jim Wojno Systems Administrator Telxon Corporation jwojn@telxon.com From firewalls-owner Wed Sep 4 10:28:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08073 for firewalls-outgoing; Wed, 4 Sep 1996 10:21:09 -0700 (PDT) Received: from tuna.wang.com (TUNA.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA08066 for ; Wed, 4 Sep 1996 10:21:03 -0700 (PDT) Received: from mars.wangfed.com (mars.Wangfed.COM [159.94.10.1]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id NAA06410 for ; Wed, 4 Sep 1996 13:20:48 -0400 Received: from uc0009.wangfed.com (uc0009 [159.94.10.15]) by mars.wangfed.com (8.7.5/3.8) with SMTP for delivery to "" id NAA28921; Wed, 4 Sep 1996 13:26:35 -0400 (EDT) Received: from [159.94.14.48] by uc0009.wangfed.com (BULL 5.61++/B.O.S 02.01) id AA27435; Wed, 4 Sep 96 13:13:43 -0400 Date: Wed, 4 Sep 96 13:13:43 -0400 Message-Id: <9609041713.AA27435@uc0009.wangfed.com> From: "Wang Federal SSSO" Reply-To: "Wang Federal SSSO" To: firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <199609041436.JAA13457@argus.cu-online.com> Paul McNabb writes: > But remember, none of the TCSEC ("Orange Book") security > levels were designed for anything other than military/government use. > It just happens that a lot of the security they specify is general- > purpose and works well in all kinds of environments. I guess that's what's meant by "technology transfer". But then, NASA didn't invent Velcro for commercial use either. ===== K.M. GOERTZEL Manager, Business Development Secure Systems and Services Operation WANG FEDERAL, Inc. 
7900 Westpark Drive - MS 700
McLean, VA 22102-4299 USA
+1-703-827 3914
+1-703-827 3161 (fax)
goertzek@wangfed.com
http://www.wangfed.com/products/ssso/homepage.html
***
"The true artist has no pride, for he realizes art's demands are limitless, and though he may be admired or praised by others, he sees only darkly how far he is from his goal, when a greater inspiration shall shine before him like a distant sun." -- Ludwig van Beethoven

From firewalls-owner Wed Sep 4 10:43:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08394 for firewalls-outgoing; Wed, 4 Sep 1996 10:27:37 -0700 (PDT)
Received: from tuna.wang.com (TUNA.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA08385 for ; Wed, 4 Sep 1996 10:27:30 -0700 (PDT)
Received: from mars.wangfed.com (mars.Wangfed.COM [159.94.10.1]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id NAA06554 for ; Wed, 4 Sep 1996 13:27:17 -0400
Received: from uc0009.wangfed.com (uc0009 [159.94.10.15]) by mars.wangfed.com (8.7.5/3.8) with SMTP for delivery to "" id NAA28970; Wed, 4 Sep 1996 13:33:04 -0400 (EDT)
Received: from [159.94.14.48] by uc0009.wangfed.com (BULL 5.61++/B.O.S 02.01) id AA27491; Wed, 4 Sep 96 13:20:12 -0400
Date: Wed, 4 Sep 96 13:20:12 -0400
Message-Id: <9609041720.AA27491@uc0009.wangfed.com>
From: "Wang Federal SSSO"
Reply-To: "Wang Federal SSSO"
To: firewalls@GreatCircle.COM
Subject: Desperately Seeking CyberGuard and Norman Users
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd very much like to hear from anyone who has had hands-on experience with the CyberGuard or Norman firewall - either users or evaluators. Please e-mail me directly.

K.M. GOERTZEL                          |*| Manager, Business Development
Secure Systems and Services Operation  |*| WANG FEDERAL, Inc.
7900 Westpark Drive - MS 700           |*| McLean, VA 22102-4299 USA
+1-703-827 3914                        |*| +1-703-827 3161 (fax)
| goertzek@wangfed.com  http://www.wangfed.com/products/ssso/homepage.html
***

From firewalls-owner Wed Sep 4 11:43:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA14758 for firewalls-outgoing; Wed, 4 Sep 1996 11:41:16 -0700 (PDT)
Received: from iron.octet.com (iron.octet.com [204.141.97.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA14751 for ; Wed, 4 Sep 1996 11:41:08 -0700 (PDT)
Received: from dialup213.octet.com (dialup213.octet.com [204.141.97.213]) by iron.octet.com (8.7.5/8.7.3) with SMTP id OAA25666; Wed, 4 Sep 1996 14:39:37 -0400 (EDT)
Date: Wed, 4 Sep 1996 14:39:37 -0400 (EDT)
Message-Id: <199609041839.OAA25666@iron.octet.com>
X-Sender: runnerfx@octet.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: potlicker@morebbs.com, firewalls@GreatCircle.COM
From: runnerfx@octet.com (Wearen Life)
Subject: Re: No toolz at cdm
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Pot_licker you do know your eleet right? =)

At 10:01 PM 9/3/96, potlicker@morebbs.com wrote:
>
>Several folks asked for copies of cDm toolz to assist them in their research.
>Unfortunately we ain't got no toolz any more. During the past year the cDm
>has fallen on hard times.
>
>First the Dawg of which we are forbidden to speak got involved in some
>national security stuff. The Naughty Schoolgirls Association (mainly
>Catholics) had this real slinky Chinese Filipina chick called Belle get
>the Dawg to set up a multi-media pentium.
>I told the Dawg "Forget the short
>skirt and tight white panties. Her godamn eyebrows and those full red lips
>are tattooed on." Stupid Dawg wouldn't listen. While he was helping her
>set up the pentium and running his yap, the bug detector that Father Frank
>had given him started vibrating in his pocket. The Dawg excused himself to
>take a piss and disappeared. We haven't seen him since. He logged in
>remotely and deleted most of our philes. All I was able to recover were a
>couple of packet sniffers in a hidden directory he forgot about. What a
>prideful bastard. Hard to believe he founded the church.
>
>Then Father Frank was forced to serve penance for his research into the
>radio system used to control the subway system.
>
>Finally EyeVynd de Reindeer left us for a real job. EyeVynd is alternately
>warm and snotty. Takes great pride in writing his own tools and is very
>reluctant to share them with anyone else. He is also very cagey about
>giving away copies of anything he pilfered.
>
>I would truly like to help others who are engaged in purely educational
>research but we just don't have anything left.
>
> PoT_LiCkEr
>

From firewalls-owner Wed Sep 4 12:16:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA16749 for firewalls-outgoing; Wed, 4 Sep 1996 12:05:22 -0700 (PDT)
Received: from emh7.monroe.army.mil (emh7.monroe.army.mil [150.184.22.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA16704 for ; Wed, 4 Sep 1996 12:05:08 -0700 (PDT)
X-Nvlenv-01Date-Posted: 4-Sep-1996 15:02:00 -0400; at NGM.JWC
To: firewalls@greatcircle.com
Message-Id:
Subject: Dialin
From: HARRELLJ@emh7.monroe.army.mil (Harrell, Mr Jonathan)
Date: 04 Sep 96 15:03:26 EDT
In-Reply-To: <04742D3201E43A7C@-SMF->
References: <04742D3202E43A7C@-SMF->
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are currently integrating an application-based (proxy) firewall into our Novell/IPX and SUN/IP LAN.
Our current dialin capability is through a Cubix dialin server (ReachOut software) acting as a workstation on the LAN, and it only passes screen, keyboard, and cursor movement to our remote PC. We then attach to one of our Novell servers (by IPX---our IP id statically given to the workstation by lanworkgroups). The management would like to put our current dialin hardware outside of the firewall and use Fortezza cards {yes, DMS :-( } for authentication.

Problems I see:
1) Firewall can't see the remote authentication token without seeing the remote computer that is dialing in with the current hardware.
2) Cubix computers now talk IPX (not IP).

So what is a standard architecture/configuration for dialin outside of firewalls using authentication? It has to be simple---what am I missing? All ISPs do it, don't they? Would it be better to put a SUN outside of the firewall for dialin, and then just FTP in to get files and/or forward email from the inside server? All opinions are helpful.

Here's what I'm thinking:

                Dialin Server
                      |
router-------------Firewall----Internal LAN
                      |
                  WEB Server

Thanks..
V/R,
Jonathan Harrell

From firewalls-owner Wed Sep 4 12:45:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA18591 for firewalls-outgoing; Wed, 4 Sep 1996 12:31:13 -0700 (PDT)
Received: from rasputin (dreco.com [205.241.119.161]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA18563 for ; Wed, 4 Sep 1996 12:31:01 -0700 (PDT)
Received: from [205.241.113.9] by rasputin via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 23 May 1996 19:31:33 UT
Received: by srvex01u.dreco.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BB9A6D.1098E930@srvex01u.dreco.com>; Wed, 4 Sep 1996 14:26:30 -0500
Message-ID:
X-MS-TNEF-Correlator:
From: David Kimball
To: "'Firewalls@GreatCircle.COM'"
Cc: "'Bill Stout'"
Subject: RE: NT port activity list
Date: Wed, 4 Sep 1996 14:26:29 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BB9A6D.10A08A50"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------ =_NextPart_000_01BB9A6D.10A08A50
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I know I go stupid from time to time. However, I was under the impression that all the ports open on a shrink-wrapped NT box was everything that is listed in the services phile in the /drivers/etc dir. No, nix that. Rather they are alternately open/not open depending on the actual services/software installed. Am I missing something here?

David Kimball                   wk 713.965.9122
Systems Administration          fx 713.341.9581
NT/Exchange/SMS/Blah/Blah/Blah
Dreco, Inc.
Tomorrow, tomorrow, tomorrow...creeps this petty pace.
From now till the end of time.....
----------
From: Bill Stout[SMTP:bill.stout@hidata.com]
Sent: Tuesday, September 03, 1996 11:42 AM
To: Firewalls@GreatCircle.COM
Subject: Re: NT port activity list

I started this thread out of interest in NT Firewalls and Webservers. Let me know if this is too unrelated and I will take this elsewhere.

Amazing what you learn by reading. Windows NT Resource Kit 3.51, Windows NT Networking - Part III 'TCP/IP'. I haven't completed a Satan scan against an NT system yet, but this is what I got so far. Also much of the system-level communication is still a mystery; logon process, etc (RPC?).

NT TCP/IP is divided into the following separate categories;
· 'Core protocols' - TCP, IP, UDP, ARP, ICMP, PPP and SLIP.
· API support - Windows Sockets v1.1, RPC, NetBIOS, and Network DDE.
· Basic TCP/IP utilities - finger, ftp, lpr, rcp, rexec, rsh, telnet, and tftp.
· Diagnostic tools - arp, hostname, ipconfig, lpq, nbtstat, netstat, ping, route, and tracert.
· Services and Administration tools - FTP Server, WINS, DHCP, and TCP/IP Printing.
· SNMP agent
· Client software for 'Simple network protocols' - chargen, daytime, discard, echo, quotd.
· Path MTU discovery - discovers datagram size for all routers between Windows NT computer and any system on a WAN.
  (RFC 1191)
· IGMP - Internet Gateway Multicast Protocol

The following is a partial list of available IP network ports in NT:

Port  Name         Description                                             RFC
1     icmp         Internet Control Message Protocol                       792
2     igmp         Internet Group Management Protocol                      1112
7     echo         Ping                                                    862
9     discard      Discard (sink null)                                     863
13    daytime      Daytime                                                 867
15    netstat      Network Statistics
17    quotd        Quote of the Day (\winnt\system32\drivers\etc\quotes)   865
19    chargen      Character Generator                                     864
20    ftp-data     File Transfer Protocol (Data)                           959
21    ftp          File Transfer Protocol (Control)                        959
23    telnet       Telnet                                                  854
53    domain       Domain Name Service                                     1034,1035
69    tftp         Trivial File Transfer Protocol; used by Bootp, DHCP     783,1534,1541
79    finger       Finger                                                  1194
137   netbios_ns   NetBIOS Name Service; typically UDP. Also used by       1001,1002
                   'nbtstat' Node Status Request
138   netbios_dgm  NetBIOS Datagram Service                                1001,1002
139   netbios_ssn  NetBIOS Session Service                                 1001,1002
161   snmp         SNMP Messages                                           1157
162   snmptrap     SNMP Traps                                              1157
530   courier      RPC
515   printer      LPD Spooler                                             1179

Other installed services:
775   sms_db
777   sms_update
1433  tds          Tabular Data Stream DB-library SQLserver

Please edit this list if you have more data (ISS, Raptor, MS?).
Bill Stout
_______________________________________________________________________________
Senior Systems Admin   NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems   408-970-4822
--- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

------ =_NextPart_000_01BB9A6D.10A08A50
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64
------ =_NextPart_000_01BB9A6D.10A08A50--

From firewalls-owner Wed Sep 4 13:00:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA20050 for firewalls-outgoing; Wed, 4 Sep 1996 12:51:21 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu
[141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA19434 for ; Wed, 4 Sep 1996 12:50:35 -0700 (PDT)
Message-Id: <199609041950.MAA19434@miles.greatcircle.com>
Received: by hp01.vak12ed.edu (1.37.109.18/16.2) id AA084436250; Wed, 4 Sep 1996 15:44:10 -0400
From: "W.C. Epperson"
Subject: Re: Blocking non-http
To: firewalls@greatcircle.com
Date: Wed, 04 Sep 1996 15:44:10 EDT
Reply-To: epperson@vak12ed.edu
X-Mailer: Elm [revision: 109.18]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ is alleged to have said:
> HTTP is not a transport protocol, IP is, and your statement
> proves that you see HTTP as a transport protocol. HTTP doesn't have any
> mechanisms to deal with differentiating traffic types as IP does.

Well. Most of us were laboring under the misconception, induced by RFC1812, et al., that IP was a network protocol and tcp/udp were transport protocols....

--
W.C. Epperson                   "...above all, to have the meaning of a word
Senior SE                        clearly understood before using it...."
Information Security Officer             --John Stuart Mill--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept.
of Education
epperson@pen.k12.va.us

From firewalls-owner Wed Sep 4 14:15:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27022 for firewalls-outgoing; Wed, 4 Sep 1996 14:06:42 -0700 (PDT)
Received: from rock.anchorage.net (rock.anchorage.net [204.17.241.163]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA26987 for ; Wed, 4 Sep 1996 14:06:15 -0700 (PDT)
Received: from jabpc.jabsoft.com (jabpc.jabsoft.com [199.237.0.200]) by rock.anchorage.net (8.6.12/8.6.9) with SMTP id NAA00928 for ; Wed, 4 Sep 1996 13:01:07 -0300
Received: by jabpc.jabsoft.com with Microsoft Mail id <01BB9A61.C8546560@jabpc.jabsoft.com>; Wed, 4 Sep 1996 13:05:44 -0800
Message-ID: <01BB9A61.C8546560@jabpc.jabsoft.com>
From: Jeffrey Barber
To: "'firewalls@GreatCircle.COM'"
Subject: IP Masquerading
Date: Wed, 4 Sep 1996 13:05:42 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All,

I am a Windows and Linux user. With Linux I can configure it to do IP Masquerading. This allows me to have multiple computers on my local net access the internet thru 1 internet connection with only 1 valid IP address. What happens is the Linux computer changes the source address to that of the valid IP address and when the response comes back, Linux then passes the data back to the requesting local computer. This process is not using any proxies and I have full TCP/IP capability from all local computers. I guess this may be what some call IP Spoofing. This process is very useful, for we all heard that there may be a shortage of IP addresses. This will solve the problem or at least cut down on the requests for additional addresses from the NIC.

My question is, can NT 3.51 or NT 4.0 be configured to do the same thing, possibly using some kind of firewall software? Also, can it be done without using proxies?
The IP Masquerading process is part of the Linux kernel and I am hoping that a kernel modification can be done to NT if this process is not already there. This can be a HUGE Plus for NT if Microsoft can do it.

TIA
jab@rock.anchorage.net
System Administrator

From firewalls-owner Wed Sep 4 14:28:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA26744 for firewalls-outgoing; Wed, 4 Sep 1996 14:02:00 -0700 (PDT)
Received: from relay4.smtp.psi.net (relay4.smtp.psi.net [38.9.52.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA26737 for ; Wed, 4 Sep 1996 14:01:52 -0700 (PDT)
Received: from bscgnj.com by relay4.smtp.psi.net (8.7.5/SMI-5.4-PSI) id RAA23109; Wed, 4 Sep 1996 17:01:22 -0400 (EDT)
Received: from BSCG_NJ/SpoolDir by bscgnj.com (Mercury 1.21); 4 Sep 96 17:01:28 -0500
Received: from SpoolDir by BSCG_NJ (Mercury 1.30); 4 Sep 96 17:01:10 -0500
From: "Stefan Kwiatkowski"
Organization: Bay State Computer Group of NJ
To: firewalls@greatcircle.com
Date: Wed, 4 Sep 1996 17:01:07 EDT
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Firewalls and Dial-in
CC: steved@bscg.com, bobp@bscg.com
X-mailer: Pegasus Mail for Windows (v2.33)
Message-ID: <1FA38A5FC7@bscgnj.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been probing around to find out if a Shiva LanRover (dial-in/out server) can be situated outside of a firewall while still maintaining full functionality for internal users. So far, the answer seems to be yes. Our helpful Shiva rep pointed out that the LanRover can use a UDP port for access over a network, providing Comm redirection for internal Windows users.

                               |...t
NETWORK---Firewall-----LanRover/E
                               |...e
                               |...l
                               |...c
                               |...o

Shiva typically depicts the Dial-in/out solution with a LanRover placed INSIDE the firewall. But...
I know that the LanRover is fairly secure, yet I am using an illegitimate class B address, and wish to maintain eventual address anonymity on the Internet (using the firewall as an IP translator with Dual DNS, when we get there). Using Raptor Eagle for my firewall, I will be able to allow for UDP port access so that internal users can get to the Shiva LanRover, and thereby map a COM port and dial out. Dialing in should be no problem since the LanRover has its own IP address (legitimate class C BTW) and can be granted access by the firewall.

Experiences? Near-Death encounters? Comments and Contributions gratefully accepted.

From firewalls-owner Wed Sep 4 15:04:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA29288 for firewalls-outgoing; Wed, 4 Sep 1996 14:48:32 -0700 (PDT)
Received: from apu.connectix.com (apu.connectix.com [204.247.159.242]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA29254 for ; Wed, 4 Sep 1996 14:48:21 -0700 (PDT)
Received: from [204.118.199.198] (snowball.connectix.com [204.118.199.198]) by apu.connectix.com (8.7.5/8.6.9) with SMTP id OAA03480 for ; Wed, 4 Sep 1996 14:48:42 -0700
Date: Wed, 4 Sep 1996 14:48:42 -0700
Message-Id: <199609042148.OAA03480@apu.connectix.com>
Subject: Protocol probes
From: Rob Sansom
To:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For the past few days, I have been getting these in my logs:

denied 5 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 6 packets
denied 2 141.2.28.188 -> 204.247.159.244, 2 packets
denied 10 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 3 packets
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 15 141.2.28.160 -> 204.247.159.244, 1 packet
denied 0 141.2.28.160 -> 204.247.159.244, 1 packet
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 13 141.2.28.160 -> 204.247.159.244, 1 packet

After a bit of research, I have decided that this is a protocol probe. If I read RFC 1700 right:

 0  Reserved                                   [JBP]
 1  ICMP         Internet Control Message      [RFC792,JBP]
 2  IGMP         Internet Group Management     [RFC1112,JBP]
 3  GGP          Gateway-to-Gateway            [RFC823,MB]
 4  IP           IP in IP (encapsulation)      [JBP]
 5  ST           Stream                        [RFC1190,IEN119,JWF]
 6  TCP          Transmission Control          [RFC793,JBP]
 7  UCL          UCL                           [PK]
 8  EGP          Exterior Gateway Protocol     [RFC888,DLM1]
 9  IGP          any private interior gateway  [JBP]
10  BBN-RCC-MON  BBN RCC Monitoring            [SGC]
11  NVP-II       Network Voice Protocol        [RFC741,SC3]
12  PUP          PUP                           [PUP,XEROX]
13  ARGUS        ARGUS                         [RWS4]
14  EMCON        EMCON                         [BN7]
15  XNET         Cross Net Debugger            [IEN158,JFH2]
16  CHAOS        Chaos                         [NC3]

Someone is trying to see what sort of protocols might get past my router. Am I totally off base? Has anyone had experience with this before?

Here are some more goodies:

141.2.28.188 = dialin188.rz.uni-frankfurt.de
141.2.28.160 = dialin160.rz.uni-frankfurt.de
204.247.159.244 = www.connectix.com

I see no reason (other than foul play) why terminal servers would want to send this stuff to our web server. What's ARGUS anyway?

Thanks in advance,
Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Wed Sep 4 17:44:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA07632 for firewalls-outgoing; Wed, 4 Sep 1996 17:31:29 -0700 (PDT)
Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA07625 for ; Wed, 4 Sep 1996 17:31:21 -0700 (PDT)
Received: by apu.rcp.net.pe via sendmail with stdio id for Firewalls@GreatCircle.COM; Wed, 4 Sep 96 19:29:07 -0400 (WET DST)
Message-Id:
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: Firewall for NT
To: Firewalls@GreatCircle.COM
Date: Wed, 4 Sep 1996 19:29:07 -0400 (EDT)
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I am looking for any recommendation you can send me about the best *proved* firewall there can be for Windows NT. We have to use a Windows NT server as a firewall for some Micro$oft-based subsystem, and I would like to just receive some recommendations from you guys out there who have already dealt with some firewall on NT. I would prefer to receive all the mails at my personal email address, and if the list is interested, I can summarize the results of my request for the best featured firewall for NT after ten days.
Enrique Vadillo-
--
R&D at RCP - Internet Peru
Fax: +51 1 241-1320
Phone: +51 1 241-5688
Web Site: http://www.rcp.net.pe (PERU)
Mirror Web Site: http://ekeko.rcp.net.pe (USA)

From firewalls-owner Wed Sep 4 17:59:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08164 for firewalls-outgoing; Wed, 4 Sep 1996 17:48:24 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08156 for ; Wed, 4 Sep 1996 17:48:18 -0700 (PDT)
Received: by hidata.com; id AA01693; Wed, 4 Sep 96 17:48:05 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma001684; Wed, 4 Sep 96 17:47:41 -0700
Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id RAA03136; Wed, 4 Sep 1996 17:47:39 -0700
Message-Id: <2.2.32.19960905004537.0070a460@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 04 Sep 1996 17:45:37 -0700
To: Jeffrey Barber , "'firewalls@GreatCircle.COM'"
From: Bill Stout
Subject: Re: IP Masquerading
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think that's what a proxy's for. See Catapult.

At 01:05 PM 9/4/96 -0800, Jeffrey Barber wrote:
>Hello All,
> I am a Windows and Linux user. With Linux I can configure it to do IP Masquerading. This allows me to have multiple computers on my local net access the internet thru 1 internet connection with only 1 valid IP address. What happens is the Linux computer changes the source address to that of the valid IP address and when the response comes back, Linux then passes the data back to the requesting local computer. This process is not using any proxies and I have full TCP/IP capability from all local computers. I guess this may be what some call IP Spoofing. This process is very useful, for we all heard that there may be a shortage of IP addresses.
>This will solve the problem or at least cut down on the requests for additional addresses from the NIC.
>
>My question is, can NT 3.51 or NT 4.0 be configured to do the same thing, possibly using some kind of firewall software. Also can it be done without using proxies. The IP Masquerading process is part of the Linux kernel and I am hoping that a kernel modification can be done to NT if this process is not already there. This can be a HUGE Plus for NT if Microsoft can do it.
>
>TIA
>jab@rock.anchorage.net
>System Administrator
>

From firewalls-owner Wed Sep 4 18:13:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08091 for firewalls-outgoing; Wed, 4 Sep 1996 17:45:37 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08075 for ; Wed, 4 Sep 1996 17:45:19 -0700 (PDT)
Received: by hidata.com; id AA01667; Wed, 4 Sep 96 17:45:05 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma001665; Wed, 4 Sep 96 17:44:52 -0700
Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id RAA03130; Wed, 4 Sep 1996 17:44:51 -0700
Message-Id: <2.2.32.19960905004249.006f0b14@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 04 Sep 1996 17:42:49 -0700
To: David Kimball , "'Firewalls@GreatCircle.COM'"
From: Bill Stout
Subject: RE: NT port activity list
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm thinking to myself as I type this, so excuse the verbosity. Betcha I sector fault more often than you.

Some services are 'open' automatically, like a rumoured SMB 'back door' that SMS and other services use, and tftp (DHCP), etc.
Other services are not obvious, and a list of what is and isn't obvious doesn't exist in NT (1st step of security: know what doors are there, then which are open). UNIX has the /etc/inetd.conf file and the 'netstat -a' command to control and audit open ports. Simple and clean-cut. With NT you need to grep through the Registry via various Control Panel utilities or regedit32, and 'netstat -a' lists client side ports only. Seems complex and obscure.

NT's TCP/IP (4-Transport) talks up to Services (6-Presentation) via NETBIOS (5-Session), but TCP/IP also talks to WinSock Apps, and the User shell/Program Manager (7-Application) through NETBIOS. I don't know what else lurks in the kernel besides services, and listens to the stack. Which is why I ask.

Maybe that's why UNIX folk dislike NT Network Security: it's much harder to find what doors are open in NT, and to control them with confidence.

Bill

At 02:26 PM 9/4/96 -0500, David Kimball wrote:
>I know I go stupid from time to time. However, I was under the
>impression that all the ports open on a shrink-wrapped NT box was
>everything that is listed in the services phile in the /drivers/etc
>dir. No, nix that. Rather they are alternately open/not open depending
>on the actual services/software installed. Am I missing something
>here?
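The port inventory Bill Stout posted earlier in this thread and the "know what doors are there, then which are open" point above both come down to one routine check: compare what a host is actually bound to against what the administrator expects. The following is an added example (not code from the thread or from any of the products named in it): it parses constructed `netstat -an`-style output in the NT layout, names ports using the list from the thread, and reports bound ports missing from a baseline; the baseline and the sample output are assumptions made up for the example.

```python
"""Audit a host's bound ports against a known-good baseline.

Added example, not code from the firewalls list thread. The sample input
below is constructed in the layout NT's `netstat -an` prints: TCP rows
carry a State column, UDP rows do not.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "proto port name rfc local_addr")

# Port -> (name, RFC) entries taken from Bill Stout's list in this thread.
KNOWN_PORTS = {
    7: ("echo", "862"), 9: ("discard", "863"), 13: ("daytime", "867"),
    17: ("quotd", "865"), 19: ("chargen", "864"), 20: ("ftp-data", "959"),
    21: ("ftp", "959"), 23: ("telnet", "854"), 53: ("domain", "1034,1035"),
    69: ("tftp", "783,1534,1541"), 79: ("finger", "1194"),
    137: ("netbios_ns", "1001,1002"), 138: ("netbios_dgm", "1001,1002"),
    139: ("netbios_ssn", "1001,1002"), 161: ("snmp", "1157"),
    162: ("snmptrap", "1157"), 515: ("printer", "1179"),
    530: ("courier", ""), 775: ("sms_db", ""), 777: ("sms_update", ""),
    1433: ("tds", ""),
}

# Constructed sample in the NT `netstat -an` layout; not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.25:1027        ESTABLISHED
  TCP    192.0.2.10:1028        192.0.2.40:139         TIME_WAIT
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:161            *:*
"""

# proto, local addr, local port, foreign addr, optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return the set of (proto, port, local_addr) the host accepts on.

    TCP rows count only in LISTENING state; every bound UDP socket counts,
    because netstat shows no state for datagram sockets.
    """
    listeners = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or something we do not parse
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # client-side or transient connection, not a door
        listeners.add((proto, int(port), addr))
    return listeners


def audit(text, baseline):
    """Compare bound ports with a baseline set of (proto, port) pairs.

    Returns (unexpected, missing): unexpected = bound but not in the
    baseline (a door nobody documented); missing = in the baseline but not
    bound (a service that should be up and is not). Both are sorted lists
    of Finding, annotated from KNOWN_PORTS where the thread's list has them.
    """
    seen = parse_listeners(text)
    seen_pairs = {(proto, port) for proto, port, _ in seen}
    unexpected = []
    for proto, port, addr in sorted(seen):
        if (proto, port) not in baseline:
            name, rfc = KNOWN_PORTS.get(port, ("unknown", ""))
            unexpected.append(Finding(proto, port, name, rfc, addr))
    missing = []
    for proto, port in sorted(baseline - seen_pairs):
        name, rfc = KNOWN_PORTS.get(port, ("unknown", ""))
        missing.append(Finding(proto, port, name, rfc, ""))
    return unexpected, missing


if __name__ == "__main__":
    # Hypothetical baseline for a file/print server that should expose only
    # NetBIOS, SNMP and LPD; anything else bound is worth a question.
    BASELINE = {("TCP", 139), ("TCP", 515), ("UDP", 137), ("UDP", 138), ("UDP", 161)}
    bad, gone = audit(SAMPLE_NETSTAT, BASELINE)
    for f in bad:
        print("UNEXPECTED %s/%d %s (RFC %s) bound on %s"
              % (f.proto, f.port, f.name, f.rfc or "-", f.local_addr))
    for f in gone:
        print("MISSING    %s/%d %s not bound" % (f.proto, f.port, f.name))
```

On the constructed sample the audit flags TCP 21 (ftp), TCP 135 (not in the thread's list, so reported as unknown) and TCP 1433 (tds) as undocumented doors, and reports LPD on TCP 515 as expected but not running.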
From firewalls-owner Wed Sep 4 18:58:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA14098 for firewalls-outgoing; Wed, 4 Sep 1996 18:46:00 -0700 (PDT)
Received: from darkwing.pacific.net.sg (darkwing.pacific.net.sg [203.120.89.89]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA14081 for ; Wed, 4 Sep 1996 18:45:51 -0700 (PDT)
Received: (qmail-queue invoked from smtpd); 5 Sep 1996 01:43:58 -0000
Received: from darkwing.pacific.net.sg (203.120.89.89) by darkwing.pacific.net.sg with SMTP; 5 Sep 1996 01:43:58 -0000
Date: Thu, 5 Sep 1996 09:43:58 +0800 (SST)
From: Ng Pheng Siong
To: Paul McNabb
cc: firewalls@GreatCircle.com
Subject: Re: C2 certified OS that can run a firewall
In-Reply-To: <199609041436.JAA13457@argus.cu-online.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Sep 1996, Paul McNabb wrote:
> About 5 years ago I wrote a short paper entitled "The Myths of C2" which
> discussed the misconception about what C2 really is. I'll dig it up and
> post it if anyone wants it.

Yes, please. TIA.

I am looking at the Aug'96 paper copy of Byte: has an article entitled "Air-Tight Windows NT" which talks about NT's C2 rating. Author is one Jim Reynolds, who "was a member of the NSA's Windows NT eval team." (Yes, NSA as in "No Such Agency".)

--
Ng Pheng Siong               * Finger for PGP key.
Pacific Internet Pte Ltd     * Singapore
Fast, secure, cheap. Pick two.
From firewalls-owner Thu Sep 5 02:58:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA02343 for firewalls-outgoing; Thu, 5 Sep 1996 02:43:19 -0700 (PDT) Received: from s.wipinfo.soft.net (s.wipinfo.soft.net [164.164.6.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA02336 for ; Thu, 5 Sep 1996 02:43:00 -0700 (PDT) Received: by s.wipinfo.soft.net (4.1/SMI-4.1) id AA24937; Thu, 5 Sep 96 15:19:12 IST Received: from by rolex.rnd.blr (4.1/SMI-4.1) id AD04124; Thu, 5 Sep 96 15:17:33+050 Received: (from rjoshi@localhost) by comm10 (8.6.12/8.6.9) id OAA24095; Wed, 4 Sep 1996 14:46:13 +0500 From: Rajesh Joshi Message-Id: <199609040946.OAA24095@comm10> Subject: SOCKS5 Server for Windows NT from NEC To: socks@socks.nec.com, socks5@socks.nec.com, firewalls@GreatCircle.COM Date: Wed, 4 Sep 1996 14:46:13 +0500 (GMT+0500) Cc: rjoshi@comm10 (Rajesh Joshi) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all,

We have downloaded SOCKS5 Server for Windows NT from NEC and copied the simple configuration file from samples to the directory containing socks5.exe. The socks service starts, but when we try to connect to the application server using Netscape through the socks server it is not going through. Is this some configuration problem? Can anybody throw some light on this? Has anybody successfully installed the SOCKS5 server for Windows NT?

Thanks in advance

--
|==============================================================================|
| RAJESH B JOSHI |
| Sr. Engineer R & D (Software), Communications Group, Wipro Infotech Ltd.
|
|------------------------------------------------------------------------------|
| There's NO THRILL in easy sailing when the skies are clear and blue, |
| There's NO JOY in merely doing things which ANY ONE can do, |
| But there is some satisfaction that is MIGHTY SWEET to take, |
| When you reach a DESTINATION that you thought you'd NEVER make. |
|==============================================================================|

From firewalls-owner Thu Sep 5 03:28:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA03528 for firewalls-outgoing; Thu, 5 Sep 1996 03:13:57 -0700 (PDT) Received: from mail.transpac.net (nic.transpac.net [194.52.1.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA03492 for ; Thu, 5 Sep 1996 03:13:39 -0700 (PDT) Received: from alf.ihc.se (alf.ihc.se [194.52.187.254]) by mail.transpac.net (8.7.5/8.7.3) with SMTP id MAA14792; Thu, 5 Sep 1996 12:12:01 +0200 (MET DST) Received: by alf.ihc.se; (5.65v3.2/1.3/10May95) id AA05479; Thu, 5 Sep 1996 12:14:41 +0200 Message-Id: <9609051011.AA14406@ns.ihc.se> To: "firewalls@greatcircle.com" , "vadillo@apu.rcp.net.pe" Subject: Firewall for NT Date: Thu, 05 Sep 96 12:10:43 -0500 From: "Mattias Lindström" X-Mailer: E-Mail Connection v2.5.03 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

-- [ From: Mattias Lindström * EMC.Ver #2.5.02 ] --

Date: Wed, 4 Sep 1996 19:29:07 -0400 (EDT)
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: Firewall for NT

Hi. Take a look at AltaVista Firewall for Windows NT. It is beautiful and beats the sh*t out of Raptor Eagle NT. Not that drastic maybe, but I like Digital's more than I like Raptor's. It has the usual Windows GUI and is intuitive, easy and fast to use. Pure "goodiness". I like it a lot and have 2 installations up and running. It is much easier to set up than Raptor's and is easier to work with.
I have installed Raptor for 3 clients and I like that one too, but AltaVista is nicer to work with.

TNT, Mattias

________Your posting______

Hi all,

I am looking for any recommendation you can send me about the best *proved* firewall there can be for Windows NT. We have to use a Windows NT server as a firewall for some Micro$oft-based subsystem and I would like to just receive some recommendations from you guys out there who have already dealt with some firewall on NT.

I would prefer to receive all the mails to my personal email address, and if the list is interested, I can summarize the results of my request for the best featured firewall for NT after ten days.

Enrique Vadillo
--
R&D at RCP - Internet Peru
Fax: +51 1 241-1320 Phone: +51 1 241-5688
Web Site: http://www.rcp.net.pe (PERU)
Mirror Web Site: http://ekeko.rcp.net.pe (USA)

________Your posting______

--
Mattias Lindstrom
NT and Security Consultant

This email is for the use of authorized users only. Individuals using this email without authority, or in excess of their authority, are subject to having all of their activities monitored and recorded by system personnel.
From firewalls-owner Thu Sep 5 05:44:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA10267 for firewalls-outgoing; Thu, 5 Sep 1996 05:32:37 -0700 (PDT) Received: from sierra.corsof.com (sierra.corsof.com [198.22.44.240]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA10250 for ; Thu, 5 Sep 1996 05:32:28 -0700 (PDT) Received: from granite.corsof.com by sierra.corsof.com with SMTP (8.6.12/16.2) id IAA14348; Thu, 5 Sep 1996 08:32:34 -0400 Received: from dana.corsof.com by granite.corsof.com with SMTP (1.38.193.4/16.2) id AA05238; Thu, 5 Sep 1996 08:32:26 -0400 Message-Id: <1.5.4.32.19960905123754.00688bac@pop.corsof.com> X-Sender: dana@pop.corsof.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 05 Sep 1996 08:37:54 -0400 To: Firewalls@greatcircle.com From: Dana Nowell Subject: RE: Firewall for NT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 4 Sep 1996 19:29:07 -0400 (EDT), Enrique Vadillo asked:
>
>Hi all,
>
>I am looking for any recommendation you can send me about the best *proved*
>firewall there can be for Windows NT, we have to use a Windows NT server
>as a firewall for some Micro$oft-based subsystem and i would like to just
>receive some recommendations from you guys out there who have already dealt
>with some firewall on NT.
>
>I would prefer to receive all the mails to my personal email address, and
>if the list is interested, i can summarize the results of my request for
>the best featured firewall for NT after ten days.
>

OK, I couldn't resist, humor switch on for the humor impaired ..

Well it really depends on what you mean when you say best. If your main interest is feature set, it is difficult to beat the IP_FORWARDING firewall in number of different packet types passed between your internet router and your internal network. Most other firewalls supply only a subset of the IP_FORWARDING firewall's set of packet types. The IP_FORWARDING firewall has the added advantage of being one of the cheaper firewalls on the market.

If you are one of those security conscious geeks (as opposed to a security unconscious end-user) I'd recommend the AirGap Firewall as the most secure. In design the AirGap firewall is VERY similar to the IP_FORWARDING firewall. You install the IP_FORWARDING firewall and cut the cable between the firewall and the router, then separate the cut ends by a two foot air gap. This firewall design passes the smallest subset of packets from your internet router to your internal network. It is also one of the cheaper firewalls on the market, costing about $5 US more than the IP_FORWARDING firewall (for the cheapo wire cutters).

Now if you are a marketing or MIS management type looking for a buzzword compliant firewall, I'm afraid I can not be much help. First it depends a lot on your current buzzword dictionary and second, there is currently A LOT of competition in this particular area. Since this area is constantly under change, I'm afraid whatever firewall you buy from this category will quickly become dated. I'd recommend you avoid this category if at all possible.

I hope this information was of some help. Humor switch off.

Dana Nowell Voice (603) 595-7480 EXT 28
Cornerstone Software Inc. FAX (603) 882-7313
Work: DanaNowell@corsof.com Home: dana@nowell.mv.com
MIME attachments preferred, BINHEX and uuencoded acceptable.
As usual, I speak only for myself.
From firewalls-owner Thu Sep 5 07:14:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA15697 for firewalls-outgoing; Thu, 5 Sep 1996 07:11:57 -0700 (PDT) Received: from radar (radar.vertx.com [207.170.65.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA15688 for ; Thu, 5 Sep 1996 07:11:49 -0700 (PDT) Received: from localhost by radar (SMI-8.6/SMI-SVR4) id JAA09502; Thu, 5 Sep 1996 09:10:40 -0500 Date: Thu, 5 Sep 1996 09:10:39 -0500 (CDT) From: David Marcoux To: firewalls@greatcircle.com Subject: Secure Access Firewall (Ascend)?? In-Reply-To: <199609040946.OAA24095@comm10> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Has anyone tried the new product from Ascend called "Secure Access Firewall?" I am very curious about the product.

------------------------------------------------------------------
David Marcoux System Administrator / Web Master dmarcoux@vertx.com
Vertex Software Corporation http://www.vertx.com (512) 328-3700 voice

From firewalls-owner Thu Sep 5 07:44:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA15631 for firewalls-outgoing; Thu, 5 Sep 1996 07:09:53 -0700 (PDT) Received: from pony-express.ims.advantis.com (pony-express.ims.advantis.com [165.87.194.144]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA15624 for ; Thu, 5 Sep 1996 07:09:47 -0700 (PDT) Received: (from Unknown UID 5@localhost) by pony-express.ims.advantis.com (8.6.9/95.10.11) id KAA24518; Thu, 5 Sep 1996 10:09:59 -0400 Received: from carfax.ims.advantis.com(164.120.180.21) by pony-express.ims.advantis.com via smap (V1.3) id sma021953; Thu Sep 5 10:09:57 1996 Received: by carfax.ims.advantis.com (AIX 3.2/UCB 5.64/4.03) id AA48063; Thu, 5 Sep 1996 10:15:27 -0400 Date: Thu, 5 Sep 1996 10:15:27 -0400 (EDT) From: Peter Yau To: Jeffrey Barber Cc: "'firewalls@GreatCircle.COM'" Subject: Re: IP Masquerading In-Reply-To: <01BB9A61.C8546560@jabpc.jabsoft.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Sounds more like NAT (Network Address Translation) rather than IP spoofing is the correct term.

On Wed, 4 Sep 1996, Jeffrey Barber wrote:

> Hello All,
> I am a Windows and Linux user. With Linux I can configure it to do IP Masquerading. This allows me to have multiple computers on my local net access the internet thru 1 internet connection with only 1 valid IP address. What happens is the Linux computer changes the source address to that of the valid IP address and when the response comes back, Linux then passes the data back to the requesting local computer. This process is not using any proxies and I have full TCP/IP capability from all local computers. I guess this may be what some call IP Spoofing. This process is very useful, for we all heard that there may be a shortage of IP addresses. This will solve the problem or at least cut down on the requests for additional addresses from the NIC.
>
> My question is, can NT 3.51 or NT 4.0 be configured to do the same thing, possibly using some kind of firewall software. Also can it be done without using proxies. The IP Masquerading process is part of the Linux kernel and I am hoping that a kernel modification can be done to NT if this process is not already there. This can be a HUGE Plus for NT if Microsoft can do it.
>
> TIA
> jab@rock.anchorage.net
> System Administrator
>

From firewalls-owner Thu Sep 5 07:47:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA15814 for firewalls-outgoing; Thu, 5 Sep 1996 07:13:57 -0700 (PDT) Received: from gateway.ppg.com (gateway.ppg.com [199.221.65.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA15762 for ; Thu, 5 Sep 1996 07:13:42 -0700 (PDT) Received: by gateway.ppg.com id AA17477 (SMTP Gateway for firewalls@GreatCircle.COM); Thu, 5 Sep 1996 10:13:19 -0400 Message-Id: <199609051413.AA17477@gateway.ppg.com> Received: by gateway.ppg.com (Protected-side Proxy Mail Agent-2); Thu, 5 Sep 1996 10:13:19 -0400 Received: by gateway.ppg.com (Protected-side Proxy Mail Agent-1); Thu, 5 Sep 1996 10:13:19 -0400 From: "Sacherich, Larry" To: "'Firewalls-Digest-L'" Cc: "'Enrique Vadillo'" Subject: Re: Firewall for NT (and NCSA Certifications) Date: Thu, 05 Sep 96 10:04:00 PDT X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

After reviewing the NCSA firewall site, I was still confused as to which platforms / operating systems were being approved. In particular, are there any Windows NT firewall systems NCSA approved? And the answer is NO. Even a firewall like the Raptor Eagle, which is available for both Unix and Windows NT operating systems, was only approved for Unix. Attached is the NCSA response.

NCSA Firewall Certifications http://www.ncsa.com/fpfs/fwpress2.html

Larry Sacherich
sacherich@ppg.com
=========================================================
The opinions expressed are those of the writer and not of PPG Industries, Inc. nor of any PPG-associated companies.
=========================================================
----------
> From: JD McCown
> Subject: Re: Multi-platform Multiple O/S Certifications ?
> Date: Monday, July 29, 1996 1:45PM
>
> On 23 Jul 1996 sacherich@ppg.com wrote:
>
> > Many vendors offer multi-platform and multiple operating system firewall
> > solutions. That is, a product may be available for a RISC and Intel
> > platform, running Unix (BSDI, HPUX, AIX, etc) or Windows NT operating
> > system. It is unclear from your Web pages what combination the NCSA
> > Certification applies to.
>
> How we handle this issue is about to change, however under the 1.0
> certification, we certify products in one of the following categories:
> Unix-BSD origin, Unix-SysV origin, NT, Proprietary/Other. (A caveat was
> also included for Solaris 2.5 ports, as the networking code in that
> version was substantially altered from earlier Solaris versions.)
>
> Because our certification involves quarterly retests, we perform the
> testing against "other" ports than the one initially certified.
>
> The 1.0 results were as follows:
>
>   Vendor       Product                  OS               Platform
>   -----------  -----------------------  ---------------  -----------
>   ASG          Turnstyle 2.1            BSDI 1.1         Intel
>   Border       Borderware 3.1.1         BSD/Janus        Intel
>   Milkyway     Blackhole 2.0            SunOS 4.1.4      Sparc
>   Checkpoint   Checkpoint FW 2.0C       Solaris 2.4      Sparc
>   DEC          DEC FW for Unix 2.0      DEC/Unix 3.2C    Alpha
>                (aka Altavista FW)
>   GTA          GFX Internet FW 2.5      BSDI 1.1         Intel
>   Harris       Cyberguard 2.1.2         Unix/MLS 6.2     Motorola
>   IBM          SNG 2.1.0.0              AIX 4.1.0        IBM Risc
>   Livermore    Portus 2.1               AIX 4.1.4        PowerPC
>   ON           Onguard 1.02             S32OS            Intel
>   Radguard     Cryptowall 1.0           Embedded         Proprietary
>   Raptor       Eagle 3.1                SunOS 4.1.4      Sparc
>   Sun          SPF-100 1.0              Proprietary      Sparc (?)
>   Technologic  Interceptor 3.1          BSDI 1.1         Intel
>   TIS          Gauntlet 3.1             BSDI 2.0.1       Intel
>   NEC          PrivateNET 1.0.1A        BSDI 2.1         Intel
>
> The processor architecture is not a category per se but is useful.
>
> > Can you provide me a list of certified firewalls _showing_ the platforms
> > and operating system tested per vendor? We are nearing the end of an
> > evaluation and would like to have that information quickly.
>
> See the above, give me a call if you have questions.
>
> - Jon McCown, NCSA Labs
>
> > Thanks in advance,
> >
> > Larry Sacherich
> > sacherich@ppg.com
> > PPG Industries, Inc.
>

From firewalls-owner Thu Sep 5 07:53:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA15586 for firewalls-outgoing; Thu, 5 Sep 1996 07:05:32 -0700 (PDT) Received: from keeper.tribune.com (keeper.tribune.com [163.192.21.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA15563 for ; Thu, 5 Sep 1996 07:05:15 -0700 (PDT) From: LLynch@tribune.com Received: by keeper.tribune.com; id JAA01491; Thu, 5 Sep 1996 09:01:48 -0500 Received: from tco-link2.tis-in.trb(163.192.23.15) by keeper.tribune.com via smap (V3.1) id xma001465; Thu, 5 Sep 96 09:01:39 -0500 Received: from ccMail by smtpout.tribune.com (IMA Internet Exchange 1.04b) id 22edded0; Thu, 5 Sep 96 09:04:29 -0500 Mime-Version: 1.0 Date: Thu, 5 Sep 1996 08:56:02 -0500 Message-ID: <22edded0@tribune.com> Subject: Re: Re: Firewalls-Digest #484 To: Firewall mailing list Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Date: Thu, 29 Aug 1996 14:46:20 +0200
From: Bernhard Schneck
Subject: Re: Firewalls-Digest V5 #484

¦
¦ > One extra note: Connecting the Web server directly to your database
¦ > would be a breach of security, you would in effect be providing any
¦ > hacker a direct line into your internal network, bypassing any
¦ > firewall/router security.
¦
¦That's what I was thinking about (mostly).
¦
¦When you allow access to internal data from external sources, you
¦*should* assume that any access can be with hostile intent.
¦
¦In Jenjen's case (users access an external web server, which queries
¦the internal database and returns query results in HTMLized form),
¦this would mean that she/he has to assume that web server security
¦has been breached and the web server is under full control of the
¦attackers.
¦
¦Two things may happen:
¦- the attackers gain access to data in the database
¦- the attackers send wrong responses to users querying the service
¦
¦Only mutual authentication between user and database will solve the
¦second problem, so let's stick to the first for now.
¦
¦Encrypting the data stream between web server and database will not
¦help in this case, as some sort of keys will have to reside on the
¦web server (which was taken over by The Bad Guys).
¦
¦Using challenge/response between server and database won't help
¦either ... again, The Bad Guys are already on the web server and can
¦fake those, too.
¦
¦A private network connection (using any type of protocol) between
¦server and database won't help, unless the server has no way to speak
¦that protocol (but then, how would it send legitimate queries to the
¦database? :-)
¦
¦What will help (at least somewhat) is
¦
¦- do not allow the web server to run any SQL statement against the
¦  database (The Bad Guys might plug in their own select statements)
¦  but use a restricted, well defined proxy protocol to a separate
¦  internal service with tight security, which will then access the
¦  database.
¦  --> Anyone will be able to access the data, but only in a (more or
¦  less) controlled fashion.

I was thinking as you, not allowing SQL to be executed on the Webserver. Unless your applications are very simple, you are writing an API or a protocol for each application. This is job security, but may not be scalable. The other thing I hate about this is that it starts looking like "security through obscurity" again.
Is there a pointer to more information on this subject?

Something else I ran across the other day: Vendor A has developed a search/retrieval/server product. If I have content that I think users will pay for, I install the server product behind a FW to protect that investment in the content. Now we haven't talked about how to interface to the payment switch yet....

I install Vendor A's CGI on my W3 server outside the FW and install a plug-gw on a high numbered port to only accept incoming connects from my W3 server bound for Vendor A's server. I find out that Vendor A's CGI is only an IP gateway from the client to Vendor A's server (there is nothing to the CGI: open socket, connect, print STDIN to STDOUT). This tells me that the API/protocol must be in the HTML form; this application is probably very simple.

How secure is a CGI like this? (Vulnerability: W3 server security)

What I like about this is that there is no information (other than the connecting address and the embedded API/values in the HTML form) on the W3 server about the back-end service. It appears to be vulnerable to denial of service attacks (anyone can POST to this CGI and the W3 server will contact Vendor A's server thru the FW, consuming resources on the W3, FW and Vendor A's box). Your thoughts?

If I use a Secure/Commerce W3 server, will SSL or SHTTP be foiled by Vendor A's CGI approach, but doesn't this mean that Vendor A's server would have to support SSL and SHTTP also? If it does support one or both, their application starts to look a lot like a modified secure W3 server, doesn't it?

Now continuing on with this discussion: If the W3 server is taken over, it can talk to only one port on the FW bound for Vendor A's server. We are left with placing trust in Vendor A's application team for our network security. If this application is secure, why is it behind the FW?
They seem to be following the guidelines set forth by the NCSA Web Site Certification criteria.

¦
¦- challenge/response between the end user and the database on every
¦  transaction (`authenticated' state should not be kept)
¦  --> The Bad Guys can wait for such an access and sniff the data or
¦  can replace the web server and send their own queries using the
¦  intercepted user's authentication.
¦
¦- authenticated+encrypted links (eg. IPSEC AH/ESP) between end user
¦  and database *not* going through the web server (remember, it has
¦  been taken over! If it decrypts somehow, The Bad Guys are in)
¦  --> The Bad Guys will need to either break the encryption or the
¦  key exchange mechanism (which is supposed to be hard)
¦
¦Unless you use a non subvertible channel between end user and database,
¦you're prone to snooping, if not worse!
¦
¦Again: Encryption between web server and database may not be enough.
¦
¦\Bernhard.
¦

From firewalls-owner Thu Sep 5 08:14:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA19048 for firewalls-outgoing; Thu, 5 Sep 1996 08:01:33 -0700 (PDT) Received: from relay.nswc.navy.mil (relay.nswc.navy.mil [128.38.1.41]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA19031 for ; Thu, 5 Sep 1996 08:01:23 -0700 (PDT) From: lresch@nswc.navy.mil Received: from oanews (oanews.nswc.navy.mil) by relay.nswc.navy.mil (4.1/SMI-4.1) id AA24896; Thu, 5 Sep 96 11:00:49 EDT Received: by oanews (4.1/SMI-4.1) id AA08735; Thu, 5 Sep 96 10:59:20 EDT Message-Id: <9609051459.AA08735@oanews> Subject: IPX Router/Gateway To: firewalls@GreatCircle.com (Firewalls Mailing List) Date: Thu, 5 Sep 96 10:59:19 EDT X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We have recently implemented a firewall for our network here but we need to verify the user who is accessing the Internet outside of the firewall.
The firewall logs the IP of the connections, but our internal IPs are tied to specific machines and our users are not. The firewall accredits TELNET and FTP (user name and password) to get out (which is fine), but we are having to do a work around for HTTP until the next release of the firewall comes out. Our internal network is Netware 4.1 running pure IPX and our users have IP only for accessing our UNIX workstations. Does anyone have any suggestions for accreditation of the user? I am also thinking about some kind of IPX to IP router/gateway that can log the user (possibly require a single session log in) for accessing the firewall and then turn off accreditation at the firewall. This would also help to block the workstations accessing the Internet which we do not want....

Thanks.

+----------------------------------------------------+
| Larry Resch                                        |
| lresch@nswc.navy.mil                               |
|                                                    |
| My thoughts are mine alone, and do not necessarily |
| reflect the thoughts of those for whom I work.     |
+----------------------------------------------------+

From firewalls-owner Thu Sep 5 09:23:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA26219 for firewalls-outgoing; Thu, 5 Sep 1996 09:12:55 -0700 (PDT) Received: from fsd1.fsdirect.com ([206.235.252.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA26212 for ; Thu, 5 Sep 1996 09:12:49 -0700 (PDT) Received: from fsd1.fsdirect.com (fsd1.fsdirect.com [206.235.252.10]) by fsd1.fsdirect.com (8.7.5/8.7.3) with SMTP id MAA00568; Thu, 5 Sep 1996 12:08:51 -0400 (EDT) Date: Thu, 5 Sep 1996 12:08:51 -0400 (EDT) From: To: ssl-talk@netscape.com, firewalls@greatcircle.com Subject: options for proxying SSL traffic?
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If a network connected to the internet was using a proxy firewall (say, Gauntlet or fwtk), and had a web server behind the firewall which had SSL enabled, what options does the firewall administrator have to ensure that people outside can access the web server inside w/SSL?

Someone at TIS said all that needed to be done was to use plug-gw (a generic proxy which just passes bytes) so that the firewall passes traffic. However, given that internal web browsers require a specific SSL proxy service to access SSL enabled web servers on the outside, I don't feel quite convinced. (Won't browsers care that the host they're connecting to is different from what the passed certificate information says?)

If it's the case that an SSL proxy service is needed for incoming requests, it would seem like the rules would have to be fairly stringent so that someone would not take advantage of it to probe the internal network, like having an HTTP proxy for incoming requests.

Can someone explain, before I actually try it out?
Junya Ho
FSDirect
v: 416 368 3920 x5411 f: 416 368 5505

From firewalls-owner Thu Sep 5 09:43:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA27668 for firewalls-outgoing; Thu, 5 Sep 1996 09:41:57 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA27650 for ; Thu, 5 Sep 1996 09:41:48 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA03592; Thu, 5 Sep 1996 09:43:14 -0700 Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA16183; Thu, 5 Sep 96 09:41:29 PDT Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA07536; Thu, 5 Sep 1996 09:41:23 -0700 Message-Id: <9609051641.AA07536@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id E3FCA0A357CDE2088825639C005BAA00; Thu, 5 Sep 96 09:41:21 EDT To: "John H. Kerr" Cc: firewalls From: Ryan Russell/SYBASE Date: 5 Sep 96 9:42:53 EDT Subject: Re: Firewall-1,Sun,CISCO,Class"B"address X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

SunOS can't deal with variable-length subnet masks, so having 172.16.1.0 and 172.16.0.0 in its route tables will just confuse it. Either change the inside interface address to a subnet mask of 255.255.0.0 and use proxy arp on the Cisco, or put in a route entry for each subnet on the inside with a subnet mask of 255.255.255.0

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: jhkerr @ ashton.csc.com ("John H. Kerr") @ smtp
Date: 08/31/96 05:27:32 PM
Subject: Firewall-1,Sun,CISCO,Class"B"address

I was wondering if anyone has a solution to this problem. I have a Sun Sparc5 running SunOS 4.1.3, with this I have Firewall-1 2.0 running on top of it. I also have a CISCO 4000 setup as an Internal router.
The problem that I'm having is that I'm unable to receive information back to my machines sitting behind the Internal router. The exact trouble seems to be the firewall does not know how to route back into my "Internal" networks. The setup is like this:

  Internet ------ ISP Router ----- FW ----- CISCO 4000 ------ Internal Nets
                              172.16.1.0  172.16.2.0          172.16.*

I initially set the routing table on the FW to be

  DEST         Nexthop
  172.16.1     172.16.1.1 (local)
  172.16.2     172.16.2.1 (local)
  default      ISP router
  172.16.0.0   CISCO 4000

This didn't work. I turned routed on within the Firewall, but when I did, the default route (0.0.0.0) from the CISCO added a *new* default route to the Firewall:

  default      Cisco

and it took precedence over the one I installed. Since the FW and the CISCO ping-ponged packets all day, nothing communicated. The default route of the CISCO router is overriding the default route that I have set on the FW. I have set the Metric Flag on the router to be higher than the FW in hopes that the FW would take precedence, but this did not work. Is there a way to set something up on the SUN to force its default route to be used, or is there a way to stop the CISCO's default route from taking over?

I also tried not setting the 'route of last resort' on the CISCO hoping that the RIP update from the FW would fill in the default route. It didn't. Shouldn't this work? Is there a way on the CISCO to set a default route and not have it sent out in a routing update? BTW, what is the proper way to set the default route on a CISCO? I've been using:

  ip route 0.0.0.0 172.16.2.1

Has anyone else with a class "B" address run into this problem before? I know this can be solved if I obtained a class C, subnet it, and use it on either side of the FW. That way there would be an unambiguous route to 172.16 from the FW's point of view. However that's not an option right now. Any help is appreciated.
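To make the routing problem in this exchange concrete, here is an added example (not code from either post) that builds the firewall table John Kerr lists and resolves next hops two ways: by longest-prefix match, as a VLSM-capable router does, and under a modelled "one mask per classful network" rule, which is my assumption of what Ryan Russell's "can't deal with variable-length subnet masks" amounts to on the firewall host. It then generates the per-subnet 255.255.255.0 routes of his second fix and shows the lookup succeeding under the same rule. Addresses are the thread's own; the single-mask model and the documentation IP 198.51.100.1 are assumptions.

```python
"""Route lookups for the 172.16 firewall / CISCO 4000 setup in the thread.

Added example; not code from the original posts. The 'single mask per
classful network' lookup is a model (assumption), not a description of a
specific SunOS release.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]          # (destination, next hop)
LOCAL = "local (FW inside interface)"

# John Kerr's table: two directly attached /24s, a /16 via the Cisco, default via ISP.
FW_ROUTES: List[Route] = [
    (ipaddress.ip_network("172.16.1.0/24"), LOCAL),
    (ipaddress.ip_network("172.16.2.0/24"), LOCAL),
    (ipaddress.ip_network("172.16.0.0/16"), "CISCO 4000"),
    (ipaddress.ip_network("0.0.0.0/0"), "ISP router"),
]


def classful_network(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Class A/B/C network an address falls in (pre-CIDR rules)."""
    first = int(addr) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lookup_lpm(routes: Iterable[Route], dst: str) -> str:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "unroutable"


def lookup_single_mask(routes: Iterable[Route], dst: str,
                       iface_masks: Dict[str, int]) -> str:
    """Modelled host that applies ONE mask (its interface's mask on that
    classful network) to every route inside it. With a /24 inside
    interface the 172.16.0.0 entry is read as 172.16.0.0/24, so any other
    internal subnet misses every route and falls through to the default."""
    addr = ipaddress.ip_address(dst)
    default = "unroutable"
    for net, hop in routes:
        if net.prefixlen == 0:
            default = hop
            continue
        key = str(classful_network(net.network_address))
        mask = iface_masks.get(key, net.prefixlen)
        forced = ipaddress.ip_network(f"{net.network_address}/{mask}", strict=False)
        if addr in forced:
            return hop
    return default


def per_subnet_routes(aggregate: str, prefix: int,
                      local: Iterable[str], hop: str) -> List[Route]:
    """Russell's second fix: one explicit /24 route per internal subnet, all
    sharing the interface mask, instead of a single /16 aggregate."""
    local_nets = {ipaddress.ip_network(n) for n in local}
    return [(sub, hop)
            for sub in ipaddress.ip_network(aggregate).subnets(new_prefix=prefix)
            if sub not in local_nets]


def fixed_table() -> List[Route]:
    """FW_ROUTES with the /16 entry replaced by 254 explicit /24 entries."""
    attached = [r for r in FW_ROUTES if r[1] == LOCAL]
    default = [r for r in FW_ROUTES if r[0].prefixlen == 0]
    cisco = per_subnet_routes("172.16.0.0/16", 24,
                              ["172.16.1.0/24", "172.16.2.0/24"], "CISCO 4000")
    return attached + cisco + default


if __name__ == "__main__":
    masks24 = {"172.16.0.0/16": 24}          # inside interface is 255.255.255.0
    for dst in ("172.16.1.5", "172.16.5.7", "198.51.100.1"):
        print(f"{dst:<14} LPM -> {lookup_lpm(FW_ROUTES, dst):<28}"
              f" single-mask -> {lookup_single_mask(FW_ROUTES, dst, masks24):<28}"
              f" fixed -> {lookup_single_mask(fixed_table(), dst, masks24)}")
    # Russell's first fix: 255.255.0.0 on the inside interface plus proxy ARP
    # on the Cisco, so every 172.16 host looks directly attached to the FW.
    print("172.16.5.7 with /16 inside mask ->",
          lookup_single_mask(FW_ROUTES, "172.16.5.7", {"172.16.0.0/16": 16}))
```

Under the single-mask rule a reply for 172.16.5.7 leaves by the default route toward the ISP, which is exactly the symptom described (packets never get back behind the Cisco). The per-subnet table costs 254 entries but every one of them carries the same mask as the interface, which is why it works where the aggregate did not.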
From firewalls-owner Thu Sep 5 11:14:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04332 for firewalls-outgoing; Thu, 5 Sep 1996 11:02:55 -0700 (PDT) Received: from keeper.tribune.com (keeper.tribune.com [163.192.21.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA04315 for ; Thu, 5 Sep 1996 11:02:36 -0700 (PDT) From: LLynch@tribune.com Received: by keeper.tribune.com; id MAA07513; Thu, 5 Sep 1996 12:59:20 -0500 Received: from tco-link2.tis-in.trb(163.192.23.15) by keeper.tribune.com via smap (V3.1) id xma007436; Thu, 5 Sep 96 12:59:01 -0500 Received: from ccMail by smtpout.tribune.com (IMA Internet Exchange 1.04b) id 22f158c0; Thu, 5 Sep 96 13:01:48 -0500 Mime-Version: 1.0 Date: Thu, 5 Sep 1996 12:57:30 -0500 Message-ID: <22f158c0@tribune.com> Subject: Re: Re: Firewalls-Digest #484 To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Date: Thu, 29 Aug 1996 14:46:20 +0200
From: Bernhard Schneck
Subject: Re: Firewalls-Digest V5 #484

¦
¦ > One extra note: Connecting the Web server directly to your database
¦ > would be a breach of security, you would in effect be providing any
¦ > hacker a direct line into your internal network, bypassing any
¦ > firewall/router security.
¦
¦That's what I was thinking about (mostly).
¦
¦When you allow access to internal data from external sources, you
¦*should* assume that any access can be with hostile intent.
¦
¦In Jenjen's case (users access an external web server, which queries
¦the internal database and returns query results in HTMLized form),
¦this would mean that she/he has to assume that web server security
¦has been breached and the web server is under full control of the
¦attackers.
> Two things may happen:
> - the attackers gain access to data in the database
> - the attackers send wrong responses to users querying the service
>
> Only mutual authentication between user and database will solve the
> second problem, so let's stick to the first for now.
>
> Encrypting the data stream between web server and database will not
> help in this case, as some sort of keys will have to reside on the
> web server (which was taken over by The Bad Guys).
>
> Using challenge/response between server and database won't help
> either ... again, The Bad Guys are already on the web server and can
> fake those, too.
>
> A private network connection (using any type of protocol) between
> server and database won't help, unless the server has no way to speak
> that protocol (but then, how would it send legitimate queries to the
> database? :-)
>
> What will help (at least somewhat) is
>
> - do not allow the web server to run any SQL statement against the
>   database (The Bad Guys might plug in their own select statements)
>   but use a restricted, well defined proxy protocol to a separate
>   internal service with tight security, which will then access the
>   database.
>   --> Anyone will be able to access the data, but only in a (more or
>   less) controlled fashion.

I was thinking as you, not allowing SQL to be executed on the Webserver. Unless your applications are very simple, that means you are writing an API or a protocol for each application. This is job security, but may not be scalable. The other thing I hate about this is that it starts looking like "security through obscurity" again. Is there a pointer to more information on this subject?

Something else I ran across the other day: Vendor A has developed a search/retrieval/server product. If I have content that I think users will pay for, I install the server product behind a FW to protect that investment in the content.
Now we haven't talked about how to interface to the payment switch yet.... I install Vendor A's CGI on my W3 server outside the FW and install a plug-gw on a high numbered port to only accept incoming connects from my W3 server bound for Vendor A's server. I find out that Vendor A's CGI is only an IP gateway from the client to Vendor A's server (there is nothing to the CGI: open socket, connect, print STDIN to STDOUT). This tells me that the API/protocol must be in the HTML form; this application is probably very simple. How secure is a CGI like this? (Vulnerability: W3 server security)

What I like about this is that there is no information (other than the connecting address and the embedded API/values in the HTML form) on the W3 server about the back-end service. It appears to be vulnerable to denial of service attacks (anyone can POST to this CGI and the W3 server will contact Vendor A's server thru the FW, consuming resources on the W3, FW and Vendor A's box). Your thoughts?

If I use a Secure/Commerce W3 server, will SSL or SHTTP be foiled by Vendor A's CGI approach? But doesn't this mean that Vendor A's server would have to support SSL and SHTTP also? If it does support one or both, their application starts to look a lot like a modified secure W3 server, doesn't it?

Now continuing on with this discussion: If the W3 server is taken over, it can talk to only one port on the FW bound for Vendor A's server. We are left with placing trust in Vendor A's application team for our network security. If this application is secure, why is it behind the FW? They seem to be following the guidelines set forth by the NCSA Web Site Certification criteria.
> - challenge/response between the end user and the database on every
>   transaction (`authenticated' state should not be kept)
>   --> The Bad Guys can wait for such an access and sniff the data or
>   can replace the web server and send their own queries using the
>   intercepted user's authentication.
>
> - authenticated+encrypted links (eg. IPSEC AH/ESP) between end user
>   and database *not* going through the web server (remember, it has
>   been taken over! If it decrypts somehow, The Bad Guys are in)
>   --> The Bad Guys will need to either break the encryption or the
>   key exchange mechanism (which is supposed to be hard)
>
> Unless you use a non subvertible channel between enduser and database,
> you're prone to snooping, if not worse!
>
> Again: Encryption between web server and database may not be enough.
>
> \Bernhard.

From firewalls-owner Thu Sep 5 13:44:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA11390 for firewalls-outgoing; Thu, 5 Sep 1996 13:32:04 -0700 (PDT) Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA11372 for ; Thu, 5 Sep 1996 13:31:40 -0700 (PDT) From: potlicker@morebbs.com Received: by morebbs.com id 0N79E004 Thu, 05 Sep 96 16:30:56 Message-ID: <9609051630.0N79E00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Thu, 05 Sep 96 16:30:56 Subject: Mail and win95 To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A question has come up at Big Co. as to how to bypass their cc:Mail entirely and go from Windows 95 machines directly to their firewall. That's cos their cc:Mail crashed again and delayed mail for power users. Does anyone on the list know of freeware, shareware or commercial programs to run sendmail or popmail3 on a Windows 95 workstation?
The Windows 95 workstations are 66 MHz 486's with 32 MB RAM and two 1 GB hard disks.

PoT_LiCkEr

From firewalls-owner Thu Sep 5 14:13:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA12449 for firewalls-outgoing; Thu, 5 Sep 1996 14:01:19 -0700 (PDT) Received: from orca.sitesonthe.net (orca.sitesonthe.net [207.16.80.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA12425 for ; Thu, 5 Sep 1996 14:01:02 -0700 (PDT) Received: from golgi.sitesonthe.net by orca.sitesonthe.net (SMI-8.6/SMI-SVR4) id RAA03479; Thu, 5 Sep 1996 17:07:04 -0400 Message-ID: <322F40BB.632A@sitesonthe.net> Date: Thu, 05 Sep 1996 17:06:04 -0400 From: Robert Evans Reply-To: pedro@orca.sitesonthe.net Organization: GETtheNET, Inc. X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Appropriate List Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, We are working with a Netware network and we want to put a www server up. We're using a Sparc box for the www server and want to pass the IP packets across the netware network. We looked at Sunsoft's Webscout, which is a client server package that does ip tunneling and puts a modified winsock.dll on each client. Will this allow all types of ip and udp traffic to traverse the Novell Network, and are there going to be any problems with routing the packets to the www Server? Any suggestions from folks with experience in this area are greatly appreciated. I know this may not be an exactly appropriate place to post, but any help could be emailed directly, and pointers to more appropriate lists would be greatly appreciated. Thanks In advance. Bob -- GETtheNET, Inc. Heyburn Building 332 W.
Broadway Suite 911 Louisville, KY 40202 502 585 4638 http://WWW.SitesOnThe.Net/ From firewalls-owner Thu Sep 5 14:44:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA14999 for firewalls-outgoing; Thu, 5 Sep 1996 14:38:45 -0700 (PDT) Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA14947 for ; Thu, 5 Sep 1996 14:38:22 -0700 (PDT) Received: from is.ups.com (smtp.telecom.ups.com) by gate.ups.com with SMTP id AA07618 (InterLock SMTP Gateway 3.0 for ); Thu, 5 Sep 1996 17:37:42 -0400 Received: from butthead.ups.com by is.ups.com (5.x/SMI-SVR4) id AA26687; Thu, 5 Sep 1996 17:37:05 -0400 Received: from localhost by butthead.ups.com (SMI-8.6/SMI-SVR4) id RAA21049; Thu, 5 Sep 1996 17:37:40 -0400 Date: Thu, 5 Sep 1996 17:37:39 -0400 (EDT) From: Dave Wreski X-Sender: tel1dvw@butthead To: firewalls@greatcircle.com Subject: fw-1 2.0: Menu too large for screen Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Argh. I am trying to add a host, and I am getting the following message: XView warning: Menu too large for screen (Command Menu package) I have been away for a while, and someone else must have made some changes. Any idea what I can do to add a host? 
Thanks, Dave Wreski -- echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc From firewalls-owner Thu Sep 5 15:29:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18590 for firewalls-outgoing; Thu, 5 Sep 1996 15:21:07 -0700 (PDT) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA18531 for ; Thu, 5 Sep 1996 15:20:51 -0700 (PDT) Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.7.4/8.6.4) id SAA14315; Thu, 5 Sep 1996 18:17:16 -0400 (EDT) From: Jeff Murphy Message-Id: <199609052217.SAA14315@smurfland.cit.buffalo.edu> Subject: Re: fw-1 2.0: Menu too large for screen To: tel1dvw@is.ups.com (Dave Wreski) Date: Thu, 5 Sep 1996 18:17:16 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: from "Dave Wreski" at Sep 5, 96 05:37:39 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dave Wreski writes: > > > >Argh. I am trying to add a host, and I am getting the following message: > >XView warning: Menu too large for screen (Command Menu package) > >I have been away for a while, and someone else must have made some >changes. Any idea what I can do to add a host? > >Thanks, >Dave Wreski untick the "display in menu" check box in the host properties sheet. The hosts are no longer displayed in the "add" popup menu, only groups. 
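The restricted proxy protocol that Bernhard Schneck's reply recommends earlier on this page (in the web server/database thread that LLynch quotes), shown as an added example that is not part of any message here. The internal service accepts only named operations with syntax-checked, typed parameters and runs one fixed parameterised statement with a row cap, so a web server under hostile control can still ask for the status of alice's order 3 but cannot issue its own SELECT against a table it was never meant to see. The raw_sql_service function beside it is the arrangement the thread warns against. The table names, rows, operation name and field patterns are all constructed for the example, and SQLite stands in for the internal database.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for the internal database.  Tables and rows are
    constructed for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    db.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", 10.0), (2, "bob", 25.5), (3, "alice", 7.25)])
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "4111111111111111"), ("bob", "5500000000000004")])
    return db


# The only operations the internal service will perform.  Each one fixes the
# SQL text, the name, syntax and type of every parameter, and a row cap; the
# web server supplies values, never statements.
QUERIES = {
    "order_status": {
        "sql": "SELECT id, total FROM orders WHERE customer = ? AND id = ?",
        "params": [("customer", re.compile(r"^[a-z]{1,16}$"), str),
                   ("order_id", re.compile(r"^[0-9]{1,9}$"), int)],
        "max_rows": 1,
    },
}


class ProtocolError(ValueError):
    """Request rejected before any SQL is run."""


def internal_service(db, request):
    """Serve one request from the (possibly compromised) web server.
    `request` is a dict of strings as decoded off the wire, e.g.
    {"op": "order_status", "customer": "alice", "order_id": "3"}."""
    spec = QUERIES.get(request.get("op"))
    if spec is None:
        raise ProtocolError("unknown operation")
    allowed = {"op"} | {name for name, _, _ in spec["params"]}
    unexpected = set(request) - allowed
    if unexpected:
        raise ProtocolError("unexpected fields: %s" % sorted(unexpected))
    args = []
    for name, pattern, convert in spec["params"]:
        value = request.get(name)
        if not isinstance(value, str) or not pattern.match(value):
            raise ProtocolError("bad value for %s" % name)
        args.append(convert(value))
    # Fixed statement, bound parameters, bounded result: the caller cannot
    # name another table, widen the WHERE clause or pull a whole table.
    rows = db.execute(spec["sql"], args).fetchmany(spec["max_rows"])
    return [tuple(row) for row in rows]


def raw_sql_service(db, sql):
    """The design the thread warns against: the web server sends SQL text,
    so whoever owns the web server owns the database."""
    return db.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(internal_service(db, {"op": "order_status", "customer": "alice", "order_id": "3"}))
    for hostile in ({"op": "dump_cards"},
                    {"op": "order_status", "customer": "alice' OR 1=1 --", "order_id": "1"}):
        try:
            internal_service(db, hostile)
        except ProtocolError as err:
            print("rejected:", err)
    print("raw SQL channel leaks:", raw_sql_service(db, "SELECT card FROM customers"))
```

The protocol is deliberately dumb: no statement text crosses the firewall, every field is matched against a pattern before it is bound, and an extra field is a protocol error rather than something to ignore. That addresses LLynch's "security through obscurity" worry as well: nothing here depends on the attacker not knowing the protocol, only on the internal service refusing everything outside it.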
From firewalls-owner Thu Sep 5 15:43:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18648 for firewalls-outgoing; Thu, 5 Sep 1996 15:21:53 -0700 (PDT) Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA18641 for ; Thu, 5 Sep 1996 15:21:41 -0700 (PDT) Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA17891; Thu, 5 Sep 1996 18:21:16 -0400 Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2) id SAA23622; Thu, 5 Sep 1996 18:19:39 -0400 From: spencerj@dg-rtp.dg.com (Jon Spencer) Message-Id: <199609052219.SAA23622@splinter.rtp.dg.com> Subject: Re: C2 certified OS that can run a firewall To: mcnabb@argus.cu-online.com (Paul McNabb) Date: Thu, 5 Sep 1996 18:19:32 -0400 (EDT) Cc: firewalls@greatcircle.com In-Reply-To: <199609041436.JAA13457@argus.cu-online.com> from "Paul McNabb" at Sep 4, 96 09:36:14 am X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Of course C2 security is better than no security, but C2 was never Welll ....... it is if you understand its limitations. Otherwise ... > "designed for commercial use" as is sometimes written in articles and > email. If you are in an environment where the system administrators > want to *enforce* security on the users, B1 and higher security features > are needed. But remember, none of the TCSEC ("Orange Book") security > levels were designed for anything other than military/government use. > It just happens that a lot of the security they specify is general- > purpose and works well in all kinds of environments. (1) B1 is not much better than C2. (2) The strengths of B2 and above are related to the high assurance issues rather than to the features. 
At B2 you have a very good expectation that the system actually works like it is supposed to. After that, you must determine if the high assurance features really address the threats in your environment. I would also argue the issue that TCSEC strictly addressed the military. The issues addressed by the TCSEC primarily, at B2 and above, focus on "how do you know it works - prove it!" The sad truth is that people who generated TCSEC systems focused on meeting precisely their interpretation of the minimum system that met the TCSEC requirements. That is not the TCSEC's fault. -- Jon F. Spencer spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj) Data General Corp. Phone : (919)248-6246 62 T.W. Alexander Dr, MS #119 FAX : (919)248-6108 Research Triangle Park, NC 27709 Office RTP 121/9 Reality is an illusion - perception is what counts. No success can compensate for failure in the home. President David O. McKay ***** UCC 1-207 ******** From firewalls-owner Thu Sep 5 16:31:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA22158 for firewalls-outgoing; Thu, 5 Sep 1996 16:17:19 -0700 (PDT) Received: from tsc3.express-hr.com (tsc3.express-hr.com [204.180.103.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA22130 for ; Thu, 5 Sep 1996 16:16:58 -0700 (PDT) Received: by tsc3.express-hr.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BB9B57.665CFA10@tsc3.express-hr.com>; Thu, 5 Sep 1996 18:23:56 -0500 Message-ID: From: Bill Maples To: "'firewalls@greatcircle.com'" , "'David Marcoux'" Subject: RE: Secure Access Firwall (Ascend)?? Date: Thu, 5 Sep 1996 18:23:44 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am in the process of installing it today. 
The features are better than I had expected. I don't have all the settings done correctly yet, but it is very user-friendly. I would suggest that you go to Ascend's home page "www.ascend.com" and download the Secure Access Manager software package. It is the actual package that you will use to administer the router. You can set everything up in the software and build your own firewall, you just won't have a router to send the firewall to. I today enabled WWW and SMTP Mail along with outbound FTP, but I am missing some protocol because I still can't get www to work. I'll try to reply back once I get it up and going.

---------- From: David Marcoux[SMTP:dmarcoux@radar.vertx.com] Sent: Thursday, September 05, 1996 9:11 AM To: firewalls@greatcircle.com Subject: Secure Access Firwall (Ascend)??

Has anyone tried the new product from Ascend called "Secure Access Firewall?" I am very curious about the product. ------------------------------------------------------------------ David Marcoux System Administrator / Web Master dmarcoux@vertx.com Vertex Software Corporation http://www.vertx.com (512) 328-3700 voice

From firewalls-owner Thu Sep 5 18:06:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA27927 for firewalls-outgoing; Thu, 5 Sep 1996 17:20:39 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA27894 for ; Thu, 5 Sep 1996 17:20:10 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id UAA29927; Thu, 5 Sep 1996 20:19:46 -0400 Date: Thu, 5 Sep 1996 20:19:41 -0400 (EDT) From: Rabid Wombat To: Jon Spencer cc: Paul McNabb , firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall In-Reply-To: <199609052219.SAA23622@splinter.rtp.dg.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 5 Sep 1996, Jon
Spencer wrote:

> > Of course C2 security is better than no security, but C2 was never
>
> Welll ....... it is if you understand its limitations. Otherwise ...

WTH does C2 security have to do with a system that should not have any user accounts on it, no user access to it?

-r.w.

From firewalls-owner Thu Sep 5 18:12:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA26357 for firewalls-outgoing; Thu, 5 Sep 1996 17:03:42 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA26327 for ; Thu, 5 Sep 1996 17:03:30 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id TAA29906; Thu, 5 Sep 1996 19:58:43 -0400 Date: Thu, 5 Sep 1996 19:58:38 -0400 (EDT) From: Rabid Wombat To: HARRELLJ@emh7.monroe.army.mil cc: firewalls@GreatCircle.COM Subject: Re: Dialin In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Could you load both IPX and IP stacks on the CUBIX processors? If so, look into running your remote control software (PC Anywhere supports IP connectivity) via a PPP dial-up connection into a terminal server on a bastion segment; use the terminal server to authenticate users. You could implement TACACS+ or RADIUS on the TS. Once you're through the TS and into the CUBIX (you can deny access to other devices at the TS and the router servicing the bastion segment), log into PCAnywhere, take control of the CUBIX processor, and access your Novell assets via IPX.

-r.w.

On 4 Sep 1996 HARRELLJ@emh7.monroe.army.mil wrote:

> We are currently integrating an application based (proxy) firewall into
> our Novell/IPX and SUN/IP lan. Our current dialin capability is through
> a cubix dialin server (reachout software) acting as a workstation on the
> LAN, and it only passes screen, keyboard, and cursor movement to our
> remote PC.
> We then attach to one of our Novell servers (by IPX---our IP id is
> statically given to the workstation by lanworkgroups). The management
> would like to put our current dialin hardware outside of the firewall
> and use Fortezza cards {yes, DMS :-( } for authentication.
> Problems I see:
> 1) Firewall can't see the remote authentication token without seeing
>    the remote computer that is dialing in with the current hardware
> 2) Cubix computers now talk IPX (not IP).
> So what is a standard architecture/configuration for dialin outside of
> firewalls using authentication? It has to be simple---what am I
> missing? All ISPs do it, don't they? Would it be better to put a SUN
> outside of the firewall for dialin, and then just FTP in to get files
> and/or forward email from the inside server? All opinions are helpful.
>
> Here's what I'm thinking:
>
>                      Dialin Server
>                           |
>     router-------------Firewall----Internal LAN
>                           |
>                      WEB Server
>
> Thanks..
>
> V/R,
>
> Jonathan Harrell

From firewalls-owner Thu Sep 5 18:11:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA26428 for firewalls-outgoing; Thu, 5 Sep 1996 17:04:29 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA26406 for firewalls@greatcircle.com; Thu, 5 Sep 1996 17:04:21 -0700 (PDT) Received: from remise (alb-nm2-10.ix.netcom.com [204.32.171.74]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA03938 for ; Tue, 3 Sep 1996 22:38:29 -0700 (PDT) Received: from localhost (mcn@localhost) by remise (950413.SGI.8.6.12/950213.SGI.AUTOCF) via SMTP id XAA02230; Tue, 3 Sep 1996 23:36:08 -0600 Message-Id: <199609040536.XAA02230@remise> X-Mailer: exmh version 1.6.7 5/3/96 To: Peiter Z Cc: firewalls@greatcircle.com, bugtraq@netspace.org, best-of-security@suburbia.net Subject: Re: BoS: SecurID White Paper In-reply-to: peiterz's message of Wed, 04 Sep 1996 11:37:56 -0600.
<199609041737.LAA01403@silence.secnet.com> Reply-To: mcn@EnGarde.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 03 Sep 1996 23:36:07 -0600 From: Mike Neuman Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I apologize for the cross post, but I believe this encompasses all of the mailing lists to which the original announcement was sent.

> SecurID Vulnerabilities White-Paper
>
> Due to increased recent interest that has been witnessed on the net
> about the SecurID token cards and potential vulnerabilities with their
> use, we offer a white paper on some of the vulnerabilities that we believe
> have been witnessed and/or speculated upon.

I appreciate the conclusion of the paper which finally does proclaim that SecurID (and other one time password tokens) are extremely vulnerable. The vulnerabilities described seem to be overly esoteric, however. Unmentioned is perhaps the most serious flaw in one-time password systems: session hijacking attacks. It's trivial for an intruder to monitor the network, waiting for a user to legitimately authenticate themselves. Once authenticated, the intruder can hijack that user's connection and assume his credentials. This type of attack can even be automated. (If you believe hijacking is only a theoretical attack, see http://www.engarde.com/software/ipwatcher . Versions of our software have existed for about 4 years, and recently we've begun seeing some public domain hijacking tools available.) The author does mention the use of combination encrypted sessions and one time passwords, which seems to be the best solution at present.
-Mike mcn@EnGarde.com From firewalls-owner Thu Sep 5 18:40:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA26925 for firewalls-outgoing; Thu, 5 Sep 1996 17:08:26 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA26751 for firewalls@greatcircle.com; Thu, 5 Sep 1996 17:07:39 -0700 (PDT) Received: from tuna.wang.com (TUNA.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA07810 for ; Wed, 4 Sep 1996 10:17:27 -0700 (PDT) Received: from mars.wangfed.com (mars.Wangfed.COM [159.94.10.1]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id NAA06278 for ; Wed, 4 Sep 1996 13:16:48 -0400 Received: from uc0009.wangfed.com (uc0009 [159.94.10.15]) by mars.wangfed.com (8.7.5/3.8) with SMTP for delivery to "" id NAA28892; Wed, 4 Sep 1996 13:22:35 -0400 (EDT) Received: from [159.94.14.48] by uc0009.wangfed.com (BULL 5.61++/B.O.S 02.01) id AA27404; Wed, 4 Sep 96 13:09:43 -0400 Date: Wed, 4 Sep 96 13:09:43 -0400 Message-Id: <9609041709.AA27404@uc0009.wangfed.com> From: "Wang Federal SSSO" Reply-To: "Wang Federal SSSO" To: firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message Robert Hanson writes: > what is intended for "strong" protection then? tia... It depends on which religion you subscribe to. If it's the NCSC religion, "strong" protection (which they call "high assurance") doesn't kick in until you're running on at least a B2-evaluated system (B3 and A1 will also do the trick). The notion behind "high assurance" is that covert channel analysis has been performed to ensure that mechanisms used by the operating system itself to exchange data between its own processes/objects cannot be subverted to bypass system security policy and exchange meaningful human-readable information (or, ostensibly, trojan horse code). 
The practical notion behind it is that a high assurance system will not only be difficult to hack from the outside, it will be difficult to compromise by expert users on the inside. It will also make auditing of security administrator logins and logouts impossible to circumvent, even by the security administrator, so there is always *some* kind of audit trail even of the "superuser".

"Medium assurance" (B1) and "High Assurance" (B2-A1) systems also provide two access policies - discretionary, which is also provided on C-level systems, and mandatory, which is unique to B and A level systems. Used intelligently, a mandatory policy can help further protect firewall executable images and configuration files from hacker attack, and can also isolate the firewall from the underlying operating system in a way that is harder to circumvent than using discretionary access controls alone.

Anyone who's really interested in this stuff can take a look at the NCSC's Orange and Yellow Books. Those of the ITSEC persuasion will discover that their Protestantism isn't all that different from NCSC's Catholicism when it comes to defining "high assurance". The difference is that the ITSEC separates features from assurance when it rates a system, so that one could ostensibly have a system with all sorts of security features that are found in high assurance systems, with no corresponding level of assurance that the features work as designed and documented. I guess this is because (allegedly) in the commercial world (and, frighteningly, in much of the government) people don't care about independent certification of a vendor's security claims. For example, why would anyone in his right mind trust a vendor's word on whether the "hardened" UNIX on which its firewall runs actually has all the security "holes" removed? Or whether an unevaluated system truly has the assurance the vendor claims it does? Oh well.
There are a lot of folks who want to do away with the FDA, too, and leave it up to the individual drug companies to assure us their products are safe. I don't know if I'm too cynical, but I kind of like knowing that the organisation certifying the safeness of a drug - or the assurance of an operating system - isn't the same organisation that has a vested interest in selling that drug or organisation. REALITY CHECK: Nothing the underlying operating system does can guarantee the correctness of the firewall application code. However, the operating system *can* be used to isolate that code in a way that will ensure that if the firewall code contains some (intentionally or unintentionally) malicious code, that malicious code cannot attack the operating system. ===== K.M. GOERTZEL Manager, Business Development Secure Systems and Services Operation WANG FEDERAL, Inc. 7900 Westpark Drive - MS 700 McLean, VA 22102-4299 USA +1-703-827 3914 +1-703-827 3161 (fax) goertzek@wangfed.com http://www.wangfed.com/products/ssso/homepage.html *** "The true artist has no pride, for he realizes art's demands are limitless, and though he may be admired or praised by others, he sees only darkly how far he is from his goal, when a greater inspiration shall shine before him like a distant sun." 
-- Ludwig van Beethoven From firewalls-owner Thu Sep 5 18:57:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA26646 for firewalls-outgoing; Thu, 5 Sep 1996 17:06:52 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA26624 for firewalls@greatcircle.com; Thu, 5 Sep 1996 17:06:41 -0700 (PDT) Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA28862 for ; Wed, 4 Sep 1996 08:19:23 -0700 (PDT) Received: (from cklaus@localhost) by phoenix.iss.net (8.6.13/8.6.12) id LAA31427 for firewalls@greatcircle.com; Wed, 4 Sep 1996 11:17:22 -0400 From: Christopher Klaus Message-Id: <199609041517.LAA31427@phoenix.iss.net> Subject: C2 Myths To: firewalls@greatcircle.com Date: Wed, 4 Sep 1996 11:17:22 -0400 (EDT) X-Mailer: ELM [version 2.4 PL24 PGP2] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There is a lot of hype among security products touting the fact that they are C2 certified so that they are more secure than non-C2 security products. I was wondering how many people really perceive that C2 brings them a more secure product? Here's an interesting article from InfoWorld (www.infoworld.com) that explains C2 and tries to explain what benefits a C2 product provides. Exploding the C2 myth C2-level security had its place in the past, but today's systems need security that is much more robust By Ben Rothke Publication Date: August 26, 1996 (Vol. 18, Issue 35) The label "C2 certified" is enough to make some users feel secure and cozy with what they perceive to be the Holy Grail of secure computing. Although C2-certified systems are often described as overly secure, the C2 designation is really the most bare-bones approach to a secure system. 
The term C2 is being used to sell computer security products and operating systems the same way as phrases such as "100 percent organic," "doctor recommended," and "completely guaranteed" are used to sell vitamins. However, requiring C2 security in your corporation's security products and operating systems doesn't protect them from attack. In fact, you need to look to much more robust security products to protect systems at both the desktop and the network level. Within the network operating systems realm, for example, NetWare and Windows NT Workstation are touted as C2 certified. Although C2 is a good starting point, it was never intended to be the one-and-only guarantee that security measures are up to snuff.

Further complicating this issue are the different designations given to products. Some products boast that they are "C2 compliant," "C2 certifiable," "designed to C2," or "under C2 evaluation." But the term "designed to meet C2" does not mean the same thing as "evaluated at C2." Many vendors have been marketing their systems as designed to meet C2 requirements. This sounds impressive but actually is more likely to mean that a product is in evaluation, or a company is "thinking about someday having it evaluated."

The C2 specification and the six related security levels are hampered by a slow and time-consuming certification process. Remember, the U.S. government does the testing. Certification can easily take longer than a year; it often takes as many as two years to complete. During that time, a product could go through an interim release, which would render the latest version uncertified because certification only applies to a specific version. For example, even though NT Workstation and NT Server 3.51 were C2-certified, Microsoft Corp. has to reapply for the certification of NT, Version 4.0.

SEVEN LEVELS.
The C2 security designation is just one of seven security levels specified in the Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC). The TCSEC is also known as the Orange Book (because of its orange cover). The need to measure trust and security led to the development of the TCSEC, which was first issued in 1985. It was created by the Department of Defense and the National Computer Security Center (NCSC). Seven security levels are listed, from the highest impenetrability to the lowest, in the Orange Book.

A1 - Verified Design. The highest level demands formal security verification methods to ensure that security controls protect classified and other sensitive information. Even the National Security Agency cannot break in.
B3 - Security Domains. This level is intended to protect systems from people with programming experience.
B2 - Structured Protection. Hackers should not be able to break into a system with B2-level security.
B1 - Labeled Protection. At this level, a really good hacker could possibly break in, but users can't.
C2 - Controlled Access Protection. C2 provides protection for log-in procedures, allows auditing of security-relevant events, and offers resource isolation.
C1 - Discretionary Protection. This level enables users to set access controls to protect private or project information.
D - Minimal Protection. The lowest level is reserved for systems that have been evaluated but have failed to meet the requirements for a higher evaluation class.

POPULAR YET INSECURE. Some of the most important stipulations of C2-level security are discretionary access control, auditing, identification and authentication, and object reuse. Of these, the term most often used when discussing C2 is access control. Access control simply means that you can designate and control who can use any object within an operating system, from the file and directory level to printers and systems management.
C2 also has provisions for system auditing to determine what users have done and where they have been within the system. The identification and authentication stipulation requires the system to use passwords to protect data from being accessed by unauthorized users. But even when a product meets these and other requirements and is C2 certified, that doesn't mean the system is bulletproof. The Orange Book is simply a book of basic specifications. One can have a C2 system that allows a user to have the password "password." Further, C2 certification does not require any tiger team penetration testing or any real requirement that holes identified in the system get fixed. (Tiger teams were first created by the military to test system security by staging attacks on sensitive computer systems.) Operating systems such as MS-DOS, the MacOS, Windows, and OS/2 are considered to have level D protection because they provide no security. To be precise, these systems are not truly D-rated because they were never submitted for evaluation.

DATED INTENTIONS.

The design intentions of the C2 planners were impressive, but C2 has not held up over the years. The Orange Book has its roots in the U.S. military, which has security needs that are not comparable to a nonmilitary organization. The specification starts with the premise that every system is under attack. Although true in many situations, it is incorrect to accept that premise in all situations. Security experts say C2 levels of security are inadequate for protecting a computer from well-known attacks. C2 security relies entirely on discretionary access control, which means that all protective measures on the system are under the control of individual users. In particular, there are administrative users, such as Unix root or NetWare 3.x supervisors, and there are supervisor-equivalent users, who can circumvent any protection placed on system resources.
Thus, an attacker can bypass any system security measure by penetrating an administrative user account or by tricking such a user to execute a Trojan horse program. C2 was a really good concept for its time, but it is somewhat dated, according to Padgett Peterson, a security expert based in Orlando, Fla. A big problem today is that people are trying to stretch Orange Book criteria and apply them to network environments. However, NT is only certified when not connected to a network, according to both the Trusted Products List and Microsoft's own documentation. But other security experts believe that in spite of all its flaws, the Orange Book has a lot to offer to companies that have yet to secure their systems. "I never liked the Orange Book approach much, but it does have one benefit: It induces people who have to comply with it to make safer systems in general, even if I disagree with some of the desired functionality," says William Cheswick, a computer security expert and author of the 1994 book Firewalls and Internet Security: Repelling the Wily Hacker. "Commercial systems these days could be improved by following some of the Orange Book advice. Right now they are often wide open," Cheswick says.

BEYOND C2.

Companies such as Mergent International Inc., in Rocky Hill, Conn., and Fischer International Systems Corp., in Naples, Fla., offer products that go beyond making local workstations C2-compliant by providing additional security as well. Mergent's desktop security product, PC/DACS, available for DOS, Windows, and Windows 95, offers features such as encryption and a time-out option that lets users walk away without leaving their workstations vulnerable to attack. The TCSEC criteria were a notable commodity in their day. But new security standards are sorely needed today, and they are indeed being worked on. The TCSEC criteria are a long way from being effective.
They can at times be inadequate, and they are often utterly ineffective when it comes to creating a secure corporate computing environment. So when a salesperson shows you a glossy brochure in which every 10th term is C2, don't get too excited. Rather than being the end of your search for a secure computing environment, C2 is just the beginning.

Ben Rothke is a New York-based network and security engineer for Citibank North America. The views expressed are his own. He can be reached via e-mail at 74710.3325@compuserve.com.

The Orange Book's purpose

The Orange Book has its roots in principles of a state-machine model developed by Bell and LaPadula in the early 1970s. That model has fallen into disuse today and is clearly no longer viewed as state of the art. The complete set of Trusted Computer System Evaluation Criteria (TCSEC) manuals are known as the Rainbow series, due to the different colors of the manuals. The Rainbow series currently is made up of more than 20 books. These numerous interpretations clarify Orange Book requirements with respect to specific system components. In 1987, the NCSC created the Red Book, which is an interpretation of Orange Book security requirements that are applicable to the network computing environment. TCSEC criteria are developed around the concept of a Trusted Computing Base (TCB). The Orange Book defines the TCB as "The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy." The government attempted to update the Rainbow series, but it never got beyond the stage of a first draft. Work on a document known as the Common Criteria began as the European TCSEC in 1993. Version 1.0 of the Common Criteria is now available. It was somewhat modified first by Canada and then by the United States. More information can be found at http://csrc.ncsl.nist.gov/nistpubs/cc.
The Orange Book offers this explanation of its goals: The TCSEC criteria defined in the Orange Book classify systems in four broad hierarchical divisions of enhanced security protection. They provide a basis for the evaluation of effectiveness of security controls built into automatic data processing system products. The criteria were developed with three objectives in mind:

* to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information;
* to provide guidance to manufacturers with regard to what to build into their new, widely available trusted commercial products in order to satisfy trust requirements for sensitive applications; and
* to provide a basis for specifying security requirements in acquisition specifications.

For more information on the Orange Book and C2, readers should consult Computer Security Basics, by Russell & Gangemi. The Orange Book is available online at http://www.disa.mil/MLS/info/orange. You can also order copies of the Orange Book from the Superintendent of Documents in the U.S. Government Printing Office at (202) 512-1800.

SCC takes a different security path

Secure Computing Corp. (SCC), in Roseville, Minn., has taken a unique approach to security with its Sidewinder Internet Firewall product. The company has effectively said, "To heck with C2, we will design something that works." SCC has designed its systems with the utmost security in mind, and it says that C2 is too limited in the real world. SCC says that even the mandatory access control mechanism customarily provided in B- and A-level systems is far too permissive for implementing guard and firewall systems. Instead, the company uses Type Enforcement, a patented mandatory access control mechanism it developed that provides a finer degree of control.
SCC implemented this mechanism in its Secure Network Server Mail Guard, a system for passing e-mail between classified and unclassified networks that offers a high level of security protection and verification. High security systems incorporate mandatory access control systems, such as the multilevel security mechanisms in B- or A-level systems, or Sidewinder's Type Enforcement. These mandatory systems prevent all users from circumventing vital access restrictions. On Sidewinder, for example, the Type Enforcement restrictions prevent even the highly privileged Internet mail server from accessing other portions of the system. In fact, the mail system can only pass messages to internal users by way of a separate, protected filtering process. Thus, if the Internet mail software is attacked and corrupted, the attacker is still blocked from penetrating the internal network. The mandatory protections applied to the mail software can only be disabled by taking the system down and restarting it, with its network connections disabled. SCC validates its approach by having over a decade of experience developing highly assured computing systems in accordance with the National Computer Security Center's (NCSC) Orange Book requirements. Based on SCC's experience, Sidewinder would earn a B2- or B3-level certification if SCC did additional analytical and documentation tasks. SCC says that because its Sidewinder product was originally developed for the commercial market, there is very limited value to NCSC evaluations in the commercial market. Therefore, there is little cost justification for the additional work required to complete an NCSC evaluation. For more information, contact SCC at (800) 692-5625, or visit the company's Web site at http://www.sctc.com.

-- 
Christopher William Klaus                                Voice: (770)395-0150. Fax: (770)395-1972
Internet Security Systems, Inc.                          "Internet Scanner finds
Ste. 660, 41 Perimeter Center East, Atlanta, GA 30346    your network security holes
Web: http://www.iss.net/  Email: cklaus@iss.net          before the hackers do."

From firewalls-owner Thu Sep 5 18:59:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA25807 for firewalls-outgoing; Thu, 5 Sep 1996 16:59:17 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA25642 for ; Thu, 5 Sep 1996 16:58:31 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA11276; Thu, 5 Sep 1996 16:57:39 -0700 Received: from hidata.com(205.158.61.34) by mycroft via smap (V1.3mjr) id sma011274; Thu Sep 5 16:56:49 1996 Received: by hidata.com; id AA05519; Thu, 5 Sep 96 16:57:20 PDT Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma005517; Thu, 5 Sep 96 16:57:02 -0700 Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id QAA12253; Thu, 5 Sep 1996 16:56:57 -0700 Message-Id: <2.2.32.19960905235504.0036cf30@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 05 Sep 1996 16:55:04 -0700 To: Firewalls@GreatCircle.COM From: Bill Stout Subject: Re: C2 certified OS that can run a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 06:19 PM 9/5/96 -0400, you wrote:
>> Of course C2 security is better than no security, but C2 was never
>> ...
>Welll ....... it is if you understand its limitations. Otherwise ...
>(1) B1 is not much better than C2.
>(2) The strengths of B2 and above are related to the high assurance issues
> rather than to the features. At B2 you have a very good expectation
>I would also argue the issue that TCSEC strictly addressed the military.
Using ancient government specs for leading edge technology is like trying to wedge square pegs into round holes. Since none of the existing certification processes comply with our requirements for firewalls, why not write our own security certification? Let Gatekeepers write an RFC as a customer writes an RFQ. The "Great Circle Firewall-List certification version 1.0", or gcfl-1. There. I said it. 'Make it so', and 'Engage'.

Bill Stout _______________________________________________________________________________ Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;) Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself ___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Thu Sep 5 19:04:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA01260 for firewalls-outgoing; Thu, 5 Sep 1996 17:59:12 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA01128 for ; Thu, 5 Sep 1996 17:58:32 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id VAA03267; Thu, 5 Sep 1996 21:03:46 -0500 From: Adam Shostack Message-Id: <199609060203.VAA03267@homeport.org> Subject: Re: options for proxying SSL traffic? To: junya@fsdirect.com Date: Thu, 5 Sep 1996 21:03:46 -0500 (EST) Cc: ssl-talk@netscape.com, firewalls@greatcircle.com In-Reply-To: from "junya@fsdirect.com" at Sep 5, 96 12:08:51 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'd go for a demilitarized zone, a third interface off the firewall with just the web server. Web servers tend to be big, complex, buggy bits of software with things like user written cgis that just blow your security. So, if you proxy a connection through the firewall to a box that's likely to be broken into, you need protection from that box.
Adam

junya@fsdirect.com wrote:
| If a network connected to the internet was using a proxy firewall (say,
| Gauntlet or fwtk), and had a web server behind the firewall which had
| SSL enabled, what options does the firewall administrator have to ensure
| that people outside can access the web server inside w/SSL?
|
| Someone at TIS said all that needed to be done was to use plug-gw (a
| generic proxy which just passes bytes) so that the firewall passes
| traffic. However, given that internal web browsers require a specific SSL
| proxy service to access SSL enabled web servers on the outside, I don't
| feel quite convinced. (won't browsers care that the host they're
| connecting to is different from what the passed certificate information
| says?)
|
| If it's the case that an SSL proxy service is needed for incoming requests,
| it would seem like the rules would have to be fairly stringent so that
| someone would not take advantage of it to probe the internal network -
| like having an HTTP proxy for incoming requests.
|
| Can someone explain, before I actually try it out?
|
|
| Junya Ho
| FSDirect
| v: 416 368 3920 x5411
| f: 416 368 5505
|
|

-- 
"It is seldom that liberty of any kind is lost all at once."
-Hume From firewalls-owner Thu Sep 5 19:09:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA07286 for firewalls-outgoing; Thu, 5 Sep 1996 18:43:06 -0700 (PDT) Received: from norway.it.earthlink.net (norway-c.it.earthlink.net [204.119.177.49]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA07270 for ; Thu, 5 Sep 1996 18:42:52 -0700 (PDT) Received: from x.earthlnk.net (pool014.Max18.Orlando.FL.DYNIP.ALTER.NET [153.37.188.206]) by norway.it.earthlink.net (8.7.5/8.7.3) with SMTP id SAA08542 for ; Thu, 5 Sep 1996 18:35:10 -0700 (PDT) Date: Thu, 5 Sep 96 18:44:22 PST From: rich Subject: authenticated/encrypted sessions To: firewalls@greatcircle.com X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 4.6.3, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, This should be a simple one (yeah right) that should generate lots of responses (I hope). I want to set up authenticated and encrypted tunnels through a firewall. the rub, NO COMMERCIAL products allowed. My thoughts -- socks5 since I have to handle windows 3.1, win 95 and winNT apps as well as Unix. So, Comments? Suggestions? Strange Sounds? ADVANCE, rich o' |,=./ `o (o o) -----ooO--(_)--Ooo------- ** Remember -- If you can keep your head when all others around you are losing theirs... You're probably not paying attention! 
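As an added illustration of the SOCKS5 route rich raises above (this is example code written for this archive, not anything a poster sent), the following Python walks both sides of a SOCKS5 CONNECT negotiation as laid out in RFC 1928, with the username/password sub-negotiation of RFC 1929 and a server-side destination policy of the kind a firewall proxy enforces. The user, password, allow-list, bind address and destinations are constructed for the example. One caveat a practitioner needs before taking this route: RFC 1929 sends the password in the clear, so this method gives the firewall authentication but not encryption; the GSS-API method (RFC 1961) is the SOCKS5 mechanism that also negotiates per-message protection, and otherwise the encryption has to come from a separate layer.

```python
"""SOCKS5 (RFC 1928) CONNECT negotiation with username/password (RFC 1929).

Added example for this thread, not code from any poster: both sides of the
exchange are modelled in memory, and the server only admits authenticated
clients and only to an allow-listed destination. Users, password, allow-list,
bind address and destinations are all constructed for illustration.
"""
import socket
import struct

VER = 0x05
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07

USERS = {"rich": "s3cret"}                         # constructed credentials
ALLOWED = {("10.1.1.25", 25), ("10.1.1.80", 80)}   # constructed destination allow-list
BIND_ADDR, BIND_PORT = "172.16.0.1", 40000         # constructed server-side bind address


# ---- client messages ----
def client_greeting(methods):
    """VER NMETHODS METHODS..."""
    return struct.pack("!BB", VER, len(methods)) + bytes(methods)


def client_userpass(user, password):
    """RFC 1929 sub-negotiation: VER(0x01) ULEN UNAME PLEN PASSWD."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT for an IPv4 destination."""
    return (struct.pack("!BBBB", VER, CMD_CONNECT, 0x00, ATYP_IPV4)
            + socket.inet_aton(host) + struct.pack("!H", port))


# ---- server handlers ----
def server_select_method(greeting):
    """Return VER METHOD. Never downgrade to NO AUTHENTICATION just because it is offered."""
    ver, n = greeting[0], greeting[1]
    methods = greeting[2:2 + n]
    if ver != VER or len(methods) != n:
        raise ValueError("malformed greeting")
    chosen = METHOD_USERPASS if METHOD_USERPASS in methods else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])


def server_check_userpass(msg):
    """Return VER STATUS; STATUS 0x00 is success, anything else means close the connection."""
    if msg[0] != 0x01:
        raise ValueError("bad sub-negotiation version")
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen].decode()
    ok = USERS.get(user) == password   # real code: hmac.compare_digest against a stored hash
    return bytes([0x01, 0x00 if ok else 0x01])


def server_reply(rep):
    """VER REP RSV ATYP BND.ADDR BND.PORT."""
    return (struct.pack("!BBBB", VER, rep, 0x00, ATYP_IPV4)
            + socket.inet_aton(BIND_ADDR) + struct.pack("!H", BIND_PORT))


def server_handle_request(req):
    ver, cmd, rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != VER or rsv != 0x00 or atyp != ATYP_IPV4:
        raise ValueError("malformed or unsupported request")
    if cmd != CMD_CONNECT:
        return server_reply(REP_CMD_NOT_SUPPORTED)
    dst = (socket.inet_ntoa(req[4:8]), struct.unpack("!H", req[8:10])[0])
    # Policy check: an off-list destination gets "connection not allowed by ruleset".
    return server_reply(REP_SUCCEEDED if dst in ALLOWED else REP_NOT_ALLOWED)


# ---- the whole exchange, in wire order ----
def negotiate(user, password, host, port, methods=(METHOD_NOAUTH, METHOD_USERPASS)):
    """Return (selected method, auth outcome or None, REP code or None)."""
    method = server_select_method(client_greeting(methods))[1]
    if method == METHOD_NONE_ACCEPTABLE:
        return method, None, None          # client must close (RFC 1928 section 3)
    if server_check_userpass(client_userpass(user, password))[1] != 0x00:
        return method, False, None         # server closes the connection (RFC 1929 section 2)
    reply = server_handle_request(client_connect(host, port))
    return method, True, reply[1]


if __name__ == "__main__":
    print(negotiate("rich", "s3cret", "10.1.1.25", 25))                        # (2, True, 0)
    print(negotiate("rich", "guess", "10.1.1.25", 25))                         # (2, False, None)
    print(negotiate("rich", "s3cret", "10.1.1.99", 23))                        # (2, True, 2)
    print(negotiate("rich", "s3cret", "10.1.1.25", 25, methods=(METHOD_NOAUTH,)))  # (255, None, None)
```

The three server decisions are the ones that matter on a firewall: a client that only offers NO AUTHENTICATION is refused with method 0xFF rather than silently accepted, a failed sub-negotiation ends the session before any request is read, and an off-policy destination is answered with REP 0x02 so the client learns it hit the ruleset and not a transient failure.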
From firewalls-owner Thu Sep 5 19:59:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA14527 for firewalls-outgoing; Thu, 5 Sep 1996 19:37:56 -0700 (PDT) Received: from dallas-cs-000.novare.net ([205.229.104.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA14466 for ; Thu, 5 Sep 1996 19:37:35 -0700 (PDT) Received: from muggles (mark@muggles.novare.net [205.229.105.72]) by dallas-cs-000.novare.net (8.7.5/8.6.9) with SMTP id VAA10597 for ; Thu, 5 Sep 1996 21:36:21 -0500 Message-ID: <322F9189.7ADCFED4@novare.net> Date: Thu, 05 Sep 1996 21:50:49 -0500 From: mark Organization: novare international advanced weapons division X-Mailer: Mozilla 3.0 (X11; I; Linux 2.0.6 i586) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: a linux firewall admin'd with ipfwadm Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

anyone done it and if so can you offer any pointers? i have the reading material, but some anecdotal wisdom would be helpful. and i'll be happy to discuss configuration specifics if necessary.
thanks, mark

From firewalls-owner Thu Sep 5 20:14:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA14824 for firewalls-outgoing; Thu, 5 Sep 1996 19:39:52 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA14789 for ; Thu, 5 Sep 1996 19:39:30 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Fri, 6 Sep 96 04:38 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 6 Sep 96 04:38 MET DST Received: by lina id m0uyqhj-0004jQC (Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 6 Sep 96 04:31 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: Mail and win95 To: firewalls@greatcircle.com Date: Fri, 6 Sep 1996 04:31:34 +0200 (MET DST) In-Reply-To: <9609051630.0N79E00@morebbs.com> from "potlicker@morebbs.com" at Sep 5, 96 04:30:56 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> A question has come up at Big Co. as to how to bypass their cc:Mail
> entirely and go from Windows 95 machines directly to their firewall.
> That's cos their cc:Mail crashed again and delayed mail for power users.

Are you talking about an MTA on the W95 System or a pop3 MUA? The latter is easy, use netscape or eudora or MS Exchange Client (from PLUS Package) to access a POP3 Server and Send SMTP Mail. Of course you need an MTA Host (How about Linux with smail and qpopper?). This is much better than running a mailer on a desktop system. Of course this is not a firewall question.
Greetings Bernd

From firewalls-owner Thu Sep 5 20:48:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA24174 for firewalls-outgoing; Thu, 5 Sep 1996 20:35:37 -0700 (PDT) Received: from omega.IntraNet.com (omega.IntraNet.com [192.148.106.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA24136 for ; Thu, 5 Sep 1996 20:35:25 -0700 (PDT) Received: by omega.IntraNet.com; (5.65/1.1.8.3/20May95-0100AM) id AA09890; Thu, 5 Sep 1996 23:40:43 -0400 Received: by giant.IntraNet.com (DECUS UUCP /2.0/2.0/2.0/); Thu, 5 Sep 96 23:23:40 EDT Received: by intranet.com (MX V4.2 VAX) id 1; Thu, 05 Sep 1996 23:23:38 EDT Date: Thu, 05 Sep 1996 23:23:37 EDT From: "G. Del Merritt" To: Firewalls@GreatCircle.COM Message-Id: <009A7F09.BAB2B644.1@intranet.com> Subject: Re: Firewalls-Digest V5 #494 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In-reply-to: "potlicker@morebbs.com"'s message of 05 Sep 96 16:30:56

> :
>Does anyone on the list know of freeware, shareware or commercial
>programs to run sendmail or popmail3 on a Windows 95 workstation?
>The Windows 95 workstations are 66 mhz 486's with 32 MB RAM and two 1 GB
>hard disks.

Mosaic can do SMTP to any node with a proper MX record. It's pretty free. Don't know off hand of standalone pop clients for windoze.

-- Del Merritt, ** del@IntraNet.com IntraNet, Inc., One Gateway Center #700, Newton, MA 02158 Voice: 617-527-7020; FAX: 617-527-1761 Just say no to Clipper. You may not add me to a commercial mailing list or send me commercial advertising without my consent.
From firewalls-owner Thu Sep 5 21:04:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA24320 for firewalls-outgoing; Thu, 5 Sep 1996 20:37:17 -0700 (PDT) Received: from ns.helec.co.nz ([202.49.84.17]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA24302 for ; Thu, 5 Sep 1996 20:36:57 -0700 (PDT) Received: from dev.helec.co.nz (gw.helec.co.nz [202.49.84.24]) by ns.helec.co.nz (8.7.4/8.7.3) with ESMTP id WAA01260 for ; Thu, 5 Sep 1996 22:54:10 +1200 Received: (from john@localhost) by dev.helec.co.nz (8.7.4/8.7.3) id WAA06651 for Firewalls@GreatCircle.COM; Thu, 5 Sep 1996 22:57:04 +1200 From: john@helec.co.nz (John L Hardcastle) Message-Id: <9609052257.ZM6650@dev.helec.co.nz> Date: Thu, 5 Sep 1996 22:57:03 +0000 In-Reply-To: firewalls-digest-owner@GreatCircle.COM (Firewalls-Digest) "Firewalls-Digest V5 #493" (Sep 5, 1:00am) References: <199609050800.BAA26701@miles.greatcircle.com> X-Mailer: Z-Mail (3.2.1 24feb96 Caldera) To: Firewalls@GreatCircle.COM Subject: NT port activity list Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Bill Stout[SMTP:bill.stout@hidata.com] > Sent: Tuesday, September 03, 1996 11:42 AM > To: Firewalls@GreatCircle.COM > Subject: Re: NT port activity list Like you Bill, I'm intrigued by this subject and would like to know more, and I've been chatting with Russ offline. > I haven't completed a Satan scan against an NT system yet, but this > is what I got so far. Also much of the system-level communication > is still a mystery; logon process, etc (RPC?). My approach, if I had time, would be to set up an NT server on a small LAN with one host sniffing the NT traffic and another flailing the NT server with Satan. NT boxes seem to love to advertize their services. It should be an easy exercise to generate a fair list of all the things NT responds to and just how it responds would be quite educational.... 
One could use tcpdump or similar, capture the NT traffic to a file and analyze it with Unix tools. Perhaps someone would like to do this and let us all know the outcome? It's important to know all the potentially dangerous services which should be blocked or carefully handled by a firewall. I bet there are some builtins no one knows about yet, like license crawlers. Oh, imagination and the fascination of the unknown! Any far-siders talking out there? Any one in the know from M$ itself reading this and feeling public spirited? Hot topic... BTW you can learn quite a lot from your own firewall logs if you turn on logging for every denied service and connection......

-- John L Hardcastle, Director, HARDCASTLE ELECTRONICS LIMITED P O Box 74028 Market Rd, Auckland 5 Level 7, Eden House, 44 Khyber Pass Rd, Grafton, Auckland, NEW ZEALAND Tel +64.9.366.1502 Fax +64.9.366.1554 Internet: john@helec.co.nz http://www.helec.co.nz/~helec

From firewalls-owner Thu Sep 5 21:19:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA28171 for firewalls-outgoing; Thu, 5 Sep 1996 21:03:12 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA28119 for ; Thu, 5 Sep 1996 21:02:57 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Fri, 6 Sep 96 06:02 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 6 Sep 96 06:02 MET DST Received: by lina id m0uyrzY-0004jQC (Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 6 Sep 96 05:54 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: C2 Myths To: cklaus@iss.net (Christopher Klaus) Date: Fri, 6 Sep 1996 05:54:02 +0200 (MET DST) Cc: firewalls@greatcircle.com In-Reply-To: <199609041517.LAA31427@phoenix.iss.net> from "Christopher Klaus" at Sep 4, 96 11:17:22 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

> A1 - Verified Design. The highest level demands formal security verification
> methods to ensure that security controls protect classified and other
> sensitive information. Even the National Security Agency cannot break in.
>
> B3 - Security Domains. This level is intended to protect systems from people
> with programming experience.
>
> B2 - Structured Protection. Hackers should not be able to break into a
> system with B2-level security.
>
> B1 - Labeled Protection. At this level, a really good hacker could possibly
> break in, but users can't.
>
> C2 - Controlled Access Protection. C2 provides protection for log-in
> procedures, allows auditing of security-relevant events, and offers resource
> isolation.
>
> C1 - Discretionary Protection. This level enables users to set access
> controls to protect private or project information.
>
> D - Minimal Protection. The lowest level is reserved for systems that have
> been evaluated but have failed to meet the requirements for a higher
> evaluation class.

sorry, this is not very useful... "Users" "Hackers" "people with programming experience" "NSA" is not a useful (nor realistic) attribution for security classes.

Greetings Bernd

-- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( ..
) ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/ o--o *plush* 2048/A2C51749 eckes@irc +4972573817 *plush* (O____O) If privacy is outlawed only Outlaws have privacy From firewalls-owner Thu Sep 5 23:14:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA06098 for firewalls-outgoing; Thu, 5 Sep 1996 23:04:13 -0700 (PDT) Received: from gate1.scandpower.no (gate1.scandpower.no [193.91.254.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA06090 for ; Thu, 5 Sep 1996 23:04:05 -0700 (PDT) Received: by gate1.scandpower.no; (5.65v3.2/1.3/10May95) id AA32407; Fri, 6 Sep 1996 08:04:09 +0200 Message-Id: <2.2.16.19960906061714.2c37c812@bill.halden.scandpower.no> X-Sender: bak@bill.halden.scandpower.no X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 08:17:14 +0200 To: firewalls@greatcircle.com From: Bjorn-Arild Kydland Subject: RADIUS protocol specifications Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone have a pointer to the RADIUS protocol specification? 
***************************************************************** Bjorn-Arild Kydland E-mail: bjorn-arild.kydland@halden.scandpower.no Scandpower A/S X.400 G=bjorn-arild S=kydland OU1=halden Os Alle 9 P=scandpower A=telemax C=no N-1777 Halden NORWAY Phone (+47) 69184100 Fax (+47) 69184435 Pager (+47) 96514696 ***************************************************************** From firewalls-owner Fri Sep 6 01:27:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA10751 for firewalls-outgoing; Fri, 6 Sep 1996 01:08:11 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA10744 for ; Fri, 6 Sep 1996 01:08:04 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id BAA00921; Fri, 6 Sep 1996 01:07:40 -0700 Date: Fri, 6 Sep 1996 01:07:40 -0700 (PDT) From: Robert Hanson To: Bjorn-Arild Kydland cc: firewalls@GreatCircle.COM Subject: Re: RADIUS protocol specifications In-Reply-To: <2.2.16.19960906061714.2c37c812@bill.halden.scandpower.no> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk check www.livingston.com or ftp.livingston.com it's there somewhere ---> Robert H. Hanson LAN/WAN Consultant - Internet Service Provider Otis Orchards, Wa. Cutting Edge Communications www.cet.com (509) 927-9541 finger: info@cet.com or email: roberth@cet.com On Fri, 6 Sep 1996, Bjorn-Arild Kydland wrote: > Does anyone have a pointer to the RADIUS protocol specification? 
> *****************************************************************
> Bjorn-Arild Kydland E-mail: bjorn-arild.kydland@halden.scandpower.no
> Scandpower A/S X.400 G=bjorn-arild S=kydland OU1=halden
> Os Alle 9 P=scandpower A=telemax C=no
> N-1777 Halden
> NORWAY
>
> Phone (+47) 69184100 Fax (+47) 69184435
> Pager (+47) 96514696
> *****************************************************************
>

From firewalls-owner Fri Sep 6 02:59:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA15920 for firewalls-outgoing; Fri, 6 Sep 1996 02:33:53 -0700 (PDT) Received: from rara.kotel.co.kr (rara.kotel.co.kr [147.6.15.64]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA15820 for ; Fri, 6 Sep 1996 02:33:08 -0700 (PDT) Received: by rara.kotel.co.kr (8.6.9H1/8.6.4) id RAA18104; Fri, 6 Sep 1996 17:59:48 +1000 From: Kim Message-Id: <199609060759.RAA18104@rara.kotel.co.kr> Subject: firewall-1 delay is tolerable ? To: firewalls@GreatCircle.COM Date: Fri, 6 Sep 1996 17:59:44 +0900 (GMT+9:00) X-Mailer: ELM [version 2.4 PL21-h4] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-2022-kr Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am using FW-1 2.0 on a Sparc 1000 with 2 CPUs. Ping and traceroute passing through the firewall indicate that the delay there is great, and such delay is very clear when comparing it with pings at the outside router. Also the system collision indicator shows excessive, I think, collision status. Do you have any nice improvements about this?

- Kim.
From firewalls-owner Fri Sep 6 04:17:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA22229 for firewalls-outgoing; Fri, 6 Sep 1996 03:55:22 -0700 (PDT) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA22186 for ; Fri, 6 Sep 1996 03:54:57 -0700 (PDT) Received: from pferguso-pc.cisco.com ([171.68.52.54]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id DAA09492; Fri, 6 Sep 1996 03:54:16 -0700 Message-Id: <2.2.32.19960906105430.006d62cc@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 06:54:30 -0400 To: Bjorn-Arild Kydland From: Paul Ferguson Subject: Re: RADIUS protocol specifications Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 08:17 AM 9/6/96 +0200, Bjorn-Arild Kydland wrote: > >Does anyone have a pointer to the RADIUS protocol specification? The RADIUS 'specification' is still an I-D [Internet Draft]: Remote Authentication Dial In User Service (RADIUS) http://www.internic.net/internet-drafts/draft-ietf-radius-radius-05.txt - paul >***************************************************************** >Bjorn-Arild Kydland E-mail: bjorn-arild.kydland@halden.scandpower.no >Scandpower A/S X.400 G=bjorn-arild S=kydland OU1=halden >Os Alle 9 P=scandpower A=telemax C=no >N-1777 Halden >NORWAY > >Phone (+47) 69184100 Fax (+47) 69184435 >Pager (+47) 96514696 >***************************************************************** > -- Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Fri Sep 6 05:14:25 1996
From: "James Rippas (Technology)"
Message-Id: <9609060753.ZM4439@alanis>
Date: Fri, 6 Sep 1996 07:53:11 -0400
To: firewalls@greatcircle.com
Subject: traceroute through a packet filter

Hi,

I'd like to know what ports/protocol I need to permit through a packet filter
for traceroute to work. I've tried just ICMP/traceroute, but that doesn't
work. I suspect I need to let a UDP port through, but I'm not sure.
Thanks,
-jim

From firewalls-owner Fri Sep 6 05:32:09 1996
From: Mark (Mookie)
Message-Id: <199609061214.CAA09218@zang.com>
Subject: Need static NAT product pointers
To: firewalls@greatcircle.com
Date: Fri, 6 Sep 1996 02:14:09 -1000 (HST)

Hi,

I am looking for NAT products which can do static mappings of external
registered IP addresses to internal RFC1597 addresses. External IPs
should always be presented as the same individual internal IP every time. I
do NOT want dynamic pools.

What I am after is:

external              nat              internal

host 1.2.3.4 ---------|===========|------- 172.16.1.4
host 1.2.3.5 ---------|           |------- 172.16.1.5
host 1.2.3.6 ---------|           |------- 172.16.1.6
host 3.4.5.6 ---------|           |------- 172.16.9.6
host 3.4.5.7 ---------|           |------- 172.16.9.7
host 3.4.5.8 ---------|===========|------- 172.16.9.8

The above mappings should be permanent so that each time the external
connects through the NAT machine, the same IP address as used before is
assigned for the new connection. No other hosts should be able to reuse
the internal IP.

Highly desirable is the ability to filter and do next-hop-enforcing
on all packets. Hosts which have not been defined for mapping should
be rejected, with optional logging.

Please email me replies directly.
Thanks,
Mark
mark@zang.com

From firewalls-owner Fri Sep 6 05:47:23 1996
Message-Id: <323011AB.446B@erenj.com>
Date: Fri, 06 Sep 1996 07:57:31 -0400
From: "Bryan D. Boyle"
Organization: Exxon Research and Engineering Co.
To: Rabid Wombat
Cc: firewalls@greatcircle.com
Subject: Re: C2 certified OS that can run a firewall

Rabid Wombat wrote:
>
> On Thu, 5 Sep 1996, Jon Spencer wrote:
>
> > > Of course C2 security is better than no security, but C2 was never
> > >
> > Welll ....... it is if you understand its limitations. Otherwise ...
> >
>
> WTH does C2 security have to do with a system that should not have any
> user accounts on it, no user access to it?

Nothing.
But, it is a good buzzword that can be thrown around to make it look like
you know what you are talking about, when, in fact, if you run the full
suite of C2, you probably have opened up more holes in your OS than if you
actually ran a stripped-down, tightly configured, and heavily controlled
system environment.

But C2 is some sort of magic talisman for security. Like MTBE is a good
oxygenate for gasoline. It impresses those that don't know any better.

Of course, if you don't run the system EXACTLY as the qualification suite
specified, the system is not rated at the level you think you are.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"They that can give up liberty to obtain a little temporary safety
deserve neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania

From firewalls-owner Fri Sep 6 06:14:25 1996
Date: Fri, 6 Sep 1996 08:34:41 -0400 (EDT)
To: Christopher Klaus
From: pelicans@mindspring.com (BeachCruiser)
Subject: Re: C2 Myths
Cc: firewalls@GreatCircle.COM

>SCC takes a different security path
>
>Secure Computing Corp. (SCC), in Roseville, Minn., has taken a unique
>approach to security with its Sidewinder Internet Firewall product.
>For more information, contact SCC at (800) 692-5625, or visit the company's
>Web site at http://www.sctc.com.

Great post Christopher.
...and these ads just keep getting better and better. :-)

___________________________
Bob McKisson
Cypress Systems Corporation
P. O. Box 809
Virginia Beach, VA 23451
(757) 425-4195 Voice
(757) 425-4196 FAX
(757) 442-0008 STU-III
pelicans@mindspring.com

From firewalls-owner Fri Sep 6 06:24:43 1996
From: Wayne.Gifford@East.Sun.COM (Wayne Gifford - Internet Commerce Group)
Message-Id: <9609061240.AA19439@rest1000.East.Sun.COM>
Subject: Re: authenticated/encrypted sessions
To: firewalls@greatcircle.com
Date: Fri, 6 Sep 1996 08:40:06 -0500 (EDT)
In-Reply-To: from "rich" at Sep 5, 96 06:44:22 pm

>
> Hi,
>
> This should be a simple one (yeah right) that should generate lots
> of responses (I hope).
>
> I want to set up authenticated and encrypted tunnels through a
> firewall. the rub, NO COMMERCIAL products allowed. My thoughts --
> socks5 since I have to handle windows 3.1, win 95 and winNT apps
> as well as Unix.
>
> So, Comments? Suggestions? Strange Sounds?
>

Go to http://skip.incog.com and grab the SKIP source code and roll your own.

giff
--
Wayne Gifford                giff@incog.com
Sun Internet Commerce Group
Phone 415-336-0253           http://www.incog.com
Phax  415-336-0673

From firewalls-owner Fri Sep 6 06:30:35 1996
From: "James Rippas (Technology)"
Message-Id: <9609060853.ZM4508@alanis>
Date: Fri, 6 Sep 1996 08:53:56 -0400
To: firewalls@GreatCircle.COM
Subject: traceroute

Hi,

I'd like to know what ports/protocol I need to permit through a packet filter
for traceroute to work. I've tried just ICMP/traceroute, but that doesn't
work. I suspect I need to let a UDP port through, but I'm not sure.
Thanks,
-jim

From firewalls-owner Fri Sep 6 06:50:33 1996
From: Russ
To: "'Firewalls'"
Subject: Building a monitoring system
Date: Fri, 6 Sep 1996 09:00:45 -0400

Howdy folks,

I'm going to take the plunge into Unix by way of building a monitoring
system that would be dedicated to the task of reporting the actions of the
other machines on my very small network. Given my limited Unix background,
I figured the best way to approach this would be to ask y'all what this box
should be.

I've got a 486DX-100 sitting here with 8MB of RAM and an el cheapo PCI
NE2000 clone NIC. I've got 1GB of drive and an ATI VGA Wonder VGA adapter.
A floppy, a Future Domain TMC3260 PCI SCSI-2 adapter, and a NEC 3x SCSI CD
round out the box.
So;

- what OS should I use (downloadable from the net would be preferred)
- will the OS support the hardware I described or do I need
  more/different/better hardware
- what packet monitor tool would be recommended; I would like something
  that I can set filters on and run several filters at once into different
  captures if possible
- could somebody lend me a bookmark file of Unix tools links for the
  recommended OS
- configuration recommendations would be appreciated

I've got similar functionality in my NT boxes, so it's not that I can't do
this in NT. I want to put a dedicated box in place for this now, so I figured
I'd give Unix a try at this before I put NT on it. If it works well, I'll
just leave it there, maybe allowing me to give you more detailed dumps of NT
activity that you can actually grep...;-]

A lot of people have been very helpful to me over time, and I have really
appreciated that help, so I ask you to respond to me in private email once
again and make your suggestions. I promise to summarize the system once it's
put together and post it to the list.
Cheers,
Russ

From firewalls-owner Fri Sep 6 07:21:10 1996
From: Doug Hughes
Date: Fri, 6 Sep 1996 08:45:06 -0500
Subject: Re: authenticated/encrypted sessions
To: rich
Cc: firewalls@GreatCircle.COM

What about designing a proxy for stel or ssh? A proxy would probably be
harder to do in this instance than a packet filter of some sort because
they both have active man-in-the-middle prevention which might get in
your way depending on how you implement your proxy.
--
____________________________________________________________________________
Doug Hughes                            Engineering Network Services
System/Net Admin                       Auburn University
doug@eng.auburn.edu

From firewalls-owner Fri Sep 6 07:21:18 1996
Message-Id: <2.2.32.19960906125633.0071a95c@lint.cisco.com>
Date: Fri, 06 Sep 1996 08:56:33 -0400
To: Mark (Mookie)
From: Paul Ferguson
Subject: Re: Need static NAT product pointers
Cc: firewalls@GreatCircle.COM

The cisco/NTI Private Internet eXchange [PIX] has the ability to do this:

http://www.translation.com

Also, the upcoming release of cisco IOS 11.2 will integrate NAT
functionality into the router software; this particular functionality will
also allow you to do as you've described.

- paul

At 02:14 AM 9/6/96 -1000, Mookie wrote:
>Hi,
>
>I am looking for NAT products which can do static mappings of external
>registered IP addresses to internal RFC1597 addresses. External IPs
>should always be presented as the same individual internal IP every time. I
>do NOT want dynamic pools.
>What I am after is:
>
>external              nat              internal
>
>host 1.2.3.4 ---------|===========|------- 172.16.1.4
>host 1.2.3.5 ---------|           |------- 172.16.1.5
>host 1.2.3.6 ---------|           |------- 172.16.1.6
>host 3.4.5.6 ---------|           |------- 172.16.9.6
>host 3.4.5.7 ---------|           |------- 172.16.9.7
>host 3.4.5.8 ---------|===========|------- 172.16.9.8
>
>The above mappings should be permanent so that each time the external
>connects through the NAT machine, the same IP address as used before is
>assigned for the new connection. No other hosts should be able to reuse
>the internal IP.
>
>Highly desirable is the ability to filter and do next-hop-enforcing
>on all packets. Hosts which have not been defined for mapping should
>be rejected, with optional logging.
>
>Please email me replies directly.
>
>Thanks,
>Mark
>mark@zang.com
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Fri Sep 6 07:43:08 1996
Date: Fri, 6 Sep 1996 09:40:33 -0400
Message-Id: <96090609403338@odo.acdnj.itt.com>
From: nabadm@odo.acdnj.itt.com (set chaos/total)
To: Firewalls@greatcircle.com
Subject: Re: Subject: C2 certified OS that can run a firewall

>
>Digital UNIX is a C2 certified OS. The Alta Vista Firewall Software runs on
>it.
>

As far as I know Digital UNIX is NOT C2 certified. (Which reminds me, my NSA
catalog hasn't arrived.) However, it was designed to be C2 compliant.
When we went to run Digital UNIX in classified system high mode we had to
sit down with the DIS AIS representative and demonstrate to him every aspect
of C2 compliance in order to get permission to use it. Object reuse was
especially difficult to demonstrate, since we had to show that blocks on the
disk were zeroed when deallocated. (I believe Digital UNIX satisfies the
object reuse requirement by zeroing on deallocate. Some OSs do zero on
allocate, some can do both.)

---------------------------------------------------------------------------
"Crisis over back to panic mode!"
---------------------------------------------------------------------------
N.A. Bogart                               nabadm@odo.acdnj.itt.com
OpenVMS & Security Systems Manager        nbogart@avionics.itt.com
ITT Avionics                              (201) 284-5117 VOICE(MAIL)
100 Kingsland Road                        (201) 284-3947 FAX
Clifton NJ 07014                          (201) 730-2681 PAGER
---------------------------------------------------------------------------

From firewalls-owner Fri Sep 6 08:07:24 1996
Message-Id: <32302BA5.ABD@erenj.com>
Date: Fri, 06 Sep 1996 09:48:21 -0400
From: "Bryan D. Boyle"
Organization: Exxon Research and Engineering Co.
To: firewalls@GreatCircle.COM
Subject: Re: C2 Myths

BeachCruiser wrote:
>
> >SCC takes a different security path
> >
> >Secure Computing Corp. (SCC), in Roseville, Minn., has taken a unique
> >approach to security with its Sidewinder Internet Firewall product.
>
> >Web site at http://www.sctc.com.
>
> Great post Christopher.
> ...and these ads just keep getting better and better. :-)

Of course, there is a somewhat comprehensive list of all reported firewall
products (the first, and, non-vendor specific...) at:

http://www.access.digex.net/~bdboyle/firewall.vendor.html

where you can click and surf to all the marketing verborehea you can stand.
This is non-commercial, and maintained by someone with no financial interest
in any vendor products. So, as such, it is honest...:)

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"They that can give up liberty to obtain a little temporary safety
deserve neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania

From firewalls-owner Fri Sep 6 08:16:15 1996
Date: Fri, 6 Sep 1996 07:28:42 -0600 (MDT)
From: Jim Wamsley 303-673-8163
Message-Id: <199609061328.HAA06879@coltano.stortek.com>
To: firewalls@GreatCircle.COM, raf@ezunx.com
Subject: Re: authenticated/encrypted sessions
Organization: Storage Technology Corporation

WARNING BLATANT COMMERCIALISM TO FOLLOW

Network Systems Corporation, a division of StorageTek, has two products to
allow exactly what you are asking to do. The Borderguard and the Security
Router. Each has a capability known as network control facility. These
devices can either be your firewall or sit directly behind your firewall,
and establish authenticated encrypted sleeves across the Internet to a like
device on the far side. Various encryption algorithms are available. Look at
the web site http://www.network.com/SecurityProducts.html

______________________________________________________________
[ Jim Wamsley, Network Engineering                            ]
[ StorageTek 2270 S. 88th St, M.S. 4379, Louisville, CO 80028 ]
[ Audible: (303) 673-8163   Logical jim_wamsley@stortek.com   ]
[ Everything to Excess!                                       ]
[ To enjoy life to the fullest, you must take big bites.      ]
[ Moderation is for monks.
                                                              ]
[ Lazarus Long                                                ]
[______________________________________________________________]

> From firewalls-owner@GreatCircle.COM Thu Sep 5 21:30 MDT 1996
> Date: Thu, 5 Sep 96 18:44:22 PST
> From: rich
> Subject: authenticated/encrypted sessions
> To: firewalls@GreatCircle.COM
> X-Priority: 3 (Normal)
> Mime-Version: 1.0
>
> Hi,
>
> This should be a simple one (yeah right) that should generate lots
> of responses (I hope).
>
> I want to set up authenticated and encrypted tunnels through a
> firewall. the rub, NO COMMERCIAL products allowed. My thoughts --
> socks5 since I have to handle windows 3.1, win 95 and winNT apps
> as well as Unix.
>
> So, Comments? Suggestions? Strange Sounds?
>
> ADVANCE,
> rich
>
>        o'  |,=./  `o
>           (o o)
> -----ooO--(_)--Ooo-------
>
> ** Remember -- If you can keep your head when all others around
> you are losing theirs...
>
> You're probably not paying attention!
>

From firewalls-owner Fri Sep 6 08:44:27 1996
Date: Fri, 6 Sep 1996 07:50:23 -0700 (PDT)
From: Il Oh
To: firewalls@greatcircle.com
Subject: smap alternative?

Is there another product that works like smap? I don't like the licensing
restrictions on it.
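The permanent one-to-one mapping Mark asked for above (and that Paul Ferguson's reply points at PIX and IOS 11.2 NAT for), sketched in Python as an added illustration; this is not code from any product or from the list. The address table is the one in Mark's posting; the class and function names, and the rule that unmapped hosts are dropped and logged rather than assigned anything, are assumptions about how such a box would behave.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# The mapping table from Mark's posting: external registered address on the
# left, the fixed internal RFC 1597 address it is presented as on the right.
STATIC_MAPPINGS: Dict[str, str] = {
    "1.2.3.4": "172.16.1.4",
    "1.2.3.5": "172.16.1.5",
    "1.2.3.6": "172.16.1.6",
    "3.4.5.6": "172.16.9.6",
    "3.4.5.7": "172.16.9.7",
    "3.4.5.8": "172.16.9.8",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


class StaticNat:
    """Permanent one-to-one translation: no pool, no dynamic assignment.
    (Hypothetical class, written for this illustration.)"""

    def __init__(self, mappings: Dict[str, str]) -> None:
        self.ext_to_int: Dict[str, str] = {}
        self.int_to_ext: Dict[str, str] = {}
        self.log: List[str] = []
        for ext, internal in mappings.items():
            if not ipaddress.ip_address(internal).is_private:
                raise ValueError(f"{internal} is not an RFC 1597 private address")
            if internal in self.int_to_ext:
                # No other host may reuse an internal alias.
                raise ValueError(f"internal address {internal} already mapped")
            self.ext_to_int[ext] = internal
            self.int_to_ext[internal] = ext

    def from_external(self, p: Packet) -> Optional[Packet]:
        """Packet arriving on the external side: its source becomes the fixed
        internal alias. An external host with no mapping is rejected and logged."""
        alias = self.ext_to_int.get(p.src)
        if alias is None:
            self.log.append(f"REJECT external src={p.src} dst={p.dst} proto={p.proto}")
            return None
        return replace(p, src=alias)

    def to_external(self, p: Packet) -> Optional[Packet]:
        """Packet leaving toward an alias: the alias destination is rewritten
        back to the real external address; an unknown alias is rejected."""
        ext = self.int_to_ext.get(p.dst)
        if ext is None:
            self.log.append(f"REJECT internal dst={p.dst} has no static mapping")
            return None
        return replace(p, dst=ext)


def mapping_is_valid(mappings: Dict[str, str]) -> bool:
    """True if the table builds; False if it reuses an internal alias or
    maps to a non-private address."""
    try:
        StaticNat(mappings)
    except ValueError:
        return False
    return True
```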
From firewalls-owner Fri Sep 6 08:44:48 1996
Date: Fri, 6 Sep 1996 07:28:42 -0700 (PDT)
From: Robert Hanson
To: Kim
cc: firewalls@GreatCircle.COM
Subject: Re: firewall-1 delay is tolerable ?
In-Reply-To: <199609060759.RAA18104@rara.kotel.co.kr>

ethernet switch?

you can get a good one from smc for less than a thou

--->
Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications      www.cet.com
(509) 927-9541
finger: info@cet.com  or  email: roberth@cet.com

On Fri, 6 Sep 1996, Kim wrote:

> I am using FW-1 2.0 on a SPARC 1000 with 2 CPUs.
> Ping and traceroute passing through the firewall indicate that the delay there
> is great, and the delay is very clear when comparing it with pings from the
> outside router.
> Also the system collision indicator shows, I think, excessive collision status.
> Do you have any nice improvements about this?
> - Kim.
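For the traceroute question James Rippas posted above, an added Python sketch (not from the list or any product) of the two rules a default-deny packet filter needs: outbound UDP probes to the classic traceroute destination ports starting at 33434, and the inbound ICMP Time Exceeded (type 11) and Port Unreachable (type 3, code 3) replies. The inside network 192.168.10.0/24 and the 90-port span (the default 30 hops times 3 probes) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the network sitting behind the packet filter.
INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")

# Classic (UDP) traceroute sends each probe to destination port 33434 + n.
# With the default 30 hops and 3 probes per hop that is 90 consecutive ports.
TRACEROUTE_PORT_BASE = 33434
TRACEROUTE_PORT_SPAN = 90          # assumption: default hop and probe counts
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH_CODE = 3
ICMP_TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def outbound(p: Packet) -> bool:
    """True when the packet originates on the inside network."""
    return ipaddress.ip_address(p.src) in INSIDE_NET


def is_traceroute_probe(p: Packet) -> bool:
    """Rule 1: outbound UDP to the traceroute destination-port range."""
    if not outbound(p) or p.proto != "udp" or p.dport is None:
        return False
    return TRACEROUTE_PORT_BASE <= p.dport < TRACEROUTE_PORT_BASE + TRACEROUTE_PORT_SPAN


def is_traceroute_reply(p: Packet) -> bool:
    """Rule 2: inbound ICMP that traceroute must see: Time Exceeded from
    each intermediate hop, Port Unreachable from the final destination."""
    if outbound(p) or p.proto != "icmp":
        return False
    if p.icmp_type == ICMP_TIME_EXCEEDED:
        return True
    return p.icmp_type == ICMP_DEST_UNREACH and p.icmp_code == ICMP_PORT_UNREACH_CODE


def decide(p: Packet) -> str:
    """Default-deny filter with only the two traceroute rules added.
    Nothing inbound on UDP is opened: the replies arrive as ICMP, not UDP."""
    if is_traceroute_probe(p) or is_traceroute_reply(p):
        return "permit"
    return "deny"
```

A stateless filter cannot tie an inbound ICMP error to the probe that caused it; a stateful one can additionally require that the quoted header inside the ICMP payload matches a probe it recently passed.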
>

From firewalls-owner Fri Sep 6 09:23:29 1996
From: apilosov@cantor.com
Date: Fri, 06 Sep 96 12:01:21 EST
Message-Id: <9608068420.AA842036712@smtpgwy.ny.cantor.com>
To: firewalls@GreatCircle.COM, "James Rippas (Technology)"
Subject: Re: traceroute

AFAIK, traceroute operates by sending UDP packets destined for a random port.
So you can't really enable traceroute past a packet filter. Maybe you can try
looking at the exact format of the UDP packet traceroute sends and allow
packets with just that combination of bytes. But I bet someone smart can hack
this setup.

--alex

______________________________ Reply Separator _________________________________
Subject: traceroute
Author:  "James Rippas (Technology)" at Internet
Date:    9/6/96 11:03 AM

Hi,

I'd like to know what ports/protocol I need to permit through a packet filter
for traceroute to work. I've tried just ICMP/traceroute, but that doesn't
work. I suspect I need to let a UDP port through, but I'm not sure.
Thanks,
-jim

From firewalls-owner Fri Sep 6 09:52:48 1996
Message-Id: <32303F12.691@tiasa.es>
Date: Fri, 06 Sep 1996 16:11:14 +0100
From: Jose Manuel Dominguez
Organization: TIASA
To: Firewalls@GreatCircle.COM
Subject: [Fwd: Firewall for UNIX ??]

--
---
Jose M. Dominguez (TIASA)
Tecnologia Informatica Avanzada S.A.
Miguel Angel 23, 2               Ph: 34-1- 310 25 57 Ext 206
28010 Madrid (Spain)             Fax: 34-1- 308 68 79

Message-ID: <32301F4B.1D62@tiasa.es>
Date: Fri, 06 Sep 1996 13:55:39 +0100
From: Jose Manuel Dominguez
Organization: TIASA
To: firewalls@greatcircle.com
Subject: Firewall for UNIX ??

Hi all,

Does anybody know where to find a demo firewall for a Unix-based system?
I would like to know, as well, the hardware requirements for the
implementation of a firewall system which is intended to be the truster of a
network of 10 PCs and 1 Sun Sparc 20. I'd thank any information supplied.

Thanks in advance,

---
Jose M. Dominguez (TIASA)
Tecnologia Informatica Avanzada S.A.
Miguel Angel 23, 2               Ph: 34-1- 310 25 57 Ext 206
28010 Madrid (Spain)             Fax: 34-1- 308 68 79

From firewalls-owner Fri Sep 6 10:21:38 1996
Message-Id: <199609061441.KAA26082@syl.syl.nj.nec.com>
To: Rajesh Joshi
cc: ashish@syl.nj.nec.com, socks@socks.nec.com, socks5@socks.nec.com,
    firewalls@GreatCircle.COM, ntsocks@syl.nj.nec.com
Subject: Re: SOCKS5 Server for Windows NT from NEC
In-reply-to: Your message of "Wed, 04 Sep 1996 14:46:13 +0500." <199609040946.OAA24095@comm10>
Date: Fri, 06 Sep 1996 10:41:44 -0400
From: Ashish Bisarya

In message <199609040946.OAA24095@comm10>, Rajesh Joshi writes:
>Hi all,
>
>We have downloaded SOCKS5 Server for Windows NT from NEC and copied
>simple configuration file from samples to the directory containing socks5.exe
>
>The socks service starts but when we try to connect to application server using
>netscape through socks server then it is not going through.
>
>Is this some configuration problem ? Can anybody throw some light on this ?
>Whether anybody has successfully installed the SOCKS5 server for Windows NT >? > >Thanks in advance > >-- There are a few things that you should check on: 1. Have you taken a look at the Event Log for any type of error or warning messages? The service may have trouble with your configuration file location or format. 2. Within Netscape make sure you are setting your SOCKS host to your server machine. We did notice problems using Netscape 2.x, but Netscape 3.0 is working quite well. 3. Make sure your socks5.conf has the appropriate permit line for your network. 4. Set SOCKS5_DEBUG and SOCKS5_LOG_STDERR in the config file to see debug messages on stderr on the Socks server, which will give you a lot more information about what is going on. You will have to start the socks server on the command line with the -debug flag so that it does not start as a service. Hope this helps, Ashish ****************************************************************** Ashish Bisarya | NEC Systems Laboratory, Inc.
phone: (609) 734-6114 | Open Systems Technology Center fax: (609) 734-6002 | 4 Independence Way, 3rd Floor ashish@syl.nj.nec.com | Princeton, NJ 08540 From firewalls-owner Fri Sep 6 10:23:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA06997 for firewalls-outgoing; Fri, 6 Sep 1996 07:08:49 -0700 (PDT) Received: from hermes.cu-online.com (hermes.cu-online.com [205.198.248.82]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA06972 for ; Fri, 6 Sep 1996 07:08:36 -0700 (PDT) Received: from argus.cu-online.com (argus.cu-online.com [205.198.248.112]) by hermes.cu-online.com (8.7.5/8.7.5-cuo-s6) with SMTP id JAA21875; Fri, 6 Sep 1996 09:18:55 -0500 (CDT) Received: by argus.cu-online.com (SMI-8.6/SMI-SVR4) id JAA19248; Fri, 6 Sep 1996 09:11:03 -0500 Date: Fri, 6 Sep 1996 09:11:03 -0500 From: mcnabb@argus.cu-online.com (Paul McNabb) Message-Id: <199609061411.JAA19248@argus.cu-online.com> To: wombat@mcfeely.bsfs.org Cc: firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Thu, 5 Sep 1996 20:19:41 -0400 (EDT) > From: Rabid Wombat > > On Thu, 5 Sep 1996, Jon Spencer wrote: > > > > Of course C2 security is better than no security, but C2 was never > > > > Welll ....... it is if you understand its limitations. Otherwise ... > > > > WTH does C2 security have to do with a system that should not have any > user accounts on it, no user access to it? Well, let's see. 1) You could have the activity of the daemons and other processes audited in case of a problem. This could be very useful when trying to track a problem or security hole. 2) The object reuse requirements would make it less likely that a daemon or other process could be tricked into sending info from a previous network request. 3) The TCB protections will make it less likely that bugs and holes in programs can circumvent or damage the system operation. 
4) Daemons could be run in a mode that doesn't have access to any file or other resource on the system (e.g., on UNIX, run a daemon as user "noroot"). 5) The overall functioning of the system would be analyzed and you could feel better about its reliability and security (although at C2 this is somewhat weak). C2 (and all other trusted systems) provides security enhancements in ways that are useful even when no user is on the system. Add to that the assurances that come from well-designed and well-reviewed code, and trusted systems make a lot of sense in a lot of instances. There is a lot of smoke in the air about trusted products, and a lot of misconceptions and misleading statements by both sides (those who claim supernatural protection by trusted systems and those who claim it's all a crock). But you are correct in part. As stated in various places in the Rainbow Series, there are places where a trusted system will add no appreciable benefit to an operation. You could build a firewall machine in such a way as to eliminate the need for a trusted operating system, but I think you would probably want to take your hardware and configuration through an evaluation and get a rating -- something easy like C2, or, for real assurance, B2 or B3. paul ------------------------------------------------------------ Paul McNabb mcnabb@argus.cu-online.com Argus Systems Group, Inc.
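On Ashish's point 4 (turn on debugging to see what the SOCKS server is actually saying), the fastest way to find out why a proxied connection "is not going through" is to speak the handshake yourself and read the reply code, instead of watching Netscape hang. The following is an added example written for this thread, not NEC's code and not taken from any socks5 distribution: a minimal RFC 1928 CONNECT client plus a fake server whose permit set stands in for a socks5.conf permit line. The hostnames are constructed.

```python
"""Minimal SOCKS5 (RFC 1928) CONNECT handshake that reports the server's reply
code. Added example for this thread; not NEC's code. The fake server's permit
set stands in for a socks5.conf permit line; hostnames are constructed."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}

def build_greeting():
    """VER=5, NMETHODS=1, METHODS=[0x00 = no authentication]."""
    return bytes([SOCKS_VERSION, 1, 0x00])

def build_connect(host, port):
    """CONNECT request: dotted quads go as ATYP=1, anything else as ATYP=3 (name)."""
    try:
        addr = bytes([0x01]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("ascii")
        addr = bytes([0x03, len(name)]) + name
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", port)

def parse_connect_request(data):
    """Server side: pull (host, port) out of a CONNECT request."""
    if data[:3] != bytes([SOCKS_VERSION, 0x01, 0x00]):
        raise ValueError("not a SOCKS5 CONNECT: %r" % data[:4])
    atyp = data[3]
    if atyp == 0x01:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 0x03:
        ln = data[4]
        host, rest = data[5:5 + ln].decode("ascii"), data[5 + ln:]
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    return host, struct.unpack("!H", rest[:2])[0]

def parse_connect_reply(data):
    """Client side: (REP code, meaning) from the first bytes of the reply."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data[:4])
    return data[1], REPLY_TEXT.get(data[1], "unknown reply 0x%02x" % data[1])

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed during handshake")
        buf += chunk
    return buf

def socks5_connect(sock, host, port):
    """Drive the client handshake on an open socket to the SOCKS server and
    return (REP code, meaning); the caller decides whether to use the tunnel."""
    sock.sendall(build_greeting())
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method == 0xFF:
        raise ConnectionError("no acceptable auth method, got %r" % ((ver, method),))
    sock.sendall(build_connect(host, port))
    head = recv_exact(sock, 4)                      # VER REP RSV ATYP
    if head[3] == 0x01:                             # then BND.ADDR + BND.PORT
        recv_exact(sock, 4 + 2)
    elif head[3] == 0x04:
        recv_exact(sock, 16 + 2)
    elif head[3] == 0x03:
        recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    return parse_connect_reply(head)

def fake_socks_server(sock, permitted):
    """Stand-in for the real server's ruleset check: REP 0x00 for permitted
    destinations, 0x02 otherwise. It never relays; the handshake is the point."""
    nmethods = recv_exact(sock, 2)[1]
    recv_exact(sock, nmethods)
    sock.sendall(bytes([SOCKS_VERSION, 0x00]))      # pick "no authentication"
    host, _port = parse_connect_request(sock.recv(512))
    rep = 0x00 if host in permitted else 0x02
    sock.sendall(bytes([SOCKS_VERSION, rep, 0x00, 0x01]) + bytes(6))
    sock.close()

def try_connect(host, port, permitted):
    """One handshake over a socketpair against the fake server; returns (REP, meaning)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_socks_server, args=(server, permitted))
    t.start()
    try:
        return socks5_connect(client, host, port)
    finally:
        client.close()
        t.join()
```

Against a real server, open a TCP socket to it (port 1080 by default) and hand that to socks5_connect(); a 0x02 reply means the permit line does not cover your client or destination, a 0x04 or 0x05 means the server accepted you but could not reach the destination itself, and a non-SOCKS reply or an immediate close means you are not talking to a SOCKS5 listener at all (wrong host or port in the browser, or the service never bound the socket).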
TEL 217-384-6300 1405A East Florida Avenue FAX 217-384-6404 Urbana, IL 61801 USA ------------------------------------------------------------ From firewalls-owner Fri Sep 6 10:26:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA22228 for firewalls-outgoing; Fri, 6 Sep 1996 09:22:29 -0700 (PDT) Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA22210 for ; Fri, 6 Sep 1996 09:22:18 -0700 (PDT) Received: from reflections.mindspring.com (localhost [127.0.0.1]) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id MAA14400; Fri, 6 Sep 1996 12:21:58 -0400 Date: Fri, 6 Sep 1996 12:21:54 -0400 (EDT) From: Todd Graham Lewis To: Russ cc: "'Firewalls'" Subject: Re: Building a monitoring system In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Sep 1996, Russ wrote: > Howdy folks, > > I'm going to take the plunge into Unix by way of building a monitoring > system that would be dedicated to the task of reporting the actions of > the other machines on my very small network. Given my limited Unix > background, I figured the best way to approach this would be to ask > y'all what this box should be. > > I've got a 486DX-100 sitting here with 8MB of RAM and a el cheapo PCI > NE2000 clone NIC. I've got 1GB of drive and an ATI VGA Wonder VGA > adapter. A floppy, a Future Domain TMC3260 PCI SCSI-2 adapter, and a NEC > 3x SCSI CD round out the box. > > So; > > - what OS should I use (downloadable from the net would be preferred) Linux or FreeBSD. I prefer Linux, as it has, IMO, better SNMP and general network monitoring tools, plus lots of firewall toys. Either will suit your purposes equally well. 
> - will the OS support the hardware I described or do I need > more/different/better hardware I would consider upgrading the Ethernet cards to real cards: SMC, 3com, etc. Other than that, this should do. > - what packet monitor tool would be recommended, I would like something > that I can set filters on and run several filters at once into different > captures if possible tcpdump. > - could somebody lend me a bookmark file of Unix tools links for the > recommended OS If you are just talking about packet sniffing (no SNMP, etc.), then tcpdump with some perl on top is about the only way to go. A group in Australia is working on some more specialized packet sniffing tools; netman or something like that. The url escapes me. > - configuration recommendations would be appreciated Read the man pages, write a perl script to collate the output of tcpdump, and read the result when you have time. As far as the box goes, install the os, become root, and run tcpdump. There's not that much to it. > I've got similar functionality in my NT boxes, so its not that I can't > do this in NT. I want to put a dedicated box in place for this now so I > figured I'd give Unix a try at this before I put NT on it. If it works > well, I'll just leave it there, maybe allowing me to give you more > detailed dumps of NT activity that you can actually grep...;-] Now we get to the heart of the matter! See if you can reverse engineer Quake's network behaviour while you're at it. 8^) Good luck; mail if problems. __ Todd Graham Lewis Linux! 
Core Engineering Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804 From firewalls-owner Fri Sep 6 10:48:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09616 for firewalls-outgoing; Fri, 6 Sep 1996 07:39:37 -0700 (PDT) Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA09541 for ; Fri, 6 Sep 1996 07:39:12 -0700 (PDT) Received: by gateway.damark.com; id JAA27893; Fri, 6 Sep 1996 09:38:58 -0500 (CDT) Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (V3.1) id xme027887; Fri, 6 Sep 96 09:38:35 -0500 Received: by damark.com (5.65/1.2-eef) id AA12232; Fri, 6 Sep 96 09:37:47 -0500 Message-Id: <9609061437.AA12232@damark.com> From: "william.wells" To: FIREWALLS Subject: FW: C2 Myths Date: Fri, 06 Sep 96 09:36:00 +6C Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: Christopher Klaus >Date: Wed, 4 Sep 1996 11:17:22 -0400 (EDT) >There is a lot of hype among security products touting the fact that they >are C2 certified so that they are more secure than non-C2 security products. >I was wondering how many people really perceive that C2 brings them a more >secure product? >C2 - Controlled Access Protection. C2 provides protection for log-in >procedures, allows auditing of security-relevant events, and offers resource >isolation. >Operating systems such as MS-DOS, the MacOS, Windows, and OS/2 are >considered to have level D protection because they provide no security. To >be precise, these systems are not truly D-rated because they were never >submitted for evaluation. You are correct: C2 is a minimal security level. C2, if properly used, will go a long way to achieving reasonable security for internal business systems. C2, by itself, doesn't mean anything for firewalls nor provide security against hackers. 
The reason why I look for a C2 rating is that it does mean that basic security is present in the operating system; otherwise, I need to go dig through the manuals to see if the basics are around. In many cases, something approaching C2 can be achieved if the proper settings are used. C2 only provides the basic tools on which to build a basic level of security. For many users, C2 is when they begin to see security (you mean I really have to have a password and change it?). Once users (and more importantly, application coders) adjust to this minimal level of security, adding more security is generally not a major paradigm shift. My experience is that many of the proprietary computer systems which were (are?) used in business environments either were C2 or had established add-ons which made them C2 or better. In many cases, you couldn't turn off the security systems although you could make them impotent by how you used or ignored them. The importance of C2 is that there are security hooks built into the system. It's also interesting to me that many of the database engines, which frequently have their own network port, totally bypass their host's security system. Last I checked (several years ago, but the informal discussions I've had don't make me think much has changed), they wouldn't pass a C2 security check (remember: C2 = a minimal security model). Does my firewall need C2? I don't really care. It needs a totally different security model since its protection goals are totally different. Do my internal servers need a C2 level of security? Yes. Not because "C2" is the goal but because they need at least that basic minimal level of security. William Wells Manager, Technical Support/Systems Administration Damark International, Inc william.wells@damark.com These opinions are mine and may or may not reflect those of Damark.
From firewalls-owner Fri Sep 6 10:59:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA06460 for firewalls-outgoing; Fri, 6 Sep 1996 07:03:01 -0700 (PDT) Received: from hogw2.att.com (hogw2.att.com [204.179.186.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA06384 for ; Fri, 6 Sep 1996 07:02:37 -0700 (PDT) From: mdr@vodka.sse.att.com Received: from vodka.sse.att.com by hoig2.att.att.com (SMI-8.6/EMS-1.2 sol2) id JAA09563; Fri, 6 Sep 1996 09:57:27 -0400 Message-Id: <199609061357.JAA09563@hoig2.att.att.com> Subject: Re: C2 certified OS that can run a firewall To: bdboyle@erenj.com (Bryan D. Boyle) Date: Fri, 6 Sep 1996 09:44:46 -0400 (EDT) Cc: wombat@mcfeely.bsfs.org, firewalls@greatcircle.com In-Reply-To: <323011AB.446B@erenj.com> from "Bryan D. Boyle" at Sep 6, 96 07:57:31 am X-Mailer: ELM [version 2.4 PL23-upenn2.7] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Bryan D. Boyle wrote: > Rabid Wombat wrote: > > > > WTH does C2 security have to do with a system that should not have any > > user accounts on it, no user access to it? > > Nothing. But, it is a good buzzword that can be thrown around to make > it look like you know what you are talking about, when, in fact, if you > run the full suite of C2, you probably have opened up more holes in your > os than if you actually ran a stripped-down, tightly configured, and > heavily controlled system environment. A flatly false statement. C2 tightens up security -- it's not a magic bullet, but then what is? Adding C2 does _NOT_ open more holes than it closes. > > But C2 is some sort of magic talisman for security. Like MTBE is a good > oxygenate for gasoline. It impresses those that don't know any better. This is a common misconception: i.e., that C2 has no benefit for firewalls or network security.
The audit trail alone is a _huge_ benefit for security. Proxy logging occurs only if the proxy cooperates by writing log entries. A real C2 system will log all security-relevant events by all programs with or without their cooperation. C2 systems for application firewalls can and should be extended to audit network security events. Of course some firewalls don't have much of an OS to speak of. That doesn't mean that they don't need a security analysis of whatever it is that they _do_ have; it just means that C2 doesn't apply directly. > > Of course, if you don't run the system EXACTLY as the qualification > suite specified, the system is not rated at the level you think you are. The evaluation covers _one_ configuration. Trying to evaluate all possible permutations of configuration options would be impossible because of the sheer number of possible permutations. But a C2 configuration at least gives the admin a _baseline_ for how the system should be configured. If the admin deviates he has to _think_ "how does this impact the security of my system" (what a novel idea). Now I admit that it sounds pretty silly to take the stance "run this without any networking if you want to be secure". But in light of the reality of the situation that's not that far from the truth. The Red Book gives a trusted network interpretation of "C2". This includes a SECRECY POLICY that is "enforced on the network to prevent unauthorized users from reading the sensitive information entrusted to the network". So C2 _can_ be extended to encompass networking concepts. How well the OB maps into networking is an issue that might be worth discussing. But it can and does map. Conclusion: C2 is _not_ the holy grail of computer security, but C2 security has positive benefits for the firewall OS, especially for proxy application type firewalls. I do a lot of work with audit trails (logs) for firewalls and B1/C2 systems. It never ceases to amaze me how underappreciated those logs are.
We have solved many complex mysteries by reviewing the log files. On our system, it's as if every process running were saving a "truss" style output _all_ the time, but without noticeable overhead. The OS-related security events and the network security events are in the same log file, and every record is time-stamped to the hundredth of a second. I can write log analysis programs that test the integrity in practice of my chroot jails and such. And whenever someone telnets to my host, I can see the connection records and _also_ that tlid forks and execs telnetd. Then I can see exactly which shared libraries telnetd binds to; and that it exec's login. Then I can see which libraries login binds to, and that it opens the utmp files, /etc/default/login, /etc/passwd, /etc/shadow ... This type of detailed logging is of tremendous value when you try to analyze a break-in. Mark Riggins Secure Systems Engineering AT&T Labs From firewalls-owner Fri Sep 6 11:05:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA13648 for firewalls-outgoing; Fri, 6 Sep 1996 08:09:57 -0700 (PDT) Received: from jarhead.msfc.nasa.gov (JARHEAD.MSFC.NASA.GOV [128.158.145.193]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA13588 for ; Fri, 6 Sep 1996 08:09:32 -0700 (PDT) Received: (from donna@localhost) by jarhead.msfc.nasa.gov (8.6.12/8.6.12) id KAA09663 for Firewalls@GreatCircle.COM; Fri, 6 Sep 1996 10:09:09 -0500 Date: Fri, 6 Sep 1996 10:09:09 -0500 From: Donna Jones Message-Id: <199609061509.KAA09663@jarhead.msfc.nasa.gov> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #347 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have not been getting any firewall info for a couple of weeks. Please make sure "jarhead@msfc.nasa.gov" is on your mailing list.
Thanks From firewalls-owner Fri Sep 6 11:32:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18652 for firewalls-outgoing; Fri, 6 Sep 1996 08:53:17 -0700 (PDT) Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA18599 for ; Fri, 6 Sep 1996 08:52:48 -0700 (PDT) Received: from Barbara's HP.us.checkpoint.com (barbara-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA08903; Fri, 6 Sep 1996 08:53:42 -0700 Message-Id: <323048E8.4054@us.checkpoint.com> Date: Fri, 06 Sep 1996 08:53:12 -0700 From: "Barbara W. Jaarsma" Reply-To: barbara@us.checkpoint.com Organization: Checkpoint US Technical Support X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: Dave Wreski Cc: firewalls@greatcircle.com Subject: Re: fw-1 2.0: Menu too large for screen References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dave - Presumably, this is FireWall-1? X11 is remarkably strange when it comes to displaying what it considers to be "too much" data. The definition of "too much" varies according to the position of the sun, the moon, the stars, etc. The workaround is to manually edit your objects.C file and turn display to false on objects you can live without displaying. I think the exact line is :show_in_menus (false) but I don't have the file handy to double check. I may have thrown in a space, and menus may actually be singular. -Barb Dave Wreski wrote: > > Argh. I am trying to add a host, and I am getting the following message: > > XView warning: Menu too large for screen (Command Menu package) > > I have been away for a while, and someone else must have made some > changes. Any idea what I can do to add a host?
> > Thanks, > Dave Wreski > > -- > echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc From firewalls-owner Fri Sep 6 11:52:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14099 for firewalls-outgoing; Fri, 6 Sep 1996 08:13:09 -0700 (PDT) Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA13872 for ; Fri, 6 Sep 1996 08:12:03 -0700 (PDT) Received: from localhost (sconner@localhost) by cypress.cycon.com (8.7.5/8.7.3) with SMTP id KAA22585; Fri, 6 Sep 1996 10:38:53 -0400 Date: Fri, 6 Sep 1996 10:38:52 -0400 (EDT) From: Steve Conner To: "James Rippas (Technology)" cc: firewalls@GreatCircle.COM Subject: Re: traceroute In-Reply-To: <9609060853.ZM4508@alanis> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi James, You are correct in assuming that the traceroute requires a UDP port. The problem is that traceroute sends out the UDP packets on a random upper level port (>1023) and then listens for an ICMP reply. My suggestion is try opening outbound UDP for a single host and see if the ICMP packets can come back through. Some firewalls have problems handling the traceroute ICMP replies, but there are a couple of firewalls that I know of that can handle these replies properly. Steve --------------------------------------------------------------- Steve Conner Cypress Consulting, Inc. sconner@cycon.com 703-256-1279 Manager, Research & Development http://www.cycon.com CYCON Labyrinth, Firewall and Network Address Translator --------------------------------------------------------------- On Fri, 6 Sep 1996, James Rippas (Technology) wrote: > Hi, > > I'd like to know what ports/protocol I need to permit through a packet filter > for traceroute to work. I've tried just ICMP/traceroute, but that doesn't > work. 
I suspect I need to let a UDP port through, but I'm not sure. > > Thanks, > > -jim > From firewalls-owner Fri Sep 6 12:05:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA17733 for firewalls-outgoing; Fri, 6 Sep 1996 08:45:22 -0700 (PDT) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA17624 for ; Fri, 6 Sep 1996 08:44:45 -0700 (PDT) Received: from beach.sctc.com (root@localhost) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA06655 for ; Fri, 6 Sep 1996 10:50:12 -0500 (CDT) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA06651 for ; Fri, 6 Sep 1996 10:50:11 -0500 (CDT) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.5/8.7.3) with SMTP id KAA10721; Fri, 6 Sep 1996 10:44:17 -0500 (CDT) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA07091; Fri, 6 Sep 1996 10:44:16 -0500 Date: Fri, 6 Sep 1996 10:44:16 -0500 From: Rick Smith Message-Id: <199609061544.KAA07091@shade.sctc.com> To: Firewalls@GreatCircle.COM Cc: smith@sctc.com Subject: Re: C2 certified OS that can run a firewall X-Newsreader: TIN [version 1.2 PL2] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bill Stout says: : Using ancient government specs for leading edge technology is like trying : to wedge square pegs into round holes. Yes, but the ancient government specs have produced most of the systems today that provide the sort of protection needed to serve the Internet community including potentially hostile users. We largely ignored the TCSEC when building Sidewinder and its mandatory access control, though the team had lots of experience with TCSEC high assurance system development. Though it wasn't intended to be TCSEC compliant, Sidewinder still comes close. 
If we configured some security levels into the type enforcement tables, it would probably fall somewhere between B1 and B2, with a little B3. Rick. smith@sctc.com secure computing corporation From firewalls-owner Fri Sep 6 12:15:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18732 for firewalls-outgoing; Fri, 6 Sep 1996 08:53:46 -0700 (PDT) Received: from deepeddy.DeepEddy.Com (DeepEddy.Com [192.12.3.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA18596 for ; Fri, 6 Sep 1996 08:52:47 -0700 (PDT) Received: from deepeddy.DeepEddy.Com (localhost [127.0.0.1]) by deepeddy.DeepEddy.Com (8.7.3/8.7.2) with ESMTP id KAA23798; Fri, 6 Sep 1996 10:51:48 -0500 (CDT) Message-Id: <199609061551.KAA23798@deepeddy.DeepEddy.Com> X-Mailer: exmh version 1.6.7 5/3/96 To: rich Cc: firewalls@GreatCircle.COM, cwg@deepeddy.DeepEddy.Com Subject: Re: authenticated/encrypted sessions In-Reply-To: Your message of "Thu, 05 Sep 1996 18:44:22 PST." X-Url: http://www.DeepEddy.Com/~cwg Mime-Version: 1.0 Content-Type: multipart/signed; boundary="===_-1_Fri_Sep__6_10:51:43_CDT_1996"; micalc=pgp-md5; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Fri, 06 Sep 1996 10:51:44 -0500 From: Chris Garrigues Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --===_-1_Fri_Sep__6_10:51:43_CDT_1996 Content-Type: text/plain; charset=us-ascii raf@ezunx.com said: > I want to set up authenticated and encrypted tunnels through a > firewall. the rub, NO COMMERCIAL products allowed. My thoughts -- > socks5 since I have to handle windows 3.1, win 95 and winNT apps as > well as Unix. socksified ssh? socks5 is a great system,but it isn't quite what you're talking about. ssh with socks support does what you want but is only "free" on Unix. There is a beta (or is it alpha?) version of a windows client available for free, but the released version will cost money. 
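The traceroute exchange above (James's question and Steve's answer) comes down to three things a stateless packet filter has to let through for the classic UNIX traceroute: the outbound UDP probes, the ICMP "time exceeded" (type 11) replies from each intermediate router, and the ICMP "port unreachable" (type 3, code 3) from the final host. Van Jacobson's traceroute numbers its probe ports up from 33434 (30 hops times 3 probes gives 33434..33523), which is why permitting only ICMP, as James tried, shows nothing but stars. The following is an added example for this thread, not a configuration from any firewall product: a small model of a first-match packet filter with constructed rules and RFC 5737 documentation addresses, run against the packets one traceroute generates.

```python
"""Packet-filter rules for outbound UNIX traceroute, checked against constructed
packets. Added example for this thread, not any product's configuration; the
rule syntax and the RFC 5737 addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str              # "out" = inside to Internet, "in" = the reverse
    proto: str                  # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str
    proto: str
    dport: Optional[range] = None       # None matches any port
    icmp_type: Optional[int] = None     # None matches any type
    icmp_code: Optional[int] = None     # None matches any code

    def matches(self, p):
        return (self.direction == p.direction and self.proto == p.proto
                and (self.dport is None or p.dport in self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type)
                and (self.icmp_code is None or p.icmp_code == self.icmp_code))

def decide(rules, p):
    """First match wins; anything unmatched is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# What permitting "just ICMP" looks like: the UDP probes never leave.
ICMP_ONLY_RULES = [Rule("permit", "out", "icmp"), Rule("permit", "in", "icmp")]

# The minimum that lets UDP traceroute from inside hosts work.
TRACEROUTE_RULES = [
    Rule("permit", "out", "udp", dport=range(33434, 33434 + 90)),
    Rule("permit", "in", "icmp", icmp_type=11),                # time exceeded
    Rule("permit", "in", "icmp", icmp_type=3, icmp_code=3),    # port unreachable
]

def simulate_traceroute(rules, routers, dest, src="192.0.2.10"):
    """What the user sees per hop: the replying address when both the probe and
    its ICMP reply pass the filter, otherwise '*'. One probe per hop."""
    seen = []
    for hop, replier in enumerate(list(routers) + [dest], start=1):
        probe = Packet("out", "udp", src, dest, dport=33434 + hop - 1)
        if replier == dest:
            reply = Packet("in", "icmp", replier, src, icmp_type=3, icmp_code=3)
        else:
            reply = Packet("in", "icmp", replier, src, icmp_type=11, icmp_code=0)
        ok = decide(rules, probe) == "permit" and decide(rules, reply) == "permit"
        seen.append(replier if ok else "*")
    return seen
```

Two caveats for anyone copying the idea into a real filter. First, these rules are stateless: they admit any ICMP type 11 or type 3/3 from anywhere, not only replies to probes you sent. A filter that keeps state can do better, because every ICMP error carries the IP header and first eight bytes of the packet that triggered it, enough to match it to an outstanding UDP probe and drop the rest. Second, Microsoft's tracert uses ICMP echo requests rather than UDP, so for Windows clients you also need outbound type 8 and inbound type 0 (echo reply) in addition to type 11; the UDP rule does nothing for it.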
Of course, it is possible to configure things to use an ssh tunnel between two Unix boxes from other hosts on those networks, but you didn't say enough to tell if that's acceptable. Chris -- Chris Garrigues O- cwg@DeepEddy.Com Deep Eddy Internet Consulting +1 512 432 4046 609 Deep Eddy Avenue Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/ --===_-1_Fri_Sep__6_10:51:43_CDT_1996 Content-Type: application/pgp-signature -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQB1AwUBMjBIipaQnaaFII2dAQEGVAL+NTvbTznLP1h8HoPsfE9WIGvPcxkV1NSb l8OTDBj60BmUJHMtd8U2j/iZ5xBwj1TOLUx4p3YTFMbM2KlgzLHdgfkAnU191/1y WZA5KL/TFOaQFm5XiYJRuacjUcUuTgNJ =nZyY -----END PGP MESSAGE----- --===_-1_Fri_Sep__6_10:51:43_CDT_1996-- From firewalls-owner Fri Sep 6 12:21:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA15746 for firewalls-outgoing; Fri, 6 Sep 1996 08:27:07 -0700 (PDT) Received: from beach.sctc.com (beach.sctc.com [192.55.214.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA15686 for ; Fri, 6 Sep 1996 08:26:43 -0700 (PDT) Received: from beach.sctc.com (root@localhost) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA05284; Fri, 6 Sep 1996 10:32:35 -0500 (CDT) Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3]) by beach.sctc.com (8.7.5/8.7.3) with ESMTP id KAA05280; Fri, 6 Sep 1996 10:32:35 -0500 (CDT) Received: from shade.sctc.com (shade.sctc.com [172.17.192.48]) by sphinx.sctc.com (8.7.5/8.7.3) with SMTP id KAA09790; Fri, 6 Sep 1996 10:26:41 -0500 (CDT) Received: (from smith@localhost) by shade.sctc.com (8.6.12/8.6.9) id KAA04970; Fri, 6 Sep 1996 10:26:41 -0500 Date: Fri, 6 Sep 1996 10:26:41 -0500 From: Rick Smith Message-Id: <199609061526.KAA04970@shade.sctc.com> To: firewalls@greatcircle.com Cc: smith@sctc.com, spencerj@dg-rtp.dg.com (Jon Spencer) Subject: Re: C2 certified OS that can run a firewall X-Newsreader: TIN [version 1.2 PL2] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 
spencerj@dg-rtp.dg.com (Jon Spencer) writes: : (1) B1 is not much better than C2. B1 systems are designed and built to contain mandatory access control mechanisms. C2 is not. This is the crucial difference. : (2) The strengths of B2 and above are related to the high assurance issues : rather than to the features. At B2 you have a very good expectation : that the system actually works like it is supposed to. After that, you : must determine if the high assurance features really address the : threats in your environment. Most of the "high assurance" effort revolves around protecting secrets from being leaked by subverted software. This is not a major security threat to Internet servers and firewalls. Therefore, much of the high assurance spent on typical TCSEC systems is irrelevant to commercial applications. On the other hand, mandatory protection can *unconditionally* protect some portions of the system from direct access or modification by other portions. For example, executables or readable file contents can be protected from modification. Or network interfaces going to a sensitive network can be protected from access by software serving users on the Internet. This is very useful in commercial applications. : I would also argue the issue that TCSEC strictly addressed the military. True. But there's a nugget there -- mandatory protection -- that we need if we need to keep a system intact while serving potentially hostile consumers. It's a real alternative to sacrificial hosts. Rick. 
smith@sctc.com secure computing From firewalls-owner Fri Sep 6 12:29:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA12954 for firewalls-outgoing; Fri, 6 Sep 1996 08:05:03 -0700 (PDT) Received: from fsd1.fsdirect.com ([206.235.252.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA12895 for ; Fri, 6 Sep 1996 08:04:39 -0700 (PDT) Received: from fsd1.fsdirect.com (fsd1.fsdirect.com [206.235.252.10]) by fsd1.fsdirect.com (8.7.5/8.7.3) with SMTP id LAA05569; Fri, 6 Sep 1996 11:00:31 -0400 (EDT) Date: Fri, 6 Sep 1996 11:00:31 -0400 (EDT) From: To: Adam Shostack cc: ssl-talk@netscape.com, firewalls@greatcircle.com Subject: Re: options for proxying SSL traffic? In-Reply-To: <199609060203.VAA03267@homeport.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This reminds me of another issue I had with firewall products. Although I had not made it obvious, the question was framed in the context that the web server would be in an arbitrary network behind the firewall. It seemed that a large chunk of firewalls out there do not offer flexible configurations as far as multiple network interfaces were concerned. How are large organizations (particularly financial institutions) dealing with this? Are there people still doing homebrew FWTK/screend setups for large organizations? For example, Borderware offered a third ethernet interface, but called it Something Special, and charged a huge chunk of money for just the 3rd interface (for DMZs). No more than 3 interfaces, too. In talking to resellers for TIS's Gauntlet, some of them were not willing to set up a firewall with more than 3 (and for one vendor, their limit was 2) interfaces. I was trying to arrange for 4. In fact, the most surprising thing I heard was that there were resellers who had not set up firewalls in any other configuration than 2 or 3 interfaces.
I'm not sure if this cookbook approach implies a greater understanding on their part. This is on top of this stupid problem that product makers insist on weird terminology for the same things (how many different terms and acronyms are there for DMZ?), and will (intentionally, or unintentionally) obscure details such as underlying OS (e.g. what OS does Borderware's black box reside on? their literature points to BSDI or *bsd, but is never stated). Junya Ho FSDirect v: 416 368 3920 x5411 f: 416 368 5505 On Thu, 5 Sep 1996, Adam Shostack wrote: > I'd go for a demilitarized zone, a third interface off the firewall > with just the web server. > > Web servers tend to be big, complex, buggy bits of software with > things like user written cgis that just blow your security. So, if > you proxy a connection through the firewall to a box thats likely to > be broken into, you need protection from that box. > > Adam > > > junya@fsdirect.com wrote: > > | If a network connected to the internet was using a proxy firewall (say, > | Gauntlet or fwtk), and had an web server behind the firewall which had > | SSL enabled, what options does the firewall administrator have to ensure > | that people outside can access the web server inside w/SSL? > | > | Someone at TIS said all that needed to be done was to use plug-gw (a > | generic proxy which just passes bytes) so that the firewall passes > | traffic. However, given that internal web browsers require a specific SSL > | proxy service to access SSL enabled web servers on the outside, I don't > | feel quite convinced. (won't browsers care that the host they're > | connecting to is different from what the passed certificate information > | says?) > | > | If it's the case that a SSL proxy service is needed for incoming requests, > | it would seem like the rules would have to be fairly stringent so that > | someone would not take advantage of it to probe the internal network - > | like having an HTTP proxy for incoming requests. 
> | > | Can someone explain, before I actually try it out? > | > | > | Junya Ho > | FSDirect > | v: 416 368 3920 x5411 > | f: 416 368 5505 > | > | > > > -- > "It is seldom that liberty of any kind is lost all at once." > -Hume > > From firewalls-owner Fri Sep 6 12:55:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA26742 for firewalls-outgoing; Fri, 6 Sep 1996 10:05:46 -0700 (PDT) Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA26682 for ; Fri, 6 Sep 1996 10:05:29 -0700 (PDT) From: potlicker@morebbs.com Received: by morebbs.com id 0IDGX001 Fri, 06 Sep 96 13:04:45 Message-ID: <9609061304.0IDGX00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Fri, 06 Sep 96 13:04:45 Subject: Re: mail & win95 To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks for all the feedback. Answers to a couple of the questions asked follow. 1) These folks only want to run a client on Win 95, which can then pick up mail from their smtp firewall. 2) It is the guts of the cc:Mail crashing, not the SMTP gateway that it uses to connect to the firewall. Apparently many tables got changed and show users in post offices where they are not. When mail comes in to these users it is then rejected as "User xxxxx is not registered" Apparently this caused a loop on some List servers on the Internet. The users are still there but the mail never reaches the correct post office. 3) Some other shops apparently also have users trying to bypass cc:Mail connections to Internet mail because of unreliability. 4) I am not The Dawg. I admire his skills and imitate his style. Don't think he will be back in the US until the statute of limitations runs out. 5) Web searches produced a lot of useless leads. The feedback from this list was FAR more helpful. 
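Added example for the plug-gw/SSL exchange above (it is not part of any message in the thread and is not TIS's plug-gw code): a plug-style TCP relay in Python. It illustrates the two points under discussion. A byte-passing plug never parses what it forwards, so the SSL handshake and the browser's certificate check run end to end between the outside browser and the inside server; the relay is invisible to SSL, which is why the certificate still has to match the name the browser was given, not the firewall's. And the rule pins each listener to one source network and exactly one inside host:port, so an inbound plug cannot be pointed at other inside hosts. The networks, the loopback ports and the echo server standing in for the inside web server are constructed for the demo.

```python
# Added example (not TIS plug-gw code, not from any poster): a plug-style
# TCP relay with a fixed destination.  Addresses, networks and the echo
# server standing in for the inside web server are constructed.
import ipaddress
import socket
import threading

class PlugRule:
    """Who may connect, and the single inside host:port they are joined to.
    The client never chooses the destination, so an inbound plug cannot be
    turned into a probe of other inside hosts."""

    def __init__(self, allowed_sources, dest_host, dest_port):
        self.allowed_sources = [ipaddress.ip_network(n) for n in allowed_sources]
        self.dest_host = dest_host
        self.dest_port = dest_port

    def permits(self, source_ip):
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.allowed_sources)

def _pump(src, dst):
    """Copy bytes one way until EOF.  Nothing is parsed, so a TLS handshake
    passes through untouched and the browser still checks the server's
    own certificate against the name it was given."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF to the other side
        except OSError:
            pass

def relay(client, rule):
    """Apply the rule to one accepted connection; True if it was plugged."""
    if not rule.permits(client.getpeername()[0]):
        client.close()                    # refused before touching the inside
        return False
    upstream = socket.create_connection((rule.dest_host, rule.dest_port))
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    upstream.close()
    client.close()
    return True

def start_echo_server():
    """Constructed stand-in for the inside web server: echoes one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def start_plug(rule):
    """Listen on an ephemeral loopback port and plug exactly one client."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    outcome = {}

    def run():
        client, _ = lsock.accept()
        lsock.close()
        outcome["plugged"] = relay(client, rule)

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    return lsock.getsockname()[1], worker, outcome

def _talk(port, payload):
    """Connect to the plug, send payload if any, return whatever comes back."""
    got = b""
    with socket.create_connection(("127.0.0.1", port)) as c:
        if payload:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
        while True:
            data = c.recv(4096)
            if not data:
                break
            got += data
    return got

def demo():
    """A permitted source gets its bytes through unchanged; a source outside
    the rule is dropped before any inside connection is opened."""
    web_port = start_echo_server()
    port, worker, ok = start_plug(PlugRule(["127.0.0.0/8"], "127.0.0.1", web_port))
    echoed = _talk(port, b"\x16\x03\x01\x00\x05hello")  # TLS-record-looking bytes
    worker.join()
    port, worker, denied = start_plug(PlugRule(["10.0.0.0/8"], "127.0.0.1", web_port))
    refused = _talk(port, b"")
    worker.join()
    return echoed, ok["plugged"], refused, denied["plugged"]

if __name__ == "__main__":
    print(demo())
```

The denied case closes the accepted socket before any inside connection is made, which is the property an inbound plug rule needs: a refused outsider learns nothing about the DMZ or intranet beyond the fact that the firewall's port was open.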
PoT_LiCkEr

From firewalls-owner Fri Sep 6 12:55:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28066 for firewalls-outgoing; Fri, 6 Sep 1996 10:19:04 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA28024 for ; Fri, 6 Sep 1996 10:18:45 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Fri, 6 Sep 96 19:17 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 6 Sep 96 19:17 MET DST Received: by lina id m0uz4Pc-0004jQC (Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 6 Sep 96 19:09 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: smap alternative? To: ioh@wii.com (Il Oh) Date: Fri, 6 Sep 1996 19:09:46 +0200 (MET DST) Cc: firewalls@greatcircle.com In-Reply-To: from "Il Oh" at Sep 6, 96 07:50:23 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > Is there another product that works like smap? I don't like the > licensing restrictions on it. Just use a secure MTA like qmail. If you take a close look at smap you will see that it really doesn't do very much at all. It is not very restrictive on the addresses and passes a lot of insane data... I don't think it is much protection. Use qmail on a DMZ host (or on the firewall, it is really nice and secure AFAIK). 
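Added example following Bernd's note on smap (not smap's or qmail's code, and not part of his message): one concrete reading of "restrictive on the addresses". It is a screen for MAIL FROM and RCPT TO envelope paths that an SMTP front end on a firewall could apply before handing mail to the real MTA behind it. The accepted syntax is deliberately narrower than the RFC 821 grammar: no '|' or shell metacharacters in the local part (the classic sendmail program-alias trick), no source routes, no control characters (which also blocks CRLF smuggling of extra commands), and no single-label domains. The SMTP lines are constructed.

```python
# Added example, not smap or qmail code: an envelope-address screen that an
# SMTP front end could apply before handing mail to the real MTA.  The
# accepted syntax is deliberately narrower than RFC 821; sample lines are
# constructed.
import re

MAX_PATH = 256   # RFC 821 limit on the length of a reverse-path or forward-path
# Local part: must start alphanumeric; no '|', ';', spaces or quotes, which
# is what keeps "|/bin/sh"-style addresses away from a sendmail behind us.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# DOTALL so an embedded CRLF stays inside the captured path and gets rejected
# by the character check rather than silently truncating the command.
_CMD_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*(.*)$", re.IGNORECASE | re.DOTALL)

def check_envelope_address(path, allow_null=False):
    """Return (ok, reason) for one envelope path such as '<user@example.com>'."""
    if len(path) > MAX_PATH:
        return False, "path too long"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in path):
        return False, "control or non-ASCII character"   # also catches CRLF injection
    addr = path.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        return (True, "null reverse-path") if allow_null else (False, "empty address")
    if addr.startswith("@") or "," in addr or ":" in addr:
        return False, "source route not accepted"       # '@relay,@relay2:user@host'
    if addr.count("@") != 1:
        return False, "expected exactly one '@'"
    local, domain = addr.split("@")
    if not _LOCAL_RE.match(local):
        return False, "local part has unexpected characters"
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(l) for l in labels):
        return False, "domain is not a fully qualified name"
    return True, "ok"

def screen_command(line):
    """Screen one MAIL FROM / RCPT TO line; return (accept, SMTP-style reply)."""
    m = _CMD_RE.match(line)
    if not m:
        return False, "500 not a MAIL FROM or RCPT TO command"
    verb, path = m.group(1).upper(), m.group(2)
    ok, why = check_envelope_address(path, allow_null=(verb == "MAIL FROM"))
    return (True, "250 ok") if ok else (False, "501 rejected: " + why)

# Constructed dialogue: the kind of data a permissive front end would pass on.
SAMPLE_LINES = [
    "MAIL FROM:<>",                                     # null sender: allowed
    "RCPT TO:<postmaster@example.com>",                 # ordinary address
    "RCPT TO:<|/usr/bin/uudecode@example.com>",         # program alias trick
    "RCPT TO:<@relay.example.net:victim@example.org>",  # source route
    "RCPT TO:<user@example.com>\r\nDATA",               # embedded CRLF
    "RCPT TO:<user@localhost>",                         # not fully qualified
]

def screen_sample():
    """Accept/reject decision for each constructed line, in order."""
    return [screen_command(line)[0] for line in SAMPLE_LINES]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(line), "->", screen_command(line)[1])
```

A front end like this only decides whether to relay; it is a small, reviewable filter, and the point of a separate DMZ host for the MTA is that whatever it lets through still lands on a machine you are willing to lose.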
Greetings Bernd

From firewalls-owner Fri Sep 6 13:30:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA29720 for firewalls-outgoing; Fri, 6 Sep 1996 10:44:40 -0700 (PDT) Received: from tango.lightech.com.ar (spy.lightech.com.ar [200.0.253.134]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA29669 for ; Fri, 6 Sep 1996 10:44:11 -0700 (PDT) Received: from salsa (router1-p06.pccp.com.ar [200.0.253.22]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with SMTP id QAA10649; Fri, 6 Sep 1996 16:48:24 GMT Message-ID: <32305514.2428@lightech.com.ar> Date: Fri, 06 Sep 1996 13:45:08 -0300 From: Adrian Setton Reply-To: asetton@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 3.0b6 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM CC: "James Rippas (Technology)" Subject: Re: traceroute References: <9609060853.ZM4508@alanis> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Traceroute uses high UDP ports to high UDP ports as outgoing packets (from the machine where you are running traceroute, packets from ports over 32768). The incoming packets are ICMP TTL exceeded messages (ICMP Type 11, Code 0) from the intermediate routers and ICMP port unreachable (ICMP Type 3, Code 3) from the final node. At least, this is what I've seen in my latest dream ... Regards ... -- Adrian F. Setton LighTech Voice: (54-1) 420-4110 Ayacucho 563. 
Piso 13 Dto "A" FAX: (54-1) 315-1343 Buenos Aires e-mail: asetton@lightech.com.ar Argentina URL: http://www.lightech.com.ar From firewalls-owner Fri Sep 6 13:52:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28929 for firewalls-outgoing; Fri, 6 Sep 1996 10:35:57 -0700 (PDT) Received: from mail.marben.com (losgatos.marben.com [206.86.34.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA28922 for ; Fri, 6 Sep 1996 10:35:46 -0700 (PDT) Received: (from girsch@localhost) by mail.marben.com (SMI-8.6/SMI-SVR4/MPI-AG) id KAA19394; Fri, 6 Sep 1996 10:33:56 -0700 From: girsch@marben.com (Arnaud Girsch) Message-Id: <199609061733.KAA19394@mail.marben.com> Subject: Re: traceroute To: apilosov@cantor.com Date: Fri, 6 Sep 1996 10:33:55 -0700 (PDT) Cc: firewalls@GreatCircle.COM, jrippas@fcmc.com In-Reply-To: <9608068420.AA842036712@smtpgwy.ny.cantor.com> from "apilosov@cantor.com" at Sep 6, 96 12:01:21 pm X-Organization: Marben Products, Inc. X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > AFAIK, traceroute operates by sending UDP packet destined for > random port. So you can't really enable traceroute past packet filter. > Maybe you can try looking at exact format of UDP packet traceroute sends > and allow packets with just that combination of bytes. > But I bet someone smart can hack this setup. > > I'd like to know what ports/protocol I need to permit through a packet filter > for traceroute to work. I've tried just ICMP/traceroute, but that doesn't > work. I suspect I need to let a UDP port through, but I'm not sure. > > Thanks, traceroute sends UDP packets, not at random ports, but at port number starting at 33434 (by default). The starting port can be changed, but the default is always the same ... Then it increases port+1 each time it adds a hop. 
It expects ICMP time exceeded answers from all hops on the way. Arnaud. -- Arnaud Girsch -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA

From firewalls-owner Fri Sep 6 14:11:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA25778 for firewalls-outgoing; Fri, 6 Sep 1996 09:58:00 -0700 (PDT) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA25749 for ; Fri, 6 Sep 1996 09:57:45 -0700 (PDT) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id JAA04983; Fri, 6 Sep 1996 09:56:02 -0700 Date: Fri, 6 Sep 1996 09:56:02 -0700 (PDT) From: Leonard Miyata To: Bernd Eckenfels cc: firewalls@GreatCircle.COM Subject: Re: C2 Myths In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Instead of the term "NSA" and "People with programming experience", replace with the sentence "Engineers who are experienced in exploiting bad programming (e.g. the Unix gets() call) to create Security Holes, and have access to the COMPLETE O.S source code with months of time to study it" This is what is actually done during a TCSEC evaluation process Personal opinions provided by Leonard Miyata aka leonard@geminisecure.com GEMINI COMPUTERS INC. http://www.geminisecure.com On Fri, 6 Sep 1996, Bernd Eckenfels wrote: > Hi, > > > A1 - Verified Design. The highest level demands formal security verification > > methods to ensure that security controls protect classified and other > > sensitive information. Even the National Security Agency cannot break in. > > > > B3 - Security Domains. This level is intended to protect systems from people > > with programming experience. > > > > B2 - Structured Protection. Hackers should not be able to break into a > > system with B2-level security. > > > > B1 - Labeled Protection. 
At this level, a really good hacker could possibly > > break in, but users can't. > > > > C2 - Controlled Access Protection. C2 provides protection for log-in > > procedures, allows auditing of security-relevant events, and offers resource > > isolation. > > > > C1 - Discretionary Protection. This level enables users to set access > > controls to protect private or project information. > > > > D - Minimal Protection. The lowest level is reserved for systems that have > > been evaluated but have failed to meet the requirements for a higher > > evaluation class. > > sorry, this is not very useful... "Users" "Hackers" "people with programming > experience" "NSA" is not a useful (nor realistic) attribution for > security classes. > > Greetings > Bernd > -- > (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- > ( .. ) ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/ > o--o *plush* 2048/A2C51749 eckes@irc +4972573817 *plush* > (O____O) If privacy is outlawed only Outlaws have privacy >

From firewalls-owner Fri Sep 6 14:59:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA01945 for firewalls-outgoing; Fri, 6 Sep 1996 11:00:33 -0700 (PDT) Received: from smurfland.cit.buffalo.edu (smurfland.cit.buffalo.edu [128.205.10.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA01789 for ; Fri, 6 Sep 1996 10:59:57 -0700 (PDT) Received: (jcmurphy@localhost) by smurfland.cit.buffalo.edu (8.7.4/8.6.4) id NAA08097; Fri, 6 Sep 1996 13:59:15 -0400 (EDT) From: Jeff Murphy Message-Id: <199609061759.NAA08097@smurfland.cit.buffalo.edu> Subject: Re: Building a monitoring system To: tlewis@mindspring.com (Todd Graham Lewis) Date: Fri, 6 Sep 1996 13:59:14 -0400 (EDT) Cc: Russ.Cooper@RC.Toronto.on.ca, Firewalls@GreatCircle.COM In-Reply-To: from "Todd Graham Lewis" at Sep 6, 96 12:21:54 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII 
Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >If you are just talking about packet sniffing (no SNMP, etc.), then >tcpdump with some perl on top is about the only way to go. A group in >Australia is working on some more specialized packet sniffing tools; >netman or something like that. The url escapes me. ftp://ftp.cs.curtin.edu.au/pub/netman jeff From firewalls-owner Fri Sep 6 15:04:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA03514 for firewalls-outgoing; Fri, 6 Sep 1996 11:11:27 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA03330 for ; Fri, 6 Sep 1996 11:10:24 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id NAA02081; Fri, 6 Sep 1996 13:10:08 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma022867; Fri Sep 6 13:09:47 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id NAA22608; Fri, 6 Sep 1996 13:09:47 -0500 Received: by sonic.nmti.com; id AA13720; Fri, 6 Sep 1996 13:09:46 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9609061809.AA13720@sonic.nmti.com.nmti.com> Subject: Re: C2 certified OS that can run a firewall To: mcnabb@argus.cu-online.com (Paul McNabb) Date: Fri, 6 Sep 1996 13:09:46 -0500 (CDT) Cc: wombat@mcfeely.bsfs.org, firewalls@GreatCircle.COM In-Reply-To: <199609061411.JAA19248@argus.cu-online.com> from "Paul McNabb" at Sep 6, 96 09:11:03 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 1) You could have the activity of the daemons and other processes > audited in case of a problem. This could be very useful when trying > to track a problem or security hole. This is a feature of C2. 
> 2) The object reuse requirements would make it less likely that a > daemon or other process could be tricked into sending info from a > previous network request. This is a feature of C1. > 3) The TCB protections will make it less likely that bugs and holes > in programs can circumvent or damage the system operation. This is a feature of C1. > 4) Daemons could be run in a mode that doesn't have access to any > file or other resource on the system (e.g., on UNIX, run a daemon > as user "noroot"). C2 does not require such a mode exist. > C2 (and all other trusted systems) provides security enhancements > in ways that are useful even when no user is on the system. To be precise, systems require certain security concerns be met to satisfy C2. These concerns, however, are so weak that apart from the auditing requirements just about *any* operating system that has any meaningful security model satisfies C2. Stock bog standard UNIX satisfies C1, and the only requirement it misses under C2 is auditing. Most of the enhancements people add for C2 UNIX systems are not C2 requirements at all. Particularly, there is no C2 requirement for either access control lists or modifying the standard password file (shadowing passwords are a good idea, but C2 doesn't say anything about them). 
From firewalls-owner Fri Sep 6 15:14:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA15965 for firewalls-outgoing; Fri, 6 Sep 1996 12:31:27 -0700 (PDT) Received: from ahcbsd1.ovnet.com (ahcbsd1.ovnet.com [198.77.6.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA15874 for ; Fri, 6 Sep 1996 12:30:54 -0700 (PDT) From: dckinder@ahcbsd1.ovnet.com Received: from dckinder.ovnet.com (xtsb10.ovnet.com [198.77.6.109]) by ahcbsd1.ovnet.com (8.7.4/8.7.3) with SMTP id PAA04177 for ; Fri, 6 Sep 1996 15:46:38 -0400 (EDT) Message-Id: <199609061946.PAA04177@ahcbsd1.ovnet.com> Comments: Authenticated sender is To: firewalls@GreatCircle.COM Date: Fri, 6 Sep 1996 15:28:07 +0000 Subject: NT Security X-mailer: Pegasus Mail for Windows (v2.42) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am an attorney who is interested in the field of computer crime and security and who is trying to get a technical understanding of the subject matter. So far, most of the literature I have been able to discover pertains to UNIX-based security questions. On the basis of these readings, I am beginning to feel I can follow most of the postings on this list. I'm the type of guy who likes to do ten times as much homework as the other guy - that's how I do things. So far, however, I have been unable to obtain technical information on NT-based security questions. I would like to be able to have at least a journeyman's understanding of this subject as well. If somebody could direct me to a website or a book or other source of information that deals specifically with NT security, I would appreciate it. Duncan C. 
Kinder dckinder@ovnet.com From firewalls-owner Fri Sep 6 15:40:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA06280 for firewalls-outgoing; Fri, 6 Sep 1996 11:27:45 -0700 (PDT) Received: from grab (grab.coslabs.com [199.233.92.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA06218 for ; Fri, 6 Sep 1996 11:27:22 -0700 (PDT) Received: from future.mulligan.com by grab (SMI-8.6/SMI-SVR4) id MAA02219; Fri, 6 Sep 1996 12:27:06 -0600 Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) id MAA06532; Fri, 6 Sep 1996 12:27:00 -0600 Message-Id: <199609061827.MAA06532@future.mulligan.com> To: apilosov@cantor.com Cc: firewalls@GreatCircle.COM, jrippas@fcmc.com Subject: Re: traceroute In-Reply-To: Your message of "Fri, 06 Sep 96 12:01:21 EST" References: <9608068420.AA842036712@smtpgwy.ny.cantor.com> X-Mailer: Mew version 1.05 on Emacs 19.31.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Fri, 06 Sep 1996 12:27:00 -0600 From: Geoff Mulligan Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: apilosov@cantor.com > AFAIK, traceroute operates by sending UDP packet destined for > random port. So you can't really enable traceroute past packet > filter. Maybe you can try looking at exact format of UDP packet > traceroute sends and allow packets with just that combination of > bytes. But I bet someone smart can hack this setup. While in theory the ports could be random, in practice they don't seem to be. The Unix version of traceroute from Berkeley starts with port 33434 and increments the port number by one for each next hop. It would probably work to allow outbound UDP packets between ports 33434 and 33600 thereby allowing a traceroute through 165 intermediate hops. The packet filter must also allow ICMP type 3 and type 11 packets inbound. 
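Added example, not part of any message in the traceroute thread: a Python model of the exchange Adrian, Arnaud and Geoff describe, run through a stateless packet filter written to Geoff's rule (outbound UDP from high source ports to 33434-33600, inbound ICMP type 11 and the port-unreachable 3/3 Adrian names). The addresses are constructed from the RFC 5737 documentation ranges. The model also exposes the one thing the rule of thumb hides: the Berkeley traceroute increments the destination port per probe, not per hop, and sends three probes per hop by default, so the same 33434-33600 window covers about 55 hops at three probes each. The number of probes per hop is a parameter so both readings can be tried. The filter is stateless, so it admits those ICMP types from anyone whether or not a probe is outstanding; matching the quoted header inside the ICMP to a sent probe is what a stateful filter adds.

```python
# Added example: model of the traceroute exchange through a stateless
# filter.  Addresses are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass

BASE_PORT = 33434        # first destination port used by Berkeley traceroute
LAST_PORT = 33600        # top of the window suggested in the thread
INSIDE_HOST = "192.0.2.10"

@dataclass(frozen=True)
class Packet:
    direction: str       # "out" = inside -> Internet, "in" = Internet -> inside
    proto: str           # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    ttl: int = 64

def traceroute_filter(pkt):
    """Stateless rules: outbound UDP high port -> 33434..33600, inbound
    ICMP time-exceeded (11) and port-unreachable (3/3).  Being stateless,
    it also admits such ICMP from anyone, solicited or not."""
    if (pkt.direction == "out" and pkt.proto == "udp"
            and pkt.sport > 32768 and BASE_PORT <= pkt.dport <= LAST_PORT):
        return True
    if pkt.direction == "in" and pkt.proto == "icmp":
        return pkt.icmp_type == 11 or (pkt.icmp_type, pkt.icmp_code) == (3, 3)
    return False

def simulate_traceroute(path, dest, max_ttl=30, probes_per_hop=1,
                        policy=traceroute_filter):
    """path: routers between us and dest, in order.  Returns one
    (ttl, responder-or-None) entry per probe, None meaning a '*'.
    The destination port is BASE_PORT + probe sequence number, as in the
    Berkeley traceroute; probes_per_hop=3 is its default."""
    result = []
    seq = 0
    for ttl in range(1, max_ttl + 1):
        reached = False
        for _ in range(probes_per_hop):
            probe = Packet("out", "udp", INSIDE_HOST, dest,
                           sport=40000 + seq, dport=BASE_PORT + seq, ttl=ttl)
            seq += 1
            if not policy(probe):            # filter ate the probe: '*'
                result.append((ttl, None))
                continue
            if ttl <= len(path):             # TTL expires at an intermediate router
                reply = Packet("in", "icmp", path[ttl - 1], INSIDE_HOST,
                               icmp_type=11, icmp_code=0)
            else:                            # reached the end: nothing listens there
                reply = Packet("in", "icmp", dest, INSIDE_HOST,
                               icmp_type=3, icmp_code=3)
            if policy(reply):
                result.append((ttl, reply.src))
                reached = reached or reply.src == dest
            else:                            # filter ate the answer: also '*'
                result.append((ttl, None))
        if reached:
            break
    return result

def first_star(result):
    """TTL of the first probe that got no answer, or None."""
    for ttl, who in result:
        if who is None:
            return ttl
    return None

if __name__ == "__main__":
    for ttl, who in simulate_traceroute(["198.51.100.1", "203.0.113.1"], "203.0.113.80"):
        print(ttl, who or "*")
```

With one probe per hop the short path resolves completely; with three probes per hop and a long path the third probe of hop 56 is the first to land above 33600 and the trace turns to stars from there, which is the failure mode to expect if you size the UDP window to hops rather than probes.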
geoff

From firewalls-owner Fri Sep 6 15:41:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09180 for firewalls-outgoing; Fri, 6 Sep 1996 11:45:14 -0700 (PDT) Received: from firewall.idoc.state.il.us (idoc.state.il.us [163.191.155.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA09063 for ; Fri, 6 Sep 1996 11:44:38 -0700 (PDT) From: tjdavis@idoc.state.il.us Received: (from uucp@localhost) by firewall.idoc.state.il.us (8.6.12/8.6.9) id MAA08369; Fri, 6 Sep 1996 12:40:22 GMT Received: from toad.idoc.state.il.us(172.16.1.2) by firewall.idoc.state.il.us via smap (V2.0alpha) id xma008366; Fri, 6 Sep 96 12:40:00 GMT Content-Length: 2281 Message-ID: X-Mailer: XFMail 0.4 [p0] on Linux Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <199609061441.KAA26082@syl.syl.nj.nec.com> Date: Fri, 06 Sep 1996 13:27:39 -0000 () Organization: Illinois Department of Corrections To: Ashish Bisarya Subject: Re: SOCKS5 Server for Windows NT from NEC Cc: Rajesh Joshi , socks@socks.nec.com, socks5@socks.nec.com, firewalls@GreatCircle.COM, ntsocks@syl.nj.nec.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Netscrape uses Socks4. You must enable ALL authentication in your socks5.conf. If you didn't, it is probably failing on an authentication error. One way to check is to run socks5 in console mode with debugging turned on (socks5 -s -d). It should display a failed message at the point where authentication is done. 
There is probably a message along the lines of 'Socks4: no authentication method found' On 06-Sep-96 Ashish Bisarya wrote: >>In message <199609040946.OAA24095@comm10>, Rajesh Joshi writes: >>Hi all, >> >>We have downloaded SOCKS5 Server for Windows NT from NEC and copied >>simple configuration file from samples to the directory containing socks5.exe >> >>The socks service starts but when we try to connect to application server using >>netscape through socks server then it is not going through. >> >>Is this some configuration problem ? Can anybody throw some light on this ? >>Whether anybody has successfully installed the SOCKS5 server for Windows NT >>? >> >>Thanks in advance >> >>-- > >There are a few things that you should check on: > >1. Have you taken a look at the Event Log for any type of error or warning >messages? The service may have trouble with your configuration file location >or format. > >2. Within Netscape make sure you are setting your SOCKS host to your server >machine. We did notice problems using Netscape 2.x, but Netscape 3.0 is >working quite well. > >3. Make sure your socks5.conf has the appropriate permit line for your network? > >4. set SOCKS5_DEBUG and SOCKS5_LOG_STDERR in the config file to see debug >messages on stderr on the Socks server which will give you a lot more >information about what is going on. You will have to start the socks server on >command line with the -debug flag so that it does not start as a service. > >Hope this helps, >Ashish >****************************************************************** >Ashish Bisarya | NEC Systems Laboratory, Inc. >phone: (609) 734-6114 | Open Systems Technology Center >fax: (609) 734-6002 | 4 Independence Way, 3rd Floor >ashish@syl.nj.nec.com | Princeton, NJ 08540 ---------------------------------- Todd J. 
Davis tjdavis@idoc.state.il.us IL Department of Corrections (217) 522-2666 ext 6358 ----------------------------------

From firewalls-owner Fri Sep 6 15:58:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA22971 for firewalls-outgoing; Fri, 6 Sep 1996 13:15:42 -0700 (PDT) Received: from telemann.inoc.dl.nec.com (telemann.inoc.dl.nec.com [143.101.112.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA22950 for ; Fri, 6 Sep 1996 13:15:28 -0700 (PDT) Received: from shredder.syl.dl.nec.com (shredder.syl.dl.nec.com [143.101.64.3]) by telemann.inoc.dl.nec.com (8.7.3/8.7.3) with ESMTP id PAA12871 for ; Fri, 6 Sep 1996 15:15:17 -0500 (CDT) Received: by shredder.syl.dl.nec.com (8.7.5/YDL1.9.1-940729.15) id PAA28531(shredder.syl.dl.nec.com); Fri, 6 Sep 1996 15:15:16 -0500 (CDT) Received: by babs.syl.dl.nec.com (8.7.1/YDL1.9.1-940729.15) id PAA28832(babs.syl.dl.nec.com); Fri, 6 Sep 1996 15:15:15 -0500 (CDT) To: firewalls@GreatCircle.com Date: 6 Sep 1996 20:15:08 GMT From: "Kermit Tensmeyer" Message-ID: <01bb9c30$04f48e80$c970658f@deacon-blue> Organization: NEC USA CNAD/INOC Path: syl.dl.nec.com!vivaldi.inoc.dl.nec.com!news-admin References: Subject: Re: RealAudio? - Newsgroups: necus.internet.mirror.firewalls Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gilbert Rankin wrote in article ... > A little over a week ago I posed the following question to the list and > would like to thank everyone who responded. > > > My employer is considering putting a RealAudio server on our public web site. > > There is some concern that many of our customers will not be able to access > > the server because they are behind a firewall and due to the conservative > > approach that many companies take toward new proprietary protocols. 
> > If you maintain a firewall, have a moment and responding wouldn't violate your > > security policy would you please send me, _not_ the list a short note saying > > whether you do or do not allow RealAudio traffic through your firewall. sorry late hit. We can use RealAudio with a socksv5 server. PC users use sockscap16. Win95 and NT use sockscap32 to start an image of the RA before the browser winds up. When the browser spawns off a request to the RA tool, it gets the socksified one. Works really well, from this point of view. Some of our users have problems if they are on an internal network with a large number of network collisions. It's been a good tool to identify the network problems in ways that a manager can understand. The udp interface works better than the tcp interface. Our other alternative was to build the RA proxy and run it with xinetd, but it just looks too scary to place on my firewall.. -- Kermit Tensmeyer NEC InterNet Operations Centre (INOC) kermit@cnad.dl.nec.com Dallas, Texas
From firewalls-owner Fri Sep 6 16:38:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA15269 for firewalls-outgoing; Fri, 6 Sep 1996 16:04:42 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA15155 for ; Fri, 6 Sep 1996 16:04:02 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id RAA00520; Fri, 6 Sep 1996 17:56:25 -0400 Date: Fri, 6 Sep 1996 17:56:22 -0400 (EDT) From: Rabid Wombat To: Paul McNabb cc: firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall In-Reply-To: <199609061411.JAA19248@argus.cu-online.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Sep 1996, Paul McNabb wrote: > > Date: Thu, 5 Sep 1996 20:19:41 -0400 (EDT) > > From: Rabid Wombat > > > > On Thu, 5 Sep 1996, Jon Spencer wrote: > > > > > > Of course C2 security is better than no security, but C2 was never > > > > > > Welll ....... it is if you understand its limitations. Otherwise ... > > > > > > > WTH does C2 security have to do with a system that should not have any > > user accounts on it, no user access to it? > > Well, let's see. > > 1) You could have the activity of the daemons and other processes > audited in case of a problem. This could be very useful when trying > to track a problem or security hole. > Maybe. The biggest point for a "secure" OS vs. a "hardened" OS is that I might want to be able to audit the actions of the person who has control of the firewall system. This isn't a C2 thing, though, as I recall, but comes up in the "B" rating. I could be wrong here, as I don't dig into the rainbow books so much anymore. 
> 2) The object reuse requirements would make it less likely that a > daemon or other process could be tricked into sending info from a > previous network request. > Are you referring to proxies being tricked, or applying this argument to inspection as well? > 3) The TCB protections will make it less likely that bugs and holes > in programs can circumvent or damage the system operation. > > 4) Daemons could be run in a mode that doesn't have access to any > file or other resource on the system (e.g., on UNIX, run a daemon > as user "noroot"). > This does not require C2 certification, though. > 5) The overall functioning of the system would be analyzed and you > could feel better about its reliability and security (although at > C2 this is somewhat weak). Yes, it is weak at C2. Also, most of the "C2" systems out there are "designed to C2 specifications" or some other marketing snake oil. This does not make me feel better about anything. I'd rather take the word of others in the field regarding OS hardening, than take the word of anyone's marketing department regarding "C2." > > C2 (and all other trusted systems) provides security enhancements > in ways that are useful even when no user is on the system. Add to > that the assurances that come from well-designed and well-reviewed code, > and trusted systems make a lot of sense in a lot of instances. There > is a lot of smoke in the air about trusted products, and a lot of > misconceptions and misleading statements by both sides (those who > claim supernatural protection by trusted systems and those who claim > it's all a crock). > M$ used to ship NT with "everyone" having rights to the system directory. This may still be the case, for all I know; I haven't had occasion/misfortune to work with NT lately. I don't care who certifies what - if the system ships with any sort of potential "hole" as a default, and it is up to the administrator to harden the OS, guess where your security and peace of mind will have to come from? 
Not your OS rating. > But you are correct in part. As stated in various places in the Rainbow > Series, there are places where a trusted system will add no appreciable > benefit to an operation. You could build a firewall machine in such a > way to eliminate the need for a trusted operating system, but I think > you would probably want to take your hardware and configuration through > an evaluation and get a rating -- something easy like C2, or, for real > assurance, B2 or B3. > The whole orange book system was designed to protect the users from each other, the system from the users, and, to some extent, the system from intruders, as you work your way up the rating scale. Go high enough, and you have somewhat of an argument that you're protecting the firewall system from intruders; but not at C2. Every time I see anybody talking about C2 and firewalls, I expect an NT rant on the next line. The last firewall big "hole" I recall hearing about involved a system that, for a brief moment following boot, allowed packets through unchecked while the firewall software was still initializing. A C2 rating would not have made any difference. IMHO, it only gives a false sense of security. "Of course it's foolproof - it's rated C2 ...". just my $.02 - r.w. > paul > > ------------------------------------------------------------ > Paul McNabb mcnabb@argus.cu-online.com > Argus Systems Group, Inc. 
TEL 217-384-6300 > 1405A East Florida Avenue FAX 217-384-6404 > Urbana, IL 61801 USA > ------------------------------------------------------------ > From firewalls-owner Fri Sep 6 16:48:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04643 for firewalls-outgoing; Fri, 6 Sep 1996 14:48:58 -0700 (PDT) Received: from guardian.colonial.com.au (guardian.colonial.com.au [140.168.249.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA04530 for ; Fri, 6 Sep 1996 14:48:06 -0700 (PDT) Received: by guardian.colonial.com.au; id HAA19759; Sat, 7 Sep 1996 07:47:40 +1000 Received: from norman.cmutual.com.au(140.168.8.9) by guardian.colonial.com.au via smap (g3.0.1) id sma019757; Sat, 7 Sep 96 07:47:18 +1000 Received: from mailgw.sbnsw.com.au ([140.168.11.10]) by norman.cmutual.com.au (post.office MTA v1.9.3 ID# 0-12362) with SMTP id AAA25886 for ; Sat, 7 Sep 1996 07:47:14 +1100 Received: by mailgw.sbnsw.com.au; Sat, 7 Sep 96 7:50:47 +1000 Date: Sat, 7 Sep 96 7:50:47 +60000 Message-ID: X-Priority: 3 (Normal) To: From: Subject: Undeliverable Message X-Incognito-SN: 606 X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To: Cc: Subject: Firewalls-Digest V5 #496 Message not delivered to recipients below. Press F1 for help with VNM error codes. VNM3043: Paul Moen@Security@EDP VNM3043 -- MAILBOX IS FULL The message cannot be delivered because the recipient's mailbox contains the maximum number of messages, as set by the system administrator. The recipient must delete some messages before any other messages can be delivered. The maximum message limit for a user's mailbox is 10,000. The default message limit is 1000 messages. Administrators can set message limits using the Mailbox Settings function available in the Manage User menu (MUSER). 
When a user's mailbox reaches the limit, the user must delete some of the messages before the mailbox can accept any more incoming messages. ---------------------- Original Message Follows ---------------------- The original message was larger than the viewing area. It cannot be displayed as is. Therefore, it has been stored in the file `mail.txt'. Please view this file in order to read the message. Thank you. From firewalls-owner Fri Sep 6 16:51:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA18591 for firewalls-outgoing; Fri, 6 Sep 1996 16:26:45 -0700 (PDT) Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA18575 for ; Fri, 6 Sep 1996 16:26:33 -0700 (PDT) Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id TAA00477; Fri, 6 Sep 1996 19:18:40 -0400 (EDT) Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA10119; Fri, 6 Sep 1996 18:28:38 -0400 Received: from tun-4.imc.das.dec.com [16.136.208.4] (HELO jimlester) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_00ab_3230_a5af_0379; Fri, 06 Sep 1996 18:29:03 -0400 Message-Id: <1.5.4.32.19960906232909.006f8dd0@isbu-mail.ljo.dec.com> X-Sender: jim.lester@isbu-mail.ljo.dec.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Sep 1996 18:29:09 -0500 To: lists@lina.inka.de (Bernd Eckenfels), firewalls@GreatCircle.COM From: Jim Lester Subject: Re: Mail and win95 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In addition, Digital has a MSmail and ccMail gateway for their Altavista Mail server. This allows these users to access the internet or internet mail to automatically find its way to the internal mail users. The server and gateways may be downloaded for evaluation at http://altavista.software.digital.com. 
At 04:31 AM 9/6/96 +0200, Bernd Eckenfels wrote:
> Hi,
>
> > A question has come up at Big Co. as to how to bypass their cc:Mail
> > entirely and go from Windows 95 machines directly to their firewall.
> > That's cos their cc:Mail crashed again and delayed mail for power users.
>
> Are you talking about an MTA on the W95 system or a POP3 MUA? The latter is
> easy: use Netscape or Eudora or MS Exchange Client (from PLUS Package) to
> access a POP3 server and send SMTP mail. Of course you need an MTA host (how
> about Linux with smail and qpopper?). This is much better than running a
> mailer on a desktop system. Of course this is not a firewall question.
>
> Greetings
> Bernd
>

Jim Lester, Business Alliance Manager
Altavista Internet Software
Digital Equipment Corporation
404.843.9645

From firewalls-owner Fri Sep 6 16:59:00 1996
Date: Fri, 06 Sep 1996 14:11:25 -0700
From: Bill Stout
To: Firewalls@GreatCircle.COM
Subject: RE: NT port activity list

I replied to the list, David; if you want me to reply direct only, let me know. This exchange shows different interesting views of NT security.

> > If you type 'netstat /?' at the command prompt, it'll say "Server
> > side connections not normally shown" for the -a variable. Just to be
>
> I don't think it will show listening ports, but does show connected server

It would be nice if 'netstat -a' listed the listening ports on NT. ;)

> > protect the open ports first, then study the security of each port,
> > because each service uses a different security mechanism. SMB and
> > the NT logon process cares about the integrated NT security mechanisms,
> > and for initial connection only, but SQLserver and other apps may
> > not care about integrated NT security, and have as an option alternative
> > user authentication systems. I think other kernel resources that
> > don't use a redirector or go through the NETBIOS stack also divert
> > around integrated security.
>
> SQL server (at least MS's) does use integrated NT security. I have no idea
> what "kernel resources" could _possibly_ divert around the OS security given
> that _every_ kernel resource has security attributes, including an ACL.

Yup, SQLserver can use integrated security, but also has other options to bypass NT security and use other authentication systems, as do other apps like IIS. Exchange is the one app that can't bypass NT security, as far as I know.

An SMB session does not use NT security; the O.S. internally matches the UID of the SMB session to an access token (the UID/token table was built during the first SMB session setup to that particular server). Then ACLs are used internally against that token assumed to belong to that UID. Only internally does NT use security access tokens; tokens are never sent across the net, so unless tokens accompany network traffic, NT security can't directly control network access. Since NT security only works internally by relying on access tokens and ACLs, everything coming in externally is somehow mapped to an access token of a user, a service, or privilege.

...(waiting for flames)

Interesting thing happened to me once: I tested an NT web server on a DMZ with IP as its own single-host domain, put a network card with NETBEUI on an internal net with a different NT domain on it, and before I could set up a one-way domain trust relationship, the event log of the new NT4/IIS system started filling with application-specific license violations of NETBIOS clients belonging to my other domain to server services on the new system which I didn't intend to access. NETBEUI issue, unrelated to TCP/IP, but interesting traffic from an untrusted, separate domain. Might as well have been IP though.

Bill Stout
_______________________________________________________________________________
Senior Systems Admin    NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems    408-970-4822
--- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Fri Sep 6 19:47:05 1996
Date: Fri, 06 Sep 1996 22:28:06 -0400
From: Joe Judge
Organization: Whatever ...
To: "James Rippas (Technology)"
Cc: firewalls@GreatCircle.COM
Subject: Re: traceroute through a packet filter

...
am I wrong, or isn't it loose source routing that it needs? I can't remember. I'll try to play some games through my ipfilter host and watch the logs and/or snoop.

- joe

James Rippas (Technology) wrote:
>
> Hi,
>
> I'd like to know what ports/protocol I need to permit through a packet filter
> for traceroute to work. I've tried just ICMP/traceroute, but that doesn't
> work. I suspect I need to let a UDP port through, but I'm not sure.
>
> Thanks,
>
> -jim

From firewalls-owner Fri Sep 6 19:59:05 1996
Date: Fri, 06 Sep 1996 22:32:19 -0400
From: Joe Judge
Organization: Whatever ...
To: Bernd Eckenfels
Cc: Il Oh, firewalls@GreatCircle.COM
Subject: Re: smap alternative?

A couple of years ago, I remember the net had some *very* simple SMTP server code ... supported just the commands to suck a piece of email in -- then handed it to some mailer program. Would that work? I think I have the code sitting on an old AT&T 3B2 on the 'net.

- joe

Bernd Eckenfels wrote:
>
> Hi,
>
> > Is there another product that works like smap? I don't like the
> > licensing restrictions on it.
>
> Just use a secure MTA like qmail. If you take a close look at smap you will
> see that it really doesn't do very much at all. It is not very restrictive on
> the addresses and passes a lot of insane data... I don't think it is much
> protection. Use qmail on a DMZ host (or on the firewall; it is really nice and
> secure AFAIK).
>
> Greetings
> Bernd

From firewalls-owner Fri Sep 6 20:14:16 1996
Date: Fri, 6 Sep 1996 19:51:26 -0700 (PDT)
From: "Daniel J Blander - Sr. Systems Engineer for ACS"
To: firewalls@greatcircle.com
Subject: Radius Security Issues

I am looking at getting a clear (and fairly thorough) understanding of security issues and firewall considerations when passing RADIUS information from dial-in access servers, through a firewall (of any sort), to RADIUS servers. My intention is to secure the RADIUS servers as best as possible, preventing changes and hacks to the RADIUS systems..... The RADIUS servers will *only* be running RADIUS with all other services turned off and removed (sans telnet/ssh via other paths). The access server would be accessible to the Internet (and vice versa), but the RADIUS server would sit behind a firewall/router.

Provided that I only allow UDP port 1645 in and out, will I be okay, or does the daemon use a random high port like most other services (I haven't finished the RADIUS IETF draft yet)? How secure/insecure is the RADIUS daemon, and what are the best methods for protecting it (can a simple router with correctly set access-lists cut it, or does it require more in-depth monitoring)? How much damage can snooping of the packets and hijacking sessions do?
I am fairly well versed in most other security issues overall, so generalistic answers such as "disable all other services on your RADIUS server" etcetera are not what I'm looking for. And I do understand the many weaknesses in UDP (although if there are specific attacks on RADIUS due to UDP, I would like to know that).

Thanks in advance - you may send replies directly if you prefer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander =8^)
Sr. Systems Engineer
Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800    Fax: (714) 842.8299
Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Official Applied Computer Solutions Home Page and Tech Tip of the Week: http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri Sep 6 22:02:09 1996
Date: Sat, 7 Sep 1996 00:41:48 -0400
From: Joseph.Cupano@EY.COM
To: firewalls@GreatCircle.COM
Subject: Re: mail & win95

How about using Exchange as the client (POP), since it comes with Win95 anyway?
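Daniel Blander's RADIUS question above asks what snooping or hijacking of the UDP/1645 traffic can do. As an added example (not code from any of the posts, and not any RADIUS server's own implementation), the following Python script builds an Access-Request with the User-Password hiding the RADIUS draft specifies, recovers it on the server side, and shows the Response Authenticator check that lets an access server reject a forged Access-Accept; the shared secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2138 / the IETF draft
# the question refers to).  Header is 20 octets: code, id, length, authenticator.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret, request_auth, password):
    """Obscure User-Password as the spec requires.

    The cleartext is padded to a multiple of 16 octets and XORed block by
    block with an MD5 keystream: b1 = MD5(secret + RequestAuth),
    bN = MD5(secret + cN-1).  Only the shared secret stands between a
    captured packet and the password, which is why the secret's strength
    and the path these packets take through the firewall both matter.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(secret, request_auth, hidden):
    """Server side: undo hide_password() and strip the zero padding."""
    padded, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        padded += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(padded).rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 octet), length incl. header (1), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute")
        t, l = struct.unpack("!BB", body[pos:pos + 2])
        if l < 2 or pos + l > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[pos + 2:pos + l]))
        pos += l
    return attrs


def build_access_request(secret, ident, username, password, request_auth=None):
    """Client (NAS) side.  RequestAuth must be unpredictable per request."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_reply(secret, code, request, attrs=()):
    """Server side.  ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_reply(secret, request, reply):
    """Client side: accept a reply only if its authenticator was computed with
    the shared secret over this request's RequestAuth.  This is the check that
    lets a NAS drop a spoofed Access-Accept injected by someone who can reach
    the UDP port but does not hold the secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    code, _, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo(secret=b"example-shared-secret", password=b"correct horse battery"):
    """One exchange plus a forged reply; all values are constructed for the demo."""
    request = build_access_request(secret, 7, b"dblander", password)
    attrs = dict(decode_attrs(request[20:]))          # what the server parses
    recovered = reveal_password(secret, request[4:20], attrs[ATTR_USER_PASSWORD])
    genuine = build_reply(secret, ACCESS_ACCEPT, request)
    forged = build_reply(b"attacker-guess", ACCESS_ACCEPT, request)
    return {"recovered": recovered,
            "hidden_len": len(attrs[ATTR_USER_PASSWORD]),
            "genuine_ok": verify_reply(secret, request, genuine),
            "forged_ok": verify_reply(secret, request, forged)}


if __name__ == "__main__":
    print(demo())
```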
From firewalls-owner Fri Sep 6 22:14:04 1996
Date: 6 Sep 96 22:07:27 EDT
From: Ryan Russell/SYBASE
To: Kim
Cc: firewalls
Subject: Re: firewall-1 delay is tolerable ?

What do you consider a great delay? On my SS20, I get about 2 or 3 ms delay, about the same as a plain router.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: cgkim @ kotel.co.kr (Kim) @ smtp
Date: 09/06/96 05:59:44 PM
Subject: firewall-1 delay is tolerable ?

I am using FW-1 2.0 on a SPARC 1000 with 2 CPUs. Ping and traceroute passing through the firewall indicate the delay there is great, and such delay is very clear by comparing it with pings on the outside router. Also the system collision indicator shows excessive, I think, collision status. Do you have any nice improvements about this?

- Kim.
From firewalls-owner Sat Sep 7 00:29:03 1996
Date: Sat, 7 Sep 96 17:25:50 +60000
Subject: Undeliverable Message
Sender: firewalls-owner@GreatCircle.COM

Subject: Firewalls-Digest V5 #497

Message not delivered to recipients below. Press F1 for help with VNM error codes.

VNM3043: Paul Moen@Security@EDP
VNM3043 -- MAILBOX IS FULL

From firewalls-owner Sat Sep 7 01:29:03 1996
Date: Sat, 7 Sep 1996 18:09:34 +1000 (EST)
From: "Simon J. Gerraty"
To: firewalls@greatcircle.com
Subject: Re: options for proxying SSL traffic?
Newsgroups: lists.firewalls

junya@fsdirect.com writes:
> this? Are there people still doing homebrew FWTK/screend setups for large
> organizations?

Yes. A screened subnet is still the easiest way to accommodate a bunch of external WWW, ftp etc. servers without compromising your security. Just because most fw vendors expect you to use their box as your connection, there is no reason you can't use a Gauntlet or FWTK bastion behind a router. The router may even be cheaper than the Nth ethernet on your vendor's fw box.
--sjg

From firewalls-owner Sat Sep 7 01:59:18 1996
Date: Sat, 7 Sep 96 18:53:44 +60000
Subject: Undeliverable Message
Sender: firewalls-owner@GreatCircle.COM

Subject: Firewalls-Digest V5 #498

Message not delivered to recipients below. Press F1 for help with VNM error codes.

VNM3043: Paul Moen@Security@EDP
VNM3043 -- MAILBOX IS FULL

---------------------- Original Message Follows ----------------------

Firewalls-Digest        Saturday, September 7 1996        Volume 05 : Number 498

In this issue:

        Undeliverable Message

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

Date: Sat, 7 Sep 96 17:25:50 +60000
Subject: Undeliverable Message

Subject: Firewalls-Digest V5 #497

Message not delivered to recipients below.

VNM3043: Paul Moen@Security@EDP
VNM3043 -- MAILBOX IS FULL

------------------------------

End of Firewalls-Digest V5 #498
*******************************

To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM":

        unsubscribe firewalls-digest

If you want to subscribe or unsubscribe an address other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

        subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number).

From firewalls-owner Sat Sep 7 05:29:04 1996
Organization: MicroLink OnLine
Date: Sat, 7 Sep 1996 15:15:17 +0300 (EET DST)
From: Jüri Kaljundi
To: Firewalls@GreatCircle.COM
Cc: Wayne.Gifford@East.Sun.COM
Subject: Re: authenticated/encrypted sessions

Wayne.Gifford@East.Sun.COM (Wayne Gifford - Internet Commerce Group) wrote:
> > I want to set up authenticated and encrypted tunnels through a
> > firewall.
> > the rub, NO COMMERCIAL products allowed. My thoughts --
> > socks5 since I have to handle windows 3.1, win 95 and winNT apps
> > as well as Unix.
>
> Go to http://skip.incog.com and grab the SKIP source code and roll your
> own.

This might be the choice for US people, but everywhere else you must forget using any US products for encryption. The weak export versions only give people a false sense of security, while actually the products are easily breakable. Sun SKIP is nice for playing around, but not for real use. As far as I understand, this applies to most of the firewall products also; most of them are using either weak encryption or proprietary algorithms.

SSH (www.ssh.fi) is one strong product I know of; another possibility would be using SSLtelnet, which is based on the SSLeay library.

Juri Kaljundi
jk@stallion.ee

From firewalls-owner Sat Sep 7 06:29:05 1996
Date: Sat, 7 Sep 1996 09:10:37 -0400 (EDT)
From: Wayne.Gifford@East.Sun.COM
To: Jüri Kaljundi
Cc: Firewalls@GreatCircle.COM
Subject: Re: authenticated/encrypted sessions

=> >
=> >Go to http://skip.incog.com and grab the SKIP source code and roll your
=> >own.
=>
=> This might be the choice for US people, but everywhere else you must
=> forget using any US products for encryption. The weak export versions only
=> give people the false sense of security, while actually the products are
=> easily breakable. Sun SKIP is nice for playing around, but not for real
=> use. As far as I understand, this applies to most of the firewall products
=> also, most of them are using either weak encryption or proprietary
=> algorithms.
=>
=> SSH (www.ssh.fi) is one strong product I know of, another possibility
=> would be using SSLtelnet which is based on SSLeay library.
=>
=> Juri Kaljundi
=> jk@stallion.ee

Yes, the export control laws are a pain (although I do want to get business cards that have my title as "International Munitions Dealer").

Well, I'm sorry. I should have pointed at the international location for SKIP sources as well. SKIP is a protocol, so there isn't any way the US can prevent people from implementing their own versions.

You can also find SKIP source at the Swiss Federal Institute of Technology: http://www.tik.ee.ethz.ch/~skip/

Or buy a commercial version from Sasha @ Elvis+ in Moscow: http://elvis.ru/skip

If you are really into it you can write your own implementation from the IETF drafts at http://skip.incog.com/drafts/draft-ietf-ipsec-skip-07.txt

If you write your own, you can use whatever key length you like and use the encryption algorithm of choice.
giff
=>

From firewalls-owner Sat Sep 7 07:59:04 1996
Date: Sat, 7 Sep 1996 15:55:55 +0000
From: "Ben Goodyear"
Organization: Carlton UK Television
To: firewalls@greatcircle.com
Subject: Address Translation problem

Hiya,

I'm using Firewall-1 address translation to hide our network behind the firewall - that works fine, but I can't get to the mail machine on our internal network. I've used the source static and destination static rules for the address of the mail machine, done the proxy ARP, but it doesn't work.

By using the "snoop" command I've discovered the mail machine can send things through the firewall, but the responses don't make it back - they just get dropped by the firewall - without even a log entry.

It was suggested I need to add a static host route to the firewall from the translated address to the real address of the mail machine - however I can't do this as it's not a "directly connected network" - so I get a Network Unreachable message from the route command. I tried adding the next hop network instead, but that doesn't work either.

The address of the mail machine isn't covered by the other hide rules.

Any suggestions? I'm really stuck on this one.
Regards,

Ben

From firewalls-owner Sat Sep 7 10:48:46 1996
Date: Sun, 08 Sep 1996 01:36:43 +0800
From: eric chan
Reply-To: eric.chan@netvigator.com
Organization: Hongkong Telecom IMS
To: Henk Baert
Cc: Firewalls Mailing List
Subject: Re: Sendmail Configuration-

Henk Baert wrote:
>
> VAN LAERE
> MEMO                                   Date : 28-08-1996
> Subject : Sendmail Configuration
>
> Hi,
>
> I am trying to set up my sendmail configuration so that all outgoing mail has
> an origin as user@domainname (instead of user@hostname.domainname).
>
> I tried to figure it out myself, but don't get it completely right. The
> problem is in Rulesets 10/11 and 20/21 that decode sending addresses.
>
> Any suggestion to code it correctly?
>
> Thanks a lot.
>
> Henk Baert
> (henk.baert@vanlaere.be)

Check the DNS record for the domain you are talking about, especially the MX setting.
Eric

From firewalls-owner Sat Sep 7 10:59:06 1996
Date: Sat, 7 Sep 1996 12:12:21 -0400 (EDT)
From: Rabid Wombat
To: Russ
Cc: "'Firewalls'"
Subject: Re: Building a monitoring system

On Fri, 6 Sep 1996, Russ wrote:

> Howdy folks,
>
> I'm going to take the plunge into Unix by way of building a monitoring
> system that would be dedicated to the task of reporting the actions of
> the other machines on my very small network. Given my limited Unix
> background, I figured the best way to approach this would be to ask
> y'all what this box should be.
>

I already dropped Russ more detail off list, but here's my favorite URL for UNIX tools:

ftp://coast.cs.purdue.edu/pub/tools/unix/

Welcome to the Dark Side(tm), Russ.

- r.w.
From firewalls-owner Sat Sep 7 12:59:08 1996
Date: Sat, 7 Sep 1996 15:47:46 -0400 (EDT)
From: Apu
To: Firewalls mailing list
Subject: Vulnerability from Internet of non-IP hosts?

Am I missing something obvious, or am I correct in believing that a machine (Mac & Windows clients, Netware & OS/2-based Notes servers) that is not configured to accept IP cannot be subverted via an IP-only WAN connection (Internet connection)? The machines in question would be running any or all of IPX, AppleTalk and "NetBoo-y" ...

I'm also excluding the vulnerability posed by an IP-based attack on a machine which speaks IP but also communicates with the non-IP machine via one of these other protocols, as well as simple denial-of-service attacks based on just saturating a network link to make it unusable.

(If it makes a difference, the situation would be using a Cisco router with an IP-only feature set, so one could even mess with the router in terms of the other protocols.)
Apu

From firewalls-owner Sat Sep 7 16:36:32 1996
Date: Fri, 06 Sep 1996 19:38:44 -0400
From: "Safi H. Newman" <shnewman@worldnet.att.net>
To: Firewalls@GreatCircle.com
Subject: NT Security
Message-ID: <3230B604.5886@worldnet.att.net>

In response to Duncan C. Kinder's request for information about NT-based security, there is an NT Security listserv. Send an e-mail to Majordomo@iss.net with no subject; the message should read "subscribe NT Security".

Safi H. Newman
shnewman@worldnet.att.net

From firewalls-owner Sat Sep 7 16:44:13 1996
Date: Fri, 06 Sep 1996 09:30:48 GMT
From: Felber@abacus.ch (Hubert Felber)
Organization: ABACUS Research AG
To: firewalls@greatcircle.com
Subject: curios traceroute
Message-ID: <1996Sep06.092823.1590.10676@caliban.abacus.ch>

Hi,

Can anyone explain the following traceroute to me?

1. question: the last 3 addresses are private internet addresses. Why do I see them on the list?

2. Why is the station 194.209.14.36 not in the list?

Tracing the route to 194.209.14.36

  1 SWISG1-S4.SWITCH.CH (130.59.195.2) 16 msec 16 msec 12 msec
  2 SWIEZ7-S5-3.SWITCH.CH (130.59.32.2) 20 msec 20 msec 20 msec
  3 SWIEG1-F0-0.SWITCH.CH (130.59.20.211) 16 msec 16 msec 20 msec
  4 ZH00-SRL0.UNISOURCE.CH (193.246.104.130) 24 msec 28 msec 20 msec
  5 ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
    ZH11-ETH0.UNISOURCE.CH (164.128.44.37) 20 msec
    ZH21-ETH0.UNISOURCE.CH (164.128.44.38) 20 msec
  6 164.128.41.66 36 msec 32 msec
    164.128.41.70 64 msec
  7 164.128.45.35 32 msec * 64 msec
  8 192.168.1.1 36 msec 32 msec 68 msec
  9 10.0.1.58 128 msec 116 msec 76 msec
 10 192.168.2.42 !H !H !H

---
Hubert Felber (felber@abacus.ch)
ABACUS Research AG
9006 St. Gallen, Switzerland
Phone +41 71 243 35 11
Fax +41 71 243 35 00

From firewalls-owner Sat Sep 7 17:59:07 1996
Date: Sat, 07 Sep 1996 19:40:33 -0500
From: Charles Ragan
To: Henk Baert
Cc: Firewalls Mailing List
Subject: Re: Sendmail Configuration-
Message-Id: <3.0b11.32.19960907194030.009b28c4@lexicon.ins.com>

Try this kool tool.
http://www.completeis.com/sendmail/

Charles

At 01:36 AM 9/8/96 +0800, eric chan wrote:
>Henk Baert wrote:
>> I am trying to set up my sendmail configuration so that all outgoing mail has
>> an origin as user@domainname (instead of user@hostname.domainname).
>
>Check with your DNS record for the domain you are talking about, especially
>the MX setting.
>
>Eric

-----------------------------------------------------
Charles B. Ragan, Jr.          International Network Services
(214) 392-3545                 14160 Dallas Parkway Suite 200
Charles_Ragan@ins.com          Dallas, TX 75040
Cisco Certified IE (CCIE)      Text Page - 1-800-INS-1-INS
Master CNE                     Direct Page - 1-888-360-5812
Microsoft SE
Certified Banyan Engineer      "Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Sat Sep 7 18:14:06 1996
Date: Sat, 07 Sep 1996 19:38:13 -0500
From: Charles Ragan
To: Felber@abacus.ch (Hubert Felber), firewalls@GreatCircle.COM
Cc: bridge@DIAL-SWITCH.CH
Subject: Re: curios traceroute
Message-Id: <3.0b11.32.19960907193809.006d3b20@lexicon.ins.com>

It appears that someone is leaking. Consistency in yours and mine is:

Tracing route to 194.209.14.36 over a maximum of 30 hops

 11   464 ms   333 ms   334 ms  UBN-gw5.ALTER.NET [137.39.129.26]
 12   357 ms   342 ms   330 ms  zh11-eth0.unisource.ch [164.128.44.37]
 13   442 ms   369 ms   438 ms  164.128.41.70
 14   440 ms     *      396 ms  164.128.45.35
 15   362 ms   368 ms   471 ms  192.168.1.1
 16   479 ms   395 ms   374 ms  10.0.1.58
 17   192.168.2.42  reports: Destination host unreachable.

Unisource Business Networks (Schweiz) AG (NET-UBN-CH)
   Schermenwaldstrasse 13
   CH-3063 Ittigen

   Netname: UBN-CH
   Netnumber: 164.128.0.0

   Coordinator:
      Bridge, Philip  (PB334)  bridge@DIAL-SWITCH.CH
      +41 31 688 8262 (FAX) +41 31 688 8152

   Domain System inverse mapping provided by:

      UBNSRV.UNISOURCE.CH   164.128.36.34
      SCSNMS.SWITCH.CH      130.59.1.30

   Record last updated on 13-Jun-95.

At 09:30 AM 9/6/96 GMT, Hubert Felber wrote:
> Hi,
> Can anyone explain the following traceroute to me?
> 1. question: the last 3 addresses are private internet addresses. Why
> do I see them on the list? 2. Why is the station 194.209.14.36 not in the list?

Charles

From firewalls-owner Sat Sep 7 22:29:06 1996
Date: Sun, 8 Sep 1996 01:12 EDT
From: Barney Wolff
To: firewalls@GreatCircle.COM
Subject: Re: curios traceroute
Message-ID: <323258270.546d@databus.databus.com>

I believe that this is not a leak, but simply somebody using the private space for network infrastructure. On the one hand, this has the major advantage that outsiders cannot attack your routers. On the other, either you must suppress the ICMP TTL-exceeded packets from those routers, resulting in a false appearance of an outage in your network, or allow them out, with the result that outsiders send queries to the firewalls list :-)

I tend to favor the idea, although I have not actually done it.

Barney Wolff

> Date: Sat, 07 Sep 1996 19:38:13 -0500
> To: Felber@abacus.ch (Hubert Felber), firewalls@GreatCircle.COM
> From: Charles Ragan
> Subject: Re: curios traceroute
> Cc: bridge@DIAL-SWITCH.CH
>
> It appears that someone is leaking. Consistency in yours and mine is:

From firewalls-owner Sun Sep 8 00:14:06 1996
Date: Sun, 08 Sep 1996 01:59:06 -0500
From: Charles Ragan
To: Barney Wolff, firewalls@GreatCircle.COM
Subject: Re: curios traceroute
Message-Id: <3.0b11.32.19960908015903.00754e14@lexicon.ins.com>

To me, it's a leak. ANYTHING sourced from the private address space in rfc1918 on the 'outside' is a leak. You can read more about it here:

http://compute.merit.edu/help.html

A Cisco example provided by Paul Vixie on compute.merit.edu to 'help' block these addresses, among others:
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any

Charles

At 01:12 AM 9/8/96 EDT, Barney Wolff wrote:
>I believe that this is not a leak, but simply somebody using the private
>space for network infrastructure. On the one hand, this has the major
>advantage that outsiders cannot attack your routers. On the other, either
>you must suppress the ICMP TTL-exceeded packets from those routers,
>resulting in a false appearance of an outage in your network, or allow
>them out, with the result that outsiders send queries to the firewalls
>list :-)
>
>I tend to favor the idea, although I have not actually done it.
>
>Barney Wolff

From firewalls-owner Sun Sep 8 00:59:06 1996
Date: Sun, 8 Sep 1996 03:44 EDT
From: Barney Wolff
To: firewalls@GreatCircle.COM
Subject: Re: curios traceroute
Message-ID: <32327ba20.568c@databus.databus.com>

> Date: Sun, 08 Sep 1996 01:59:06 -0500
> To: Barney Wolff, firewalls@GreatCircle.COM
> From: Charles Ragan
> Subject: Re: curios traceroute
>
> To me, it's a leak. ANYTHING sourced from the private address space in
> rfc1918 on the 'outside' is a leak.

Please describe what harm has been done.
Routes to the private space have not been advertised, after all. A connection of any sort has not been attempted with those addresses as source or destination. I do understand that RFC1918 says that packets with those addresses shall not be transferred across inter-enterprise links. I do not understand what harm will be caused by a TTL-exceeded packet from such an address, and would welcome enlightenment.

Barney Wolff

From firewalls-owner Sun Sep 8 02:29:13 1996
Date: Sun, 8 Sep 96 19:12:18 +60000
Subject: Undeliverable Message
X-Incognito-SN: 606

Subject: Firewalls-Digest V5 #499

Message not delivered to recipients below. Press F1 for help with VNM error codes.

VNM3043: Paul Moen@Security@EDP

VNM3043 -- MAILBOX IS FULL

The message cannot be delivered because the recipient's mailbox contains the maximum number of messages, as set by the system administrator. The recipient must delete some messages before any other messages can be delivered. The maximum message limit for a user's mailbox is 10,000.
The default message limit is 1000 messages. Administrators can set message limits using the Mailbox Settings function available in the Manage User menu (MUSER). When a user's mailbox reaches the limit, the user must delete some of the messages before the mailbox can accept any more incoming messages.

---------------------- Original Message Follows ----------------------

The original message was larger than the viewing area. It cannot be displayed as is. Therefore, it has been stored in the file `mail.txt'. Please view this file in order to read the message. Thank you.

From firewalls-owner Sun Sep 8 02:44:06 1996
Date: Sun, 8 Sep 1996 05:31:20 -0400 (EDT)
From: Ming Lu
To: firewalls@GreatCircle.COM
Subject: wu-ftpd question
Message-Id: <199609080931.FAA23173@hq.si.net>

Hi all:

I know that this forum is exactly the right place to put this question, but I don't really know where else to ask for help...

I am setting up an anonymous ftp server which is using wu-ftpd as its daemon. I am trying to let the ftp server pop up some messages whenever someone logs into the server. Does anyone out there know how to do it? Any help will be greatly appreciated.

Thanks in advance.
Ming

From firewalls-owner Sun Sep 8 02:56:08 1996
Date: Sun, 8 Sep 1996 17:06:51 +0800 (WST)
From: Daniel Baldoni
Organisation: Fremantle Port Authority
To: firewalls@greatcircle.com
Subject: Oddly changing FW-1 files
Message-Id: <199609080906.RAA07604@wol.freport.wa.gov.au>
X-URI: http://www.freport.wa.gov.au/dept/isb/daniel.html

G'day folks,

A regular TripWire check across our bastion has shown a change in a file I can't explain, and I was wondering if anybody out there can help me nail down a cause (hopefully, other than an intruder). The file in question is modules/fwmod.5.3.o under the Firewall-1 installation.

At approximately the indicated file-change time, the Firewall-1 license was upgraded, but our operations staff have not listed that file in their regular TripWire reports to me (and the new license went in about 2 weeks ago).

So, can anybody out there shed some light on this? Thanks in advance.
-----------------------------------------------------+-------------------------
Phone: +61-9-430-3439                                | Systems Administrator
FAX:   +61-9-439-3431                                | Fremantle Port Authority
URL:   http://www.freport.wa.gov.au/dept/isb/daniel  | 1 Cliff Street
-----------------------------------------------------+ Fremantle
#include                                             | Western Australia, 6160
-----------------------------------------------------+-------------------------
"Any time there's something so ridiculous (...) that no rational systems programmer would even consider trying it, they send for me" - Paraphrased from "King of the Murgos" by David Eddings

From firewalls-owner Sun Sep 8 07:33:24 1996
Date: Sun, 8 Sep 1996 16:14:39 +0200 (MET DST)
From: Magnus Bergman
To: Ming Lu
Cc: firewalls@GreatCircle.COM
Subject: Re: wu-ftpd question
In-Reply-To: <199609080931.FAA23173@hq.si.net>

On Sun, 8 Sep 1996, Ming Lu wrote:

> Hi all:
>
> I know that this forum is exactly the right place to put this question, but I don't
> really know where else to ask for help...
>
> I am setting up an anonymous ftp server which is using wu-ftpd as its daemon. I am
> trying to let the ftp server pop up some messages whenever someone logs into
> the server. Does anyone out there know how to do it? Any help will be greatly
> appreciated.

The source to wu-ftpd is freely available. Just make the addition or have someone do it for you.
//Tri

From firewalls-owner Sun Sep 8 07:59:07 1996
Date: Sun, 8 Sep 1996 07:51:23 -0700 (PDT)
From: Aviel Rubin
To: rubin@bellcore.com
Subject: ANNOUNCEMENT AND CALL FOR PAPERS - 1998 USENIX Security Conference
Message-Id: <199609081451.HAA03572@usenix.ORG>

*************************************************************************

ANNOUNCEMENT AND CALL FOR PAPERS

7th USENIX Security Symposium
January 26-29, 1998
Marriott Hotel -- San Antonio, Texas

Sponsored by the USENIX Association, the UNIX and Advanced Computing Systems Professional and Technical Association

In cooperation with: The CERT Coordination Center.

Important Dates for Refereed Papers

   Papers due:                          September 9, 1997
   Author notification:                 October 8, 1997
   Camera-ready final papers due:       December 9, 1997
   Registration Materials Available:    End October, 1997

(Authors, see "How to Submit a Refereed Paper" below.)

Program Chair
   Avi Rubin, Bellcore

Program Committee
   Carlisle Adams, Nortel
   Dave Balenson, Trusted Information Systems
   Steve Bellovin, AT&T Research
   Dan Boneh, Princeton University
   Diane Coe, Mitre
   Ed Felten, Princeton University
   Li Gong, JavaSoft
   Peter Honeyman, CITI, University of Michigan
   Hugo Krawczyk, IBM Watson Labs
   Jack Lacy, AT&T Research
   Hilarie Orman, DARPA/ITO
   Mike Reiter, AT&T Research
   David Wagner, University of California, Berkeley

Readers
   Katherine T. Fithen, CERT
   Trent Jaeger, IBM Watson Labs

Invited talks coordinator: Greg Rose, Qualcomm

Conference home page:

OVERVIEW

The goal of this symposium is to bring together researchers, practitioners, system programmers, and others interested in the latest advances in security and applications of cryptography. This will be a four-day symposium with two days of tutorials, followed by two days of refereed paper presentations, invited talks, works-in-progress presentations, and panel discussions.

TUTORIALS
Monday and Tuesday, January 26-27

Tutorials for both technical staff and managers will provide immediately useful, practical information on topics such as local and network security precautions, what cryptography can and cannot do, security mechanisms and policies, firewalls and monitoring systems. If you are interested in proposing a tutorial, contact the tutorial coordinator, Dan Klein: phone (412) 421-2332, email .

TECHNICAL SESSIONS
Wednesday and Thursday, January 28-29

In addition to the keynote presentation, the technical program includes refereed papers, invited talks, a work-in-progress session, and panel sessions. There will be Birds-of-a-Feather sessions the last two evenings. You are invited to make suggestions to the program committee via email to .

Papers that have been formally reviewed and accepted will be presented during the symposium and published in the symposium proceedings, published by USENIX and provided free to technical session attendees. Additional copies will be available for purchase from USENIX.
SYMPOSIUM TOPICS Refereed paper submissions are being solicited in areas including but not limited to: * Adaptive security and system management * Analysis of malicious code * Applications of cryptographic techniques * Attacks against networks/machines * Computer misuse and anomaly detection * Copyright protection (technical solutions) * Cryptographic & other security tools * File and file system security * Network security * New firewall technologies * Security in heterogeneous environments * Security incident investigation and response * Security of Mobile Code * User/system authentication * World Wide Web security Note that this symposium is not about new codes, ciphers, nor cryptanalysis for its own sake. Papers must represent novel scientific contributions in computer security with direct relevance to the engineering of secure systems for the commercial sector. HOW TO SUBMIT A REFEREED PAPER (Please read carefully.) The guidelines for submission are a bit different from previous years. Authors must submit a mature paper in postscript format. Any incomplete sections (there shouldn't be many) should be outlined in enough detail to make it clear that they could be finished easily. Full papers are encouraged, and should be about 8 to 15 typeset pages. Submissions must be received by September 9, 1997. Along with your paper, please submit a separate email message containing the title, all authors, and their complete contact information (phone, fax, postal address, email), including an indication of which author is the contact author. Authors will be notified of acceptance on October 8, 1997. All submissions will be judged on originality, relevance, and correctness. Each accepted submission may be assigned a member of the program committee to act as its shepherd through the preparation of the final paper. The assigned member will act as a conduit for feedback from the committee to the authors. Camera-ready final papers are due on December 9, 1997. 
If you would like to receive detailed guidelines for submission and examples of extended abstracts, you may send email to: or telephone the USENIX Association office at (510) 528-8649. The Security Symposium, like most conferences and journals, requires that papers not be submitted simultaneously to another conference or publication and that submitted papers not be previously or subsequently published elsewhere. Papers accompanied by non-disclosure agreement forms are not acceptable and will be returned to the author(s) unread. All submissions are held in the highest confidentiality prior to publication in the Proceedings, both as a matter of policy and in accord with the U.S. Copyright Act of 1976. There will be one or two prizes awarded for best paper(s). WHERE TO SUBMIT For reliability, please send one copy of your paper to the program committee via each of two of the following methods. All submissions will be acknowledged. o Preferred Method: email (Postscript) to: o Alternate Method: postal delivery to Security Symposium USENIX 2560 Ninth St., Ste. #215 Berkeley CA 94710 U.S.A. Phone: (510) 528-8649 o Fax: (510) 548-5738 Vendor Exhibits Demonstrate your security product to our technically astute attendees responsible for security at their sites. We invite you to take part in the Vendor Display. The informal, table-top display allows you to meet with attendees informally and demonstrate in detail your security solutions. Contact CynthiaDeno Email: cynthia@usenix.org Phone: 408.335.9445 Fax 408.335.5327 Works-in-Progress Session (WIPs) The last session of the symposium will be a Works-in-Progress session consisting of five minute presentations. Speakers should provide a one or two paragraph abstract to the program chair by 6:00 pm on January 28, 1998 at the conference. These should be provided in person, not via email. The chair will post the schedule of presentations by noon on the 29th. 
Experience at other conferences has shown that usually, all of them are accepted. The five minute time limit will be strictly enforced. INVITED TALKS There will be several invited talks at the conference in parallel with the refereed papers. If you have suggestions for possible speakers, please send them to . REGISTRATION MATERIALS Materials containing all details of the technical and tutorial programs, registration fees and forms, and hotel information will be available at the end of October 1997. To receive the registration materials, please contact: USENIX Conference Office 22672 Lambert Street, Suite 613 Lake Forest, CA USA 92630 Phone: (714) 588-8649 Fax: (714) 588-9706 Email: Information can also be found under the Conference home page: . From firewalls-owner Sun Sep 8 08:59:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA19962 for firewalls-outgoing; Sun, 8 Sep 1996 08:48:43 -0700 (PDT) Received: from kbass.fred.net (kbass.fred.net [205.177.221.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA19949 for ; Sun, 8 Sep 1996 08:48:31 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by kbass.fred.net (8.7.4/8.7.3) with SMTP id LAA00291 for ; Sun, 8 Sep 1996 11:48:28 -0400 Date: Sun, 8 Sep 1996 11:48:28 -0400 (EDT) From: Ken Bass X-Sender: kbass@kbass To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #499 In-Reply-To: <199609080800.BAA29907@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > ------------------------------ > > Date: Sun, 08 Sep 1996 01:36:43 +0800 > From: eric chan > Subject: Re: Sendmail Configuration- > > Henk Baert wrote: > > > > VAN LAERE > > MEMO Datum : > > 28-08-1996 > > Betreft : Sendmail Configuration > > > > Hi, > > > > I am trying to set up my sendmail configuration so that all outgoing mail has > > an origin as user@domainname (instead of 
user@hostname.domainname). > > > > I tried to figure it out myself, but don't get it completely right. The > > problem is in Rulesets 10/11 en 20/21 that decode sending adresses. > > > > Any suggestion to code it correctly ? > > > > Thanks a lot. > > > > Henk Baert > > (henk.baert@vanlaere.be) > > Check with your DNS record about the domain you talking about especially > the MX setting. > > Eric > > Isn't it as simple as changing the 'DM' line in sendmail.cf. That tells sendmail to 'masquerade' as a domain. Just do DMdomainname From firewalls-owner Sun Sep 8 10:17:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA22862 for firewalls-outgoing; Sun, 8 Sep 1996 09:59:13 -0700 (PDT) Received: from m4.sprynet.com (m4.sprynet.com [165.121.1.96]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA22854 for ; Sun, 8 Sep 1996 09:59:04 -0700 (PDT) Received: from local.com (hd54-186.compuserve.com [199.174.239.186]) by m4.sprynet.com (8.6.12/8.6.12) with SMTP id JAA12874 for ; Sun, 8 Sep 1996 09:56:57 -0700 Message-Id: <199609081656.JAA12874@m4.sprynet.com> Comments: Authenticated sender is From: "Jesse" To: firewalls@GreatCircle.com Date: Wed, 8 Jan 1986 10:57:36 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: FreeBSD Firewall Package X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Everyone! Sorry to bother you, but we are just putting in a new server at my workplace, and I was wondering if anyone had any suggestions on Free/Commercial 4.4BSD or FreeBSD firewall or proxy packages. 
From firewalls-owner Sun Sep 8 10:59:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA24790 for firewalls-outgoing; Sun, 8 Sep 1996 10:47:13 -0700 (PDT)
Received: from apu.rcp.net.pe (apu.rcp.net.pe [161.132.5.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA24739 for ; Sun, 8 Sep 1996 10:46:48 -0700 (PDT)
Received: by apu.rcp.net.pe via sendmail with stdio id for firewalls@GreatCircle.COM; Sun, 8 Sep 96 12:42:24 -0400 (WET DST)
Message-Id:
From: vadillo@apu.rcp.net.pe (Enrique Vadillo)
Subject: Re: wu-ftpd question
To: tri@night.dataphone.se (Magnus Bergman)
Date: Sun, 8 Sep 1996 12:42:24 -0400 (EDT)
Cc: mlu@hq.si.net, firewalls@GreatCircle.COM
In-Reply-To: from Magnus Bergman at "Sep 8, 96 04:14:39 pm"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just create a welcome.msg text file in your "/" ftp directory, it will show it.

Enrique Vadillo-

---- Ming Lu wrote ----
> >
> > I am setting up an anonymous ftp server which is using wu-ftpd as
> > daemon. I am trying to let the ftpserver pop up some messages
> > whenever someone logins into the server. Does anyone out there know
> > how to do it? Any help will be greatly appreciated.
From firewalls-owner Sun Sep 8 11:17:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA25919 for firewalls-outgoing; Sun, 8 Sep 1996 10:58:37 -0700 (PDT)
Received: from blue.misnet.com (blue.misnet.com [204.177.124.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA25834 for ; Sun, 8 Sep 1996 10:58:12 -0700 (PDT)
Received: (from inter@localhost) by blue.misnet.com (8.7.3/8.7.3) id MAA14913; Sun, 8 Sep 1996 12:44:05 -0500 (CDT)
Date: Sun, 8 Sep 1996 12:44:04 -0500 (CDT)
From: inter
To: Ming Lu
cc: firewalls@GreatCircle.COM
Subject: Re: wu-ftpd question
In-Reply-To: <199609080931.FAA23173@hq.si.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 8 Sep 1996, Ming Lu wrote:

> Hi all:
>
> I know that this forum is exactly right place to put this question, but I don't
> really know where to ask for help...
>
> I am setting up an anonymous ftp server which is using wu-ftpd as daemon. I am
> trying to let the ftpserver pop up some messages whenever someone logins into
> the server. Does anyone out there know how to do it? Any help will be greatly
> appreciated.
>
> Thanks in advance.
>
> Ming
>

Easy .. make a welcome.msg in the root dir of ftp.. then make a message.msg in every other dir.. include what you want to say in the messages..
From firewalls-owner Sun Sep 8 11:44:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA27899 for firewalls-outgoing; Sun, 8 Sep 1996 11:28:17 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA27890 for ; Sun, 8 Sep 1996 11:28:06 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id OAA13417; Sun, 8 Sep 1996 14:32:48 -0500
From: Adam Shostack
Message-Id: <199609081932.OAA13417@homeport.org>
Subject: Re: options for proxying SSL traffic?
To: junya@fsdirect.com
Date: Sun, 8 Sep 1996 14:32:48 -0500 (EST)
Cc: ssl-talk@netscape.com, firewalls@greatcircle.com
In-Reply-To: from "junya@fsdirect.com" at Sep 6, 96 11:00:31 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's pretty unfortunate that some vendors can't offer multiple interfaces, or that they charge an arm and a leg for 'em. However, my workaround would be to tell the vendors 'no thanks,' and buy a new interface for the filtering router (assuming you have one?). Since you only let ports 80 and 443 to the web server, you wouldn't gain a whole lot by putting proxies there.

Adam

junya@fsdirect.com wrote:
| This reminds me of another issue I had with firewall products. Although
| i had not made it obvious, the question was framed in the context that the
| web server would be in an arbitrary network behind the firewall. It seemed
| that a large chunk of firewalls out there do not offer flexible
| configurations as far as multiple network interfaces were concerned. How
| are large organizations (particularly financial institutions) dealing with
| this? Are there people still doing homebrew FWTK/screend setups for large
| organizations?
|
| For example, Borderware offered a third ethernet interface, but called it
| Something Special, and charged a huge chunk of money for just the 3rd
| interface (for DMZs). No more than 3 interfaces, too.
|
| In talking to resellers for TIS's Gauntlet, some of them were not willing
| to set up a firewall with more than 3 (and for one vendor, their limit was
| 2) interfaces. I was trying to arrange for 4.
|
| On Thu, 5 Sep 1996, Adam Shostack wrote:
| > I'd go for a demilitarized zone, a third interface off the firewall
| > with just the web server.

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Sun Sep 8 15:44:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA08817 for firewalls-outgoing; Sun, 8 Sep 1996 15:38:42 -0700 (PDT)
Received: from po2.andrew.cmu.edu (PO2.ANDREW.CMU.EDU [128.2.10.102]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA08809; Sun, 8 Sep 1996 15:38:31 -0700 (PDT)
Received: (from postman@localhost) by po2.andrew.cmu.edu (8.7.5/8.7.3) id SAA17561; Sun, 8 Sep 1996 18:38:22 -0400
Received: via switchmail; Sun, 8 Sep 1996 18:38:22 -0400 (EDT)
Received: from pcs28.andrew.cmu.edu via qmail ID ; Sun, 8 Sep 1996 18:38:07 -0400 (EDT)
Received: from pcs28.andrew.cmu.edu via qmail ID ; Sun, 8 Sep 1996 18:38:06 -0400 (EDT)
Received: from mms.4.60.Jun.27.1996.03.05.56.sun4.41.EzMail.Linux.2.0.CUILIB.3.45.SNAP.NOT.LINKED.pcs28.andrew.cmu.edu.sun4m.412 via MS.5.6.pcs28.andrew.cmu.edu.sun4_41; Sun, 8 Sep 1996 18:38:06 -0400 (EDT)
Message-ID:
Date: Sun, 8 Sep 1996 18:38:06 -0400 (EDT)
From: Zachary Roger Amsden
To: firewalls@greatcircle.com, "Paul D. Robertson"
Subject: Re: TN3270 and TN5250 through a firewall using OS/2 Clients
Cc: Firewalls@GreatCircle.COM
In-Reply-To:
References:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Excerpts from internet.computing.firewalls: 30-Aug-96 Re: TN3270 and TN5250 throu.. by "Paul D. Robertson"@clar
> > In both cases the connection attempt has failed with the client providing a
> > message it was unable to shift into transparent mode.
> >
> > Why would a proxy written for Port 23 not be able to accommodate all forms of
> > telnet?

Another complication here is that the telnet protocol (and variants) are technically not proxyable. First, the client needs to connect to the proxy, then to the remote site. However, the telnet options it needs to negotiate with the remote site may not be supported by the proxy, and not all proxies deal well with this. If you can do a telnet options trace, try it, and you may get much better debugging information.

Zachary Amsden
amsden@andrew.cmu.edu

From firewalls-owner Sun Sep 8 18:29:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA13981 for firewalls-outgoing; Sun, 8 Sep 1996 18:24:44 -0700 (PDT)
Received: from saturn.koto.nikkei.co.jp (saturn.koto.nikkei.co.jp [138.101.199.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA13974 for ; Sun, 8 Sep 1996 18:24:35 -0700 (PDT)
Received: from saturn (localhost [127.0.0.1]) by saturn.koto.nikkei.co.jp (8.7.3/8.7.3) with ESMTP id KAA07950 for ; Mon, 9 Sep 1996 10:22:39 +0900 (JST)
Message-Id: <199609090122.KAA07950@saturn.koto.nikkei.co.jp>
To: Firewalls@GreatCircle.COM
Subject: Re: Firewall-1,Sun,CISCO,Class"B"address
Date: Mon, 09 Sep 1996 10:22:39 +0900
From: Nobuhiko Yoshimoto
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I have a Sun
> > Sparc5 running SunOS 4.1.3, with this I have Firewall-1 2.0 running on
> > top of it. I also have a CISCO 4000 setup as an Internal router. The
> > problem that I'm having is that I'm unable to receive information back to
> > my machines sitting behind the Internal router. The exact trouble seems
> > to be the firewall does not know how to route back into my "Internal"
> > networks. The setup is like this:
> >
> >
> > Internet ------ ISP Router ----- FW ----- CISCO 4000 ------ Internal Nets
> >                  172.16.1.0       172.16.2.0                 172.16.*
> >
> > I initially set the routing table on the FW to be
> >
> > DEST          Nexthop
> > 172.16.1      172.16.1.1 (local)
> > 172.16.2      172.16.2.1 (local)
> > default       ISP router
> > 172.16.0.0    CISCO 4000
> >
> > This didn't work.
> > I turned routed on within the Firewall, but when I did, the default route
> > (0.0.0.0) from the CISCO added a *new* default route to the Firewall.
> >
> > default       Cisco
> >
> > and it took precedence over the one I installed. Since the FW and the
> > CISCO ping-ponged packets all day, nothing communicated. The default
> > route of the CISCO router is overriding the default route that I have set
> > on the FW. I have set the Metric Flag on the router to be higher than
> > the FW in hopes that the FW would take precedence, but this did not
> > work. Is there a way to set something up on the SUN to force its default
> > route to be used or is there a way to stop the CISCO's default route from
> > taking over. I also tried not setting the 'route of last resort' on the
> > CISCO hoping that the RIP update from the FW would fill in the default
> > route. It didn't. Shouldn't this work? Is there a way on the CISCO to
> > set a default route and not have it sent out in a routing update? BTW,
> > what is the proper way to set the default route on a CISCO? I've been
> > using:

> To suppress broadcasting the default route from CISCO, configure as
> below:
>
> router rip
>  network 172.16.0.0
>  distribute-list access-list# out interface_name_to_FW
>
> access-list access-list# deny 0.0.0.0
> access-list access-list# permit any
>
> >
> > ip route 0.0.0.0 172.16.2.1
> >
> > Has anyone else with a class "B" address run into this problem before? I
> > know this can be solved if I obtained a class C, subnet it, and use it on
> > either side of the FW. That way there would be an unambiguous route to
> > 172.16 from the FW's point of view. However that's not an option right
> > now. Any help is appreciated.
> >
>
> I'm running class B class network with FW-1 and CISCO4500 like
> yours. I've installed gated-R3.5Beta3 on FW machine (SS-5/Solaris2.4)
> and run it instead of in.routed. On the configuration file
> (/etc/gated.conf), I defined the default route to ISP and configured
> it to be broadcasted to internal network through the ethernet
> port. This default route is distributed to all the internal network
> by CISCO 4500.
>
> Anyway gated is very fine. I strongly recommend to install it on your
> FW machine. You can get the latest version from
> ftp://ftp.gated.merit.edu/research.and.development/gated
>
> Nobuhiko Yoshimoto
> Nihon Keizaishimbun Inc. (The Nikkei)
> yoshi@nikkei.co.jp

From firewalls-owner Sun Sep 8 20:03:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA17565 for firewalls-outgoing; Sun, 8 Sep 1996 19:46:28 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA17558 for ; Sun, 8 Sep 1996 19:46:19 -0700 (PDT)
Received: from emailid90-pc.cisco.com (c4robo8.cisco.com [171.68.13.104]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id TAA28015 for ; Sun, 8 Sep 1996 19:46:11 -0700
Message-Id: <2.2.32.19960909044113.00706250@diablo.cisco.com>
X-Sender: clonvick@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 08 Sep 1996 21:41:13 -0700
To: firewalls@greatcircle.com
From: Chris Lonvick
Subject: Re: curios traceroute
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All,

Generally, ISPs don't propagate the destination of RFC-1918 networks through the Internet. They usually have a chuckle then zap them from the routing tables.
What you're seeing is a NAT that doesn't dig into the packet. NATs _must_ know to change the IP source and destination addresses. This, however, is not the end. Certain protocols embed the IP addresses into the packet payload. For example, to get certain commands to work properly in ftp, the NAT must know to recognize these types of packets and then reach inside the payload and change the addresses there as well. Your traceroute program is not looking at the IP source/destination addresses but is utilizing some of the data inside the payload of the packet (which the NAT is not translating) to generate its report. Look at the source code of your traceroute program and RFC-729.

Thanks,
Chris Lonvick
Cisco Systems
Consulting Engineering
+1-713-778-5663

From firewalls-owner Sun Sep 8 21:14:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA22528 for firewalls-outgoing; Sun, 8 Sep 1996 20:56:13 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA22521 for ; Sun, 8 Sep 1996 20:56:04 -0700 (PDT)
Received: from chrpc.ins.com (mtv2-dynamic226.ins.com [199.0.193.226]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id UAA11435; Sun, 8 Sep 1996 20:55:41 -0700 (PDT)
Message-Id: <3.0b11.32.19960908225232.008b715c@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Sun, 08 Sep 1996 22:52:35 -0500
To: Barney Wolff , firewalls@GreatCircle.COM
From: Charles Ragan
Subject: Re: curios traceroute
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Barney,

I agree that there is no obvious added danger (although, what are the other icmp capabilities...echo, echo_reply, source-quench..?). At the same time, don't know how much it would slow down an intruder.......
In about 3 minutes - 164.128.45.35 (the last legal address in the traceroute)

Sun SPARCstation Solaris2.
CheckPoint FireWall-1 Version 2.0b
Last booted - Tuesday August 20, 1996 8:30am
6 Interfaces counting loopback;
  lo0 - 127.0.0.1       255.0.0.0
  le0 - 194.209.12.17   255.255.255.240   MAC address 080020782CD1
  qe0 - 164.128.45.35   255.255.255.224
  qe1 - 194.209.12.49   255.255.255.240
  qe2 - 194.209.12.129  255.255.255.240
  qe3 - 192.168.1.5     255.255.255.0

**Note that the next router that responded to the ttl was 192.168.1.1 (hanging off of the qe3 ethernet segment above)

 13   647 ms   687 ms   698 ms   164.128.41.70
 14   805 ms   685 ms   641 ms   164.128.45.35
 15   823 ms     *      822 ms   192.168.1.1
 16   711 ms   635 ms   695 ms   10.0.1.58

I guess that I'm just in a 'filter all' and 'NAT' frame of mind when it comes to 1918. I've sent an e-mail to the db-admin@ra.net to query what their philosophy/opinion (if any) on the matter.

Charles

BTW - my apologies for the 'curtness' of my previous e-mail(s), it was around 3:00am ;-) (looks like I had put my manners to bed...)

At 03:44 AM 9/8/96 EDT, Barney Wolff wrote:
>> Date: Sun, 08 Sep 1996 01:59:06 -0500
>> To: Barney Wolff <, firewalls@GreatCircle.COM
>> From: Charles Ragan <
>> Subject: Re: curios traceroute
>> Content-Length: 5517
>>
>> To me, it's a leak. ANYTHING sourced from the private address space in
>> rfc1918 on the 'outside' is a leak.
>
>Please describe what harm has been done. Routes to the private space
>have not been advertised, after all. A connection of any sort has not
>been attempted with those addresses as source or destination.
>
>I do understand that RFC1918 says that packets with those addresses
>shall not be transferred across inter-enterprise links. I do not
>understand what harm will be caused by TTL-exceeded packet from such
>an address, and would welcome enlightenment.
>
>Barney Wolff <
>

-----------------------------------------------------
Charles B. Ragan, Jr.
International Network Services          (214) 392-3545
14160 Dallas Parkway Suite 200          Charles_Ragan@ins.com
Dallas, TX 75040                        Cisco Certified IE (CCIE)
Text Page - 1-800-INS-1-INS             Master CNE
Direct Page - 1-888-360-5812            Microsoft SE
Certified Banyan Engineer               "Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Sun Sep 8 21:45:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA23802 for firewalls-outgoing; Sun, 8 Sep 1996 21:29:29 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA23766 for ; Sun, 8 Sep 1996 21:29:14 -0700 (PDT)
Received: from chrpc.ins.com (mtv2-dynamic226.ins.com [199.0.193.226]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id VAA11685; Sun, 8 Sep 1996 21:29:00 -0700 (PDT)
Message-Id: <3.0b11.32.19960908232552.008b844c@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Sun, 08 Sep 1996 23:25:54 -0500
To: Chris Lonvick , firewalls@GreatCircle.COM
From: Charles Ragan
Subject: Re: curios traceroute
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris,

Thanks for the heads up and info! You mis-typed rfc 792 (729 is the IAC for telnet ;-)

So....let me see if I have this straight (since I've only digested it!) - The last box that these traceroutes were traversing with a legal address was a Solaris box running Firewall-1. There is possibility of some translation happening, and it could be our tracert code that is pulling the information from the payload of the datagram..... Perhaps that's an enhancement in the tracert from MS? ;-)

>From RFC 792, pg 2:

  Source Address
    The address of the gateway or host that composes the ICMP message.
    Unless otherwise noted, this can be any of a gateway's addresses.
The Solaris box was running multiple addresses (one of them rfc1918) - it appears that Firewall-1 was sourcing the packet from that address. Do you think that in this case, it wasn't a 'payload' grabbing by the tracert utility? I was using the MS tracert, and the original poster was using something else that signified the host unreachable by '!H'.

Thanks.

Charles

At 09:41 PM 9/8/96 -0700, Chris Lonvick wrote:
>Hello All,
>
>Generally, ISPs don't propagate the destination of RFC-1918 networks through
>the Internet. They usually have a chuckle then zap them from the routing
>tables. What you're seeing is a NAT that doesn't dig into the packet. NATs
>_must_ know to change the IP source and destination addresses. This,
>however, is not the end. Certain protocols embed the IP addresses into the
>packet payload. For example, to get certain commands to work properly in
>ftp, the NAT must know to recognize these types of packets and then reach
>inside the payload and change the addresses there as well. Your traceroute
>program is not looking at the IP source/destination addresses but is
>utilizing some of the data inside the payload of the packet (which the NAT
>is not translating) to generate its report. Look at the source code of your
>traceroute program and RFC-729.
>
>Thanks,
>Chris Lonvick
>Cisco Systems
>Consulting Engineering
>+1-713-778-5663
>
>

-----------------------------------------------------
Charles B. Ragan, Jr.
International Network Services          (214) 392-3545
14160 Dallas Parkway Suite 200          Charles_Ragan@ins.com
Dallas, TX 75040                        Cisco Certified IE (CCIE)
Text Page - 1-800-INS-1-INS             Master CNE
Direct Page - 1-888-360-5812            Microsoft SE
Certified Banyan Engineer               "Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Mon Sep 9 03:29:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA09759 for firewalls-outgoing; Mon, 9 Sep 1996 03:20:54 -0700 (PDT)
Received: from relay.cryptonet.it (relay.cryptonet.it [194.185.79.195]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA09751 for ; Mon, 9 Sep 1996 03:20:38 -0700 (PDT)
Message-Id: <199609091043.MAA11302@relay.cryptonet.it>
Received: from enigma.cryptonet.it(192.168.1.1) by relay.cryptonet.it via smap (V1.3) id sma011300; Mon Sep 9 12:43:41 1996
From: Stefano Taino
Subject: SNG multihomed works ?
To: firewalls@greatcircle.com
Date: Mon, 9 Sep 1996 12:24:10 +0200 (METDST)
X-Organization: CryptoNet S.r.l. - Sicurezza, Reti, Sistemi -
X-Phone-Number: ++39 2 7533205
X-Fax-Number: ++39 2 7533220
X-Pgp-Key-Fingerprint: 5D D9 26 91 AB 24 12 CB 76 22 DE 43 47 2D CF 28
X-Mailer: ELM [version 2.4 PL24 PGP5a]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone have experience with SNG (IBM Firewall) in a multi-homed configuration ?

In the SNG manual, there is the sentence "SNG should be work with 3 network interfaces".

I'd like to have a confirmation.

-- Stefano.

--
Stefano Taino, Technical Manager
CryptoNet Srl.
via 8va strada 24
20090 Segrate, MI
email: taino@cryptonet.it
phone: +39-2-7533205
fax: +39-2-7533220

From firewalls-owner Mon Sep 9 03:44:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA09777 for firewalls-outgoing; Mon, 9 Sep 1996 03:22:17 -0700 (PDT)
Received: from s.wipinfo.soft.net (s.wipinfo.soft.net [164.164.6.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA09769 for ; Mon, 9 Sep 1996 03:21:57 -0700 (PDT)
Received: by s.wipinfo.soft.net (4.1/SMI-4.1) id AA15545; Mon, 9 Sep 96 15:56:49 IST
Received: from comm10 by rolex.rnd.blr (4.1/SMI-4.1) id AA13336; Mon, 9 Sep 96 15:58:07+050
Received: (from rjoshi@localhost) by comm10 (8.6.12/8.6.9) id PAA16490; Mon, 9 Sep 1996 15:52:24 +0500
From: Rajesh Joshi
Message-Id: <199609091052.PAA16490@comm10>
Subject: Re: SOCKS5 Server for Windows NT from NEC
To: ashish@syl.nj.nec.com (Ashish Bisarya)
Date: Mon, 9 Sep 1996 15:52:22 +0500 (GMT+0500)
Cc: socks@socks.nec.com, socks5@socks.nec.com, firewalls@GreatCircle.COM
In-Reply-To: <199609061441.KAA26082@syl.syl.nj.nec.com> from "Ashish Bisarya" at Sep 6, 96 10:41:44 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> In message <199609040946.OAA24095@comm10>, Rajesh Joshi writes:
> >Hi all,
> >
> >We have downloaded SOCKS5 Server for Windows NT from NEC and copied
> >simple configuration file from samples to the directory containing socks5.exe
> >
> >The socks service starts but when we try to connect to application server using
> >netscape through socks server then it is not going through.
> >
> >Is this some configuration problem ? Can anybody throw some light on this ?
> >Whether anybody has successfully installed the SOCKS5 server for Windows NT ?
> >
> >Thanks in advance
> >
> >--
>
> There are a few things that you should check on:
>
> 1. Have you taken a look at the Event Log for any type of error or warning
> messages? The service may have trouble with your configuration file location
> or format.

Error logged was

  SOCKS Server Info: RegQueryValueEx failed. Cannot open named pipe error=2
  SOCKS Server Info: Could not open Registry

Can you help in terms of more information now ?

|==============================================================================|
| RAJESH B JOSHI                                                               |
| Sr. Engineer R & D (Software), Communications Group, Wipro Infotech Ltd.     |
|------------------------------------------------------------------------------|
| There's NO THRILL in easy sailing when the skies are clear and blue,         |
| There's NO JOY in merely doing things which ANY ONE can do,                  |
| But there is some satisfaction that is MIGHTY SWEET to take,                 |
| When you reach a DESTINATION that you thought you'd NEVER make.              |
|==============================================================================|

From firewalls-owner Mon Sep 9 04:29:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA13151 for firewalls-outgoing; Mon, 9 Sep 1996 04:20:18 -0700 (PDT)
Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA13130 for ; Mon, 9 Sep 1996 04:20:05 -0700 (PDT)
Received: from localhost (sconner@localhost) by cypress.cycon.com (8.7.5/8.7.3) with SMTP id GAA06917; Mon, 9 Sep 1996 06:29:27 -0400
Date: Mon, 9 Sep 1996 06:29:26 -0400 (EDT)
From: Steve Conner
To: Jesse
cc: firewalls@GreatCircle.COM
Subject: Re: FreeBSD Firewall Package
In-Reply-To: <199609081656.JAA12874@m4.sprynet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello Jesse,

My company, CYCON Technologies, currently offers a FreeBSD firewall called CYCON Labyrinth.
It is a packet filtering firewall that not only provides stateful security but full network-to-network address translation. Please send me an email with your fax number and I will ship out our literature including the current pricing. Steve --------------------------------------------------------------- Steve Conner Cypress Consulting, Inc. sconner@cycon.com 703-256-1279 Manager, Research & Development http://www.cycon.com CYCON Labyrinth, Firewall and Network Address Translator --------------------------------------------------------------- On Wed, 8 Jan 1986, Jesse wrote: > Hello Everyone! Sorry to bother you, but we are just putting in a > new server at my workplace, and I was wondering if anyone had any > suggestions on Free/Commercial 4.4BSD or FreeBSD firewall or proxy > packages. > From firewalls-owner Mon Sep 9 04:59:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA14865 for firewalls-outgoing; Mon, 9 Sep 1996 04:45:49 -0700 (PDT) Received: from finjan.com (mail.finjan.com [194.90.154.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA14800 for ; Mon, 9 Sep 1996 04:45:19 -0700 (PDT) Received: from mail.finjan.com ([194.90.154.8]) by finjan.com (5.x/SMI-SVR4) id AA03892; Mon, 9 Sep 1996 14:44:52 +0200 Message-Id: <323410FB.344E@finjan.com> Date: Mon, 09 Sep 1996 14:43:39 +0200 From: Shmulik Suhami Organization: Finjan Software LTD. X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: firewalls@greatcircle.com Cc: shlomo@mail.finjan.com Subject: Java Firewall Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know of a Java enabled firewall? Is there a need for such a feature? Are there any products available? -- **************************** Shmulik Suhami Marketing Manager FINJAN Software Ltd.
Tel: +972-9-658-440 Fax: +972-9-659-441 email: suhami@finjan.com Web: http://www.finjan.com/ **************************** From firewalls-owner Mon Sep 9 05:44:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA18358 for firewalls-outgoing; Mon, 9 Sep 1996 05:30:09 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA18338 for ; Mon, 9 Sep 1996 05:29:59 -0700 (PDT) Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id IAA10149; Mon, 9 Sep 1996 08:29:47 -0400 (EDT) Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id IAA13064; Mon, 9 Sep 1996 08:29:46 -0400 (EDT) X-Authentication-Warning: clark.net: proberts owned process doing -bs Date: Mon, 9 Sep 1996 08:29:45 -0400 (EDT) From: "Paul D. Robertson" To: Stefano Taino cc: firewalls@GreatCircle.COM Subject: Re: SNG multihomed works ? In-Reply-To: <199609091043.MAA11302@relay.cryptonet.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 9 Sep 1996, Stefano Taino wrote: > Does anyone have experience with SNG (IBM Firewall) in a multi-homed > configuration ? > > In the SNG manual, there is the sentence "SNG should be work with 3 network > interfaces". > > I'd like to have a confirmation. I've seen the pre-2.0 version working with four or five interfaces in a production environment with no problems. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." 
PSB#9280 From firewalls-owner Mon Sep 9 05:59:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA19794 for firewalls-outgoing; Mon, 9 Sep 1996 05:52:55 -0700 (PDT) Received: from pentagon-1dms0.army.mil (PENTAGON-1DMS0.ARMY.MIL [134.11.51.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA19775 for ; Mon, 9 Sep 1996 05:52:40 -0700 (PDT) Received: from pentagon-reno.army.mil (PENTAGON-RENO.ARMY.MIL [199.10.34.131]) by pentagon-1dms0.army.mil (8.7.4/8.7.5) with SMTP id IAA06287 for ; Mon, 9 Sep 1996 08:47:01 -0400 (EDT) Received: by pentagon-reno.army.mil with NT SMTP Gateway ver 31 id <3234122D@pentagon-reno.army.mil>; Mon, 09 Sep 96 08:48:45 E From: "Phipps, Chuck, , PM-IMT" To: Firewalls Subject: FW-1 on ATM Link w/ LANE Date: Mon, 09 Sep 96 09:50:00 E Message-ID: <3234122D@pentagon-reno.army.mil> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Is anyone running Checkpoint FW-1 on a Virtual LAN configuration? I am considering running the FW-1 on an HP-725 with HP-UX 9.05 OS. The box has a Fore Systems ATM NIC with two Virtual LANs utilizing LANE 1.0. My concern is performance degradation (will the FW-1 product pass the ATM 155 Mb/s; if not, what will it do)? I am also trying to determine potential test methods for checking the available bandwidth passed through the firewall. May use FW-1 to authenticate with SecurID and limit types of sessions allowed through the firewall. Thanks in advance.
_______________________________________________________________ phippsc@pentagon-reno.army.mil US Army ISEC 703-693-2027 From firewalls-owner Mon Sep 9 06:44:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22711 for firewalls-outgoing; Mon, 9 Sep 1996 06:28:10 -0700 (PDT) Received: from syl.syl.nj.nec.com (syl.syl.nj.nec.com [138.15.50.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA22695 for ; Mon, 9 Sep 1996 06:27:59 -0700 (PDT) Received: (from naomi@localhost) by syl.syl.nj.nec.com (8.7.5/8.7.3) id JAA22234; Mon, 9 Sep 1996 09:26:28 -0400 (EDT) From: Naomi Takahashi Message-Id: <199609091326.JAA22234@syl.syl.nj.nec.com> Subject: Re: SOCKS5 Server for Windows NT from NEC To: rjoshi@wipinfo.soft.net (Rajesh Joshi) Date: Mon, 9 Sep 1996 09:26:27 -0400 (EDT) Cc: ashish@syl.nj.nec.com, socks@socks.nec.com, socks5@socks.nec.com, firewalls@GreatCircle.COM In-Reply-To: <199609091052.PAA16490@comm10> from "Rajesh Joshi" at Sep 9, 96 03:52:22 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Error logged was > > SOCKS Server Info: RegQueryValueEx failed. Cannot open named pipe error=2 > SOCKS Server Info: Could not open Registry > > Can you help in terms of more information now? The Socks server is trying to look for the registry key that holds the name of the Named Pipe that it uses to communicate with the Socks5 Watcher (stored in your registry at HKEY_LOCAL_MACHINE/SOFTWARE/NEC/NT Socks5/1.0/SOCKS Monitor File). Even if you are not running the Watcher, the Socks server still needs the information. Typically, its value is set to be "\\.\PIPE\mon.pip". You might try this out... Hope this helps.
-- Naomi Takahashi (naomi@syl.nj.nec.com) NEC Systems Laboratory From firewalls-owner Mon Sep 9 07:06:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA24941 for firewalls-outgoing; Mon, 9 Sep 1996 06:46:59 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA24901 for ; Mon, 9 Sep 1996 06:46:33 -0700 (PDT) Received: from emailid90-pc.cisco.com ([171.68.41.109]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id GAA20661; Mon, 9 Sep 1996 06:45:49 -0700 Message-Id: <2.2.32.19960909154050.006f149c@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 09 Sep 1996 08:40:50 -0700 To: Charles Ragan , firewalls@GreatCircle.COM From: Chris Lonvick Subject: Re: curios traceroute Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello Charles, Yeah, I'm going to have to get the spell checker to look for valid RFCs as well as words. :-) I'd always assumed that the trace route utilities were utilizing the record route option in IP and getting the path when they set TTL low enough to fail at the last router. When TTL=0, somewhere in the network, the device holding the packet would send an ICMP time exceeded message back to the source. This is described in Request For Comment seven hundred ninety-two :-). While it's creating this new packet, it takes the header of the destroyed IP packet and dumps it into the payload of the ICMP packet. From the RFC: Internet Header + 64 bits of Data Datagram The internet header plus the first 64 bits of the original datagram's data. This data is used by the host to match ... As the original packet goes through the NAT towards the destination, the NAT will modify the source and destination addresses but it probably can't figure out what to do with the recorded route portion.
The "internal" routers will continue to add their addresses to the header until TTL is exceeded. Then, when the ICMP packet is going back "outside", the NAT will again translate the source and destination but won't dig into the ICMP packet to modify the traced route portion of the embedded IP header. RFC-One thousand six hundred thirty-one gets a little hazy when it talks about address translation of ICMP packets through the NAT. It is not entirely clear if the IP header information in the ICMP part of the body really need to be modified. This depends on whether or not any host code actually looks at this IP header information. Indeed, it may be useful to provide the exact header seen by the router or host that issued the ICMP message to aid in debugging. In any event, no modifications are needed for the Echo and Timestamp messages, and NAT should never need to handle a Redirect message. SNMP messages could be modified, but it is even more dubious than for ICMP messages that it will be necessary. Is there anyone that would care to comment about how trace route programs actually work? Thanks, Chris Lonvick Cisco Systems Consulting Engineering +1-713-778-5663 At 11:25 PM 9/8/96 -0500, Charles Ragan wrote: >Chris, > >Thanks for the heads up and info! You mis-typed rfc 792 (729 is the IAC for >telnet ;-) > >So....let me see if I have this straight (since I've only digested it!) 
- --remainder deleted for brevity-- From firewalls-owner Mon Sep 9 07:57:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA00959 for firewalls-outgoing; Mon, 9 Sep 1996 07:43:14 -0700 (PDT) Received: from nymt.reuter.com (nymt.reuter.com [204.5.74.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA00944 for ; Mon, 9 Sep 1996 07:43:02 -0700 (PDT) Received: by nymt.reuter.com (8.6.12) id KAA14890; Mon, 9 Sep 1996 10:43:32 -0400 Received: from zarquon(129.12.42.104) by nymt via smap (V1.3) id sma014879; Mon Sep 9 10:43:07 1996 Received: from titan.reuter. by zarquon (4.1) id AA10342; Mon, 9 Sep 96 10:35:27 EDT Received: by titan.reuter. (5.x/SMI-SVR4) id AA00384; Mon, 9 Sep 1996 10:36:36 -0400 From: grace@nymt.reuter.com (Grace Barraza) Message-Id: <9609091436.AA00384@titan.reuter.> Subject: su - userid To: firewalls@greatcircle.com Date: Mon, 9 Sep 1996 10:36:35 -0400 (EDT) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I know that this is not the right place, but thought that there must be a lot of capable people who can answer this. Our system administrator is not capable of distinguishing the fact of how to stop people from using someone else's id. We are running NIS+. The process: su - root (On any client machine, of which you have the password.) Now su - userid (You get logged in as the 'userid' specified). Is there a way to stop this (Other than going to AFS. etc...). Thanks in advance.
From firewalls-owner Mon Sep 9 08:45:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA01576 for firewalls-outgoing; Mon, 9 Sep 1996 07:51:06 -0700 (PDT) Received: from tcs_gateway1.treas.gov (tcs_gateway1.treas.gov [204.151.245.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA01425 for ; Mon, 9 Sep 1996 07:49:33 -0700 (PDT) Received: by tcs_gateway1.treas.gov id AA04252 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Mon, 9 Sep 1996 10:48:19 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-4); Mon, 9 Sep 1996 10:48:19 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-3); Mon, 9 Sep 1996 10:48:19 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-2); Mon, 9 Sep 1996 10:48:19 -0400 Received: by tcs_gateway1.treas.gov (Internal Mail Agent-1); Mon, 9 Sep 1996 10:48:19 -0400 Date: Mon, 9 Sep 1996 10:51:26 -0400 From: meritj@fincen.treas.gov (Jim Meritt) Message-Id: <199609091451.KAA09889@dirham.fincen.gov> To: firewalls@GreatCircle.COM, sun-managers@ra.mcs.anl.gov Subject: Network Security/Unix Network Security Conference Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone have a POC/information on SANS 97? I've been to 95 & 96 and found them VERY worthwhile. Understand it'll be in Baltimore?
Jim Meritt
From firewalls-owner Mon Sep 9 08:47:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02813 for firewalls-outgoing; Mon, 9 Sep 1996 08:03:58 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA02748 for ; Mon, 9 Sep 1996 08:03:21 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id KAA28747; Mon, 9 Sep 1996 10:03:02 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma003370; Mon Sep 9 09:03:38 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA15252; Mon, 9 Sep 1996 09:03:37 -0500 Received: by sonic.nmti.com; id AA16447; Mon, 9 Sep 1996 09:03:36 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9609091403.AA16447@sonic.nmti.com.nmti.com> Subject: Re: curios traceroute To: barney@databus.com (Barney Wolff) Date: Mon, 9 Sep 1996 09:03:36 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <32327ba20.568c@databus.databus.com> from "Barney Wolff" at Sep 8, 96 03:44:00 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I do understand that RFC1918 says that packets with those addresses > shall not be transferred across inter-enterprise links. I do not > understand what harm will be caused by TTL-exceeded packet from such > an address, and would welcome enlightenment. It opens you up to having someone using source-routing to diddle with your network if you're depending on the anonymity of the addresses for providing any protection (though of course that's a bad idea).
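The harm Peter da Silva points to above, as an added example that is not code from the thread or from any product: once a Time Exceeded reply has leaked an RFC 1918 hop address, an attacker can name that address in a loose-source-route option and let the border router carry the packet to it, so the check a border filter should make is to parse the IPv4 options and drop anything carrying LSRR or SSRR (and anything with a malformed option field, which would otherwise be a way to slip past the parser). The packet builder, the addresses and the option contents below are constructed for the example; the option numbers (RR 7, LSRR 131, SSRR 137) and the header layout are the standard ones.

```python
"""Added example (not from the thread): detect and drop source-routed IPv4
datagrams. Packets below are constructed; no checksum is computed because the
filter shown here does not verify one."""
import socket
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 7, 131, 137
SOURCE_ROUTE_OPTS = {IPOPT_LSRR, IPOPT_SSRR}


def ipv4_options(packet: bytes):
    """Yield (type, data) for each option in the IPv4 header.
    Malformed lengths raise ValueError so the caller can drop the packet."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            return
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route_hops(packet: bytes):
    """Addresses listed in an LSRR/SSRR option, or [] if the packet has none."""
    for kind, data in ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTS:
            # data[0] is the pointer; the rest is the list of 4-byte addresses
            return [socket.inet_ntoa(data[j:j + 4]) for j in range(1, len(data) - 3, 4)]
    return []


def filter_verdict(packet: bytes) -> str:
    """Border policy: drop source-routed or malformed datagrams, pass the rest."""
    try:
        return "DROP" if source_route_hops(packet) else "ACCEPT"
    except ValueError:
        return "DROP"


def make_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header with optional options (header checksum left 0)."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 1, 0,
                      64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options


def lsrr_option(hops) -> bytes:
    """Loose source route: type 131, length, pointer=4, then the hop list."""
    body = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


if __name__ == "__main__":
    plain = make_packet("198.51.100.7", "203.0.113.1")
    # the attacker names the private hop that leaked in the traceroute reply
    routed = make_packet("198.51.100.7", "203.0.113.1",
                         lsrr_option(["10.1.1.1", "10.1.1.5"]))
    print(filter_verdict(plain), filter_verdict(routed), source_route_hops(routed))
```

A record-route option (type 7), which Barney Wolff's ping -R uses, is deliberately not in the drop set: it only asks routers to write their addresses in, it does not steer the packet, so the filter lets it through.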
From firewalls-owner Mon Sep 9 09:14:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02746 for firewalls-outgoing; Mon, 9 Sep 1996 08:03:18 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA02675 for ; Mon, 9 Sep 1996 08:02:39 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id KAA28649; Mon, 9 Sep 1996 10:02:28 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma003225; Mon Sep 9 08:32:39 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA14300; Mon, 9 Sep 1996 08:32:39 -0500 Received: by sonic.nmti.com; id AA15116; Mon, 9 Sep 1996 08:32:38 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9609091332.AA15116@sonic.nmti.com.nmti.com> Subject: Re: C2 certified OS that can run a firewall To: wombat@mcfeely.bsfs.org (Rabid Wombat) Date: Mon, 9 Sep 1996 08:32:38 -0500 (CDT) Cc: mcnabb@argus.cu-online.com, firewalls@GreatCircle.COM In-Reply-To: from "Rabid Wombat" at Sep 6, 96 05:56:22 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Maybe. The biggest point for a "secure" OS vs. a "hardened" OS is that I > might want to be able to audit the actions of the person who has control > of the firewall system. This isn't a C2 thing, though, as I recall, but > comes up in the "B" rating. I could be wrong here, as I don't dig into > the rainbow books so much anymore. That depends on how you interpret the book. DEC says no. Just about everyone else (Secureware, Microsoft, etc) says yes, because of 2.2.2.2: "The TCB shall be able to record the following types of events: [...] actions taken by computer operators and system administrators and/or system security officers..." 
What Microsoft and Secureware do is security by obscurity. They don't provide documentation and tools necessary to allow you to dig into the TCB and fiddle with it. Though I have found a way for Administrator to get read/write access to the SAM without rebooting in NT. It's not any big secret, I've seen several other people refer to it... it's like the old cron hole in UNIX many many years ago. > M$ used to ship NT with "everyone" having rights to the system directory. > This may still be the case, for all I know; It is on NT 4.0 beta, and on 3.51. The resource kit has a tool that puts your system into a C2 secure state, but lots of applications stop working and of course networking is disabled. From firewalls-owner Mon Sep 9 09:14:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA03868 for firewalls-outgoing; Mon, 9 Sep 1996 08:18:21 -0700 (PDT) Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA03854 for ; Mon, 9 Sep 1996 08:18:09 -0700 (PDT) From: Barney Wolff To: firewalls@GreatCircle.COM Date: Mon, 9 Sep 1996 11:09 EDT Subject: Re: curios traceroute Content-Type: text/plain Message-ID: <323435260.6ce5@databus.databus.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Date: Mon, 09 Sep 1996 08:40:50 -0700 > From: Chris Lonvick > > Is there anyone that would care to comment about how trace route programs > actually work? They just send a UDP packet to a high-numbered port (where they hope nothing is listening), starting with TTL=1 and increasing. When TTL reaches 0, the device where it did so is supposed to send back an ICMP TTL-exceeded packet with the first part of the UDP packet sent. As traceroute sends packets with increasing TTL, they get further along the path to the destination. When TTL is high enough to actually reach the destination, the hope is that an ICMP port-unreachable will come back. 
Some ping programs have a -R or similar option which does use the record-route IP option. I've found that useful because routing is often asymmetric these days, but it's limited because of the limit on option size in the IP header. Barney Wolff From firewalls-owner Mon Sep 9 09:44:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA11179 for firewalls-outgoing; Mon, 9 Sep 1996 09:32:08 -0700 (PDT) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA11135 for ; Mon, 9 Sep 1996 09:31:46 -0700 (PDT) Received: from nexus.eng.auburn.edu.eng.auburn.edu (nexus.eng.auburn.edu [131.204.12.98]) by dns.eng.auburn.edu (8.7.5/8.6.4) with SMTP id LAA14356; Mon, 9 Sep 1996 11:31:25 -0500 (CDT) Date: Mon, 9 Sep 1996 11:31:25 -0500 (CDT) From: Doug Hughes Message-Id: <199609091631.LAA14356@dns.eng.auburn.edu> To: firewalls@GreatCircle.COM, grace@nymt.reuter.com Subject: Re: su - userid Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Hi, > >I know that this is not the right place, but thought that there must be >a lot of capable people who can answer this. > >Our system administrator is not capable of distinguishing the fact of >how to stop people from using someone else's id. >We are running NIS+. > >The process: > >su - root (On any client machine, of which you have the password.) > >Now >su - userid (You get logged in as the 'userid' specified). chmod 750 /bin/su chgrp staff /bin/su (or use whatever group all your admin people belong to.) However, this won't prevent people from using telnet, or rlogin, or any other of myriad ways to get to another's account. The problem is not su, it is of people sharing passwords. This is a people problem and not a technical one.
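The traceroute mechanics Chris Lonvick and Barney Wolff describe above (a UDP probe to a high port with a rising TTL, a Time Exceeded reply that quotes the probe's IP header plus 64 bits of data, and the RFC 1631 question of whether a NAT has to rewrite that quoted header), as an added, runnable illustration that is not code from the thread or from any product. The addresses, ports and the single DNAT mapping are constructed for the example; the header layouts and the RFC 1071 checksum are the standard ones. Whether a real client checks the quoted destination address as well as the ports is implementation-dependent, which is exactly the point the RFC passage quoted above leaves open; the client filter here does check it, so the run shows the failure that produces when a NAT translates only the outer header.

```python
"""Added illustration, not code from the thread or any product: traceroute
probe, ICMP Time Exceeded reply (RFC 792), and what a NAT must rewrite inside
the reply for the client's match to succeed. All addresses are constructed."""
import socket
import struct

TRACEROUTE_BASE_PORT = 33434


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def ipv4_rewrite(packet: bytes, src: str = None, dst: str = None) -> bytes:
    """Replace addresses in an IPv4 header and recompute its checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    if src:
        hdr[12:16] = socket.inet_aton(src)
    if dst:
        hdr[16:20] = socket.inet_aton(dst)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def traceroute_probe(src: str, dst: str, ident_port: int, hop: int) -> bytes:
    """Classic traceroute: UDP from a fixed source port to 33434+hop, TTL=hop.
    The UDP checksum is left zero, which IPv4 permits."""
    udp = struct.pack("!HHHH", ident_port, TRACEROUTE_BASE_PORT + hop, 8 + 12, 0)
    return build_ipv4(src, dst, 17, hop, udp + b"\x00" * 12)


def icmp_time_exceeded(router: str, expired: bytes) -> bytes:
    """What the router holding the TTL=0 packet sends: type 11, code 0, four
    unused bytes, then the expired packet's IP header plus its first 8 bytes."""
    ihl = (expired[0] & 0x0F) * 4
    body = struct.pack("!BBHI", 11, 0, 0, 0) + expired[: ihl + 8]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return build_ipv4(router, socket.inet_ntoa(expired[12:16]), 1, 64, body)


def nat_outbound_icmp(reply: bytes, public_dst: str, fix_inner: bool) -> bytes:
    """NAT handling an ICMP error leaving the private side. The router's own
    private source address has no mapping and goes out untouched (the RFC 1918
    hop the thread saw). fix_inner=False is the case the thread worries about:
    the quoted header inside the ICMP payload keeps the private address the
    NAT wrote into it on the way in."""
    ihl = (reply[0] & 0x0F) * 4
    outer, icmp = reply[:ihl], reply[ihl:]
    if fix_inner:
        inner = ipv4_rewrite(icmp[8:], dst=public_dst)     # undo the inbound DNAT
        icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + inner
        icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return outer + icmp


def hop_address(reply: bytes) -> str:
    """What traceroute prints for the hop: the reply's outer source address."""
    return socket.inet_ntoa(reply[12:16])


def traceroute_accepts(reply: bytes, target: str, ident_port: int, hop: int) -> bool:
    """The client's filter: a Time Exceeded whose quoted packet is *its* probe."""
    ihl = (reply[0] & 0x0F) * 4
    icmp = reply[ihl:]
    if icmp[0] != 11:
        return False
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (socket.inet_ntoa(inner[16:20]) == target
            and sport == ident_port and dport == TRACEROUTE_BASE_PORT + hop)


def simulate(fix_inner: bool, hop: int = 3):
    """Outside host traces to a public address the NAT maps to a private host;
    an internal router expires the probe. Returns (hop shown, client accepted)."""
    outside, public, private, router = "198.51.100.7", "203.0.113.1", "10.1.1.5", "10.1.1.1"
    probe = traceroute_probe(outside, public, ident_port=40000, hop=hop)
    inside = ipv4_rewrite(probe, dst=private)             # inbound DNAT
    reply = icmp_time_exceeded(router, inside)            # TTL expired inside
    reply = nat_outbound_icmp(reply, public, fix_inner)
    return hop_address(reply), traceroute_accepts(reply, public, 40000, hop)


if __name__ == "__main__":
    print("outer header only:", simulate(False))   # client discards, prints '*'
    print("quoted header too:", simulate(True))    # client prints 10.1.1.1
```

Either way the private router address is what traceroute would print for that hop, because it is the outer source of the reply and the NAT has no mapping for it; the difference the quoted header makes is whether the client accepts the reply at all, and a NAT that fixes it must also recompute both the quoted IP header checksum and the ICMP checksum, as the code does.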
From firewalls-owner Mon Sep 9 09:59:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA13604 for firewalls-outgoing; Mon, 9 Sep 1996 09:46:11 -0700 (PDT) Received: from GWSMTP.NU.COM (nu-mgt-1.nu.com [159.108.25.124]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA13486 for ; Mon, 9 Sep 1996 09:45:33 -0700 (PDT) Received: from NU-Message_Server by GWSMTP.NU.COM with Novell_GroupWise; Mon, 09 Sep 1996 12:37:07 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Mon, 09 Sep 1996 08:12:48 -0400 From: "JEFFREY P. BALLACHINO" To: firewalls-digest@GreatCircle.COM Subject: bootp and firewall-1 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a Synoptics 3000 hub on a protected network. I would like to allow this hub to load its image from a bootp server on our "public" network. I have configured a rule on the firewall (a SPARC 5 running Firewall-1 v2) to allow bootp and tftp between this hub and the bootp server. My problem is that bootp is always blocked by rule 0, which means some setting in my properties is incorrect. Also, in my log, the source of the bootp request is always blank. Why is the firewall unable to determine the source address of the bootp request? This may be the root of the problem. The destination is 255.255.255.255 which makes sense since the bootp request is a broadcast. Does anyone have any thoughts on this? 
thanks, jeff ballachino From firewalls-owner Mon Sep 9 10:14:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08209 for firewalls-outgoing; Mon, 9 Sep 1996 09:10:27 -0700 (PDT) Received: from deepeddy.DeepEddy.Com (DeepEddy.Com [192.12.3.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA08200 for ; Mon, 9 Sep 1996 09:10:02 -0700 (PDT) Received: from deepeddy.DeepEddy.Com (localhost [127.0.0.1]) by deepeddy.DeepEddy.Com (8.7.3/8.7.2) with ESMTP id LAA28731; Mon, 9 Sep 1996 11:09:02 -0500 (CDT) Message-Id: <199609091609.LAA28731@deepeddy.DeepEddy.Com> X-Mailer: exmh version 1.6.7 5/3/96 To: grace@nymt.reuter.com (Grace Barraza) Cc: firewalls@GreatCircle.COM, cwg@deepeddy.DeepEddy.Com Subject: Re: su - userid In-Reply-To: Your message of "Mon, 09 Sep 1996 10:36:35 EDT." <9609091436.AA00384@titan.reuter.> X-Url: http://www.DeepEddy.Com/~cwg Mime-Version: 1.0 Content-Type: multipart/signed; boundary="===_-1_Mon_Sep__9_11:08:58_CDT_1996"; micalc=pgp-md5; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Mon, 09 Sep 1996 11:08:59 -0500 From: Chris Garrigues Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --===_-1_Mon_Sep__9_11:08:58_CDT_1996 Content-Type: text/plain; charset=us-ascii > Hi, > > I know that this is not the right place, but thought that there must be > a lot of capable people who can answer this. > > Our system administrator is not capable of distinguishing the fact of > how to stop people from using someone else's id. > We are running NIS+. > > The process: > > su - root (On any client machine, of which you have the password.) > > Now > su - userid (You get logged in as the 'userid' specified). > > > Is there a way to stop this (Other than going to AFS. etc...).
two solutions: a) don't use NFS (my personal preference, but it's hard to convince clients of this idea) or b) don't let anybody who isn't a system administrator have a root password (my other preference, and what my clients actually do) Repeat after me: NFS sucks! Chris -- Chris Garrigues O- cwg@DeepEddy.Com Deep Eddy Internet Consulting +1 512 432 4046 609 Deep Eddy Avenue Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/ --===_-1_Mon_Sep__9_11:08:58_CDT_1996 Content-Type: application/pgp-signature -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQB1AwUBMjRBFZaQnaaFII2dAQF44gL+PgVzj4iyZ5Yp0PD39CLtnAJV4BCXT/Vf aRexGAM79JEY27jWcCDGtdWy/r8j2SAHBJ2eynct1EHcmyF4kYc4lAjWoO7ymrtF bMWSm0cxy579iRf4jKryEOfTtQl49LDp =mwpW -----END PGP MESSAGE----- --===_-1_Mon_Sep__9_11:08:58_CDT_1996-- From firewalls-owner Mon Sep 9 10:29:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05839 for firewalls-outgoing; Mon, 9 Sep 1996 08:42:47 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA05821 for ; Mon, 9 Sep 1996 08:42:30 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id KAA01898; Mon, 9 Sep 1996 10:34:30 -0400 Date: Mon, 9 Sep 1996 10:34:26 -0400 (EDT) From: Rabid Wombat To: Peter da Silva cc: mcnabb@argus.cu-online.com, firewalls@GreatCircle.COM Subject: Re: C2 certified OS that can run a firewall In-Reply-To: <9609091332.AA15116@sonic.nmti.com.nmti.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > It is on NT 4.0 beta, and on 3.51. The resource kit has a tool that puts your > system into a C2 secure state, but lots of applications stop working and of > course networking is disabled. > That would make for a splendid firewall; no network access at all. Sorta like Marcus' wirecutters, but uses up more end-of-year funding.
Keep plugging away folks, we're nearing enlightenment. - r.w. From firewalls-owner Mon Sep 9 11:00:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA22230 for firewalls-outgoing; Mon, 9 Sep 1996 10:48:37 -0700 (PDT) Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA22144 for ; Mon, 9 Sep 1996 10:48:12 -0700 (PDT) Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id NAA19422; Mon, 9 Sep 1996 13:28:19 -0400 (EDT) Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA02179; Mon, 9 Sep 1996 13:26:32 -0400 Received: from JIMLESTER [16.136.208.46] by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_00ab_3234_53cb_49c6; Mon, 09 Sep 1996 13:28:43 -0400 Message-Id: <1.5.4.32.19960909182920.006ebeb0@isbu-mail.ljo.dec.com> X-Sender: jim.lester@isbu-mail.ljo.dec.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 09 Sep 1996 13:29:20 -0500 To: "Jesse" , firewalls@greatcircle.com From: Jim Lester Subject: Re: FreeBSD Firewall Package Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please visit Digital's Altavista software homepage at http://altavista.software.digital.com. You can download their Altavista Firewall for BSDI. Email me if you have any problems. I work for DEC. At 10:57 AM 1/8/86 +0000, Jesse wrote: > Hello Everyone! Sorry to bother you, but we are just putting in a >new server at my workplace, and I was wondering if anyone had any >suggestions on Free/Commercial 4.4BSD or FreeBSD firewall or proxy >packages. 
> Jim Lester, Business Alliance Manager Altavista Internet Software Digital Equipment Corporation http://altavista.software.digital.com voice: 404.843.9645 From firewalls-owner Mon Sep 9 11:15:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA21152 for firewalls-outgoing; Mon, 9 Sep 1996 10:41:22 -0700 (PDT) Received: from slopok.roses.rockwell.com (slopok.roses.rockwell.com [141.102.33.160]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA21067 for ; Mon, 9 Sep 1996 10:40:45 -0700 (PDT) Received: by slopok.roses.rockwell.com (5.65/DEC-Ultrix/4.3) id AA09723; Mon, 9 Sep 1996 10:40:38 -0700 From: crotherm@roses.rockwell.com (Mark A. Crother) Message-Id: <9609091740.AA09723@slopok.roses.rockwell.com> Subject: Re: su - userid To: Doug.Hughes@eng.auburn.edu (Doug Hughes) Date: Mon, 9 Sep 1996 10:40:37 -0700 (PDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199609091631.LAA14356@dns.eng.auburn.edu> from "Doug Hughes" at Sep 9, 96 11:31:25 am X-Mailer: ELM [version 2.4 PL25] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > > >Hi, > > > >I know that this is not the right place, but thought that there must be > >a lot of capable people who can answer this. > > > >Our system administrator is not capable of distinguishing the fact of > >how to stop people from using someone else's id. > >We are running NIS+. > > > >The process: > > > >su - root (On any client machine, of which you have the password.) > > > >Now > >su - userid (You get logged in as the 'userid' specified). > > chmod 750 /bin/su > chgrp staff /bin/su > (or use whatever group all your admin people belong to.) That won't work because the client's root password is available to those who they wish to deny su, and with root you could just do chmod 755 /bin/su. Or for that matter, they could do anything they want on the client machine.
> > However, this won't prevent people from using telnet, or rlogin, or > any other of myriad ways to get to another's account. The problem > is not su, it is of people sharing passwords. This is a people > problem and not a technical one. Agreed! Root passwords belong only to sysadms if you wish to have a secure network. > > > -- Mark Crother crotherm@roses.rockwell.com Rockwell's Operational Software Engineering System (ROSES) Space Systems Division (SSD) All opinions are mine. From firewalls-owner Mon Sep 9 11:35:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA20005 for firewalls-outgoing; Mon, 9 Sep 1996 10:32:07 -0700 (PDT) Received: from slopok.roses.rockwell.com (slopok.roses.rockwell.com [141.102.33.160]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA19897 for ; Mon, 9 Sep 1996 10:31:32 -0700 (PDT) Received: by slopok.roses.rockwell.com (5.65/DEC-Ultrix/4.3) id AA09668; Mon, 9 Sep 1996 10:31:23 -0700 From: crotherm@roses.rockwell.com (Mark A. Crother) Message-Id: <9609091731.AA09668@slopok.roses.rockwell.com> Subject: Re: su - userid To: grace@nymt.reuter.com (Grace Barraza) Date: Mon, 9 Sep 1996 10:31:22 -0700 (PDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <9609091436.AA00384@titan.reuter.> from "Grace Barraza" at Sep 9, 96 10:36:35 am X-Mailer: ELM [version 2.4 PL25] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Not knowing much about NIS+, I would not know how to disable su'ing in that environment (assuming there is a way to, of which I don't know). But as a person who works at a site with many unix workstations on users' desks I have to ask one question: Why are users given root access at all? They certainly should not need it unless they are working as a sysadm. And if that is the case, then you should reconsider using NIS+ and keep to separate passwd files.
As long as you have "trusted" unix machines in your network for which
untrusted people have the root password, you will not have a "secure
network". I would recommend all the unix boxes to have the same root
password and ONLY the real sysadms have access to it.

> Hi,
>
> I know that this is not the right place, but thought that there must be
> a lot of capable people who can answer this.
>
> Our system administrator is not capable of distinguishing the fact of
> how to stop people from using someone else's id.
> We are running NIS+.
>
> The process:
>
> su - root (On any client machine, of which you have the password.)
>
> Now
> su - userid (You get logged in as the 'userid' specified).
>
> Is there a way to stop this (Other than going to AFS, etc...).
>
> Thanks in advance.

--
Mark Crother
crotherm@roses.rockwell.com
Rockwell's Operational Software Engineering System (ROSES)
Space Systems Division (SSD)

From firewalls-owner Mon Sep 9 11:37:28 1996
From: cyrille@MicroCell.Net (Cyrille Thilloy)
To: firewalls-digest@GreatCircle.COM
Subject: FW-1 outgoing HTTP authentication
Date: Mon, 9 Sep 1996 13:53:04 -0400

Hi FW-1 gurus,

I'm trying to set an authentication policy for my users' outgoing
access. The atelnetd and aftd daemons work directly as expected, but
what about the ahttpd one? It seems that if I want to authenticate the
outgoing HTTP (from my LANs to any Internet Web server) packets I have
to set some kind of proxy on the Firewall and list it in the
authentication menu... Is this the only way to do such a thing or have
you a simpler way?

Thanks for your help,
Cyrille.Thilloy@microcell.net

From firewalls-owner Mon Sep 9 12:04:50 1996
From: lresch@nswc.navy.mil
To: firewalls@GreatCircle.com (Firewalls Mailing List)
Subject: Netware Password Cracking
Date: Mon, 9 Sep 96 14:21:21 EDT

I am looking for a utility that will let me try to break my users'
passwords on a Netware 4.1 server. I am looking for something similar
to the UNIX utilities as part of our system accreditation -- make sure
people are not using simple-to-guess passwords....

Thanks.

+----------------------------------------------------+
| Larry Resch                                        |
| lresch@nswc.navy.mil                               |
|                                                    |
| My thoughts are mine alone, and do not necessarily |
| reflect the thoughts of those for whom I work.     |
+----------------------------------------------------+

From firewalls-owner Mon Sep 9 12:29:21 1996
From: Peter Yau
To: Firewalls@GreatCircle.com
Subject: Lotus Notes Security
Date: Mon, 9 Sep 1996 14:44:15 -0400 (EDT)

In addition to packet filtering on tcp 1352 for Lotus Notes traffic and
the inherent "built-in" security nature of Notes, has anyone found the
need to implement an application proxy for Notes as an additional
security measure? If so, what firewall can participate at the
application level to understand a Notes network conversation?
Furthermore, even if such does exist, how can it decrypt the line
conversation between Notes nodes if encryption was enabled? I would
prefer not to use a separate solution from Notes. Better to have
support integrated into an existing firewall, i.e. Firewall-1.
From firewalls-owner Mon Sep 9 12:44:33 1996
From: Geoff Mulligan
To: Felber@abacus.ch
Cc: firewalls@greatcircle.com
Subject: Re: curios traceroute
Date: Mon, 09 Sep 1996 13:33:31 -0600

First, standard unix traceroute uses udp packets with increasing ttls to
find the routers along the path to the host. As each successive router
receives the udp packet it decrements the TTL until it's zero and then
sends back an icmp time exceeded message. Traceroute calculates the time
since the original packet was sent and uses the source ip address in the
icmp message to display the lines seen in the traceroute output.

If your router or proxy or whatever box that is providing the private
network isolation doesn't either stop or rewrite icmp messages, then
they will leak out of your network as shown. The final destination
(194.209.14.36) wasn't shown because the router 192.168.2.42 sent back
icmp host unreachable messages rather than time exceeded messages and
traceroute stopped.
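A small model of the behaviour Geoff describes, added here as an example and not part of the original post or of any traceroute implementation: it replays traceroute's TTL stepping against a constructed chain of routers, records the source address of each ICMP reply, and flags the hops whose addresses fall in RFC 1918 space, which are exactly the private-side replies an isolation box should have stopped or rewritten. The public addresses, the rewrite_to field and the "isolated" chain are constructed assumptions; only 192.168.2.42 and 194.209.14.36 come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 space: any of these appearing in a trace taken from outside means
# an ICMP reply from a private-side router got out unchanged.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Router:
    addr: str            # source address the router puts on its ICMP replies
    can_forward: bool    # False: no route onward, answers "host unreachable"
    # Hypothetical: address the isolation box rewrites this hop's ICMP source
    # to (its own external address), or None when it passes the reply as-is.
    rewrite_to: Optional[str] = None


def _icmp_source(r: Router) -> str:
    return r.rewrite_to if r.rewrite_to else r.addr


def probe(path: List[Router], dest: str, ttl: int) -> Tuple[str, str]:
    """One UDP probe with the given TTL sent along `path`.

    Each router decrements the TTL; at zero it answers "time-exceeded".
    A router that cannot forward answers "host-unreachable" instead.
    A probe that survives every router reaches `dest`, whose closed UDP
    port answers "port-unreachable" (how traceroute knows it is done).
    """
    for r in path:
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", _icmp_source(r))
        if not r.can_forward:
            return ("host-unreachable", _icmp_source(r))
    return ("port-unreachable", dest)


def traceroute(path: List[Router], dest: str, max_ttl: int = 30):
    """Replay traceroute's loop: TTL 1, 2, 3, ... until a reply other than
    time-exceeded arrives (destination reached, or an unreachable error)."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, src = probe(path, dest, ttl)
        hops.append((ttl, kind, src))
        if kind != "time-exceeded":
            break
    return hops


def leaked_private_hops(hops) -> List[str]:
    """Distinct RFC 1918 addresses seen in the trace, in order of appearance:
    ICMP replies the private-network isolation let out unmodified."""
    leaked = [src for _, _, src in hops
              if any(ipaddress.ip_address(src) in net for net in PRIVATE_NETS)]
    return list(dict.fromkeys(leaked))


# Constructed path modelled on the thread: an ISP router (TEST-NET-3 address,
# constructed), a private-side router, and 192.168.2.42 with no route onward.
DEST = "194.209.14.36"
LEAKY_PATH = [
    Router("203.0.113.1", True),
    Router("192.168.2.1", True),
    Router("192.168.2.42", False),
]
# Same chain, but the isolation box rewrites private-side ICMP sources to its
# own (constructed) external address, so nothing internal is exposed.
ISOLATED_PATH = [
    Router("203.0.113.1", True),
    Router("192.168.2.1", True, rewrite_to="203.0.113.2"),
    Router("192.168.2.42", False, rewrite_to="203.0.113.2"),
]

if __name__ == "__main__":
    for name, path in (("leaky", LEAKY_PATH), ("isolated", ISOLATED_PATH)):
        hops = traceroute(path, DEST)
        print(name)
        for ttl, kind, src in hops:
            print(f" {ttl:2d}  {src:16s} {kind}")
        print(" leaked private addresses:", leaked_private_hops(hops))
```

In both runs the destination never appears, because the last router answers host unreachable to the fourth probe and the loop stops, just as in the trace Geoff explains.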
geoff

From firewalls-owner Mon Sep 9 12:59:08 1996
From: george@neato.org
To: firewalls@greatcircle.com, Daniel Baldoni
Subject: Re: Oddly changing FW-1 files
Date: Mon, 9 Sep 1996 12:08:58 -0700 (PDT)

Daniel Baldoni wrote:
> The file in question is modules/fwmod.5.3.o under the Firewall-1
> installation. At approximately the indicated file-change time, the
> Firewall-1 license was upgraded but our operations staff have not
> listed that file in their regular TripWire reports to me (and the new
> license went in about 2 weeks ago).
>
> So, can anybody out there shed some light on this? Thanks in advance.

This is Checkpoint's back door so they can automatically update the code
running on your firewall and keep you up to the latest edition without
your interference. :-)

Just kidding, I hope? Was the file actually changed or just the time
stamp on the file?

george

From firewalls-owner Mon Sep 9 13:14:58 1996
From: Gene Lee
To: "firewalls@GreatCircle.COM"
Subject: RE: SNG multihomed works ?
Date: Mon, 9 Sep 1996 15:39:02 -0400

On Monday, September 09, 1996 8:24 AM, Stefano Taino[SMTP:taino@cryptonet.it] wrote:
> Does anyone have experience with SNG (IBM Firewall) in a multi-homed
> configuration ?
>
> In the SNG manual, there is the sentence "SNG should be work with 3 network
> interfaces".
>
> I'd like to have a confirmation.

Stefano,

SNG will work with up to 8 network adapters. What version of SNG are you
running?
--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Mon Sep 9 13:29:35 1996
From: Joseph.Cupano@ey.com
To: firewalls@greatcircle.com
Subject: Lotus Notes Security
Date: Mon, 9 Sep 1996 16:05:46 -0400

> Hello all!
>
> While Notes access through firewalls is a FAQ (short answer: use your
> favorite circuit-level relay to pass traffic on port 1352 to your
> notes server), I was looking for a true application level proxy. By
> this I mean a proxy that would UNDERSTAND the protocol Notes uses,
> and allow me the functionality to:

Efficient and effective Notes firewall design is best served by
understanding the Notes environment. Notes is a complex application with
granularity of access control from Server/Database/Document down to
Field level. At the application level, Notes provides the most
granularity of control. So much so that when you try to firewall two
networks that include Notes, the network layer is your weakest link.

NOTES FIREWALL IMPLEMENTATION EXAMPLES

    PRIVATE-------N------FW-----N-----INTERNET

    N  = Notes Server
    FW = Firewall

This would be the typical paradigm followed by firewall experts who are
network layer centric in their approach. The two Notes servers simply
replicate at Port 1352. There is no direct control of the external Notes
server.

                 /----NFW----\
    PRIVATE-----<             >--------INTERNET
                 \-----FW-----/

(Private network to two firewalls in parallel, one network level
firewall, second is Notes Firewall)

In this scenario you have a Notes Firewall (pass-thru server) in
parallel with the traditional firewall. The Notes Firewall would be a
dual NIC (IP Forwarding disabled) on an NT or UNIX box. Security
mechanisms within Notes would be utilized. (Client encryption, Pub/Priv
key authentication, minimized version of Notes NAB on NFW.) No
replication or additional database management is necessary except
defining access limitations among the existing internal
servers/databases. The NFW is a true application-level firewall, Notes
being the application. Yes, you are trusting the security mechanisms
(and local implementations.) In some firewall implementations, are we
not trusting FTP data transfers?

RISK

The risk is equivalent in both scenarios, the management and
administration have only been simplified. For someone to successfully
attack a Notes environment they need a copy of your ID file (stored
locally) and know your password.

OUTSIDE OF SCOPE

This scenario excludes the Domino or Notes 4.5 environments. 4.5
provides mechanisms for anonymous access and Domino permits basic
authentication via HTTP.

Regards,
Joe

From firewalls-owner Mon Sep 9 13:46:31 1996
From: firstcat@lsli.com
To: Peter Yau
Subject: RE: Lotus Notes Security
Date: Mon, 9 Sep 96 15:21:45

LSLI's PORTUS firewall includes a Notes proxy. For more information
contact LSLI.

---
On Mon, 9 Sep 1996 14:44:15 -0400 (EDT) Peter Yau wrote:
> In addition to packet filtering on tcp 1352 for Lotus Notes traffic and
> the inherent "built-in" security nature of Notes, has anyone found the
> need to implement the application proxy for Notes as additional security
> measure? If so, what firewall can participate at the application level
> to understand a Notes network conversation. Furthermore, even if such
> does exist, how can it decrypt the line conversation between Notes nodes if
> encryption was enabled. I would prefer not to use a separate solution from
> Notes. Better to have support integrated into an existing firewall, i.e.
-----------------End of Original Message-----------------

-------------------------------------
Jay Lyall
Channel Sales Director
Livermore Software Laboratories, Intl.
2825 Wilcrest, Suite 160
Houston, Texas 77042-3358
1-713-974-3274
jay@lsli.com
Date: 9/9/96

"I'm not a vegetarian because I love animals; I'm a vegetarian because I
hate plants." --A. Whitney Brown
-------------------------------------

From firewalls-owner Mon Sep 9 13:59:56 1996
From: hsingh@nymt.reuter.com (Hardayal Singh)
To: Firewalls@greatcircle.com
Cc: kuljeet@platsol.com
Subject: telnet proxy ..
Date: Mon, 9 Sep 1996 16:34:34 -0400 (EDT)

Hi,

Before I go ahead and write this, I wanted to make sure if anybody has
done this and any special concerns to be kept in mind. Also if there is
something available as shareware etc.

What we have currently?

    telnet machine-name_1 port-no_1

(The user can be on any machine within the house.) The above results in
formatted data being displayed with cursors. The problem with this is
that every time the user has to go through the same machine_name_1, and
this being a server, requires direct access through a firewall and also
opens up the routing channel.

What I want?

The user should be able to type in

    Mod_tn_process_OR_another_process machine_name_2 port-no_2
('Mod_tn_process_OR_another_process' should be able to run on any
machine within the house.) Now 'machine-name2' is a secure machine and
is part of a subnet which does not need any security. Also
'Mod_tn_process_OR_another_process' could be either a modified telnet
process or another process which simply would receive the same data
from port_no_2 on machine_name_2, as if it was getting data from
port_no_1 on machine_name_1 (server). In other words the
'Mod_tn_process_OR_another_process' should be smart enough to talk to
port_no_1 on machine_name_1 (server) but ACTUALLY doing this through
port_no_2 on machine_name_2. In this, the necessity for every user
having the necessary routing to the server backbone is eliminated by a
secure subnet in between which will house machine_name_2.

Regards
hs

From firewalls-owner Mon Sep 9 14:16:27 1996
From: Rudolf Busch
Organization: RimpexChile S.A.
To: firewalls@GreatCircle.COM
Subject: libdes.a
Date: Mon, 09 Sep 1996 17:04:36 -0400

I'm trying to compile S/Key (with additional modification from Marcus
Ranum: MD4 + DES). But I need libdes.a. Can I use this library outside
the US? Can I download this library from a US ftp server?

TIA,
Rudi
--
Rudolf Busch
mailto:rudolf.busch@rimpex.cl
http://www.rimpex.cl/images/rudolf.busch.gif

From firewalls-owner Mon Sep 9 14:29:09 1996
From: inter
To: Steve Conner
Cc: Jesse, firewalls@GreatCircle.COM
Subject: Re: FreeBSD Firewall Package
Date: Mon, 9 Sep 1996 15:50:26 -0500 (CDT)

On Mon, 9 Sep 1996, Steve Conner wrote:
> Hello Jesse,
>
> My company, CYCON Technologies, currently offers a FreeBSD firewall called
> CYCON Labyrinth. It is a packet filtering firewall that not only provides
> stateful security but full network to network address translation.
>
> Please send me an email with your fax number and I will ship out our
> literature including the current pricing.
>
> Steve
>
> ---------------------------------------------------------------
> Steve Conner                     Cypress Consulting, Inc.
> sconner@cycon.com                703-256-1279
> Manager, Research & Development  http://www.cycon.com
> CYCON Labyrinth, Firewall and Network Address Translator
> ---------------------------------------------------------------
>
> On Wed, 8 Jan 1986, Jesse wrote:
>
> > Hello Everyone! Sorry to bother you, but we are just putting in a
> > new server at my workplace, and I was wondering if anyone had any
> > suggestions on Free/Commercial 4.4BSD or FreeBSD firewall or proxy
> > packages.

This is what I think about firewalls..
If you provide a way in for 1 address/domain name then you provide a way
in for the intruder. Instead of systems spending so much money in
denying service to ppl, try spending money on better logs/a better way
of tracing an intruder. There will always be a way in.. the point is
will they get caught

From firewalls-owner Mon Sep 9 14:59:23 1996
From: "L'ROY Robert (MSMail)"
To: "grace@nymt.reuter.com"
Cc: Firewalls-List
Subject: RE: su - userid
Date: Mon, 9 Sep 1996 16:45:00 -0600

Although this is not apropos to the topic of this list, it is related
through security issues, so I'll be brief...

The real problem is access to the local root account and then to
NFS/NIS+ distributed user accounts. The only way to stop access to the
local root account is to set a password with eeprom. This should stop
an attempt to reset the local root password. This does not address the
issue of users sharing their personal passwords!

Bob

----------
From: grace@nymt.reuter.com
To: firewalls@GreatCircle.COM
Subject: su - userid
Date: Monday, September 09, 1996 8:36AM

Hi,

I know that this is not the right place, but thought that there must be
a lot of capable people who can answer this.

Our system administrator is not capable of distinguishing the fact of
how to stop people from using someone else's id.
We are running NIS+.

The process:

su - root (On any client machine, of which you have the password.)

Now
su - userid (You get logged in as the 'userid' specified).

Is there a way to stop this (Other than going to AFS, etc...).

Thanks in advance.

From firewalls-owner Mon Sep 9 15:37:46 1996
From: Dan Netshow
To: firewalls@greatcircle.com
Subject: commercial socks5 server?
Date: Mon, 9 Sep 1996 18:17:15 -0400 (EDT)

Are there any commercial socks5 servers available?

thanks
Dan Kelley
The Netshow Company

From firewalls-owner Mon Sep 9 16:44:35 1996
From: Richard Ruda
To: "'GreatCircles firewall message host'"
Subject: Modem hacking
Date: Mon, 9 Sep 1996 16:37:11 -0700

Can someone list the dangers of having modems installed in host PCs.
These modems would have direct outside telephone connections.

These few PCs are part of a large firewalled network but the firewall
would not protect against hacking via these modems/PCs.

What potential dangers are there to the network when:

- Modem is set to listen for incoming calls at all times.
- Modem is not set to listen for incoming calls but is host
  activated/used for specific outside comms (for example for sending
  faxes or specific dial-in to remote systems). Is there a danger
  whilst the modem is in use and whilst idle?

What else to look out for?

Thanks,
Richard R

From firewalls-owner Mon Sep 9 16:59:22 1996
From: nsaputra@HEA.COM (Nancy Saputra X8387)
To: firewalls@greatcircle.com
Subject: secure http proxy?
Date: Mon, 9 Sep 1996 16:29:34 -0700

Hi,

Is there a proxy for secure http? What are the standard source and
destination ports?

Thanks,
Nancy

From firewalls-owner Mon Sep 9 17:33:44 1996
(SMI-8.6/SMI-SVR4) id RAA24565; Mon, 9 Sep 1996 17:19:55 -0700 Date: Mon, 9 Sep 1996 17:19:55 -0700 From: bobk@manzanita (Bob Konigsberg) Message-Id: <199609100019.RAA24565@manzanita.> To: rruda@osti.com Subject: Re: Modem hacking Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My concerns are: 1) Remote PC, PC Anywhere (and similar products), someone could guess the password or worse the system doesn't have a password. Once in, they're on your net completely around any other barriers put up on the outside. 2) Some PC packages can be configured to route IP traffic. There are people who consider their personal connectivity to be more important (to them) than any security considerations someone else (like management) might have. 3) I don't mind dial-out capability only. If people really need this, then I recommend a modem pooling solution where dial-ins are met with either no answer, or a secured login prompt of some sort administered by people who know what they are doing. As a backup proposition (meaning if you HAVE to allow dial-ins), then set the modem to not answer until 10 or 12 rings. This is VERY WEAK security, but it will generally not answer demon-dialers which give up after 3-5 rings. In addition, get a demon-dialer yourself, and scan all incoming phone lines on a regular basis, and when you find modems that answer the phone, contact the owner/operator of said modem, and insist that they beef up their security. 
BobK From firewalls-owner Mon Sep 9 18:05:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08389 for firewalls-outgoing; Mon, 9 Sep 1996 17:36:42 -0700 (PDT) Received: from ns1.insweb.com (ns1.insweb.com [206.151.34.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA08228 for ; Mon, 9 Sep 1996 17:36:03 -0700 (PDT) Received: from mail.secure.insweb.com ([192.168.1.149]) by ns1.insweb.com (8.7.3/8.6.12) with SMTP id RAA24424 for ; Mon, 9 Sep 1996 17:34:10 -0700 (PDT) Received: by mail.secure.insweb.com with Microsoft Exchange (IMC 4.1.611) id <01BB9E74.E72DBD30@mail.secure.insweb.com>; Mon, 9 Sep 1996 17:32:41 -0700 Message-ID: From: "David J. Taylor" To: Steve Conner , inter Cc: Jesse , "firewalls@GreatCircle.COM" Subject: RE: FreeBSD Firewall Package Date: Mon, 9 Sep 1996 17:32:40 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.1.611 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BB9E74.E730CA70" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. Contact your mail administrator for information about upgrading your reader to a version that supports MIME. ------ =_NextPart_000_01BB9E74.E730CA70 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable That's fine as long as you have 24x7 surveillance. But having logs = showing an address doesn't give you much comfort if the intruder came = in, did the damage and left before anyone could detect and stop him. I = would submit that prevention is still the best medicine. 
---------- From: inter[SMTP:inter@blue.misnet.com] Sent: Monday, September 09, 1996 1:50 PM To: Steve Conner Cc: Jesse; firewalls@GreatCircle.COM Subject: Re: FreeBSD Firewall Package On Mon, 9 Sep 1996, Steve Conner wrote: > Hello Jesse, >=20 > My company, CYCON Technologies, currently offers a FreeBSD firewall = called > CYCON Labyrinth. It is a packet filtering firewall that not only = provides > statefull security but full network to network address translation. >=20 > Please send me an email with your fax number and I will ship out our > literature including the current pricing. >=20 > Steve >=20 > --------------------------------------------------------------- > Steve Conner Cypress Consulting, Inc. > sconner@cycon.com 703-256-1279 > Manager, Research & Development http://www.cycon.com > CYCON Labyrinth, Firewall and Network Address Translator=09 > --------------------------------------------------------------- >=20 > On Wed, 8 Jan 1986, Jesse wrote: >=20 > > Hello Everyone! Sorry to bother you, but we are just putting in a=20 > > new server at my workplace, and I was wondering if anyone had any=20 > > suggestions on Free/Commercial 4.4BSD or FreeBSD firewall or proxy=20 > > packages.=20 > >=20 >=20 >=20 This is what I think about firewalls.. If you provide a way in for 1 address/domain name then you provide a way = in for the intruder. instead of systems spending so much money in = denying=20 service to ppl try spending money on better logs/a better way of tracing = an intruder. There will allways be a way in.. 
the point is will they get caught

From firewalls-owner Mon Sep 9 18:14:12 1996
From: corby@intuit.com (Corby Anderson)
Message-Id: <9609100053.AA26051@cliff>
Subject: Re: secure http proxy?
To: nsaputra@HEA.COM (Nancy Saputra X8387)
Date: Mon, 9 Sep 1996 17:54:07 -0700 (PDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <9609092329.AA17274@dbwhdsk.hyundai.com> from "Nancy Saputra X8387" at Sep 9, 96 04:29:34 pm

> Is there a proxy for secure http? What is the standard source and
> destination ports?

Ari Luotonen (then of CERN, now of Netscape) wrote an SSL patch to the cern httpd proxy version 3.0 and cern common library version 2.17. The patch and its configuration information are at:

http://www.w3.org/pub/WWW/Daemon/Patch/SSL.patch

Netscape also provides an SSL enabled proxy.
Corby

From firewalls-owner Mon Sep 9 18:44:15 1996
From: Adam Shostack
Message-Id: <199609100217.VAA18758@homeport.org>
Subject: Re: libdes.a
To: rudolf.busch@rimpex.cl (Rudolf Busch)
Date: Mon, 9 Sep 1996 21:17:20 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <32348664.5971@rimpex.cl> from "Rudolf Busch" at Sep 9, 96 05:04:36 pm

Rudolf Busch wrote:
| I'm trying to compile S/Key (with additional modification from
| Marcus Ranum: MD4 + DES).
|
| But I need libdes.a. Can I use this library outside the US?
| Can I download this library from a US ftp server?

Yes you can use it outside the US, you simply can't get it from the US. Try ftp://idea.dsi.unimi.it/pub/crypt/libdes/

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Mon Sep 9 18:49:40 1996
From: Steve Kennedy
Message-Id: <199609100049.BAA14127@ford.gbnet.org>
Subject: Re: libdes.a
To: rudolf.busch@rimpex.cl (Rudolf Busch)
Date: Tue, 10 Sep 1996 01:49:50 +0100 (BST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <32348664.5971@rimpex.cl> from "Rudolf Busch" at Sep 9, 96 05:04:36 pm

According to Rudolf Busch
> I'm trying to compile S/Key (with additional modification from
> Marcus Ranum: MD4 + DES).
> But I need libdes.a. Can I use this library outside the US?
> Can I download this library from a US ftp server?

The US ITAR regulations forbid the export of crypto technology (considered munitions).

There is a very complete implementation of DES and various other algorithms (SSLeay etc) on ftp://ftp.psy.uq.oz.au/pub/Crypto which I mirror on ftp://ftp.gbnet.net/pub/security/Crypto

There is also a replacement for RSAREF (called RSAEURO) ftp://ftp.gbnet.net/pub/security/rsaeuro

NOTE It is ILLEGAL to use RSAEURO in the US.
Regards

Steve
--
home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103
www http://www.gbnet.net/ * 07010 707 838 should follow me (hopefully)
bits steve@gbnet.net * Orange mobile +44-(0)973 600050
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Mon Sep 9 19:09:47 1996
Date: Mon, 9 Sep 1996 20:44:41 -0400 (EDT)
From: Moroni
To: Richard Ruda
cc: "'GreatCircles firewall message host'"
Subject: Re: Modem hacking
In-Reply-To: <01BB9E6D.2D075620@rruda>

What you are describing is a nightmare. They can be put on lines, remote accessing can occur, Satan or something comparable can be used to look for security holes in your system if you are internet connected, commandeering can take place, info warfare or at least virus warfare, theft of services or theft of intellectual property and other things too bad to describe.

On Mon, 9 Sep 1996, Richard Ruda wrote:
> Can someone list the dangers of having modems installed in host PCs. These modems would have direct outside telephone connections.
> These few PCs are part of a large firewalled network but firewall would not protect hacking via these modems/PC's.
> What potential dangers are there to the network when:
> - Modem is set to listen for incoming calls at all times.
> - Modem is not set to listen for incoming calls but is host activated/used for specific outside comms (for example for sending faxes or specific dial-in to remote systems). Is there a danger whilst the modem is in use and whilst idle?
> What else to look out for?
>
> Thanks,
> Richard R
>

From firewalls-owner Mon Sep 9 19:49:20 1996
Date: Mon, 9 Sep 1996 22:27:57 -0400
Message-Id: <199609100227.WAA04349@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Doug Hughes
Cc: rich, firewalls@GreatCircle.COM
Subject: Re: authenticated/encrypted sessions
Reply-To: cmcurtin@research.megasoft.com

>>>>> "Doug" == Doug Hughes writes:

Doug> What about designing a proxy for stel or ssh? A proxy would
Doug> probably be harder to do in this instance than a packet filter
Doug> of some sort because they both have active man in the middle
Doug> prevention which might get in your way depending on how you
Doug> implement your proxy.

I've been considering doing just that. Basically, it could be just another option on a FWTK tn-gw-type menu.
Telnet to the proxy host in the clear, and from there, instead of doing a telnet remote.host, do ssh remote.host. This is fine if you're trying to keep your sessions across the Internet private, but little if you're trying to keep your sessions across your own networks private.

Of course, this solution isn't really as elegant and transparent as built-in SOCKS support, for example, perhaps one that would even allow scp through the firewall...

--
C Matthew Curtin MEGASOFT, INC Chief Scientist
I speak only for myself. Don't whine to anyone but me about anything I say.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
cmcurtin@research.megasoft.com http://research.megasoft.com/people/cmcurtin/

From firewalls-owner Mon Sep 9 19:59:19 1996
Date: Mon, 9 Sep 1996 22:46:30 -0400
Message-Id: <199609100246.WAA04356@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Joe Judge
Cc: Bernd Eckenfels, Il Oh, firewalls@GreatCircle.COM
Subject: Re: smap alternative?
In-Reply-To: <3230DEB3.6C30@joesmac.ultranet.com>
Reply-To: cmcurtin@research.megasoft.com

>>>>> "Joe" == Joe Judge writes:

Joe> a couple years ago, I remember the net had some *very* simple
Joe> SMTP server code ... supported just the commands to suck a piece
Joe> of email in -- then handed it to some mailer program.

Something along those lines is available from ftp://ftp.berkeley.edu/ucb/src/sendmail/sendmail_wrapper.c

Basically, this just looks for silly things like newlines in environment variables, passing shell characters to popen, etc. But it's enough to demonstrate the concept, as well as be useful in preventing against some boneheaded things that people might be inclined to try.

For the lazy, I've included the source here.

-matt

------------------------- sendmail_wrapper.c -------------------------
/*
** sendmail_wrapper.c - wrap sendmail to prevent newlines in command line
** and clean up the environment.
**
** - v1.2 prevent exploitation of '-oR' on SunOS 4.1.x
** - v1.3 update installation instructions
** - v1.4 Parse options for SunOS sendmail to prevent
**        shell characters being passed to popen
** - v1.5 Stop core dumps if someone supplies silly args
** - v1.6 Protect against possible syslog() buffer overrun
**        Update installation instructions
**
** Authors: Eric Halil, Danny Smith
**          AUSCERT
**          c/o Prentice Centre
**          The University of Queensland
**          Qld. 4072.
**          Australia
**          auscert@auscert.org.au
**
** Disclaimer: The use of this program is at your own risk. It is
**             designed to combat a particular vulnerability, and may
**             not combat other vulnerabilities, either past or future.
**             The decision to use this program is yours, as are the
**             consequences of its use.
**
**             This program is designed to be an interim relief measure
**             until appropriate patches can be obtained from your vendor.
**
** Installation instructions
** =========================
**
** 1. su to root.
**
** 2. Determine the location of sendmail. On SunOS and Ultrix
**    systems, it is located in the /usr/lib directory. On BSDI
**    systems, it is located in the /usr/sbin directory. For example
**    purposes only, /usr/lib will be used in the following instructions
**    steps.
**
** 3. Copy the sendmail program to sendmail.real. Change the permissions
**    on the copy of sendmail.
**
**      # cd /usr/lib
**      # cp sendmail sendmail.real
**      # chmod 0700 sendmail.real
**
**    However, if the /usr file system is NFS-mounted by diskless or
**    dataless NFS clients, you must allow non-root execution:
**
**      # chmod 0711 sendmail.real
**
** 4. Determine the permissions, owner, and group of sendmail. This
**    information will be used later.
**
**    For BSD users:
**      # ls -lg sendmail
**    For System V users:
**      # ls -l sendmail
**
** 5. Edit this wrapper program and define REAL_SENDMAIL. By default,
**    REAL_SENDMAIL is defined as "/usr/lib/sendmail.real".
**
** 6. Compile this program in a directory other than /usr/lib. For
**    example to use /tmp, first copy this file into /tmp.
**
**      # cd /tmp
**      # cc -O -o sendmail sendmail_wrapper.c
**
** 7. Kill the sendmail daemon.
**
**    For SunOS and Ultrix:
**      # kill -9 `head -1 /etc/sendmail.pid`
**      # /usr/lib/sendmail -bd -q1h
**
**    For BSDI:
**      # kill -9 `head -1 /var/run/sendmail.pid`
**      # /usr/sbin/sendmail -bd -q1h
**
** 8. Kill all running sendmail processes.
**
**    Follow your vendor's guidelines or use the following commands.
**
**    For BSD based systems:
**      # ps -auxw | grep sendmail | grep -v grep
**      # kill -9 (process id numbers)
**
**    For System V based systems:
**      # ps -ef | grep sendmail | grep -v grep
**      # kill -9 (process id numbers)
**
** 9. Copy this new wrapper program into the directory containing sendmail.
**    Make sure this directory and its parent directories are protected so
**    only root is able to make changes to files in the directory. This
**    will replace the existing sendmail. The following steps should be
**    executed quickly.
**
**    Users will not be able to send e-mail during the time when the
**    wrapper is copied into place until the chmod command has been
**    executed. Use the information from step #4 and set the permissions,
**    owner, and group of the new sendmail. For example:
**
**      # cp sendmail /usr/lib/sendmail
**      # cd /usr/lib
**      # chown root sendmail
**      # chgrp wheel sendmail
**      # chmod 4511 sendmail
**
** 10. Restart the sendmail daemon.
**
**     Follow your vendor's guidelines or use the following command.
**
**      # /usr/lib/sendmail -bd -q1h
**
** 11. Test that mail still works.
**
*/

static char Version[] = "sendmail_wrapper V1.6 22-Sep-1995";

#include <stdio.h>
#include <string.h>     /* strncmp, strlen, strspn */
#include <stdlib.h>     /* exit */
#include <unistd.h>     /* execve, getuid */

#ifdef sun
#include <syslog.h>
/* Characters permitted in a sender address given with -f or -r */
static char ok_chars[] = "1234567890!@%-_=+:,./"
                         "abcdefghijklmnopqrstuvwxyz"
                         "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
#endif

/*
** REAL_SENDMAIL needs to be defined using the full pathname
** of the real sendmail. A few known locations have been defined.
*/
#ifdef sun
#define REAL_SENDMAIL "/usr/lib/sendmail.real"
#endif
#ifdef ultrix
#define REAL_SENDMAIL "/usr/lib/sendmail.real"
#endif
#if defined (__bsdi__) || defined(__386BSD__) || defined(__FreeBSD__) || defined(__NetBSD__)
#define REAL_SENDMAIL "/usr/sbin/sendmail.real"
#endif

int
main( int argc, char *argv[], char *envp[])
{
    char *cp;
    int i;
    int j;
    int status;

    /*
    ** Ensure that there are no newlines in the arguments
    */
    for ( i = 1; i < argc; i++) {
#ifdef sun
        /*
        ** On SunOS, the -f/-r sender address must consist only of
        ** ok_chars; anything else is logged and refused.
        */
        if ( ( strncmp( argv[ i], "-f", 2) == 0) ||
             ( strncmp( argv[ i], "-r", 2) == 0)) {
            if ( strlen( argv[ i]) > 2) {
                cp = argv[ i] + 2;
            } else {
                if ( ( i + 1) >= argc) {
                    break;
                }
                cp = argv[ i + 1];
            }
            if ( strspn( cp, ok_chars) < strlen( cp)) {
                syslog( LOG_MAIL | LOG_ERR,
                        "Possible SunOS sendmail attack specifying '-%c %.20s' by uid %d\n",
                        argv[ i][ 1], cp, getuid());
                exit( 1);
            }
        }
#endif
        for ( cp = argv[ i]; *cp != '\0'; cp++) {
            if ( ( *cp == '\r') || ( *cp == '\n')) {
                *cp = ' ';
            }
        }
    }

    /*
    ** While we are at it, let's clean up the environment
    ** Remove LD_*, IFS, and PATH environment variables before execing
    */
    i = 0;
    while( envp[ i] != NULL) {
        if ( strncmp( envp[ i], "LD_", 3) == 0) {
            j = i;
            while ( envp[ j] != NULL) {
                envp[ j] = envp[ j + 1];
                j++;
            }
            continue;
        }
        if ( strncmp( envp[ i], "IFS=", 4) == 0) {
            j = i;
            while ( envp[ j] != NULL) {
                envp[ j] = envp[ j + 1];
                j++;
            }
            continue;
        }
        if ( strncmp( envp[ i], "PATH=", 5) == 0) {
            j = i;
            while ( envp[ j] != NULL) {
                envp[ j] = envp[ j + 1];
                j++;
            }
            continue;
        }

        /*
        ** Now check for newlines in environment variables
        */
        for ( cp = envp[ i]; *cp != '\0'; cp++) {
            if ( ( *cp == '\r') || ( *cp == '\n')) {
                *cp = ' ';
            }
        }

        /*
        ** next environment variable
        */
        i++;
    }

    /*
    ** exec the real sendmail now
    */
    status = execve( REAL_SENDMAIL, argv, envp);
    perror( "execve sendmail");
    return( status);
}
-------------------------------- end ---------------------------------

--
C Matthew Curtin
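The two checks the wrapper above performs, an allowlist on the sender address passed with -f/-r and removal of LD_*, IFS and PATH plus any CR/LF from the environment before the privileged exec, factored into functions that can be tested on a constructed environment. This is an added example, not the AUSCERT wrapper or Matt's code; the function names, the sample environment entries and the demo_scrub harness are assumptions made for illustration, and only the ok_chars allowlist is taken from the wrapper.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist for a sender address handed to the MTA with -f/-r, copied from
 * the AUSCERT wrapper; any other byte (shell metacharacters, whitespace,
 * control characters) causes rejection. */
static const char ok_chars[] =
    "1234567890!@%-_=+:,./"
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* 1 if every byte of s is in ok_chars (the wrapper's strspn test), else 0. */
int arg_is_safe(const char *s)
{
    return strspn(s, ok_chars) == strlen(s);
}

/* Replace CR/LF in place with spaces so one argument or environment entry
 * cannot smuggle in a second line. Returns the number of bytes changed. */
int neutralize_newlines(char *s)
{
    int changed = 0;
    for (; *s != '\0'; s++) {
        if (*s == '\r' || *s == '\n') {
            *s = ' ';
            changed++;
        }
    }
    return changed;
}

/* Entries that steer the dynamic loader (LD_*) or a shell spawned by the
 * child (IFS word splitting, PATH lookup) must not reach a set-uid program. */
static int env_is_dangerous(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0 ||
           strncmp(entry, "IFS=", 4) == 0 ||
           strncmp(entry, "PATH=", 5) == 0;
}

/* Compact a NULL-terminated environment array in place: drop dangerous
 * entries, neutralize newlines in the survivors. Returns entries dropped. */
int scrub_env(char **envp)
{
    int in, out = 0, dropped = 0;
    for (in = 0; envp[in] != NULL; in++) {
        if (env_is_dangerous(envp[in])) {
            dropped++;
            continue;
        }
        neutralize_newlines(envp[in]);
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return dropped;
}

/* Constructed sample environment (hypothetical, not from any real host):
 * scrub it and return the number of entries dropped, or -1 if the survivors
 * are not exactly what the rules predict. */
int demo_scrub(void)
{
    char e1[] = "PATH=/tmp:/usr/bin";
    char e2[] = "HOME=/var/spool/mqueue";
    char e3[] = "LD_PRELOAD=/tmp/hook.so";
    char e4[] = "IFS= \t\n";
    char e5[] = "TZ=UTC\nMAILER=bogus";
    char *env[] = { e1, e2, e3, e4, e5, NULL };

    int dropped = scrub_env(env);
    if (env[0] != e2 || env[1] != e5 || env[2] != NULL)
        return -1;
    if (strcmp(e5, "TZ=UTC MAILER=bogus") != 0)
        return -1;
    return dropped;
}

int main(void)
{
    printf("entries dropped: %d\n", demo_scrub());
    printf("\"user@example.com\" safe: %d\n", arg_is_safe("user@example.com"));
    printf("\"user@example.com; extra\" safe: %d\n",
           arg_is_safe("user@example.com; extra"));
    return 0;
}
```

Compacting through a separate write index keeps the array valid for execve and avoids the wrapper's shift-down-and-rescan loop, which re-reads the same slot after every removal; the allowlist is deliberately positive (what is permitted) rather than a denylist of shell characters, so a byte the author never thought about is rejected by default.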
From firewalls-owner Mon Sep 9 20:14:17 1996
Date: Mon, 9 Sep 1996 22:56:31 -0400
Message-Id: <199609100256.WAA04359@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Shmulik Suhami
Cc: firewalls@GreatCircle.COM, shlomo@mail.finjan.com
Subject: Re: Java Firewall
In-Reply-To: <323410FB.344E@finjan.com>
Reply-To: cmcurtin@research.megasoft.com

>>>>> "Shmulik" == Shmulik Suhami writes:

Shmulik> Does anyone know of a Java enabled firewall? Is there a need
Shmulik> for such a feature? Are there any products available? --

What problem are you trying to solve that requires a "Java enabled" firewall? What exactly is a "Java enabled" firewall?

On the issue of Java on firewalls, or Java in secure environments... Java is very new stuff. It's been brewing (pun intended :-) in the labs a long time, but it's still new. Security model has to be scrutinized, and we (security geeks) need to bang on the implementation to see how well it enforces the model.
Generally speaking, it's a bad idea to use any New Stuff where security is a big concern. The reason is practical: without knowing what bugs are there, it's difficult to assess what sorts of risks you're exposing yourself to.

Now, if you're talking about firewall-type *applications* that are written in Java, you're dealing with another religious issue altogether: Should any compilers or interpreters live on your bastion host?

There isn't anything less secure about using an application that's written in Java vs. one written in C. In fact, given that the likelihood of errors in memory allocation, use of pointers, etc., is between nil and very small, just the opposite might be argued. But Java is *very* slow by comparison to C. And you need to have a bytecode interpreter on your bastion host, or a Java development environment that lets you generate machine-native object code.

In any case, what is it that you're trying to gain with this?

--
C Matthew Curtin
From firewalls-owner Mon Sep 9 21:20:28 1996
Date: Tue, 10 Sep 1996 04:09:02 GMT
From: harker@harker.com (Robert Harker)
Message-Id: <199609100409.EAA10727@harker.harker.com>
To: firewalls@GreatCircle.com, rruda@osti.com
Subject: Re: Modem hacking
Cc: dean@cua.santa-clara.ca.us

Many people will point out the problems with dial-in modems. This is sort of a different tack; block dial-in access at the PBX switch.

To look at modems in a different way, my experience is that the main reasons that people want modems on their personal hosts is for one of three reasons:

Dial out connectivity
Receiving FAXes
Dial in access from home or the road

FAXes: either use a fax machine (more reliable) or use a dedicated PC that is under your control

Dial-in connectivity: Do you trust your users to set this up securely? (you know my answer) Again dedicated hosts or modem terminal server that are under your control.

For both of these cases, I feel that personal modems are a bad idea and should be prohibited by management as part of a reasonable security policy.
In the case of people wanting to have modems to dial-out only, ask your telecom department if your switch can support phones that are valid ports, but do not have a valid extension. This means that they can not be dialed into. Telecom people I have talked to have always been excited about this feature because it allows them to add a modem without using one of their extension numbers.

The benefit is that this works on multiple levels:

Someone who wants to use their modem for "dial-out only" access is allowed to.

It makes modem policy in a good security policy more acceptable: Yes you can have dial-out only modems and here is a way we enforce it. If you need dial-in access, then we have very specific security requirements before we allow it.

Finally, your telecom department uses a war dialer to keep people honest and check that the policy is being followed.

Dial-out only phone lines, a great idea.

Hope this helps
RLH

> For info about our "Managing Internet Mail, Setting Up and Trouble <
> Shooting sendmail and DNS" and a schedule of dates and locations, <
> please send email to info@harker.com, or visit www.harker.com <
Robert Harker Harker Systems Sendmail and TCP/IP Network Training
1180 Hester Ave Network and Sysadmin Consulting
San Jose, CA 95126 harker@harker.com 408-295-9432

From firewalls-owner Mon Sep 9 22:59:25 1996
Message-Id: <199609100543.WAA05699@m4.sprynet.com>
From: "Jesse"
To: firewalls@GreatCircle.com
Date: Thu, 9 Jan 1986 23:44:24 +0000
Subject: Deny all But?

Hello Everyone,

Just got a small question. In FreeBSD (Based on 4.4BSD), is it possible to DENY all ip calls, and then either earlier or later in the list ALLOW certain other calls? Would it let the ones allowed through, or would I have to block all of them?

Thanks,
Jesse Brown

From firewalls-owner Tue Sep 10 02:33:26 1996
Message-ID: <32352977.757D@isk.co.kr>
Date: Tue, 10 Sep 1996 17:40:23 +0900
From: Kwanho Shin
Organization: Internet Security Korea, Inc.
To: firewalls@GreatCircle.COM
Subject: Authentication on F/W-1

Hello. I'm Kwanho Shin.

I have a question about Checkpoint F/W-1. F/W-1 provides two ways of authentication. One is user authentication, the other is client authentication. I want to know how much difference there is between this and that. Let me have the information, please.

Regards...
--
Kwanho Shin (HL1MLV) Mailto: skh@isk.co.kr
Internet Security Korea Co., Ltd.
Tel:(02)786-3555 Fax:(02)786-3554

From firewalls-owner Tue Sep 10 03:32:24 1996
Message-ID: <3235BA31.7800@nea.fr>
Date: Tue, 10 Sep 1996 11:57:53 -0700
From: de Cuzey
Organization: OECD NEA
To: firewalls@GreatCircle.Com
Subject: DEC Print Server proxy

I have several Workstations with Digital Unix v3.2 behind a DEC firewall hosted on a DU 3.2 workstation as well. I would like the workstations to print through the firewall on a Print Server on the non-protected network.

I tried to set up a proxy from the generic relay program available, but this doesn't work because the PrintServer protocol doesn't work with a given port number, but rather uses port 170 for connection, and then negotiates another port with the printer for actual data transfer.

Does anyone know of (or has developed ?!) a dedicated relay program for DEC PrintServer protocol ???

Thanks
--
=========================================================
O.E.C.D. Nuclear Energy Agency
P. de Cuzey phid@nea.fr
=========================================================

From firewalls-owner Tue Sep 10 04:29:11 1996
Date: Tue, 10 Sep 1996 06:58:52 -0400
From: "JEFFREY P. BALLACHINO"
To: firewalls@GreatCircle.COM
Subject: Firewall-1 and bootp

I have a Synoptics 3000 hub on a protected network. I would like to allow this hub to load its image from a bootp server on our "public" network. I have configured a rule on the firewall (a SPARC 5 running Firewall-1 v2) to allow bootp and tftp between this hub and the bootp server. My problem is that bootp is always blocked by rule 0, which may mean some setting in my properties is incorrect. However, in my log, the source of the bootp request is always blank. A snoop determined the request has a source address of 0.0.0.0. I suspect FW-1 does not recognize this as a valid address. The destination is broadcast 255.255.255.255 and is recognized by FW-1. Does anyone have any thoughts on this?

thanks,
jeff ballachino

From firewalls-owner Tue Sep 10 05:44:14 1996
Message-ID: <32355678.14A2@taunet.net.au>
Date: Tue, 10 Sep 1996 21:22:24 +0930
From: Matt Hoving
To: firewalls@greatcircle.com
Subject: Removal from Mail List and Digest List

I have tried to remove myself from the lists automatically but it hasn't done the trick. Could you please remove my email address from the digest and standard mailing list.
Matt Hoving
hoving@taunet.net.au
mapmark@taunet.net.au

From firewalls-owner Tue Sep 10 05:45:53 1996
From: rusty.merrell@smtpgate.crestar.com
Date: 10 Sep 96 07:49:00 EDT
To: firewalls@greatcircle.com
Subject: SUN & #/proc
Reply-To: rusty.merrell@smtpgate.crestar.com

I have just installed a Firewall & Proxy Server. I am new to the SUN OS. The /proc directory has several files. Looks like they're linked to processes, but when I try to match the ID with a current PID I don't get anything and I can't remove them. These files are very large, 2meg and above. My question is: what do these files do?

Thanks,
Rusty N. Merrell
rusty.merrell@crestar.com

From firewalls-owner Tue Sep 10 06:18:31 1996
Date: 10 Sep 1996 07:56:07 GMT
From: "RSLA002"
Subject: FW-1 message??
To: firewalls@greatcircle.com

Hello All,

I am in the process of evaluating FW-1 2.0 running on Solaris 2.5. Yesterday, an alert popped up on the screen "Status firewall switching from old state 'installed' to new state 'disconnected'" but it kept functioning. I also noticed in the Service window the icon of a brickwall and pc changed to two telephone poles connected with wires with a large x across it. Two other configuration notes which may have some influence: I have 3 interfaces (having troubles with the 3rd one, but that's a whole different question) and am using the hide address feature of Address Translation.

I am really puzzled: a) what does this mean, b) what caused it, c) is it something I should worry about (I will until I know a&b), and d) how do I prevent it from happening assuming it's bad????

adTHANKSvance,
Dennis Evans
Illinois Dept of Revenue
217-785-6732

ps I tried all day to contact the VAR who sent me the stuff and am running out of time, oh yea, I found calling Checkpoint itself to be less than fruitful. If anyone knows of a good reseller (that can SUPPORT FW-1) in the midwest please let me know, via my email or phone, please don't bother the rest of the list with this portion.
From firewalls-owner Tue Sep 10 06:40:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA12973 for firewalls-outgoing; Tue, 10 Sep 1996 06:13:24 -0700 (PDT) Received: from 17af.sembach.af.mil ([131.54.127.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA12888 for ; Tue, 10 Sep 1996 06:12:46 -0700 (PDT) Received: by 17af.sembach.af.mil with Microsoft Exchange (IMC 4.0.838.14) id <01BB9F2A.A615CCF0@17af.sembach.af.mil>; Tue, 10 Sep 1996 15:13:40 +0200 Message-ID: From: Powers William SSgt 886CS/SCSNB To: "'firewalls@greatcircle.com'" Subject: NT & X.400 firewall Date: Tue, 10 Sep 1996 15:13:39 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am trying to find out if anyone has found a firewall product that will run on an NT 3.51 box that will allow X.400 as well as SMTP Mail through. Bill Sends................ william.powers@sembach.af.mil From firewalls-owner Tue Sep 10 07:00:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA16584 for firewalls-outgoing; Tue, 10 Sep 1996 06:44:53 -0700 (PDT) Received: from wichita.fn.net (wichita.fn.net [204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA16562 for ; Tue, 10 Sep 1996 06:44:37 -0700 (PDT) Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.4/8.6.9) id IAA07569; Tue, 10 Sep 1996 08:42:19 -0500 (CDT) Date: Tue, 10 Sep 1996 08:42:18 -0500 (CDT) From: "Bruce M." X-Sender: bkmarsh@wichita.fn.net To: firewalls@greatcircle.com Subject: Re: Modem hacking In-Reply-To: <199609100409.EAA10727@harker.harker.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 10 Sep 1996, Robert Harker wrote: > Many people will point out the problems with dial-in modems. 
> This is sort of a different tack; block dial-in access at the PBX switch. > For both of these cases, I feel that personal modems are a bad idea and > should be prohibited by management as part of a reasonable security policy. This is the easiest, and probably most effective, policy to enact. Just tell the employees that it is intolerable to hook up a modem without authorization just like it would be intolerable to use company money for personal purchases without authorization. > In the case of people wanting to have modems to dial-out only, ask your > telecom department if your switch can support phones that are valid > ports, but do not have a valid extension. This means that they cannot > be dialed into. Telecom people I have talked to have always been > excited about this feature because it allows them to add a modem > without using one of their extension numbers. This is possible with a Nortel Meridian X11 switch by using non-DID extension numbers. They can grab an outside line, but can't be dialed into externally. ________________________________ [ Bruce M. - Feist Systems, Inc. ] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ "Official estimates show that more than 120 countries have or are developing [information warfare] capabilities." -GAO/AIMD-96-84 So, what is your excuse now? 
From firewalls-owner Tue Sep 10 07:14:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19210 for firewalls-outgoing; Tue, 10 Sep 1996 07:05:02 -0700 (PDT) Received: from mail.sdsu.edu (mail.sdsu.edu [130.191.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA19199 for ; Tue, 10 Sep 1996 07:04:50 -0700 (PDT) Received: from gammara.sdsu.edu (gammara.sdsu.edu [130.191.5.195]) by mail.sdsu.edu (8.7.5/8.7.3/1.5) with SMTP id HAA23233 for ; Tue, 10 Sep 1996 07:04:45 -0700 (PDT) Message-Id: <3.0b15.32.19960910070445.0074f47c@mail.sdsu.edu> X-Sender: mmccurdy@mail.sdsu.edu X-Mailer: Windows Eudora Pro Version 3.0b15 (32) Date: Tue, 10 Sep 1996 07:04:46 -0700 To: firewalls@GreatCircle.COM From: Mike McCurdy Subject: Removal from Mail List and Digest List Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >I have tried to remove myself from the lists automatically but it hasn't >done the trick. Could you please remove my email address from the digest >and standard mailing list. 
Ditto for me: mmccurdy@mail.sdsu.edu and/or mccurdy@ucsvax.sdsu.edu thank you Mike McCurdy Oracle Database/AIX Systems Administration University Computer Operations San Diego State University mmccurdy@mail.sdsu.edu From firewalls-owner Tue Sep 10 07:44:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA22396 for firewalls-outgoing; Tue, 10 Sep 1996 07:38:15 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA22365 for ; Tue, 10 Sep 1996 07:38:00 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id HAA02567; Tue, 10 Sep 1996 07:37:10 -0700 Received: from mailbox.syr.edu(128.230.1.5) by mycroft via smap (V1.3mjr) id sma002565; Tue Sep 10 07:36:41 1996 Received: from forbin.syr.edu (xwang02@forbin.syr.edu [128.230.1.9]) by mailbox.syr.edu (8.7.5/8.7.3) with ESMTP id KAA16347 for ; Tue, 10 Sep 1996 10:34:03 -0400 (EDT) Received: from localhost (xwang02@localhost) by forbin.syr.edu (8.7.5/8.7.3) with SMTP id KAA11843 for ; Tue, 10 Sep 1996 10:33:33 -0400 (EDT) X-Authentication-Warning: forbin.syr.edu: xwang02 owned process doing -bs Date: Tue, 10 Sep 1996 10:33:30 -0400 (EDT) From: Xu-Ming Wang X-Sender: xwang02@forbin.syr.edu Reply-To: Xu-Ming Wang To: firewalls@GreatCircle.COM Subject: Re: Removal from Mail List and Digest List In-Reply-To: <32355678.14A2@taunet.net.au> Message-ID: Institution: Syracuse University MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would appreciate it if someone could do this for me too. 
XuMing xwang02@mailbox.syr.edu xwang02@syr.edu From firewalls-owner Tue Sep 10 08:03:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23594 for firewalls-outgoing; Tue, 10 Sep 1996 07:46:58 -0700 (PDT) Received: from linux.ctyme.com ([204.71.97.109]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA23539 for ; Tue, 10 Sep 1996 07:46:39 -0700 (PDT) Received: from localhost (joey@localhost) by linux.ctyme.com (8.6.12/8.6.9) with SMTP id JAA12460 for ; Tue, 10 Sep 1996 09:51:32 -0500 Date: Tue, 10 Sep 1996 09:51:31 -0500 (CDT) From: Just Dew it! To: firewalls@greatcircle.com Subject: Internet access Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Currently we have available an internet connection from our corporate office that is linked to the internet via a TIS FWTK. We are connected through a frame relay connection to corporate and maintain our own DMZ between our network and corporate. We are using the proxy services of the FWTK for Telnet, WWW, and ftp. What we would like to implement at our site is a way to maintain accountability of internet access by our users. This needs to be accomplished by a userid approach to accessing the proxy services of the corporate firewall. We could request that corporate either send logs, or copy their syslog daemon to a machine on our network, but this would only give us IP address accountability. I want to be able to have the users "login" first before they can access the proxy server at corporate. What products and methodologies are available to accomplish this? 
From firewalls-owner Tue Sep 10 08:36:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27611 for firewalls-outgoing; Tue, 10 Sep 1996 08:14:54 -0700 (PDT) Received: from ctrvx1.Vanderbilt.Edu (ctrvx1.Vanderbilt.Edu [129.59.1.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA27436 for ; Tue, 10 Sep 1996 08:13:44 -0700 (PDT) Received: from cornelius.cc.vanderbilt.edu by ctrvax.Vanderbilt.Edu (PMDF V5.0-7 #11488) id <01I9B5QOI0LC8XLK8O@ctrvax.Vanderbilt.Edu> for firewalls@GreatCircle.COM; Tue, 10 Sep 1996 09:58:20 -0500 (CDT) Received: by cornelius.cc.vanderbilt.edu (SMI-8.6/SMI-SVR4) id JAA21187; Tue, 10 Sep 1996 09:58:27 -0500 Date: Tue, 10 Sep 1996 09:58:26 -0500 (CDT) From: Alex Tsiantos Subject: Re: Removal from Mail List and Digest List In-reply-to: <3.0b15.32.19960910070445.0074f47c@mail.sdsu.edu> To: firewalls@GreatCircle.COM Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 10 Sep 1996, Mike McCurdy wrote: Same problem here... > >I have tried to remove myself from the lists automatically but it hasn't > >done the trick. Could you please remove my email address from the digest > >and standard mailing list. 
> > > Ditto for me: > > mmccurdy@mail.sdsu.edu and/or mccurdy@ucsvax.sdsu.edu > > thank you > > Mike McCurdy > Oracle Database/AIX Systems Administration > University Computer Operations > San Diego State University mmccurdy@mail.sdsu.edu > > Alex Tsiantos ------------- Email : alex.tsiantos@mcmail.vanderbilt.edu Web Page : http://cornelius.cc.vanderbilt.edu/Users/tsianta Phone : (615) 353-9655 (Home) (615) 936-3267 (Work) From firewalls-owner Tue Sep 10 09:04:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26596 for firewalls-outgoing; Tue, 10 Sep 1996 08:07:44 -0700 (PDT) Received: from citadel.evolving.com (citadel.evolving.com [198.202.204.162]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA26574 for ; Tue, 10 Sep 1996 08:07:23 -0700 (PDT) Received: from valiant.evolving.com (valiant.evolving.com [198.202.204.66]) by citadel.evolving.com (8.6.12/8.6.9) with ESMTP id JAA25654; Tue, 10 Sep 1996 09:07:15 -0600 Received: from thepound.evolving.com (thepound.evolving.com [192.124.159.19]) by valiant.evolving.com (8.6.12/8.6.9) with ESMTP id JAA29308; Tue, 10 Sep 1996 09:07:14 -0600 Received: (from rtruitt@localhost) by thepound.evolving.com (8.6.12/8.6.12) id JAA02690; Tue, 10 Sep 1996 09:06:49 -0600 Date: Tue, 10 Sep 1996 09:06:49 -0600 From: Todd Truitt Message-Id: <199609101506.JAA02690@thepound.evolving.com> To: firewalls@GreatCircle.COM, rusty.merrell@smtpgate.crestar.com Subject: Re: SUN & #/proc Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-MD5: aGZ9Hsd17Jdo8z72PcaE2w== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I have just installed a Firewall & Proxy Server. I am new to the SUN OS. > The /proc directory has several files. Looks like they're linked to processes, > but when I try to match the ID with a current PID I don't get anything and > I can't remove them. 
These files are very large 2meg and above. My question > is: what do these files do? > The /proc filesystem provides access to each process running on the system. The size is not disk usage, but rather memory usage (someone feel free to correct me). There are a number of tools provided with the OS to manipulate these processes through the decimal number equiv. of the process IDs. Don't delete these files. ;-) Cheers, --Todd PS - see proc(4) _____________________________________________________________________________ R. Todd Truitt Todd.Truitt@evolving.com Evolving Systems, Inc. From firewalls-owner Tue Sep 10 09:14:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26758 for firewalls-outgoing; Tue, 10 Sep 1996 08:09:23 -0700 (PDT) Received: from rmikesel.ogden.disa.mil (rmikesel.hill.af.mil [137.241.3.81]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA26733 for ; Tue, 10 Sep 1996 08:09:01 -0700 (PDT) Received: from rmikesel.ogden.disa.mil (rmikesel.ogden.disa.mil [137.241.3.81]) by rmikesel.ogden.disa.mil (8.6.12/8.6.9) with SMTP id JAA06783 for ; Tue, 10 Sep 1996 09:09:21 -0600 Date: Tue, 10 Sep 1996 09:09:21 -0600 (MDT) From: Randy Mikesell Reply-To: Randy Mikesell Subject: Re: su - userid To: firewalls@GreatCircle.COM In-Reply-To: <9609091731.AA09668@slopok.roses.rockwell.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > > Not knowing much about NIS+, I would not know how to disable su'ing > in that environment (assuming there is a way to, of which I don't > know). But as a person who works at a site with many unix workstations > on user's desks I have to ask one question: Why are users given root > access at all? They certainly should not need it unless they are > working as a sysadm. And if that is the case, then you should > reconsider using NIS+ and keep to separate passwd files. 
As long as > you have "trusted" unix machines in your network for which untrusted people > have the root password, you will not have a "secure network". I would > recommend all the unix boxes to have the same root password and ONLY > the real sysadms have access to it. I would have to disagree about having the same root password on all the unix boxes. If someone managed to get access to one system, all of them would be in jeopardy. I know it's a nightmare trying to keep track of several passwords, but I sleep better knowing that I have delayed an intruder for another five minutes. > > > Hi, > > > > I know that this is not the right place, but thought that there must be > > a lot of capable people who can answer this. > > > > Our system administrator is not capable of distinguishing the fact of > > how to stop people from using someone else's id. > > We are running NIS+. > > > > The process: > > > > su - root (On any client machine, of which you have the password.) > > > > Now > > su - userid (You get logged in as the 'userid' specified). > > > > > > Is there a way to stop this (Other than going to AFS, etc...). > > > > Thanks in advance. 
> > > > > > > > > > > -- > Mark Crother crotherm@roses.rockwell.com > Rockwell's Operational Software Engineering System (ROSES) > Space Systems Division (SSD) From firewalls-owner Tue Sep 10 09:30:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28330 for firewalls-outgoing; Tue, 10 Sep 1996 08:21:59 -0700 (PDT) Received: from LIVEDGAR.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA28299 for ; Tue, 10 Sep 1996 08:21:36 -0700 (PDT) Received: from LIVEDGAR.gsionline.com by LIVEDGAR.gsionline.com (NTMail 3.02.09) with ESMTP id ra026693 for ; Tue, 10 Sep 1996 11:20:49 -0400 X-Sender: nbk#204.254.209.2@192.168.0.22 X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Richard Ruda From: nkeenan@gsionline.com (Nick Keenan) Subject: Re: Modem hacking Cc: firewalls@greatcircle.com Date: Tue, 10 Sep 1996 11:20:49 -0400 Message-Id: <15204964000630@gsionline.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I want to step in here as someone who comes from the PC world, as it seems that most of the people on this list come from a unix background, and a question like this shows up the paradigm difference between the two environments. The key thing to remember about PC's is that traditionally the OS did not provide any communications services at all, or even manage the com ports for that matter. (This has changed slightly with Windows 95 and Windows NT). With a PC, you can't really say "The modem is set to answer at all times". The operating system doesn't control the modem -- application software does, and on a PC, that means the user has to start a program. So the danger is not in having modems installed -- without the proper application software, the modem is not going to do anything. What you have to be concerned about is what kinds of software people are using. 
The story really revolves around whether you are running DOS (or Windows 3.1) or one of the newer PC operating systems (95 or NT). Under DOS / Windows 3.1, networking was not part of the operating system, and it was VERY HARD to get computers to communicate with each other. I have never seen a setup that allows you to dial into a DOS computer and route traffic onto a network, and I strongly believe that it is not possible. And certainly no one would do that on a computer where they also want to get work done. The only real danger is remote control programs -- programs like PCAnywhere, Carbon Copy, etc. that allow a remote user to take over the PC and do everything that a local user of that PC could do. And that means everything -- if you want to, you can reboot, repartition the hard disk, or cruise the LAN. If people insist on using these programs, the remote control programs all come with security now -- the simplest and most effective measure is to force callbacks. Windows NT and Windows 95 have dramatically changed this picture, for two reasons. One is that network support is now part of the operating system. Two is that modem/serial port support is also part of the operating system, and the modem is treated like a special kind of network adapter. This is great if your job is getting computers to talk to each other -- it's a snap. It's not so great if your job is securing the network. If Dial Up Networking or Remote Access Service is enabled on a computer, it's essentially creating a network card on your network that is available to anyone with a modem and their own copy of DUN or RAS. I have heard apparently true stories along the following lines: User uses DUN to connect to the Internet through an ISP. After a while, he notices that the hard drive is awfully busy, even though he's doing nothing. He checks the server manager, and it says that two people are logged in! Very believable, if you've used Win95. 
And here's the catch -- the security risk exists even if you disallow incoming calls. Another common scenario: Employee has internet access on the LAN at work. Figures if he puts a modem in his work computer, he can dial into it and get free internet access at home. With Win95 or NT this works and is easy. The problem is that it doesn't just give access to the internet -- it gives access to the LAN. A final note. A lot of people will try to sell you a modem pool as a solution to all of your problems. On paper, they look great -- leverage your existing hardware, centralize communications and security, save on line charges, etc. The only problem is they don't really work, so users won't want to use them. I have never used a modem pool that was worth a bucket of warm spit, and I've used a lot (modem pools, not buckets of spit). In terms of security, would a modem pool protect you from the situation described two paragraphs up? No. A modem pool is tolerable for infrequent and casual use, but anyone who uses online services regularly or needs maximum reliability should have his own modem and his own phone line. HTH >Can someone list the dangers of having modems installed in host PCs. These modems would have direct outside telephone connections. >These few PCs are part of a large firewalled network but firewall would not protect hacking via these modems/PC's. >What potential dangers are there to the network when: >- Modem is set to listen for incoming calls at all times. >- Modem is not set to listen for incoming calls but is host activated/used for specific outside comms (for example for sending faxes or specific dial-in to remote systems). Is there a danger whilst the modem is in use and whilst idle? >What else to look out for? 
> >Thanks, >Richard R > > From firewalls-owner Tue Sep 10 10:01:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA01305 for firewalls-outgoing; Tue, 10 Sep 1996 08:45:07 -0700 (PDT) Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA01202 for ; Tue, 10 Sep 1996 08:44:40 -0700 (PDT) From: rusty.merrell@smtpgate.crestar.com Received: from uucp1.UU.NET by relay5.UU.NET with SMTP (peer crosschecked as: uucp1.UU.NET [192.48.96.32]) id QQbgos07735; Tue, 10 Sep 1996 11:44:28 -0400 (EDT) Received: from crestar1.UUCP by uucp1.UU.NET with UUCP/RMAIL ; Tue, 10 Sep 1996 11:44:28 -0400 Received: from smtpgate.crestar.com by crestar1.crestar.com ; 10 SEP 96 11:33:14 EDT X-Nvlenv-01Date-Posted: 10-Sep-1996 11:34:11 -0400; at SCCOPCA1.Crestar Date: 10 Sep 96 11:30:00 EDT To: firewalls@GreatCircle.COM, Todd.Truitt@evolving.com (Todd Truitt) Subject: Re: SUN & #/proc Content-Type: text/plain Message-ID: <3FA8873001883A0C@-SMF-> In-Reply-To: <199609101506.JAA02690@thepound.evolving.com> Reply-To: rusty.merrell@smtpgate.crestar.com References: <199609101506.JAA02690@thepound.evolving.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thanks everyone. ------------- Original Text >From Todd.Truitt@evolving.com (Todd Truitt), on 9/10/96 9:06 AM: To: firewalls@GreatCircle.COM, Rusty N Merrell@Technology & Operations.Crestar > > I have just installed a Firewall & Proxy Server. I am new to the SUN OS. > The /proc directory has several files. Looks like they're linked to processes, > but when I try to match the ID with a current PID I don't get anything and > I can't remove them. These files are very large 2meg and above. My question > is: what do these files do? > The /proc filesystem provides access to each process running on the system. The size is not disk usage, but rather memory usage (someone feel free to correct me). 
There are a number of tools provided with the OS to manipulate these processes through the decimal number equiv. of the process IDs. Don't delete these files. ;-) Cheers, --Todd PS - see proc(4) _____________________________________________________________________________ R. Todd Truitt Todd.Truitt@evolving.com Evolving Systems, Inc. From firewalls-owner Tue Sep 10 10:21:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08211 for firewalls-outgoing; Tue, 10 Sep 1996 09:37:12 -0700 (PDT) Received: from dallas-cs-000.novare.net ([205.229.104.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA08202 for ; Tue, 10 Sep 1996 09:37:03 -0700 (PDT) Received: from muggles (mark@muggles.novare.net [205.229.105.72]) by dallas-cs-000.novare.net (8.7.5/8.6.9) with SMTP id LAA03124 for ; Tue, 10 Sep 1996 11:36:01 -0500 Message-ID: <32359C93.516CC243@novare.net> Date: Tue, 10 Sep 1996 11:51:31 -0500 From: mark Organization: novare international advanced weapons division X-Mailer: Mozilla 3.0 (X11; I; Linux 2.0.6 i586) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Modem hacking References: <199609100409.EAA10727@harker.harker.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Robert Harker wrote: > > Many people will point out the problems with dial-in modems. I used to work for a very large corporation and we would on occasion get "scans" on numerous extensions on the PBX seeking modems that were willing to answer. Our corporate policy was "no modems on unauthorized workstations", and rightly so. 
=m= From firewalls-owner Tue Sep 10 10:21:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA01567 for firewalls-outgoing; Tue, 10 Sep 1996 08:46:59 -0700 (PDT) Received: from mail2.panix.com (mail2.panix.com [198.7.0.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA01367 for ; Tue, 10 Sep 1996 08:45:26 -0700 (PDT) Received: from 166.84.217.46 (ef.dialup.access.net [166.84.217.46]) by mail2.panix.com (8.7.5/8.7.1/PanixM1.0) with SMTP id LAA29909; Tue, 10 Sep 1996 11:44:29 -0400 (EDT) Message-ID: <32357FDD.1EE6@panix.com> Date: Tue, 10 Sep 1996 10:49:01 -0400 From: Eric Fluger Reply-To: ef@panix.com X-Mailer: Mozilla 2.02 (Macintosh; I; 68K) MIME-Version: 1.0 To: debian-user@lists.debian.org CC: Firewalls@GreatCircle.COM Subject: Re: time to split the list? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Yes!! (In addition, a master containing all messages would probably be appreciated by the thorough, the obsessive and the idle.) ALSO: Making either the master or all subsets available as a digest would REALLY help! I'm getting the firewall list this way. It's very tidy. (Perhaps those maintaining it could offer some pointers.) - ef ==================== Richard G. Roberto wrote: > > On Thu, 5 Sep 1996, Bruce Perens wrote: > > > Some newbies tell me they find debian-user intimidating due to the high > > level of technical discussion that sometimes goes on there. Is it time > > to split the list? About 2 years ago I proposed a separate list just for > > people trying to install the system. At the time we did not have enough > > traffic for that. We probably do now. > > > > I would propose: > > > > debian-install > > debian-nontechnical > > debian-technical > > > > Now I just have to find our list administrator :-) . 
> > > > Bruce > > > > This sounds like a good idea, but I'd sure like to see one > of the lists a superset of the others if that's possible (a > la crossposting?) Also, there's a new section in linux > journal providing help with various distributions. Last > time I checked, Debian didn't have an entry. Perhaps we > should come up with a debian-support list? > > Thanks > > Richard G. Roberto > richr@bear.com > 201-739-2886 - whippany, nj > > -- > ******************************************************************************* > Bear Stearns is not responsible for any recommendation, solicitation, offer or > agreement or any information about any transaction, customer account or account > activity contained in this communication. > ******************************************************************************* From firewalls-owner Tue Sep 10 10:29:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA10347 for firewalls-outgoing; Tue, 10 Sep 1996 09:55:37 -0700 (PDT) Received: from mailbox.syr.edu (mailbox.syr.edu [128.230.1.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA10295 for ; Tue, 10 Sep 1996 09:55:20 -0700 (PDT) Received: from gamera.syr.edu (mdeb@gamera.syr.edu [128.230.1.14]) by mailbox.syr.edu (8.7.5/8.7.3) with ESMTP id MAA04646; Tue, 10 Sep 1996 12:54:55 -0400 (EDT) Received: from localhost (mdeb@localhost) by gamera.syr.edu (8.7.5/8.7.3) with SMTP id MAA03907; Tue, 10 Sep 1996 12:54:21 -0400 (EDT) X-Authentication-Warning: gamera.syr.edu: mdeb owned process doing -bs Date: Tue, 10 Sep 1996 12:54:19 -0400 (EDT) From: Mondira Deb X-Sender: mdeb@gamera.syr.edu To: Matt Hoving cc: firewalls@GreatCircle.COM Subject: Re: Removal from Mail List and Digest List In-Reply-To: <32355678.14A2@taunet.net.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I would also like my name removed ..I have tried a number of 
times ..but without success ..Somebody put my name on this mailing list and I can't seem to get it removed ..My mailbox gets flooded with mails as a result ..Please remove my address from the digest and standard mailing list .. Mdeb. On Tue, 10 Sep 1996, Matt Hoving wrote: > I have tried to remove myself from the lists automatically but it hasn't > done the trick. Could you please remove my email address from the digest > and standard mailing list. > > Matt Hoving > > hoving@taunet.net.au > mapmark@taunet.net.au > From firewalls-owner Tue Sep 10 10:49:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA13818 for firewalls-outgoing; Tue, 10 Sep 1996 10:28:40 -0700 (PDT) Received: from ns.ncsa.com (ns.ncsa.com [205.160.199.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA13791 for ; Tue, 10 Sep 1996 10:28:20 -0700 (PDT) Received: (from janos@localhost) by ns.ncsa.com (8.6.12/8.6.9) id NAA05956; Tue, 10 Sep 1996 13:32:01 -0400 Date: Tue, 10 Sep 1996 13:32:01 -0400 (EDT) From: Janos J Krezgy To: "Sacherich, Larry" cc: "'Firewalls-Digest-L'" , "'Enrique Vadillo'" Subject: Re: Firewall for NT (and NCSA Certifications) In-Reply-To: <199609051413.AA17477@gateway.ppg.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Sep 1996, Sacherich, Larry wrote: > After reviewing the NCSA firewall site, I was still confused as > to which platforms / operating systems were being approved. In > particular, are there any Windows NT firewall systems NCSA approved? > And the answer is NO. Even firewalls like the Raptor Eagle that is Greetings: Since the message was sent to Larry, we (NCSA) have certified Digital's AltaVista Firewall for NT (this should be soon reflected in the web information). I'm not telling any secrets in saying that a non-zero number of NT products are in the process of becoming certified. 
We acknowledge that a number of functional summaries blur the distinctions between platforms/implementations, and we are addressing the problem. Regards, - J From firewalls-owner Tue Sep 10 11:19:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14021 for firewalls-outgoing; Tue, 10 Sep 1996 10:30:47 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA13993 for ; Tue, 10 Sep 1996 10:30:23 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id MAA23083; Tue, 10 Sep 1996 12:30:13 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma011072; Tue Sep 10 10:35:54 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA03159; Tue, 10 Sep 1996 10:35:53 -0500 Received: by sonic.nmti.com; id AA29423; Tue, 10 Sep 1996 10:35:49 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9609101535.AA29423@sonic.nmti.com.nmti.com> Subject: Re: Modem hacking To: bkmarsh@feist.com (Bruce M.) Date: Tue, 10 Sep 1996 10:35:49 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Bruce M." at Sep 10, 96 08:42:18 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Just tell the employees that it is intolerable to hook up a modem without > authorization just like it would be intolerable to use company money for > personal purchases without authorization. And for the cases where they *do* have authorization? This doesn't solve the problem of supporting dial-out where there's a real business need. 
(we simply run digital-only lines to offices unless there's a business need for a second analog line)

From firewalls-owner Tue Sep 10 11:51:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08403 for firewalls-outgoing; Tue, 10 Sep 1996 09:38:47 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA08332 for ; Tue, 10 Sep 1996 09:38:20 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA07537; Tue, 10 Sep 1996 09:39:34 -0700
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA06289; Tue, 10 Sep 96 09:38:01 PDT
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA23216; Tue, 10 Sep 1996 09:37:56 -0700
Message-Id: <9609101637.AA23216@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 922CD0F41616F834882563A1005B264B; Tue, 10 Sep 96 09:37:55 EDT
To: firewalls
From: Ryan Russell/SYBASE
Date: 10 Sep 96 9:39:30 EDT
Subject: Re: Firewall-1 and bootp
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Getting a bootp image from a server on the untrusted side of the network may not be such a great idea, but be that as it may...

I haven't tried this, but I suspect it won't work... You'd almost have to have an interface on the sun configured as 0.0.0.0, which of course, won't work.

Do you have a router in the picture somewhere that you can configure IP helper on?

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: BALLAJP @ GWSMTP.NU.COM ("JEFFREY P. BALLACHINO") @ smtp
Date: 09/10/96 06:58:52 AM
Subject: Firewall-1 and bootp

I have a Synoptics 3000 hub on a protected network. I would like to allow this hub to load its image from a bootp server on our "public" network.
I have configured a rule on the firewall (a SPARC 5 running Firewall-1 v2) to allow bootp and tftp between this hub and the bootp server. My problem is that bootp is always blocked by rule 0, which may mean some setting in my properties is incorrect. However, in my log, the source of the bootp request is always blank. A snoop determined the request has a source address of 0.0.0.0. I suspect FW-1 does not recognize this as a valid address. The destination is broadcast 255.255.255.255 and is recognized by FW-1.

Does anyone have any thoughts on this?

thanks,
jeff ballachino

From firewalls-owner Tue Sep 10 12:00:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24950 for firewalls-outgoing; Tue, 10 Sep 1996 11:37:25 -0700 (PDT)
Received: from Homer (homer.starledger.com [204.255.141.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA24839 for ; Tue, 10 Sep 1996 11:36:55 -0700 (PDT)
Received: from [153.34.189.148] by Homer (SMI-8.6/SMI-SVR4) id OAA17483; Tue, 10 Sep 1996 14:41:50 -0400
Message-Id: <199609101841.OAA17483@Homer>
To: "firewalls@greatcircle.com"
Subject: Removal from lists
Date: Tue, 10 Sep 96 14:37:25 -0500
From: Bob Himmelman
X-Mailer: E-Mail Connection v2.5.03
CC: "himmelman@dorf.com"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-- [ From: Bob Himmelman * EMC.Ver #2.5.02 ] --

I have made numerous attempts to automatically be removed from the digest and firewalls mailing lists... NO LUCK! Please manually remove my address.
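The Firewall-1 and bootp exchange above (Ryan Russell replying to Jeff Ballachino) turns on one fact: a BOOTREQUEST leaves the client with source 0.0.0.0 and destination 255.255.255.255, so a rule naming the hub as the source can never match it, whatever the rule base says. The Python below is an added example, not code from the digest or from Firewall-1: the addresses, MAC, rule table and the "rule 0" wording are constructed, and it shows the rule as the poster wrote it failing, and a rule scoped to 0.0.0.0 -> 255.255.255.255/67 plus the hub's own chaddr matching only that hub's request rather than any bootp client on the segment.

```python
"""
Added example, not from the digest: why a filter rule written as
"hub -> bootp-server, service bootp" never matches the hub's initial BOOTP
request, and a rule that does match it without opening port 67 to every
client.  Addresses, MAC, rule table and rule-0 wording are constructed; this
is not Firewall-1 syntax.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

UNSPECIFIED = IPv4Address("0.0.0.0")


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    chaddr: Optional[bytes]   # BOOTP client hardware address, when the payload has one


def build_bootp_request(mac: bytes, xid: int) -> bytes:
    """BOOTREQUEST per RFC 951: the client has no IP yet, so ciaddr/yiaddr/
    siaddr/giaddr are all zero and only chaddr identifies it."""
    hdr = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, 0)  # op,htype,hlen,hops,xid,secs,flags
    hdr += b"\x00" * 16                 # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")       # chaddr (16 bytes, offset 28)
    hdr += b"\x00" * (64 + 128)         # sname, file
    return hdr


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 (no options) + UDP framing; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


def parse(raw: bytes) -> Packet:
    """Pull the 5-tuple a packet filter sees, plus chaddr for bootp traffic."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[0] >> 4 != 4 or raw[9] != 17:
        raise ValueError("expected IPv4/UDP")
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    payload = raw[ihl + 8:]
    chaddr = None
    if {sport, dport} == {68, 67} and len(payload) >= 44:
        chaddr = payload[28:28 + payload[2]]      # hlen sits at offset 2
    return Packet(IPv4Address(raw[12:16]), IPv4Address(raw[16:20]), sport, dport, chaddr)


@dataclass
class Rule:
    name: str
    src: Optional[IPv4Network]      # None means "Any"
    dst: Optional[IPv4Network]
    dport: int
    chaddr: Optional[bytes] = None  # scoping the IP layer cannot give us
    action: str = "accept"

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src not in self.src:
            return False
        if self.dst is not None and p.dst not in self.dst:
            return False
        if p.dport != self.dport:
            return False
        return self.chaddr is None or p.chaddr == self.chaddr


def decide(rules, raw: bytes):
    """First-match evaluation; no match falls through to the implicit drop,
    reported here as 'rule 0' to mirror the poster's log (constructed wording)."""
    p = parse(raw)
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "drop", "rule 0"


HUB_IP = IPv4Network("10.1.1.20/32")                 # constructed
HUB_MAC = bytes.fromhex("020011223344")              # constructed, locally administered
SERVER = IPv4Network("192.0.2.10/32")                # constructed, documentation range

# The rule as described in the question: source = hub object, destination = server.
AS_WRITTEN = [Rule("hub->bootp-server", HUB_IP, SERVER, 67)]

# A rule matching what snoop actually showed on the wire, limited to this hub's chaddr.
ON_THE_WIRE = [Rule("bootp-request", IPv4Network("0.0.0.0/32"),
                    IPv4Network("255.255.255.255/32"), 67, chaddr=HUB_MAC)]

REQUEST = build_ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67,
                         build_bootp_request(HUB_MAC, 0x1234))
STRANGER = build_ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67,
                          build_bootp_request(bytes.fromhex("02aabbccddee"), 0x99))

if __name__ == "__main__":
    print("as written :", decide(AS_WRITTEN, REQUEST))    # ('drop', 'rule 0')
    print("on the wire:", decide(ON_THE_WIRE, REQUEST))   # ('accept', 'bootp-request')
    print("other MAC  :", decide(ON_THE_WIRE, STRANGER))  # ('drop', 'rule 0')
```

The reply from the server is a separate flow (67 -> 68, often itself broadcast) and needs its own rule; this block only covers the request.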
Thank you,
Bob Himmelman
bobh@starledger.com

From firewalls-owner Tue Sep 10 12:14:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA21249 for firewalls-outgoing; Tue, 10 Sep 1996 11:14:07 -0700 (PDT)
Received: from ftp.com (ftp.com [128.127.2.122]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA21238 for ; Tue, 10 Sep 1996 11:13:49 -0700 (PDT)
Received: from ftp.com by ftp.com ; Tue, 10 Sep 1996 14:13:13 -0400
Received: from mailserv-100bs.ftp.com by ftp.com ; Tue, 10 Sep 1996 14:13:13 -0400
Received: by MAILSERV-100BS.FTP.COM (SMI-8.6/SMI-SVR4) id OAA02175; Tue, 10 Sep 1996 14:12:23 -0400
Date: Tue, 10 Sep 1996 14:12:23 -0400
Message-Id: <199609101812.OAA02175@MAILSERV-100BS.FTP.COM>
To: steve@gbnet.org
Subject: Re: libdes.a
From: chip@ftp.com (Chip Sparling)
Reply-To: chip@ftp.com
Cc: firewalls@GreatCircle.COM
Repository: mailserv-100bs.ftp.com, [message accepted at Tue Sep 10 14:12:17 1996]
Originating-Client: slingshot.ftp.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>The US ITAR regulations forbid the export of crypto technology
>(considered munitions).

Since no one has mentioned it, the US Senate Commerce Committee is probably going to vote on Pro-CODE this Thursday. From Pro-CODE, "The purpose of this Act is to promote electronic commerce through the use of strong encryption." See http://www.vtw.org or http://www.crypto.com for details and the phone #s of the Senators.
chip

From firewalls-owner Tue Sep 10 12:30:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA26947 for firewalls-outgoing; Tue, 10 Sep 1996 11:51:25 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA26929 for ; Tue, 10 Sep 1996 11:51:03 -0700 (PDT)
Received: by hidata.com; id AA22595; Tue, 10 Sep 96 11:50:54 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma022588; Tue, 10 Sep 96 11:50:23 -0700
Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id LAA03320; Tue, 10 Sep 1996 11:50:22 -0700
Message-Id: <2.2.32.19960910184817.0063d664@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 10 Sep 1996 11:48:17 -0700
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Services authentication
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here's a freshman-level question for the group.

For _any_ operating system, are there any network services which do not just alias a session ID to an internal UID, but actually use the operating system's user authentication method?

Every (secured) network service I've seen has its own authentication method, and maps who it is or who it thinks or claims it has a session with, to an internal authentication 'ticket' (FTP, HTTPS, s/key, Telnet username/password, Kerberos, NT logon, NT SMB, NFS, NIS+, etc).

If that statement is true, then I would say: "Operating system integrated user security is only effective internally. All incoming network connections are not authenticated by the operating system, but by services on a port-by-port basis."

Comments?
Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822
--- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

Political Protest: Because of a reported fight I got into in 1987, the state of California recently violated my constitutional right to keep and bear arms by refusing to allow me to purchase a gun, after experiencing a prowler on my ranch at night. I resent having my constitutional rights violated by anyone, and consider anyone who attacks the constitution as a traitor against the American people. In this case, California lawmakers have committed an act of treason against me, and the people of America with their bureaucratic laws. Our right to keep and bear arms has _DEFINITELY_ been infringed. I am _definitely_ pissed off. Record _that_ in the Federal Internet logs.

I am a U.S. Army veteran and have served in live-fire environments, held various Federal T.S. and higher clearances, worked for government contractors, and currently pay >$2,000 per month in various taxes. I live in the countryside where police are not present, and defend a family of four on a large ranch from wild Boar, cougar, rattlers, hunters, poachers, outlaw bikers, and prowlers. And now Democrats.
To ensure recording by multiple agencies:
__________________________________________________________________________
President Project Secret Terrorist Nuclear Satellite Submarine Explosive NSC NSA CIA FEMA DCI FBI NRO Keyhole TopSecret Tango Cosmic General SCIF Briefed Militia Project-Office Congress Successorship Missile Cryptokey Classified Whitestory Coverstory Blackproject Underground Shelters Mobile Meteorburst Particle Weapon Two-man Blackagency Agent Operative Deltaforce Tempest Espionage Radiation Biological Warfare Blacksite Bomb Code Admiral
__________________________________________________________________________

From firewalls-owner Tue Sep 10 12:31:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17210 for firewalls-outgoing; Tue, 10 Sep 1996 10:51:21 -0700 (PDT)
Received: from bsp.is (shr.is [193.4.68.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA17071 for ; Tue, 10 Sep 1996 10:50:31 -0700 (PDT)
Received: (from ragnar@localhost) by bsp.is (8.6.12/8.6.6) id SAA11547 for firewalls@GreatCircle.COM; Tue, 10 Sep 1996 18:14:51 GMT
From: ragnar@bsp.is (Finnbogi Ragnar Ragnarsson)
Message-Id: <199609101814.SAA11547@bsp.is>
Subject: RE:Lotus Notes Security
To: firewalls@GreatCircle.COM
Date: Tue, 10 Sep 1996 18:14:51 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23beta2]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Forwarded message:
> From firewalls-owner@GreatCircle.COM Tue Sep 10 02:03:27 1996
> From: Joseph.Cupano@ey.com
> X400-Originator: Joseph.Cupano@EY.COM
> X400-Recipients: firewalls@greatcircle.com
> X400-Mts-Identifier: [/PRMD=ERNSTYOUNG/ADMD=ATTMAIL/C=US/;0014500005125969000002]
> X400-Content-Type: P2-1988 (22)
> Message-Id: <0014500005125969000002*@MHS>
> To: " - (052)firewalls(a)greatcircle.com"
> Subject: Lotus Notes Security
> Date: Mon, 9 Sep 1996 16:05:46 -0400
> Sender: firewalls-owner@GreatCircle.COM
> Precedence: bulk
>
>
> >
> >Hello all!
> >
> >While Notes access through firewalls is a FAQ (short answer: use your
> >favorite circuit-level relay to pass traffic on port 1352 to your
> >notes server), I was looking for a true application level proxy. By
> >this I mean a proxy that would UNDERSTAND the protocol Notes uses,
> >and allow me the functionality to:
> >
>
> Efficient and effective Notes firewall design best served by
> understanding the Notes environment. Notes is a complex application with
> granularity of access control from Server/Database/Document down to Field level.
> [Stuff deleted]

I sincerely hope that Notes security beats their smtp gateway implementation (on OS/2 to be precise, but I have the feeling that the same problems are in other platforms). Although this isn't strictly firewall related I'd like to mention some problems that sites in Europe and generally outside the English speaking nations, might have when using smtp gateway from Notes to the internet. The situation is improving though.

The former version used OS/2 sendmail (came with OS/2) that is very basic and supports almost nothing; to leverage some of the problems we had with notes I had to translate to and from iso latin-1 and CP-850 on a unix machine with 'real' sendmail. That wasn't hard but showed that Notes had not thought about specific smtp requirements for non-English speaking nations. Now they have their own (still buggy, but 'ok, it's new') smtp gateway and smtp daemon (sendmail). It is much better and now translates automatically between character sets. The older version had a 'gateway' that used os/2 sendmail.

But the main problem was (and still is) the following: Notes likes to have your from address as firstname_lastname@site.com or even firstname_lastname@notesdomainstuff/morenotesdomainstuff.site.com. (The latter can be prevented). I, like most other people want to have a short email address.
It is supposed to work, by using a 'nickname' instead of the full name (previously it didn't, meaning that the gateway only supported 7 bit names), and work *IF* your name contains only letters from the lower half of the ascii table (<128). Otherwise it doesn't, I can't say why, it just doesn't. (Anyway, nobody should use the upper-half 8 bit characters in their email addresses). The from address is displayed with extra 7 bit characters instead of the 8 bit characters. An example is Geir\gr\#\Pur_Sigur\Pard\"ttir@shr.is

I happen to be one of the 'lucky' ones, as my name contains no characters from above ascii127 (doesn't matter anyway, I personally don't use notes for smtp mail). Others are forced to have their names on the notes server written with seven bit characters instead of the 8 bit ones, and have their real name as alias.

This is probably not enough firewall related, so please don't respond to the list. But it makes you wonder how good the ip security is in Notes, although the theory is sound. Btw, we don't have an external notes server.

From firewalls-owner Tue Sep 10 12:34:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA22801 for firewalls-outgoing; Tue, 10 Sep 1996 11:25:02 -0700 (PDT)
Received: from wichita.fn.net (wichita.fn.net [204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA22627 for ; Tue, 10 Sep 1996 11:24:09 -0700 (PDT)
Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.4/8.6.9) id NAA23688; Tue, 10 Sep 1996 13:24:01 -0500 (CDT)
Date: Tue, 10 Sep 1996 13:24:01 -0500 (CDT)
From: "Bruce M."
X-Sender: bkmarsh@wichita.fn.net
To: firewalls@greatcircle.com
Subject: Re: Modem hacking
In-Reply-To: <32359C93.516CC243@novare.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 10 Sep 1996, mark wrote:

> > Many people will point out the problems with dial-in modems.
>
> i used to work for a very large corporation and we
> would on occasion get "scans" on numerous
> extensions on the pbx seeking modems that were
> willing to answer.
>
> our corporate policy was "no modems on unauthorized
> workstations", and rightly so.

When doing security audits, ToneLoc can be a very useful tool.

To bring some list relevance back to the thread, this is another good reason why internal firewalls can also be a wise idea. Even if you can trust your employees, you don't always know that you can trust the person who managed to get on their workstation, modem, etc.

________________________________
[ Bruce M. - Feist Systems, Inc. ]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time. The DoD, despite its problems, probably has one of the strongest computer security programs in government.'
-GAO/T-AIMD-96-108

From firewalls-owner Tue Sep 10 13:18:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA22140 for firewalls-outgoing; Tue, 10 Sep 1996 11:20:16 -0700 (PDT)
Received: from wichita.fn.net (wichita.fn.net [204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA21949 for ; Tue, 10 Sep 1996 11:19:17 -0700 (PDT)
Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.4/8.6.9) id NAA23094; Tue, 10 Sep 1996 13:19:06 -0500 (CDT)
Date: Tue, 10 Sep 1996 13:19:03 -0500 (CDT)
From: "Bruce M."
X-Sender: bkmarsh@wichita.fn.net
To: firewalls@greatcircle.com
Subject: Re: Modem hacking
In-Reply-To: <9609101535.AA29423@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 10 Sep 1996, Peter da Silva wrote:

> > Just tell the employees that it is intolerable to hook up a modem without
> > authorization just like it would be intolerable to use company money for
> > personal purchases without authorization.
>
> And for the cases where they *do* have authorization?

Let them have a line but make sure that you, or whoever is responsible for maintaining the network security, installs and configures the appropriate hardware/software. To be extra careful use one of the communications products that supports password --> dial-back security (I just saw one today from B&B Electronics for around $150) and OTP authentication.

> This doesn't solve the problem of supporting dial-out where there's a real
> business need.

It isn't supposed to. While you should maintain company policies for outdial modems as you do indial modems, there still should be an official method for installing/using one. Toggle off auto-answer and instruct your users not to run any communication host programs without the proper authorization.

> (we simply run digital-only lines to offices unless there's a business need
> for a second analog line)

Same situation here.

________________________________
[ Bruce M. - Feist Systems, Inc. ]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time. The DoD, despite its problems, probably has one of the strongest computer security programs in government.'
-GAO/T-AIMD-96-108

From firewalls-owner Tue Sep 10 13:53:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA00356 for firewalls-outgoing; Tue, 10 Sep 1996 12:25:27 -0700 (PDT)
Received: from lider.ldc.com.br ([200.251.177.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA00316 for ; Tue, 10 Sep 1996 12:25:08 -0700 (PDT)
Received: from dialup ([200.251.177.110]) by lider.ldc.com.br (8.6.8.1/SCA-6.6) with SMTP id NAA02342 for ; Tue, 10 Sep 1996 13:20:06 GMT
Date: Tue, 10 Sep 1996 13:20:06 GMT
Message-Id: <1.5.4.16.19960103131021.32373122@pop-gw.ldc.com.br>
X-Sender: pcecilio@pop-gw.ldc.com.br
X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Paulo Cecilio
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have tried to remove myself from the lists automatically but it hasn't done the trick. Could you please remove my email address from the digest and standard mailing list.

Matt Hoving

Please, for me too.

thanks
Paulo Cecilio from Brazil

Virtual Planet, for a united world. Get in touch, take a look at: http:www.ldc.com.br/ldc02/homes/pcecilio/ (Virtual Planet) and join the virtual world.
====================Virtual Planet=========================
= Responsible : Paulo Cecilio                              =
= E-mail      : pcecilio@ldc.com.br                        =
= Homepage    : http://www.ldc.com.br/ldc02/homes/pcecilio/ =
=======================================================

From firewalls-owner Tue Sep 10 13:58:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA06265 for firewalls-outgoing; Tue, 10 Sep 1996 13:01:04 -0700 (PDT)
Received: from mail-sd-01.cnsii.com (mail-sd-01.cnsii.com [207.67.237.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA06049 for ; Tue, 10 Sep 1996 13:00:10 -0700 (PDT)
Received: from andrew ([207.67.239.18]) by mail-sd-01.cnsii.com (post.office MTA v1.9.3 ID# 184-13418) with SMTP id AAA168 for ; Tue, 10 Sep 1996 13:03:44 -0700
Message-Id: <3.0b11.32.19960910125629.00b85490@mail.cnsii.com>
X-Sender: andrew@mail.cnsii.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Tue, 10 Sep 1996 12:56:29 -0700
To: firewalls@greatcircle.com
From: andrew@cnsii.com (Andrew Liles)
Subject: Remove
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Remove from list.

>[:^)  ::-b|d-::  =[8]-o  ]:-{o  <*(:=?
___^..^____   Andrew Liles            System Engineer
:-8p          CNS Internet            2911 State Street
`\=o-o=/'     Suite D                 Carlsbad, California
(:-O ==>      92008-1415              619-730-7301 office
:->X==|       619-730-0060 fax        andrew@cnsii.com
())=(         http://www.cnsii.com
#:o\o/:o\:o/:o||   (z(:^p   *-=|8-D
<0____/\____/\____

From firewalls-owner Tue Sep 10 14:03:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05553 for firewalls-outgoing; Tue, 10 Sep 1996 12:58:13 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA05351 for ; Tue, 10 Sep 1996 12:57:22 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id OAA05090; Tue, 10 Sep 1996 14:49:42 -0400
Date: Tue, 10 Sep 1996 14:49:37 -0400 (EDT)
From: Rabid Wombat
To: Peter da Silva
cc: "Bruce M." , firewalls@GreatCircle.COM
Subject: Re: Modem hacking
In-Reply-To: <9609101535.AA29423@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just make them use dial-in and dial-out systems located on a bastion segment, so you have control; terminal servers w/ authentication for dial-in, a small UNIX box w/ some modems for dial-out, or NCSI/NASI based comm server for dial-out if you're supporting primarily a PC environment. No backdoors to the desktop.

- r.w.

On Tue, 10 Sep 1996, Peter da Silva wrote:

> > Just tell the employees that it is intolerable to hook up a modem without
> > authorization just like it would be intolerable to use company money for
> > personal purchases without authorization.
>
> And for the cases where they *do* have authorization?
>
> This doesn't solve the problem of supporting dial-out where there's a real
> business need.
>
> (we simply run digital-only lines to offices unless there's a business need
> for a second analog line)
>

From firewalls-owner Tue Sep 10 14:04:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA07824 for firewalls-outgoing; Tue, 10 Sep 1996 13:10:59 -0700 (PDT)
Received: from mm1 (mm1.sprynet.com [165.121.2.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA07593 for ; Tue, 10 Sep 1996 13:09:49 -0700 (PDT)
Received: from stoico ([204.146.159.249]) by mm1.sprynet.com with SMTP id <148112-25090>; Tue, 10 Sep 1996 13:04:05 -0700
Message-Id: <3.0b11.32.19960910160547.009847f0@hqmail.metlife.com>
X-Sender: mstoico%hqmail.metlife.com@hqmail.metlife.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Tue, 10 Sep 1996 16:05:49 -0400
To: peter@baileynm.com (Peter da Silva), bkmarsh@feist.com (Bruce M.)
From: Mike Stoico
Subject: Re: Modem hacking
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:35 AM 9/10/96 -0500, Peter da Silva wrote:
>
>> Just tell the employees that it is intolerable to hook up a modem without
>> authorization just like it would be intolerable to use company money for
>> personal purchases without authorization.
>
>And for the cases where they *do* have authorization?
>
>This doesn't solve the problem of supporting dial-out where there's a real
>business need.
>
>(we simply run digital-only lines to offices unless there's a business need
> for a second analog line)
>

You need to make it very clear that if you need to hook up a modem to a PC that it should be on a stand alone PC only. I realize that enforcement is hard but your policy should be driven home. I know of a manager that told an employee that come the next day, either he or the modem would be gone from the office. It worked.
=========================================================================
Mike Stoico, I/S Security Consultant   * Phone: (518)285-2567
MetLife                                * Fax: (518)285-2542
500 Jordan Rd                          * E-Mail: mstoico@metlife.com
Troy, NY 12180                         * URL: www.metlife.com
=========================================================================
The opinions expressed here are my own and may not be those of my employer.
=========================================================================

From firewalls-owner Tue Sep 10 14:15:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA08394 for firewalls-outgoing; Tue, 10 Sep 1996 13:14:42 -0700 (PDT)
Received: from bulldog.ca (indy.bulldog.ca [204.101.141.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA08175 for ; Tue, 10 Sep 1996 13:13:40 -0700 (PDT)
Received: from belgium.bulldog.ca by bulldog.ca via SMTP (940816.SGI.8.6.9/940406.SGI) for id QAA17016; Tue, 10 Sep 1996 16:14:46 -0400
Received: by belgium.bulldog.ca with Microsoft Mail id <01BB9F33.32C5E880@belgium.bulldog.ca>; Tue, 10 Sep 1996 16:14:52 -0400
Message-ID: <01BB9F33.32C5E880@belgium.bulldog.ca>
From: Dan Tshin
To: "'Firewalls@greatcircle.com'"
Subject: RE: Modem hacking
Date: Tue, 10 Sep 1996 16:14:51 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tuesday, September 10, 1996 6:35 AM, Peter da Silva[SMTP:peter@baileynm.com] wrote:
>> Just tell the employees that it is intolerable to hook up a modem without
>> authorization just like it would be intolerable to use company money for
>> personal purchases without authorization.
>
>And for the cases where they *do* have authorization?
>
>This doesn't solve the problem of supporting dial-out where there's a real
>business need.
>
>(we simply run digital-only lines to offices unless there's a business need
> for a second analog line)
>
>

Around 18 months ago, when I was working at a local office of a Company That Most Everyone Knows Of/Despises, when we connected via analog lines to the outside world, we were _Required_ to physically unplug our ethernet connections. Obviously this method does not work for everyone /every situation, but it was understood that all the resources that we really needed were on the corporate net.

Another note: Someone posted that when connected to the Internet, he/she noticed lots of HDD activity and upon checking the user manager (Win 95 equiv) found 2 people logged in.

My question is: Does Windows 95 block external accesses when connected via DUN? There are options to disable MS networking over the DUN, and there is a pop up option box that asked whether to perform a security check before going online... do these options work... well?

Thx kindly,
Dan

===================================================
Dan Tshin                     The Bulldog Group Inc.
Web Developer                 The Media Lab
416.594.9207 : x252           416.594.1473 (Fax)
http://www.bulldog.ca
===================================================
A head is not merely a hat hangar. Just Use It.
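Going back to Finnbogi Ragnar Ragnarsson's message on the Notes SMTP gateway earlier in this digest: the two mechanical problems he describes are that names stored by an OS/2 gateway in CP-850 must be transcoded to ISO Latin-1 before a Unix sendmail sees them, and that a firstname_lastname local-part containing any character above 127 is not legal 7-bit SMTP, so such users end up needing a 7-bit alias. The Python below is an added example, not code from the digest or from Lotus Notes; the sample name and the transliteration table are constructed, and the RFC 821 atom check is the one an SMTP relay would apply to an unquoted local-part.

```python
"""
Added example, not from the digest: charset transcoding between OS/2 CP-850
and ISO Latin-1, a 7-bit local-part check per RFC 821, and a constructed
transliteration that yields a 7-bit firstname_lastname alias for a name
that contains Latin-1 letters above 127.  The sample name is constructed and
is not anyone from the digest.
"""
import re
import unicodedata

# Characters RFC 821 permits in an unquoted local-part "atom".
_ATOM = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")

# Constructed mapping for Latin-1 letters that NFKD cannot reduce to ASCII
# (the accented vowels are handled by NFKD decomposition below).
_TRANSLIT = str.maketrans({
    "þ": "th", "Þ": "Th", "ð": "d", "Ð": "D", "æ": "ae", "Æ": "Ae",
    "ø": "o", "Ø": "O", "ß": "ss",
})


def cp850_to_latin1(raw: bytes) -> bytes:
    """Re-encode OS/2 CP-850 bytes as ISO-8859-1, the charset a Unix
    sendmail on the far side of the gateway would expect."""
    return raw.decode("cp850").encode("latin-1")


def latin1_to_cp850(raw: bytes) -> bytes:
    """The reverse direction, for mail flowing back into the OS/2 gateway."""
    return raw.decode("latin-1").encode("cp850")


def is_7bit_local_part(local: str) -> bool:
    """True only if every character is below 128 and allowed in an atom."""
    return all(ord(c) < 128 for c in local) and _ATOM.match(local) is not None


def gateway_local_part(full_name: str) -> str:
    """The firstname_lastname form the gateway builds by default, 8-bit
    letters included; this is the form that does not survive 7-bit SMTP."""
    return "_".join(full_name.split())


def seven_bit_alias(full_name: str) -> str:
    """Build a firstname_lastname local-part that survives a 7-bit gateway:
    transliterate, strip accents, join on '_', then verify against RFC 821."""
    s = full_name.translate(_TRANSLIT)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    alias = "_".join(s.split())
    if not is_7bit_local_part(alias):
        raise ValueError(f"no 7-bit alias for {full_name!r}")
    return alias


SAMPLE = "Þórður Ólafsson"   # constructed Icelandic name, every letter in CP-850 and Latin-1

if __name__ == "__main__":
    os2_bytes = SAMPLE.encode("cp850")
    print(cp850_to_latin1(os2_bytes) == SAMPLE.encode("latin-1"))   # True
    print(is_7bit_local_part(gateway_local_part(SAMPLE)))            # False
    print(seven_bit_alias(SAMPLE))                                   # Thordur_Olafsson
```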
From firewalls-owner Tue Sep 10 14:45:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA06873 for firewalls-outgoing; Tue, 10 Sep 1996 13:04:26 -0700 (PDT)
Received: from wichita.fn.net (wichita.fn.net [204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA06424 for ; Tue, 10 Sep 1996 13:01:52 -0700 (PDT)
Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.4/8.6.9) id PAA03842; Tue, 10 Sep 1996 15:01:26 -0500 (CDT)
Date: Tue, 10 Sep 1996 15:01:26 -0500 (CDT)
From: "Bruce M."
X-Sender: bkmarsh@wichita.fn.net
To: firewalls@greatcircle.com
Subject: Re: Modem hacking
In-Reply-To: <15204964000630@gsionline.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 10 Sep 1996, Nick Keenan wrote:

> With a PC, you can't really say "The modem is set to answer at all times".
> The operating system doesn't control the modem -- application software does,
> and on a PC, that means the user has to start a program.

A lot of modems have a toggle switch that will force the modem to automatically answer the phone. I am not aware of much that you could do by simply being connected to the modem without communications software running, but I would still try to prevent this from happening.

> Another common scenario: Employee has internet access on the LAN at work.
> Figures if he puts a modem in his work computer, he can dial into it and get
> free internet access at home. With Win95 or NT this works and is easy. The
> problem is that it doesn't just give access to the internet -- it gives
> access to the LAN.

That depends. You can configure Win95 to only give specific protocols, so if you wanted Internet access but not Novell access, you could allow TCP/IP but disallow IPX.

> A final note. A lot of people will try to sell you a modem pool as a
> solution to all of your problems. On paper, they look great -- leverage
> your existing hardware, centralize communications and security, save on line
> charges, etc. The only problem is they don't really work, so users won't
> want to use them. I have never used a modem pool that was worth a bucket of
> warm spit, and I've used a lot (modem pools, not buckets of spit). In terms
> of security, would a modem pool protect you from the situation described two
> paragraphs up? No. A modem pool is tolerable for infrequent and casual
> use, but anyone who uses online services regularly or needs maximum
> reliability should have his own modem and his own phone line.

Maybe you and I have different ideas about modem pools, but I haven't had much trouble with the ones that I've dealt with. Some of the newer products from Shiva, USR, Hayes, etc. are usually okay for most businesses.

________________________________
[ Bruce M. - Feist Systems, Inc. ]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time. The DoD, despite its problems, probably has one of the strongest computer security programs in government.'
-GAO/T-AIMD-96-108 From firewalls-owner Tue Sep 10 14:48:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA16253 for firewalls-outgoing; Tue, 10 Sep 1996 14:26:18 -0700 (PDT) Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA16201 for ; Tue, 10 Sep 1996 14:25:53 -0700 (PDT) Received: from is.ups.com (smtp.telecom.ups.com) by gate.ups.com with SMTP id AA19953 (InterLock SMTP Gateway 3.0 for ); Tue, 10 Sep 1996 17:25:10 -0400 Received: from butthead.ups.com by is.ups.com (5.x/SMI-SVR4) id AA01194; Tue, 10 Sep 1996 17:24:33 -0400 Received: from localhost by butthead.ups.com (SMI-8.6/SMI-SVR4) id RAA09263; Tue, 10 Sep 1996 17:25:08 -0400 Date: Tue, 10 Sep 1996 17:25:08 -0400 (EDT) From: Dave Wreski X-Sender: tel1dvw@butthead To: firewalls@greatcircle.com Subject: Interlock and RealAudio? Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all. I'm not sure if its ok to ask such a question here, but does anyone have RealAudio working thru ANS's InterLock? I understand it can be done, but I haven't been able to. I have to go thru a proxy server, which in turn makes the connection to the internet, thru the interlock. Thanks, Dave Wreski -- echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc From firewalls-owner Tue Sep 10 15:06:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA07876 for firewalls-outgoing; Tue, 10 Sep 1996 13:11:26 -0700 (PDT) Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA07698 for ; Tue, 10 Sep 1996 13:10:19 -0700 (PDT) Received: from bass.com. by anchorsteam (SMI-8.6/SMI-SVR4) id QAA28097; Tue, 10 Sep 1996 16:10:30 -0400 Received: by bass.com. 
Date: Tue, 10 Sep 1996 16:07:59 -0400
From: jonesmd@unifiedtech.com (Mike Jones)
To: rruda@osti.com, nkeenan@gsionline.com
Cc: firewalls@greatcircle.com
Subject: Re: Modem hacking

Richard Ruda writes...

> I want to step in here as someone who comes from the PC world, as it seems that most of the people on this list come from a unix background, and a question like this shows up the paradigm difference between the two environments.

Yes, it does.

> The key thing to remember about PC's is that traditionally the OS did not provide any communications services at all, or even manage the com ports for that matter. (This has changed slightly with Windows 95 and Windows NT). With a PC, you can't really say "The modem is set to answer at all times". The operating system doesn't control the modem -- application software does, and on a PC, that means the user has to start a program.

Perhaps. It isn't hard to imagine a subtle virus that would check to see if there's a modem attached to the machine and set it to auto-answer.

> So the danger is not in having modems installed -- without the proper application software, the modem is not going to do anything. What you have to be concerned about is what kinds of software people are using.

This is the paradigm difference between folks from the PC world and folks from the Unix world. PC folks seem to be much more willing to believe that (a) they can trust users, and (b) they know *everything* that's going on with their machine.

> The only real danger is remote control programs -- programs like PCAnywhere, Carbon Copy, etc.
> that allow a remote user to take over the PC and do everything that a local user of that PC could do. And that means everything -- if you want to, you can reboot, repartition the hard disk, or cruise the LAN. If people insist on using these programs, the remote control programs all come with security now -- the simplest and most effective measure is to force callbacks.

And the simplest and most effective way of subverting that security is to bypass the callbacks. Since DOS/Windows has no security architecture, all somebody has to do is get a virus into your organization that will turn it off. This isn't a likely strategy for a general attack, but in a scenario where the attacker knows you run PCAnywhere and knows a couple of folks in your organization, it would be a *very* easy avenue of attack unless your per-machine virus checks are better than I've ever seen.

> A final note. A lot of people will try to sell you a modem pool as a solution to all of your problems. On paper, they look great -- leverage your existing hardware, centralize communications and security, save on line charges, etc. The only problem is they don't really work, so users won't want to use them. I have never used a modem pool that was worth a bucket of warm spit, and I've used a lot (modem pools, not buckets of spit). In terms of security, would a modem pool protect you from the situation described two paragraphs up? No. A modem pool is tolerable for infrequent and casual use, but anyone who uses online services regularly or needs maximum reliability should have his own modem and his own phone line.

Dialout modem pools are pretty bad, agreed. For dialin use, though, they're the only way to go. They let you put all the security in one place where (theoretically) somebody who understands security can manage it.

As far as I'm concerned, network connections and modems are mutually exclusive on any machine behind the firewall whether it's running Windows, Unix, or MVS.
Mike Jones
Sr. Network Computing Advisor
UNIFIED Technologies

From firewalls-owner Tue Sep 10 16:44:25 1996
From: Janus4u@aol.com
Date: Tue, 10 Sep 1996 18:09:26 -0400
To: firewalls@greatcircle.com
Subject: Digital Firewalls

I am evaluating a proposal from Digital Equipment Corp for their AltaVista Firewall with Layered Product Support. Has anyone had any experience with this product from a security perspective? Is it easy to configure? Is the user interface easy to work with? What problems have you run into?
Thanks,
Pat Fisher

From firewalls-owner Tue Sep 10 16:59:21 1996
From: Gene Lee
To: "firewalls@GreatCircle.COM"
Subject: RE: Modem hacking
Date: Tue, 10 Sep 1996 19:45:01 -0400

On Tuesday, September 10, 1996 11:01 AM, Bruce M.[SMTP:bkmarsh@feist.com] wrote:
>On Tue, 10 Sep 1996, Nick Keenan wrote:
>
>> With a PC, you can't really say "The modem is set to answer at all times". The operating system doesn't control the modem -- application software does, and on a PC, that means the user has to start a program.
>
> A lot of modems have a toggle switch that will force the modem to automatically answer the phone. I am not aware of much that you could do by simply being connected to the modem without communications software running, but I would still try to prevent this from happening.

If I were to try, I'd begin by writing a trojan or virus that would raise the DTR, send "ATS0=1" and do a "CTTY COM1:" (in the DOS world). Then I'd figure out how to do all of this without the user being aware of anything happening... Hmm....
--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Tue Sep 10 17:14:38 1996
Date: Tue, 10 Sep 1996 17:25:12 -0500 (CDT)
From: inter
To: "David J. Taylor"
cc: Steve Conner, Jesse, "firewalls@GreatCircle.COM"
Subject: RE: FreeBSD Firewall Package

On Mon, 9 Sep 1996, David J. Taylor wrote:

> That's fine as long as you have 24x7 surveillance. But having logs showing an address doesn't give you much comfort if the intruder came in, did the damage and left before anyone could detect and stop him. I would submit that prevention is still the best medicine.
>
>
> ----------
> From: inter[SMTP:inter@blue.misnet.com]
> Sent: Monday, September 09, 1996 1:50 PM
> To: Steve Conner
> Cc: Jesse; firewalls@GreatCircle.COM
> Subject: Re: FreeBSD Firewall Package
>
>

sure it is but it is when you don't have security enuf to prevent attackers then you don't have anything. Say you have a firewall.. still some sites are 'able' to come in. Well then .. without proper logs you will have no clue where the attack came from and you have no clue what they have done. Logs(security) plays hand in hand with prevention. However Firewalls do not count out someone who is DETERMINED to get into a system. period.
From firewalls-owner Tue Sep 10 17:21:13 1996
From: Gene Lee
To: "'Firewalls@greatcircle.com'"
Subject: RE: Modem hacking
Date: Tue, 10 Sep 1996 19:36:52 -0400

On Tuesday, September 10, 1996 4:14 PM, Dan Tshin[SMTP:dtshin@bulldog.ca] wrote:
>Another note: Someone posted that when connected to the Internet, he/she noticed lots of HDD activity and upon checking the user manager (Win 95 equiv) found 2 people logged in.
>My question is: Does Windows 95 block external accesses when connection via DUN? There are options to disable MS networking over the DUN, and there is a pop up option box that asked whether to perform a security check before going online... do these options work... well?

Dan, as far as I know, the only security check in Win95 DUN (at least for PPP connections) is a "Require encrypted password" which uses PAP to authenticate the client to the Terminal Server. This "security check" in no way protects the client from malicious attacks from the Net when PPP-connected, so if there are any open ports (ie. if the Win95 host has an ftpd or smtpd process running, or even ftp/telnet/etc client sessions running) they are susceptible to most (if not all) of the attacks that LAN-connected hosts are vulnerable to.
As far as "blocking external access when connection via DUN", this seems like defeating the purpose of a network connection. You *WANT* external access when using DUN, otherwise you'd never get your web pages delivered to you, or be able to download via ftp, gopher, etc. I don't think I've seen this "disable MS networking over the DUN" option that you mention, but it seems like a contradiction in terms.

Personally, I think the biggest vulnerability is the NetBIOS over TCP/IP. I have been able to browse unprotected file shares on a Win95 machine connected via PPP, using a Linux box running Samba. Quite scary actually.

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Tue Sep 10 17:44:28 1996
Date: Tue, 10 Sep 1996 16:59:08 -0700
Subject: Routing when net is unreachable
From: Rob Sansom

Perhaps someone out there can help me with a mystery. I keep receiving packets on our T1 interface from a host on our internal net. 99% of the time, they are DNS packets. A few things to consider:

* The router is a Cisco 2514, IOS 11.1
* All packets are filtered inbound on the interface (ip access-group 123 in)
* All routes are static (no RIP, OSPF, etc...)
* The T1 is a dedicated point to point link with our ISP

Here's an actual log entry:

denied udp 204.247.159.242(1210) -> 204.118.199.11(53), 1 packet

This is a DNS request from our mail server to one of our DNS servers. If it were on the internal net, this would be normal. This is a packet that has been filtered inbound on our serial (T1) interface. It might be a spoofer, but I'm beginning to doubt this, since it makes no sense. Also it seems to happen when our internal router chokes (NOT a Cisco), and the link between our mail server and DNS server is down. Would it be possible that if the link is down, our Cisco might try to send via the gateway of last resort, this packet? Once the line comes back up, these packets eventually go away, so I think there might be a connection.

Thanks in Advance,

#include

Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Tue Sep 10 17:49:19 1996
From: "Seung-Il Han"
Subject: Removal from mail lists
Date: Wed, 11 Sep 1996 08:33:36 +0900

I have tried to remove myself from the lists automatically but it hasn't done the trick. Could you please remove my email address from the digest and standard mailing list.
Seung-Il Han

From firewalls-owner Tue Sep 10 18:14:15 1996
From: craigw@mac.ce.com.au
To: nkeenan@gsionline.com (Nick Keenan)
Date: Wed, 11 Sep 1996 09:09:29 +0000
Subject: Re: Modem hacking
CC: firewalls@greatcircle.com

well personally I come from a Unix and windows, NT, dos background.

1 windows 3.11 and 3.1 can be configured for TCP/IP networking
2 the TCP/IP protocol supplied with M$ windows (3.1,3.11,NT,95) has a static route program. (from the dos prompt type route add), and it is theoretically able to route networks and subnets.
3 there is a supplement disk for tcp/ip networking for early dos/windows systems

> The key thing to remember about PC's is that traditionally the OS did not provide any communications services at all, or even manage the com ports for that matter. (This has changed slightly with Windows 95 and Windows NT).

as I said...there is a basic routing protocol.
NT can be configured quite easily, 95 sux. but it is still routable (esp using some freeware available over the net), and dos/3.1/3.11 while a REAL pain is also configurable. I can route traffic from a modem to the LAN to a WAN. I do it now, but outside the trusted network. If you want details on how to do this, with only the native OS, mail me personally (doshai@pip.com.au). The problem is that it is more of a nuisance...you need individual static routes for a lot of points. Very time consuming. most users will not know of the M$ route add command (a rip off of the Unix one, but some will).

Soon, we may all be staring at our computers, wondering whether they're staring back.

[Network Admin For WPA Business Products. aka doshai >;-) ]
http://pip.com.au/~doshai/

Key fingerprint = 2D F4 54 BB B4 EA F1 E7 B6 DE 48 92 FC 8D FF 49
Send a message with the subject "send pgp-key" for a copy of my key.
(if I want to give it to you)

From firewalls-owner Tue Sep 10 18:44:26 1996
Date: Tue, 10 Sep 1996 21:23:25 -0400
To: Rob Sansom
From: Paul Ferguson
Subject: Re: Routing when net is unreachable

Well, that scenario is certainly possible, but it's *really* hard to determine without more details. ;-)

- paul

At 04:59 PM 9/10/96 -0700, Rob Sansom wrote:
>Perhaps someone out there can help me with a mystery. I keep receiving packets on our T1 interface from a host on our internal net. 99% of the time, they are DNS packets. A few things to consider:
>
>* The router is a Cisco 2514, IOS 11.1
>* All packets are filtered inbound on the interface (ip access-group 123 in)
>* All routes are static (no RIP, OSPF, etc...)
>* The T1 is a dedicated point to point link with our ISP
>
>Here's an actual log entry:
>
>denied udp 204.247.159.242(1210) -> 204.118.199.11(53), 1 packet
>
>This is a DNS request from our mail server to one of our DNS servers. If it were on the internal net, this would be normal. This is a packet that has been filtered inbound on our serial (T1) interface. It might be a spoofer, but I'm beginning to doubt this, since it makes no sense.
>Also it seems to happen when our internal router chokes (NOT a Cisco), and the link between our mail server and DNS server is down. Would it be possible that if the link is down, our Cisco might try to send via the gateway of last resort, this packet? Once the line comes back up, these packets eventually go away, so I think there might be a connection.
>
>Thanks in Advance,
>
>#include
>
>Rob Sansom
>Network Admin.
>Connectix Corp
>(415) 638-7398
>sansom@connectix.com
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Tue Sep 10 19:14:17 1996
From: Matthew Thompson
To: "'Firewalls@greatcircle.com'", "'Gene Lee'"
Subject: RE: Modem hacking
Date: Thu, 12 Sep 1996 13:52:36 +1200

>Dan, as far as I know, the only security check in Win95 DUN (at least for PPP connections) is a "Require encrypted password" which uses PAP to authenticate the client to the Terminal Server. This "security check" in no way protects the client from malicious attacks from the Net when PPP-connected, so if there are any open ports (ie. if the Win95 host has an ftpd or smtpd process running, or even ftp/telnet/etc client sessions running) they are susceptible to most (if not all) of the attacks that LAN-connected hosts are vulnerable to.
I thought it was unbinding Network client and server services from TCP/IP on the dial up adapter. This (Theoretically, wouldn't like to speculate on what other holes are left) means that your file sharing service is not listening for connections on this adapter. You can do this in the network control panel under TCPIP->Dial Up Adapter, Bindings. Either that or don't load file and print sharing on your PC.

Anyone hit a W95 system with client and server disabled on the dial up adapter, but still bound to LAN interface and seen what else is still listening/sending?

---------------------------------------------------------------------
Kiwitech Marine Solutions Ltd.
RaceTech, SailTech, PowerTech, Marine Software & Hardware
Web: http://www.kiwitech.co.nz, Email: mthomps1@kiwitech.co.nz
Phone: +64-9-307-0819 Fax: +64-9-307-6685 Mobile: +64-21-998-600
PO Box 5909, Wellesley Street, Auckland, New Zealand

From firewalls-owner Tue Sep 10 19:29:41 1996
From: Christopher Klaus
Subject: Network Security Leakage [info]
To: firewalls@greatcircle.com
Date: Tue, 10 Sep 1996 21:54:47 -0400 (EDT)
Reply-To: cklaus@iss.net

[This doesn't address the age old problem of the dial-in modems connected to a PC.]
Network Security Leakage

Even organizations that secure their internal networks behind perimeter security devices such as firewalls can incur a network security leak. If a workstation on an internal LAN is connected to an Internet Service Provider (ISP), it can become a gateway for the passage of packets between the internal network and the Internet. Such a gateway bypasses the filtering and proxy rules of the firewall, thereby opening the network to several possible threats:

1) Anyone on the Internet can potentially access restricted machines on the internal LAN in spite of the firewall.

2) Users on the internal LAN whose access to certain services on the Internet is controlled by the firewall can bypass the firewall to access those services.

Thus, reliance on a firewall as the sole means of securing a network can actually open that network up to significant security vulnerabilities. All that is required is a user on the internal network with a PC and modem connected directly to the Internet.

The first step in correcting this problem is detecting it. Here are some possible means of detection:

Get on each segment of the network behind the firewall and try to send IP packets of various types to well known Internet hosts and look for responses. The firewall should be blocking these IP packets but if there is a leakage, the packets may be routed through the internal gateway machine. There are some technical issues to consider. For instance, you need to send more than just Ping (ICMP Echo & Request) Packets because if the gateway host is using SLIP, it may actually block the Ping packets but allow a telnet connection to go through. Also, if the machine trying to send out packets and discover a leakage has an internal IP address of a private domain (ie 10.0.x.x), its packets will not get a response. Any machine with a public IP address may get through the security leakage with a response.
It is also possible to detect network security leakage through the use of a sniffer set up to filter out all internal network traffic and only log non-internal traffic. Normally, the firewall blocks all non-internal traffic and if such traffic appears, there may be a leakage. Probably a more effective method would be to use the sniffer on a response server outside of the firewall on the Internet. Then by sending packets from inside the firewall to the response server's IP address, you can detect outgoing leaks without worrying about packets routing back inside the firewall.

Once such leakage is detected, network diagnostic tools such as traceroute may help you discover exactly what machine is being used as a gateway. Depending on the type of routing used internally, it also may be worthwhile to examine all routing tables.

By applying these techniques to your network, you may be able to expose potential security vulnerabilities before someone else points them out to you in an unfriendly fashion.

Comments welcome.

Chris

--
Christopher William Klaus
Internet Security Systems, Inc.
Ste. 660, 41 Perimeter Center East, Atlanta, GA 30346
Voice: (770)395-0150. Fax: (770)395-1972
Web: http://www.iss.net/ Email: cklaus@iss.net
"Internet Scanner finds your network security holes before the hackers do."
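The sniffer approach in the post, plus the follow-up question of which station is acting as the gateway, as an added Python example (not from the original post or from ISS). It assumes a capture of Ethernet frames taken on one internal segment, a list of the site's own address blocks, and the MAC of the firewall's inside interface; every address, MAC and frame below is constructed.

```python
# Added example, not from the original post: classify frames sniffed on an
# internal segment so that non-internal traffic handled by any station other
# than the firewall stands out as a leak, and name the suspect gateway.
import ipaddress
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Constructed site data: our own address blocks and the firewall's inside MAC.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]
FIREWALL_MAC = "00:00:0c:aa:bb:01"


class Frame(NamedTuple):
    """One sniffed Ethernet/IP frame; only the fields the check needs."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str  # "tcp", "udp" or "icmp"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(frame: Frame) -> Tuple[str, Optional[str]]:
    """Return (verdict, suspect_mac).

    "internal"      both endpoints are ours: ordinary LAN traffic
    "via-firewall"  one endpoint is external and the firewall is the L2 peer
    "leak"          external traffic handled by some other station (the
                    gateway the post describes), or transit traffic with no
                    internal endpoint at all; suspect_mac names that station
    The post's caveat about private (10.x) source addresses applies to the
    active probe; a sniffer on the segment sees the leaked frames either way.
    """
    s_int, d_int = is_internal(frame.src_ip), is_internal(frame.dst_ip)
    if s_int and d_int:
        return "internal", None
    if not s_int and not d_int:
        # Neither address is ours, so something is bridging foreign traffic
        # across this segment. Blame whichever station is not the firewall.
        suspect = frame.src_mac if frame.src_mac.lower() != FIREWALL_MAC else frame.dst_mac
        return "leak", suspect.lower()
    # Exactly one end is external. The station on the external side of the
    # frame is whoever routes that traffic: the sender of an inbound frame,
    # the receiver of an outbound one.
    gateway = frame.src_mac if not s_int else frame.dst_mac
    if gateway.lower() == FIREWALL_MAC:
        return "via-firewall", None
    return "leak", gateway.lower()


def find_leak_gateways(capture: Iterable[Frame]) -> Dict[str, int]:
    """Count leak frames per suspect MAC. A non-empty result is the cue to
    traceroute from inside and to inspect that station's routing table."""
    counts: Counter = Counter()
    for frame in capture:
        verdict, mac = classify(frame)
        if verdict == "leak":
            counts[mac] += 1
    return dict(counts)


# Constructed capture from one segment: a workstation (00:40:05:11:11:11),
# the internal DNS server (00:40:05:22:22:22), the firewall, and a PC with a
# modem (00:40:05:de:ad:01) that is forwarding between the LAN and its ISP.
SAMPLE_CAPTURE = [
    Frame("00:40:05:11:11:11", "00:40:05:22:22:22", "10.1.2.3", "10.1.1.53", "udp"),
    Frame("00:40:05:11:11:11", FIREWALL_MAC, "10.1.2.3", "198.51.100.80", "tcp"),
    Frame("00:40:05:11:11:11", "00:40:05:de:ad:01", "10.1.2.3", "198.51.100.80", "tcp"),
    Frame("00:40:05:de:ad:01", "00:40:05:11:11:11", "198.51.100.80", "10.1.2.3", "tcp"),
]

if __name__ == "__main__":
    for frame in SAMPLE_CAPTURE:
        print(frame.src_ip, "->", frame.dst_ip, classify(frame))
    print("suspect gateways:", find_leak_gateways(SAMPLE_CAPTURE))
```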
From firewalls-owner Tue Sep 10 19:59:17 1996
Date: Tue, 10 Sep 1996 21:37:24 -0500
To: Gene Lee, "firewalls@GreatCircle.COM"
From: Charles Ragan
Subject: RE: Modem hacking

Not to mention things like TTY Watcher, or simply modifying NT's RAS switch.inf......

Charles

At 07:45 PM 9/10/96 -0400, Gene Lee wrote:
>On Tuesday, September 10, 1996 11:01 AM, Bruce M.[SMTP:bkmarsh@feist.com] wrote:
>>On Tue, 10 Sep 1996, Nick Keenan wrote:
>>
>>> With a PC, you can't really say "The modem is set to answer at all times". The operating system doesn't control the modem -- application software does, and on a PC, that means the user has to start a program.
>>
>> A lot of modems have a toggle switch that will force the modem to automatically answer the phone. I am not aware of much that you could do by simply being connected to the modem without communications software running, but I would still try to prevent this from happening.
>
>If I were to try, I'd begin by writing a trojan or virus that would raise the DTR, send "ATS0=1" and do a "CTTY COM1:" (in the DOS world). Then I'd figure out how to do all of this without the user being aware of anything happening... Hmm....
>
>--
>Gene Lee
>genel@inforamp.net
>genelee@vnet.ibm.com
>
>
>

-----------------------------------------------------
Charles B. Ragan, Jr.
International Network Services
14160 Dallas Parkway Suite 200, Dallas, TX 75040
(214) 392-3545
Charles_Ragan@ins.com
Text Page - 1-800-INS-1-INS
Direct Page - 1-888-360-5812
Cisco Certified IE (CCIE), Master CNE, Microsoft SE, Certified Banyan Engineer
"Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Tue Sep 10 21:27:52 1996
From: Gene Lee
To: "'Firewalls@greatcircle.com'", "'Gene Lee'", "'Matthew Thompson'"
Subject: RE: Modem hacking
Date: Wed, 11 Sep 1996 00:06:09 -0400

On Wednesday, September 11, 1996 9:52 PM, Matthew Thompson[SMTP:mthomps1@kiwitech.co.nz] wrote:
>I thought it was unbinding Network client and server services from TCP/IP on the dial up adapter. This (Theoretically, wouldn't like to speculate on what other holes are left) means that your file sharing service is not listening for connections on this adapter.

I'm aware of this, but I'm wondering if you disable NetBIOS (or "Net-Boo-EE") bindings on your dial-up adapter, presumably these packets would still reach the kernel if they were encapsulated over IP? Something I have to try sometime...
Does anyone know off-hand?

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Tue Sep 10 21:28:13 1996
Date: Tue, 10 Sep 1996 13:37:06 -0400
To: Firewalls@GreatCircle.com
From: vin@shore.net (Vin McLellan)
Subject: Re: SecurID White Paper - A Comment
Cc: BUGTRAQ@netspace.org, mcn@EnGarde.com, frankw@in.net, peiterz@SECNET.COM, hobbit@avian.org, mudge@l0pht.com, adam@homeport.org

Any user community, and the vendor of any security product, is vastly served by talented critics, crackers, and customers who bang on a product relentlessly; analyze it in detail; and then sound trumpets to announce its weaknesses: real, theoretical, and mythical. Give us only the Grace to sort by these categories -- and a grip on context that can keep these reports in some earthly perspective -- and the typical sysadmin will require no more than her allotted budget for Maloxx and Pepcid AC. 'Course, that's sometimes easier said than done;-)

Authentication products -- one-time password (OTP) tokens in particular; and the popular ACE/SecurID system in specific -- have had the benefit of several articulate Cassandras over the past year.
In the IDS community, Mike Neuman, reputed to have created the first of the current generation of automated TCP session-hijack devices at Sandia a few years back, regularly scorches token authentication systems as generically insecure. Mr. Neuman argues, as he did again last week in a post to multiple mailing lists:

>It's trivial for an intruder to monitor the network, waiting for a user to
>legitimately authenticate themselves. Once authenticated, the intruder can
>hijack that user's connection and assume his credentials."

Session hijacking -- aka "active sniffing" or "TCP splicing" -- is "the most serious flaw in one-time password systems," proclaims Mr. Neuman.

(What Neuman means, I presume, is that TCP splicing can subvert the integrity and continuity, "hijack," any unencrypted TCP session... even one which has been initiated with strong authentication. Even with total control of the comm link, a bad guy can only block or snatch a two-factor OTP; he can never create one, and the best will timeout quickly.

(But then, the validity or integrity of two-factor authentication -- a token "held;" plus a password "known" -- is not really an issue for Mr. Neuman. He simply declares OTPs irrelevant if the TCP session they initialized can be taken over; the valid user cut off; and the bad guy left in control of an authenticated session with all the user's privileges. It's an intriguing POV... particularly from a vendor who sells a commercial session-hijack tool, IP-Watcher, to a hopefully restricted clientele.)

Over in the Firewalls community, Frank Willoughby of Fortified Networks -- bane of Firewall vendors rash enough to market products which do not yet offer user-to-firewall encryption -- has echoed Mr. Neuman, with a slightly more narrow focus. Last week, in a post to BoS, he declared:

|> Using SecurID (or Digital Pathways, S/Key, etc) is *lethal* if you are
|> planning on using it to authenticate users from the Internet who wish to
|> access a system on your internal network which is protected by the
|> firewall."

Both Neuman and Willoughby are bright guys and respected security mavens, but don't they sound like armchair generals who want to abolish the infantry because it can't defend against high-altitude bombing? Perhaps because they seek to challenge a still-pervasive illusion about the integrity of TCP/IP network connections, they tend to generalize a bit and toss the proverbial baby with the bathwater. They don't bother to acknowledge the limited purpose and function, or any independent value, of strong user authentication. (Encryption without strong authentication is also problematic, to say the least.) But then, Prophets with a Revelation are like that: single-minded;-)

These guys, and others who use similar rhetoric, sometimes get so caught up in their jeremiads that they ignore basic tradecraft. In Compsec, security is never absolute; both threats and defenses are always relative. Prudent CIOs invest in defenses against likely and serious threats -- not all known threats. We live with all manner of vulnerabilities which never become serious threats, like Unix viruses. Others -- like the risk of eavesdroppers snooping on network traffic -- become all but accepted; and relatively few sites feel the potential for loss justifies the solution (encryption.)

For any given environment, an assessment of current risks, and the need to invest in new security tech, are both CIO judgment calls. The cost of additional security is weighed against the perceived vulnerability and value of the data or system assets at risk. Firewalls without user/firewall crypto are not silly; two-factor authentication without crypto is not lethal. Each, properly configured, offers an effective tool to block an array of known and dangerous threats. At issue is whether the threat of TCP session hijacking now poses a danger of a magnitude which demands that a prudent administrator invest in link or application-level cryptography. For a growing number of sites and environments, the answer is clearly "yes." Yet, professionals who decide that this threat does not yet justify the expenditure necessary to block it do not deserve to be scorned as fools.

Risk-analysis is Security 101. How much insurance, at what cost? To protect against what scope of potential loss? Properly forging TCP packets, the essential skill for tcp-splicing, is still beyond the wannabes on Alt.2600. And to tap a telephone line -- the typical OTP app is a dial-in phone connection, through a communications server -- requires a wholly different level of criminal commitment than "sniffing" on a local LAN or Internet link to which one is already connected. (At least in the US, wiretapping is a federal felony, punishable by serious jail time.)

That said, I should point out that _all_ vendors of two-factor authentication systems "strongly recommend" encryption today as the natural complement to their OTP products for high-security installations.

The function of a security device is to raise the cost of an attack upon it -- in terms of time, money, equipment, specialized knowledge, and risk of criminal penalties -- so that it is no longer (compared to alternatives) an attractive or likely avenue of attack. As a class, OTP tokens do that for user authentication. Protecting the continuity, security, and confidentiality of a TCP network connection is a different task, which in many secure environments will (sooner rather than later) doubtless require an additional investment in crypto. Even crypto won't bring on Nirvana.

No security tool should be purchased with any illusion that it offers Total Security, of course; anyone who claims to sell TS is a bandit, and anyone who accepts such a claim is a fool. Such illusions can be dangerous, even (rarely;-) "lethal." No recent buyer of any of the six or seven commercial two-factor OTP systems is likely to be unaware of the distinction between user authentication and network integrity.

Up until three years ago, however, almost everyone presumed that a TCP session had internal integrity -- although we always knew that unencrypted network traffic promised no more confidentiality than a postcard. Cheap and omnipresent PC-based sniffers, often configured as "password grabbers," were then, as now, seen by CERT as the dominant threat to secure remote access over networks. The security community and their managers responded by investing in OTP tokens to both validate a remote user's identity to a high degree of certainty and to foil the pesky sniffer threat. (CERT even went proactive and recommended a switch to OTPs two years ago!)

But to the extent that anyone trusts a network, or trusts it to safeguard valuable data unencrypted, many of us assumed a confidence in the integrity of the TCP/IP infrastructure that was, in hindsight, rash. It was a comfortable illusion that survived even the abundant evidence of e-mail and source forgeries. Not everyone has yet escaped it -- despite the energy and enthusiasm with which Neuman, Willoughby, and many, many, others (me among them,) have beat the drums of warning.

The fundamental truth about the Vulnerable Network, circa 1996: The delay in providing full network encryption has left the Internet not only a "party line" (vulnerable to sundry eavesdroppers with low-tech "sniffers,") it has also left us wholly dependent upon a TCP/IP infrastructure which can not guarantee even the integrity or continuity of an ongoing user/host connection.

Like Isaiah and Obadiah, dismal Prophets of yore, Neuman and Willoughby took to their pulpits last week to comment on the publication of a "white paper" entitled "Weaknesses in SecurID," by "PeiterZ" . This document reports on recent research into the ACE/SecurID protocol by PieterZ and a group of loosely-associated TCP hackers including "Mudge," "*Hobbit," and the moderator of the SDAdmin mailing list, Adam Shostack. Such a report was widely anticipated because Mudge, the author of a devastating critique of the freeware s/key OTP protocol last year, had promised a similar deconstruction of SDTI's ACE/SecurID for this year.

For a ten-page "white paper" from the hacker elite, the PieterZ Paper was rather disappointing (or reassuring, as the case may be;-) In a widely cross-posted comment, Mike Neuman harrumphed:

> I appreciate the conclusion of the paper which finally does proclaim that
> SecurID (and other one-time password tokens) are extremely vulnerable.
> The vulnerabilities described seem to be overly esoteric, however."

Neuman complained that the over-arching reality of network insecurity -- session hijacking -- went "unmentioned" in the hackers' white paper. (Actually, it is mentioned, but only in passing... as if such an attack was too lacking in finesse, too basic and blunt, for such elite protocol mavens to waste time or text discussing;-)

SDTI, the vendor of the ACE/SecurID system, has posted a substantive commentary on the PieterZ Paper and its allegations, suggestions, and conclusions on their web site. (Look for Network Security Bulletin 2-897 at . The document, unsigned, is an analysis by Jim Kotanchik, SDTI's director of engineering.) With the lethargy of summer behind us, I also expect the issues raised will enjoy a full and energetic discussion on Adam Shostack's SDAdmin mailing list. (Enroll with a "subscribe sdadmin" message to ) I look forward to participating.

As the author of the SecurID FAQ, however, I'm surprised to find myself in agreement with Mike Neuman's summary judgment. "Overly esoteric" is just about right. This is a relatively harmless and fruitless exploration of the ACE protocol by some very smart guys who deduce or propose several potential attacks on the ACE system. Attacks which are blocked by various security features (documented or undocumented) in the current versions of SDTI's ACE/Server... or which seem extremely unlikely to succeed outside a software lab or a DefCon fantasy fest.

(My favorite PieterZ threat scenario is the suggestion that an attacker could time a phone call to a valid user -- then in the process of typing in a SecurID Passcode -- so as to interrupt his typing _precisely between the second-to-last and last digit of the Passcode_ in order to stall the user and delay the keystroke for the last digit of his SecurID Passcode.)

There is also, however, an impressive analysis of the ACE client/server protocol which uncovers an exotic vulnerability in the protocol's use of SDTI's F2 hash which could have been a real problem for the ACE/SecurID user community six months ago -- before SDTI fixed it with an undocumented tweak buried in both v1.3 and v2.2 upgrades to the ACE/Server. (ACE/Server 1.3 and 2.2 were free "mandatory upgrades," flagged for security concerns.) I've elsewhere credited Mudge with another intriguing idea, unattributed by PieterZ, for an unspecified attack which would physically or logically split a network into two sections and then isolate a working authentication server from its backup (slave,) in order to mimic to one what a valid user sends to the other.

Many of these threat scenarios have the problems endemic to theoretical attacks. They presume an uncommonly fragile network infrastructure (with, for instance, no redundancy in vital comm links.) They often presume an attacker has free rein to operate inside the target net and that the sysadmin is both dumb and blind. And they often presume that an attacker -- who has somehow brilliantly hacked his way deep into the target's control system -- will then turn around to screw up a security device like OTP access control or the firewall... rather than do something criminally productive (or even destructive) to the system assets being protected.

Session stealing remains a real or, at least, potential threat at most ACE/SecurID installations -- but I've never believed it is a realistic threat to the authentication function, per se. PieterZ, et al, do propose a class of attacks on a target system's access control and SecurID authentication, however, which use TCP splicing (the active intrusion of skillfully forged TCP packets directly into the authentication exchange, the essential art for TCP session hijacking) to bump the good guy off the Net -- after he has typed his Passcode, but before he has hit the carriage-return... while the bad guy (quickly) uses the sniffed SecurID Passcode to access the target system, masquerading as the valid user.

It is a valid attack, but even PieterZ acknowledged that if a bad guy can do all that he is using the same level of skill and knowledge -- the identical tools -- required to hijack an ongoing TCP session after a SecurID or strong authentication. So, the logical question: why would an attacker who effectively controls the network link choose not to go for the whole enchilada? When an ongoing TCP/IP session is hijacked -- from a user's point of view, the network connection is just dropped -- it would likely be shrugged off as one of the daily hassles of life on the Net. A just-completed OTP authentication call which collapses -- likely to be followed by a second SecurID authentication call which is wrongly rejected -- is far more likely to result in a complaint or warning to the sysadmin or security manager than the straightforward hijack.
Withal, an attack directly on the TCP session is less risky, more likely to succeed, and offers potentially greater access to a target system than messing with the TCP packets used in the OTP authentication process. As Willie Sutton might say: Where is the loot?

PeiterZ's "Weaknesses in SecurID" identifies some interesting issues -- several of which will doubtless need to be considered in future enhancements to various OTP protocols -- but (other than by subverting the TCP network) his torturous threat scenarios do not provide potential attackers with any practical methods for breaking into ACE/Server-protected systems. Peter Neuman and his ingenious automated tools for TCP splicing -- now potentially in the hands of sundry hackers, outlaws, or crooks -- remain (unfortunately) a threat of a different magnitude. To deal with that, we will all need network encryption... plus strong authentication.

Suerte,
_Vin

Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*>

From firewalls-owner Tue Sep 10 22:06:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA14303 for firewalls-outgoing; Tue, 10 Sep 1996 21:29:30 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA13856 for ; Tue, 10 Sep 1996 21:28:10 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id UAA05620; Tue, 10 Sep 1996 20:28:08 -0700
Received: from mcfeely.bsfs.org(204.91.13.34) by mycroft via smap (V1.3mjr) id sma005610; Tue Sep 10 20:27:27 1996
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA06109; Tue, 10 Sep 1996 22:20:36 -0400
Date: Tue, 10 Sep 1996 22:20:31 -0400 (EDT)
From: Rabid Wombat
To: Rob Sansom
cc: firewalls@GreatCircle.COM
Subject: Re: Routing when net is unreachable
In-Reply-To: <199609102359.QAA05059@apu.connectix.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are ALL routers using static routes, or do you have RIP running somewhere without reverse poison set?

- r.w.

From firewalls-owner Tue Sep 10 22:14:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA07593 for firewalls-outgoing; Tue, 10 Sep 1996 20:25:17 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA07572 for ; Tue, 10 Sep 1996 20:25:05 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA06082; Tue, 10 Sep 1996 22:17:09 -0400
Date: Tue, 10 Sep 1996 22:17:04 -0400 (EDT)
From: Rabid Wombat
To: craigw@dg.ce.com.au
cc: Nick Keenan , firewalls@GreatCircle.COM
Subject: Re: Modem hacking
In-Reply-To: <199609102308.JAA24169@mac.ce.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've had a similar problem at a site where users should have known better. Only certain individuals were allowed modems, and presumably they were savvy enough to understand the security risks. One (that we know of) wasn't: He configured Chameleon to route. Backdoor. Bad Thing(tm). We caught him at it because we started seeing packets that should not have been on the internal net, and they had his system's MAC address. He wasn't doing this maliciously, but was just experimenting with his new software that he bought at Egghead. ALL users lost their modems most ricky tic.

If you are serious about security, don't go out and spend $50,000 on a firewall package, system to run it on, time to set it up, and then leave modems plugged into everything, including the pump on the lobby fish tank. Set up a UNIX system on a bastion segment, and make users telnet through to this, log in, and then dial out, or set up an NCSI/NASI modem pool for users running Windoze (AFAIK, you still need IPX for this, but I haven't looked into it lately). You might get away with local modems at a small site, where you can keep an eye on everyone. At a large site, you'll have someone whose brother-in-law's neighbor tells him about this great PC Anywhere package, etc., and it'll be set up for dial-in before you know it. Users love to get around getting a "home" ISP account by connecting in to the office.

- r.w.

>
> as I said...there is a basic routing protocol.
> NT can be configured quite easily, 95 sux. but it is still routable
> (esp using some freeware available over the net), and dos/3.1/3.11
> while a REAL pain is also configurable.
>
> I can route traffic from a modem to the LAN to a WAN. I do it now,
> but outside the trusted network. If you want details on how to do
> this, with only the native OS, mail me personally
> (doshai@pip.com.au). The problem is that it is more of a
> nuisance...you need individual static routes for a lot of points. Very
> time consuming.
> most users will not know of the M$ route add command (a rip off of
> the Unix one, but some will).
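The detection Rabid Wombat describes (frames on the internal LAN whose IP addresses belong outside the site but whose Ethernet address belongs to an ordinary desktop) can be automated from a sniffer's output. The following is an added example, not code from the post or from any product; the internal prefixes, the firewall's MAC address and the capture records are constructed for illustration and would be replaced with the site's own.

```python
"""Added example, not code from Rabid Wombat's post: detection logic for the
symptom he describes, frames on the internal LAN whose IP addresses belong
outside the site but whose Ethernet address belongs to an ordinary desktop.
A PC routing (not masquerading) a dial-up link looks exactly like this.
The address ranges, gateway MAC and capture records are constructed."""
import ipaddress
from collections import defaultdict

# Assumed internal address space; substitute the site's real prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumed: the only MAC that may legitimately carry outside traffic, the firewall's inside NIC.
GATEWAY_MACS = {"00:00:0c:11:22:33"}

# Constructed sniffer records: (src_mac, dst_mac, src_ip, dst_ip)
CAPTURE = [
    ("00:00:0c:11:22:33", "00:a0:24:aa:bb:cc", "198.51.100.7", "10.1.2.3"),   # firewall -> host: fine
    ("00:a0:24:aa:bb:cc", "00:00:0c:11:22:33", "10.1.2.3", "198.51.100.7"),   # host -> firewall: fine
    ("00:a0:24:aa:bb:cc", "00:a0:24:00:00:09", "10.1.2.3", "10.1.2.9"),       # purely internal: fine
    ("00:a0:24:de:ad:01", "00:a0:24:aa:bb:cc", "203.0.113.5", "10.1.2.3"),    # desktop forwarding outside traffic in
    ("00:a0:24:de:ad:01", "00:a0:24:aa:bb:cc", "203.0.113.9", "10.1.2.3"),
    ("00:a0:24:aa:bb:cc", "00:a0:24:de:ad:01", "10.1.2.3", "203.0.113.5"),    # a host now replying via that desktop
    ("00:a0:24:de:ad:01", "00:a0:24:aa:bb:cc", "10.1.2.50", "10.1.2.3"),      # the desktop's own, normal traffic
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rogue_routers(capture, gateway_macs=GATEWAY_MACS):
    """Map each non-gateway MAC to the outside addresses it forwarded:
    'inbound' = outside source IPs that arrived with that MAC as sender,
    'outbound' = outside destination IPs that internal hosts sent to that MAC."""
    suspects = defaultdict(lambda: {"inbound": set(), "outbound": set()})
    for src_mac, dst_mac, src_ip, dst_ip in capture:
        if src_mac not in gateway_macs and not is_internal(src_ip):
            suspects[src_mac]["inbound"].add(src_ip)
        if dst_mac not in gateway_macs and not is_internal(dst_ip):
            suspects[dst_mac]["outbound"].add(dst_ip)
    return dict(suspects)


def report(capture):
    """One human-readable line per suspect MAC, for the on-call engineer."""
    return [f"{mac}: {len(h['inbound'])} outside source(s) forwarded in, "
            f"{len(h['outbound'])} outside destination(s) accepted out"
            for mac, h in sorted(find_rogue_routers(capture).items())]


if __name__ == "__main__":
    for line in report(CAPTURE):
        print(line)
```

Two caveats a practitioner would want. MAC attribution only works on the segment the sniffer sits on; past a router you see the router's address, so the capture has to be taken on each LAN. And a desktop that masquerades (NATs) its dial-up link instead of routing it never shows an outside source address on the LAN, so this check catches the routing case in the post but not the masquerading one; for that you are back to line inventories and the modem-pool controls the thread recommends.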
From firewalls-owner Tue Sep 10 23:29:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA24984 for firewalls-outgoing; Tue, 10 Sep 1996 23:15:25 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA24946 for ; Tue, 10 Sep 1996 23:15:10 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id XAA06471; Tue, 10 Sep 1996 23:14:19 -0700
Received: from ilex.fernuni-hagen.de(132.176.114.22) by mycroft via smap (V1.3mjr) id sma006469; Tue Sep 10 23:13:30 1996
Received: from poplar.fernuni-hagen.de by ilex.FernUni-Hagen.de with SMTP (PP); Wed, 11 Sep 1996 08:07:58 +0200
Message-ID: <323657A5.3C77@FernUni-Hagen.de>
Date: Wed, 11 Sep 1996 08:09:41 +0200
From: Rolf Riess
Organization: FernUniversitaet Hagen
X-Mailer: Mozilla 2.01Gold (Win95; I)
MIME-Version: 1.0
To: Mondira Deb
CC: Matt Hoving , firewalls@GreatCircle.COM
Subject: Re: Removal from Mail List and Digest List
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mondira Deb wrote:
>
> I would also like my name removed ..I have tried a number of times ..but
> without success ..Somebody put my name on this mailing list and I
> can't seem to get it removed ..My mailbox gets flooded with mails as a
> result ..Please remove my address from the digest and standard
> mailing list ..
>
> Mdeb.
>
> On Tue, 10 Sep 1996, Matt Hoving wrote:
>
> > I have tried to remove myself from the lists automatically but it hasn't
> > done the trick. Could you please remove my email address from the digest
> > and standard mailing list.
> >
> > Matt Hoving
> >
> > hoving@taunet.net.au
> > mapmark@taunet.net.au
> >

Me toooooooooo.....................
--
Rolf Riess                     Voice +49 2331 987 2866
FernUniversitaet Hagen         Fax   +49 2331 987 2720
Universitaetsrechenzentrum     EMail Rolf.Riess@FernUni-Hagen.de
Feithstrasse 140
D - 58084 Hagen

From firewalls-owner Wed Sep 11 03:59:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA10085 for firewalls-outgoing; Wed, 11 Sep 1996 03:45:49 -0700 (PDT)
Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.108]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA10075 for ; Wed, 11 Sep 1996 03:45:34 -0700 (PDT)
Received: from post.demon.co.uk ([(null)]) by relay-4.mail.demon.net id ai09546; 11 Sep 96 6:14 GMT
Received: from dowrmain.demon.co.uk ([158.152.123.251]) by relay-3.mail.demon.net id aa28805; 11 Sep 96 7:13 BST
Message-ID:
Date: Wed, 11 Sep 1996 07:08:31 +0100
To: firewalls@greatcircle.com
From: Ian Wade
Reply-To: Ian Wade
Subject: Re: Modem hacking
In-Reply-To:
MIME-Version: 1.0
X-Mailer: Turnpike Version 1.10
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article , Rabid Wombat writes
>
>Just make them use dial-in and dial-out systems located on a bastion
>segment, so you have control; terminal servers w/ authentication for
>dial-in, a small UNIX box w/ some modems for dial-out, or NCSI/NASI based
>comm server for dial-out if you're supporting primarily a PC environment.
>No backdoors to the desktop.
>

This is the *only* acceptable solution. You cannot trust *any* users at the desktop to act in a secure manner -- witness the widespread disregard for sensible password choice and security (writing passwords down on PostIt notes, sharing passwords with colleagues etc). The world is full of "experts" who "know" how to configure modems, and goodness knows what they get up to when management isn't looking.

For a secure environment, modem access can *only* be allowed under the control of security management; e.g. via a modem pool located in a locked room.
Ian
--
\|--------\|--------\|--------\| Ian Wade |\--------|\--------|\--------|\ | | | | http://www.netro.co.uk/nosintro.html | Netro | Press | (tm)| for all about KA9Q NOS.

From firewalls-owner Wed Sep 11 04:45:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA13082 for firewalls-outgoing; Wed, 11 Sep 1996 04:36:50 -0700 (PDT)
Received: from dde.dde.dk (dde.dde.dk [152.95.32.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA13025 for ; Wed, 11 Sep 1996 04:36:11 -0700 (PDT)
Received: by dde.dde.dk (5.61/9.3) id AA02162; Wed, 11 Sep 96 13:35:42 +0200
Received: from Knud.dde.dk by dde.dde.dk (5.61/9.3) with SMTP id AA24742; Wed, 11 Sep 96 13:35:42 +0200
Received: by Knud.dde.dk (4.1/9.7) id AA16864; Wed, 11 Sep 96 13:35:50 +0200
Message-Id: <9609111135.AA16864@Knud.dde.dk>
X-Mailer: exmh version 1.6.6 3/24/96
To: Firewalls@greatcircle.com, ipsec@tis.com
Subject: Re: SecurID White Paper - A Comment
In-Reply-To: vin's message of Tue, 10 Sep 1996 13:37:06 -0400.
Date: Wed, 11 Sep 1996 13:35:49 +0200
From: "Frederik H. Andersen"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Has anybody tried or considered implementing encrypted or secure-hashed TCP checksums of OTP-validated connections? This should prevent TCP connection hijacking with a minimum of per-packet overhead. The OTP validation phase should be enough for "synchronizing" the endpoints?

I heard somebody suggest this once but I've forgotten whom.

--
------------------------------------------------------------------
Frederik H.
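What Frederik Andersen asks about, a keyed hash over every segment, is easy to model, and the model also shows the one thing his message leaves open: where the key comes from. The following is an added example, not code from his message, from Vin McLellan's, or from any product. It assumes (and this is an assumption, not something the thread establishes) that both ends already hold a session key agreed out of the sniffer's view when the OTP login completed; a key derived from the passcode the sniffer just watched go by would protect nothing. The addresses, sequence numbers and commands are constructed, and the "endpoints" are a few dozen lines of Python, not a TCP stack.

```python
"""Added example, not from Frederik Andersen's message or any product: a keyed
MAC over each segment of a (simulated) TCP stream, the 'secure-hashed TCP
checksum' he asks about. ASSUMPTION: both ends hold a session key that was
agreed out of the sniffer's view when the OTP login completed; a key derived
from the transmitted passcode alone would be no secret at all. Not a TCP stack."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

MAC_LEN = 16  # truncated HMAC-SHA256; small enough to ride in a TCP option


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    payload: bytes
    mac: bytes = b""


def mac_for(key: bytes, seg: Segment) -> bytes:
    """Authenticate exactly the fields an injector has to get right: addresses,
    sequence numbers and data. Without the key, seeing them on the wire is useless."""
    covered = (socket.inet_aton(seg.src) + socket.inet_aton(seg.dst)
               + struct.pack("!II", seg.seq, seg.ack) + seg.payload)
    return hmac.new(key, covered, hashlib.sha256).digest()[:MAC_LEN]


class Endpoint:
    """One side of the stream: sends in sequence, accepts only in-sequence,
    correctly authenticated segments."""

    def __init__(self, addr: str, peer: str, key: bytes, isn: int, peer_isn: int):
        self.addr, self.peer, self.key = addr, peer, key
        self.snd_nxt, self.rcv_nxt = isn, peer_isn
        self.delivered = b""  # bytes handed up to the application

    def send(self, payload: bytes) -> Segment:
        seg = Segment(self.addr, self.peer, self.snd_nxt, self.rcv_nxt, payload)
        seg.mac = mac_for(self.key, seg)
        self.snd_nxt += len(payload)
        return seg

    def receive(self, seg: Segment, require_mac: bool = True) -> bool:
        if seg.dst != self.addr or seg.seq != self.rcv_nxt:
            return False  # ordinary TCP check: out of sequence
        if require_mac and not hmac.compare_digest(seg.mac, mac_for(self.key, seg)):
            return False  # forged or tampered: drop silently
        self.rcv_nxt += len(seg.payload)
        self.delivered += seg.payload
        return True


def hijack_demo(require_mac: bool):
    """A sniffer on the link learns addresses, seq and ack and injects a command
    as the authenticated user. Returns (bytes the server delivered, whether the
    real user's next segment was still accepted)."""
    key = hashlib.sha256(b"session key agreed at OTP login (assumed)").digest()
    client = Endpoint("192.0.2.10", "203.0.113.20", key, isn=1000, peer_isn=5000)
    server = Endpoint("203.0.113.20", "192.0.2.10", key, isn=5000, peer_isn=1000)

    server.receive(client.send(b"ls\n"), require_mac)  # legitimate traffic after login

    # Attacker has everything visible on the wire but not the key.
    forged = Segment("192.0.2.10", "203.0.113.20", server.rcv_nxt, client.rcv_nxt,
                     b"cat /etc/shadow\n", mac=b"\x00" * MAC_LEN)
    server.receive(forged, require_mac)

    # The real user types again; if the injection was accepted, TCP is now
    # desynchronised and the legitimate user is the one who gets cut off.
    user_still_in = server.receive(client.send(b"pwd\n"), require_mac)
    return server.delivered, user_still_in


if __name__ == "__main__":
    print("plain TCP:  ", hijack_demo(require_mac=False))
    print("keyed MAC:  ", hijack_demo(require_mac=True))
```

Without the MAC the injected command is delivered and the real user's next segment is rejected as out of sequence, which is exactly the "connection just dropped" that Vin McLellan says a hijacked user shrugs off. With it, the forged segment is discarded and the user's session continues. The per-packet cost is one HMAC; the per-connection cost, the part this model assumes away, is a key agreement bound to the OTP login. The same idea was later standardised as the TCP MD5 signature option (RFC 2385) and then TCP-AO (RFC 5925); note that it gives integrity and continuity only, the payload still crosses the wire in clear.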
Andersen                       Phone: +45 42 84 50 11
Dansk Data Elektronik A/S      Fax:   +45 42 84 52 20
Herlev Hovedgade 199           Email: fha@dde.dk (MIME accepted)
DK-2730 Herlev, DENMARK
------------------------------------------------------------------

From firewalls-owner Wed Sep 11 05:41:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA15522 for firewalls-outgoing; Wed, 11 Sep 1996 05:15:34 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA15501 for ; Wed, 11 Sep 1996 05:15:24 -0700 (PDT)
Received: from emailid90-pc.cisco.com ([171.68.41.109]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id FAA03364 for ; Wed, 11 Sep 1996 05:15:20 -0700
Message-Id: <2.2.32.19960911141015.00702a78@diablo.cisco.com>
X-Sender: clonvick@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 11 Sep 1996 07:10:15 -0700
To: firewalls@greatcircle.com
From: Chris Lonvick
Subject: Re: curios traceroute
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All,

A few days ago, I posted my explanation of why people were seeing the 10.x.x.x network listed in a traceroute. This was based upon an explanation that someone had told me about many years ago which was incorrect. My sincere thanks to everyone who gave me clues and pointers to the publicly available source code to traceroute.

>>Go to the ftp site at Lawrence Berkeley National Labs and you can get the
>>source and description of this clever little utility.

So, based upon that, here's the corrected reason that you can see 10.x.x.x addresses in a traceroute.

When you start a traceroute, your machine sends a packet towards the destination (IP source address of your machine, destination address of the target) with the TTL set at 1.
This packet dies on the first router which sends back (source address of itself, destination address of your machine) an ICMP time exceeded message. The program will see the source of this packet (router) and report that it is the first reachable point in the path towards the target. Your machine will then send the same packet with the TTL=2. The same stuff occurs until the TTL is high enough to go through the NAT.

Your machine still sends a packet which has the source IP address of your machine and the destination address of the target. However, when it goes through, the NAT will translate the destination IP address to a private internal address. The first router inside the NAT will know the path to send this packet, but will also notice that TTL has been exceeded and will destroy the packet. It will send back to you an ICMP time exceeded message with the source address of itself (in the 10.x.x.x network) and a destination of your machine.

Like I said before, RFC-1631 says:

    It is not entirely clear if the IP header information in the ICMP part of the body really need to be modified. This depends on whether or not any host code actually looks at this IP header information. Indeed, it may be useful to provide the exact header seen by the router or host that issued the ICMP message to aid in debugging. In any event, no modifications are needed for the Echo and Timestamp messages, and NAT should never need to handle a Redirect message. SNMP messages could be modified, but it is even more dubious than for ICMP messages that it will be necessary.

So this NAT has been programmed to let the source IP address (10.something) stay in the header as the ICMP packet goes back to your machine. Your machine reports that this router, in the 10.x.x.x network, is the next hop towards the target.

So, is it legal to get a traceroute reporting RFC-1918 addresses? Yes. Is there a route leak that is letting RFC-1918 route paths onto the Internet? No.
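The hop-by-hop exchange Chris Lonvick describes, as an added model that is not part of his post and not Cisco's or anyone's NAT code: each probe's TTL is decremented by every node, the NAT rewrites the destination of inbound probes but only un-rewrites replies whose source it has a mapping for, and an outside host has no route to RFC 1918 space at all. The path, the addresses and the single static NAT mapping are constructed for the example; the last function does from outside the check his closing paragraph recommends.

```python
"""Added example, not from Chris Lonvick's post: a model of the hop-by-hop
exchange he describes, to show why a NAT that rewrites the destination of the
probe but leaves an inside router's ICMP source alone puts 10.x.x.x hops in a
traceroute, and how to tell that from a real route leak. Addresses are constructed;
the NAT here holds a single static mapping, an assumption for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


@dataclass
class Node:
    addr: str                          # source address of any ICMP this node originates
    nat_public: Optional[str] = None   # on the NAT only: this public address ...
    nat_inside: Optional[str] = None   # ... is translated to this inside host

    def is_nat(self) -> bool:
        return self.nat_public is not None


# Constructed path: two ISP routers, the NAT box, two inside routers, the mapped host.
PATH = [Node("192.0.2.1"), Node("198.51.100.9"),
        Node("203.0.113.1", nat_public="203.0.113.10", nat_inside="10.0.0.5"),
        Node("10.0.0.1"), Node("10.0.0.2"), Node("10.0.0.5")]


def probe(path: List[Node], dst: str, ttl: int) -> Optional[str]:
    """One traceroute probe from outside. Returns the source address of the reply
    as the prober sees it, or None if the probe was dropped."""
    nat = None
    for node in path:
        if nat is None and is_private(dst):
            return None                   # outside routers have no route to RFC 1918 space
        if node.is_nat():
            nat = node
            if dst == node.nat_public:
                dst = node.nat_inside     # RFC 1631 NAT: rewrite the destination inbound
        ttl -= 1
        reply_src = None
        if ttl == 0:
            reply_src = node.addr         # ICMP time exceeded, from the node's own address
        elif node.addr == dst:
            reply_src = node.addr         # target reached: ICMP port unreachable
        if reply_src is not None:
            # Outbound, the NAT rewrites only the address it has a mapping for. An
            # inside router's ICMP keeps its 10.x source, which is what the post saw.
            if nat is not None and nat is not node and reply_src == nat.nat_inside:
                reply_src = nat.nat_public
            return reply_src
    return None


def traceroute(path: List[Node], dst: str, max_ttl: int = 30) -> List[str]:
    hops = []
    for ttl in range(1, max_ttl + 1):
        src = probe(path, dst, ttl)
        hops.append(src if src is not None else "*")
        if src == dst:
            break
    return hops


def explain_private_hops(path: List[Node], dst: str):
    """The check the post recommends, done from outside: if a private hop answers a
    direct probe, RFC 1918 routes really are leaking; if it does not, the address only
    appeared because the NAT left the ICMP source untouched."""
    verdicts = []
    for hop in traceroute(path, dst):
        if hop != "*" and is_private(hop):
            leaked = probe(path, hop, 64) is not None
            verdicts.append((hop, "ROUTE LEAK" if leaked else "behind NAT, not routable from here"))
    return verdicts


if __name__ == "__main__":
    for n, hop in enumerate(traceroute(PATH, "203.0.113.10"), 1):
        print(f"{n:2d}  {hop}")
    print(explain_private_hops(PATH, "203.0.113.10"))
```

The traceroute comes out as the two ISP routers, the NAT's own public address, then 10.0.0.1 and 10.0.0.2, and finally the public address of the target (its reply is from the one inside address the NAT does have a mapping for, so that one is rewritten). Probing 10.0.0.1 directly is dropped at the first hop, which is the distinction that matters: private addresses in ICMP sources are cosmetic, private prefixes in the global routing table are a leak.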
You can verify this, next time, by trying to ping or telnet to one of the routers that is identified in the traceroute.

Hope this helps and, again, thanks to everyone who took the time to give me a clue.

Thanks,
Chris Lonvick
Cisco Systems Consulting Engineering
+1-713-778-5663

From firewalls-owner Wed Sep 11 05:44:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16575 for firewalls-outgoing; Wed, 11 Sep 1996 05:38:02 -0700 (PDT)
Received: from dde.dde.dk (dde.dde.dk [152.95.32.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA16471 for ; Wed, 11 Sep 1996 05:35:46 -0700 (PDT)
Received: by dde.dde.dk (5.61/9.3) id AA06229; Wed, 11 Sep 96 14:34:55 +0200
Received: from Knud.dde.dk by dde.dde.dk (5.61/9.3) with SMTP id AA06269; Wed, 11 Sep 96 14:34:55 +0200
Received: by Knud.dde.dk (4.1/9.7) id AA21174; Wed, 11 Sep 96 14:35:03 +0200
Message-Id: <9609111235.AA21174@Knud.dde.dk>
X-Mailer: exmh version 1.6.6 3/24/96
To: Firewalls@greatcircle.com
Cc: Administrator@ccmailink.vsebav.com, ANDY_J._GASPARD@mail.orkand.com
Subject: Delivery replies from ccMail SMTPLINK???
Date: Wed, 11 Sep 1996 14:35:02 +0200
From: "Frederik H. Andersen"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Do you all get non-delivery notifications from ccMail SMTPLINK when you post something to the Firewalls list?

Shouldn't they go to Firewalls-request? Or what?
(Don't answer this all of you :-)

/Frederik

From firewalls-owner Wed Sep 11 06:42:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21605 for firewalls-outgoing; Wed, 11 Sep 1996 06:27:50 -0700 (PDT)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA21551 for ; Wed, 11 Sep 1996 06:27:35 -0700 (PDT)
Message-Id: <199609111327.GAA21551@miles.greatcircle.com>
Received: by hp01.vak12ed.edu (1.37.109.20/16.2) id AA172178610; Wed, 11 Sep 1996 09:30:11 -0400
From: "W.C. Epperson"
Subject: Re: Delivery replies from ccMail SMTPLINK???
To: fha@dde.dk
Date: Wed, 11 Sep 1996 9:30:10 EDT
Cc: firewalls@greatcircle.com
In-Reply-To: <9609111235.AA21174@Knud.dde.dk>; from "Frederik H. Andersen" at Sep 11, 96 2:35 pm
Reply-To: epperson@vak12ed.edu
X-Mailer: Elm [revision: 109.18]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Hi!
>
> Do you all get non-delivery notifications from ccMail SMTPLINK when you
> post something to the Firewalls list?
>
> Shouldn't they go to Firewalls-request? Or what?
>
> (Don't answer this all of you :-)
>

Which of us did you want to answer this?

The problem is that these sites are not RFC822 compliant. The "Sender" field mailbox should be sent notices of any problems in transport or delivery of the original messages. If there is no "Sender" field, then the "From" field mailbox should be used.

--
W.C. Epperson                  "I have great faith in fools.
Senior SE                       Self-confidence, my friends call it."
Information Security Officer             --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept.
of Education
epperson@pen.k12.va.us

From firewalls-owner Wed Sep 11 07:01:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22817 for firewalls-outgoing; Wed, 11 Sep 1996 06:51:25 -0700 (PDT)
Received: from wlbrk.coris.com (wlbrk.coris.com [204.149.56.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA22808 for ; Wed, 11 Sep 1996 06:51:15 -0700 (PDT)
From: dcrotteau@coris.com
Received: by wlbrk.coris.com; id IAA28465; Wed, 11 Sep 1996 08:51:17 -0500 (CDT)
Received: from imail.in.coris.com(162.27.111.157) by wlbrk.coris.com via smap (V3.1) id xma028442; Wed, 11 Sep 96 08:50:55 -0500
Received: from smtpm.in.coris.com by imail.in.coris.com (5.x/SMI-SVR4) id AA01121; Wed, 11 Sep 1996 08:50:54 -0500
Received: from ccMail by smtpm.in.coris.com (IMA Internet Exchange 2.01 Enterprise) id 236C34A0; Wed, 11 Sep 96 08:48:58 -0500
Mime-Version: 1.0
Date: Wed, 11 Sep 1996 08:41:36 -0500
Message-Id: <236C34A0.1753@smtpm.in.coris.com>
Subject: remove
To: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

remove

From firewalls-owner Wed Sep 11 08:06:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA28150 for firewalls-outgoing; Wed, 11 Sep 1996 07:50:39 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA28111 for ; Wed, 11 Sep 1996 07:50:18 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id JAA09030; Wed, 11 Sep 1996 09:50:09 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma016661; Wed Sep 11 09:42:36 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP
From: peter@baileynm.com (Peter da Silva)
Date: Wed, 11 Sep 1996 09:42:35 -0500 (CDT)
To: ianwade@netro.co.uk
Cc: firewalls@GreatCircle.COM
Subject: Re: Modem hacking
In-Reply-To: from "Ian Wade" at Sep 11, 96 07:08:31 am

> For a secure environment, modem access can *only* be allowed under the
> control of security management; e.g. via a modem pool located in a
> locked room.

That won't give you a secure environment.

You do that and the next thing you know your user's got his PC set up to
connect to the modem pool and running twinsock or slirp or some damnfool
IP tunneling hack and you've got another backdoor.

From firewalls-owner Wed Sep 11 08:15:03 1996
From: Dennis Kavanaugh
Date: Wed, 11 Sep 1996 07:52:57 -0700
To: "'Firewalls@GreatCircle.com'"
Subject: S/Key vulnerabilities
Vin McLellan [SMTP:vin@shore.net] mentioned that there was a paper
published on s/key vulnerabilities some time last year. Does anyone have a
current link to that paper?

Dennis Kavanaugh
Principal Security Consultant
Infrastructure Support - Internet/Intranet Security

From firewalls-owner Wed Sep 11 08:29:52 1996
From: Mike Stoico
Date: Wed, 11 Sep 1996 11:20:21 -0400
To: firewalls@Greatcircle.com
Subject: smap

Where can I get a copy of the smap package?

=========================================================================
Mike Stoico, I/S Security Consultant    *  Phone:  (518)285-2567
MetLife                                 *  Fax:    (518)285-2542
500 Jordan Rd                           *  E-Mail: mstoico@metlife.com
Troy, NY 12180                          *  URL:    www.metlife.com
=========================================================================
The opinions expressed here are my own and may not be those of my employer.
=========================================================================

From firewalls-owner Wed Sep 11 08:44:58 1996
From: "W.C. Epperson"
Reply-To: epperson@vak12ed.edu
Date: Wed, 11 Sep 1996 11:30:38 EDT
To: firewalls@greatcircle.com
Subject: Re: SecurID White Paper - A Comment
In-Reply-To: from "Vin McLellan" at Sep 10, 96 1:37 pm

Vin may have written:

[a lot of very eloquent stuff snipped]

> Peter Neuman and his ingenious automated tools for TCP splicing --
> now potentially in the hands of sundry hackers, outlaws, or crooks --
> remain (unfortunately) a threat of a different magnitude. To deal with
> that, we will all need network encryption... plus strong authentication.

Thanks for, as usual, a thorough and well stated commentary.

I've always felt that the worthless-without-encryption debate was analogous
to the arguments about car alarms without kill switches (or vice versa).
Maybe your requirements call for one, the other, or both. They do different
things. Bundling may not be the appropriate solution for everyone.

Of course, if what you're protecting is valuable enough to warrant both
strong authentication and high-end encryption, then you should be sure to
pay your security d00d at least, say, $200K, lest he become the cheapest
means of subverting your systems. ;)

Now, back to trying to figure out what The Privacy Guild is....

-- W.C.
Epperson
Senior SE
Information Security Officer
Curmudgeon-for-Life
Virginia Dept. of Education

    "But that is exactly what I have been saying, you fool...."
                                          --Inspector Clouseau--

From firewalls-owner Wed Sep 11 08:56:16 1996
From: Adam Shostack
Date: Wed, 11 Sep 1996 09:39:42 -0500 (EST)
To: Joseph.Cupano@ey.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Lotus Notes Security
In-Reply-To: <0014500005125969000002*@MHS> from "Joseph.Cupano@ey.com" at Sep 9, 96 04:05:46 pm

This makes the very broad assumption that Notes access control mechanisms
all work perfectly, and that there are no bugs in the Notes servers, such as
buffer overflows.

A true Notes Firewall would understand the protocol, take requests from one
side, possibly authenticate them*, and ensure the requests are protocol
compliant before passing them through. You don't want a complete Notes
environment on the machine; it's too big.

* You might want to require authentication at the firewall, although that's
a lot of extra CPU work for the public key based mutual authentication.
Authorization at the firewall requires the firewall to have an understanding
of the database structure, which to my mind is too much potential for
information leakage.

(Also, Notes (v4.0 I think; it was a while ago) does not seem to enforce
good passphrase requirements. This may be site configurable.)
Adam

Joseph.Cupano@ey.com wrote:
| Efficient and effective Notes firewall design is best served by
| understanding the Notes environment. Notes is a complex application with
| granularity of access control from Server/Database/Document down to
| Field level.
|
| At the application-level, Notes provides the most granularity of control.
| So much so that when you try to firewall two networks that include Notes,
| the network layer is your weakest link.
|
| In this scenario you have a Notes Firewall (pass-thru server) in parallel
| with the traditional firewall. The Notes Firewall would be a dual NIC (IP
| Forwarding disabled) on an NT or UNIX box. Security mechanisms within
| Notes would be utilized. (Client encryption, Pub/Priv key authentication,
| minimized version of Notes NAB on NFW.) No replication or additional
| database management is necessary except defining access limitations among
| the existing internal servers/databases.
|
| The NFW is a true application-level firewall, Notes being the application.
| Yes, you are trusting the security mechanisms (and local implementations.)
| In some firewall implementations, are we not trusting FTP data transfers?
|
| RISK
| The risk is equivalent in both scenarios, the management and administration
| have only been simplified. For someone to successfully attack a Notes
| environment they need a copy of your ID file (stored locally) and know
| your password.
|
| OUTSIDE OF SCOPE
| This scenario excludes the Domino or Notes 4.5 environments. 4.5 provides
| mechanisms for anonymous access and Domino permits basic authentication
| via HTTP.

--
"It is seldom that liberty of any kind is lost all at once."
                                                                  -Hume

From firewalls-owner Wed Sep 11 09:03:35 1996
From: Dennis Kavanaugh
Date: Wed, 11 Sep 1996 08:01:04 -0700
To: "'Firewalls@GreatCircle.COM'"
Subject: User/Firewall encryption and OTP through a terminal server

I think I want to use an OTP to get through a terminal server to a
firewall, where the session will then be encrypted. However, I want the
user to perform the dialup/authenticate/encrypt setup in one pass; that
is, only one prompt for challenge/response et al, then connect right
through if everything is okay. The client might be PC/wfw, PC/win95, or
Mac.

I have been told that you MUST authenticate at the terminal server to
keep hackers from attacking your authenticated users from the terminal
server through an open dialin port.
However, it seems that the OTP challenge would necessarily have to be
separate from the setup for the encryption, therefore requiring more than
the one step that I desire.

Am I missing something, or has this already been solved? If so, by whom,
and how?

Thanks,

Dennis Kavanaugh
Principal Security Consultant
Infrastructure Support - Internet/Intranet Security

From firewalls-owner Wed Sep 11 09:40:38 1996
From: Frederick M Avolio
Date: Wed, 11 Sep 1996 12:16:45 -0400
To: Mike Stoico, firewalls@GreatCircle.COM
Subject: Re: smap

It is part of the TIS Internet Firewall Toolkit. See our web page --
http://www.tis.com -- or our ftp site. Read the readme file in
/pub/firewalls/toolkit. It is licensed, but freely available software, not
for commercial use.

Fred

At 11:20 AM 9/11/96 -0400, Mike Stoico wrote:
>Where can I get a copy of the smap package?
From firewalls-owner Wed Sep 11 10:12:57 1996
From: nkeenan@gsionline.com (Nick Keenan)
Date: Wed, 11 Sep 1996 12:42:29 -0400
To: peter@baileynm.com (Peter da Silva)
Cc: firewalls@greatcircle.com
Subject: Re: Modem hacking

>> For a secure environment, modem access can *only* be allowed under the
>> control of security management; e.g. via a modem pool located in a
>> locked room.
>
>That won't give you a secure environment.
>
>You do that and the next thing you know your user's got his PC set up to
>connect to the modem pool and running twinsock or slirp or some damnfool
>IP tunneling hack and you've got another backdoor.

Or even worse -- Dial Up Networking under Windows 95!
From firewalls-owner Wed Sep 11 10:14:20 1996
From: lazear@gateway.mitre.org
Date: Wed, 11 Sep 96 12:46:24 -0400
To: firewalls-digest@greatcircle.com, lazear@gateway.mitre.org
Subject: SQL through firewall

Although we'd love to wait for the Gauntlet proxy for SQL, it will come too
late for one customer. So, is there a way to get SQL through a FWTK firewall
using "plug-gw"? How about using a Cisco router and access lists? How
flexible are the protocols under SQL in terms of port numbers used or
usable?

Thanks for any help.
	Walt

From firewalls-owner Wed Sep 11 10:29:19 1996
From: Michael Dillon
Organization: Memra Software Inc. - Internet consulting
Date: Wed, 11 Sep 1996 09:43:07 -0700 (PDT)
To: firewalls@greatcircle.com
Subject: SYN floods continue (fwd)

A major New York ISP has been severely attacked by SYN floods with random
spoofed source addresses since last Friday or so. When these attacks occur,
they are basically shut down. And tracking them back to source requires each
provider to track it back one router at a time.

Anybody have any good ideas on how this can be tracked back faster or how
you can prevent a SYN flood from shutting you down?

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

---------- Forwarded message ----------
Date: Wed, 11 Sep 1996 05:58:02 -0400 (EDT)
From: Alexis Rosen
To: nanog@merit.edu
Subject: SYN floods continue

We got hit again tonight. This time on seven different machines- three mail
hosts, two news machines, our web site, and VTW's web site (we provide all
service for VTW).

I am simply amazed that anyone would attack VTW. Even the shmuck who's
attacking us benefits from VTW's work.
Why would anyone attack them?

Anyway. Point is this: We can't take too much more of this, nor can our
customers. I have yet to hear *anyone* come up with any ideas even remotely
reasonable for how to deal with this situation, long term, except for the
filtering that Avi, Perry, and I have been promoting these last few days.
Whether or not existing equipment can handle the job is *IRRELEVANT*. If it
won't, new equipment must be bought. The net won't survive without it.

(And yes, I've been hearing "death of the net" predictions for longer than
most readers of this list have been on the net. This could really be it.)

/a

From firewalls-owner Wed Sep 11 10:44:33 1996
From: Mike Stoico
Date: Wed, 11 Sep 1996 13:17:40 -0400
To: einar@sdata.no (Einar Landre)
Cc: firewalls@Greatcircle.com
Subject: Re: smap

thanks to everyone for the help!

Mike

At 07:13 PM 9/11/96 +0200, you wrote:
>
>Try ftp.tis.com or www.tis.com. It's part of TIS FWTK.
>
>Einar
>------------------------------------------------------
>Einar Landre                E-mail: einar.landre@sdata.no
>Manager Network Group,
>Consultant Department
>Skrivervik Data AS
>
>Business: Skrivervik Data AS, Post Box 3885
>          Ullevaal Hageby, N-0805 Oslo, Norway
>Phone:    +47 22 18 58 27   Fax: +47 22 18 59 98
>Mobile:   +47 905 94 154
>
>> From: Mike Stoico
>> Subject: smap
>>
>> Where can I get a copy of the smap package?
>

=========================================================================
Mike Stoico, I/S Security Consultant    *  Phone:  (518)285-2567
MetLife                                 *  Fax:    (518)285-2542
500 Jordan Rd                           *  E-Mail: mstoico@metlife.com
Troy, NY 12180                          *  URL:    www.metlife.com
=========================================================================
The opinions expressed here are my own and may not be those of my employer.
=========================================================================

From firewalls-owner Wed Sep 11 11:15:27 1996
From: Joseph.Cupano@EY.COM
Date: Wed, 11 Sep 1996 12:54:49 -0400
To: adam@homeport.org
Cc: firewalls@GreatCircle.COM
Subject: Re: Lotus Notes Security

>This makes the very broad assumption that Notes access control
>mechanisms all work perfectly, and that there are no bugs in the notes
>servers, such as buffer overflows.

Yes, the "Utopia" is that the Notes ACLs have been configured properly by
the Db administrators. Bugs are a moot point. It is a given that bugs will
be encountered with anything, followed by the patch, then the patch for the
patch.

BTW, if I did not already preface, my discussion was limited to the Notes
4.X platform.

>A true Notes Firewall would understand the protocol, take requests
>from one side, possibly authenticate them*, and ensure the requests
>are protocol compliant before passing them through. You don't want a
>complete Notes environment on the machine; it's too big.
At the network layer, Notes client/server authentication is pub/priv key
based with the inclusion of network encryption. A mark better than SSL ..
IMHO. So your communication across the Internet is, for all intents and
purposes, encrypted.

The Notes firewall is a dual-homed Notes Server (pass-thru) server. (I wish
they would use a name other than pass-thru.) After you have been
authenticated by the Notes Firewall, it makes connections on your behalf to
Notes Servers on the private side. These proxy requests include all the
granularity of security Notes is noted (pun) for. Notes Servers on the
private side that should not accept requests from the Firewall server can
have it explicitly mentioned in the Server ACL.

This makes the Notes Firewall an excellent application-level firewall.
Unfortunately the only application supported is Notes.

>* You might want to require authentication at the firewall, although
>that's a lot of extra CPU work for the public key based mutual
>authentication. Authorization at the firewall requires the firewall
>to have an understanding of the database structure, which to my mind
>is too much potential for information leakage.

To me that's "reinventing the wheel" when a Notes Firewall implementation
will do that for you. The granularity of database security in Notes goes
from server/database/document/field level.

Firewall administrators thus far have been implementing dual Notes Servers
(one on either side of the firewall) and opening a port on the Firewall to
permit replication. A network-layer centric approach when today's more
common threats are at the application-script level (Java, etc.)

>(Also, Notes (v4.0 I think; it was a while ago) does not seem to
>enforce good passphrase requirements. This may be site configurable.)

PassPhrase? If I understand you correctly it is a configurable item.

Thanks for the feedback, Adam. Like I mentioned in my previous message,
Domino and Notes 4.5 are a separate issue.
IMHO Web integration into Notes makes Notes a less secure environment
(SSL / ACL arbitration, support for anonymous access, etc.)

Regards,
Joe

From firewalls-owner Wed Sep 11 11:30:54 1996
From: "Louis T. Chmielewski"
Organization: Franchise World Headquarters Inc.
Date: Wed, 11 Sep 1996 13:41:26 -0400
To: Dennis Kavanaugh
CC: "'Firewalls@GreatCircle.com'"
Subject: Re: S/Key vulnerabilities

Dennis Kavanaugh wrote:
>
> Vin McLellan [SMTP:vin@shore.net] mentioned that there was a paper
> published on s/key vulnerabilities some time last year. Does anyone have
> a current link to that paper?
>
> Dennis Kavanaugh

I am also interested in a paper published about s/key vulnerabilities.

c'ya
Lou

--
Louis T.
Chmielewski
Security Manager/DBA
Franchise World Headquarters
(203)877-4281 x1128

From firewalls-owner Wed Sep 11 11:44:56 1996
From: "Louis T. Chmielewski"
Organization: Franchise World Headquarters Inc.
Date: Wed, 11 Sep 1996 13:57:51 -0400
To: firewalls@greatcircle.com
Subject: How secure is Bay Networks Annex 6100...

Hello all,

We are looking at using a Bay Networks Annex 6100 to allow end-users
throughout the country in our organization to connect to a Windows NT
machine running Netscape Enterprise Server 2.0 on the internal network. The
plan is to use a T1 into the Annex 6100 which will give us 24 lines (64Kb
per) of access to the 'Intranet' Web Server.

My question is: Does the Annex 6100 Access Control Program(s) do the
equivalent job of a 'firewall'? Or do we need to put a 'firewall' in place
too?

Essentially, the connection we will have with the Annex 6100 will be a
direct connection, so we're not so worried about 'tunnelling' the data, but
authentication is a major concern. We want to go with a 'secure' method of
connecting to the 'Intranet' Web Server.

Thanks in advance for your input.

c'ya
Lou

--
Louis T.
Chmielewski
Security Manager/DBA
Franchise World Headquarters
(203)877-4281 x1128

From firewalls-owner Wed Sep 11 12:48:13 1996
From: "Crandall, John"
Date: Wed, 11 Sep 1996 12:55:54 -0500
To: "'firewalls-digest@greatcircle.com'", "'lazear@gateway.mitre.org'"
Subject: RE: SQL through firewall

Sure, I do that here and it works just fine. Just plug 1521 or 1523
(whichever version of SQL*Net you are using). I use it to do cgi queries
from our web server in the DMZ to an Oracle database inside the firewall.

>----------
>From: lazear@gateway.mitre.org[SMTP:lazear@gateway.mitre.org]
>Sent: Wednesday, September 11, 1996 11:46 AM
>To: firewalls-digest@greatcircle.com; lazear@gateway.mitre.org
>Subject: SQL through firewall
>
>Although we'd love to wait for the Gauntlet proxy for SQL,
>it will come too late for one customer. So, is there a way
>to get SQL through a FWTK firewall using "plug-gw"? How about
>using a Cisco router and access lists? How flexible are the
>protocols under SQL in terms of port numbers used or usable?
>Thanks for any help.
>
>	Walt
>

From firewalls-owner Wed Sep 11 12:52:25 1996
From: "Donna O'Connell"
Date: 11 Sep 96 15:16:55
To: firewalls
Subject: -No Subject-

I am currently working on a project that may require management of servers
on the untrusted side of the firewall to servers on the trusted side of the
firewall. I am currently looking for ideas to do this securely. Is anyone
currently managing their web servers from their internal network?

Thanks,
Donna O'Connell

From firewalls-owner Wed Sep 11 13:23:01 1996
(5.x/SMI-SVR4) id AA00465; Wed, 11 Sep 1996 15:41:36 -0400 From: hsingh@nymt.reuter.com (Hardayal Singh) Message-Id: <9609111941.AA00465@titan.reuter.> Subject: telnet proxy To: firewalls@greatcircle.com Date: Wed, 11 Sep 1996 15:41:35 -0400 (EDT) X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk HI, Looks, my first one was a not in English ... Well here is another try ....... ________________________-- What we have is a server running on a mach1 that writes to port1 on mach1 . The result is displayed as a stream of formatted on the screen, which issued the below command. telnet mach1 port1 (from any machine within the network) (1) What I want is to write something that will run on a machine say mach_A and be as , Code|Script mach2 port2 -------(2) mach2 is an intermediate machine that will act as a buffer machine between mach1 and mach_A. Now the Code|Script in (2) should work such that it should get the same data as obtained from (1) but now coming from mach2 and port2. ______________________________________________________ Diagram --------- mach1 (port1) | | | mach2 (port2) | (port1) | | Any_machine (port1) (port2) -------------- TO EXPLAIN IT ONCE AGAIN: We get DATA by telnet mach1 port1 (THis is run from Any_machine) (1) What I want is to Code|Script mach2 port2 (This is also to run from Any_machine) (2) This Code|Script should rsh to mach2 and repeat command (1) and display the data to the screen on Any_machine. ANy wild or domestic inputs who have done this sort of thing or any other available pointers. 
hs From firewalls-owner Wed Sep 11 13:35:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA23779 for firewalls-outgoing; Wed, 11 Sep 1996 11:54:07 -0700 (PDT) Received: from pa0016c1.kpmg.com (pa0016c1.kpmg.com [199.207.255.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA23735 for ; Wed, 11 Sep 1996 11:53:43 -0700 (PDT) From: kenng@kpmg.com Received: by pa0016c1.kpmg.com; id OAA25191; Wed, 11 Sep 1996 14:53:36 -0400 Received: from unknown(199.207.255.11) by pa0016c1.kpmg.com via smap (V3.1) id xma025030; Wed, 11 Sep 96 14:53:10 -0400 Received: from ccMail by mailgate6.kpmg.com (SMTPLINK V2.11.01) id AA842480069; Wed, 11 Sep 96 15:00:42 EST Date: Wed, 11 Sep 96 15:00:42 EST Message-Id: <9608118424.AA842480069@mailgate6.kpmg.com> To: firewalls-digest@greatcircle.com, lazear@gateway.mitre.org Subject: Re: SQL through firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Doesn't Gauntlet 3.2 come with a Sybase SQL proxy? ______________________________ Reply Separator _________________________________ Subject: SQL through firewall Author: lazear@gateway.mitre.org at internet Date: 9/11/96 12:46 PM Although we'd love to wait for the Guantlet proxy for SQL, it will come too late for one customer. So, is there a way to get SQL through a FWTK firewall using "plug-gw"? How about using a Cisco router and access lists? How flexible are the protocols under SQL in terms of port humbers used or usable? Thanks for any help. 
Walt From firewalls-owner Wed Sep 11 13:57:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA03669 for firewalls-outgoing; Wed, 11 Sep 1996 13:23:04 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA03582 for ; Wed, 11 Sep 1996 13:22:31 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA08115; Wed, 11 Sep 1996 13:24:09 -0700 Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA25305; Wed, 11 Sep 96 13:22:38 PDT Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA10525; Wed, 11 Sep 1996 13:22:32 -0700 Message-Id: <9609112022.AA10525@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 00ED0A3038A4AFD5882563A2006E7C9A; Wed, 11 Sep 96 13:22:32 EDT To: firewalls From: Ryan Russell/SYBASE Date: 11 Sep 96 13:24:33 EDT Subject: Re: SYN floods continue (fwd) X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Geez, that's nasty. If the attacker is doing a good enough job of using truly random, legal source addresses, they will have to track through every router, as you said. Hopefully there aren't too many hops between them and the attacker. If the attacker isn't being so carefull about randomness, you might be able to take advantage of some patterns (i.e. ask the most likely ISPs to look for traffic from a,b and c to d) I wish them luck. If you hear the final resolution, I'd love to know. Ryan ---------- Previous Message ---------- To: firewalls cc: From: michael @ memra.com (Michael Dillon) @ smtp Date: 09/11/96 09:43:07 AM Subject: SYN floods continue (fwd) A major New York ISP has been severely attacked by SYN floods with random spoofed source addresses since las Friday or so. 
When these attacks occur, they are basically shut down. And tracking them back to source requires each provider to track it back one router at a time. Anybody have any good ideas on how this can be tracked back faster or how you can prevent a SYN flood from shutting you down? Michael Dillon - ISP & Internet Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com ---------- Forwarded message ---------- Date: Wed, 11 Sep 1996 05:58:02 -0400 (EDT) From: Alexis Rosen To: nanog@merit.edu Subject: SYN floods continue We got hit again tonight. This time on seven different machines- three mail hosts, two news machines, our web site, and VTW's web site (we provide all service for VTW). I am simply amazed that anyone would attack VTW. Even the shmuck who's attacking us benefits from VTW's work. Why would anyone attack them? Anyway. Point is this: We can't take too much more of this, nor can our customers. I have yet to hear *anyone* come up with any ideas even remotely reasonable for how to deal with this situation, long term, except for the filtering that Avi, Perry, and I have been promoting these last few days. Whether or not existing equipment can handle the job is *IRRELEVANT*. If it won't, new equipment must be bought. The net won't survive without it. (And yes, I've been hearing "death of the net" predictions for longer than most readers of this list have been on the net. This could really be it.) 
/a From firewalls-owner Wed Sep 11 14:20:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA25183 for firewalls-outgoing; Wed, 11 Sep 1996 12:07:33 -0700 (PDT) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA25161 for ; Wed, 11 Sep 1996 12:07:22 -0700 (PDT) Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA26646; Wed, 11 Sep 96 14:13:05 CDT Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA19926; Wed, 11 Sep 96 14:06:05 CDT Date: Wed, 11 Sep 96 14:06:05 CDT From: amolitor@anubis.network.com (Andrew Molitor) Message-Id: <9609111906.AA19926@anubis.network.com> To: firewalls@greatcircle.com, michael@memra.com Subject: Re: SYN floods continue (fwd) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk With fine NSC routers all over the place, one could insert a RR option into all the SYN packets flowing through them. The enclosed filter fragment will insert a RR option capable of recording the first 7 routers after this one that the packet goes through. It won't work on all our stuff, and (realistically) is enclosed for reference only. I can dream, though, eh? A little additional checking could be added to make it hard or impossible to spoof this by inserting your own RR option at the source. Basically, if you're deploying this, you strip out options on packets arriving from 'little leaf nodes that might be bad guys' before you add yours in. It would be relatively trivial to add this to, say, the freely available IP filtering in Linux. The performance hit in the core routers would only be taken for SYN packets, which are some modest percentage (less that 10?) of all packets. They'd feel it, but would probably not topple right over. 
With this option present, the problem or tracing it back to the source begins to look like backtracing usenet headers -- it's not easy, but it often/usually provides some useful information. It also would require lots of co-operation among ISPs. Andrew filter syn_tracking not ip_protocol in (6) break; # Get outta here if it's not TCP not ip_fo in (0) break; # or if the header's not here not tl_byte (13) mask 0x02 in (0x02) break; # if SYN not set, get out ip_option_present 0x07 break; # Get out if RR option already here # Otherwise insert a 7 hop RR option. stamp_option 0x071f0400000000000000000000000000000000000000000000000000000000; end From firewalls-owner Wed Sep 11 14:22:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24343 for firewalls-outgoing; Wed, 11 Sep 1996 11:59:01 -0700 (PDT) Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [193.100.176.38]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA24336 for ; Wed, 11 Sep 1996 11:58:36 -0700 (PDT) Received: by mail.ruhrgebiet.individual.net (8.7.1/8.6.12) with UUCP id UAA04810; Wed, 11 Sep 1996 20:03:41 +0200 (MET DST) Received: from sigsegv.local.net (sigsegv.local.net [192.168.122.75]) by devnull.local.net (8.6.12/8.6.9) with ESMTP id PAA01299; Wed, 11 Sep 1996 15:17:38 +0200 Received: (from benedikt@localhost) by sigsegv.local.net (8.6.12/8.6.9) id PAA01927; Wed, 11 Sep 1996 15:25:30 +0200 To: peter@baileynm.com, firewalls@GreatCircle.COM Subject: Re: Modem hacking References: <9609101535.AA29423@sonic.nmti.com.nmti.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit From: Benedikt Stockebrand Date: 11 Sep 1996 15:25:29 +0200 In-Reply-To: peter@baileynm.com's message of Tue, 10 Sep 1996 10:35:49 -0500 (CDT) Message-ID: Lines: 53 X-Mailer: Gnus v5.3/Emacs 19.31 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk peter@baileynm.com (Peter da Silva) writes: > > Just tell the employees that it is 
untolerable to hook up a modem without > > authorization just like it would be untolerable to use company money for > > personal purchases without authorization. > > And for the cases where they *do* have authorization? > > This doesn't solve the problem of supporting dial-out where there's a real > business need. If you need to support modems you've got a lot of decisions to make, including: - Do you need Dial-in access? - Do you need Dial-out access? - Which services are needed? - Which users need access? - Can you possibly deny all users direct access to the modem server (like if you just want to allow customers do download stuff)? - Do the modems need to be hooked up to some user machine or can you get away with a dedicated modem server under your immediate control? - Do you have to place that modem server inside your trusted network or can you put it inside your DMZ? - How much money can you get for additional hardware, and what hardware can you already use for this? (Getting a dial-out only PBX and/or a drop-safe loghost for the modem server may depend on this.) There are only two things you should stick to universally: Be as paranoid as possible (as usual when dealing with fire) and make sure that any user who gets access to the modems knows that he's petting a very dangerous beast (which may be a hard bit of work). If possible, make them sign some kind of acknowledgment. Everything else depends on your specific requirements, so your question can't be answered in a general way. > (we simply run digital-only lines to offices unless there's a business need > for a second analog line) Not sure if we're talking about the same stuff, but at least in Europe you can get ISDN cards for less than (the equivalent of) US$ 65. So long, Ben -- Ben(edikt)? Stockebrand Runaway ping.de Admin---Never Ever Trust Old Friends My name and email address are not to be added to any list used for advertising purposes. 
Any sender of unsolicited advertisement e-mail to this address im- plicitly agrees to pay a DM 500 fee to the recipient for proofreading services. From firewalls-owner Wed Sep 11 15:06:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA14990 for firewalls-outgoing; Wed, 11 Sep 1996 14:49:01 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA14894 for ; Wed, 11 Sep 1996 14:48:34 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id OAA10306; Wed, 11 Sep 1996 14:47:44 -0700 Received: from gw.nnsy.navy.mil(199.208.213.35) by mycroft via smap (V1.3mjr) id sma010299; Wed Sep 11 14:47:20 1996 Received: by nnsy.navy.mil; id RAA13371; Wed, 11 Sep 1996 17:40:52 -0400 Received: from nnsaimhp.nnsy.navy.mil(157.141.205.12) by gw.nnsy.navy.mil via smap (V3.1.1) id xma013367; Wed, 11 Sep 96 17:40:35 -0400 Received: from nnsy_ns00.nnsy.navy.mil by nnsaimhp with SMTP (1.37.109.4/16.2) id AA24095; Wed, 11 Sep 96 17:51:33 -0400 Received: by nnsy_ns00.nnsy.navy.mil; Wed, 11 Sep 96 17:43:58 EDT Date: Wed, 11 Sep 96 17:43:34 EDT Message-Id: X-Priority: 3 (Normal) To: From: (Tony Geddie) Subject: ...no subject... X-Incognito-Sn: 909 X-Incognito-Format: VERSION=2.01a ENCRYPTED=NO Sender: firewalls-owner@GreatCircle.COM Precedence: bulk please send info on subscribing to the mailing list. 
Thanx From firewalls-owner Wed Sep 11 15:29:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18351 for firewalls-outgoing; Wed, 11 Sep 1996 15:16:13 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA18300 for ; Wed, 11 Sep 1996 15:15:57 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id PAA15165; Wed, 11 Sep 1996 15:15:48 -0700 Date: Wed, 11 Sep 1996 15:15:48 -0700 (PDT) From: Robert Hanson To: Andrew Molitor cc: firewalls@GreatCircle.COM Subject: Re: SYN floods continue (fwd) In-Reply-To: <9609111906.AA19926@anubis.network.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk please excuse my lack of research on the overall subject of SYN. where do we go to get "educated" besides here. www or list? now... logically speaking... isnt there some integral part of a syn flood or syn this or that that is "detectable" and therefor "blockable" or that it will allow some "logic" to be coded to prevent full scale "bombing"? in this syn function, what is so "necessary" about it that a machine must "answer" to it good or bad? please help us all understand.. i know it happens to me... i see it happen, and i think ive effectively traced it... yet i dont know what ive found... know what i mean? aka im trying to discover the properties of what i have "accidentally" stumbled upon... thank you. ---> Robert H. Hanson LAN/WAN Consultant - Internet Service Provider Otis Orchards, Wa. Cutting Edge Communications www.cet.com (509) 927-9541 finger: info@cet.com or email: roberth@cet.com On Wed, 11 Sep 1996, Andrew Molitor wrote: > With fine NSC routers all over the place, one could insert a > RR option into all the SYN packets flowing through them. 
The enclosed > filter fragment will insert a RR option capable of recording the > first 7 routers after this one that the packet goes through. It won't > work on all our stuff, and (realistically) is enclosed for reference only. > I can dream, though, eh? > > A little additional checking could be added to make it hard or > impossible to spoof this by inserting your own RR option at the source. > Basically, if you're deploying this, you strip out options on packets > arriving from 'little leaf nodes that might be bad guys' before you add > yours in. > > It would be relatively trivial to add this to, say, the freely > available IP filtering in Linux. The performance hit in the core routers > would only be taken for SYN packets, which are some modest percentage > (less that 10?) of all packets. They'd feel it, but would probably not > topple right over. > > With this option present, the problem or tracing it back to the > source begins to look like backtracing usenet headers -- it's not easy, > but it often/usually provides some useful information. It also would > require lots of co-operation among ISPs. > > Andrew > > filter syn_tracking > not ip_protocol in (6) break; # Get outta here if it's not TCP > not ip_fo in (0) break; # or if the header's not here > not tl_byte (13) mask 0x02 in (0x02) break; # if SYN not set, get out > ip_option_present 0x07 break; # Get out if RR option already here > > # Otherwise insert a 7 hop RR option. 
> stamp_option > 0x071f0400000000000000000000000000000000000000000000000000000000; > end > From firewalls-owner Wed Sep 11 18:38:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA04023 for firewalls-outgoing; Wed, 11 Sep 1996 18:16:07 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA03929 for ; Wed, 11 Sep 1996 18:15:32 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id UAA01868; Wed, 11 Sep 1996 20:07:46 -0400 Date: Wed, 11 Sep 1996 20:07:41 -0400 (EDT) From: Rabid Wombat To: inter cc: "David J. Taylor" , Steve Conner , Jesse , "firewalls@GreatCircle.COM" Subject: RE: FreeBSD Firewall Package In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 10 Sep 1996, inter wrote: > > > On Mon, 9 Sep 1996, David J. Taylor wrote: > > > That's fine as long as you have 24x7 surveillance. But having logs = > > showing an address doesn't give you much comfort if the intruder came = > > in, did the damage and left before anyone could detect and stop him. I = > > would submit that prevention is still the best medicine. > > > > > > ---------- > > From: inter[SMTP:inter@blue.misnet.com] > > Sent: Monday, September 09, 1996 1:50 PM > > To: Steve Conner > > Cc: Jesse; firewalls@GreatCircle.COM > > Subject: Re: FreeBSD Firewall Package > > > > > > > sure it is but it is when you don't have security enuf to prevent > attackers then you don't have anyhting. Say you have a firewall.. still > some sites are 'able' to come in. Well then .. iwthout proper logs you > will have no clue where the attack came from and you have no clue what > they have done. Logs(security) plays hand in hand with prevention. > However Firwalls do not count out someone who is DETERMINED to get into a > system. period. 
> With logs, you have a better chance of finding someone who is looking around for weaknesses, and hopefully be able to spot their activity before they spot something they can exploit. In a wide open environment, someone may easily get in and do the damage before your logs are of use. If you are doing a fair job of hardening the target, however, you (hopefully) increase the time the intruder spends looking for weaknesses, and increase your chances of spotting something in the logs before the intruder has hurt you. Good security is not a matter of deploying a single solution; having a bank-vault style front door will not keep someone from crawling in through a window. However, if you do all the little things well, and harden the target, you increase the effectiveness of the alarm system - logs in this case. Just my $.02 - r.w. From firewalls-owner Wed Sep 11 18:44:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA03542 for firewalls-outgoing; Wed, 11 Sep 1996 18:12:23 -0700 (PDT) Received: from citadel.evolving.com (citadel.evolving.com [198.202.204.162]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA03527 for ; Wed, 11 Sep 1996 18:12:12 -0700 (PDT) Received: from valiant.evolving.com (valiant.evolving.com [198.202.204.66]) by citadel.evolving.com (8.6.12/8.6.9) with ESMTP id TAA10777 for ; Wed, 11 Sep 1996 19:12:10 -0600 Received: from thepound.evolving.com (thepound.evolving.com [192.124.159.19]) by valiant.evolving.com (8.6.12/8.6.9) with ESMTP id TAA11592; Wed, 11 Sep 1996 19:12:09 -0600 Received: (from rtruitt@localhost) by thepound.evolving.com (8.6.12/8.6.12) id TAA06372; Wed, 11 Sep 1996 19:11:43 -0600 Date: Wed, 11 Sep 1996 19:11:43 -0600 From: Todd Truitt Message-Id: <199609120111.TAA06372@thepound.evolving.com> To: firewalls@GreatCircle.com Subject: Re: SYN floods Cc: Todd.Truitt@evolving.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 
quoted-printable Content-MD5: I2h6DlxXBzIg784GIN5Q2w== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Robert-- > > please excuse my lack of research on the overall subject of SYN. > > where do we go to get "educated" besides here. www or list? Comer: "Internetworking w/ TCP/IP" > > now... > > logically speaking... isnt there some integral part of a syn flood or = syn > this or that that is "detectable" and therefor "blockable" or that it = will > allow some "logic" to be coded to prevent full scale "bombing"? > I believe it was stated that this SYN flood came from IP packets with the "Source Route" option set. There should be a packet filter routine which will drop ALL packets with *any* options triggered. Since, typically speaking, the only reason that the IP options are used are to debug or cause trouble, this might be the safest approach for a firewall. > in this syn function, what is so "necessary" about it that a machine = must > "answer" to it good or bad? > It is necessary...if you want TCP to work. When TCP is passed a segment to "carry", it (TCP on host a) establishes a connection with the other (host b) host's transport layer using a "three-way handshake". A SYN is sent over the connection to synchronize sequence numbers (x), which is replied to by hostb with it's own SYN, call it SYN-b, which contains another sequence number as well as host a's sequence number+1 (SYN-b =3D y, x+1) which initiates an ACK from host a as well as the begining of the data stream. I agree with Andrew regarding the needed cooperation from other ISPs in debugging this one. My advice for step 1 is to get the last hop from a lower layer and contact the administrator for that domain. Hasta, --Todd _________________________________________________________________________= ____ R. Todd Truitt Todd.Truitt@evolving.com=09 Evolving Systems, Inc.=20 _____________________________________________________________________________ R. 
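The handshake Todd describes, with the half-open queue it implies, as an added toy model in Python (not code from the list): each SYN costs host b a SYN_RCVD entry that is freed only by the client's ACK of y+1, by a RST from the real owner of a spoofed address (Bernd's point elsewhere in the thread), or by the SYN timeout (the knob Paul Robertson mentions). It assumes whole-second ticks, a 1 s RTT, and worst-case ordering (spoofed SYNs before legitimate ones within a second); the addresses are constructed.

```python
# Added example, not code from the list: a toy model of the TCP listen queue.
# Each SYN costs host b a SYN_RCVD entry, answered with (seq y, ack x+1); the
# entry is freed only by the client's ACK of y+1, by a RST from the real owner
# of a spoofed address, or by the SYN timeout.  Assumptions: whole-second
# ticks, a 1 s RTT, spoofed SYNs processed before legitimate ones each second.
import random
from dataclasses import dataclass


def next_seq(n):
    return (n + 1) & 0xFFFFFFFF


@dataclass
class HalfOpen:
    peer_seq: int   # x: the initial sequence number the client sent
    our_seq: int    # y: the ISN we put in our SYN-ACK
    born: int       # second the SYN arrived


class ListenQueue:
    def __init__(self, backlog, syn_timeout, seed=1):
        self.backlog, self.syn_timeout = backlog, syn_timeout
        self.pending = {}        # (addr, port) -> HalfOpen: the SYN_RCVD sockets
        self.established = 0
        self.dropped_full = 0
        self.rng = random.Random(seed)

    def expire(self, now):
        """Reap SYN_RCVD entries older than the timeout; returns how many."""
        stale = [p for p, h in self.pending.items() if now - h.born >= self.syn_timeout]
        for p in stale:
            del self.pending[p]
        return len(stale)

    def on_syn(self, now, peer, x):
        """Return (seq, ack) of our SYN-ACK, or None when the backlog is full."""
        self.expire(now)
        if len(self.pending) >= self.backlog:
            self.dropped_full += 1
            return None
        y = self.rng.getrandbits(32)
        self.pending[peer] = HalfOpen(x, y, now)
        return (y, next_seq(x))

    def on_ack(self, now, peer, ack):
        """Third packet of the handshake: it must acknowledge y+1 for this peer."""
        h = self.pending.get(peer)
        if h is None or ack != next_seq(h.our_seq):
            return False
        del self.pending[peer]
        self.established += 1
        return True

    def on_rst(self, peer):
        """A live host that never sent the SYN answers our SYN-ACK with a RST."""
        return self.pending.pop(peer, None) is not None


def simulate(backlog, syn_timeout, spoofed_per_sec, real_per_sec, seconds,
             live_fraction=0.0, seed=7):
    """Flood one listener.  Spoofed SYNs are never ACKed; a live_fraction of
    them hit real hosts that RST one RTT later.  Legitimate clients (constructed
    address 192.0.2.10) ACK one RTT later.  Returns (established, attempts)."""
    rng = random.Random(seed)
    q = ListenQueue(backlog, syn_timeout, seed)
    due = []                 # (second, kind, peer, ack): replies still in flight
    attempts = 0

    def deliver(now):
        nonlocal due
        for _, kind, peer, ack in [d for d in due if d[0] == now]:
            if kind == "ACK":
                q.on_ack(now, peer, ack)
            else:
                q.on_rst(peer)
        due = [d for d in due if d[0] > now]

    for now in range(seconds):
        deliver(now)
        for _ in range(spoofed_per_sec):
            peer = ("10.%d.%d.%d" % tuple(rng.randrange(256) for _ in range(3)),
                    rng.randrange(1024, 65536))
            if q.on_syn(now, peer, rng.getrandbits(32)) and rng.random() < live_fraction:
                due.append((now + 1, "RST", peer, 0))
        for _ in range(real_per_sec):
            attempts += 1
            peer = ("192.0.2.10", 40000 + attempts)
            reply = q.on_syn(now, peer, rng.getrandbits(32))
            if reply:
                due.append((now + 1, "ACK", peer, next_seq(reply[0])))
    deliver(seconds)         # let the last second's replies land
    return q.established, attempts


if __name__ == "__main__":
    print("backlog 5:", simulate(5, 75, 3, 2, 20), "with RSTs:", simulate(5, 75, 3, 2, 20, live_fraction=1.0))
    print("backlog 1024:", simulate(1024, 75, 3, 2, 20))
```

With the old default backlog of 5 and a 75 s timeout, three spoofed SYNs a second are enough to lock out two legitimate clients a second for the whole run; RSTs from live hosts or a much larger backlog let every legitimate connection through.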
Todd Truitt Todd.Truitt@evolving.com Evolving Systems, Inc. From firewalls-owner Wed Sep 11 19:14:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06060 for firewalls-outgoing; Wed, 11 Sep 1996 18:42:25 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA06040 for ; Wed, 11 Sep 1996 18:42:06 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id SAA11747; Wed, 11 Sep 1996 18:41:15 -0700 Received: from sapa.inka.de(193.197.84.6) by mycroft via smap (V1.3mjr) id sma011745; Wed Sep 11 18:40:25 1996 Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Thu, 12 Sep 96 03:38 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 12 Sep 96 03:38 MET DST Received: by lina id m0v10ca-0004k6C (Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 12 Sep 96 03:31 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: SYN floods continue (fwd) To: roberth@cet.com (Robert Hanson) Date: Thu, 12 Sep 1996 03:31:11 +0200 (MET DST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Robert Hanson" at Sep 11, 96 05:44:12 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > how do we fix zillions of machines from a "red flag" situation. or at > least the ones we care about... is this not "logical"... There are 2 fixes. The first is very simple: Every ISP has ppl to do the work. Within a few hours every SYN attack should be backtraceable, especially if one can expect it and prepare to it. Every ISP only needs the phone number of the person on the upstream isp which is providing the trace service. 
Additionally Tools like Argus can be used at ISPs to log the Traffic and bad conditions with source. Geenrally this is a political Fix which can be supported by Filtering and all kind of time consuming and expensive work. The other fix is to deveop a new protocol which is beeter suited for communication in an hostile environment. This is IPv6 or IPsec. Currently the is no real fix to SYN attacks. There are a few good attempts like reverse-resolving of addresses, wrap around listen-backlogs instead of fill up queues. At least systems can be enhanced to WARN about SYN Attacks. With some things like Wrap-Around queues one can at least enhance the amount of bandwith needed for a syn attack. But you can nerver gurantee operation forr servicers which are connected to the open internet. Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/ o--o *plush* 2048/A2C51749 eckes@irc +4972573817 *plush* (O____O) If privacy is outlawed only Outlaws have privacy From firewalls-owner Wed Sep 11 19:23:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA02041 for firewalls-outgoing; Wed, 11 Sep 1996 17:49:14 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA00332 for ; Wed, 11 Sep 1996 17:28:57 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA10955; Wed, 11 Sep 1996 16:42:00 -0700 Received: from allison.clark.net(168.143.0.3) by mycroft via smap (V1.3mjr) id sma010949; Wed Sep 11 16:41:36 1996 Received: from clark.net (proberts@clark.net [168.143.0.7]) by allison.clark.net (8.6.12/8.6.5) with ESMTP id TAA27644; Wed, 11 Sep 1996 19:42:15 -0400 Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id TAA24247; Wed, 11 Sep 1996 19:42:14 -0400 (EDT) X-Authentication-Warning: 
clark.net: proberts owned process doing -bs Date: Wed, 11 Sep 1996 19:42:14 -0400 (EDT) From: "Paul D. Robertson" To: Robert Hanson cc: firewalls@GreatCircle.COM Subject: Re: SYN floods continue (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 11 Sep 1996, Robert Hanson wrote: > please excuse my lack of research on the overall subject of SYN. > > where do we go to get "educated" besides here. www or list? For this particular issue, comp.protocols.tcp-ip would probably be the most appropriate venue. > > now... > > logically speaking... isnt there some integral part of a syn flood or syn > this or that that is "detectable" and therefor "blockable" or that it will > allow some "logic" to be coded to prevent full scale "bombing"? No. You can detect that you've been flooded, and are being flooded, but you can't really stop a malicious flood without dropping the ability for users to connect. You can reduce timeouts for sockets in SYN_RCVD state, make your buffers very large, increase SO_MAXCONN, and listen queues to very, very large values, and you may be able to make the resources necessary to SYN flood you some, but you can't stop it. I've also seen programs to kill SYN_RCVD sockets for SunOS and/or Solaris somewhere. If you drop the values too low, you will deny service to legitimate users on slow lines. IF ISPs and NSPs would disallow traffic that doesn't originate on their networks from their gateways, this would be almost a moot issue. > > in this syn function, what is so "necessary" about it that a machine must > "answer" to it good or bad? It initiates a TCP connection. If you block it, you block connections. If you don't know how TCP works, I'd recommend W. Richard Stevens' TCP/IP Illustrated Volume 1. > > please help us all understand.. i know it happens to me... i see it > happen, and i think ive effectively traced it... 
yet i dont know what ive > found... > > know what i mean? aka im trying to discover the properties of what i have > "accidentally" stumbled upon... > > thank you. > > ---> > Robert H. Hanson LAN/WAN Consultant - Internet Service Provider > Otis Orchards, Wa. Cutting Edge Communications www.cet.com > (509) 927-9541 finger: info@cet.com or email: roberth@cet.com > > > > On Wed, 11 Sep 1996, Andrew Molitor wrote: > > > With fine NSC routers all over the place, one could insert a > > RR option into all the SYN packets flowing through them. The enclosed > > filter fragment will insert a RR option capable of recording the > > first 7 routers after this one that the packet goes through. It won't > > work on all our stuff, and (realistically) is enclosed for reference only. > > I can dream, though, eh? > > > > A little additional checking could be added to make it hard or > > impossible to spoof this by inserting your own RR option at the source. > > Basically, if you're deploying this, you strip out options on packets > > arriving from 'little leaf nodes that might be bad guys' before you add > > yours in. > > > > It would be relatively trivial to add this to, say, the freely > > available IP filtering in Linux. The performance hit in the core routers > > would only be taken for SYN packets, which are some modest percentage > > (less that 10?) of all packets. They'd feel it, but would probably not > > topple right over. > > > > With this option present, the problem or tracing it back to the > > source begins to look like backtracing usenet headers -- it's not easy, > > but it often/usually provides some useful information. It also would > > require lots of co-operation among ISPs. 
> > > > Andrew > > > > filter syn_tracking > > not ip_protocol in (6) break; # Get outta here if it's not TCP > > not ip_fo in (0) break; # or if the header's not here > > not tl_byte (13) mask 0x02 in (0x02) break; # if SYN not set, get out > > ip_option_present 0x07 break; # Get out if RR option already here > > > > # Otherwise insert a 7 hop RR option. > > stamp_option > > 0x071f0400000000000000000000000000000000000000000000000000000000; > > end > > > > ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Wed Sep 11 19:35:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA01830 for firewalls-outgoing; Wed, 11 Sep 1996 17:45:15 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA01638 for ; Wed, 11 Sep 1996 17:44:24 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id RAA19201; Wed, 11 Sep 1996 17:44:13 -0700 Date: Wed, 11 Sep 1996 17:44:12 -0700 (PDT) From: Robert Hanson To: Bernd Eckenfels cc: firewalls@GreatCircle.COM Subject: Re: SYN floods continue (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hmmmm.... i know this code and functionality has been here for years... so it is modifiable or "fixable" based upon scenario... im not as "quick" a hack as i used to be yet i was always able to brute force an algo and then refine. so... and not that this hasnt been thought of before... how do we fix zillions of machines from a "red flag" situation. or at least the ones we care about... is this not "logical"... im not so stupid that i dont understand what you just wrote... 
im just ignorant to the "facts" as to what has been done previously to mentor a solution to what appears to me as a "boundary value problem"... too much is typically bad and is at an outer boundary... ie not within normal levels based upon performance of a machine with multiple services being offered....

how much does bandwidth affect SYN attacks... quite a bit im guessing...

--->
Robert H. Hanson LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa. Cutting Edge Communications www.cet.com
(509) 927-9541 finger: info@cet.com or email: roberth@cet.com

On Thu, 12 Sep 1996, Bernd Eckenfels wrote:

> Hi,
>
> > logically speaking... isnt there some integral part of a syn flood or syn
> > this or that that is "detectable" and therefor "blockable" or that it will
> > allow some "logic" to be coded to prevent full scale "bombing"?
>
> No:
>
> SYN is the first packet received from the remote host if he wants to
> establish a TCP connection. You normally answer with an Acknowledgement.
> This Acknowledgement needs to be Acknowledged again to consider the
> connection established. As long as the second ACK isn't received the kernel
> has to wait for it. If you don't get an ACK you can't distinguish a SYN Bomb
> from a slow delayed ack. Therefore you can't expire pending SYNs too fast,
> cause that would block Connections from slow networks. You can't block SYN
> requests by source, cause the source is fakeable without problem. And you
> can't block too many syn requests, cause you are unable to tell which syn
> request is a valid connection and which not.
>
> The only chance you have in SYN flooding is that an existing host will send
> a RST packet if it receives an ACK for a not established connection. This RST
> will clean the pending socket before the Timeout occurs and will free
> Resources on the Attacked Host faster.
>
> > in this syn function, what is so "necessary" about it that a machine must
> > "answer" to it good or bad?
>
> If you don't answer you won't get any connections. This is exactly the damage
> the offending sender wants to achieve.
>
> Greetings
> Bernd
>

From firewalls-owner Wed Sep 11 19:40:03 1996
From: Paul Ferguson
To: Robert Hanson
Cc: firewalls@GreatCircle.COM
Date: Wed, 11 Sep 1996 19:45:16 -0400
Subject: Re: SYN floods continue (fwd)

Briefly, what has been happening is an attacker has been targeting specific ISP's with sequential TCP SYN probes which originate from consistently changing, random, and sometimes unreachable source addresses and port numbers. As mjr says, in a nutshell, you just blow the target away by sending them a wad of SYN packets, the kernel allocates a gob of memory for new TCP sessions, and then chokes and croaks.

The increase in instances of this type of attack is due to the attack method being described in 'PHRACK', an underground magazine.
In any event, this is an opportune time to remind everyone to encourage MD5 route authentication between BGP peers for the purpose of securing Internet gateways from being fed bogus routing information.

For more background, this topic has been discussed in some detail on the NANOG [North American Network Operator's Group] mailing list. The list archives are located at:

http://www.merit.edu/mail.archives/html/nanog/

For a detailed description of the TCP SYN denial of service attack and IP spoofing, see:

http://www.fc.net/phrack/files/p48/p48-13.html
http://www.fc.net/phrack/files/p48/p48-14.html

Also, Steve Bellovin at AT&T has written a couple of technical security papers which discuss similar attacks in more detail:

ftp://ftp.research.att.com/dist/internet_security/117.ps.Z
ftp://ftp.research.att.com/dist/internet_security/ipext.ps.Z

- paul

At 03:15 PM 9/11/96 -0700, Robert Hanson wrote:
>please excuse my lack of research on the overall subject of SYN.
>
>where do we go to get "educated" besides here. www or list?
>
>now...
>
>logically speaking... isnt there some integral part of a syn flood or syn
>this or that that is "detectable" and therefor "blockable" or that it will
>allow some "logic" to be coded to prevent full scale "bombing"?
>
>in this syn function, what is so "necessary" about it that a machine must
>"answer" to it good or bad?
>
>please help us all understand.. i know it happens to me... i see it
>happen, and i think ive effectively traced it... yet i dont know what ive
>found...
>
>know what i mean? aka im trying to discover the properties of what i have
>"accidentally" stumbled upon...
>
>thank you.
>
>--->
>Robert H. Hanson LAN/WAN Consultant - Internet Service Provider
>Otis Orchards, Wa. Cutting Edge Communications www.cet.com
>(509) 927-9541 finger: info@cet.com or email: roberth@cet.com
>

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
Cisco Systems

From firewalls-owner Wed Sep 11 20:30:19 1996
From: Todd Truitt
To: roberth@cet.net
Cc: firewalls@GreatCircle.com, amolitor@anubis.network.com
Date: Wed, 11 Sep 1996 18:34:25 -0600
Subject: Re: SYN floods continue

Robert--

>
> please excuse my lack of research on the overall subject of SYN.
>
> where do we go to get "educated" besides here. www or list?

Comer: "Internetworking w/ TCP/IP"

>
> now...
>
> logically speaking... isnt there some integral part of a syn flood or syn
> this or that that is "detectable" and therefor "blockable" or that it will
> allow some "logic" to be coded to prevent full scale "bombing"?
>

I believe it was stated that this SYN flood came from IP packets with the "Source Route" option set. There should be a packet filter routine which will drop ALL packets with *any* options triggered.
Since, typically speaking, the only reason that the IP options are used is to debug or cause trouble, this might be the safest approach for a firewall.

> in this syn function, what is so "necessary" about it that a machine must
> "answer" to it good or bad?
>

It is necessary...if you want TCP to work. When TCP is passed a segment to "carry", it (TCP on host a) establishes a connection with the other (host b) host's transport layer using a "three-way handshake". A SYN is sent over the connection to synchronize sequence numbers (x), which is replied to by host b with its own SYN, call it SYN-b, which contains another sequence number as well as host a's sequence number+1 (SYN-b = y, x+1), which initiates an ACK from host a as well as the beginning of the data stream.

I agree with Andrew regarding the needed cooperation from other ISPs in debugging this one. My advice for step 1 is to get the last hop from a lower layer and contact the administrator for that domain.

Hasta,

--Todd
_____________________________________________________________________________
R. Todd Truitt                                        Todd.Truitt@evolving.com
Evolving Systems, Inc.
From firewalls-owner Wed Sep 11 20:37:19 1996
From: Aydin Edguer
To: firewalls@GreatCircle.COM
Cc: dcrotteau@coris.com, andrew@cnsii.com, pcecilio@ldc.com.br, ace@star.elim.net, bobh@Homer.starledger.com, tsianta@cornelius.cc.vanderbilt.edu, xwang02@mailbox.syr.edu, mmccurdy@mail.sdsu.edu, hoving@taunet.net.au
Date: Wed, 11 Sep 1996 11:08:06 -0400 (EDT)
Subject: *STOP* sending unsubscription requests to the list

In the last few days there have been a flurry of unsubscription requests sent to the mailing list. In an effort to reduce the future number on this or other lists you subscribe to, please keep the following in mind. To those of you who are already familiar with the information, please forgive the capitalizations and noise.

#1 - *NEVER* send mailing list administration questions (subscribe, unsubscribe) to the mailing list. The other people on the mailing list cannot change your status and all you will do is annoy them.

#2 - *ALWAYS* keep the message that you received when you subscribed to the list that describes how to unsubscribe.
#3 - If you encounter a problem when unsubscribing, *CAREFULLY* read the full text of the error message you receive. It will frequently give you additional steps you can take to resolve the problem. Remember, most mailing list management software requires the command to be in the body of the message, not the "Subject:" line.

#4 - If you continue to have problems automatically unsubscribing, send the *full and unedited* header lines from a mail message you received from the list along with your request to be removed from the list to the list manager, *NEVER* the list. The manager can generally be reached as "listname-request", where "listname" is replaced by the name of the list, e.g. "firewalls-request". Some mailing lists use different request addresses (such as "listserv" or "majordomo"), but they are generally noted in the initial subscription request and the "-request" address is usually aliased to the name. The reason for including the header lines is that you may be on a separate mailing list "exploder" and not directly subscribed to the mailing list, and the header lines will help point to the real list to which you are "subscribed".

#5 - *TRY* to be patient. When sending electronic mail to the manager, please keep in mind that it must be handled by a person. This person is frequently a very busy person, who may even take vacations from time to time.

#6 - If you are not having success reaching the list manager at the "-request" address, you may try reaching the "postmaster" for the site. In some cases, this will be the same as the list manager, but it is the one address that the electronic mail standards require for hosts receiving Internet mail.

#7 - If you continue to have problems, contact your system or site administrator or other local resource (user group, Internet Access Provider) or try using the phone to contact the Technical Contact for the site which hosts the mailing list. You can usually find the technical contact using the "whois" command.
Do *NOT* send e-mail to the list.

The following are from the instructions that are included at the bottom of each Firewalls-Digest message:

  To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM":

      unsubscribe firewalls-digest

  If you want to subscribe or unsubscribe an address other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to unsubscribe "local-firewalls":

      unsubscribe firewalls-digest local-firewalls@your.domain.net

  A non-digest (direct mail) version of this list is also available; to unsubscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

In addition to the "firewalls-request" and "majordomo" addresses, you can also try the "Firewalls-Owner" or "Majordomo-Owner" e-mail addresses, if you are having problems removing yourself from the list.

From firewalls-owner Wed Sep 11 21:04:05 1996
From: Geoff Mulligan
To: roberth@cet.com
Cc: amolitor@anubis.network.com, firewalls@GreatCircle.COM
Date: Wed, 11 Sep 1996 17:40:44 -0600
Subject: Re: SYN floods continue (fwd)

From: Robert Hanson
> logically speaking... isnt there some integral part of a syn flood or syn
> this or that that is "detectable" and therefor "blockable" or that it will
> allow some "logic" to be coded to prevent full scale "bombing"?

If the SYN flood is done "right", it is impossible to block AT THE DESTINATION without blocking valid traffic because there is no way of knowing what is a valid SYN segment from a flood SYN segment. Only a foolish person would send the SYN segments from their real IP address, which could be blocked and be traced back to the source.

It is possible to block this type of attack at the source, or at least force the flooder to use their real IP address - the routers at leaf networks would have to drop ip packets carrying source addresses not known to be on the incoming interface - much like stopping inbound ip spoofing.

> in this syn function, what is so "necessary" about it that a machine must
> "answer" to it good or bad?

SYN segments are an integral part of the TCP 3-way handshake protocol used to set up a TCP connection and therefore cannot be eliminated. When a host receives a SYN segment it allocates some resources for the incoming connection. Most systems will allow 5 to 8 queued incoming connections before dropping all further packets sent to that port. Each of these queued connections will remain in place for approximately 75 seconds before timing out. Therefore by simply sending SYN segments from random ip addresses at 10 intervals to a host's www port the web server would be blocked.
	geoff

From firewalls-owner Wed Sep 11 21:08:34 1996
From: "Chris Riney"
To: firewalls@GreatCircle.COM
Date: Wed, 11 Sep 1996 08:07:06 -0500
Subject: Re: Remove

Remember, if you are not able to use the standard procedure for removing yourself from this mailing list (E-mail sent to majordomo@greatcircle.com with the line 'unsubscribe firewalls' in the body), then PLEASE send your request to firewalls-owner@greatcircle.com, and you will keep from unmaking friends on this list.

On Sep 10, 12:56pm, Andrew Liles wrote:
> Subject: Remove
> Remove from list.
>
> Andrew Liles
> System Engineer
> CNS Internet
> 2911 State Street
> Suite D
> Carlsbad, California
> 92008-1415
> 619-730-7301 office
> 619-730-0060 fax
> andrew@cnsii.com
> http://www.cnsii.com
>-- End of excerpt from Andrew Liles

From firewalls-owner Wed Sep 11 21:47:50 1996
From: Mike Neuman
To: vin@shore.net (Vin McLellan)
Cc: Firewalls@GreatCircle.com, BUGTRAQ@netspace.org, mcn@EnGarde.com, peiterz@SECNET.COM, hobbit@avian.org, mudge@l0pht.com, adam@homeport.org
Reply-To: mcn@EnGarde.com
Date: Wed, 11 Sep 1996 12:15:01 -0600
Subject: Re: SecurID White Paper - A Comment

Hi Vin, you're wrong. And although you argued eloquently, your statements seem to reflect those of a person who is blindly defending a purchasing decision rather than listening to reason.

> Both Neuman and Willoughby... don't bother to
> acknowledge the limited purpose and function, or any independent value, of
> strong user authentication. (Encryption without strong authentication is
> also problematic, to say the least.)

I never said strong authentication has no value.
However, I would not classify SecureID as strong authentication. SecureID + good encryption *IS* strong authentication, which is exactly why I said in my message.

> But then, Prophets with a Revelation are like that: single-minded;-)
>
> These guys, and others who use similar rhetoric, sometimes get so
> caught up in their jeremiads that they ignore basic tradecraft. In Compsec,
> security is never absolute; both threats and defenses are always relative.

Here's the reason you're wrong, and the reason one time passwords without encryption should be completely avoided:

What is the primary value of One Time Passwords? To eliminate the possibility that a sniffer can steal a password and reuse it. All other benefits are tertiary (i.e. To prevent password guessing? Most systems have limits on the number of guesses before an account is disabled. To prevent password file stealing and cracking? If your passwords are that bad, get npasswd, or any of the other products for VMS, IBM, NT, etc. which enforce good passwords. For dialup? Reusable passwords (which aren't transferred over the network in plaintext) work just fine when taken with account disabling and good password enforcement, AND they're a LOT cheaper than the $50/pop every 3 years for SecureID.)

So, if the primary purpose in using SecureID is to eliminate the effectiveness of sniffers, then guess what--a hijacking attack is a VERY simple modification of a sniffer. So, your "elimination of the effectiveness of sniffers" is now anything but. This sounds like a pretty major vulnerability to me.

> Yet, professionals who decide that this threat does not yet justify
> the expenditure necessary to block it do not deserve to be scorned as
> fools. Risk-analysis is Security 101. How much insurance, at what cost? To
> protect against what scope of potential loss?

Indeed. It seems like SecureID is pretty expensive "insurance" for no additional benefit. Your argument treats hijacking as some esoteric, theoretical attack.
Arguments like yours are the reason TCP Sequence Number Prediction works--it was theorized about at least 6 years ago, and widely published. But people claimed, "Oh, it's not that big of a risk, let's ignore the problem." And we all got bit by it.

To use your exact quote:

> Properly forging TCP packets, the essential skill for tcp-splicing,
> is still beyond the wannabes on Alt.2600.

As my post attempted to point out, there ARE exploit programs out, and available to the wannabes in Alt.2600.

> The function of a security device is to raise the cost of an attack
> upon it -- in terms of time, money, equipment, specialized knowledge, and
> risk of criminal penalties -- so that it is no longer (compared to
> alternatives) an attractive or likely avenue of attack.

There is no additional time, money, equipment, knowledge, or risk in session hijacking. As I said, it's a simple modification of a sniffer. And public versions DO exist. (Do you take my word for it yet, or would you like me to post one?) Here's the header from one I picked up during one of my intrusion investigations:

/* ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** */
/* RoadWarrier presents...                                        */
/* \|/a8 c00|_ h11j@k|\|g T00lz (wcht)                            */
/* Greetz to:                                                     */
...
/* Use by:                                                        */
/* 1: Get root                                                    */
/* 2: Make sure yer $DISPLAY is correct                           */
/* 3: wcht                                                        */
/* 4: Every new connectiun will be hiijacked after "Last login"   */
/*    or "mail." is seen. An xterm will started on your display   */

To use an analogy someone else posted on firewalls, using SecureID without encryption is like paying for a car alarm but never bothering to lock your car.
-
-Mike Neuman
mcn@EnGarde.com
http://www.engarde.com

From firewalls-owner Wed Sep 11 22:20:41 1996
From: Michael Jarvis
To: firewalls@GreatCircle.COM
Date: Wed, 11 Sep 1996 23:38:26 -0500 (CDT)
Subject: Re: TCP/IP and AOL

> Can anyone give me instructions on how i go about setting up my computer to
> connect to America Online using TCP/IP?
>
> PC..win95
>
> thanks
>

This *HAS* to be a troll.

-michael
--
Michael A.
Jarvis
Technology Consultant, Internet Solutions Group
Insource Technology, Houston, TX
michaelj@insource.com
713.955.3672

From firewalls-owner Wed Sep 11 22:21:49 1996
From: vin@shore.net (Vin McLellan)
To: firewalls@greatcircle.com
Cc: dckavan@PacBell.COM, lou@callnet.com, mudge@10pht.com
Date: Thu, 12 Sep 1996 00:19:39 -0400
Subject: Re: S/Key vulnerabilities

Dennis Kavanaugh and Louis T. Chmielewski both asked where they could obtain mudge's 1995 paper on vulnerabilities of s/key.

mudge's s/key paper is at:

You might also want to check out his "Monkey" exploit code ("think about it as Crack for s/key," suggested mudge) at:

I understand that Bellcore has fixed the problem in their commercial version of s/key. I don't know the current status of the several versions of s/key in circulation in the US or abroad -- or, for that matter, OPIE or logdaemon, both derived from s/key, but renamed because Bellcore owns the name -- but I would be very surprised if current versions of all aren't snug and safe. The latest "official" version was submitted by Bellcore to the IESG last year and was apparently the basis of the proposed Internet standard.
Neil Haller of Bellcore noted a few months back that the original version of s/key (v1.0, still available from thumper.bellcore.com, I believe) should now be viewed as a reference implementation. "It supports only MD4 and has at least one known weakness," said Mr. Haller.

Suerte,
_Vin

Vin McLellan +The Privacy Guild+
53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548

From firewalls-owner Wed Sep 11 22:23:56 1996
From: Peiter Z
To: adam@homeport.org, BUGTRAQ@netspace.org, Firewalls@GreatCircle.com, hobbit@avian.org, mcn@EnGarde.com, mudge@l0pht.com
Date: Thu, 12 Sep 1996 06:34:52 -0600 (MDT)

The stance and statements that Vin makes are quite interesting. We at Secure Networks take offense to some of the implications that are made in his post and wish to point out other statements we believe to be in error.

First:

>(But then, the validity or integrity of two-factor authentication
>-- a token "held;" plus a password "known" -- is not really an issue for
>Mr. Neuman. He simply declares OTPs irrelevant if the TCP session they
>initialized can be taken over; the valid user cut off; and the bad guy left
>in control of an authenticated session with all the user's privileges. It's
>an intriguing POV...
>particularly from a vendor who sells a commercial
>session-hijack tool, IP-Watcher, to a hopefully restricted clientele.)

The above is quite an interesting statement coming from a person who does a lot of paid contract work for SDTI. 'Hello kettle, you're black!'

I will leave Neuman and Willoughby to defend themselves in regards to some of Vin's comments towards them.

Let me explain why I did not embark upon session hi-jacking in the white paper. Session hi-jacking is something that SecurID never claimed to protect against. I did mention session hi-jacking briefly in the paper but did not feel it was fair to bash SDTI on this. All of the vulnerabilities mentioned in the paper demonstrate problems that the SecurID mechanism claims to prevent against and could be corrected if the product was written properly (or kept up to date - depending upon the viewpoint you take).

> Properly forging TCP packets, the essential skill for tcp-splicing,
>is still beyond the wannabes on Alt.2600.

The above statement is completely incorrect. The tools are readily available and have been for some time now. Even to the "wannabes".

>the typical OTP app is a dial-in phone connection, through a communications
>server --

Please come into the 90's Vin. If your security is in having an unmonitored connection why not stop selling telnet clients for the SecurID card or at least market it to dial-in type customers. Why not? Because there's more money selling into the 'net', whether or not the application is particularly suited for it or not.

>Even crypto won't bring on Nirvana.

Yes. This is true. Funny how an encrypted s/key session (and many other OTP's) gains much more security from the encrypted link than SecurID does. The problem being that the SecurID authentication mechanism is out of band from the, in this example, telnet session.
> For a ten-page "white paper" from the hacker elite, the PieterZ
>Paper was rather disappointing (or reassuring, as the case may be;-) In a
>widely cross-posted comment, Mike Neuman harrumphed:

>> I appreciate the conclusion of the paper which finally does proclaim that
>> SecurID (and other one-time password tokens) are extremely vulnerable.
>> The vulnerabilities described seem to be overly esoteric, however."

This passage really irks me. First, what gives you the right to label an employee of a legitimate company a member of the 'hacker elite'. The only person that I mentioned that has any ties to the hacker community, to the best of my knowledge, in my paper was hobbit@avian.org. I do not know if he appreciates being labeled as a hacker but his knowledge and understanding of security would definitely place him in the 'elite' ranks.

As for the attacks being esoteric, we opted *not* to publish the source code for the racing attacks, which are *still* viable against the current incarnation of the SecurID solution.

As a point of interest, we do not have our own Ace server. We were given permission by a company that runs one to break into their network (for a security assessment) and to use the information that we found from the network traffic in the report. Of course we were asked not to release any information pointing back to this company. We gained the information on the ACE client server protocol in this fashion. How, you might ask, did we break in to their internal network? Through SecurID of course. Thus I do not think all of the attacks mentioned in the paper are too terribly 'esoteric' [Is everyone getting this? Yes, we were able to break into their network because they were using SecurID]. Besides, esoteric or not, these are problems with the SecurID mechanism that shouldn't exist. I would assume that there are some employees at SDTI whose job it is to speculate on attacks against this product and to recommend / implement fixes. No?
> As the author of the SecurID FAQ, however, I'm surprised to find >myself in agreement with Mike Neuman's summary judgment. "Overly esoteric" >is just about right. This is a relatively harmless and fruitless >exploration of the ACE protocol by some very smart guys who deduce or >propose several potential attacks on the ACE system. Attacks which are >blocked by various security features (documented or undocumented) in the >current versions of SDTI's ACE/Server... or which seem extremely unlikely >to succeed outside a software lab or a DefCon fantasy fest. Please see my previous paragraph. We broke through an otherwise largely secure network through their use of SecurID. I am surprised to hear you refer to this as 'relatively harmless and fruitless'. > SDTI, the vendor of the ACE/SecurID system, has posted a >substantive commentary on the PieterZ Paper and its allegations, >suggestions, and conclusions on their web site. (Look for Network Security >Bulletin 2-897 at . The document, unsigned, is an >analysis by Jim Kotanchik, SDTI's director of engineering.) Interestingly enough, this document was not available on the web server when you posted your message. A call to SDTI inquiring about it received the response of "We are currently working on the paper but it has not been completed yet". Funny how you have this inside information. > There is also, however, an impressive analysis of the ACE >client/server protocol which uncovers an exotic vulnerability in the >protocol's use of SDTI's F2 hash which could have been a real problem for >the ACE/SecurID user community six months ago -- before SDTI fixed it with >an undocumented tweak buried in both v1.3 and v2.2 upgrades to the >ACE/Server. (ACE/Server 1.3 and 2.2 were free "mandatory upgrades," >flagged for security concerns.) I am sorry to hear that this is how SDTI addresses security issues: undocumented and buried fixes that are then shoved upon the user community.
What makes you think that this vulnerability was not a real problem for the ACE/SecurID user community less than a year ago? Are all ACE/Servers that are in use on the internet running these "fixed" versions? It would also be nice if SDTI would offer some proof of the validity of the "fix". I look forward to reading the SDTI bulletin by Jim Kotanchik. Rest assured that I will have comments and packet dumps showing several successful attacks against the SecurID mechanism if the bulletin states that the attacks are 'relatively harmless and fruitless', as you say. Sincerely, PeiterZ@silence.secnet.com From firewalls-owner Wed Sep 11 22:59:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA29482 for firewalls-outgoing; Wed, 11 Sep 1996 17:19:16 -0700 (PDT) Received: from emout04.mail.aol.com (emout04.mx.aol.com [198.81.11.95]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA29475 for ; Wed, 11 Sep 1996 17:19:07 -0700 (PDT) From: KRES007@aol.com Received: by emout04.mail.aol.com (8.6.12/8.6.12) id UAA01340 for firewalls@greatcircle.com; Wed, 11 Sep 1996 20:19:05 -0400 Date: Wed, 11 Sep 1996 20:19:05 -0400 Message-ID: <960911201904_282888348@emout04.mail.aol.com> To: firewalls@greatcircle.com Subject: TCP/IP and AOL Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone give me instructions on how I go about setting up my computer to connect to America Online using TCP/IP?
PC..win95 thanks From firewalls-owner Wed Sep 11 23:00:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA25972 for firewalls-outgoing; Wed, 11 Sep 1996 16:38:57 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id QAA25939 for firewalls@greatcircle.com; Wed, 11 Sep 1996 16:38:31 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA02507 for ; Tue, 10 Sep 1996 12:40:45 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id PAA22233; Tue, 10 Sep 1996 15:46:10 -0500 From: Adam Shostack Message-Id: <199609102046.PAA22233@homeport.org> Subject: Re: SecurID White Paper - A Comment To: vin@shore.net (Vin McLellan) Date: Tue, 10 Sep 1996 15:46:10 -0500 (EST) Cc: Firewalls@GreatCircle.com, BUGTRAQ@netspace.org, mcn@EnGarde.com, frankw@in.net, peiterz@SECNET.COM, hobbit@avian.org, mudge@l0pht.com, adam@homeport.org In-Reply-To: from "Vin McLellan" at Sep 10, 96 01:37:06 pm X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Vin McLellan wrote: | With the lethargy of summer behind us, I also expect the issues | raised will enjoy a full and energetic discussion on Adam Shoshack's | SDAdmin mailing list. (Enroll with an "subscribe sdadmin" message to | ) I look forward to participating. The list is served by majordomo@jabberwocky.bbnplanet.com. Please don't bother the other majordomo. Other than that, I'll comment that a documented protocol makes discussing it much easier, and call for Security Dynamics to publish their protocols so that security engineers can know they're not relying on security through obscurity. Adam -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From firewalls-owner Wed Sep 11 23:04:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA25084 for firewalls-outgoing; Wed, 11 Sep 1996 16:29:45 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA24741 for ; Wed, 11 Sep 1996 16:28:11 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA10829; Wed, 11 Sep 1996 16:21:55 -0700 Received: from sapa.inka.de(193.197.84.6) by mycroft via smap (V1.3mjr) id sma010821; Wed Sep 11 16:21:35 1996 Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Thu, 12 Sep 96 01:21 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 12 Sep 96 01:21 MET DST Received: by lina id m0v0yPI-0004k6C (Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 12 Sep 96 01:09 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: SYN floods continue (fwd) To: roberth@cet.com (Robert Hanson) Date: Thu, 12 Sep 1996 01:09:20 +0200 (MET DST) Cc: amolitor@anubis.network.com, firewalls@GreatCircle.COM In-Reply-To: from "Robert Hanson" at Sep 11, 96 03:15:48 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > logically speaking... isnt there some integral part of a syn flood or syn > this or that that is "detectable" and therefor "blockable" or that it will > allow some "logic" to be coded to prevent full scale "bombing"? No: SYN is the first packet received from the remote host if he wants to establish a TCP connection. You normally answer with an ACKnowledgement. This acknowledgement needs to be acknowledged again to consider the connection established. As long as the second ACK isn't received the kernel has to wait for it.
If you don't get an ACK you can't distinguish a SYN bomb from a slow delayed ACK. Therefore you can't expire pending SYNs too fast, because that would block connections from slow networks. You can't block SYN requests by source, because the source is fakeable without problem. And you can't block too many SYN requests, because you are unable to tell which SYN request is a valid connection and which not. The only chance you have in SYN flooding is that an existing host will send a RST packet if it receives an ACK for a not established connection. This RST will clean the pending socket before the timeout occurs and will free resources on the attacked host faster. > in this syn function, what is so "necessary" about it that a machine must > "answer" to it good or bad? If you don't answer you won't get any connections. This is exactly the damage the offending sender wants to achieve. Greetings Bernd From firewalls-owner Wed Sep 11 23:44:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA11924 for firewalls-outgoing; Wed, 11 Sep 1996 23:13:43 -0700 (PDT) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA11894 for ; Wed, 11 Sep 1996 23:13:25 -0700 (PDT) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id AAA26046 for ; Thu, 12 Sep 1996 00:13:18 -0600 Received: from beckio.precise.ab.ca(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.Plugh.edmonton.ab.ca, id smtpd26044aaa; Thu Sep 12 00:13:11 1996 Received: (from danny@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id AAA02756; Thu, 12 Sep 1996 00:13:05 -0600 Date: Thu, 12 Sep 1996 00:13:05 -0600 From: Dan Boulet Message-Id: <199609120613.AAA02756@snouts.obtuse.com> To: firewalls@greatcircle.com Subject: An alternative to smap (was "Re: smap") Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Frederick M Avolio says: > It is part of the
TIS Internet Firewall Toolkit. See our web page -- > http://www.tis.com -- or our ftp site. Read the readme file in > /pub/firewalls/toolkit. > > It is licensed, but freely available software, not for commercial use. > > Fred > > At 11:20 AM 9/11/96 -0400, Mike Stoico wrote: > >Where can I get a copy of the smap package? > >========================================================================= > >Mike Stoico, I/S Security Consultant * Phone: (518)285-2567 > >MetLife * Fax: (518)285-2542 > >500 Jordan Rd * E-Mail: mstoico@metlife.com > >Troy, NY 12180 * URL: www.metlife.com > >========================================================================= > >The opinions expressed here are my own and may not be those of my employer. > >========================================================================= You may also want to have a look at smtpd. This is a facility which is roughly equivalent to smap. We wrote it because we didn't like the licensing restrictions attached to smap. smtpd is available on our ftp site (ftp.obtuse.com). Have a look in the directory "/pub/smtpd". A few caveats: - the documentation on the ftp site is somewhat sparse. We'll be releasing more in a day or two. - smtpd was written to be portable to a wide variety of *nix systems. As I'm sure that you are aware, there is no such thing as "portable software" (there is only "ported software"). Please let us know if you run into problems with it on any *nix platform. - we've tried to make it quite solid. On the other hand, it obviously doesn't have as many miles on it as smap. -Danny P.S. The best way to reach us is probably via e-mail to "info@obtuse.com". 
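The three-way handshake Bernd describes above (SYN, SYN/ACK, ACK, with the kernel holding a half-open entry until the final ACK arrives or a timeout expires) is easy to model. The following Python is an added example and not code from any of the posts: it keeps a listen backlog of fixed size, floods it with SYNs carrying random forged source addresses, and reports what happens to legitimate clients. The backlog size, the 75 second timeout, the flood rate and the 10.0.0.0/24 "site" prefix used for legitimate clients are assumptions. It shows the three points made above: forged sources almost never repeat, so a per-source block has nothing to match; half-open entries from unreachable forged sources go away only when the timeout passes, so legitimate clients stay locked out long after the flood stops; and a SYN/ACK that reaches a real host gets a RST back, which frees the entry at once.

```python
"""Model of a TCP listen backlog under a SYN flood (added example, not from the list)."""
import random
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BACKLOG_SIZE = 128   # assumption: half-open entries the server keeps per listening socket


@dataclass
class HalfOpen:
    src: str
    sport: int
    created: float


@dataclass
class Listener:
    """One listening socket: a SYN creates a half-open entry, the final ACK completes it."""
    syn_timeout: float
    backlog: Dict[Tuple[str, int], HalfOpen] = field(default_factory=dict)
    established: int = 0
    refused: int = 0
    reset_early: int = 0

    def expire(self, now: float) -> None:
        # Entries older than the timeout are dropped; this is the only way an entry
        # created by an unreachable forged source ever goes away.
        for key in [k for k, e in self.backlog.items() if now - e.created > self.syn_timeout]:
            del self.backlog[key]

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        self.expire(now)
        if len(self.backlog) >= BACKLOG_SIZE:
            self.refused += 1          # backlog full: the SYN is dropped on the floor
            return False
        self.backlog[(src, sport)] = HalfOpen(src, sport, now)
        return True                    # SYN/ACK goes out to whatever `src` claims to be

    def on_ack(self, src: str, sport: int, now: float) -> bool:
        self.expire(now)
        if self.backlog.pop((src, sport), None) is None:
            return False
        self.established += 1
        return True

    def on_rst(self, src: str, sport: int) -> bool:
        # A live host that never sent the SYN answers our SYN/ACK with RST, which
        # frees the entry long before the timeout (Bernd's "only chance").
        if self.backlog.pop((src, sport), None) is None:
            return False
        self.reset_early += 1
        return True


def simulate(seed: int, flood_rate: int, live_fraction: float, syn_timeout: float = 75.0,
             duration: int = 60, flood_until: Optional[int] = None, legit_per_sec: int = 5) -> dict:
    """Run `duration` one-second ticks: the attacker's SYNs first, then legitimate clients."""
    rng = random.Random(seed)
    if flood_until is None:
        flood_until = duration
    lst = Listener(syn_timeout)
    legit_ok = legit_fail = 0
    sources: Counter = Counter()
    for now in range(duration):
        if now < flood_until:
            for _ in range(flood_rate):
                # Forged source: a random address outside the site's 10.0.0.0/24 (assumption).
                src = "%d.%d.%d.%d" % (rng.randrange(11, 224), rng.randrange(256),
                                       rng.randrange(256), rng.randrange(256))
                sport = rng.randrange(1024, 65536)
                sources[src] += 1
                if lst.on_syn(src, sport, now) and rng.random() < live_fraction:
                    lst.on_rst(src, sport)   # the forged address belongs to a live host
        for _ in range(legit_per_sec):
            src = "10.0.0.%d" % rng.randrange(1, 255)
            sport = rng.randrange(1024, 65536)
            if lst.on_syn(src, sport, now) and lst.on_ack(src, sport, now + 0.1):
                legit_ok += 1
            else:
                legit_fail += 1
    return {
        "legit_ok": legit_ok,
        "legit_fail": legit_fail,
        "refused": lst.refused,
        "reset_early": lst.reset_early,
        "attack_syns": sum(sources.values()),
        "distinct_sources": len(sources),
        "busiest_source": max(sources.values()) if sources else 0,
    }


if __name__ == "__main__":
    scenarios = [
        ("forged sources unreachable", dict(live_fraction=0.0)),
        ("forged sources are live hosts (RST)", dict(live_fraction=1.0)),
        ("flood stops at t=10, 75s timeout", dict(live_fraction=0.0, flood_until=10, duration=120)),
    ]
    for label, kw in scenarios:
        print(label, simulate(seed=1, flood_rate=50, **kw))
```

With 50 forged SYNs per second the backlog is full after two ticks and every later legitimate SYN is refused; with every forged source answering RST the backlog never fills; and once the flood stops the backlog stays full for the whole timeout. The flood's 3000 sources are all but unique, which is why a counter per source address never reaches any threshold worth blocking on.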
From firewalls-owner Thu Sep 12 01:29:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA24028 for firewalls-outgoing; Thu, 12 Sep 1996 01:19:02 -0700 (PDT) Received: from relay-4.mail.demon.net (relay-4.mail.demon.net [158.152.1.108]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA24007 for ; Thu, 12 Sep 1996 01:18:51 -0700 (PDT) Received: from post.demon.co.uk ([(null)]) by relay-4.mail.demon.net id ac12667; 12 Sep 96 7:13 GMT Received: from dowrmain.demon.co.uk ([158.152.123.251]) by relay-3.mail.demon.net id aa22327; 12 Sep 96 6:19 BST Message-ID: <8g8dRHAB05NyEwMT@dowrmain.demon.co.uk> Date: Thu, 12 Sep 1996 06:17:53 +0100 To: firewalls@greatcircle.com From: Ian Wade Reply-To: Ian Wade Subject: Re: Modem hacking In-Reply-To: MIME-Version: 1.0 X-Mailer: Turnpike Version 1.10 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article , Rabid Wombat writes > >Just make them use dial-in and dial-out systems located on a bastion >segment, so you have control; terminal servers w/ authentication for >dial-in, a small UNIX box w/ some modems for dial-out, or NCSI/NASI based >comm server for dial-out if you're supporting primarily a PC environment. >No backdoors to the desktop. This is the *only* acceptable solution. You cannot trust *any* users at the desktop to act in a secure manner -- witness the widespread disregard for sensible password choice and security (writing passwords down on PostIt notes, sharing passwords with colleagues etc). The world is full of "experts" who "know" how to configure modems, and goodness knows what they get up to when management isn't looking. For a secure environment, modem access can *only* be allowed under the control of security management; e.g. via a modem pool located in a locked room. Ian -- \|--------\|--------\|--------\| Ian Wade |\--------|\--------|\--------|\ | | | | http://www.netro.co.uk/nosintro.html | Netro | Press | (tm)| for all about KA9Q NOS. 
From firewalls-owner Thu Sep 12 02:29:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA25995 for firewalls-outgoing; Thu, 12 Sep 1996 01:45:58 -0700 (PDT) Received: from diablo.ppp.de (diablo.ppp.de [193.141.101.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA25680 for ; Thu, 12 Sep 1996 01:44:14 -0700 (PDT) Received: from wmdhh by diablo.ppp.de with uucp (Smail3.1.28.1 #1) id m0v17NA-000QgxC; Thu, 12 Sep 96 10:43 MET DST Received: from rs3.wmd.de by wmdhh with smtp (Smail3.1.26.7 #3) id m0v17Lp-0009LZC; Thu, 12 Sep 96 10:42 CDT Received: by rs3.wmd.de (AIX 3.2/UCB 5.64/4.03.01) id AA18958; Thu, 12 Sep 1996 10:17:29 +0200 From: pauck@rs3.wmd.de (Marco Pauck) Message-Id: <9609120817.AA18958@rs3.wmd.de> Subject: Re: SQL through firewall To: lazear@gateway.mitre.org Date: Thu, 12 Sep 1996 10:17:28 +0100 (MESZ) Cc: firewalls@greatcircle.com In-Reply-To: <199609111646.MAA01925@dockside.mitre.org> from "lazear@gateway.mitre.org" at Sep 11, 96 12:46:24 pm Reply-To: pauck@wmd.de X-Mailer: ELM [version 2.4 PL20] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Although we'd love to wait for the Gauntlet proxy for SQL, > it will come too late for one customer. So, is there a way > to get SQL through a FWTK firewall using "plug-gw"? How about > using a Cisco router and access lists? How flexible are the > protocols under SQL in terms of port numbers used or usable? > Thanks for any help. Regarding Oracle's SQL*Net have a look at http://www.wmd.de/~pauck/misc/oracle_and_firewalls.html Marco -- Marco Pauck - WMD GmbH Hamburg, Germany - http://www.wmd.de/~pauck/ e-mail: pauck@wmd.de, phone: +49-40-58958-120, fax: +49-40-58958-199 You are on your own words.
From firewalls-owner Thu Sep 12 04:59:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA04921 for firewalls-outgoing; Thu, 12 Sep 1996 04:55:41 -0700 (PDT) Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA04886 for ; Thu, 12 Sep 1996 04:54:55 -0700 (PDT) Received: by smtpgate.saa-cons.co.uk (8.6.8.1/1.3-eef) id LAA02119; Thu, 12 Sep 1996 11:57:17 GMT Received: from haddock.saa-cons.co.uk(193.132.156.161) by amnesiac via smap (V1.3) id sma002117; Thu Sep 12 11:57:05 1996 Received: from localhost by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA35604; Thu, 12 Sep 1996 12:57:04 +0100 Date: Thu, 12 Sep 1996 12:57:04 +0100 (BST) From: Dave Roberts To: Bernd Eckenfels Cc: Firewalls Mailing List Subject: Re: smap alternative? In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Sep 1996, Bernd Eckenfels wrote: > just use a secure MTA like qmail. If you take a close look at smap you will > see that it really doesn't do very much at all. Sounds good to me. Sounds exactly like the kind of philosophy that firewall tools should adhere to. > It is not very restrictive on > the addresses and passes a lot of insane data... I don't think it is much > protection. I don't agree. It prevents an external user connecting to a process that has the run of the system, and often with root privileges. smap is a nice simple process running without root. It's dumb yes - but that's its strength. Reads the mail, drops it into a file, and that's all. Sounds perfect. The address parsing etc can be taken care of later by sendmail, after smapd has passed the mail onto it. Dave Roberts | "Surfing the Internet" is a sad term for sad people. Unix Systems Admin | Get a board, find a beach, surf some REAL waves and SAA Consultants Ltd | get a *real* life.
Plymouth, U.K. | -=[For PGP Key, send mail with subject of "get pgp"]=- From firewalls-owner Thu Sep 12 05:35:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA06381 for firewalls-outgoing; Thu, 12 Sep 1996 05:23:03 -0700 (PDT) Received: from minotaur.labyrinth.net.au (minotaur.labyrinth.net.au [203.9.148.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA06289 for ; Thu, 12 Sep 1996 05:22:18 -0700 (PDT) Received: (from mail@localhost) by minotaur.labyrinth.net.au (8.7.2/8.7.2) id WAA26884; Thu, 12 Sep 1996 22:21:09 +1000 (EST) X-Authentication-Warning: minotaur.labyrinth.net.au: mail set sender to using -f Received: from gate.quick.com.au(203.12.250.130) by minotaur.labyrinth.net.au via smap (V1.3) id sma026880; Thu Sep 12 22:20:49 1996 Received: (from sjg@localhost) by zen.quick.com.au (8.7.3/8.6.9) id WAA27993; Thu, 12 Sep 1996 22:20:47 +1000 (EST) Date: Thu, 12 Sep 1996 22:20:47 +1000 (EST) From: "Simon J. Gerraty" Message-Id: <199609121220.WAA27993@zen.quick.com.au> To: firewalls@greatcircle.com Cc: Todd.Truitt@evolving.com Subject: Re: SYN floods Newsgroups: lists.firewalls References: <199609120111.TAA06372@thepound.evolving.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Todd.Truitt writes: >I believe it was stated that this SYN flood came from IP packets with >the "Source Route" option set. Perhaps so, but SR is not necessary unless the attacker wanted to receive responses, which is not needed for this sort of attack. > ... There should be a packet filter routine >which will drop ALL packets with *any* options triggered. Since, >typically speaking, the only reason that the IP options are used are >to debug or cause trouble, this might be the safest approach for a >firewall. All quite true. The most useful thing you can do with your Internet router is drop all packets with IP options and with source addresses from the wrong side. 
Sadly though, that is not enough to save you from a SYN attack. --sjg From firewalls-owner Thu Sep 12 05:49:56 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA07947 for firewalls-outgoing; Thu, 12 Sep 1996 05:44:11 -0700 (PDT) Received: from eci-esyst.com (callisto.eci-esyst.com [205.129.215.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA07880 for ; Thu, 12 Sep 1996 05:43:53 -0700 (PDT) Received: by eci-esyst.com (4.1/SMI-4.1) id AA13549; Thu, 12 Sep 96 08:41:14 EDT Received: from www.eci-esyst.com(198.135.69.2) by callisto.eci-esyst.com via smap (V1.3mjr) id sma013495; Thu Sep 12 08:40:18 1996 Received: from callisto (rodney.eci.esys.com) by eci.esys.com (4.1/SMI-4.1) id AA10830; Thu, 12 Sep 96 08:38:16 EDT Received: from qmgate.eci-esyst.com by callisto (4.1/SMI-4.1) id AA23115; Thu, 12 Sep 96 08:40:46 EDT Message-Id: Date: 12 Sep 1996 08:41:18 -0400 From: "Jerry Edmiston" Subject: Firewall DNS To: firewalls@greatcircle.com X-Mailer: Mail*Link SMTP-QM 3.0.2 Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1"; Name="Message Body" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Subject: Time: 8:29 AM OFFICE MEMO Firewall DNS Date: 9/12/96 Pls HELP...I am trying to configure a split DNS on my firewall. The problem seems to be when I use NSLOOKUP to access the internal side of the firewall, I receive message: ***Can't find server name for address xxx.xxx.xxx.x : Query refused *** What does this message mean and how is it corrected? I also have a resolv.conf file on the Sun box I am attempting to do the NSLOOKUP on pointing to the internal interface of the firewall. Thanks in advance for any help.
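Dave's summary of what smap does (accept the SMTP conversation in an unprivileged process, drop the message into a file, let the real MTA parse it later) fits in a few dozen lines. The Python below is an added example; it is neither smap nor smtpd and is not code from any of the posts. The host name, the default spool path and the uid/gid it drops to are assumptions. It parses only the envelope verbs, enforces the RFC 821 line and path length limits, refuses paths containing space, angle brackets or "|" so that a program address never reaches the MTA, stores the body verbatim after dot-unstuffing, and never implements VRFY or EXPN.

```python
"""Minimal smap-style SMTP front end: accept, sanity-check, spool (added example)."""
import os
import re
import sys
import time
from pathlib import Path
from typing import List, Optional

HOSTNAME = "mailgate.example"   # assumption: the bastion's name
MAX_LINE = 998                  # text line limit without CRLF (RFC 821/5321)
MAX_PATH = 256                  # reverse/forward path limit (RFC 821)
MAX_RCPTS = 100
# A path is "<" + printable ASCII + ">"; space, '<', '>' and '|' are refused so
# that a program address such as <|/bin/sh> is never handed on to the MTA.
_PATH_RE = re.compile(r"^<[\x21-\x3B\x3D\x3F-\x7B\x7D\x7E]{0,%d}>$" % (MAX_PATH - 2))


def drop_privileges(uid: int, gid: int) -> None:
    """If started as root (e.g. from inetd), become an unprivileged user before talking SMTP."""
    if os.getuid() == 0:
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)


class SmapSession:
    """One SMTP conversation. Only the envelope is checked; the body is stored verbatim."""

    def __init__(self, spool_dir: str, peer: str = "unknown"):
        self.spool = Path(spool_dir)
        self.spool.mkdir(parents=True, exist_ok=True)
        self.peer, self.seq, self.in_data = peer, 0, False
        self.last_queued: Optional[Path] = None
        self._reset()

    def _reset(self) -> None:
        self.sender: Optional[str] = None
        self.rcpts: List[str] = []
        self.body: List[str] = []

    def feed(self, line: str) -> Optional[str]:
        """Handle one line (CRLF stripped); return the reply, or None while inside DATA."""
        if len(line) > MAX_LINE:
            self.in_data = False
            self._reset()
            return "500 Line too long, message discarded"
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.last_queued = self._spool()
                self._reset()
                return "250 OK, queued as %s" % self.last_queued.name
            self.body.append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
            return None
        verb, _, rest = line.partition(" ")
        verb, rest = verb.upper(), rest.strip()
        if verb in ("HELO", "EHLO"):
            return "250 %s" % HOSTNAME
        if verb == "MAIL":
            if self.sender is not None:
                return "503 Sender already specified"
            if not rest.upper().startswith("FROM:") or not _PATH_RE.match(rest[5:].strip()):
                return "501 Bad sender address"
            self.sender = rest[5:].strip()
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            if not rest.upper().startswith("TO:") or not _PATH_RE.match(rest[3:].strip()):
                return "501 Bad recipient address"
            if len(self.rcpts) >= MAX_RCPTS:
                return "452 Too many recipients"
            self.rcpts.append(rest[3:].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data = True
            return "354 Enter mail, end with \".\" on a line by itself"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 %s closing connection" % HOSTNAME
        if verb in ("VRFY", "EXPN"):
            return "502 Command not implemented"
        return "500 Command unrecognized"

    def _spool(self) -> Path:
        """Write envelope + body to a spool file; the rename makes it appear atomically."""
        self.seq += 1
        name = "%d.%d.%d" % (int(time.time()), os.getpid(), self.seq)
        tmp, final = self.spool / ("tmp." + name), self.spool / name
        with open(tmp, "w", encoding="ascii", errors="replace") as fh:
            fh.write("PEER %s\nFROM %s\n" % (self.peer, self.sender))
            fh.write("".join("RCPT %s\n" % r for r in self.rcpts))
            fh.write("\n" + "".join(l + "\n" for l in self.body))
        os.replace(tmp, final)
        return final


def serve_stdio(spool_dir: str) -> None:
    """inetd-style loop: one connection on stdin/stdout, the way smap runs under inetd."""
    session = SmapSession(spool_dir, peer="stdin")
    sys.stdout.write("220 %s SMTP front end ready\r\n" % HOSTNAME)
    sys.stdout.flush()
    for raw in sys.stdin:
        reply = session.feed(raw.rstrip("\r\n"))
        if reply is not None:
            sys.stdout.write(reply + "\r\n")
            sys.stdout.flush()
            if reply.startswith("221"):
                break


if __name__ == "__main__":
    drop_privileges(uid=65534, gid=65534)            # assumption: "nobody"
    serve_stdio(sys.argv[1] if len(sys.argv) > 1 else "/var/spool/smapx")  # assumed path
```

Run it from inetd as an unprivileged user whose only writable path is the spool directory. The delivery side (the counterpart of smapd) is a separate job that reads the spool and hands each file to the MTA; it is still the MTA that interprets the addresses, which is exactly the concern raised in the reply that follows, so the path check above is as far as the front end can reasonably go without becoming a second address parser.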
From firewalls-owner Thu Sep 12 06:46:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11437 for firewalls-outgoing; Thu, 12 Sep 1996 06:41:54 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA11387 for ; Thu, 12 Sep 1996 06:41:33 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Thu, 12 Sep 96 15:40 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 12 Sep 96 15:40 MET DST Received: by lina id m0v1BhC-0004k6C (Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 12 Sep 96 15:20 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: smap alternative? To: djr@saa-cons.co.uk (Dave Roberts) Date: Thu, 12 Sep 1996 15:20:41 +0200 (MET DST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Dave Roberts" at Sep 12, 96 12:57:04 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > I don't agree. It prevents an external user connecting to a process that > has the run of the system, and often with root privileges. smap is a > nice simple process running without root. It's dumb yes - but that's its > strength. Reads the mail, drops it into a file, and that's all. Sounds > perfect. The address parsing etc can be taken care of later by sendmail, > after smapd has passed the mail onto it. You miss the main point here: the address parsing is exactly the source of millions of sendmail exploits. smapd won't secure sendmail if it doesn't reject malicious addresses. qmail on the other hand runs with the least privileges possible and handles tainted data with the necessary care.
I won't recommend running qmail on a firewall (although I would feel much safer than with smapd), but I certainly recommend using qmail on a DMZ host for receiving internet mail. Greetings Bernd From firewalls-owner Thu Sep 12 07:01:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA12197 for firewalls-outgoing; Thu, 12 Sep 1996 06:50:28 -0700 (PDT) Received: from drunivac.drew.edu (drunivac.drew.edu [192.107.39.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA12141 for ; Thu, 12 Sep 1996 06:50:07 -0700 (PDT) Received: from DRUNIVAC.DREW.EDU by DRUNIVAC.DREW.EDU (PMDF V5.0-6 #9657) id <01I9DXWEPHIO003WH2@DRUNIVAC.DREW.EDU> for firewalls@greatcircle.com; Thu, 12 Sep 1996 09:49:54 -0400 (EDT) Date: Thu, 12 Sep 1996 09:46:52 -0400 (EDT) From: "Mike Richichi, Systems Manager, Drew U Academic Technology" Subject: Netware/IP through a firewall To: firewalls@greatcircle.com Message-id: <01I9DY1WG4N8003WH2@DRUNIVAC.DREW.EDU> MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We're using Netware/IP extensively throughout campus, and we may want to allow access to a system through an internal firewall. We've been doing some testing, and Novell says Netware/IP uses UDP ports 396, 43981 and 43982, but merely enabling these as a source and destination port doesn't work. We've also allowed DNS (port 53 TCP and UDP) and TCP port 396 (the Netware server has a listener on this port as well.) No dice. Has anyone gotten this to work? What is Novell not telling us? 
--Mike -------------------- Mike Richichi, Systems Manager, Drew University Academic Technology BC-COMPCEN, Madison, NJ 07940 +1 201 408 3840 FAX: +1 201 408 3816 mrichich@drunivac.drew.edu, http://daniel.drew.edu/~mrichich
From firewalls-owner Thu Sep 12 07:55:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14822 for firewalls-outgoing; Thu, 12 Sep 1996 07:21:54 -0700 (PDT) Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA14763 for ; Thu, 12 Sep 1996 07:21:24 -0700 (PDT) Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.5/8.6.4) with ESMTP id JAA16784 for ; Thu, 12 Sep 1996 09:21:21 -0500 (CDT) From: Doug Hughes Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id JAA13396; Thu, 12 Sep 1996 09:21:20 -0500 Date: Thu, 12 Sep 1996 09:21:20 -0500 Subject: Re: SYN floods continue (fwd) To: firewalls@greatcircle.com Message-Id: X-Mailer: TkMail 4.0beta6 In-Reply-To: <9609112022.AA10525@notesgw2.sybase.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Geez, that's nasty. Agreed! If the attacker is doing a good enough >job of using truly random, legal source addresses, they will >have to track through every router, as you said. Hopefully >there aren't too many hops between them and the attacker. > >If the attacker isn't being so careful about randomness, you >might be able to take advantage of some patterns (i.e. >ask the most likely ISPs to look for traffic from a,b and c >to d) Just thinking out loud here. Wouldn't it be nice if the major router vendors for the Internet (esp Cisco) had an option that you could turn on that would just disregard spoofing from an address that would normally come from another interface. Kind of a modified split horizons. The router knows which interface is the next hop to a certain network address.
If it hears a source address of that interface coming from somewhere else, it should drop the packet on the floor (and possibly send a syslog message - another option) interface serial0 ip no-source-spoofing ip spoofing-syslog Yes, this will take more CPU processing, possibly more than current backbone routers could handle. But it sure would be a nice option wouldn't it? :) A source address look-aside co-processor... IOS 11.3? -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu From firewalls-owner Thu Sep 12 08:34:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA19919 for firewalls-outgoing; Thu, 12 Sep 1996 08:22:18 -0700 (PDT) Received: from dde.dde.dk (dde.dde.dk [152.95.32.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA19862 for ; Thu, 12 Sep 1996 08:21:25 -0700 (PDT) Received: by dde.dde.dk (5.61/9.3) id AA12401; Thu, 12 Sep 96 17:20:50 +0200 Received: from Knud.dde.dk by dde.dde.dk (5.61/9.3) with SMTP id AA14405; Thu, 12 Sep 96 17:20:49 +0200 Received: by Knud.dde.dk (4.1/9.7) id AA29646; Thu, 12 Sep 96 17:19:06 +0200 Message-Id: <9609121519.AA29646@Knud.dde.dk> X-Mailer: exmh version 1.6.6 3/24/96 To: lists@lina.inka.de (Bernd Eckenfels) Cc: firewalls@greatcircle.com Subject: Re: smap alternative? In-Reply-To: lists's message of Thu, 12 Sep 1996 15:20:41 +0200. Date: Thu, 12 Sep 1996 17:19:06 +0200 From: "Frederik H. Andersen" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk lists@lina.inka.de said: > I won't recommend running qmail on a firewall (although I would feel > much safer than with smapd), but I certainly recommend using qmail on > a DMZ host for receiving internet mail. How do you make this evaluation? What are your criteria?
(No criticism intended, pure interest 8-) /Frederik From firewalls-owner Thu Sep 12 08:43:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17045 for firewalls-outgoing; Thu, 12 Sep 1996 07:58:20 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA17014 for ; Thu, 12 Sep 1996 07:57:59 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id HAA14867; Thu, 12 Sep 1996 07:57:09 -0700 Received: from unknown(164.106.3.7) by mycroft via smap (V1.3mjr) id sma014863; Thu Sep 12 07:56:36 1996 Received: from VCCS#u#DOM1-Message_Server by cc.va.us with Novell_GroupWise; Thu, 12 Sep 1996 10:55:58 -0400 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 12 Sep 1996 10:58:54 -0400 From: Pam Perdue To: firewalls@greatcircle.com Subject: Firewall 1 - Problems with redirects... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings, I would like to request the assistance of this wonderful discussion group as we are completing the final phase of testing Firewall-1. The Host configuration is Firewall-1 v2.0, on Sparc 5, SUNOS v5.x with two 16mb token ring cards. The Intranet consists of remote sites which currently pass through a Crosscomm router at the remote location to a Crosscomm router at the Host location then onto token ring LAN. The problem: Remote PC on Remote Token Ring LAN attempts to access WEB server located at Host LAN and never receives data. 
Sniffed the packet and this is what we got:

Source             Destination        Summary
164.106.remote.pc  www.webserver      SYN SEQ=####, TCP D=80
www.webserver      164.106.remote.pc  SYN ACK=###, TCP D=1635
www.webserver      164.106.remote.pc  SYN ACK=###, transport retransmission, TCP D=1635
164.106.remote.pc  www.webserver      SYN ACK=###, transport retransmission, TCP D=80
www.webserver      164.106.remote.pc  SYN SEQ=###, TCP D=1635
164.106.firewall   www.webserver      ACK=####, redirect host ICMP Redirect (Redirect datagrams for the host)
www.webserver      164.106.remote.pc  2 routers to local station, TCP D=1635
www.webserver      164.106.remote.pc  URG ACK, TCP D=1635
164.106.remote.pc  www.webserver      SYN ACK, TCP D=80
www.webserver      164.106.remote.pc  SYN SEQ=###, TCP D=1635
164.106.firewall   www.webserver      ACK=###, Redirect host ICMP Redirect (Redirect datagrams for the host)
www.webserver      164.106.remote.pc  TCP D=1635
www.webserver      164.106.remote.pc  URG ACK=###, TCP D=1635
164.106.remote.pc  www.webserver      SYN ACK, TCP D=80
www.webserver      164.106.remote.pc  SYN SEQ=###, TCP D=1635
164.106.firewall   www.webserver      ACK=###, Redirect host ICMP Redirect (Redirect datagrams for the host)
(repeat above 5 lines, then barf)

Additional information: Data from WEBserver never reaches remote PC and is not visible on the Firewall-1 log viewer. Also, if the Firewall is stopped, remote pc receives data from WEBserver, yet still redirects 3 times. Any suggestions would be appreciated.
TIA, Pam Internet: SOPERDP@SO.CC.VA.US Phone: 804-225-2348 Fax: 804-371-2330 From firewalls-owner Thu Sep 12 08:44:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA20260 for firewalls-outgoing; Thu, 12 Sep 1996 08:27:43 -0700 (PDT) Received: from csdxp01 (csdxp01.City.Winnipeg.MB.CA [198.163.52.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA20249 for ; Thu, 12 Sep 1996 08:27:27 -0700 (PDT) Received: from City.Winnipeg.MB.CA (citygw.City.Winnipeg.MB.CA) by csdxp01 (5.0/SMI-SVR4) id AA26283; Thu, 12 Sep 1996 10:17:46 -0500 Received: from City_of_WPG-Message_Server by City.Winnipeg.MB.CA with Novell_GroupWise; Thu, 12 Sep 1996 10:17:43 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 12 Sep 1996 10:10:30 -0500 From: "Kenneth W. Betcher" To: firewalls@greatcircle.com Subject: "Cooltalk" / "Netmeeting" concerns? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all: I was wondering if someone would care to comment on the security concerns of using or allowing the use of Microsoft's "NETMEETING", Netscape's "COOLTALK", or similar products within the firewall? Thanks for your time; Kenneth W. Betcher kbetcher@city.winnipeg.mb.ca Nothing is obvious to those that don't look! 
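Looking back at Pam Perdue's sniffer trace two messages up: the server's SYN-ACKs are retransmitted, the firewall answers each one with an ICMP host redirect addressed to the web server, and the remote PC never sends the bare ACK that would complete the handshake. That pattern is what a handshake looks like when the server's reply goes to its default gateway and dies there. The script below is an added example for this archive, not code from any poster; it parses trace lines in the same style, tracks each TCP handshake, and reports flows that never complete together with the redirects sent to the server side. The trace embedded in it is constructed (host names are placeholders, sequence numbers are made up), and a second, healthy flow to a placeholder DNS host is included for contrast.

```python
"""Spot TCP handshakes that never complete and ICMP redirects aimed at the
server side, from a text packet trace.  Added example for this thread, not
code from any poster.  The trace below is constructed in the style of the
sniffer output in the Firewall-1 redirect report; host names are
placeholders and the sequence numbers are made up."""
import re
from collections import defaultdict

# Constructed trace: client SYN, server SYN-ACK (sent via the firewall, its
# default gateway), firewall answers with an ICMP host redirect, client never
# sees the SYN-ACK and retransmits.  The dns.example flow completes normally.
SAMPLE_TRACE = """\
164.106.remote.pc www.webserver (SYN SEQ=1000, TCP D=80)
www.webserver 164.106.remote.pc (SYN ACK=1001, TCP D=1635)
164.106.firewall www.webserver (ACK=1001, redirect host ICMP Redirect) (Redirect datagrams for the host)
www.webserver 164.106.remote.pc (SYN ACK=1001, transport retransmission, TCP D=1635)
164.106.firewall www.webserver (ACK=1001, redirect host ICMP Redirect) (Redirect datagrams for the host)
164.106.remote.pc www.webserver (SYN SEQ=1000, transport retransmission, TCP D=80)
164.106.remote.pc dns.example (SYN SEQ=2000, TCP D=53)
dns.example 164.106.remote.pc (SYN ACK=2001, TCP D=1636)
164.106.remote.pc dns.example (ACK=2001, TCP D=53)
"""

# "<src> <dst> (<details>)"; the greedy group also swallows a second
# parenthesised comment such as "(Redirect datagrams for the host)".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_line(line):
    """Return (src, dst, flags, details) or None for lines that are not packets.
    flags are the tokens before the first comma, e.g. ['SYN', 'ACK=1001']."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, details = m.groups()
    return src, dst, details.split(",")[0].split(), details


def _new_flow():
    return {"syn": 0, "synack": 0, "ack": 0, "redirects_to_server": 0}


def analyze_trace(text):
    """Per (client, server) flow: counts of SYN, SYN-ACK and final ACK, plus
    ICMP redirects addressed to the server.  Client = sender of the bare SYN."""
    flows = defaultdict(_new_flow)
    redirects = defaultdict(int)          # host -> redirects sent to it
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        src, dst, flags, details = parsed
        if "icmp redirect" in details.lower():
            redirects[dst] += 1           # the server is told to use another gateway
            continue
        syn = "SYN" in flags
        ack = any(tok.startswith("ACK") for tok in flags)
        if syn and not ack:
            flows[(src, dst)]["syn"] += 1
        elif syn and ack:
            flows[(dst, src)]["synack"] += 1
        elif ack and (src, dst) in flows:
            flows[(src, dst)]["ack"] += 1  # client's third packet: handshake done
    for (_client, server), st in flows.items():
        st["redirects_to_server"] = redirects.get(server, 0)
    return dict(flows)


def diagnose(text):
    """One finding per flow whose handshake never completed."""
    findings = []
    for (client, server), st in analyze_trace(text).items():
        if st["ack"]:
            continue
        msg = f"{client} -> {server}: handshake never completed"
        if st["synack"] > 1:
            msg += f"; server SYN-ACK sent {st['synack']} times"
        if st["redirects_to_server"]:
            msg += (f"; {st['redirects_to_server']} ICMP redirect(s) sent to {server}"
                    " (check the server's route to the client subnet)")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE):
        print(finding)
```

A redirect by itself is harmless when the gateway that sends it also forwards the original packet, which is the ordinary router behaviour and matches the report that traffic flows, redirects and all, once the firewall is stopped. The flow only stalls when the gateway that issues the redirect declines to forward, so the useful check on the server is whether its route for the remote subnet points at the firewall or at the router that actually reaches it.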
From firewalls-owner Thu Sep 12 09:36:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA21662 for firewalls-outgoing; Thu, 12 Sep 1996 08:51:46 -0700 (PDT)
Received: from ascolta1.ascoltatraining.com (ascolta1.ascolta.com [204.30.117.37]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA21653 for ; Thu, 12 Sep 1996 08:51:37 -0700 (PDT)
Received: by ascolta1.ascoltatraining.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBA089.03C07990@ascolta1.ascoltatraining.com>; Thu, 12 Sep 1996 09:01:41 -0700
Message-ID:
From: Tony Desimone
To: "'firewalls-digest@GreatCircle.COM'"
Subject: FW: Notification: Inbound Mail Failure - Address not found
Date: Thu, 12 Sep 1996 09:01:40 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please change the recipient to tdesimone@ascoltatraining.com

>----------
>From: System Administrator[SMTP:postmaster@ascoltatraining.com]
>Sent: Wednesday, September 11, 1996 8:19PM
>To: Tony Desimone
>Subject: Notification: Inbound Mail Failure - Address not found
>
>A mail message was not sent because the following address(es) could not be
>found:
>
> bsepara@ascolta.com
>
>The message that caused this notification was:
>
> To:
> From:
> Subject: Firewalls-Digest V5 #506
>
>

From firewalls-owner Thu Sep 12 09:42:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22269 for firewalls-outgoing; Thu, 12 Sep 1996 08:57:28 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA22220 for ; Thu, 12 Sep 1996 08:57:04 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id IAA15194; Thu, 12 Sep 1996 08:56:14 -0700
Received: from lexicon.ins.com(199.0.193.11) by mycroft via smap (V1.3mjr) id sma015190; Thu Sep 12 08:55:53 1996
Received: from ragans-compaq.dal.mobil.com ([158.27.188.175]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id IAA04064; Thu, 12 Sep 1996 08:51:43 -0700 (PDT)
Message-Id: <3.0b11.32.19960912103730.0070a474@lexicon.ins.com>
X-Sender: ragan@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 3.0b11 (32)
Date: Thu, 12 Sep 1996 10:48:24 -0500
To: "Mike Richichi, Systems Manager, Drew U Academic Technology"" -a"@services.britgas.co.uk, firewalls@GreatCircle.COM
From: Charles Ragan
Subject: Re: Netware/IP through a firewall
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mike,

I'd go check the following url and 'guidelines' for implementing nwip. It provides trace examples and does have other udp ports being used.

http://www.novell.com/corp/programs/ncs/toolkit/internet.html

Charles

At 03:40 PM 9/12/96 +0100, Mike Richichi, Systems Manager, Drew U Academic Technology"" -a wrote:
>We're using Netware/IP extensively throughout campus, and we may want
>to allow access to a system through an internal firewall. We've been
>doing some testing, and Novell says Netware/IP uses UDP ports 396,
>43981 and 43982, but merely enabling these as a source and
>destination port doesn't work. We've also allowed DNS (port 53 TCP
>and UDP) and TCP port 396 (the Netware server has a listener on this
>port as well.) No dice.
>
>Has anyone gotten this to work? What is Novell not telling us?
>
>--Mike
>
>--------------------
>Mike Richichi, Systems Manager, Drew University Academic Technology
>BC-COMPCEN, Madison, NJ 07940 +1 201 408 3840 FAX: +1 201 408 3816
>mrichich@drunivac.drew.edu, http://daniel.drew.edu/~mrichich
>
>

-----------------------------------------------------
Charles B. Ragan, Jr.
International Network Services            (214) 392-3545
14160 Dallas Parkway Suite 200            Charles_Ragan@ins.com
Dallas, TX 75040
Cisco Certified IE (CCIE)                 Text Page - 1-800-INS-1-INS
Master CNE                                Direct Page - 1-888-360-5812
Microsoft SE
Certified Banyan Engineer
"Semper Fi" - USMC Retired
-----------------------------------------------------

From firewalls-owner Thu Sep 12 10:22:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22355 for firewalls-outgoing; Thu, 12 Sep 1996 08:58:27 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA22294 for ; Thu, 12 Sep 1996 08:57:45 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Thu, 12 Sep 96 17:51 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 12 Sep 96 17:51 MET DST
Received: by lina id m0v1DuQ-0004k6C (Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 12 Sep 96 17:42 MET DST
Message-Id:
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: smap alternative?
To: fha@dde.dk (Frederik H. Andersen)
Date: Thu, 12 Sep 1996 17:42:29 +0200 (MET DST)
Cc: firewalls@greatcircle.com
In-Reply-To: <9609121519.AA29646@Knud.dde.dk> from "Frederik H. Andersen" at Sep 12, 96 05:19:06 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> How do you make this evaluation? What are your criteria? (No criticism
> intended, pure interest 8-)

Well, from reading the source and looking at the design. Qmail is designed to run in a few very small modules, all running with the least privileges needed. If you don't need local delivery you can even skip the root process for local delivery. The System uses no unsafe "strcpy"-like functions and it was designed to be safe.

Of course it is too large to be verified in my spare time, but I feel much safer with the qmail design than with a simple sendmail wrapper, since it is still much smaller than sendmail.

>From qmail doku:
>Security:
>* clear separation between addresses, files, and programs
>* minimization of setuid code (qmail-queue)
>* minimization of root code (qmail-start, qmail-lspawn)
>* five-way trust partitioning---security in depth
>1. Programs and files are not addresses. Don't treat them as addresses.
...
>2. Do as little as possible in setuid programs.
...
>3. Do as little as possible as root.
...
>4. Move separate functions into mutually untrusting programs.
>
>Five of the qmail programs---qmail-smtpd, qmail-send, qmail-rspawn,
>qmail-remote, and tcp-env---are not security-critical. Even if all of
>these programs are completely compromised, so that an intruder has
>control over the qmaild, qmails, and qmailr accounts and the mail queue,
>he still can't take over your system. None of the other programs trust
>the results from these five.
...
>5. Don't parse.
...
>6. Keep it simple, stupid.
...
>7. Write bug-free code.
>
>I've mostly given up on the standard C library. Many of its facilities,
>particularly stdio, seem designed to encourage bugs. A big chunk of
>qmail is stolen from a basic C library that I've been developing for
>several years for a variety of applications. The stralloc concept and
>getline2() make it very easy to avoid buffer overruns, memory leaks,
>and artificial line length limits.

And one can easily check that those design rules are applied to the actual source. The smtp-receiver for example (function is comparable to smap) is 430 lines, which is a very small self-containing module.

homepage: http://pobox.com/~djb/qmail.html
primary archive: ftp://koobera.math.uic.edu/pub/software/

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{lina.inka.de,linux.de}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)  If privacy is outlawed only Outlaws have privacy

From firewalls-owner Thu Sep 12 11:18:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA27056 for firewalls-outgoing; Thu, 12 Sep 1996 09:46:54 -0700 (PDT)
Received: from earth.usa.net (earth.usa.net [192.156.196.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA26985 for ; Thu, 12 Sep 1996 09:46:21 -0700 (PDT)
Received: from localhost (mec@localhost) by earth.usa.net (8.7.5/8.7.5) with SMTP id KAA25587; Thu, 12 Sep 1996 10:45:06 -0600 (MDT)
X-Authentication-Warning: earth.usa.net: mec owned process doing -bs
Date: Thu, 12 Sep 1996 10:45:05 -0600 (MDT)
From: "Matthew Cable/USA.NET Inc."
X-Sender: mec@earth
To: Dave Roberts
cc: Bernd Eckenfels , Firewalls Mailing List
Subject: Re: smap alternative?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 12 Sep 1996, Dave Roberts wrote:

> On Fri, 6 Sep 1996, Bernd Eckenfels wrote:
>
> > just use a secure MTA like qmail. If you take a close look at smap you will
> > see that it really doesn't do very much at all.
> > It is not very restrictive on
> > the addresses and passes a lot of insane data... I don't think it is much
> > protection.
>
> I don't agree. It prevents an external user connecting to a process that
> has the run of the system, and often with root privileges. smap is a
> nice simple process running without root. It's dumb yes - but that's its
> strength. Reads the mail, drops it into a file, and that's all. Sounds
> perfect. The address parsing etc can be taken care of later by sendmail,
> after smapd has passed the mail onto it.
>

I tend to agree with you about putting a simple wrapper smtp program to receive email. Apparently, you haven't looked at qmail though.

    root 26327 26326  0 19:17:28 ?  0:06 /usr/local/src/qmail/qmailanalog/accustamp
  qmails 26326     1  0 19:17:28 ?  0:19 qmail-send
    root 26328 26326  0 19:17:28 ?  0:01 qmail-lspawn
  qmaild  6005    99  2 10:37:35 ?  0:00 /var/qmail/bin/qmail-smtpd
  qmailq  6006  6005  1 10:37:36 ?  0:00 bin/qmail-queue
  qmailq 26330 26326  0 19:17:28 ?  0:02 qmail-clean
  qmailr 26329 26326  0 19:17:28 ?  0:16 qmail-rspawn

The only things that run as root in qmail are qmail-lspawn, which delivers to local mailboxes (which aren't kept in a common spool dir btw), and accustamp and/or logger which logs to a file, and if extremely paranoid, could run as something else (just change the owner of the logs). qmail-smtpd is a tiny little program

-rwxr-xr-x 1 root qmail 33440 Sep 6 21:04 qmail-smtpd

which doesn't run as root, so there's little to worry about from it. In addition, the coding practices of the author are EXTREMELY paranoid.

#!/usr/bin/perl -- Matthew Cable -- USA.NET -- Senior System Administrator
$fof='8a*)v2*^Gf#*5S="!jh!;F)]#T):)#&f5kR^(%!E#;0>#:|#8)#;P#80#:o#;)#;

From firewalls-owner Thu Sep 12 11:21:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA02421 for firewalls-outgoing; Thu, 12 Sep 1996 10:22:46 -0700 (PDT)
Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA01283 for ; Thu, 12 Sep 1996 10:15:21 -0700 (PDT)
Received: (from ryan@localhost) by pcslink.com (8.6.12/8.6.12) id KAA07353; Thu, 12 Sep 1996 10:12:36 -0700
From: Ryan Mooney
Message-Id: <199609121712.KAA07353@pcslink.com>
Subject: Re: Netware/IP through a firewall
To: MRICHICH@DRUNIVAC.DREW.EDU (Mike Richichi Systems Manager Drew U Academic Technology)
Date: Thu, 12 Sep 1996 10:12:35 -0700 (MST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01I9DY1WG4N8003WH2@DRUNIVAC.DREW.EDU> from "Mike Richichi, Systems Manager, Drew U Academic Technology" at Sep 12, 96 09:46:52 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Been there done that... I can give you what I have, but you can configure most of the ports... so my setup may not exactly match yours.. send me private mail if you have continuing difficulties and I can try to help you out... I'll be out most of the afternoon though...

Server1     Server2
Source      Dest
port        port        Protocol
53          53          UDP
53          53          TCP
1024:500    53          TCP
53          1024:500    TCP
396         396         UDP      (This is the actual netware IP data)

Also
1024:500    53          TCP
53          1024:500    TCP
For both servers to your main DNS server...

All of those should of course also be limited by host...

As far as ports 43981 and 43982: Yes Novell says you need them, and yes there is something there (can't remember what although I knew at one time), but I disallow them... I also allow port 213<->213, but I don't think they're necessary, I'll have to verify that when the guy on the other end of the link gets his server back up... Maybe that's the problem?

Try turning off all filtering between them and see if it works, I had a few bugaboos that made it barf rather badly due to the rather obtuse documentation.... (I'd tried specifying things that conflicted). Once you get that working you can just do a tcpdump on a machine on a segment they're on and record the source/dest ports and construct your filters appropriately. That's what I ended up doing...

Apparently you got a more clueful tech... the one I got kept saying "It uses TCP/IP on port 396", well no it really only uses UDP (at least that's all I've seen). There are some other things that you need to setup also, like I said try it without any filters (permit and to/from each machine), and see if it works... then try the filters.

> We're using Netware/IP extensively throughout campus, and we may want
> to allow access to a system through an internal firewall. We've been
> doing some testing, and Novell says Netware/IP uses UDP ports 396,
> 43981 and 43982, but merely enabling these as a source and
> destination port doesn't work. We've also allowed DNS (port 53 TCP
> and UDP) and TCP port 396 (the Netware server has a listener on this
> port as well.) No dice.
>
> Has anyone gotten this to work? What is Novell not telling us?
>
> --Mike
>
> --------------------
> Mike Richichi, Systems Manager, Drew University Academic Technology
> BC-COMPCEN, Madison, NJ 07940 +1 201 408 3840 FAX: +1 201 408 3816
> mrichich@drunivac.drew.edu, http://daniel.drew.edu/~mrichich

----------------------------------------------------------------------------
Ryan Mooney                                       Phone (602)265-9188
PCSLink              ryan@pcslink.com             Fax   (602)265-9357
Internet Services
The world needs more bitter, twisted souls. It would be a much better place.
-----------------------------------------------------------------------------

From firewalls-owner Thu Sep 12 11:52:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA05029 for firewalls-outgoing; Thu, 12 Sep 1996 10:50:16 -0700 (PDT)
Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA04963 for ; Thu, 12 Sep 1996 10:49:50 -0700 (PDT)
Received: by gateway.damark.com; id MAA21219; Thu, 12 Sep 1996 12:48:42 -0500 (CDT)
Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (V3.1) id xme021217; Thu, 12 Sep 96 12:48:34 -0500
Received: by damark.com (5.65/1.2-eef) id AA01892; Thu, 12 Sep 96 12:47:36 -0500
Message-Id: <9609121747.AA01892@damark.com>
From: "william.wells"
To: FIREWALLS
Subject: RE: SecurID White Paper - A Comment
Date: Thu, 12 Sep 96 12:47:00 +6C
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 11 Sep 1996 12:15:01 -0600, Mike Neuman wrote:
> What is the primary value of One Time Passwords? To eliminate the possibility
>that a sniffer can steal a password and reuse it. All other benefits are
>tertiary (i.e. To prevent password guessing? Most systems have limits on
>the number of guesses before an account is disabled. To prevent password
>file stealing and cracking? If your passwords are that bad, get npasswd,
>or any of the other products for VMS, IBM, NT, etc which enforce good
>passwords. For dialup? reusable passwords (which aren't transferred over the
>network in plaintext) work just fine when taken with account disabling and
>good password enforcement, AND they're a LOT cheaper than the $50/pop every
>3 years for SecureID.)

There is an intangible benefit to having OTPs and these fall into an identity area. With OTP, the person who was assigned the card knows that we have a reliable means of identifying that they, the card holder, was the one who initiated the session. They have a responsibility to assure that their kids, neighbors, office-mates, and such don't initiate sessions and that we don't expect the employee to leave the session "unattended". Does this assure that the transmissions aren't snooped or hijacked? No; but it does identify the initiator of a connection. If we detect weird stuff, we know who to start talking to. They can't say "I don't know how they got my password" since that doesn't work with OTPs. We may have to investigate further; but we have an identifiable starting point.

The other benefit is that OTPs essentially prevent the casual someone who has discovered our dial-in modem band (or Internet address) from getting through. There is a definite benefit to this which is worth the cost. Does this guarantee that we're not hacked? No. It does eliminate much of the 'noise' that I need to pay attention to. That is a significant benefit. Could we do this with encrypted static passwords or other approaches? Probably, but we've decided that the cost/benefit of OTPs makes them worth it.

William Wells
Manager, Technical Support
Damark International, Inc.
william.wells@damark.com
These are solely my opinions....

From firewalls-owner Thu Sep 12 12:15:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA11451 for firewalls-outgoing; Thu, 12 Sep 1996 11:44:41 -0700 (PDT)
Received: from ipi.smoothmove.com ([204.119.61.99]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA11399 for ; Thu, 12 Sep 1996 11:44:23 -0700 (PDT)
Received: from uncle (uncle.smoothmove.com [204.119.61.101]) by ipi.smoothmove.com (8.7.1/8.7.1) with SMTP id MAA25578 for ; Thu, 12 Sep 1996 12:19:32 -0700
Received: by uncle with Microsoft Mail id <01BBA09F.B2260160@uncle>; Thu, 12 Sep 1996 11:44:03 -0700
Message-ID: <01BBA09F.B2260160@uncle>
From: Jonathan Eggert
To: "'firewalls@GreatCircle.com'"
Subject: WatchGuard Firewall
Date: Thu, 12 Sep 1996 11:43:55 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone on this mailing list looked into the WatchGuard firewall from Seattle Software Labs? It's a new product, but they sold the Mazama Packet Filter before changing company names. I would appreciate hearing any comments about their products. The price is right, but I don't know much more about them.

Jon.
From firewalls-owner Thu Sep 12 12:21:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA08120 for firewalls-outgoing; Thu, 12 Sep 1996 11:16:20 -0700 (PDT)
Received: from mail1.inlink.com (mail1.inlink.com [206.196.96.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA08077 for ; Thu, 12 Sep 1996 11:16:08 -0700 (PDT)
Received: from pm00416.inlink.com (pm00416.inlink.com [206.196.98.112]) by mail1.inlink.com (8.7.5/V8) with SMTP id NAA02997 for ; Thu, 12 Sep 1996 13:17:22 -0500 (CDT)
Date: Thu, 12 Sep 1996 13:17:22 -0500 (CDT)
Message-Id: <199609121817.NAA02997@mail1.inlink.com>
X-Sender: isacastl@mail.inlink.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Firewalls@GreatCircle.com
From: Doug Menendez
Subject: Raptor
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for information regarding the strengths and weaknesses of the RAPTOR firewall. All comments are welcome!

Thanks.

From firewalls-owner Thu Sep 12 12:52:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA15819 for firewalls-outgoing; Thu, 12 Sep 1996 12:23:39 -0700 (PDT)
Received: from callnet.com (callnet.com [204.249.209.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA15645 for ; Thu, 12 Sep 1996 12:22:47 -0700 (PDT)
Received: from islou (ppp7.callnet.com [204.249.209.132]) by callnet.com (8.7.5/8.7.3) with SMTP id PAA20987 for ; Thu, 12 Sep 1996 15:36:33 -0400 (EDT)
Message-ID: <32386298.7CF@callnet.com>
Date: Thu, 12 Sep 1996 15:20:56 -0400
From: "Louis T. Chmielewski"
Organization: Franchise World Headquarters Inc.
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Do you know anything about Gradient's WebCrusader?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Someone just dropped a brief outline of Gradient's WebCrusader product line. I'm not exactly sure what it is. Apparently it claims to provide secure communications between the desktop and an application server or document server using security built into DCE. Does anyone know more about this product set? I am curious.

c'ya
Lou
--
Louis T. Chmielewski
Security Manager/DBA
Franchise World Headquarters
(203)877-4281 x1128

From firewalls-owner Thu Sep 12 12:59:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14986 for firewalls-outgoing; Thu, 12 Sep 1996 12:18:36 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA14965 for ; Thu, 12 Sep 1996 12:18:18 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA29245; Thu, 12 Sep 1996 12:19:55 -0700
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA12699; Thu, 12 Sep 96 12:18:16 PDT
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA12649; Thu, 12 Sep 1996 12:18:08 -0700
Message-Id: <9609121918.AA12649@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 670F06F58F3966F1882563A30069B2CE; Thu, 12 Sep 96 12:18:08 EDT
To: firewalls
From: Ryan Russell/SYBASE
Date: 12 Sep 96 12:20:40 EDT
Subject: Re: SYN floods continue (fwd)
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It can be done now with a simple access-list. Say, you've got a modem pool that has addresses in the range 199.199.199.x

access-list 100 permit ip 199.199.199.0 0.0.0.255 any
interface ethernet 1/1
 ip access-group 100 out

(or something like that... if you must correct my syntax, go ahead..)

I, too, would like to see it more of an automatic/easy option. I bet after they track this guy down, the ISP adds something like this...

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: Doug.Hughes @ Eng.Auburn.EDU (Doug Hughes) @ smtp
Date: 09/12/96 09:21:20 AM
Subject: Re: SYN floods continue (fwd)

>Geez, that's nasty. Agreed! If the attacker is doing a good enough
>job of using truly random, legal source addresses, they will
>have to track through every router, as you said. Hopefully
>there aren't too many hops between them and the attacker.
>
>If the attacker isn't being so careful about randomness, you
>might be able to take advantage of some patterns (i.e.
>ask the most likely ISPs to look for traffic from a,b and c
>to d)

Just thinking out loud here. Wouldn't it be nice if the major router vendors for the Internet (esp Cisco) had an option that you could turn on that would just disregard spoofing from an address that would normally come from another interface. Kind of a modified split horizons. The router knows which interface is the next hop to a certain network address. If it hears a source address of that interface coming from somewhere else, it should drop the packet on the floor (and possibly send a syslog message - another option)

interface serial0
ip no-source-spoofing
ip spoofing-syslog

Yes, this will take more CPU processing, possibly more than current backbone routers could handle. But it sure would be a nice option wouldn't it? :) A source address look-aside co-processor... IOS 11.3?

--
____________________________________________________________________________
Doug Hughes                                Engineering Network Services
System/Net Admin                           Auburn University
doug@eng.auburn.edu

From firewalls-owner Thu Sep 12 13:19:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09125 for firewalls-outgoing; Thu, 12 Sep 1996 11:22:39 -0700 (PDT)
Received: from ny3hpfw01.lazard.com (ny3hpfw01.lazard.com [207.19.205.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA09000 for ; Thu, 12 Sep 1996 11:21:59 -0700 (PDT)
Received: by ny3hpfw01.lazard.com; id OAA03619; Thu, 12 Sep 1996 14:11:41 -0400
Received: from ny3hpx01.lazard.com(129.1.96.201) by ny3hpfw01.lazard.com via smap (V3.1) id xma003615; Thu, 12 Sep 96 14:11:23 -0400
Received: by ny3hpx01.lazard.com (1.37.109.16/16.2-WT4.0) id AA284212839; Thu, 12 Sep 1996 14:27:19 -0400
Date: Thu, 12 Sep 1996 14:27:13 -0400
From: DykesD
Message-Id:
Subject: A GOOD WINDOWS NT NEWSGROUP???
To: firewalls@GreatCircle.COM
X400-Mts-Identifier: [ /P=LAZARD/A=TELEMAIL/C=US/ ; n\wtln01\960912142713a ]
X-Mailer: Worldtalk (4.0.1p12)/MIME
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of any really good comprehensive NT newsgroups? A group that deals with information that is helpful to a more senior analyst.

Thanks
Dale D.

From firewalls-owner Thu Sep 12 13:30:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20629 for firewalls-outgoing; Thu, 12 Sep 1996 13:10:37 -0700 (PDT)
Received: from Xenon.Stanford.EDU (Xenon.Stanford.EDU [171.64.64.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA20601 for ; Thu, 12 Sep 1996 13:10:20 -0700 (PDT)
Received: (from dechon@localhost) by Xenon.Stanford.EDU (8.7.5/8.7.1) id NAA25061 for Firewalls@GreatCircle.COM; Thu, 12 Sep 1996 13:10:30 -0700 (PDT)
From: "Marc D. Jackson"
Message-Id: <199609122010.NAA25061@Xenon.Stanford.EDU>
Subject: gauntlet 3.1
To: Firewalls@GreatCircle.COM
Date: Thu, 12 Sep 1996 13:10:29 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm trying to install a netscape proxy on the services segment of a triple-homed firewall. The product is gauntlet 3.1.1. TIS has a nifty idea of proxying a proxy with an attribute called a handoff. The command looks like this:

http-gw: handoff X.X.X.X

While this looks great on paper I'm having a difficult time making it work. I'm getting a broken pipe error msg. I've been able to verify that the request is making it to the netscape proxy server and in fact is going back to the gauntlet box, as it should. The problem appears to be that it is not continuing its journey. I have 3 questions:

a) Has anyone done anything like this w/ this product?

b) Since I got an error msg on the browser that indicated there was a broken pipe I started looking in the netperm table. I found the following:

#pipecmd
# /usr/local/etc/mgmt/ipeedit -netperm ${ip_insidiface} ${ip_outsideaddr}
#endpipecmd

I can find no documentation on the pipecmd. Does anyone know anything about this? [ Yes, I know it's commented out. I asked TIS about that too, but so far they haven't responded. ]

c) I noticed, in the logs on Gauntlet, that I was getting complaints about the forward screen. Specifically, that there wasn't an entry in the screen which matches the path b/n the proxy server and the Gauntlet machine. I tried an authenIP statement, but that doesn't seem to help. Does anyone know anything about the forward screen table on Gauntlet?

Any help would be much appreciated!

marc

From firewalls-owner Thu Sep 12 13:31:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA21857 for firewalls-outgoing; Thu, 12 Sep 1996 13:22:36 -0700 (PDT)
Received: from smartstuff.aiim.org (smartstuff.aiim.mo.md.us [198.77.178.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA21821 for ; Thu, 12 Sep 1996 13:22:19 -0700 (PDT)
Received: from aiimail.aiim.org (aiimail.aiim.org [198.77.178.3]) by smartstuff.aiim.org (8.6.10/8.6.9) with SMTP id QAA21035 for ; Thu, 12 Sep 1996 16:38:25 -0400
Received: by aiimail.aiim.org with Microsoft Mail id <3238712B@aiimail.aiim.org>; Thu, 12 Sep 96 16:23:07 EDT
From: RGRANGER
To: "'firewalls'"
Subject: RAS server security
Date: Thu, 12 Sep 96 16:17:00 EDT
Message-ID: <3238712B@aiimail.aiim.org>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everyone...I tried posting to nt-security but I didn't get much response so I'm throwing this one out to all you security experts.

I have a question about the security issues involved in putting a RAS server inside a firewall. Our current setup allows users to dial up to an NT RAS server and then they have the ability to log into our Novell network if they want. We are in the process of implementing a firewall security solution to protect our Novell network, and we are debating whether to keep the current RAS setup or to buy special encrypting dialup software. How dangerous would it be to put the RAS server inside the firewall and allow our users to continue to use it as always? What are the issues there?

Thanks! Any and all input will be appreciated.

Becky Granger
AIIM International
(301) 587-8202 x605
rgranger@aiim.org

From firewalls-owner Thu Sep 12 13:59:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA24225 for firewalls-outgoing; Thu, 12 Sep 1996 13:45:22 -0700 (PDT)
Received: from tango.lightech.com.ar (spy.lightech.com.ar [200.0.253.134]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA24142 for ; Thu, 12 Sep 1996 13:44:43 -0700 (PDT)
Received: from salsa (router1-p08.pccp.com.ar [200.0.253.24]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with SMTP id RAA15958; Thu, 12 Sep 1996 17:58:49 GMT
Message-ID: <32384E81.2E33@lightech.com.ar>
Date: Thu, 12 Sep 1996 14:55:13 -0300
From: Adrian Setton
Reply-To: asetton@lightech.com.ar
Organization: LighTech
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Hardayal Singh
CC: firewalls@greatcircle.com
Subject: Re: telnet proxy
References: <9609111941.AA00465@titan.reuter.>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If I understood correctly, you are looking for a process that relays a TCP connection from one machine to another. If this is the case, you can use passthru.c from the book Internet Security Techniques by Larry Hughes. I've used this as a basis for a program, and the code is straightforward to modify, if you need to.

Final Comment: you should add a line in order to close the input socket.

Regards ...

Hardayal Singh wrote:
>
> HI,
>
> Looks like my first one was not in English ...
>
> Well here is another try .......
>
> ________________________--
> What we have is a server running on a mach1 that writes to port1 on
> mach1 . The result is displayed as a stream of formatted on the
> screen, which issued the below command.
>
> telnet mach1 port1 (from any machine within the network) (1)
>
> What I want is to write something that will run on a machine say
> mach_A and be as ,
>
> Code|Script mach2 port2 -------(2)
>
> mach2 is an intermediate machine that will act as a buffer machine
> between mach1 and mach_A.
>
> Now the Code|Script in (2) should work such that it should get the
> same data as obtained from (1) but now coming from mach2 and port2.
>
> ______________________________________________________
> Diagram
>
>          ---------
>          mach1 (port1)
>            |
>            |
>            |
>          mach2 (port2)
>            |   (port1)
>            |
>            |
>          Any_machine (port1)
>                      (port2)
>
> --------------
> TO EXPLAIN IT ONCE AGAIN:
> We get DATA by
>
> telnet mach1 port1 (This is run from Any_machine) (1)
>
> What I want is to
>
> Code|Script mach2 port2 (This is also to run from Any_machine) (2)
>
> This Code|Script should rsh to mach2 and repeat command (1) and display
> the data to the screen on Any_machine.
>
> Any wild or domestic inputs who have done this sort of thing or any
> other available pointers.
>
> hs

--
Adrian F. Setton                  LighTech
Voice: (54-1) 420-4110            Ayacucho 563. Piso 13 Dto "A"
FAX: (54-1) 315-1343              Buenos Aires
e-mail: asetton@lightech.com.ar   Argentina
URL: http://www.lightech.com.ar

From firewalls-owner Thu Sep 12 15:23:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04384 for firewalls-outgoing; Thu, 12 Sep 1996 14:48:40 -0700 (PDT)
Received: from dns.eng.auburn.edu (dns.eng.auburn.edu [131.204.10.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA04342 for ; Thu, 12 Sep 1996 14:48:17 -0700 (PDT)
Received: from netman.eng.auburn.edu (netman.eng.auburn.edu [131.204.12.24]) by dns.eng.auburn.edu (8.7.5/8.6.4) with ESMTP id QAA06410 for ; Thu, 12 Sep 1996 16:48:14 -0500 (CDT)
From: Doug Hughes
Received: (doug@localhost) by netman.eng.auburn.edu (SMI-8.6/8.6.4) id QAA14031; Thu, 12 Sep 1996 16:48:14 -0500
Date: Thu, 12 Sep 1996 16:48:14 -0500
Subject: Re: SYN floods continue (fwd)
To: firewalls@greatcircle.com
Message-Id:
X-Mailer: TkMail 4.0beta6
In-Reply-To: <9609121918.AA12649@notesgw2.sybase.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

After some reformatting it was determined that Ryan wrote:
>>
>>Just thinking out loud here. Wouldn't it be nice if the major
>>router vendors for the Internet (esp Cisco) had an option that you
>>could turn on that would just disregard spoofing from an address
>>that would normally come from another interface. Kind of a modified
>>split horizons.
>> The router knows which interface is the next hop to a certain network
>>address. If it hears a source address of that interface coming from
>>somewhere else, it should drop the packet on the floor (and possibly
>>send a syslog message - another option)
>>
>>interface serial0
>>ip no-source-spoofing
>>ip spoofing-syslog
>>
>>Yes, this will take more CPU processing, possibly more than current
>>backbone routers could handle. But it sure would be a nice option
>>wouldn't it? :)
>> A source address look-aside co-processor...
>>IOS 11.3?
>
>It can be done now with a simple access-list.
>
>Say, you've got a modem pool that has addresses in the
>range 199.199.199.x
>
>access-list 100 permit ip any host 199.199.199.0 0.0.0.255 any
>
>int eth 1/1
>access-group 100 out
>
>(or something like that...if you must correct my syntax, go ahead..)
>

If you want to do it on a onesy-twosy basis, this is fine, but there are 10s of thousands of routes on the internet. Building access lists for all of them and binding to an interface would be horrific (as well as not handling redundant paths).

>I, too, would like to see it more of an automatic/easy
>option. I bet after they track this guy down, the ISP
>adds something like this...
>
> Ryan

I'm thinking of something like this:

A router has (for instance) 3 interfaces, s1, s2, s3. s2 has a route to network 3. Therefore, if we see a source address of network 3 coming in on either s1 or s3, it has to be bogus. Now, let's say there is a backup route (using a lower priority route metric) on interface s1. Normally, a source address of 3.X.X.X from s1 would be bogus, but if interface s2 goes down, then it would be okay. One appearing on interface s3 would still be utterly bogus. So, changes in topology would require possibly rebuilding the 'boggosity-table' which determines if a source address is valid on a particular interface or not. Yes, as I said, it would be much more CPU intensive (probably memory too).

Default configuration: routers examine the destination address and forward the packet along its way. This new option would require the router to examine the source AND the destination (+ whatever access lists may require). The source would be checked for spoofing. As someone else mentioned, this probably wouldn't work where asymmetric routing topologies were in place.

But, if the outlying leaf routers were to use it on their Internet links, and if the major providers were to use something like this (SURA, MCI, Sprint, AT&T, ANS, etc), then it would become less and less likely for this type of traffic to propagate. All you need is one router between any two places with this sort of measure in place to effectively stop the traffic.

--
____________________________________________________________________________
Doug Hughes                      Engineering Network Services
System/Net Admin                 Auburn University
                                 doug@eng.auburn.edu

From firewalls-owner Thu Sep 12 16:52:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA13629 for firewalls-outgoing; Thu, 12 Sep 1996 16:28:54 -0700 (PDT)
Received: from citadel.evolving.com (citadel.evolving.com [198.202.204.162]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA13619 for ; Thu, 12 Sep 1996 16:28:43 -0700 (PDT)
Received: from valiant.evolving.com (valiant.evolving.com [198.202.204.66]) by citadel.evolving.com (8.6.12/8.6.9) with ESMTP id RAA00967; Thu, 12 Sep 1996 17:27:58 -0600
Received: from thepound.evolving.com (thepound.evolving.com [192.124.159.19]) by valiant.evolving.com (8.6.12/8.6.9) with ESMTP id RAA18046; Thu, 12 Sep 1996 17:27:56 -0600
Received: (from rtruitt@localhost) by thepound.evolving.com (8.6.12/8.6.12) id RAA08798; Thu, 12 Sep 1996 17:27:30 -0600
From: Todd Truitt
Message-Id: <199609122327.RAA08798@thepound.evolving.com>
Subject: Re: SYN floods
To: sjg@zen.quick.com.au (Simon J. Gerraty)
Date: Thu, 12 Sep 1996 17:27:29 -0600 (MDT)
Cc: firewalls@greatcircle.com, Todd.Truitt@evolving.com
In-Reply-To: <199609121220.WAA27993@zen.quick.com.au> from "Simon J. Gerraty" at Sep 12, 96 10:20:47 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >I believe it was stated that this SYN flood came from IP packets with
> >the "Source Route" option set.
> >
> Perhaps so, but SR is not necessary unless the attacker wanted to
> receive responses, which is not needed for this sort of attack.

True, SR is not necessary. Address spoofing, which is notoriously easy to do on PCs, is a much easier way to flood a host w/ SYNs, and one which can't be stopped through filtering the "option" bits.

> > ... There should be a packet filter routine
> >which will drop ALL packets with *any* options triggered. Since,
> >typically speaking, the only reason that the IP options are used are
> >to debug or cause trouble, this might be the safest approach for a
> >firewall.
>
> All quite true. The most useful thing you can do with your Internet
> router is drop all packets with IP options and with source addresses
> from the wrong side.
>
> Sadly though, that is not enough to save you from a SYN attack.
>

From a SYN attack using spoofed addresses or just a flat out attack (in which case it would be fairly easy to track).

Perhaps a valid solution to this would be to implement cryptographic authentication between the external interfaces of the autonomous systems. What I'm trying to get at is for cisco routers (for example) to use a crypto key inside each BGP header which is based upon domain name, IP address and hardware address which will be authenticated by its neighbors as the packet traverses the next hop. If authentication fails, the packet gets dumped into the bit bucket in the sky. This way, the SYNs never become an overwhelming problem absorbing CPU cycles and bandwidth because they are dumped before they traverse the OSI stack. Bellovin touches upon cryptographic authentication in RFC 1948, but he's discussing it in the transport layer while I'm moving along the lines of testing on the network layer.

C' ya,

--Todd

From firewalls-owner Thu Sep 12 16:54:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA11261 for firewalls-outgoing; Thu, 12 Sep 1996 16:05:46 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id QAA11214 for firewalls@greatcircle.com; Thu, 12 Sep 1996 16:05:33 -0700 (PDT)
Received: from medab.se (mail.medab.se [194.198.160.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA03731 for ; Thu, 12 Sep 1996 04:16:19 -0700 (PDT)
Received: by bart.medab.se id <41473>; Thu, 12 Sep 1996 13:34:46 +0100
Date: Thu, 12 Sep 1996 13:19:36 +0100
From: Jan Rockstedt
Subject: whois port number
To: firewall
Message-Id: <96Sep12.133446gmt+0100.41473@bart.medab.se>
X-Mailer: QM-Internet Gateway 1.0.1
X-Priority: 4
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

I want to open outbound whois traffic over my firewall.
Anyone who knows what port number I should open (destination/source) for outbound proxy?

Jan Rockstedt

From firewalls-owner Thu Sep 12 17:07:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA08288 for firewalls-outgoing; Thu, 12 Sep 1996 15:33:04 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA08267 for ; Thu, 12 Sep 1996 15:32:47 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Thu, 12 Sep 1996 16:38:55 -0600
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBA0C8.17D63C00@juneau.steldyn.com>; Thu, 12 Sep 1996 16:33:13 -0600
Message-ID:
From: Chris Pugrud
To: Firewalls Mailing list
Subject: Secure Web Server?
Date: Thu, 12 Sep 1996 16:33:06 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

While we are on the subject of secure programs for firewalls, does anybody have any strong feelings for a well coded, secure web server software? I am looking for a *nix variant to run on a Linux platform. This is intended to be a very tightly locked down machine with only http, smtp, and ftp ports open. Everything else will be shut down and blocked. I have worked with the Apache product and I was satisfied with its performance, but I am wondering if there is anything else out there that is tighter and cleaner. At this point I am not using any CGI so I don't need support for that.

Chris

From firewalls-owner Thu Sep 12 17:23:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA10763 for firewalls-outgoing; Thu, 12 Sep 1996 16:01:19 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id QAA10725 for firewalls@greatcircle.com; Thu, 12 Sep 1996 16:00:59 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA11442 for ; Wed, 11 Sep 1996 14:23:13 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA14835; Wed, 11 Sep 1996 14:24:49 -0700
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA01951; Wed, 11 Sep 96 14:23:18 PDT
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA12706; Wed, 11 Sep 1996 14:23:12 -0700
Message-Id: <9609112123.AA12706@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id BE1D274D09C1C667882563A200756D74; Wed, 11 Sep 96 14:23:11 EDT
To: "'firewalls-digest@greatcircle.com'"
From: Ryan Russell/SYBASE
Date: 11 Sep 96 14:24:25 EDT
Subject: RE: SQL through firewall
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Which SQL? ( Yes...please note the domain I'm mailing from :) )

Sybase can certainly be done through the Cisco access lists, but I haven't used FWTK. I suspect it would be just fine, it's a pretty simple TCP transaction.

Ryan

---------- Previous Message ----------
To: firewalls-digest, lazear
cc:
From: CrandaJE @ Maritz.com ("Crandall, John") @ smtp
Date: 09/11/96 12:55:54 PM
Subject: RE: SQL through firewall

Sure, I do that here and it works just fine. Just plug 1521 or 1523 (whichever version of SQL*Net you are using). I use it to do cgi queries from our web server in the DMZ to an Oracle database inside the firewall.

>----------
>From: lazear@gateway.mitre.org[SMTP:lazear@gateway.mitre.org]
>Sent: Wednesday, September 11, 1996 11:46 AM
>To: firewalls-digest@greatcircle.com; lazear@gateway.mitre.org
>Subject: SQL through firewall
>
>Although we'd love to wait for the Gauntlet proxy for SQL,
>it will come too late for one customer. So, is there a way
>to get SQL through a FWTK firewall using "plug-gw"? How about
>using a Cisco router and access lists? How flexible are the
>protocols under SQL in terms of port numbers used or usable?
>Thanks for any help.
>
> Walt
>

From firewalls-owner Thu Sep 12 17:59:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23794 for firewalls-outgoing; Thu, 12 Sep 1996 17:51:44 -0700 (PDT)
Received: from citadel.evolving.com (citadel.evolving.com [198.202.204.162]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA23782 for ; Thu, 12 Sep 1996 17:51:36 -0700 (PDT)
Received: from valiant.evolving.com (valiant.evolving.com [198.202.204.66]) by citadel.evolving.com (8.6.12/8.6.9) with ESMTP id SAA03881; Thu, 12 Sep 1996 18:51:32 -0600
Received: from thepound.evolving.com (thepound.evolving.com [192.124.159.19]) by valiant.evolving.com (8.6.12/8.6.9) with ESMTP id SAA18525; Thu, 12 Sep 1996 18:51:31 -0600
Received: (from rtruitt@localhost) by thepound.evolving.com (8.6.12/8.6.12) id SAA08911; Thu, 12 Sep 1996 18:51:05 -0600
From: Todd Truitt
Message-Id: <199609130051.SAA08911@thepound.evolving.com>
Subject: Re: whois port number
To: postmaster@medab.se (Jan Rockstedt)
Date: Thu, 12 Sep 1996 18:51:05 -0600 (MDT)
Cc: Firewalls-Digest@GreatCircle.COM
In-Reply-To: <96Sep12.133446gmt+0100.41473@bart.medab.se> from "Jan Rockstedt" at Sep 12, 96 01:19:36 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I want to open outbound whois traffic over my firewall.
> Anyone who knows what port number I should open (destination/source) for
> outbound proxy?

RFC 1700: assigned port numbers.

:-)

--Todd

From firewalls-owner Thu Sep 12 18:34:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA26391 for firewalls-outgoing; Thu, 12 Sep 1996 18:21:14 -0700 (PDT)
Received: from internet (internet.dswnet.com [206.214.66.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA26341 for ; Thu, 12 Sep 1996 18:20:58 -0700 (PDT)
Received: from ntraptor (boni) by internet (5.x/SMI-SVR4) id AA08389; Thu, 12 Sep 1996 18:29:29 -0700
Message-Id: <3238B6C8.2C7C@dsw.net>
Date: Thu, 12 Sep 1996 18:20:08 -0700
From: Boni Bruno - Director of Internet Services & Security
Organization: Data Systems West
X-Mailer: Mozilla 3.0 (WinNT; I)
Mime-Version: 1.0
To: Firewalls@GreatCircle.COM
Cc: closeout@dsw.net
Subject: Re: Firewalls-Digest V5 #509
References: <199609122227.PAA07882@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Trojan Horses:

A friend sent the following from his web server running IRIX: and came across the following symbolic links in /bin.

>>
>> lrwxr-xr-x   1 root     sys           14 Jun  1 16:11 time -> ../sbin/strace*
>> lrwxr-xr-x   1 root     sys           16 Jun  1 16:11 timex -> ../sbin/strclean *
>> lrwxr-xr-x   1 root     sys           14 Jun  1 16:11 touch -> ../sbin/strerr*
>> lrwxr-xr-x   1 root     sys           15 Jun  1 16:11 tr -> ../../sbin/stty*
>> lrwxr-xr-x   1 root     sys           13 Jun  1 16:11 true -> ../../sbin/su*

Does anyone know how these symbolic links could have been created by a hacker? What are the ramifications??
Your input greatly appreciated,

co

From firewalls-owner Thu Sep 12 18:48:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA27149 for firewalls-outgoing; Thu, 12 Sep 1996 18:30:19 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA27142 for ; Thu, 12 Sep 1996 18:30:08 -0700 (PDT)
Received: from pferguso-pc.cisco.com ([171.68.52.54]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id SAA19392; Thu, 12 Sep 1996 18:29:58 -0700
Message-Id: <2.2.32.19960913012958.006cc5e4@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 12 Sep 1996 21:29:58 -0400
To: Doug Hughes
From: Paul Ferguson
Subject: Re: SYN floods continue (fwd)
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:48 PM 9/12/96 -0500, Doug Hughes wrote:

>A router has (for instance) 3 interfaces, s1, s2, s3.
>s2 has a route to network 3. Therefore, if we see a source address of
>network 3 coming in on either s1 or s3, it has to be bogus. Now, let's
>say there is a backup route (using a lower priority route metric) on
>interface s1. Normally, a source address of 3.X.X.X from s1 would be bogus,
>but if interface s2 goes down, then it would be okay. One appearing on
>interface s3 would still be utterly bogus. So, changes in topology would
>require the possibly rebuilding of the 'boggosity-table' which determines
>if a source address is valid on a particular interface or not. Yes, as I said,
>it would be much more CPU intensive (probably memory too).
>

There are certainly problems to this approach, namely the asymmetry of routing, and the sometimes unpredictable paths in which packets can traverse a network.

- paul

From firewalls-owner Thu Sep 12 18:59:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA28242 for firewalls-outgoing; Thu, 12 Sep 1996 18:45:47 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA28235 for ; Thu, 12 Sep 1996 18:45:38 -0700 (PDT)
Received: from pferguso-pc.cisco.com ([171.68.52.54]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id SAA22909; Thu, 12 Sep 1996 18:45:15 -0700
Message-Id: <2.2.32.19960913014516.006c7a34@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 12 Sep 1996 21:45:16 -0400
To: Todd Truitt
From: Paul Ferguson
Subject: Re: SYN floods
Cc: sjg@zen.quick.com.au (Simon J. Gerraty), firewalls@GreatCircle.COM, Todd.Truitt@evolving.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I continue to encourage service providers who are peering with one another to use MD5 route authentication (when possible) when establishing BGP peering. This can, at least, thwart someone clever from feeding you bogus routes. (The same functionality is available for OSPF and RIPv2 within cisco IOS.) This means that each segment sent on the TCP connection between BGP peers is verified against this hash.

Of course, this does nothing to thwart someone from flooding a given host with TCP SYN's, as these are generally passed along in the traffic stream.

This is a harder problem to solve than one would suspect.

- paul

At 05:27 PM 9/12/96 -0600, Todd Truitt wrote:
>
>Perhaps a valid solution to this would be to implement
>cryptographic authentication between the external interfaces of
>the autonomous systems. What I'm trying to get at is for
>cisco routers (for example) to use a crypto key inside each
>BGP header which is based upon domain name, IP address and hardware
>address which will be authenticated by its neighbors as the packet
>traverses the next hop. If authentication fails, the packet gets
>dumped into the bit bucket in the sky. This way, the SYNs never
>become an overwhelming problem absorbing CPU cycles and bandwidth
>because they are dumped before they traverse the OSI stack. Bellovin
>touches upon cryptographic authentication in RFC 1948, but he's
>discussing it in the transport layer while I'm moving along the
>lines of testing on the network layer.
>

--
Paul Ferguson                      ||        ||
Consulting Engineering             ||        ||
Reston, Virginia USA              ||||      ||||
tel: +1.703.716.9538          ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com      c i s c o  S y s t e m s

From firewalls-owner Thu Sep 12 19:44:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA03267 for firewalls-outgoing; Thu, 12 Sep 1996 19:36:28 -0700 (PDT)
Received: from ns.helec.co.nz (helec.co.nz [202.49.84.17]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA03246 for ; Thu, 12 Sep 1996 19:36:12 -0700 (PDT)
Received: from dev.helec.co.nz (gw.helec.co.nz [202.49.84.24]) by ns.helec.co.nz (8.7.4/8.7.3) with ESMTP id OAA26310; Fri, 13 Sep 1996 14:35:59 +1200
Received: (from john@localhost) by dev.helec.co.nz (8.8.Beta.2/8.7.3) id OAA00468; Fri, 13 Sep 1996 14:36:36 +1200
From: john@helec.co.nz (John L Hardcastle)
Message-Id: <9609131436.ZM467@dev.helec.co.nz>
Date: Fri, 13 Sep 1996 14:36:36 +0000
X-Mailer: Z-Mail (3.2.1 24feb96 Caldera)
To: firewalls@greatcircle.com
Subject: WatchGuard Firewall
Cc: John L Hardcastle
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jonathan Eggert wrote:
>Has anyone on this mailing list looked into the WatchGuard firewall from
>Seattle Software Labs?
>It's a new product, but they sold the Mazama
>Packet Filter before changing company names. I would appreciate hearing
>any comments about their products. The price is right, but I don't know
>much more about them.

Classic firewall design with extensive logging, easy GUI setup, and nice features like paging the sys admin when a site gets locked out as hostile for any number of user configurable reasons such as dangerous port, spoofing, IP options, scan detected etc.

Unashamed plug from NZ Sales/Support Agent. But you did ask. Check out http://www.sealabs.com. All further correspondence off this list to me or the folk at SSL please to avoid ruffling too many feathers on this list. (I apologize in advance to any offended persons).

--
John L Hardcastle, Director, HARDCASTLE ELECTRONICS LIMITED
P O Box 74028 Market Rd, Auckland 5
Level 7, Eden House, 44 Khyber Pass Rd, Grafton, Auckland, NEW ZEALAND
Tel +64.9.366.1502  Fax +64.9.366.1554
Internet: john@helec.co.nz  http://www.helec.co.nz/~helec

From firewalls-owner Thu Sep 12 19:59:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA04290 for firewalls-outgoing; Thu, 12 Sep 1996 19:48:52 -0700 (PDT)
Received: from atbms.achq.dnd.ca (atbms.achq.dnd.ca [131.136.222.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA04272 for ; Thu, 12 Sep 1996 19:48:38 -0700 (PDT)
Received: from rob.achq.dnd.ca ([131.136.222.102]) by atbms.achq.dnd.ca (4.1/SMI-4.1) id AA03929; Thu, 12 Sep 96 21:45:52 CDT
Message-Id: <9609130245.AA03929@atbms.achq.dnd.ca>
Comments: Authenticated sender is
From: "Rob Janzen"
Organization: 17 Wing
To: firewalls@greatcircle.com
Date: Thu, 12 Sep 1996 21:47:50 +0000
Subject: Digital Firewall for Unix
Reply-To: rob@vulcan.achq.dnd.ca
X-Mailer: Pegasus Mail for Windows (v2.23)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good morning:

I was wondering if anyone could point me towards technical info about DEC's product "Digital Firewall for UNIX". When I looked at their web pages, it seems to all be marketing hype, and the documentation I have seen seems merely to be an installation guide.

Rob Janzen

From firewalls-owner Thu Sep 12 21:14:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA11104 for firewalls-outgoing; Thu, 12 Sep 1996 20:58:46 -0700 (PDT)
Received: from baldy.worldbit.com (baldy.worldbit.com [199.4.115.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA11097 for ; Thu, 12 Sep 1996 20:58:36 -0700 (PDT)
Received: from localhost (blast@localhost) by baldy.worldbit.com (8.7.5/8.7.3) with SMTP id UAA16883; Thu, 12 Sep 1996 20:54:32 -0700 (PDT)
Date: Thu, 12 Sep 1996 20:54:32 -0700 (PDT)
From: Blast
To: Paul Ferguson
cc: firewalls@GreatCircle.COM
Subject: Re: SYN floods
In-Reply-To: <2.2.32.19960913014516.006c7a34@lint.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 12 Sep 1996, Paul Ferguson wrote:

> Of course, this does nothing to thwart someone from flooding a given
> host with TCP SYN's, as these are generally passed along in the traffic
> stream.
>
> This is a harder problem to solve than one would suspect.

First, thanks Paul for the wonderful information you have posted on this topic. This problem has kept me awake more than coffee. :-)

The only way to start to defend against this problem is at the two end points. The problem is that the only end point we know about is the "victim". So let's start there:

We are working on a daemon that will slide the kernel's timer from a normal 75 seconds waiting for the 3rd step in the handshake to 5 seconds (these numbers are not firm yet). As a host's kernel exceeds a threshold of incomplete handshakes it will start to adjust its timer (wait less) in closing these incomplete handshakes. The idea is to make the victim's host more resilient to this abnormal socket state.

IT DOES NOT GET RID OF THE PROBLEM. It just tries to manage it while alerting the sys admin. :-)

The other end point (the one of the attacker) is tricky. If it is a terminal server, then a few access-lists on the ip pool will be effective. It will be a miracle if ISP's start to do this, and let's not forget the edu, gov, and all other organizations that can be the lily pad for the attacker.

At this point, I think that it is infeasible for anything to be done given the nature of the attack other than a defensive position at the victim's host.

This SYN bomb is nothing new. I am happy in a sick way that this took place.

1) It got me off my ass to do more coding with my buddies
2) Maybe the move to IPv6 will quicken?

Thanks for your time,

--blast

 +--------------------------------------------------------------------+
 \ Tim Keanini        | "The limits of my language,                   /
 / aka blast          |  are the limits of my world."                 \
 \                    |                    --Ludwig Wittgenstein      /
  \                   +================================================/
   |Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6 |
  / PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html        \
  \                                                                    /
   +--------------------------------------------------------------------+

From firewalls-owner Thu Sep 12 22:50:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA16214 for firewalls-outgoing; Thu, 12 Sep 1996 22:40:20 -0700 (PDT)
Received: from tartarus (willard.us.newbridge.com [204.177.219.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA16206 for ; Thu, 12 Sep 1996 22:40:08 -0700 (PDT)
Received: from tartarus (tartarus.us.newbridge.com [138.120.108.65]) by tartarus (8.7.5/8.7.3) with SMTP id BAA10630; Fri, 13 Sep 1996 01:36:55 -0400 (EDT)
Date: Fri, 13 Sep 1996 01:36:54 -0400 (EDT)
From: "Roderick Murchison, Jr."
X-Sender: murchiso@tartarus
Reply-To: "Roderick Murchison, Jr."
To: firewall-1@applicom.co.il
cc: firewalls@GreatCircle.COM
Subject: Re: SYN floods - possible solution?
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 12 Sep 1996, Blast wrote: > This problem has kept me awake more than coffee. :-) Ditto... I just woke up *again* with a kludgy but potential defense... sorry if this is totally out of whack, but I'm really beat! Ok. say you have a firewall between your network and you Internet connection. If that firewall could detect and *detain* a segment with the SYN option set, then see if the set source IP answers an ICMP echo request, we could effectively determine whether or not the SYN could be dropped at the firewall and not sent through to spam our hosts. If the source responds, release the SYN and let it pass through to the intended host. If it does not, trash the SYN and log the failure. Some moderate tracking and aging methods could be employed to intelligently quick drop sources we know are recently offline, and lessen the amount of echo requests we send out. Could this be a potential defense? If so, what products would be best suited to implement this? hope this helps, -r Roderick Murchison, Jr. murchiso@vivid.newbridge.com Newbridge Networks, Inc. office: (703) 708-5930 Product Manager - VIVID ACS fax: (703) 708-5937 Herndon, VA 22070-5241 http://www.vivid.newbridge.com From firewalls-owner Thu Sep 12 23:44:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA19632 for firewalls-outgoing; Thu, 12 Sep 1996 23:30:43 -0700 (PDT) Received: from tartarus (willard.us.newbridge.com [204.177.219.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id XAA19625 for ; Thu, 12 Sep 1996 23:30:34 -0700 (PDT) Received: from tartarus (tartarus.us.newbridge.com [138.120.108.65]) by tartarus (8.7.5/8.7.3) with SMTP id CAA10945; Fri, 13 Sep 1996 02:27:28 -0400 (EDT) Date: Fri, 13 Sep 1996 02:27:25 -0400 (EDT) From: "Roderick Murchison, Jr." 
X-Sender: murchiso@tartarus
Reply-To: "Roderick Murchison, Jr." 
To: firewall-1@applicom.co.il
cc: firewalls@GreatCircle.COM
Subject: Re: SYN floods - possible solution?(update)
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Duh.. Ok, I guess successful ICMP echo requests sent from the firewall won't help us if the source port on the source IP address has been SYN bombed as well. :-)

How about this:
- firewall detects and detains a SYN
- firewall sends a SYN to the source port on the supposed source IP
- depending on the response (SYN-ACK, or deny?) or no response, we can intelligently drop the queued SYN or pass it through... and, of course, appropriately respond to a SYN-ACK if we get one. :-)
- log BOTH the success and failure of the FW-initiated SYN probes to quickly pass or deny SYNs for known entities

Making more sense? I'm damn beat, and I left my TCP/IP book at the office.

l8tr,
-r

Roderick Murchison, Jr.            murchiso@vivid.newbridge.com
Newbridge Networks, Inc.           office: (703) 708-5930
Product Manager - VIVID ACS        fax: (703) 708-5937
Herndon, VA 22070-5241             http://www.vivid.newbridge.com

From firewalls-owner Thu Sep 12 23:59:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA19708 for firewalls-outgoing; Thu, 12 Sep 1996 23:33:02 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id XAA19697 for ; Thu, 12 Sep 1996 23:32:47 -0700 (PDT)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id CAA14232; Fri, 13 Sep 1996 02:32:46 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id CAA10194; Fri, 13 Sep 1996 02:32:45 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Fri, 13 Sep 1996 02:32:45 -0400 (EDT)
From: "Paul D. Robertson" 
To: "Roderick Murchison, Jr." 
cc: firewall-1@applicom.co.il, firewalls@GreatCircle.COM
Subject: Re: SYN floods - possible solution?
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 13 Sep 1996, Roderick Murchison, Jr. wrote:

> Ok. Say you have a firewall between your network and your Internet
> connection. If that firewall could detect and *detain* a segment with the
> SYN option set, then see if the set source IP answers an ICMP echo
> request, we could effectively determine whether or not the SYN could be
> dropped at the firewall and not sent through to spam our hosts. If the
> source responds, release the SYN and let it pass through to the intended
> host. If it does not, trash the SYN and log the failure.

You run into the same problem: sooner or later you fill the hold buffer while checking, then legitimate connections are lost. Beef up the IP stack buffers, shorten timers, and increase listen queues, and you're at about the same place. Dynamically dropping timers is a good thing, IMO, as it allows slow connections when not under attack.

Meanwhile, the NSPs sniffing for this, and going after the flagrant offenders, would help, since the general attack profile is probably 800-2000 packets from different source addresses within a range of several seconds. Sniffing at the NSP leaf routers could possibly detect this pre-interface. A small PC with a couple of v.35 interfaces and some code could perhaps detect this quite easily. Then it'd just be getting the NSPs to put them on an interface for a week at a time; not as good as inbound filter rules, but perhaps not as invasive either.

Basically, it's detectable, and stoppable on the leaf routers; if the larger NSPs would get together and agree to do one or the other, perhaps it would give us enough breathing room. Maybe make it part of peering agreements. Meanwhile, perhaps the firewall vendors would consider having customers enable specific lists of outbound networks by default where applicable; can't hurt.

> 
> Some moderate tracking and aging methods could be employed to
> intelligently quick drop sources we know are recently offline, and lessen
> the amount of echo requests we send out.
> 
> Could this be a potential defense? If so, what products would be best
> suited to implement this?
> 

Not in my world, I don't allow ICMP in general.

Paul
---------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Fri Sep 13 00:44:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA23442 for firewalls-outgoing; Fri, 13 Sep 1996 00:40:01 -0700 (PDT)
Received: from sprite (sprite.acsacs.com [206.16.240.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA23418 for ; Fri, 13 Sep 1996 00:39:49 -0700 (PDT)
Date: Fri, 13 Sep 1996 00:39:53 -0700 (PDT)
From: "Daniel J Blander - Sr. Systems Engineer for ACS" 
X-Sender: phaedrus@ferrari
To: "Roderick Murchison, Jr." 
cc: firewalls@greatcircle.com
Subject: Re: SYN floods - possible solution?
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Granted that I am no underlying code expert, but can't Firewall-1's code be tweaked to do this? Since it handles all packets before they hit the actual ports, these checks can be input... and the code and header to the compile are open to "hack"...

On Fri, 13 Sep 1996, Roderick Murchison, Jr. wrote:

> Date: Fri, 13 Sep 1996 01:36:54 -0400 (EDT)
> From: Roderick Murchison, Jr. 
> To: firewall-1@applicom.co.il
> Cc: firewalls@GreatCircle.COM
> Subject: Re: SYN floods - possible solution?
> 
> On Thu, 12 Sep 1996, Blast wrote:
> > This problem has kept me awake more than coffee. :-)
> 
> Ditto... I just woke up *again* with a kludgy but potential defense...
> sorry if this is totally out of whack, but I'm really beat!
> 
> Ok. Say you have a firewall between your network and your Internet
> connection. If that firewall could detect and *detain* a segment with the
> SYN option set, then see if the set source IP answers an ICMP echo
> request, we could effectively determine whether or not the SYN could be
> dropped at the firewall and not sent through to spam our hosts. If the
> source responds, release the SYN and let it pass through to the intended
> host. If it does not, trash the SYN and log the failure.
> 
> Some moderate tracking and aging methods could be employed to
> intelligently quick drop sources we know are recently offline, and lessen
> the amount of echo requests we send out.
> 
> Could this be a potential defense? If so, what products would be best
> suited to implement this?
> 
> hope this helps,
> -r
> 
> Roderick Murchison, Jr.            murchiso@vivid.newbridge.com
> Newbridge Networks, Inc.           office: (703) 708-5930
> Product Manager - VIVID ACS        fax: (703) 708-5937
> Herndon, VA 22070-5241             http://www.vivid.newbridge.com
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander =8^)            Sr. Systems Engineer
                               Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800          Fax: (714) 842.8299
Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Official Applied Computer Solutions Home Page and Tech Tip of the Week:
http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Fri Sep 13 02:59:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA02250 for firewalls-outgoing; Fri, 13 Sep 1996 02:48:58 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA02243 for ; Fri, 13 Sep 1996 02:48:41 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id CAA18829; Fri, 13 Sep 1996 02:47:51 -0700
Received: from whale.gu.kiev.ua(193.124.51.77) by mycroft via smap (V1.3mjr) id sma018788; Fri Sep 13 02:45:57 1996
Received: from creator.gu.kiev.ua (stesin@creator.gu.kiev.ua [193.124.51.73]) by whale.gu.kiev.ua (8.7.5/8.7.3) with SMTP id MAA44164; Fri, 13 Sep 1996 12:32:01 +0300
Date: Fri, 13 Sep 1996 12:32:26 +0300 (EET DST)
From: Andrew Stesin 
X-Sender: stesin@creator.gu.kiev.ua
To: Michael Dillon 
cc: firewalls@greatcircle.com, freebsd-hackers@freebsd.org
Subject: Re: SYN floods - possible solution? (fwd)
In-Reply-To: 
Message-ID: 
X-NCC-RegID: ua.gu
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: Thu, 12 Sep 1996 23:33:39 -0700 (PDT)
> From: Michael Dillon 
> 
> Now here is something that could be used by sites to protect against SYN
> flood attacks assuming that they can build a special custom box with
> enough RAM to buffer the sockets for 30 seconds or more. How high a rate
> can SYN floods come in at?

I think ICMP-based solutions won't work.
But assume the following: we take a PC with plenty of RAM and a customized BSD kernel, which works as a packet filter. What we can do with it -- we can teach it to do "spoofing+buffering" of TCP handshakes for a whole network behind it. The following chain of events will take place in time:

           ------------------- "Acting persons" --------------------------
  T        Client                  "Spoofer"                  Protected
  i        (attacker?)             firewall                   server
  m
  e
  |
  V
  1.  Sends SYN to protected    Queues SYN as if it         Knows nothing :)
      server.                   was destined to it
                                (just to another queue?)
                                Sends SYN/ACK to client
                                claiming to be the server,
                                sets a timeout to wait
                                for response.

  #if (client is valid)

  2.  Continues with TCP        Sends SYN to server,        Gets 1st SYN,
      connection.               claiming to be the client.  sends SYN/ACK
                                                            to client.

  3.  Waits                     Silently "eats" the SYN/ACK Waits
                                the server sent, caches
                                the connection as
                                "valid, established"
                                for passing it through
                                later on. Passes the
                                continuation packet
                                to the server.

  4.  Works as usual            Passes valid connection     Works as usual
                                through.

  #else /* SYN/flood attack -- queue timeout expired */

  2'. ??? (who cares?)          Drops bad SYN away          Still knows nothing

  #endif

How to implement this? I'm just starting to check out exactly this, but as far as I know, Darren Reed's latest IPfilter is able to do some really sophisticated filtering, and (!) is able today to pass packets to an external user-space program. Some time coding that external program for your pet FreeBSD box -- and you may even store all those nasty SYNs to a disk queue file! 8-) (Berkeley DB comes to mind -- very suitable for the purpose!)

> I've heard of 1,000 per sec which implies that
> this box needs to hold open 30,000 to 75,000 potential sockets. Is there
> any problem within IPv4 (seq #'s?) that would make this inherently
> impossible?

200MHz P5, 2 PCI NICs, 256+ Mb RAM, fast SCSI disk subsystem, + intelligent OS with intelligent packet filter. That's today's firewall of choice for many people, anyway.

What do you people think? This should (might?) work...
> 
> Michael Dillon - ISP & Internet Consulting
> Memra Software Inc. - Fax: +1-604-546-3049
> http://www.memra.com - E-mail: michael@memra.com
> 

Best,
Andrew Stesin

From firewalls-owner Fri Sep 13 03:59:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA04476 for firewalls-outgoing; Fri, 13 Sep 1996 03:42:44 -0700 (PDT)
Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA04446 for ; Fri, 13 Sep 1996 03:41:03 -0700 (PDT)
Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Fri, 13 Sep 96 12:37 MET DST
Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 13 Sep 96 12:37 MET DST
Received: by lina id m0v1V5f-0004k6C (Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 13 Sep 96 12:03 MET DST
Message-Id: 
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: SYN floods - possible solution?
To: murchiso@vivid.newbridge.com
Date: Fri, 13 Sep 1996 12:03:14 +0200 (MET DST)
Cc: firewall-1@applicom.co.il, firewalls@GreatCircle.COM
In-Reply-To:  from "Roderick Murchison, Jr." at Sep 13, 96 01:36:54 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Ok. Say you have a firewall between your network and your Internet
> connection. If that firewall could detect and *detain* a segment with the
> SYN option set, then see if the set source IP answers an ICMP echo
> request, we could effectively determine whether or not the SYN could be
> dropped at the firewall and not sent through to spam our hosts.

This will increase connection establishment latency (by at least 2xRTT) and won't buy you very much, since the firewall needs to limit the slots for open SYN-sockets the same way the host does. (If it doesn't, you can flood the firewall's memory with SYN attacks, which is an old method to crash Sun hosts.)

I agree that it can help the situation a little bit. But much better is:

a) large backlog (at the listen call)
b) recycle slots
c) usermode daemon to notify admin

Greetings
Bernd

-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy

From firewalls-owner Fri Sep 13 04:14:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA04867 for firewalls-outgoing; Fri, 13 Sep 1996 04:01:12 -0700 (PDT)
Received: from sums2.rdg.ac.uk (sums2.rdg.ac.uk [134.225.44.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA04859 for ; Fri, 13 Sep 1996 04:00:53 -0700 (PDT)
Received: from suma3.rdg.ac.uk (actually host suma3-e3.rdg.ac.uk) by sums2.rdg.ac.uk with ESMTP; Fri, 13 Sep 1996 12:00:02 +0100
Received: from localhost by suma3.rdg.ac.uk (8.7.5/8.7.3) with SMTP id LAA27952; Fri, 13 Sep 1996 11:59:59 +0100 (BST)
Date: Fri, 13 Sep 1996 11:59:58 +0100 (BST)
From: John Stumbles 
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #510
In-Reply-To: <199609130800.BAA24816@miles.greatcircle.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: text/PLAIN; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 13 Sep 1996, Firewalls-Digest wrote:

> ------------------------------
> 
> Date: Fri, 13 Sep 1996 01:36:54 -0400 (EDT)
> From: "Roderick Murchison, Jr." 
> Subject: Re: SYN floods - possible solution?
> 
> On Thu, 12 Sep 1996, Blast wrote:
> > This problem has kept me awake more than coffee. :-)
> 
> Ditto... I just woke up *again* with a kludgy but potential defense...
> sorry if this is totally out of whack, but I'm really beat!
> 
> Ok. Say you have a firewall between your network and your Internet
> connection. If that firewall could detect and *detain* a segment with the
> SYN option set, then see if the set source IP answers an ICMP echo
> request, we could effectively determine whether or not the SYN could be
> dropped at the firewall and not sent through to spam our hosts. If the
> source responds, release the SYN and let it pass through to the intended
> host. If it does not, trash the SYN and log the failure.

--- 8< ---

This is probably a goofy newbie howler but here goes:

My (probably flawed :) understanding is that the trick to the SYN attack is that because the source address is unreachable (a reachable host would respond with a RST) the TCP layer keeps waiting, tying up resources in the kernel, and succumbing to the attack. (How am I doing so far?)

Why does it do this? If the IP layer 'knows' the source is unreachable (because its SYN/ACK gets an ICMP unreachable back) couldn't it pass the message up to the TCP layer, and then TCP could abort the connection attempt, free up its resources, and stay in business? Would this break some other aspect of TCP? If not, would it be possible to code - or, more to the point, to patch existing code?

Just my two-penn'orth :-)

-- 
John Stumbles                                   j.d.stumbles@reading.ac.uk
Computer Services, University of Reading        http://www.rdg.ac.uk/~suqstmbl
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
I'm sorry Dave - an error has occurred in module PodBayDoor::Open
Quit all programs, and then restart your mission.
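The handshake-"spoofing" firewall in Andrew Stesin's table earlier in this thread, worked through as an added example. This is not code from the thread, from IPfilter or from any of the posters: it is a simulation of the exchange the table describes. The box in front of the protected server answers each client SYN itself, keeps the detained entry in its own bounded hold queue, and only performs the real handshake with the server once the client has proved it is reachable by ACKing the proxy's SYN/ACK. Entries that are never ACKed expire (step 2' of the table), and a SYN that arrives while the queue is full is dropped, which is exactly the limit Bernd Eckenfels points out: the proxy has to bound its SYN slots the same way the host does, so a legitimate client arriving during a flood can still lose. The addresses, the 4-slot queue, the 30-second timeout and the sequence numbers are all constructed for the example.

```python
"""Added example: simulation of a SYN-"spoofing" proxy in front of a server.
Not code from the thread; addresses, queue size and timeout are constructed."""
import itertools
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flag seq ack")
SERVER_IP = "203.0.113.5"  # constructed address of the protected server


class Server:
    """The protected host: an ordinary listener holding half-open entries."""

    def __init__(self):
        self.half_open = {}       # client -> server ISN, waiting for the final ACK
        self.established = set()  # clients whose handshake completed
        self._isn = itertools.count(5000)

    def receive(self, pkt):
        if pkt.flag == "SYN":
            isn = next(self._isn)
            self.half_open[pkt.src] = isn
            return Packet(pkt.dst, pkt.src, "SYN-ACK", isn, pkt.seq + 1)
        if pkt.flag == "ACK" and pkt.src in self.half_open:
            if pkt.ack == self.half_open[pkt.src] + 1:
                del self.half_open[pkt.src]
                self.established.add(pkt.src)
        return None


class SynProxy:
    """Step 1 of the table: queue the SYN and answer on the server's behalf."""

    def __init__(self, server, max_pending=4, timeout=30.0):
        self.server = server
        self.max_pending = max_pending  # slots in the hold buffer for detained SYNs
        self.timeout = timeout          # seconds to wait for the client's ACK
        self.pending = {}               # client -> (deadline, proxy ISN)
        self.validated = set()          # clients already handed to the server
        self.to_client = []             # what the proxy sends back toward the Internet
        self.expired = 0                # detained SYNs that timed out (flood profile)
        self.dropped_full = 0           # SYNs refused because the hold buffer was full
        self._isn = itertools.count(9000)

    def expire(self, now):
        """Step 2': the timeout ran out, drop the bad SYN; the server never saw it."""
        for client, (deadline, _) in list(self.pending.items()):
            if now >= deadline:
                del self.pending[client]
                self.expired += 1

    def inbound(self, pkt, now):
        self.expire(now)
        if pkt.src in self.validated:            # step 4: established, pass it through
            return self.server.receive(pkt)
        if pkt.flag == "SYN":
            if pkt.src in self.pending:          # retransmit of a SYN we already hold
                return None
            if len(self.pending) >= self.max_pending:
                self.dropped_full += 1           # hold buffer full: even a real client loses
                return None
            isn = next(self._isn)
            self.pending[pkt.src] = (now + self.timeout, isn)
            # claim to be the server; the server itself still "knows nothing"
            self.to_client.append(Packet(pkt.dst, pkt.src, "SYN-ACK", isn, pkt.seq + 1))
            return None
        if pkt.flag == "ACK" and pkt.src in self.pending:
            _, isn = self.pending[pkt.src]
            if pkt.ack != isn + 1:               # not a reply to our SYN/ACK
                return None
            del self.pending[pkt.src]
            # steps 2-3: the client is reachable, so open the connection to the
            # server claiming to be the client and eat the server's SYN/ACK ourselves.
            # (A real implementation must also translate sequence numbers between
            # the two halves of the connection; this simulation skips that.)
            syn_ack = self.server.receive(Packet(pkt.src, pkt.dst, "SYN", pkt.seq - 1, 0))
            self.server.receive(Packet(pkt.src, pkt.dst, "ACK", pkt.seq, syn_ack.seq + 1))
            self.validated.add(pkt.src)
        return None


def legitimate_client(proxy, client="192.0.2.10", now=0.0):
    """A reachable client: SYN, wait for the (proxy's) SYN/ACK, then ACK it."""
    proxy.inbound(Packet(client, SERVER_IP, "SYN", 100, 0), now)
    replies = [p for p in proxy.to_client if p.dst == client and p.flag == "SYN-ACK"]
    if not replies:                  # our SYN was dropped: no SYN/ACK ever came back
        return False
    proxy.inbound(Packet(client, SERVER_IP, "ACK", 101, replies[-1].seq + 1), now + 0.1)
    return client in proxy.server.established


def spoofed_flood(proxy, count, now=0.0):
    """SYNs from forged sources (constructed): nobody ever answers the SYN/ACKs."""
    for i in range(count):
        proxy.inbound(Packet(f"198.51.100.{i + 1}", SERVER_IP, "SYN", 100, 0), now)
    proxy.expire(now + proxy.timeout)   # let the detained SYNs age out
    return len(proxy.server.half_open)  # half-open entries the server itself holds


if __name__ == "__main__":
    srv = Server()
    proxy = SynProxy(srv, max_pending=4, timeout=30.0)
    print("legitimate client established:", legitimate_client(proxy))
    print("server half-open after flood:", spoofed_flood(proxy, 10, now=1.0))
    print("proxy expired / dropped-full:", proxy.expired, proxy.dropped_full)
```

Run it and the server never accumulates half-open entries from the forged sources; they sit in the proxy's queue until the timeout and are counted as expired, with the overflow counted as dropped. The second scenario in the tests shows the other side of the coin: while the four slots are full of unexpired forged SYNs, a real client's SYN is dropped too, and only succeeds once the queue has aged out.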
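Paul Robertson's suggestion earlier in the thread, that a "small PC with a couple of v.35 interfaces and some code" at an NSP leaf router could spot a flood leaving a customer site, and that customers should enable a list of their own outbound networks, worked through as an added example. This is not code from the thread or from any product the posters mention. It applies two checks to the traffic a site sends out: a source address outside the site's assigned prefixes is forged and is dropped, and a burst of SYNs from many different source addresses toward one destination inside a short window matches the attack profile he gives (hundreds to thousands of packets from different sources within several seconds). The same source-address check on leaf subnets comes up again later in this thread. The customer prefix, the 800-sources-in-5-seconds threshold and the sample trace are constructed for the example.

```python
"""Added example: leaf-router checks on outbound traffic. Not code from the
thread; prefixes, thresholds and the trace lines are constructed."""
import ipaddress
from collections import Counter, defaultdict, deque

# Assumed: the customer site owns exactly this address space.
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def source_is_local(src, prefixes=CUSTOMER_PREFIXES):
    """True if a packet's source address belongs to the customer site."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


class LeafMonitor:
    """Per-destination sliding window over outbound SYNs, counting distinct sources."""

    def __init__(self, prefixes=CUSTOMER_PREFIXES, window=5.0, distinct_threshold=800):
        self.prefixes = prefixes
        self.window = window                  # seconds
        self.threshold = distinct_threshold   # distinct sources inside one window
        self._events = defaultdict(deque)     # dst -> deque of (ts, src)
        self._sources = defaultdict(Counter)  # dst -> sources currently in the window
        self.forged = 0
        self.flooded = set()

    def observe(self, ts, flag, src, dst):
        """Classify one outbound packet; returns the tags it earned."""
        tags = []
        if not source_is_local(src, self.prefixes):
            self.forged += 1
            tags.append("drop-forged-source")
        if flag != "SYN":
            return tags
        events, sources = self._events[dst], self._sources[dst]
        events.append((ts, src))
        sources[src] += 1
        while events and events[0][0] < ts - self.window:   # slide the window forward
            _, old_src = events.popleft()
            sources[old_src] -= 1
            if sources[old_src] == 0:
                del sources[old_src]
        if len(sources) >= self.threshold:
            self.flooded.add(dst)
            tags.append("syn-flood")
        return tags


def parse_line(line):
    """'1.234 SYN 192.0.2.17 > 203.0.113.5:80' -> (1.234, 'SYN', '192.0.2.17', '203.0.113.5')"""
    ts, flag, src, _, dst = line.split()
    return float(ts), flag, src, dst.rsplit(":", 1)[0]


def scan(lines, monitor=None):
    """Run a trace through the monitor and summarise what it found."""
    monitor = monitor or LeafMonitor()
    tags = Counter(t for line in lines for t in monitor.observe(*parse_line(line)))
    return {"packets": len(lines), "forged": monitor.forged,
            "flooded": sorted(monitor.flooded), "tags": dict(tags)}


def normal_trace():
    """Constructed: ordinary traffic from the site's own hosts."""
    return ["0.000 SYN 192.0.2.17 > 203.0.113.5:80",
            "0.400 ACK 192.0.2.17 > 203.0.113.5:80",
            "2.100 SYN 192.0.2.23 > 203.0.113.9:25"]


def flood_trace(count=1000, spacing=0.002):
    """Constructed: a flood leaving the site, every SYN with a different forged source."""
    return [f"{1.0 + i * spacing:.3f} SYN 172.16.{i // 250}.{i % 250 + 1} > 203.0.113.5:80"
            for i in range(count)]


if __name__ == "__main__":
    print("normal:", scan(normal_trace()))
    print("flood: ", scan(flood_trace()))
```

On the constructed flood every packet fails the prefix check on its own, so the forged-source rule alone would have stopped it at the leaf; the burst detector is the fallback for an attacker who forges addresses from inside the customer's own range, which is why the two checks are kept independent. Spread the same thousand SYNs over a thousand seconds and the window never holds enough distinct sources to trip the alarm, as the last assertion in the tests shows.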
From firewalls-owner Fri Sep 13 04:59:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA08381 for firewalls-outgoing; Fri, 13 Sep 1996 04:53:30 -0700 (PDT)
Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA08373 for ; Fri, 13 Sep 1996 04:53:16 -0700 (PDT)
Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id EAA01686; Fri, 13 Sep 1996 04:39:14 -0700
Date: Fri, 13 Sep 1996 04:39:14 -0700 (PDT)
From: Robert Hanson 
To: Andrew Stesin 
cc: firewalls@GreatCircle.COM, freebsd-hackers@freebsd.org
Subject: Re: SYN floods - possible solution? (fwd)
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 13 Sep 1996, Andrew Stesin wrote:

> 
> 
> #else /* SYN/flood attack -- queue timeout expired */
> 
> 2'. ??? (who cares?)        Drops bad SYN away        Still knows
>                                                       nothing

snip

> > I've heard of 1,000 per sec which implies that
> > this box needs to hold open 30,000 to 75,000 potential sockets. Is there
> > any problem within IPv4 (seq #'s?) that would make this inherently
> > impossible?
> 
> 200MHz P5, 2 PCI NICs, 256+ Mb RAM,
> fast SCSI disk subsystem, + intelligent OS with
> intelligent packet filter. That's a today's firewall
> of choice for many people, anyway.
> 
> What do you people think? This should (might?) work...
> 
> Andrew Stesin

I'm thinking DEC Alpha with a 64-bit OS... is there 64-bit FreeBSD coming? Evidently Linus is working on Linux/Alpha... IMHO Pentiums are a consumer class product (read affordable for most).... my observations are that other than "basic" affordability Pentium stuff isn't really scalable... every new chip only affords the "price" hosabilty cycle all over again for the mfgs.... what makes Pentiums fly is good BSD and Linux hackers... go with the idea if it is fairly easily implementable though... good luck, nuff said...

---> Robert H. Hanson
LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa.
Cutting Edge Communications   www.cet.com   (509) 927-9541
finger: info@cet.com or email: roberth@cet.com

From firewalls-owner Fri Sep 13 05:47:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA09328 for firewalls-outgoing; Fri, 13 Sep 1996 05:11:03 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA09306 for ; Fri, 13 Sep 1996 05:10:43 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id FAA19164; Fri, 13 Sep 1996 05:09:53 -0700
Received: from flow.mail.pipex.net(158.43.128.6) by mycroft via smap (V1.3mjr) id sma019162; Fri Sep 13 05:09:50 1996
Received: from mailhost.ashridge.org.uk by flow.mail.pipex.net with SMTP (PP); Fri, 13 Sep 1996 13:04:23 +0100
Received: from ccMail by mailhost.ashridge.org.uk (IMA Internet Exchange 1.04b) id 2393f8d0; Fri, 13 Sep 96 12:03:41 +0100
Mime-Version: 1.0
Date: Fri, 13 Sep 1996 13:04:13 +0100
Message-ID: <2393f8d0@ashridge.org.uk>
From: Mike.Baxter@ashridge.org.uk (Mike Baxter)
Subject: Re[2]: SYN floods - possible solution? (fwd)
To: Andrew Stesin 
Cc: firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> 200MHz P5, 2 PCI NICs, 256+ Mb RAM,
> fast SCSI disk subsystem, + intelligent OS with
> intelligent packet filter. That's a today's firewall
> of choice for many people, anyway.
> Best, Andrew Stesin

Hi,

Sorry if I am being a bit thick, but why so much RAM? Surely a firewall takes packets in and then passes them on. With this amount of RAM I am beginning to think that I have missed something!
:-)

Mike Baxter

From firewalls-owner Fri Sep 13 06:03:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA11526 for firewalls-outgoing; Fri, 13 Sep 1996 05:50:18 -0700 (PDT)
Received: from zeus.uniandes.edu.co (zeus.uniandes.edu.co [157.253.1.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA11505 for ; Fri, 13 Sep 1996 05:50:00 -0700 (PDT)
Received: by zeus.uniandes.edu.co (AIX 4.1/UCB 5.64/4.03) id AA26956; Fri, 13 Sep 1996 07:41:26 -0500
Posted-Date: Fri, 13 Sep 1996 07:41:26 -0500 (EST)
Date: Fri, 13 Sep 1996 07:41:26 -0500 (EST)
From: Juan Carlos Paez 
To: firewalls@greatcircle.com
Subject: Mail Problem
Message-Id: 
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi !

We are having a problem with our Internet mail. We use either the Netscape mail client or the Microsoft Mail client and we have the same problem. I can send an e-mail using another e-mail account as the sender. The person to whom the mail was sent will receive it as if it were sent by the e-mail account that I am trying to supplant. As you can see this is a big problem, because someone can send mails in my name as easily as going to the mail options of the browser they are using, and can cause big problems.

Can anyone out there give me any hint about how to solve this? You can answer directly to my e-mail address: jpaez@zeus.uniandes.edu.co

Thanks,
Juan

From firewalls-owner Fri Sep 13 06:26:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA10041 for firewalls-outgoing; Fri, 13 Sep 1996 05:22:19 -0700 (PDT)
Received: from brahma.iitm.ernet.in (brahma.iitm.ernet.in [144.16.224.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA09767 for ; Fri, 13 Sep 1996 05:18:05 -0700 (PDT)
Received: from localhost by brahma.iitm.ernet.in; (5.65/1.1.8.2/07Feb96-0917AM) id AA00662; Fri, 13 Sep 1996 14:52:26 +0530
Date: Fri, 13 Sep 1996 14:52:23 +0530 (IST)
From: Natchu Vishnu Priya 
To: "Roderick Murchison, Jr." 
Cc: firewall-1@applicom.co.il, firewalls@greatcircle.com
Subject: Re: SYN floods - possible solution?(update)
In-Reply-To: 
Message-Id: 
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 13 Sep 1996, Roderick Murchison, Jr. wrote:

> Duh.. Ok, I guess successful ICMP echo requests sent from the firewall
> won't help us if the source port on the source ip address has been SYN
> bombed as well. :-)
> 
> How about this:
> - firewall detects and detains a SYN
> - firewall sends a SYN to the source port on the supposed source IP
> - depending on the response (SYN-ACK, or deny?) or no response, we can
> intelligently drop the queued SYN or pass it through... and, of course,
> appropriately respond to a SYN-ACK if we get one. :-)
> - log BOTH the success and failure of the FW initiated SYN probes to
> quickly pass or deny SYN's for known entities

Wow.. aren't we running the risk of starting a SYN war? Your FW does this, my FW does the same, and Mr. hacker sends you a SYN with my source IP.. hey, in fact.. if I send you a legitimate SYN what happens.. you send me a SYN, I send you a SYN, ad inf... when do the SYN-ACKs start.... how do I get out of the loop?

> Making more sense? I'm damn beat, and I left my TCP/IP book at the
> office.

and I left mine at home... but I'm missing something.. ;-)

-vishnu
_______________________________________________________
Vishnu Priya Natchu                 System Administrator
225, Saraswathi,                    Network Systems Lab,
IIT Madras 600 036                  Computer Science & Engg.
INDIA                               IIT Madras
91-44-235-1889                      91-44-235-1921
_______________________________________________________
Email: mailto:vishnu@brahma.iitm.ernet.in
WWW page: http://brahma.iitm.ernet.in/~vishnu
_______________________________________________________

From firewalls-owner Fri Sep 13 07:21:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15732 for firewalls-outgoing; Fri, 13 Sep 1996 06:42:28 -0700 (PDT)
Received: from lokkur.dexter.mi.us (lokkur.dexter.mi.us [148.59.2.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA15713 for ; Fri, 13 Sep 1996 06:42:06 -0700 (PDT)
Received: (from scs@localhost) by lokkur.dexter.mi.us (8.7.5/8.7.5/lokkur-1.1-scs) id JAA00452; Fri, 13 Sep 1996 09:42:02 -0400 (EDT)
To: firewalls@GreatCircle.COM
Path: lokkur.dexter.mi.us!not-for-mail
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Newsgroups: local.firewalls
Subject: Re: SYN floods - possible solution?(update)
Date: 13 Sep 1996 09:42:02 -0400
Organization: Inland Sea
Lines: 15
Distribution: local
Message-ID: <51boba$e1@lokkur.dexter.mi.us>
References: 
X-Newsreader: NN version 6.5.0 CURRENT #2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Roderick Murchison, Jr."  writes:

>How about this:
>- firewall detects and detains a SYN
>- firewall sends a SYN to the source port on the supposed source IP

And if someone sends a SYN flood to you with the return address of the machine they really want to hose? Or better yet, sends 100 small floods to 100 machines like that, all with the return address of the machine they really want to hose?

-- 
"Yea, the heavens shall open and the NP-complete solution given forth.
ATT executives shall give birth to two-headed operating systems, and copyrights shall be expunged. The voice of the GNU shall be heard, but the faithless will be without transceivers." -- me

From firewalls-owner Fri Sep 13 07:29:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA16824 for firewalls-outgoing; Fri, 13 Sep 1996 06:53:07 -0700 (PDT)
Received: from phenix.ireq.ca (phenix.ireq.ca [204.19.49.15]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA16804 for ; Fri, 13 Sep 1996 06:52:55 -0700 (PDT)
Received: from fragmi (fragmi.ireq.ca [204.19.52.41]) by phenix.ireq.ca with SMTP id JAA21689 (8.6.12/IDA-1.6); Fri, 13 Sep 1996 09:52:50 -0400
Message-ID: <32396657.7577E138@ireq.ca>
Date: Fri, 13 Sep 1996 09:49:11 -0400
From: Wayne Veilleux 
Organization: IREQ
X-Mailer: Mozilla 3.0 (X11; I; Linux 2.0.17 i586)
MIME-Version: 1.0
Newsgroups: comp.os.linux.networking,comp.sys.sun.admin
CC: veilleux@ireq.ca, martino@ireq.ca, audet@ireq.ca, firewalls@GreatCircle.COM, sparclinux@vger.rutgers.edu
Subject: SparcLinux/OS for a secure bastion host !
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

I need your opinion about using SparcLinux/OS to build a secure bastion host on a DMZ (demilitarized zone) in a corporate firewall. We bought Blackhole 3.0 from MilkyWay Networks as our firewall software. We now need to install a DNS server, an FTP server, and a Web server on our public network. We have the Rembrandt distribution from RedHat for SparcLinux with kernel version 2.0.17.

Do you think SparcLinux is stable enough to be a bastion host running the Apache Web server, the wu-ftpd FTP server and the bind-4.9.4 DNS server? Or is it more stable and secure with SunOS 4.1.3 or Solaris 2.5?

Anyone who has had bad stability experiences with SparcLinux, please let me know...

Thanks for any help.

Bye.

-- 
---------------- http://www.ireq.ca/~veilleux ----------------
Wayne Veilleux, ing.              veilleux@ireq.ca
IREQ (Hydro-Quebec)               Tel: +1 514 652-8074
Network Administrator             Fax: +1 514 652-8309

From firewalls-owner Fri Sep 13 08:02:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA16884 for firewalls-outgoing; Fri, 13 Sep 1996 06:53:29 -0700 (PDT)
Received: from mx.serv.net (mx.serv.net [199.201.191.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA16825 for ; Fri, 13 Sep 1996 06:53:08 -0700 (PDT)
Received: from MindBender.serv.net by mx.serv.net (8.7.5/SERV Revision: 2.30) id GAA14332; Fri, 13 Sep 1996 06:53:02 -0700 (PDT)
Received: from localhost.HeadCandy.com (michaelv@localhost.HeadCandy.com [127.0.0.1]) by MindBender.serv.net (8.7.5/8.7.3) with SMTP id GAA02501; Fri, 13 Sep 1996 06:52:35 -0700 (PDT)
Message-Id: <199609131352.GAA02501@MindBender.serv.net>
X-Authentication-Warning: MindBender.serv.net: Host michaelv@localhost.HeadCandy.com [127.0.0.1] didn't use HELO protocol
To: Robert Hanson 
cc: Andrew Stesin , firewalls@greatcircle.com, freebsd-hackers@freebsd.org
Subject: Re: SYN floods - possible solution? (fwd)
In-reply-to: Your message of Fri, 13 Sep 96 04:39:14 -0700.
Date: Fri, 13 Sep 1996 06:52:35 -0700
From: "Michael L. VanLoon -- HeadCandy.com" 
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> > I've heard of 1,000 per sec which implies that
>> > this box needs to hold open 30,000 to 75,000 potential sockets. Is there
>> > any problem within IPv4 (seq #'s?) that would make this inherently
>> > impossible?

>> 200MHz P5, 2 PCI NICs, 256+ Mb RAM,
>> fast SCSI disk subsystem, + intelligent OS with
>> intelligent packet filter. That's a today's firewall
>> of choice for many people, anyway.

>> What do you people think? This should (might?) work...

A P6 should give you much better throughput than a 200MHz P5 (and it still has room to grow). Not only that, but 200MHz P6s are cheaper than 200MHz P5s right now. I've also heard that a 200MHz P5 doesn't really run any faster than a 166MHz P5, because the bus is mostly saturated.

>im thinking dec alpha with 64 bit OS...
>is there 64 bit FreeBSD coming? Evidently Linus is working on
>Linux/Alpha...

That is an alternative. While Alphas are great, really fast CPUs, they also cost a lot more per MIPS than a decent Intel box. On the other hand, a really good Alpha (read expensive) can scale way beyond an Intel box, if you need the absolute fastest processing you can get. NetBSD/Alpha exists, and is mostly 64-bit from top to bottom. I don't believe Linux/Alpha is truly 64-bit.

You might also consider going commercial, if you're going to buy such high-end hardware. Digital Unix (aka OSF/1) isn't as "sexy" as Net/FreeBSD, but it works, is stable, and actually will support multi-processor Alphas reliably.

-----------------------------------------------------------------------------
  Michael L. VanLoon                             michaelv@MindBender.serv.net
        --<  Free your mind and your machine -- NetBSD free un*x  >--
    NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
        Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
    NetBSD ports in progress: PICA, others...
-----------------------------------------------------------------------------

From firewalls-owner Fri Sep 13 08:16:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19933 for firewalls-outgoing; Fri, 13 Sep 1996 07:37:44 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA19915 for ; Fri, 13 Sep 1996 07:37:33 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA11047; Fri, 13 Sep 1996 10:37:26 -0400 (EDT) sender long-morrow@CS.YALE.EDU for 
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA19703; Fri, 13 Sep 1996 10:37:25 -0400 (EDT)
Date: Fri, 13 Sep 1996 10:37:25 -0400 (EDT)
Message-Id: <199609131437.KAA19703@SPARKY.CF.CS.YALE.EDU>
To: ChrisP@steldyn.com, firewalls@greatcircle.com
Subject: Re: Secure Web Server?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ChrisP@steldyn.com wrote:

>While we are on the subject of secure programs for firewalls, does
>anybody have any strong feelings for a well coded, secure web server
>software? I am looking for a *nix variant to run on a Linux platform.
>This is intended to be a very tightly locked down machine with only
>http, smtp, and ftp ports open. Everything else will be shut down and
>blocked. I have worked with the Apache product and I was satisfied with
>its performance, but I am wondering if there is anything else out there
>that is tighter and cleaner. At this point I am not using any CGI so I
>don't need support for that.
>
>Chris

Apache running as nobody without any CGI should be fairly secure. I would also run it in a chroot()d environment (even on a locked down machine).

Dr. Frederick B. Cohen ( fc@all.net ) wrote an http daemon last year designed to be verifiably secure called thttpd. It only consists of a small number of lines of source code. If you don't need a Web server with lots of bells and whistles (server side includes, server side Java, etc.), which tend to make the server less secure, you may want to look for it. It should be under http://all.net/ or http://all.net:8080/ though neither of these URLs is working for me this morning.

- Morrow

From firewalls-owner Fri Sep 13 08:30:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA24796 for firewalls-outgoing; Fri, 13 Sep 1996 08:22:10 -0700 (PDT)
Received: from apu.connectix.com (apu.connectix.com [204.247.159.242]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA24769 for ; Fri, 13 Sep 1996 08:21:55 -0700 (PDT)
Received: from [204.118.199.198] (snowball.connectix.com [204.118.199.198]) by apu.connectix.com (8.7.5/8.6.9) with SMTP id IAA24804 for ; Fri, 13 Sep 1996 08:22:49 -0700
Date: Fri, 13 Sep 1996 08:22:49 -0700
Message-Id: <199609131522.IAA24804@apu.connectix.com>
Subject: SNMP scan
From: Rob Sansom 
To: 
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Today, someone sent SNMP (udp 161) packets destined for a subnet which is part of my network. It was obvious that this was some sort of automated probe, since the first IP address of the internal machine was 255, and the last was 1. Maybe someone was screwing around with some network management software, and put in the wrong address? Who knows.

My router filtered these packets as it should, but I was curious as to the risks of allowing SNMP through a firewall from the outside. No, no way in hell will I ever allow this, but I'm just curious.

Thanks in Advance,

#include 
Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom@connectix.com

From firewalls-owner Fri Sep 13 08:51:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18784 for firewalls-outgoing; Fri, 13 Sep 1996 07:15:43 -0700 (PDT)
Received: from pa0016c1.kpmg.com (pa0016c1.kpmg.com [199.207.255.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA18744 for ; Fri, 13 Sep 1996 07:15:25 -0700 (PDT)
From: kenng@kpmg.com
Received: by pa0016c1.kpmg.com; id KAA21790; Fri, 13 Sep 1996 10:06:38 -0400
Received: from unknown(199.207.255.11) by pa0016c1.kpmg.com via smap (V3.1) id xma021652; Fri, 13 Sep 96 10:06:19 -0400
Received: from ccMail by mailgate6.kpmg.com (SMTPLINK V2.11.01) id AA842635717; Fri, 13 Sep 96 10:24:58 EST
Date: Fri, 13 Sep 96 10:24:58 EST
Message-Id: <9608138426.AA842635717@mailgate6.kpmg.com>
To: stesin@gu.net, Mike.Baxter@ashridge.org.uk (Mike Baxter)
Cc: firewalls@greatcircle.com
Subject: Re[3]: SYN floods - possible solution? (fwd)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To everyone, it's been a very fascinating topic the past few days. I'd like to take a couple of ideas and throw my twist on them.

First: make the syn queues on the os and the application bigger, maybe into the thousand range in size.

Second: during normal operation, keep track of ip addresses that do successfully connect. Perhaps a cache of a few hundred items in a hash array.

Third: put a timestamp on the entries on the syn queue for when they came in. When the syn queue goes over half full (arb value), get the average age of the items in the queue and drop all items over the average and not in the successfully connected cache. Also, keep a counter of the number of entries that had been dropped so that one can at least identify the attack.

The good points: This method will dynamically adapt to the rate of syn bombing, yet will allow those who have recently accessed the site to go through.
This will work as long as the syn bomber is not closer to the victim than the other users. If he is closer, then he can just flood the victim until it starts rejecting other users.

The bad news, it will not cure the disease, but like AZT, it helps keep the victim alive longer and healthier until the end.

What really needs to be done is for the router manufacturers to start putting in code that will reject ip traffic with addresses that should not exist. For example, if I have a subnet 10.20.30.X, and I get a packet on that interface supposedly from 38.1.2.3, then I should reject it. Note that this is on the leaf subnets only. This will do two things. One, it forces the syn bombers to either go to other places that do not have this filtering, or it forces the syn bombers to use ip addresses that are at least partly correct for his/her subnet. Either way it should help narrow the places they can hide, or it forces them to partly reveal their hiding place.

Well, I'm sure I've made at least one big mistake in here, let's hear it :-).

From firewalls-owner Fri Sep 13 09:14:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20207 for firewalls-outgoing; Fri, 13 Sep 1996 07:41:44 -0700 (PDT)
Received: from whale.gu.kiev.ua (whale.gu.kiev.ua [193.124.51.77]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA19823 for ; Fri, 13 Sep 1996 07:35:44 -0700 (PDT)
Received: from creator.gu.kiev.ua (stesin@creator.gu.kiev.ua [193.124.51.73]) by whale.gu.kiev.ua (8.7.5/8.7.3) with SMTP id RAA46792; Fri, 13 Sep 1996 17:28:52 +0300
Date: Fri, 13 Sep 1996 17:28:51 +0300 (EET DST)
From: Andrew Stesin
X-Sender: stesin@creator.gu.kiev.ua
To: "Michael L. VanLoon -- HeadCandy.com"
cc: firewalls@greatcircle.com, freebsd-hackers@freebsd.org
Subject: Re: SYN floods - possible solution?
(fwd)
In-Reply-To: <199609131352.GAA02501@MindBender.serv.net>
Message-ID:
X-NCC-RegID: ua.gu
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

be it Alpha or Intel, the most interesting question lies in another area: would Panix pay someone (Darren ?) for the implementation of such a BSDaemonish "spoof-buff" device 8-) for them -- or not? The answer will have a direct consequence of -- will we see it working in reality or not? Otherwise the whole hardware discussion is pointless.

BTW as was pointed out to me already, I overlooked at least one very important (but hopefully not critical) technical detail...

Best,
Andrew Stesin
nic-hdl: ST73-RIPE

On Fri, 13 Sep 1996, Michael L. VanLoon -- HeadCandy.com wrote:
> A P6 should give you much better through-put than a 200MHz P5 (and it
> still has room to grow). Not only that, but 200MHz P6s are cheaper
[...]

From firewalls-owner Fri Sep 13 09:26:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26908 for firewalls-outgoing; Fri, 13 Sep 1996 08:41:57 -0700 (PDT)
Received: from lokkur.dexter.mi.us (lokkur.dexter.mi.us [148.59.2.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA26871 for ; Fri, 13 Sep 1996 08:41:41 -0700 (PDT)
Received: (from scs@localhost) by lokkur.dexter.mi.us (8.7.5/8.7.5/lokkur-1.1-scs) id LAA01932; Fri, 13 Sep 1996 11:41:33 -0400 (EDT)
To: firewalls@GreatCircle.COM
Path: lokkur.dexter.mi.us!not-for-mail
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Newsgroups: local.firewalls
Subject: Re: SYN floods - possible solution?(update)
Date: 13 Sep 1996 11:41:33 -0400
Organization: Inland Sea
Lines: 14
Distribution: local
Message-ID: <51bvbd$1s9@lokkur.dexter.mi.us>
References:
X-Newsreader: NN version 6.5.0 CURRENT #2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Roderick Murchison, Jr." writes:
>That's where the filtering comes in.
>We would detect and halt a large
>grouping of SYN's with the same source IP and drop them. This still does
>not protect the firewall from getting hit with a flurry of SYN's with
>random source IP's, but it should keep the firewall from being used as a
>proxy for the attack.

Yes, if you record the source address you solve this problem.

--
"Yea, the heavens shall open and the NP-complete solution given forth. ATT executives shall give birth to two-headed operating systems, and copyrights shall be expunged. The voice of the GNU shall be heard, but the faithless will be without transceivers." -- me

From firewalls-owner Fri Sep 13 09:43:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20802 for firewalls-outgoing; Fri, 13 Sep 1996 07:47:53 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA20734 for ; Fri, 13 Sep 1996 07:47:27 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA11603; Fri, 13 Sep 1996 10:47:19 -0400 (EDT) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA19741; Fri, 13 Sep 1996 10:47:17 -0400 (EDT)
Date: Fri, 13 Sep 1996 10:47:17 -0400 (EDT)
Message-Id: <199609131447.KAA19741@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, postmaster@medab.se
Subject: Re: whois port number
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jan Rockstedt wrote:
>I want to open outbound whois traffic over my firewall.
>Anyone who knows what port number i should open (destination/source) for
>outbound proxy ?

The source port for the whois user client will be any random non-privileged pooled port (ie. over 1023). The destination port of the whois server will be 43.
(64)% grep whois /etc/services
whois           43/tcp    nicname    # usually to sri-nic
(65)%

If you want to look at an example of a whois proxy which is hardcoded to go only to Internet server host DS.INTERNIC.NET you can see one at URLs:

ftp://ftp.cs.yale.edu/pub/long/src/network/security/whois-proxy.c
http://www.cs.yale.edu/pub/long/src/network/security/whois-proxy.c
ftp://sparky.cs.yale.edu/pub/long/src/network/security/whois-proxy.c
http://sparky.cs.yale.edu/pub/long/src/network/security/whois-proxy.c

- Morrow

From firewalls-owner Fri Sep 13 09:51:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA03521 for firewalls-outgoing; Fri, 13 Sep 1996 09:38:46 -0700 (PDT)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA03513 for ; Fri, 13 Sep 1996 09:38:38 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id IAA16360 for ; Fri, 13 Sep 1996 08:52:01 -0700
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id JAA17740 for ; Fri, 13 Sep 1996 09:36:24 -0700
Date: Fri, 13 Sep 1996 09:36:22 -0700 (PDT)
From: Michael Dillon
To: firewalls@greatcircle.com
Subject: RE: Sym Flood Attacks - Defensible??? (fwd)
Message-ID:
Organization: Memra Software Inc.
- Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>-----------------------------------------------------------------------
>Date: Thu, 12 Sep 1996 15:34:04 -0400 (EDT)
> From: Simon Spero
> To: John Young
> cc: cypherpunks@toad.com
> Subject: Re: Panix attack
> MIME-Version: 1.0
> Sender: owner-cypherpunks@toad.com
> Precedence: bulk
>
>
>On Thu, 12 Sep 1996, John Young wrote:
>
> > WSJ and WaPo have reports on Panix-jamming by info-request bombardment, and
> > Bell Labs security expert Bill Cheswick's attempt to solve it.
>
> This particular attack has been known for some time; kind of surprising it
> hasn't been used before. It is defensible, but it can take a lot of
> memory to give full protection.
>
> The best IPv4 way I know of to stop the listen queue being filled is to
> use a special structure to hold half-open incoming connections, and not
> allocate the full TCB until the ack of the syn-ack comes in; that way, the
> listen queue can be made large enough to keep enough connections to cover
> the number of SYNs receivable before the half-open connection times out
>
> This ensures that there's at least a traceable return address for the
> connection. Sort of like photuris cookies but without the forced RTT delay
>
> (The timeout was added to most stacks in 94 after backbone fuckups caused
> queues to wedge on most of the big web servers with all sorts of asymmetric
> routing problems. It's not strictly legal TCP)
>
>
>
> ----
> Cause maybe (maybe)                  | In my mind I'm going to Carolina
> you're gonna be the one that saves me | - back in Chapel Hill May 16th.
> And after all                        | Email address remains unchanged
> You're my firewall -                 | ........First in Usenet.........
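Two of the proposals above fit together in one piece of code: the kpmg.com post's timestamped SYN queue that, once over half full, drops entries older than the average age unless the source is in a cache of recently connected addresses (plus its drop counter and its leaf-subnet source address check), and Simon Spero's idea of holding only minimal state per half-open connection until the final ACK arrives, with a timeout. The Python below is an added example written for this archive; it is not code from any poster, from Panix or from any BSD kernel. It is a simulation on a fake clock, and the addresses (RFC 5737 documentation ranges), the table sizes, the 75 second timeout and the traffic pattern are all constructed for illustration.

```python
"""Inbound-SYN front end: leaf-subnet source check, then a half-open table
with one timestamp per entry, a timeout, an over-half-full purge of entries
older than the mean age, and a cache of recently connected addresses.
Constructed example; addresses, sizes and timings are illustrative."""
import ipaddress
import time
from collections import OrderedDict


class IngressFilter:
    """Reject a packet whose source address cannot belong on its arrival interface."""
    def __init__(self, internal_prefixes):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def allow(self, iface, src_ip):
        addr = ipaddress.ip_address(src_ip)
        inside = any(addr in net for net in self.internal)
        # Outside wire with an inside source is forged; inside wire with an
        # outside source is leaving spoofed.
        return (not inside) if iface == "outside" else inside


class SynTable:
    """Half-open connections keyed by (src_ip, src_port), one timestamp each;
    full connection state would only be built on the final ACK."""
    def __init__(self, capacity=8, syn_timeout=75.0, good_size=4, now=time.monotonic):
        self.capacity, self.syn_timeout = capacity, syn_timeout
        self.good_size, self.now = good_size, now
        self.half_open = {}        # (src_ip, src_port) -> arrival time
        self.good = OrderedDict()  # src_ip -> time of last completed handshake
        self.dropped = 0           # counter that makes an attack visible

    def _expire(self, t):
        for key, t0 in list(self.half_open.items()):
            if t - t0 > self.syn_timeout:
                del self.half_open[key]
                self.dropped += 1

    def _purge(self, t):
        # Over half full: drop entries older than the mean age unless the
        # source recently completed a handshake.
        if len(self.half_open) <= self.capacity // 2:
            return
        ages = {k: t - t0 for k, t0 in self.half_open.items()}
        mean = sum(ages.values()) / len(ages)
        for key, age in ages.items():
            if age > mean and key[0] not in self.good:
                del self.half_open[key]
                self.dropped += 1

    def syn(self, src_ip, src_port):
        t = self.now()
        self._expire(t)
        self._purge(t)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return False
        self.half_open[(src_ip, src_port)] = t
        return True

    def ack(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False           # no matching SYN: stray or forged ACK
        del self.half_open[key]
        self.good[src_ip] = self.now()
        self.good.move_to_end(src_ip)
        while len(self.good) > self.good_size:
            self.good.popitem(last=False)
        return True


def run_demo():
    """Deterministic scenario on a fake clock; returns what was observed."""
    clock = [0.0]
    table = SynTable(now=lambda: clock[0])
    ingress = IngressFilter(["10.20.30.0/24"])
    out = {"spoofed_blocked": 0}

    def arrive(iface, src_ip, src_port):
        if not ingress.allow(iface, src_ip):
            out["spoofed_blocked"] += 1
            return False
        return table.syn(src_ip, src_port)

    arrive("outside", "192.0.2.10", 40000)            # ordinary client ...
    out["first_handshake"] = table.ack("192.0.2.10", 40000)   # ... completes
    arrive("outside", "10.20.30.7", 5000)             # inside address on the outside wire
    for i in range(1, 7):                             # flood: one forged SYN per second
        clock[0] = 10.0 + i
        arrive("outside", f"198.51.100.{i}", 1000 + i)
    clock[0] = 17.0
    arrive("outside", "192.0.2.10", 40001)            # known client returns mid-flood
    for i in range(7, 12):
        clock[0] = 11.0 + i
        arrive("outside", f"198.51.100.{i}", 1000 + i)
    out["known_client_survived"] = ("192.0.2.10", 40001) in table.half_open
    out["second_handshake"] = table.ack("192.0.2.10", 40001)
    out["stray_ack"] = table.ack("198.51.100.7", 1007)  # its SYN was purged
    clock[0] = 100.0                                  # flood stops; entries time out
    out["new_client_admitted"] = arrive("outside", "203.0.113.5", 5555)
    table.ack("203.0.113.5", 5555)
    out.update(dropped=table.dropped, half_open=len(table.half_open), good=list(table.good))
    return out
```

Calling run_demo() shows the spoofed inside address stopped at the ingress check, the returning client's half-open entry surviving every purge while the forged ones are evicted, a forged ACK with no matching SYN rejected, and the table emptied by the timeout once the flood stops. The same purge rule would also evict a legitimate first-time client whose SYN happens to be older than average, which is the limitation the rest of this thread argues about.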
From firewalls-owner Fri Sep 13 09:54:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15544 for firewalls-outgoing; Fri, 13 Sep 1996 06:39:51 -0700 (PDT)
Received: from lokkur.dexter.mi.us (lokkur.dexter.mi.us [148.59.2.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA15484 for ; Fri, 13 Sep 1996 06:39:25 -0700 (PDT)
Received: (from scs@localhost) by lokkur.dexter.mi.us (8.7.5/8.7.5/lokkur-1.1-scs) id JAA00377; Fri, 13 Sep 1996 09:39:19 -0400 (EDT)
To: firewalls@GreatCircle.COM
Path: lokkur.dexter.mi.us!not-for-mail
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Newsgroups: local.firewalls
Subject: Re: SYN floods - possible solution?
Date: 13 Sep 1996 09:39:18 -0400
Organization: Inland Sea
Lines: 105
Distribution: local
Message-ID: <51bo66$bl@lokkur.dexter.mi.us>
References:
X-Newsreader: NN version 6.5.0 CURRENT #2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

All the proposed solutions rely on `detecting' the fact that there is a SYN flood occurring and that the offensive SYNs can be filtered. About a year ago I independently thought of the SYN flood attack (I won't say `invented' since I didn't implement it). I thought of various issues about how to do it untraceably, and the executive summary is that none of the proposed solutions would permit a network to continue to function during the SYN attack. Consider these points:

When doing a SYN flood, you don't want to reveal who you are. So you forge a return address. However, you want to forge a real but inactive address in order to have the proper effect.

When doing a SYN flood, you want the SYN segment to tie up the victim's machine as long as possible. The victim, on receiving a SYN, replies with SYN-ACK. The result of the SYN-ACKs depends on the reply address, and strongly determines how effective the attack is:

o If it's a bogus network number, the SYN-ACK reaches a core router which returns ICMP network unreachable.
  The ICMP error reaches the attacked machine, and it frees the SYN'ed resources. Since this happens in milliseconds, it requires the attacker to keep flooding. This is risky to the attacker.

o If it's a real address and the machine is up, the SYN-ACK reaches that machine and it replies with an ICMP error. The ICMP error reaches the attacked machine, and it frees the SYN'ed resources. It takes longer than the above failure, but probably no more than a factor of 100 even if you choose a site `distant' from the attacker. Still not a good thing, from the attacker's point of view.

o If it's a real address but the machine is down or silently unreachable, we have the best of all worlds. The SYN-ACKs will drop into never-never land, and it requires a very low incoming packet rate to keep the machine tied up.

So how does the attacker determine what reply addresses will result in the latter? Look for two kinds of networks -- ISPs who hand out dialup IP accounts with fixed addresses, and old class B nets owned by corporations who have now installed firewalls. The former gives you a good chance that the machine is not reachable, the latter gives you a good chance that the firewall silently discards things intended for the internal net. A smart attacker would actually test this as part of his strategy, and accumulate a list of addresses and network numbers to use. Heck, they might even start exchanging them on the bulletin boards. :-(

Other issues in making the attack effective:

o Always use `real' and commonly permitted socket numbers which normally expect lots of transient connections, eg, SMTP, HTTP, etc. Avoid socket numbers >1023, as you may be attacking a firewall and it might simply drop them as fast as they come in.

o Don't bother source-routing, record-routing, or any other options on your SYNs. They only make your SYNs stand out, and some machines (like filtering routers) won't pass them.
o Keep your SYNs as vanilla as possible, but make sure each SYN is as unique as possible. Have a pool of `random' numbers to use as initial sequence numbers, pick your max segment size delimiters from a list of commonly used ones appropriate to the socket number you're using -- and use a mix of socket numbers. Now once the stream of SYNs hits the main net, it doesn't even look like a classic packet train because the return addresses are all different.

The end result of all of this is that the SYN flood looks just like a normal traffic mix except for the volume. And all of the filter schemes proposed here would fail, because they'd also filter the .01% of traffic that was a valid SYN.

The performance of IP systems under SYN attack is fairly well understood. So the smart attacker will begin with a large burst of SYNs, and then quickly ratchet down the send rate to some multiple of how fast the attacked system will free the pending resources. Attack at 10x the free rate, and you'll prevent nearly all valid connections from starting. And since the attacker is now sending more slowly, he's less liable to detection.

Also on avoiding detection -- do your initial SYN flood from a host that you're only on for a few seconds, then do the `sustain' from a variety of machines. Cron is your friend. :-( Hit and run is also good, especially if the attacked machine crashes and burns. Unless the routers along the way are actually recording everything, you're untraceable.

So how does one prevent the attack? The only immediate detection I can think of works best when applied near the source. Relaying routers must check the *return* addresses against their list of internal networks. But (a), I don't know of any routers that do this, and (b) how are you going to convince the ISPs to add that load to their routers. Yeah, it may happen eventually -- but don't hold your breath. And all the other solutions I can think of require *much* more intelligence in the routers than presently exists.
In the interim, everyone can help by making `bad' addresses fail more quickly. Firewalls and routers should return ICMP unreachables when someone tries to reach thru them to blocked addresses. ISPs should know who's attached and who's not. But these don't prevent the attack, they merely remove the ability to flood and then ratchet back to the slow sustain.

--
"Yea, the heavens shall open and the NP-complete solution given forth. ATT executives shall give birth to two-headed operating systems, and copyrights shall be expunged. The voice of the GNU shall be heard, but the faithless will be without transceivers." -- me

From firewalls-owner Fri Sep 13 10:16:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06874 for firewalls-outgoing; Fri, 13 Sep 1996 10:05:37 -0700 (PDT)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA06781 for ; Fri, 13 Sep 1996 10:05:06 -0700 (PDT)
Received: from pferguso-pc.cisco.com ([171.68.52.54]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id KAA05739; Fri, 13 Sep 1996 10:04:19 -0700
Message-Id: <2.2.32.19960913170419.006e5fa4@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 13 Sep 1996 13:04:19 -0400
To: scs@lokkur.dexter.mi.us (Steve Simmons)
From: Paul Ferguson
Subject: Re: SYN floods - possible solution?(update)
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:41 AM 9/13/96 -0400, Steve Simmons wrote:
>
>Yes, if you record the source address you solve this problem.

Please explain to me how this will solve the problem if the source address is non-existent or unreachable.

- paul

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Reston, Virginia USA            ||||      ||||
tel: +1.703.716.9538        ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com      c i s c o  S y s t e m s

From firewalls-owner Fri Sep 13 10:31:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08582 for firewalls-outgoing; Fri, 13 Sep 1996 10:17:59 -0700 (PDT)
Received: from lokkur.dexter.mi.us (lokkur.dexter.mi.us [148.59.2.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA08569 for ; Fri, 13 Sep 1996 10:17:44 -0700 (PDT)
Received: (from scs@localhost) by lokkur.dexter.mi.us (8.7.5/8.7.5/lokkur-1.1-scs) id NAA05199; Fri, 13 Sep 1996 13:17:35 -0400 (EDT)
To: firewalls@GreatCircle.COM
Path: lokkur.dexter.mi.us!not-for-mail
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Newsgroups: local.firewalls
Subject: Re: SYN floods - possible solution?(update)
Date: 13 Sep 1996 13:17:34 -0400
Organization: Inland Sea
Lines: 18
Distribution: local
Message-ID: <51c4ve$52c@lokkur.dexter.mi.us>
References: <2.2.32.19960913170419.006e5fa4@lint.cisco.com>
X-Newsreader: NN version 6.5.0 CURRENT #2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul Ferguson writes:
>At 11:41 AM 9/13/96 -0400, Steve Simmons wrote:
>>Yes, if you record the source address you solve this problem.
>Please explain to me how this will solve the problem if the
>source address is non-existent or unreachable.

Reread the note. Roderick said `We would detect and halt a large grouping of SYN's with the same source IP and drop them.' In that case it doesn't matter if the source is valid or not, they still drop 'em.

--
"Yea, the heavens shall open and the NP-complete solution given forth. ATT executives shall give birth to two-headed operating systems, and copyrights shall be expunged. The voice of the GNU shall be heard, but the faithless will be without transceivers."
-- me

From firewalls-owner Fri Sep 13 10:44:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11109 for firewalls-outgoing; Fri, 13 Sep 1996 10:33:45 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA11003 for ; Fri, 13 Sep 1996 10:33:13 -0700 (PDT)
Received: by hidata.com; id AA08324; Fri, 13 Sep 96 10:33:14 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma008322; Fri, 13 Sep 96 10:32:54 -0700
Received: from clag by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id KAA18023; Fri, 13 Sep 1996 10:32:52 -0700
Message-Id: <2.2.32.19960913173053.00727900@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 13 Sep 1996 10:30:53 -0700
To: Chris Pugrud , Firewalls Mailing list
From: Bill Stout
Subject: Re: Secure Web Server?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:33 PM 9/12/96 -0600, Chris Pugrud wrote:
>While we are on the subject of secure programs for firewalls, Does
>anybody have any strong feelings for a well coded, secure web server
>software? I am looking for *nix variant to run on a Linux platform.

Use Stronghold, a.k.a. Apache-SSL. $495 no matter how big a box. No 10-user limit.
http://stronghold.c2.net

Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/UNIX/I-net/Routers/Mainframes/Janitor ;)
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
___________"Infowar, Cyber-war, yes, 'they' _are_ out to get you..."___________

From firewalls-owner Fri Sep 13 10:59:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04977 for firewalls-outgoing; Fri, 13 Sep 1996 09:51:50 -0700 (PDT)
Received: from citadel.evolving.com (citadel.evolving.com [198.202.204.162]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA04890 for ; Fri, 13 Sep 1996 09:51:20 -0700 (PDT)
Received: from valiant.evolving.com (valiant.evolving.com [198.202.204.66]) by citadel.evolving.com (8.6.12/8.6.9) with ESMTP id KAA07758; Fri, 13 Sep 1996 10:40:28 -0600
Received: from thepound.evolving.com (thepound.evolving.com [192.124.159.19]) by valiant.evolving.com (8.6.12/8.6.9) with ESMTP id KAA21776; Fri, 13 Sep 1996 10:40:26 -0600
Received: (from rtruitt@localhost) by thepound.evolving.com (8.6.12/8.6.12) id KAA10431; Fri, 13 Sep 1996 10:39:59 -0600
Date: Fri, 13 Sep 1996 10:39:59 -0600
From: Todd Truitt
Message-Id: <199609131639.KAA10431@thepound.evolving.com>
To: stesin@gu.net, murchiso@vivid.newbridge.com
Subject: Re: SYN floods - possible solution
Cc: firewalls@GreatCircle.COM, Todd.Truitt@evolving.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-MD5: T16uokiNinDRBE2uPn0r1Q==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Duh.. Ok,

Yea, I felt the same way when I got up this morning and realized that my idea about BGP authentication was flawed for a number of reasons. Not the least of which was that BGP, a routing protocol, rides on TCP. Thanks to Paul for his patience and persistence in asking me to check the BGP RFCs!
Aw, brainstorming when you're tired... :^)

> we take a PC with a plenty of RAM and customized BSD kernel,
> which works as a packet filter. What we can do with it -- we
> can teach it to do "spoofing+buffering" of TCP handshakes for
> a whole network behind it. The following chain of events will
> take place in time:
>
>  T   ------------------- "Acting persons" --------------------------
>  i
>  m   Client                  "Spoofer"                      Protected
>  e   (attacker?)             firewall                       server
>  |
>  |   1. Sends SYN to         Queues SYN as it               Knows nothing :)
>  |      protected server.    was destined to it
>  V                           (just to another queue?)
>                              Sends SYN/ACK to client
>                              claiming to be a server,
>                              sets a timeout to wait
>                              for response.
>
>      #if (client is valid)
>
>      2. Continues with TCP   Sends SYN to server,           Gets 1st SYN
>         connection.          claiming to be a client.       sends SYN/ACK
>                                                             to client.
>
>      3. Waits                Silently "eats" SYN/ACK        Waits
>                              server sent, caches connection
>                              as "valid,established" for
>                              passing it through later on.
>                              Passed continuation packet
>                              to server.
>
>      4. Works as usual       Passed valid connection        Works as usual
>                              through.
>
>      #else /* SYN/flood attack -- queue timeout expired */
>
>      2'. ??? (who cares?)    Drops bad SYN away             Still knows
>                                                             nothing
>      #endif
>

OK, this sounds plausible. But let's modify it a bit.

1. Upon the receipt of any new packet containing a request to set up a connection (SYN), grab the source address, hold the packet, log the address into a cache, "waiting for reply", and send a reply (SYN-2).

2. While waiting for an ACK from the source host to your SYN